+ Title: Build a global identity solution with funnel-based approach

+description: Learn the funnel-based design consideration for Azure AD B2C to provide customer identity management for global customers.

+# Build a global identity solution with funnel-based approach

+In this article, we describe the scenarios for funnel-based design approach. Before starting to design, it's recommended that you review the [capabilities](b2c-global-identity-solutions.md#capabilities-and-considerations), and [performance](b2c-global-identity-solutions.md#performance) of both funnel and region-based design approach. This article will further help determine which design may fit best for your organization.

+The designs account for:

+* Local Account sign up and sign in

+* Federated account sign up and sign in

+* Authenticating local accounts for users signing in from outside their registered region, supported by cross tenant API based authentication

+* Authenticating federated accounts for users signing in from outside their registered region, supported by cross tenant API based look up

+* Prevents sign up from multiple different regions

+* Applications in each region have a single endpoint to connect with

+## Local account sign-in use cases

+The following use cases are typical in a global Azure AD B2C environment. The local account use cases also cover accounts where the user travels. We provide a diagram and workflow steps for each use case.

+### Local user sign-up

+This use case demonstrates how a user from their home country/region performs a sign-up with an Azure AD B2C Local Account.

+

+1. A user from Europe, Middle East, and Africa (EMEA) attempts to sign up at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on defined criteria using OpenId federation. This can be a lookup based on Application clientId.

+1. The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.

+1. The user isn't found in the global lookup table. The user's account is written into Azure AD B2C, and a record is created into the global lookup table to track the region in which the user signed-up.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Existing local user attempts sign up

+This use case demonstrates how a user re-registering the same email from their own country/region, or a different region, is blocked.

+

+1. A user from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.

+1. The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.

+1. The user's email is found in the global lookup table, indicating the user has registered this email in the solution at some prior point in time.

+1. The user is presented with an error, indicating their account exists.

+### Local user sign-in

+This use case demonstrates how a user from their home country/region performs a sign-in with an Azure AD B2C local account.

+

+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.

+1. The user enters their credentials at the regional tenant.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Traveling user sign-in

+This use case demonstrates how a user can travel across regions and maintain their user profile and credentials stored in their regional tenant respective to their sign-up.

+

+1. A user from North America (NOAM) attempts to sign in at **myapp.fr** while they are on holiday in France. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.

+1. The user enters their credentials at the regional tenant.

+1. The regional tenant performs a lookup into the global lookup table, since the user's email wasn't found in the EMEA Azure AD B2C directory.

+1. The user's email is located to have been signed up in NOAM Azure AD B2C tenant.

+1. The EMEA Azure AD B2C tenant performs an Azure AD ROPC flow against the NOAM Azure AD B2C tenant to verify credentials.

+ >[!NOTE]

+ >This call will also fetch a token for the user to perform a Graph API call. The EMEA Azure AD B2C tenant performs a Graph API call to the NOAM Azure AD B2C tenant to fetch the user's profile. This call is authenticated by the access token for Graph API acquired in the last step.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Local user forgot password

+This use case demonstrates how a user can reset their password when they are within their home country/region.

+

+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.

+1. The user arrives at the EMEA Azure AD B2C tenant and selects **forgot password**. The user enters and verifies their email.

+1. Email lookup is performed to determine which regional tenant the user exists in.

+1. The user provides a new password.

+1. The new password is written into the EMEA Azure AD B2C tenant.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Traveling user forgot password

+This use case demonstrates how a user can reset their password when they're traveling away from the region in which they registered their account.

+

+1. A user from NOAM attempts to sign in at **myapp.fr** since they are on holiday in France. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.

+1. The user arrives at the EMEA Azure AD B2C tenant and selects **forgot password**. The user enters and verifies their email.

+1. Email lookup is performed to determine which regional tenant the user exists in.

+1. The email is found to exist in the NOAM Azure AD B2C tenant. The user provides a new password.

+1. The new password is written into the NOAM Azure AD B2C tenant through a Graph API call.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Local user password change

+This use case demonstrates how a user can change their password after they've logged into the region in which they registered their account.

+

+1. A user from EMEA attempts selects **change password** after logging into **myapp.fr**.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.

+1. The user arrives at the EMEA Azure AD B2C tenant, and the Single-Sign On (SSO) cookie set allows the user to change their password immediately.

+1. New password is written to the users account in the EMEA Azure AD B2C tenant.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Traveling user password change

+This use case demonstrates how a user can change their password after they've logged in, away from the region in which they registered their account.

+

+1. A user from NOAM attempts **change password** after logging into **myapp.fr**.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.

+1. The user arrives at the EMEA Azure AD B2C tenant, and the SSO cookie set allows the user to change their password immediately.

+1. The user's email is found to be in the NOAM tenant after checking the global lookup table.

+1. The new password is written to the users account in the NOAM Azure AD B2C tenant by MS Graph API call.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+## Federated Identity Provider authentications

+The following use cases show examples of using federated identities to sign up or sign in as an Azure AD B2C client.

+### Local federated ID sign-up

+This use case demonstrates how a user can sign up to the service from their local region using a federated ID.

+

+1. A user from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on application clientId.

+1. The user selects to sign in with a federated Identity Provider (IdP).

+1. Perform a lookup into the global lookup table.

+ * **If account linking is in scope**: Proceed if the federated IdP identifier nor the email that came back from the federated IdP doesn't exist in the lookup table.

+ * **If account linking is not in scope**: Proceed if the federated IdP identifier that came back from the federated IdP doesn't exist in the lookup table.

+1. Write the users account to the EMEA Azure AD B2C tenant.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Local federated user sign-in

+This use case demonstrates how a user from their local region signs into the service using a federated ID.

+

+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+2. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.

+3. The user selects to sign in with a federated identity provider.

+4. Perform a lookup into the global lookup table and confirm the user's federated ID is registered in EMEA.

+5. The regional tenant issues a token back to the funnel tenant.

+6. The funnel tenant issues a token to the application.

+### Traveling federated user sign-in

+This use case demonstrates how a user can sign into their account with a federated IdP, whilst located away from the region in which they signed up in.

+

+1. A user from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.

+1. The user selects to sign in with a federated identity provider.

+ >[!NOTE]

+ >Use the same App Id from the App Registration at the Social IdP across all Azure AD B2C regional tenants. This ensures that the ID coming back from the Social IdP is always the same.

+1. Perform a lookup into the global lookup table and determine the user's federated ID is registered in NOAM.

+1. Read the account data from the NOAM Azure AD B2C tenant using MS Graph API.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Account linking with matching criteria

+This use case demonstrates how users are able to perform account linking when matching criteria is satisfied. The matching criteria is typically the users email address. When the matching criteria of a sign in from a new identity provider has the same value for an existing account in Azure AD B2C, the account linking process can begin.

+

+1. A user from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the global funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.

+1. The user selects to sign in with a federated identity provider/social IdP.

+1. A lookup is performed into the global lookup table for the ID returned from the federated IdP.

+1. Where the ID doesn't exist, but the email from the federated IdP does exist in EMEA Azure AD B2C ΓÇô this is an account linking use case.

+1. Read the user from the directory and determine which authentication methods are enabled on the account. Present a screen for the user to sign in with an existing authentication method on this account.

+1. Once the user proves they own the account in Azure AD B2C, add the new social ID to the existing account, and add the social ID to the account in the global lookup table.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+### Traveling user account linking with matching criteria

+This use case demonstrates how nonlocal users are able to perform account linking when matching criteria is satisfied. The matching criteria is typically the users email address. When the matching criteria of a sign in from a new identity provider has the same value for an existing account in Azure AD B2C, the account linking process can begin.

+

+1. A user from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local application instance, the traffic manager enforces a redirect.

+1. The user reaches the Global Funnel Azure AD B2C tenant. This tenant is configured to redirect to a regional Azure AD B2C tenant based on some criteria using OpenId federation. This can be a lookup based on Application clientId.

+1. The user selects to sign in with a federated identity provider/social IdP.

+1. A lookup is performed into the global lookup table for the ID returned from the federated IdP.

+1. Where the ID doesn't exist, and the email from the federated IdP exists in another region - this is a traveling user account linking use case.

+1. Create an id_token_hint link asserting the users currently collected claims. Bootstrap a journey into the NOAM Azure AD B2C tenant using federation. The user proves that they own the account via the NOAM Azure AD B2C tenant.

+ >[!NOTE]

+ >This method is used to re-use existing account linking logic in the home tenant and reduce external API calls to manipulate the identities collection. A custom policy sample which utilizes id_token_hint can be found [here](https://github.com/azure-ad-b2c/samples/tree/master/policies/invite).

+1. Once the user proves they own the account in Azure AD B2C, add the new social ID to the existing account by making a Graph API call to the NOAM Azure AD B2C tenant. Add the social ID to the account in the global lookup table.

+1. The regional tenant issues a token back to the funnel tenant.

+1. The funnel tenant issues a token to the application.

+## Next steps

+- [Azure AD B2C global identity solutions](b2c-global-identity-solutions.md)

+- [Build a global identity solution with region-based approach](b2c-global-identity-region-based-design.md)

+- [Azure AD B2C global identity proof of concept region-based configuration](b2c-global-identity-proof-of-concept-regional.md)

+- [Azure AD B2C global identity proof of concept funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md)

+ Title: Azure Active Directory B2C global identity framework proof of concept for funnel-based configuration

+description: Learn how to create a proof of concept for funnel-based approach for Azure AD B2C to provide customer identity and access management for global customers.

+# Azure Active Directory B2C global identity framework proof of concept for funnel-based configuration

+The following section describes how to create proof of concept implementations for funnel-based orchestration. The completed Azure Active Directory B2C (Azure AD B2C) custom policies can be found [here](https://github.com/azure-ad-b2c/samples/tree/master/policies/global-architecture-model/funnel-based-approach).

+## Funnel-based approach

+The following block diagram shows the proof of concept. The guidance will show how to configure the Azure AD B2C tenants. The External API layer and Geo distributed lookup table isn't included as part of this guide.

+

+## Funnel tenant

+1. [Create a tenant.](../active-directory-b2c/tutorial-create-tenant.md)

+1. [Configure federations to each Azure AD B2C tenant/policy combination](../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-user-flow)

+1. Configure client_id mapping to region ΓÇô use [lookup claim transformation](general-transformations.md) to emulate.

+ ```xml

+ <ClaimsTransformation Id="ClientIdToRegion" TransformationMethod="LookupValue">

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="regionFromURL" TransformationClaimType="inputParameterId" />

+ </InputClaims>

+ <InputParameters>

+ <InputParameter Id="0dd7579e-fb90-4178-bc36-77a3fe658683" DataType="string" Value="APAC" />

+ <InputParameter Id="7e7f5403-b3d7-41cc-85fc-130ab6fd9361" DataType="string" Value="NOAM" />

+ <InputParameter Id="4ea5d578-9c51-4091-96d1-58e15e98e9b9" DataType="string" Value="EMEA" />

+ <InputParameter Id="errorOnFailedLookup" DataType="boolean" Value="false" />

+ </InputParameters>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="sendToRegion" TransformationClaimType="outputClaim" />

+ </OutputClaims>

+ </ClaimsTransformation>

+ ```

+1. Configure federations to be enabled based on client_id ΓÇô region mapping.

+ ```xml

+ <TechnicalProfile Id="HRDLogic">

+ <DisplayName>ParseDomainHint</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="regionFromURL" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />

+ </InputClaims>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="sendToRegion" />

+ <OutputClaim ClaimTypeReferenceId="identityProviders" />

+ </OutputClaims>

+ <OutputClaimsTransformations>

+ <OutputClaimsTransformation ReferenceId="ClientIdToRegion" />

+ <OutputClaimsTransformation ReferenceId="CreateidentityProvidersCollection" />

+ </OutputClaimsTransformations>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+## Regional tenant

+1. [Create a tenant.](../active-directory-b2c/tutorial-create-tenant.md)

+1. [Create an application registration](../active-directory-b2c/tutorial-register-applications.md?tabs=app-reg-ga) to establish federation with funnel tenant.

+## Sign in

+1. Configure identifier to region lookup via global lookup table, use [lookup claim transformation](general-transformations.md) to emulate.

+ ```xml

+ <ClaimsTransformation Id="UserIdToRegion" TransformationMethod="LookupValue">

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="signInName" TransformationClaimType="inputParameterId" />

+ </InputClaims>

+ <InputParameters>

+ <InputParameter Id="bob@noam.com" DataType="string" Value="NOAM" />

+ <InputParameter Id="bob@noam1.com" DataType="string" Value="NOAM" />

+ <InputParameter Id="john@emea.com" DataType="string" Value="EMEA" />

+ <InputParameter Id="john@emea1.com" DataType="string" Value="EMEA" />

+ <InputParameter Id="alice@apac.com" DataType="string" Value="APAC" />

+ <InputParameter Id="alice@apac1.com" DataType="string" Value="APAC" />

+ <InputParameter Id="errorOnFailedLookup" DataType="boolean" Value="false" />

+ </InputParameters>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="userLookupRegion" TransformationClaimType="outputClaim" />

+ </OutputClaims>

+ </ClaimsTransformation>

+ ```

+1. Configure API based authentication for traveling user, and MS Graph API call to fetch users profile.

+ 1. Check credentials and get MS Graph API token from respective tenant. Register **Native** app registration in each regional tenant with permissions to MS Graph API for delegated permission: *user.read*.

+ ```xml

+ <TechnicalProfile Id="REST-login-NonInteractive-APAC">

+ <DisplayName>non interactive authentication to APAC</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://login.microsoftonline.com/b2capac.onmicrosoft.com/oauth2/v2.0/token</Item>

+ <Item Key="AuthenticationType">None</Item>

+ <Item Key="SendClaimsIn">Form</Item>

+ <Item Key="AllowInsecureAuthInProduction">true</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="apac_client_id" PartnerClaimType="client_id" DefaultValue="cf3f6898-9a79-426a-ba16-10e1a377c843" />

+ <InputClaim ClaimTypeReferenceId="ropc_grant_type" PartnerClaimType="grant_type" DefaultValue="password" />

+ <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" />

+ <InputClaim ClaimTypeReferenceId="password" />

+ <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" AlwaysUseDefaultValue="true" />

+ <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />

+ </InputClaims>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="bearerToken" PartnerClaimType="access_token" />

+ </OutputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+ 1. Read profile via MS Graph API for traveling user.

+ ```xml

+ <TechnicalProfile Id="Azure AD-Read-User-MSGraph">

+ <DisplayName>revoke my refresh token</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://graph.microsoft.com/beta/me</Item>

+ <Item Key="AuthenticationType">Bearer</Item>

+ <Item Key="UseClaimAsBearerToken">bearerToken</Item>

+ <Item Key="SendClaimsIn">Url</Item>

+ <Item Key="DebugMode">true</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="bearerToken" />

+ </InputClaims>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="id" />

+ <OutputClaim ClaimTypeReferenceId="givenName" />

+ <OutputClaim ClaimTypeReferenceId="surName" />

+ <OutputClaim ClaimTypeReferenceId="displayName" />

+ <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />

+ <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />

+ </OutputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+## Sign up

+Write users region to global lookup table.

+ > [!NOTE]

+ > No setup due to hardcoded lookup table.

+## Password reset

+1. Configure identifier to region lookup via global lookup table.

+ > [!NOTE]

+ > No setup due to hardcoded lookup table.

+1. Configure cross tenant password reset via REST API call.

+ >[!NOTE]

+ >Will require brokering API using client_credential authentication and User Admin role applied to the service principal.

+## Next steps

+- [Azure AD B2C global identity proof of concept regional-based configuration](b2c-global-identity-proof-of-concept-regional.md)

+- [Azure AD B2C global identity solutions](b2c-global-identity-solutions.md)

+- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)

+- [Build a global identity solution with region-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)

+ Title: Azure Active Directory B2C global identity framework proof of concept for region-based configuration

+description: Learn how to create a proof of concept regional based approach for Azure AD B2C to provide customer identity and access management for global customers.

+# Azure Active Directory B2C global identity framework proof of concept for region-based configuration

+The following section describes how to create proof of concept implementations for region-based orchestration. The completed Azure Active Directory B2C (Azure AD B2C) custom policies can be found [here](https://github.com/azure-ad-b2c/samples/tree/master/policies/global-architecture-model/region-based-approach).

+## Region-based approach

+Each regional Azure AD B2C tenant will require an Azure AD B2C Custom policy, which contains the following capabilities:

+Sign-up journey:

+* Display a screen to collect the user's username, password, and any other attributes

+* Prevent sign up if the user already exists by querying the user-region mapping table

+* Write the user profile to the local tenant

+* Write the users username-to-region mapping into a mapping table

+* Issue a token to the application

+Sign-in journey:

+* Display username and password screen

+* Perform a lookup of the username and return its region

+* Perform a local credential verification or a cross tenant credential verification

+* Read the user profile from the local tenant, or via a cross tenant call

+* Issue a token to the application

+Password reset journey:

+* Display a screen to validate the users email via email OTP

+* Perform a lookup of the username and return its region

+* Display a screen to capture the new password

+* Write the new password to the local tenant or via a cross tenant call

+* Issue a token to the application

+The following block diagram shows the proof of concept. The guidance will show how to configure the Azure AD B2C tenants. The External API layer and Geo distributed lookup table isn't included as part of this guide.

+

+### Prerequisites

+1. [Create a tenant](tutorial-create-tenant.md) per region your business requires to support. You'll require at least two tenants for this proof of concept.

+1. [Deploy custom policies](tutorial-create-user-flows.md) into your tenants.

+### Prepare your storage layer

+You'll need a storage layer, which can store the users email, objectId and region. This will allow you to track and query where the user signed up. You can use an [Azure Storage table](../storage/tables/table-storage-overview.md) to persist this data.

+### Prepare your API layer

+There are multiple APIs used as part of the proof of concept to demonstrate the region-based approach.

+#### Verify if user already exists

+An API is used during sign-up to determine whether the user exists in any region already.

+The request will be as follows:

+```http

+POST /doesUserExistInLookupTable HTTP/1.1

+Host: yourapi.com

+Content-Type: application/json

+{

+ email: bob@contoso.com

+}

+```

+* The response should be an HTTP 200 if the user doesn't exist.

+* The response should be HTTP 409 if the user does exist.

+#### Record the users region mapping

+An API is used during sign-up to record which region the user has signed-up in.

+The request will be as follows:

+```http

+POST /userToRegionLookup HTTP/1.1

+Host: yourapi.com

+Authorization Bearer: <token>

+Content-Type: application/json

+{

+ "email": "bob@contoso.com"

+}

+```

+* The response should be an HTTP 200 if the user exists.

+* The response should be HTTP 409 if the user does exist.

+#### Return which region the user exists in

+An API is used during sign-in to determine in which region the user had signed-up. This indicates whether a cross tenant authentication is required to be performed.

+The request will be as follows:

+```http

+POST /userToRegionLookup HTTP/1.1

+Host: yourapi.com

+Authorization Bearer: <token>

+Content-Type: application/json

+{

+ "email": "bob@contoso.com"

+}

+```

+The response should be an HTTP 200 with the users registered region and objectId.

+```json

+{

+ "objectId": "460f9ffb-8b6b-458d-a5a4-b8f3a6816fc2",

+ "region": "APAC"

+}

+```

+The API should respond with an HTTP 409 if the user doesn't exist, or encounters an error.

+#### Write password across tenants

+An API is used during the password reset flow to write the users new password in a different region that which they reset their password at.

+The request will be as follows:

+```http

+POST /writePasswordCrossTenant HTTP/1.1

+Host: yourapi.com

+Authorization Bearer: <token>

+Content-Type: application/json

+{

+ "objectId": "460f9ffb-8b6b-458d-a5a4-b8f3a6816fc2",

+ "password": "some!strong123STRING"

+}

+```

+The response should be an HTTP 200 if the process succeeds, or HTTP 409 if there's an error.

+## Region-based Azure AD B2C configuration

+The following sections prepare the Azure AD B2C tenant to track the region in which the user signed-up and perform cross tenant authentications or password resets if necessary.

+### Sign up custom policy configuration

+During sign-up, we must make sure to check the user doesn't exist in any other tenant, and write the users user-region mapping into an external table.

+Modify the `LocalAccountSignUpWithLogonEmail` technical profile in the Azure AD B2C starter pack is as follows:

+```xml

+<TechnicalProfile Id="LocalAccountSignUpWithLogonEmail">

+...

+ <ValidationTechnicalProfiles>

+ <ValidationTechnicalProfile ReferenceId="REST-getTokenforExternalApiCalls" />

+ <ValidationTechnicalProfile ReferenceId="REST-doesUserExistInLookupTable" />

+ <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingLogonEmail" />

+ <ValidationTechnicalProfile ReferenceId="REST-writeUserToRegionMapping" />

+ </ValidationTechnicalProfiles>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />

+</TechnicalProfile>

+```

+The **ValidationTechnicalProfiles** will perform the following logic:

+1. Get a token to call your protected API endpoints using the `REST-getTokenforExternalApiCalls` technical profile.

+ * Follow the documentation [here](secure-rest-api.md?tabs=windows&pivots=b2c-custom-policy#using-oauth2-bearer) to obtain and protect your API using an Azure AD bearer token.

+1. Verify if the user already exists in the user-region mapping via your secured external REST API endpoint:

+ * This API call is made before all sign-up's, it's critical to make sure this API has appropriate load balancing, resiliency, and failover mechanisms to uphold uptime requirements.

+ * An example of a technical profile to query a user-region mapping via an external REST API is as follows:

+ ```xml

+ <TechnicalProfile Id="REST-doesUserExistInLookupTable ">

+ <DisplayName>User to Region lookup</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://myApi.com/doesUserExistInLookupTable</Item>

+ <Item Key="AuthenticationType">Bearer</Item>

+ <Item Key="UseClaimAsBearerToken">ext_Api_bearerToken</Item>

+ <Item Key="SendClaimsIn">Body</Item>

+ <Item Key="AllowInsecureAuthInProduction">false</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="ext_Api_bearerToken" />

+ <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />

+ </InputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+ * This API should respond with HTTP 409 if the user exists, with appropriate error message to be displayed on screen. Otherwise, respond with an HTTP 200 if the user doesn't exist.

+1. Write the user-region mapping via your secured external REST API endpoint

+ * This API call is made before all sign up's, it's critical to make sure this API has appropriate load balancing, resiliency, and failover mechanisms to uphold uptime requirements.

+ * An example of a technical profile to write the user-region mapping via an external REST API is as follows:

+ ```xml

+ <TechnicalProfile Id="REST-writeUserToRegionMapping">

+ <DisplayName>User to Region lookup</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://myApi.com/writeUserToRegionMapping</Item>

+ <Item Key="AuthenticationType">Bearer</Item>

+ <Item Key="UseClaimAsBearerToken">ext_Api_bearerToken</Item>

+ <Item Key="SendClaimsIn">Body</Item>

+ <Item Key="AllowInsecureAuthInProduction">false</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="ext_Api_bearerToken" />

+ <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />

+ <InputClaim ClaimTypeReferenceId="region" DefaultValue="EMEA" />

+ <InputClaim ClaimTypeReferenceId="objectId" />

+ </InputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```ΓÇâ

+### Sign in custom policy configuration

+During sign-in, we must determine the users profile location, and authenticate them against the Azure AD B2C tenant where their profile lives.

+Modify the `SelfAsserted-LocalAccountSignin-Email` technical profile in the Azure AD B2C starter pack to perform the user-region lookup, and perform cross tenant authentication when the user is from a different region to that of the tenant they've reached. Update the `ValidationTechnicalProfiles` as:

+```xml

+<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">

+...

+ <ValidationTechnicalProfiles>

+ <ValidationTechnicalProfile ReferenceId="REST-getTokenforExternalApiCalls" />

+ <ValidationTechnicalProfile ReferenceId="REST-regionLookup" />

+ <ValidationTechnicalProfile ReferenceId="login-NonInteractive">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="false">

+ <Value>user_region</Value>

+ <Value>EMEA</Value>

+ <Action>SkipThisValidationTechnicalProfile</Action>

+ </Precondition>

+ </Preconditions>

+ <ValidationTechnicalProfile ReferenceId="REST-login-NonInteractive-APAC">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="false">

+ <Value>user_region</Value>

+ <Value>APAC</Value>

+ <Action>SkipThisValidationTechnicalProfile</Action>

+ </Precondition>

+ </Preconditions>

+ </ValidationTechnicalProfile>

+ <ValidationTechnicalProfile ReferenceId="REST-fetchUserProfile-APAC">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="false">

+ <Value>user_region</Value>

+ <Value>APAC</Value>

+ <Action>SkipThisValidationTechnicalProfile</Action>

+ </Precondition>

+ </Preconditions>

+ </ValidationTechnicalProfile>

+ </ValidationTechnicalProfiles>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-AAD" />

+</TechnicalProfile>

+```

+The **ValidationTechnicalProfiles** will perform the following logic when the user submits their credentials:

+1. Get a token to call your protected API endpoints using the `REST-getTokenforExternalApiCalls` technical profile.

+ * Follow the documentation [here](secure-rest-api.md?tabs=windows&pivots=b2c-custom-policy#using-oauth2-bearer) to obtain and protect your API using an Azure AD bearer token.

+1. Look up the user-region mapping via your secured external REST API endpoint

+ * This API call is made before all sign-up's, it's critical to make sure this API has appropriate load balancing, resiliency, and failover mechanisms to uphold uptime requirements.

+ * An example of a technical profile to query a user-region mapping via an external REST API is as follows:

+ ```xml

+ <TechnicalProfile Id="REST-regionLookup">

+ <DisplayName>User to Region lookup</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://myApi.com/userToRegionLookup</Item>

+ <Item Key="AuthenticationType">Bearer</Item>

+ <Item Key="UseClaimAsBearerToken">ext_Api_bearerToken</Item>

+ <Item Key="SendClaimsIn">Body</Item>

+ <Item Key="AllowInsecureAuthInProduction">false</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="ext_Api_bearerToken" />

+ <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="email" />

+ </InputClaims>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="user_region" PartnerClaimType="region" />

+ <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />

+ </OutputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+

+1. Perform local account authentication via the `login-NonInteractive` technical profile for users who signed up in this tenant. This is the default technical profile found in the Azure AD B2C starter pack.

+1. Conditionally, perform a cross tenant authentication via the `REST-login-NonInteractive-[region]` technical profiles for each respective region.

+ * This will also obtain an MS Graph API token from the users home tenant. Register a **Native App** Application Registration in each regional tenant with permissions to MS Graph API for the delegated permission `user.read`.

+ * An example of a technical profile to perform user-region mapping via an external REST API is as follows:

+ ```xml

+ <TechnicalProfile Id="REST-login-NonInteractive-APAC">

+ <DisplayName>non interactive authentication to APAC</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://login.microsoftonline.com/yourAPACb2ctenant.onmicrosoft.com/oauth2/v2.0/token</Item>

+ <Item Key="AuthenticationType">None</Item>

+ <Item Key="SendClaimsIn">Form</Item>

+ <Item Key="AllowInsecureAuthInProduction">true</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="apac_client_id" PartnerClaimType="client_id" DefaultValue="cf3f6898-9a79-426a-ba16-10e1a377c843" />

+ <InputClaim ClaimTypeReferenceId="ropc_grant_type" PartnerClaimType="grant_type" DefaultValue="password" />

+ <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="username" />

+ <InputClaim ClaimTypeReferenceId="password" />

+ <InputClaim ClaimTypeReferenceId="scope" DefaultValue="https://graph.microsoft.com/.default" AlwaysUseDefaultValue="true" />

+ <InputClaim ClaimTypeReferenceId="nca" PartnerClaimType="nca" DefaultValue="1" />

+ </InputClaims>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="ext_Api_bearerToken" PartnerClaimType="access_token" />

+ </OutputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+ * Replace `<yourb2ctenant>` in the `ServiceUrl` with the tenant you need to target for authentication.

+

+ * Use the application registration `ApplicationId` to populate the `DefaultValue` for the `apac_client_id` input claim.

+1. Conditionally, fetch the user profile using a cross tenant REST API call via the `REST-fetchUserProfile-[region]` technical profiles for each respective region.

+ * An example technical profile to read the user's profile via MS Graph API is as follows:

+ ```xml

+ <TechnicalProfile Id="REST-fetchUserProfile-APAC">

+ <DisplayName>fetch user profile cross tenant</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://graph.microsoft.com/beta/me</Item>

+ <Item Key="AuthenticationType">Bearer</Item>

+ <Item Key="UseClaimAsBearerToken">graph_bearerToken</Item>

+ <Item Key="SendClaimsIn">Body</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="graph_bearerToken" />

+ </InputClaims>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="id" />

+ <OutputClaim ClaimTypeReferenceId="givenName" />

+ <OutputClaim ClaimTypeReferenceId="surName" />

+ <OutputClaim ClaimTypeReferenceId="displayName" />

+ <OutputClaim ClaimTypeReferenceId="userPrincipalName" PartnerClaimType="upn" />

+ <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localAccountAuthentication" />

+ </OutputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+### Password reset custom policy configuration

+During password reset, we must determine the users profile location, and update the password against the Azure AD B2C tenant where the user profile lives.

+Modify the `LocalAccountSignUpWithLogonEmail` technical profile in the Azure AD B2C starter pack to perform the user user-region lookup, and update the password in the respective tenant. Update the `ValidationTechnicalProfiles` as:

+```xml

+<TechnicalProfile Id="LocalAccountDiscoveryUsingEmailAddress">

+ <OutputClaims>

+ ...

+ <OutputClaim ClaimTypeReferenceId="ext_Api_bearerToken" DefaultValue="EMEA"/>

+ </OutputClaims>

+ <ValidationTechnicalProfiles>

+ <ValidationTechnicalProfile ReferenceId="REST-getTokenforExternalApiCalls">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="true">

+ <Value>user_region</Value>

+ <Value>EMEA</Value>

+ <Action>SkipThisValidationTechnicalProfile</Action>

+ </Precondition>

+ </Preconditions>

+ </ValidationTechnicalProfile>

+ <ValidationTechnicalProfile ReferenceId="REST-regionLookup" />

+ <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress" />

+ </ValidationTechnicalProfiles>

+</TechnicalProfile>

+```

+The **ValidationTechnicalProfiles** will perform the following logic when the user submits a verified email to update their password:

+1. Get a token to call your protected API endpoints

+1. Look up the user-region mapping via your secured external REST API endpoint

+ * This API call is made before all password reset attempts, it's critical to make sure this API has appropriate load balancing, resiliency, and failover mechanisms to uphold uptime requirements.

+Modify the `LocalAccountWritePasswordUsingObjectId` technical profile to write the new password to the local tenant or conditionally to the cross regional tenant.

+```xml

+<TechnicalProfile Id="LocalAccountWritePasswordUsingObjectId">

+ ...

+ <ValidationTechnicalProfiles>

+ <ValidationTechnicalProfile ReferenceId="AAD-UserWritePasswordUsingObjectId">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="false">

+ <Value>user_region</Value>

+ <Value>EMEA</Value>

+ <Action>SkipThisValidationTechnicalProfile</Action>

+ </Precondition>

+ </Preconditions>

+ </ValidationTechnicalProfile>

+ <ValidationTechnicalProfile ReferenceId="REST-UserWritePasswordUsingObjectId-APAC">

+ <Preconditions>

+ <Precondition Type="ClaimEquals" ExecuteActionsIf="false">

+ <Value>user_region</Value>

+ <Value>APAC</Value>

+ <Action>SkipThisValidationTechnicalProfile</Action>

+ </Precondition>

+ </Preconditions>

+ </ValidationTechnicalProfile>

+ </ValidationTechnicalProfiles>

+</TechnicalProfile>

+```

+The **ValidationTechnicalProfiles** will perform the following logic when the user submits a new password:

+1. Write the users new password to the directory if the user existed in the EMEA tenant (this tenant).

+1. Conditionally, write the new password to the user profile in the region where the user profile lives, using a REST API call.

+ ```xml

+ <TechnicalProfile Id="REST-UserWritePasswordUsingObjectId-APAC">

+ <DisplayName>Write password to APAC tenant</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://myApi.com/writePasswordCrossTenant</Item>

+ <Item Key="AuthenticationType">Bearer</Item>

+ <Item Key="UseClaimAsBearerToken">ext_Api_bearerToken</Item>

+ <Item Key="SendClaimsIn">Body</Item>

+ <Item Key="DebugMode">true</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="ext_Api_bearerToken" />

+ <InputClaim ClaimTypeReferenceId="objectId" />

+ <InputClaim ClaimTypeReferenceId="newPassword" />

+ </InputClaims>

+ <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />

+ </TechnicalProfile>

+ ```

+## Next steps

+- [Azure AD B2C global identity solutions](b2c-global-identity-solutions.md)

+- [Build a global identity solution with funnel-based approach](b2c-global-identity-funnel-based-design.md)

+- [Build a global identity solution with region-based approach](b2c-global-identity-region-based-design.md)

+- [Azure AD B2C global identity proof of concept funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md)

+ Title: Build a global identity solution with region-based approach

+description: Learn the region-based design consideration for Azure AD B2C to provide customer identity management for global customers.

+# Build a global identity solution with region-based approach

+In this article, we describe the scenarios for region-based design approach. Before starting to design, it's recommended that you review the [capabilities](b2c-global-identity-solutions.md#capabilities-and-considerations), and [performance](b2c-global-identity-solutions.md#performance) of both funnel and region-based design approach.

+The designs account for:

+* Local Account sign up and sign in

+* Federated account sign up and sign in

+* Authenticating local accounts for users signing in from outside their registered region, supported by cross tenant API based authentication.

+* Authenticating federated accounts for users signing in from outside their registered region, supported by cross tenant API based look up

+* Prevents sign up from multiple different regions

+* Applications in each region have a set of endpoints to connect with

+## Local account authentications

+The following use cases are typical in a global Azure AD B2C environment. The local account use cases also cover accounts where the user travels. Each provides a diagram and workflow steps for each use case.

+### Local user sign-up

+This use case demonstrates how a user from their home country/region performs a sign-up with an Azure AD B2C Local Account.

+

+1. User from Europe, Middle East, and Africa (EMEA) attempts to sign up at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.

+1. The user isn't found in the global lookup table. The user's account is written into Azure AD B2C, and a record is created into the global lookup table to track the region in which the user signed-up.

+1. The regional tenant issues a token back to the app.

+### Existing local user attempts sign up

+This use case demonstrates how a user re-registering the same email from their own country/region, or a different region, is blocked.

+

+1. User from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. The user attempts to sign up. The sign-up process checks the global lookup table to determine if the user exists in any of the regional Azure AD B2C tenants.

+1. The user's email is found in the global lookup table, indicating the user has registered this email in the solution at some prior point in time.

+1. The user is presented with an error, indicating their account exists.

+### Local user sign-in

+This use case demonstrates how a user from their home country/region performs a sign-in with an Azure AD B2C local account.

+

+1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. User enters their credentials at the regional tenant.

+1. The regional tenant issues a token back to app.

+1. The user is signed in to the app.

+### Traveling user sign-in

+This use case demonstrates how a user can travel across regions and maintain their user profile and credentials stored in their regional tenant respective to their sign-up.

+

+1. User from North America (NOAM) attempts to sign in at **myapp.fr**, since they are on holiday in France. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. User enters their credentials at the regional tenant.

+1. The regional tenant performs a lookup into the global lookup table, since the user's email wasn't found in the EMEA Azure AD B2C directory.

+1. The user's email is located to have been signed up in NOAM Azure AD B2C tenant.

+1. The EMEA Azure AD B2C tenant performs an Azure AD ROPC flow against the NOAM Azure AD B2C tenant to verify credentials.

+ >[!NOTE]

+ >This call will also fetch a token for the user to perform a Graph API call.

+ The EMEA Azure AD B2C tenant performs a Graph API call to the NOAM Azure AD B2C tenant to fetch the user's profile. This call is authenticated by the access token for Graph API acquired in the last step.

+1. The regional tenant issues a token back app.

+### Local user forgot password

+This use case demonstrates how a user can reset their password when they are within their home country/region.

+

+1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. The user arrives at the EMEA Azure AD B2C tenant and selects **forgot password**. The user enters and verifies their email.

+1. Email lookup is performed to determine which regional tenant the user exists in.

+1. The user provides a new password.

+1. The new password is written into the EMEA Azure AD B2C tenant.

+1. The regional tenant issues a token back to the app.

+### Traveling user forgot password

+This use case demonstrates how a user can reset their password when they're traveling away from the region in which they registered their account.

+

+1. User from NOAM attempts to sign in at **myapp.fr**, since they are on holiday in France. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. The user arrives at the EMEA Azure AD B2C tenant and selects **forgot password**. The user enters and verifies their email.

+1. Email lookup is performed to determine which regional tenant the user exists in.

+1. The email is found to exist in the NOAM Azure AD B2C tenant. The user provides a new password.

+1. The new password is written into the NOAM Azure AD B2C tenant through a Graph API call.

+1. The regional tenant issues a token back to the app.

+### Local user password change

+This use case demonstrates how a user can change their password after they've logged into the region in which they registered their account.

+

+1. User from EMEA attempts selects **change password** after logging into **myapp.fr**.

+1. The user arrives at the EMEA Azure AD B2C tenant, and the Single-Sign On (SSO) cookie set allows the user to change their password immediately.

+1. New password is written to the users account in the EMEA Azure AD B2C tenant.

+1. The regional tenant issues a token back to the app.

+### Traveling user password change

+This use case demonstrates how a user can change their password after they've logged in, away from the region in which they registered their account.

+

+1. Users from NOAM attempts select **change password** after logging into **myapp.fr**.

+1. The user arrives at the EMEA Azure AD B2C tenant, and the SSO cookie set allows the user to change their password immediately.

+1. The users email is found to be in the NOAM tenant after checking the global lookup table.

+1. The new password is written to the users account in the NOAM Azure AD B2C tenant by MS Graph API call.

+1. The regional tenant issues a token back to the app.

+## Federated Identity Provider authentications

+The following use cases show examples of using federated identities to sign up or sign in as an Azure AD B2C client.

+### Local federated ID sign-up

+This use case demonstrates how a user from their local region signs up to the service using a federated ID.

+

+1. User from EMEA attempts to sign up at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. User selects to sign in with a federated identity provider.

+1. Perform a lookup into the global lookup table.

+ * **If account linking is in scope**: Proceed if the federated IdP identifier nor the email that came back from the federated IdP doesn't exist in the lookup table.

+

+ * **If account linking is not in scope**: Proceed if the federated IdP identifier that came back from the federated IdP doesn't exist in the lookup table.

+1. Write the users account to the EMEA Azure AD B2C tenant.

+1. The regional tenant issues a token back to the app.

+### Local federated user sign-in

+This use case demonstrates how a user from their local region signs into the service using a federated ID.

+

+1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. User selects to sign in with a federated identity provider.

+1. Perform a lookup into the global lookup table and confirm the user's federated ID is registered in EMEA.

+1. The regional tenant issues a token back to the app.

+### Traveling federated user sign-in

+This scenario demonstrates how a user located away from the region in which they signed up from, performs a sign-in to the service using a federated IdP.

+

+1. User from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. User selects to sign in with a federated identity provider.

+ >[!NOTE]

+ >Use the same App Id from the App Registration at the Social IdP across all Azure AD B2C regional tenants. This ensures that the ID coming back from the Social IdP is always the same.

+1. Perform a lookup into the global lookup table and determine the user's federated ID is registered in NOAM.

+1. Read the account data from the NOAM Azure AD B2C tenant using MS Graph API.

+1. The regional tenant issues a token back to the app.

+## Account linking with matching criteria

+This scenario demonstrates how users will be able to perform account linking when a matching criterion is satisfied (usually email address).

+

+1. User from EMEA attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. User selects to sign in with a federated identity provider/social IdP.

+1. A lookup is performed into the global lookup table for the ID returned from the federated IdP.

+1. Where the ID doesn't exist, but the email from the federated IdP does exist in EMEA Azure AD B2C, it's an account linking scenario.

+1. Read the user from the directory, and determine which authentication methods are enabled on the account. Present a screen for the user to sign in with an existing authentication method on this account.

+1. Once the user proves they own the account in Azure AD B2C, add the new social ID to the existing account, and add the social ID to the account in the global lookup table.

+1. The regional tenant issues a token back to the app.

+### Traveling user account linking with matching criteria

+This scenario demonstrates how users will be able to perform account linking when they're away from the region.

+

+1. User from NOAM attempts to sign in at **myapp.fr**. If the user isn't being sent to their local hostname, the traffic manager will enforce a redirect.

+1. User lands at the EMEA tenant.

+1. User selects to sign in with a federated identity provider/social IdP.

+1. A lookup is performed into the global lookup table for the ID returned from the federated IdP.

+1. Where the ID doesn't exist, and the email from the federated IdP exists in another region, it's a traveling user account linking scenario.

+1. Create an id_token_hint link asserting the users currently collected claims. Bootstrap a journey into the NOAM Azure AD B2C tenant using federation. The user will prove that they own the account via the NOAM Azure AD B2C tenant.

+

+ >[!NOTE]

+ >This method is used to re-use existing account linking logic in the home tenant and reduce external API calls to manipulate the identities collection. A custom policy sample which utilizes id_token_hint can be found [here](https://github.com/azure-ad-b2c/samples/tree/master/policies/invite).

+1. Once the user proves they own the account in Azure AD B2C, add the new social ID to the existing account by making a Graph API call to the NOAM Azure AD B2C tenant. Add the social ID to the account in the global lookup table.

+1. The regional tenant issues a token back to the app.

+## Next steps

+- [Azure AD B2C global identity solutions](b2c-global-identity-solutions.md)

+- [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md)

+- [Azure AD B2C global identity proof of concept regional-based configuration](b2c-global-identity-proof-of-concept-regional.md)

+- [Azure AD B2C global identity proof of concept funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md)

+ Title: Azure Active Directory B2C global identity framework

+description: Learn how to configure Azure AD B2C to provide customer identity and access management for global customers.

+# Azure Active Directory B2C global identity framework

+[Azure Active Directory B2C](overview.md) is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks.

+Azure Active Directory B2C (Azure AD B2C) is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). It's built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allows self-service sign-up to applications.

+Azure AD B2C is a globally distributed service made up of several components:

+* Directory

+* [Application registrations](tutorial-register-applications.md?tabs=app-reg-ga)

+* [User flows and custom policies](user-flow-overview.md)

+* [Sign-in options](sign-in-options.md)

+* [Keys](tokens-overview.md)

+When creating an Azure AD B2C solution, you must provide a location to host the service. This location only pertains to the region in which the user profile data will be stored, while the rest of the service that processes your sign-in runs globally.

+You typically deploy an Azure AD B2C tenant in the region closest to your user base. This makes it easier to maintain compliance with data residency laws, as the user profile is only replicated in the [selected region](data-residency.md). This also provides the best performance during sign-in, as network latencies are optimized to the directory store.

+When your Azure AD B2C directory requires to service users across the globe, the regional structure poses a challenge. You must determine which location to create the Azure AD B2C tenant in. Any users outside the selected region may not be compliant with data residency requirements and may also experience increased latency when verifying their credentials or reading their user profile data.

+For example, consider an application that supports users in Australia and North America, and Azure AD B2C directory is created in the North America region. Users who sign-in from Australia may face longer processing times to complete their authentication.

+To better meet data residency requirements and mitigate performance issues, you must deploy multiple Azure AD B2C tenants. By placing a tenant in each region where your business operates, the operations into the directory are optimized for latency. However, by doing so, the solution creates other overheads to configure, manage and protect these sensitive tenant resources in each region. Other overheads include:

+* Tenant administration

+* Tenant isolation resulting in an end user experience that doesn't feel global

+* Billing

+* CI/CD processes to manage policies/app registrations/keys

+This document proposes architectures with Azure AD B2C that best accommodate solutions for customers who serve users across the globe. The solutions serve the following requirements:

+* Users can maintain the same set of credentials, no matter from where in the world they access applications.

+* Consistent performance and latency no matter where users authenticate from.

+* Make it easy for customers to deliver processes, frameworks, or SDKs to their developer teams with least possible configuration required.

+* User profiles can be maintained while users travel around the world. This creates more value in the analytics generated by user interactions within any service.

+* Customer user data is stored in regional data stores.

+The following are two approaches to consider when implementing an identity platform using Azure AD B2C tenants for a globally operating business model.

+* The first approach uses geographical regions as the boundary and applications are configured specifically for the region.

+* The second approach has a global boundary for the applications and uses an additional Azure AD B2C tenant to orchestrate interaction between regional tenants.

+## Regional tenant orchestration

+In this model, applications are either hosted per region, or have a per region configurations to connect to a regional tenant. Applications directly send the user to a region-specific tenant. Cross tenant communication is used to perform cross tenant authentications, or profile updates across tenants, when the user may have traveled to a different region.

+

+## Funnel tenant orchestration

+In this model, an Azure AD B2C tenant funnels users to regional Azure AD B2C tenants. The funnel tenant functions as a redirect orchestrator to other Azure AD B2C tenants. This is handled by a globally distributed component of the Azure AD B2C service, therefore performance is unaffected. This redirection is performed using OpenId Connect identity provider federations.

+Cross tenant communication is used to perform cross tenant authentications, or profile updates across tenants. The funnel tenant provides applications a single endpoint to communicate with.

+

+The architecture you decide to model the solution after, requires making choices based on the trade-offs between the two models described. For example, the funnel model enables you to maintain a single instance of applications. The following section describes the capabilities, selection criteria, and performance that might impact the design you choose.

+## Capabilities and considerations

+The following table describes the capabilities provided using a regional versus funnel-based design:

+| Capability| Region-based| Funnel-based |

+| - | - | - |

+| Supports local account sign-up and sign-in| |  |

+| Supports federated account sign-up and sign-in| |  |

+| Supports authenticating local accounts for users signing in from outside their registered region| |  |

+| Supports authenticating federated accounts for users signing in from outside their registered region using cross-tenant API-based look up| |  |

+| Prevents sign up from multiple different regions| |  |

+| Applications in each region have a set of endpoints to connect with| | |

+| All applications connect to a single set of endpoints, regardless of which region they're hosted| |  |

+| Supports fine-grained Conditional Access policies.| | |

+| Optimized for cost.| | |

+Based on the capabilities, the following considerations must be taken into account:

+* When using the region-based approach, the primary consideration is that the approach requires applications spanning multiple regions to have respective configurations for each regional Azure AD B2C tenant.

+* When using the funnel-based approach

+ * There's a double-token cost

+ * There's an additional HTTP redirect introduced

+ * Custom domains are required on many tenants

+ * Conditional Access is applied at the tenant level, not application level

+ * Single sign out through multiple IdPs might introduce challenges

+The approach you choose will be based on the number of applications you host and the specific requirements for access to the applications.

+## Performance

+The performance advantage of using multiple tenants, in either the regional or funnel-based configuration, will be an improvement over using a single Azure AD B2C tenant for globally operating businesses.

+When using the funnel-based approach, the funnel tenant is located in one specific region and serve users globally. Since the funnel tenants operation utilizes a global component of the Azure AD B2C service, it maintains a consistent level of performance regardless of where users log in from.

+

+As shown in the diagram above, the Azure AD B2C tenant in the funnel-based approach will only utilize the Policy Engine to perform the redirection to regional Azure AD B2C tenants. The Azure AD B2C Policy Engine component is globally distributed. Therefore, the funnel isn't constrained from a performance perspective, regardless of where the Azure AD B2C funnel tenant is provisioned. A performance loss is encountered due to the extra redirect between funnel and regional tenants in the funnel-based approach.

+In the regional-based approach, since each user is directed to their most local Azure AD B2C, performance is consistent for all users logging in.

+The regional tenants will perform directory calls into the Directory Store, which is the only regionalized component in both the funnel-based and regional-based architectures.

+Additional latency is only encountered when the user has performed an authentication in a different region from which they had signed-up in. This is because, calls will be made across regions to reach the Directory Store where their profile lives to complete their authentication.

+## Next steps

+- [Azure AD B2C global identity proof of concept regional-based configuration](b2c-global-identity-proof-of-concept-regional.md)

+- [Azure AD B2C global identity proof of concept funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md)

+- [Build a global identity solution with funnel-based approach](b2c-global-identity-funnel-based-design.md)

+- [Build a global identity solution with region-based approach](b2c-global-identity-region-based-design.md)

+1. Select **Users**, and then select **Bulk Operations** and **Download Users**.

+1. Select **Start**, and then select **File is ready! Click here to download**.

+## Revoke a consumer user's session

+Currently, Azure AD B2C doesn't support user session revocation from the Azure portal. However, you can achieve this task by using Microsoft Graph PowerShell or [Microsoft Graph API](/graph/api/user-revokesigninsessions). If you choose to use Microsoft Graph PowerShell, use the following steps:

+1. If you haven't done so, install [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation#installation) module.

+1. In your Windows PowerShell, run the following command, then respond to the prompts. This command allows you to sign in with the required scopes. You need to sign in with your Azure AD B2C admin account to consent to the required scopes:

+ ```powershell

+ Connect-MgGraph -Scopes "User.ReadWrite.All"

+ ```

+1. After you successfully sign in, run the following command in your Windows PowerShell. Replace `$userId` with the consumer user's *objectId* or *UPN*.

+ ```powershell

+ Revoke-MgUserSign -UserId $userId

+ ```

+For automated user management scenarios, for example migrating users from another identity provider to your Azure AD B2C directory, see [Azure AD B2C: User migration](user-migration.md).

+>[!NOTE]

+>This feature is in public preview.

+| [Go-Local add-on](data-residency.md#go-local-add-on) | Azure AD Go-Local add-on enables you to store data in the country/region you choose when your Azure AD tenant.| Just like Azure AD, Azure AD B2C supports [Go-Local add-on](data-residency.md#go-local-add-on). |

+ Title: Manage directory size quota in Azure Active Directory B2C

+description: Learn how to manage directory size quota in your Azure AD B2C tenant

+# Manage directory size quota of your Azure Active Directory B2C tenant

+It's important that you monitor how you use your Azure Active Directory (AD) B2C directory quota. Directory quota has a given size that is expressed in number of objects. These objects include user accounts, app registrations, groups, etc. When the number of objects in your tenant reach quota size, the directory will generate an error when trying to create a new object.

+## Monitor directory quota usage in your Azure AD B2C tenant

+

+1. Use the steps in [Register an application](client-credentials-grant-flow.md#step-2-register-an-application) to register an app in your tenant, which uses client credentials flow. Record the **Application (client) ID** for use in a later.

+1. Use the steps in [Create a client secret](client-credentials-grant-flow.md#step-2-register-an-application) to configure a client secret for your app. Record the secret's **Value**. You'll use this value for configuration in a later step.

+1. For your app to call Microsoft Graph API, you need to grant it the required permissions. To do so, use the steps in [Grant API access](microsoft-graph-get-started.md?tabs=app-reg-ga#grant-api-access), but only grant **Organization.Read.All** permission.

+1. Run the following PowerShell script. Replace the placeholder:

+ 1. `[TenantId]` with your Azure AD B2C tenant ID. Learn [how to read your tenant ID](tenant-management-read-tenant-name.md#get-your-tenant-id)

+

+ 1. `[ClientID]` with the Application (client) ID that you copied earlier.

+

+ 1. `[ClientSecret]` with the application client secret value that you copied earlier.

+

+```ps

+$tenantId = "[TenantId]"

+$clientId = "[ClientID]"

+$clientSecret = "[ClientSecret]"

+## Use Client Credentials flow to get token to call Graph API

+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

+$headers.Add("Content-Type", "application/x-www-form-urlencoded")

+$body = "grant_type=client_credentials&client_id=" + $clientId + "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=" + $clientSecret

+$endpoint = "https://login.microsoftonline.com/" + $tenantId + "/oauth2/v2.0/token"

+$response = Invoke-RestMethod $endpoint -Method "POST" -Headers $headers -Body $body

+## Call Graph API using token obtained in previous step

+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

+$headers.Add("Authorization", "Bearer " + $response.access_token)

+$response = Invoke-RestMethod 'https://graph.microsoft.com/beta/organization?$select=directorySizeQuota' -Method 'GET' -Headers $headers

+$response | ConvertTo-Json

+```

+The response from the API call looks similar to the following json:

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#organization(directorySizeQuota)",

+ "value": [

+ {

+ "directorySizeQuota": {

+ "used": 211802,

+ "total": 300000

+ }

+ }

+ ]

+}

+```

+- The attribute `total` is the maximum number of objects allowed in the directory.

+- The attribute `used` is the number of objects you already have in the directory.

+If your tenant usage is higher that 80%, you can remove inactive users or request for a quota increase.

+## Request increase directory quota size

+You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md)

+## Next steps

+- Learn [how to manage inactive user accounts](user-manage-inactive.md).

+ Title: Manage inactive users in Azure Active Directory B2C

+description: Learn how to manage inactive users and remove unused accounts

+# Manage inactive users in your Azure Active Directory B2C tenant

+We recommend that you monitor your user accounts. Monitoring your user accounts enables you to discover inactive user accounts, which consume your Azure Active Directory (AD) B2C directory quota. Monitoring user accounts also help you to reduce the overall attack surface.

+## List inactive users in your Azure AD B2C tenant

+

+1. Use the steps in [Register an application](client-credentials-grant-flow.md#step-2-register-an-application) to register an app in your tenant, which uses client credentials flow. Record the **Application (client) ID** for use in a later.

+1. Use the steps in [Create a client secret](client-credentials-grant-flow.md#step-2-register-an-application) to configure a client secret for your app. Record the secret's **Value**. You will use this value for configuration in a later step.

+1. For your app to call Microsoft Graph API, you need to grant it the required permissions. To do so, use the steps in [Grant API access](microsoft-graph-get-started.md?tabs=app-reg-ga#grant-api-access), but only grant **User.Read.All** and **AuditLog.Read.All** permissions.

+1. Run the following PowerShell script. Replace:

+ 1. `[TenantId]` with your Azure AD B2C tenant ID. Learn [how to read your tenant ID](tenant-management-read-tenant-name.md#get-your-tenant-id)

+

+ 1. `[ClientID]` with the Application (client) ID that you copied earlier.

+

+ 1. `[ClientSecret]` with the application client secret value that you copied earlier.

+```ps

+$tenantId = "[TenantId]"

+$clientId = "[ClientID]"

+$clientSecret = "[ClientSecret]"

+## Use Client Credentials flow to get token to call Graph API

+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

+$headers.Add("Content-Type", "application/x-www-form-urlencoded")

+$body = "grant_type=client_credentials&client_id=" + $clientId + "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=" + $clientSecret

+$endpoint = "https://login.microsoftonline.com/" + $tenantId + "/oauth2/v2.0/token"

+$response = Invoke-RestMethod $endpoint -Method "POST" -Headers $headers -Body $body

+## Call Graph API using token obtained in previous step

+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

+$headers.Add("Authorization", "Bearer " + $response.access_token)

+$response = Invoke-RestMethod 'https://graph.microsoft.com/beta/users?$select=displayName,signInActivity' -Method 'GET' -Headers $headers

+$response | ConvertTo-Json

+```

+The following JSON shows an example of the results:

+```json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(displayName,signInActivity)",

+ "value": [

+ {

+ "id": "[object id]",

+ "displayName": "Martin Balaz",

+ "signInActivity": "@{lastSignInDateTime=2023-03-28T20:08:07Z; lastSignInRequestId=c43ac6b5-c644-456f-832d-ea323bf1cf00; lastNonInteractiveSignInDateTime=; lastNonInteractiveSignInRequestId=}"

+ },

+ {

+ "id": "[object id]",

+ "displayName": "Takuya Miura",

+ "signInActivity": "@{lastSignInDateTime=2023-03-28T20:08:26Z; lastSignInRequestId=3f546eba-ba9b-4bc4-9bd3-b5b6fa5fce00; lastNonInteractiveSignInDateTime=; lastNonInteractiveSignInRequestId=}"

+ }

+ ]

+}

+```

+The attribute lastSignInDateTime shows the last sign in date.

+## Delete inactive users in your Azure AD B2C tenant

+To delete a user in your Azure AD B2C tenant, you need to call the [Delete a user](/graph/api/user-delete) Microsoft Graph API. To call this API you need to grant your app **User.ReadWrite.All** Microsoft Graph API permission as explained earlier.

+>[!NOTE]

+>DELETE /graph/api/user-delete

+The following PowerShell script reads all users with sign in date before a given date, then attempts to delete them. Before you run it, replace the `[TenantId]`, `[ClientID]` and `[ClientSecret]` placeholders with appropriate values as explained earlier. Also replace `[Date]` with a date that you consider appropriate to determine if a user is considered inactive. For example: 2023-04-30T00:00:00Z

+```ps

+$tenantId = "[TenantId]"

+$clientId = "[ClientID]"

+$clientSecret = "[ClientSecret]"

+## Use Client Credentials flow to get token to call Graph API

+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

+$headers.Add("Content-Type", "application/x-www-form-urlencoded")

+$body = "grant_type=client_credentials&client_id=" + $clientId + "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=" + $clientSecret

+$endpoint = "https://login.microsoftonline.com/" + $tenantId + "/oauth2/v2.0/token"

+$response = Invoke-RestMethod $endpoint -Method "POST" -Headers $headers -Body $body

+# $response | ConvertTo-Json

+## Call Graph API using token obtained in previous step

+$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

+$headers.Add("Authorization", "Bearer " + $response.access_token)

+$response = Invoke-RestMethod 'https://graph.microsoft.com/beta/users?$select=displayName,signInActivity&$filter=signInActivity/lastSignInDateTime le [Date]' -Method 'GET' -Headers $headers

+$response | ConvertTo-Json

+## Call Graph API to delete the users obtained in the previous query

+foreach ($value in $response.value) {

+ $deleteEndpoint = "https://graph.microsoft.com/v1.0/users/" + $value.id

+ $deleteResponse = Invoke-RestMethod $deleteEndpoint -Method 'DELETE' -Headers $headers

+}

+```

+The **incremental cycle** may also take longer than the duration we have documented above. Some of the factors that influence this duration are:

+- The number of changes on the individual objects properties.

+- The number of changes on the groups memberships.

+- The scope of assignment configured for the app. Configuration of **sync assigned users and groups only** is recommended where possible.

+## Updating a custom connector dll

+When updating a connector, ensure that the dll is updated in all required locations. Use the steps below to properly update your custom connector dll:

+1. Close the Microsoft ECMA2Host Configuration Wizard.

+2. Stop the Microsoft ECMA2Host service.

+3. Manually update the custom connector dll into the following folders.

+ 1. ECMA

+ 2. ECMA > Cache > {connector name}

+ 3. ECMA > Cache > {connector name} > AutosyncService

+4. Start the Microsoft ECMA2Host service.

+

+ > [!NOTE]

+ > If multiple connectors are using the same custom dll, you will need to complete step 3.ii and 3.iii for each connector.

+

+## Requirements

+Custom connectors built for MIM rely on the [ECMA framework](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)). Please ensure that you are following best practices such as:

+* Ensuring that methods in your connector are declared as public

+* Excluding prefixes from method names. For example:

+ * **Correct:** public Schema GetSchema (KeyedCollection<string, ConfigParameter> configParameters)

+ * **Incorrect:** Schema PrefixGetSchema.GetSchema (KeyedCollection<string, ConfigParameter> configParameters)

+

+The following table includes capabilities of the ECMA framework that are either partially supported or not supported by the Azure AD provisioning agent. For a list of known limitations for the Azure AD provisioning service and on-premises application provisioning, see [here](known-issues.md#on-premises-application-provisioning).

+| Concurrent operations | Ignored | |

+| DeleteAddAsReplace | Ignored | |

+This topology supports business requirements where attribute mapping and provisioning logic differ based on user type (employee/contractor), user location or user's business unit. You can also use this topology to delegate the administration and maintenance of inbound user provisioning based on division or country/region.

+1. Use Workday **Maintain Localization Settings task -> Personal Information** area to activate pronoun data for different countries/regions.

+ Title: Android certificate-based authentication with federation

+description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication in solutions with Android devices

+# Azure Active Directory certificate-based authentication with federation on Android

+Android devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:

+* Office mobile applications such as Microsoft Outlook and Microsoft Word

+* Exchange ActiveSync (EAS) clients

+Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

+## Microsoft mobile applications support

+| Apps | Support |

+| | |

+| Azure Information Protection app |![Check mark signifying support for this application][1] |

+| Intune Company Portal |![Check mark signifying support for this application][1] |

+| Microsoft Teams |![Check mark signifying support for this application][1] |

+| OneNote |![Check mark signifying support for this application][1] |

+| OneDrive |![Check mark signifying support for this application][1] |

+| Outlook |![Check mark signifying support for this application][1] |

+| Power BI |![Check mark signifying support for this application][1] |

+| Skype for Business |![Check mark signifying support for this application][1] |

+| Word / Excel / PowerPoint |![Check mark signifying support for this application][1] |

+| Yammer |![Check mark signifying support for this application][1] |

+### Implementation requirements

+The device OS version must be Android 5.0 (Lollipop) and above.

+A federation server must be configured.

+For Azure Active Directory to revoke a client certificate, the AD FS token must have the following claims:

+* `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>`

+ (The serial number of the client certificate)

+* `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>`

+ (The string for the issuer of the client certificate)

+Azure Active Directory adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.

+As a best practice, you should update your organization's AD FS error pages with the following information:

+* The requirement for installing the Microsoft Authenticator on Android.

+* Instructions on how to get a user certificate.

+For more information, see [Customizing the AD FS Sign-in Pages](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)).

+Office apps with modern authentication enabled send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.

+You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task:

+```powershell

+Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled

+```

+## Exchange ActiveSync clients support

+Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are supported. To determine if your email application does support this feature, contact your application developer.

+## Next steps

+If you want to configure certificate-based authentication in your environment, see [Get started with certificate-based authentication on Android](active-directory-certificate-based-authentication-get-started.md) for instructions.

+<!--Image references-->

+[1]: ./media/active-directory-certificate-based-authentication-android/ic195031.png

+ Title: Certificate-based authentication with federation

+description: Learn how to configure certificate-based authentication with federation in your environment

+# Get started with certificate-based authentication in Azure Active Directory with federation

+Certificate-based authentication (CBA) with federation enables you to be authenticated by Azure Active Directory with a client certificate on a Windows, Android, or iOS device when connecting your Exchange online account to:

+- Microsoft mobile applications such as Microsoft Outlook and Microsoft Word

+- Exchange ActiveSync (EAS) clients

+Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

+>[!NOTE]

+>As an alternative, organizations can deploy Azure AD CBA without needing federation. For more information, see [Overview of Azure AD certificate-based authentication against Azure Active Directory](concept-certificate-based-authentication.md).

+This topic:

+- Provides you with the steps to configure and utilize CBA for users of tenants in Office 365 Enterprise, Business, Education, and US Government plans.

+- Assumes that you already have a [public key infrastructure (PKI)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831740(v=ws.11)) and [AD FS](../hybrid/how-to-connect-fed-whatis.md) configured.

+## Requirements

+To configure CBA with federation, the following statements must be true:

+- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication, or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Azure AD CBA without needing federation, see [How to configure Azure AD certificate-based authentication](how-to-certificate-based-authentication.md).

+- The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.

+- Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.

+- You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.

+- For Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.

+- Your client device must have access to at least one certificate authority that issues client certificates.

+- A client certificate for client authentication must have been issued to your client.

+>[!IMPORTANT]

+>The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds. If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.

+## Step 1: Select your device platform

+As a first step, for the device platform you care about, you need to review the following:

+- The Office mobile applications support

+- The specific implementation requirements

+The related information exists for the following device platforms:

+- [Android](active-directory-certificate-based-authentication-android.md)

+- [iOS](active-directory-certificate-based-authentication-ios.md)

+## Step 2: Configure the certificate authorities

+### Connect

+### Retrieve

+### Add

+### Remove

+### Modify

+## Step 3: Configure revocation

+## Step 4: Test your configuration

+### Testing your certificate

+As a first configuration test, you should try to sign in to [Outlook Web Access](https://outlook.office365.com) or [SharePoint Online](https://microsoft.sharepoint.com) using your **on-device browser**.

+If your sign-in is successful, then you know that:

+- The user certificate has been provisioned to your test device

+- AD FS is configured correctly

+### Testing Office mobile applications

+1. On your test device, install an Office mobile application (for example, OneDrive).

+1. Launch the application.

+1. Enter your username, and then select the user certificate you want to use.

+You should be successfully signed in.

+### Testing Exchange ActiveSync client applications

+To access Exchange ActiveSync (EAS) via certificate-based authentication, an EAS profile containing the client certificate must be available to the application.

+The EAS profile must contain the following information:

+- The user certificate to be used for authentication

+- The EAS endpoint (for example, outlook.office365.com)

+An EAS profile can be configured and placed on the device through the utilization of Mobile device management (MDM) such as Microsoft Intune or by manually placing the certificate in the EAS profile on the device.

+### Testing EAS client applications on Android

+1. Configure an EAS profile in the application that satisfies the requirements in the prior section.

+2. Open the application, and verify that mail is synchronizing.

+## Next steps

+[Additional information about certificate-based authentication on Android devices.](active-directory-certificate-based-authentication-android.md)

+[Additional information about certificate-based authentication on iOS devices.](active-directory-certificate-based-authentication-ios.md)

+ Title: Certificate-based authentication with federation on iOS

+description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication for Azure Active Directory in solutions with iOS devices

+# Azure Active Directory certificate-based authentication with federation on iOS

+To improve security, iOS devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory (Azure AD) using a client certificate on their device when connecting to the following applications or

+* Office mobile applications such as Microsoft Outlook and Microsoft Word

+* Exchange ActiveSync (EAS) clients

+Using certificates eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device.

+## Microsoft mobile applications support

+| Apps | Support |

+| | |

+| Azure Information Protection app |![Check mark signifying support for this application][1] |

+| Company Portal |![Check mark signifying support for this application][1] |

+| Microsoft Teams |![Check mark signifying support for this application][1] |

+| Office (mobile) |![Check mark signifying support for this application][1] |

+| OneNote |![Check mark signifying support for this application][1] |

+| OneDrive |![Check mark signifying support for this application][1] |

+| Outlook |![Check mark signifying support for this application][1] |

+| Power BI |![Check mark signifying support for this application][1] |

+| Skype for Business |![Check mark signifying support for this application][1] |

+| Word / Excel / PowerPoint |![Check mark signifying support for this application][1] |

+| Yammer |![Check mark signifying support for this application][1] |

+## Requirements

+To use CBA with iOS, the following requirements and considerations apply:

+* The device OS version must be iOS 9 or above.

+* Microsoft Authenticator is required for Office applications on iOS.

+* An identity preference must be created in the macOS Keychain that includes the authentication URL of the AD FS server. For more information, see [Create an identity preference in Keychain Access on Mac](https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac).

+The following Active Directory Federation Services (AD FS) requirements and considerations apply:

+* The AD FS server must be enabled for certificate authentication and use federated authentication.

+* The certificate needs to have to use Enhanced Key Usage (EKU) and contain the UPN of the user in the *Subject Alternative Name (NT Principal Name)*.

+## Configure AD FS

+For Azure AD to revoke a client certificate, the AD FS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:

+* `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` - add the serial number of your client certificate

+* `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` - add the string for the issuer of your client certificate

+As a best practice, you also should update your organization's AD FS error pages with the following information:

+* The requirement for installing the Microsoft Authenticator on iOS.

+* Instructions on how to get a user certificate.

+For more information, see [Customizing the AD FS sign in page](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)).

+## Use modern authentication with Office apps

+Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to AD FS as `wauth=usernamepassworduri` (asks AD FS to do U/P Auth) and `wfresh=0` (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.

+To update the default behavior, set the '*PromptLoginBehavior*' in your federated domain settings to *Disabled*. You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task, as shown in the following example:

+```powershell

+Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled

+```

+## Support for Exchange ActiveSync clients

+On iOS 9 or later, the native iOS mail client is supported. To determine if this feature is supported for all other Exchange ActiveSync applications, contact your application developer.

+## Next steps

+To configure certificate-based authentication in your environment, see [Get started with certificate-based authentication](active-directory-certificate-based-authentication-get-started.md) for instructions.

+<!--Image references-->

+[1]: ./media/active-directory-certificate-based-authentication-ios/ic195031.png

+## Usable and non-usable methods

+Administrators can view user authentication methods in the Azure portal. Usable methods are listed first, followed by non-usable methods.

+Each authentication method can become non-usable for different reasons. For example, a Temporary Access Pass may expire, or FIDO2 security key may fail attestation. The portal will be updated to provide the reason for why the method is non-usable.

+Microsoft doesn't guarantee consistent SMS or voice-based Azure AD Multi-Factor Authentication prompt delivery by the same number. In the interest of our users, we may add or remove short codes at any time as we make route adjustments to improve SMS deliverability. Microsoft doesn't support short codes for countries/regions besides the United States and Canada.

+| FAQ|[Password management frequently asked questions](./passwords-faq.yml) |

+* Follow [Password management frequently asked questions](./passwords-faq.yml)

+You can register this redirect URI in your app registration using the [Azure portal](https://portal.azure.com/). For more information on Azure AD app registration, see [Integrating with Azure Active Directory](../develop/how-to-integrate.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).

+This redirect URI needs to be specified in your app registration using the [Azure portal](https://portal.azure.com/). For more information on Azure AD app registration, see [Integrating with Azure Active Directory](../develop/how-to-integrate.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).

+[ACOM-How-To-Integrate]: ../develop/how-to-integrate.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json

+CAE only has insight into [IP-based named locations](../conditional-access/location-condition.md#ipv4-and-ipv6-address-ranges). CAE doesn't have insight into other location conditions like [MFA trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips) or country/region-based locations. When a user comes from an MFA trusted IP, trusted location that includes MFA Trusted IPs, or country/region location, CAE won't be enforced after that user moves to a different location. In those cases, Azure AD will issue a one-hour access token without instant IP enforcement check.

+### Countries/regions

+Organizations can determine country/region location by IP address or GPS coordinates.

+### Block countries/regions from which you never expect a sign-in.

+Azure active directory allows you to create [named locations](location-condition.md). Create the list of countries/regions that are allowed, and then create a network block policy with these "allowed countries/regions" as an exclusion. This is less overhead for customers who are based in smaller geographic locations. **Be sure to exempt your emergency access accounts from this policy**.

+- Country/region location (resolving new IP or GPS coordinates)

+When you've completed the app registration, you have a globally unique instance of the app (the application object) that lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more.

+* For more information on application objects and service principals in the Microsoft identity platform, see [How and why applications are added to Azure AD](how-applications-are-added.md).

+ Title: How and why apps are added to Azure AD

+description: What does it mean for an application to be added to Azure AD and how do they get there?

+# How and why applications are added to Azure AD

+There are two representations of applications in Azure Active Directory (Azure AD):

+- [Application objects](app-objects-and-service-principals.md#application-object) - Although there are [exceptions](#notes-and-exceptions), application objects can be considered the definition of an application.

+- [Service principals](app-objects-and-service-principals.md#service-principal-object) - Can be considered an instance of an application.

+ Service principals generally reference an application object, and one application object can be referenced by multiple service principals across directories.

+## What are application objects and where do they come from?

+You can manage [application objects](app-objects-and-service-principals.md#application-object) in the Azure portal through the [App registrations](https://aka.ms/appregistrations) experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings. The application object will only exist in its home directory, even if it's a multi-tenant application supporting service principals in other directories. The application object may include (but not limited to) any of the following:

+- Name, logo, and publisher

+- Redirect URIs

+- Secrets (symmetric and/or asymmetric keys used to authenticate the application)

+- API dependencies (OAuth)

+- Published APIs/resources/scopes (OAuth)

+- App roles

+- Single sign-on (SSO) metadata and configuration

+- User provisioning metadata and configuration

+- Proxy metadata and configuration

+Application objects can be created through multiple pathways, including:

+- Application registrations in the Azure portal

+- Creating a new application using Visual Studio and configuring it to use Azure AD authentication

+- When an admin adds an application from the app gallery (which will also create a service principal)

+- Using the Microsoft Graph API or PowerShell to create a new application

+- Many others including various developer experiences in Azure and in API explorer experiences across developer centers

+## What are service principals and where do they come from?

+You can manage [service principals](app-objects-and-service-principals.md#service-principal-object) in the Azure portal through the [Enterprise Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/) experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory), and one or more service principal objects representing instances of the application in every directory in which it acts.

+The service principal can include:

+- A reference back to an application object through the application ID property

+- Records of local user and group application-role assignments

+- Records of local user and admin permissions granted to the application

+ - For example: permission for the application to access a particular user's email

+- Records of local policies including Conditional Access policy

+- Records of alternate local settings for an application

+ - Claims transformation rules

+ - Attribute mappings (User provisioning)

+ - Directory-specific app roles (if the application supports custom roles)

+ - Directory-specific name or logo

+Like application objects, service principals can also be created through multiple pathways including:

+- When users sign in to a third-party application integrated with Azure AD

+ - During sign-in, users are asked to give permission to the application to access their profile and other permissions. The first person to give consent causes a service principal that represents the application to be added to the directory.

+- When users sign in to Microsoft online services like [Microsoft 365](https://products.office.com/)

+ - When you subscribe to Microsoft 365 or begin a trial, one or more service principals are created in the directory representing the various services that are used to deliver all of the functionality associated with Microsoft 365.

+ - Some Microsoft 365 services like SharePoint create service principals on an ongoing basis to allow secure communication between components including workflows.

+- When an admin adds an application from the app gallery (this will also create an underlying app object)

+- Add an application to use the [Azure AD Application Proxy](../app-proxy/application-proxy.md)

+- Connect an application for SSO using SAML or password SSO

+- Programmatically via the Microsoft Graph API or PowerShell

+## How are application objects and service principals related to each other?

+An application has one application object in its home directory that is referenced by one or more service principals in each of the directories where it operates (including the application's home directory).

+![Shows relationship between app objects and service principals][apps_service_principals_directory]

+In the preceding diagram, Microsoft maintains two directories internally (shown on the left) that it uses to publish applications:

+- One for Microsoft Apps (Microsoft services directory)

+- One for pre-integrated third-party applications (App gallery directory)

+Application publishers/vendors who integrate with Azure AD are required to have a publishing directory (shown on the right as "Some software as a service (SaaS) Directory").

+Applications that you add yourself (represented as **App (yours)** in the diagram) include:

+- Apps you developed (integrated with Azure AD)

+- Apps you connected for SSO

+- Apps you published using the Azure AD application proxy

+### Notes and exceptions

+- Not all service principals point back to an application object. When Azure AD was originally built the services provided to applications were more limited, and the service principal was sufficient for establishing an application identity. The original service principal was closer in shape to the Windows Server Active Directory service account. For this reason, it's still possible to create service principals through different pathways, such as using Azure AD PowerShell, without first creating an application object. The Microsoft Graph API requires an application object before creating a service principal.

+- Not all of the information described above is currently exposed programmatically. The following are only available in the UI:

+ - Claims transformation rules

+ - Attribute mappings (User provisioning)

+- For more detailed information on the service principal and application objects, see the Microsoft Graph API reference documentation:

+ - [Application](/graph/api/resources/application)

+ - [Service Principal](/graph/api/resources/serviceprincipal)

+## Why do applications integrate with Azure AD?

+Applications are added to Azure AD to use one or more of the services it provides including:

+- Application authentication and authorization

+- User authentication and authorization

+- SSO using federation or password

+- User provisioning and synchronization

+- Role-based access control (RBAC) - Use the directory to define application roles to perform role-based authorization checks in an application

+- OAuth authorization services - Used by Microsoft 365 and other Microsoft applications to authorize access to APIs/resources

+- Application publishing and proxy - Publish an application from a private network to the internet

+- Directory schema extension attributes - [Extend the schema of service principal and user objects](active-directory-schema-extensions.md) to store additional data in Azure AD

+## Who has permission to add applications to my Azure AD instance?

+While there are some tasks that only global administrators can do (such as adding applications from the app gallery, and configuring an application to use the Application Proxy) by default all users in your directory have rights to register application objects that they're developing and discretion over which applications they share/give access to their organizational data through consent. If a person is the first user in your directory to sign in to an application and grant consent, that will create a service principal in your tenant. Otherwise, the consent grant information will be stored on the existing service principal.

+Allowing users to register and consent to applications might initially sound concerning, but keep the following reasons in mind:

+- Applications have been able to use Windows Server Active Directory for user authentication for many years without requiring the application to be registered or recorded in the directory. Now the organization will have improved visibility to exactly how many applications are using the directory and for what purpose.

+- Delegating these responsibilities to users negates the need for an admin-driven application registration and publishing process. With Active Directory Federation Services (ADFS) it was likely that an admin had to add an application as a relying party on behalf of their developers. Now developers can self-service.

+- Users signing in to applications using their organization accounts for business purposes is a good thing. If they subsequently leave the organization they'll automatically lose access to their account in the application they were using.

+- Having a record of what data was shared with which application is a good thing. Data is more transportable than ever and it's useful to have a clear record of who shared what data with which applications.

+- API owners who use Azure AD for OAuth decide exactly what permissions users are able to grant to applications and which permissions require an admin to agree to. Only admins can consent to larger scopes and more significant permissions, while user consent is scoped to the users' own data and capabilities.

+- When a user adds or allows an application to access their data, the event can be audited so you can view the Audit Reports within the Azure portal to determine how an application was added to the directory.

+If you still want to prevent users in your directory from registering applications and from signing in to applications without administrator approval, there are two settings that you can change to turn off those capabilities:

+- To change the user consent settings in your organization, see [Configure how users consent to applications](../manage-apps/configure-user-consent.md).

+- To prevent users from registering their own applications:

+ 1. In the Azure portal, go to the [User settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings) section under **App registrations**

+ 2. Change **Users can register applications** to **No**.

+<!--Image references-->

+[apps_service_principals_directory]: ../media/active-directory-how-applications-are-added/HowAppsAreAddedToAAD.jpg

+ Title: How to integrate with the Microsoft identity platform

+description: Learn the benefits of integrating your application with the Microsoft identity platform, and get resources for features like simplified sign-in, identity management, multi-factor authentication, and access control.

+# Integrating with the Microsoft identity platform

+In this article, you learn about the benefits of integrating your application with the Microsoft identity platform and get resources for integration. The Microsoft identity platform and Azure Active Directory (AD) provides organizations with enterprise-grade identity management for cloud applications. The Microsoft identity platform integration gives your users a streamlined sign-in experience, and helps your application conform to IT policy.

+## How to integrate

+There are several ways for your application to integrate with the Microsoft identity platform. Take advantage of as many or as few of these scenarios as is appropriate for your application.

+### Support the Microsoft identity platform as a way to sign in to your application

+**Reduce sign in friction and reduce support costs.** By using the Microsoft identity platform to sign in to your application, your users won't have one more name and password to remember. As a developer, you'll have one less password to store and protect. Not having to handle forgotten password resets may be a significant savings alone. The Microsoft identity platform powers sign in for some of the world's most popular cloud applications, including Microsoft 365 and Microsoft Azure. With hundreds of millions users from millions of organizations, chances are your user is already signed in to the Microsoft identity platform. Learn more about [adding support for the Microsoft identity platform sign in](./authentication-vs-authorization.md).

+**Simplify sign up for your application.** During sign up for your application, the Microsoft identity platform can send essential information about a user so that you can pre-fill your sign up form or eliminate it completely. Users can sign up for your application using their Azure AD account via a familiar consent experience similar to those found in social media and mobile applications. Any user can sign up and sign in to an application that is integrated with the Microsoft identity platform without requiring IT involvement. Learn more about [signing-up your application for Azure AD Account login](../../app-service/configure-authentication-provider-aad.md).

+### Browse for users, manage user provisioning, and control access to your application

+**Browse for users in the directory.** Use the Microsoft Graph API to help users search and browse for other people in their organization when inviting others or granting access, instead of requiring them to type email addresses. Users can browse using a familiar address book style interface, including viewing the details of the organizational hierarchy. Learn more about the [Microsoft Graph API](/graph/overview).

+**Re-use Active Directory groups and distribution lists your customer is already managing.** Azure AD contains the groups that your customer is already using for email distribution and managing access. Using the Microsoft Graph API, re-use these groups instead of requiring your customer to create and manage a separate set of groups in your application. Group information can also be sent to your application in sign in tokens. Learn more about the [Microsoft Graph API](/graph/overview).

+**Use the Microsoft identity platform to control who has access to your application.** Administrators and application owners in Azure AD can assign access to applications to specific users and groups. Using the Microsoft Graph API, you can read this list and use it to control provisioning and de-provisioning of resources and access within your application.

+**Use the Microsoft identity platform for Roles Based Access Control.** Administrators and application owners can assign users and groups to roles that you define when you register your application in Microsoft identity platform. Role information is sent to your application in sign in tokens and can also be read using the Microsoft Graph API. Learn more about [using the Microsoft identity platform for authorization](https://cloudblogs.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/).

+### Get access to users' profile, calendar, email, contacts, files, and more

+**The Microsoft identity platform is the authorization server for Microsoft 365 and other Microsoft business services.** If you support the Microsoft identity platform for sign in to your application or support linking your current user accounts to Azure AD user accounts using OAuth 2.0, you can request read and write access to a user's profile, calendar, email, contacts, files, and other information. You can seamlessly write events to user's calendar, and read or write files to their OneDrive. Learn more about [the Microsoft 365 APIs](/graph/overview).

+### Promote your application in the Azure and Microsoft 365 Marketplaces

+**Promote your application to the millions of organizations who are already using Azure AD.** Users who search and browse these marketplaces are already using one or more cloud services, making them qualified cloud service customers. Learn more about promoting your application in [the Azure Marketplace](https://azure.microsoft.com/marketplace/partner-program/).

+**When users sign up for your application, it will appear in their Azure AD access panel and Microsoft 365 app launcher.** Users will be able to quickly and easily return to your application later, improving user engagement. Learn more about the [Azure AD access panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+### Secure device-to-service and service-to-service communication

+**Using the Microsoft identity platform for identity management of services and devices reduces the code you need to write and enables IT to manage access.** Services and devices can get tokens from the Microsoft identity platform using OAuth and use those tokens to access web APIs. Using the Microsoft identity platform you can avoid writing complex authentication code. Since the identities of the services and devices are stored in Azure AD, IT can manage keys and revocation in one place instead of having to do this separately in your application.

+## Benefits of integration

+Integration with the Microsoft identity platform comes with benefits that do not require you to write additional code.

+### Integration with enterprise identity management

+**Help your application comply with IT policies.** Organizations integrate their enterprise identity management systems with Microsoft identity platform, so when a person leaves an organization, they will automatically lose access to your application without IT needing to take extra steps. IT can manage who can access your application and determine what access policies are required - for example multi-factor authentication - reducing your need to write code to comply with complex corporate policies. Azure AD provides administrators with a detailed audit log of who signed in to your application so IT can track usage.

+**Azure AD extends Active Directory to the cloud so that your application can integrate with AD.** Many organizations around the world use Active Directory as their principal sign-in and identity management system, and require their applications to work with AD. Integrating with Azure AD integrates your app with Active Directory.

+### Advanced security features

+**Multi-factor authentication.** The Microsoft identity platform provides native multi-factor authentication. IT administrators can require multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn more about [Multi-Factor Authentication](/azure/multi-factor-authentication/).

+**Anomalous sign in detection.** The Microsoft identity platform processes more than a billion sign-ins a day, while using machine learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting the Microsoft identity platform sign-in, your application gets the benefit of this protection. Learn more about [viewing Azure Active Directory access report](../reports-monitoring/overview-reports.md).

+**Conditional Access.** In addition to multi-factor authentication, administrators can require specific conditions be met before users can sign-in to your application. Conditions that can be set include the IP address range of client devices, membership in specified groups, and the state of the device being used for access. Learn more about [Azure Active Directory Conditional Access](../conditional-access/overview.md).

+### Easy development

+**Industry standard protocols.** Microsoft is committed to supporting industry standards. The Microsoft identity platform supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. Learn more about the [Microsoft identity platform authentication protocols](active-directory-v2-protocols.md).

+**Open source libraries.** Microsoft provides fully supported open source libraries for popular languages and platforms to speed development. The source code is licensed under Apache 2.0, and you are free to fork and contribute back to the projects. Learn more about the [Microsoft Authentication Library (MSAL)](reference-v2-libraries.md).

+### Worldwide presence and high availability

+**Azure AD is deployed in datacenters around the world and is managed and monitored around the clock.** Azure AD is the identity management system for Microsoft Azure and Microsoft 365 and is deployed in 28 datacenters around the world. Directory data is guaranteed to be replicated to at least three datacenters. Global load balancers ensure users access the closest copy of Azure AD containing their data, and automatically re-route requests to other datacenters if a problem is detected.

+## Next steps

+[Get started writing code](v2-overview.md#getting-started).

+[Sign users in using the Microsoft identity platform](./authentication-vs-authorization.md)

+ Title: Optional claims reference

+description: Claims reference with details on the optional claims that can be included in tokens in the Microsoft identity platform.

+# Optional claims reference

+You can use optional claims to:

+- Select claims to include in tokens for your application.

+- Change the behavior of certain claims that the Microsoft identity platform returns in tokens.

+- Add and access custom claims for your application.

+While optional claims are supported in both v1.0 and v2.0 format tokens and SAML tokens, they provide most of their value when moving from v1.0 to v2.0. In the Microsoft identity platform, smaller token sizes are used to ensure optimal performance by clients. As a result, several claims formerly included in the access and ID tokens are no longer present in v2.0 tokens and must be asked for specifically on a per-application basis.

+| Account Type | v1.0 tokens | v2.0 tokens |

+|--|-|-|

+| Personal Microsoft account | N/A | Supported |

+| Azure AD account | Supported | Supported |

+## v1.0 and v2.0 optional claims set

+The set of optional claims available by default for applications to use are listed in the following table. You can use custom data in extension attributes and directory extensions to add optional claims for your application. When you add claims to the access token, the claims apply to access tokens requested *for* the application (a web API), not claims requested *by* the application. No matter how the client accesses your API, the right data is present in the access token that's used to authenticate against your API.

+> [!NOTE]

+>The majority of these claims can be included in JWTs for v1.0 and v2.0 tokens, but not SAML tokens, except where noted in the Token Type column. Consumer accounts support a subset of these claims, marked in the User Type column. Many of the claims listed don't apply to consumer users (they have no tenant, so `tenant_ctry` has no value).

+The following table lists the v1.0 and v2.0 optional claim set.

+| Name | Description | Token Type | User Type | Notes |

+||-||--|-|

+| `acct` | Users account status in tenant | JWT, SAML | | If the user is a member of the tenant, the value is `0`. If they're a guest, the value is `1`. |

+| `auth_time` | Time when the user last authenticated. | JWT | | |

+| `ctry` | User's country/region | JWT | | This claim is returned if it's present and the value of the field is a standard two-letter country/region code, such as FR, JP, SZ, and so on. |

+| `email` | The reported email address for this user | JWT, SAML | MSA, Azure AD | This value is included if the user is a guest in the tenant. For managed users (the users inside the tenant), it must be requested through this optional claim or, on v2.0 only, with the OpenID scope. This value isn't guaranteed to be correct, and is mutable over time - never use it for authorization or to save data for a user. For more information, see [Secure applications and APIs by validating claims](claims-validation.md). If you require an addressable email address in your app, request this data from the user directly, using this claim as a suggestion or prefill in your UX. |

+| `fwd` | IP address | JWT | | Adds the original IPv4 address of the requesting client (when inside a VNET). |

+| `groups` | Optional formatting for group claims | JWT, SAML | | The `groups` claim is used with the GroupMembershipClaims setting in the [application manifest](reference-app-manifest.md), which must be set as well. |

+| `idtyp` | Token type | JWT access tokens | Special: only in app-only access tokens | The value is `app` when the token is an app-only token. This claim is the most accurate way for an API to determine if a token is an app token or an app+user token. |

+| `login_hint` | Login hint | JWT | MSA, Azure AD | An opaque, reliable login hint claim that's base64 encoded. Don't modify this value. This claim is the best value to use for the `login_hint` OAuth parameter in all flows to get SSO. It can be passed between applications to help them silently SSO as well - application A can sign in a user, read the `login_hint` claim, and then send the claim and the current tenant context to application B in the query string or fragment when the user selects on a link that takes them to application B. To avoid race conditions and reliability issues, the `login_hint` claim *doesn't* include the current tenant for the user, and defaults to the user's home tenant when used. In a guest scenario where the user is from another tenant, a tenant identifier must be provided in the sign-in request. and pass the same to apps you partner with. This claim is intended for use with your SDK's existing `login_hint` functionality, however that it exposed. |

+| `sid` | Session ID, used for per-session user sign out | JWT | Personal and Azure AD accounts. | |

+| `tenant_ctry` | Resource tenant's country/region | JWT | | Same as `ctry` except set at a tenant level by an admin. Must also be a standard two-letter value. |

+| `tenant_region_scope` | Region of the resource tenant | JWT | | |

+| `upn` | UserPrincipalName | JWT, SAML | | An identifier for the user that can be used with the `username_hint` parameter. Not a durable identifier for the user and shouldn't be used for authorization or to uniquely identity user information (for example, as a database key). Instead, use the user object ID (`oid`) as a database key. For more information, see [Secure applications and APIs by validating claims](claims-validation.md). Users signing in with an [alternate login ID](../authentication/howto-authentication-use-email-signin.md) shouldn't be shown their User Principal Name (UPN). Instead, use the following ID token claims for displaying sign-in state to the user: `preferred_username` or `unique_name` for v1 tokens and `preferred_username` for v2 tokens. Although this claim is automatically included, you can specify it as an optional claim to attach other properties to modify its behavior in the guest user case. You should use the `login_hint` claim for `login_hint` use - human-readable identifiers like UPN are unreliable. |

+| `verified_primary_email` | Sourced from the user's PrimaryAuthoritativeEmail | JWT | | |

+| `verified_secondary_email` | Sourced from the user's SecondaryAuthoritativeEmail | JWT | | |

+| `vnet` | VNET specifier information. | JWT | | |

+| `xms_cc` | Client Capabilities | JWT | Azure AD | Indicates whether the client application that acquired the token is capable of handling claims challenges. Service applications (resource servers) can make use of this claim to authorize access to protected resources. This claim is commonly used in Conditional Access and Continuous Access Evaluation scenarios. The service application that issues the token controls the presence of the claim in it. This optional claim should be configured as part of the service app's registration. For more information, see [Claims challenges, claims requests and client capabilities](claims-challenge.md?tabs=dotnet). |

+| `xms_pdl` | Preferred data location | JWT | | For Multi-Geo tenants, the preferred data location is the three-letter code showing the geographic region the user is in. For more information, see the [Azure AD Connect documentation about preferred data location](../hybrid/how-to-connect-sync-feature-preferreddatalocation.md). |

+| `xms_pl` | User preferred language | JWT | | The user's preferred language, if set. Sourced from their home tenant, in guest access scenarios. Formatted LL-CC ("en-us"). |

+| `xms_tpl` | Tenant preferred language| JWT | | The resource tenant's preferred language, if set. Formatted LL ("en"). |

+| `ztdid` | Zero-touch Deployment ID | JWT | | The device identity used for `Windows AutoPilot`. |

+> [!WARNING]

+> Never use `email` or `upn` claim values to store or determine whether the user in an access token should have access to data. Mutable claim values like these can change over time, making them insecure and unreliable for authorization.

+## v2.0-specific optional claims set

+These claims are always included in v1.0 tokens, but not included in v2.0 tokens unless requested. These claims are only applicable for JWTs (ID tokens and access tokens).

+| JWT Claim | Name | Description | Notes |

+|--||-|-|

+| `ipaddr` | IP Address | The IP address the client logged in from. | |

+| `onprem_sid` | On-premises Security Identifier | | |

+| `pwd_exp` | Password Expiration Time | The number of seconds after the time in the `iat` claim at which the password expires. This claim is only included when the password is expiring soon (as defined by "notification days" in the password policy). | |

+| `pwd_url` | Change Password URL | A URL that the user can visit to change their password. This claim is only included when the password is expiring soon (as defined by "notification days" in the password policy). | |

+| `in_corp` | Inside Corporate Network | Signals if the client is logging in from the corporate network. If they're not, the claim isn't included. | Based off of the [trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips) settings in MFA. |

+| `family_name` | Last Name | Provides the last name, surname, or family name of the user as defined in the user object. For example, `"family_name":"Miller"`. | Supported in MSA and Azure AD. Requires the `profile` scope. |

+| `given_name` | First name | Provides the first or "given" name of the user, as set on the user object. For example, `"given_name": "Frank"`. | Supported in MSA and Azure AD. Requires the `profile` scope. |

+| `upn` | User Principal Name | An identifier for the user that can be used with the `username_hint` parameter. Not a durable identifier for the user and shouldn't be used for authorization or to uniquely identity user information (for example, as a database key). For more information, see [Secure applications and APIs by validating claims](claims-validation.md). Instead, use the user object ID (`oid`) as a database key. Users signing in with an [alternate login ID](../authentication/howto-authentication-use-email-signin.md) shouldn't be shown their User Principal Name (UPN). Instead, use the following `preferred_username` claim for displaying sign-in state to the user. | Requires the `profile` scope. |

+## v1.0-specific optional claims set

+Some of the improvements of the v2 token format are available to apps that use the v1 token format, as they help improve security and reliability. These improvements only apply to JWTs, not SAML tokens.

+| JWT Claim | Name | Description | Notes |

+|--||-|-|

+|`aud` | Audience | Always present in JWTs, but in v1 access tokens it can be emitted in various ways - any appID URI, with or without a trailing slash, and the client ID of the resource. This randomization can be hard to code against when performing token validation. Use `additionalProperties` for this claim to ensure it's always set to the resource's client ID in v1 access tokens. | v1 JWT access tokens only|

+|`preferred_username` | Preferred username | Provides the preferred username claim within v1 tokens. This claim makes it easier for apps to provide username hints and show human readable display names, regardless of their token type. It's recommended that you use this optional claim instead of using, `upn` or `unique_name`. | v1 ID tokens and access tokens |

+### `additionalProperties` of optional claims

+Some optional claims can be configured to change the way the claim is returned. These `additionalProperties` are mostly used to help migration of on-premises applications with different data expectations. For example, `include_externally_authenticated_upn_without_hash` helps with clients that can't handle hash marks (`#`) in the UPN.

+| Property name | `additionalProperty` name | Description |

+||--|-|

+| `upn` | | Can be used for both SAML and JWT responses, and for v1.0 and v2.0 tokens. |

+| | `include_externally_authenticated_upn` | Includes the guest UPN as stored in the resource tenant. For example, `foo_hometenant.com#EXT#@resourcetenant.com`. |

+| | `include_externally_authenticated_upn_without_hash` | Same as listed previously, except that the hash marks (`#`) are replaced with underscores (`_`), for example `foo_hometenant.com_EXT_@resourcetenant.com`. |

+| `aud` | | In v1 access tokens, this claim is used to change the format of the `aud` claim. This claim has no effect in v2 tokens or either version's ID tokens, where the `aud` claim is always the client ID. Use this configuration to ensure that your API can more easily perform audience validation. Like all optional claims that affect the access token, the resource in the request must set this optional claim, since resources own the access token. |

+| | `use_guid` | Emits the client ID of the resource (API) in GUID format as the `aud` claim always instead of it being runtime dependent. For example, if a resource sets this flag, and its client ID is `bb0a297b-6a42-4a55-ac40-09a501456577`, any app that requests an access token for that resource receives an access token with `aud` : `bb0a297b-6a42-4a55-ac40-09a501456577`. Without this claim set, an API could get tokens with an `aud` claim of `api://MyApi.com`, `api://MyApi.com/`, `api://myapi.com/AdditionalRegisteredField` or any other value set as an app ID URI for that API, and the client ID of the resource. |

+#### `additionalProperties` example

+```json

+"optionalClaims": {

+ "idToken": [

+ {

+ "name": "upn",

+ "essential": false,

+ "additionalProperties": [

+ "include_externally_authenticated_upn"

+ ]

+ }

+ ]

+}

+```

+This `optionalClaims` object causes the ID token returned to the client to include a `upn` claim with the other home tenant and resource tenant information. The `upn` claim is only changed in the token if the user is a guest in the tenant (that uses a different IDP for authentication).

+## See also

+- [Access token](access-tokens.md)

+- [ID token](id-tokens.md)

+## Next steps

+- Learn more about [configuring optional claims](optional-claims.md).

+ Title: Configure optional claims

+description: Learn how to configure optional claims in tokens issued by Microsoft identity platform.

+# Configure optional claims

+> [!IMPORTANT]

+> Access tokens are **always** generated using the manifest of the resource, not the client. In the request `...scope=https://graph.microsoft.com/user.read...`, the resource is the Microsoft Graph API. The access token is created using the Microsoft Graph API manifest, not the client's manifest. Changing the manifest for your application never causes tokens for the Microsoft Graph API to look different. To validate that your `accessToken` changes are in effect, request a token for your application, not another app.

+> The number of groups emitted in a token are limited to 150 for SAML assertions and 200 for JWT, including nested groups. For more information about group limits and important caveats for group claims from on-premises attributes, see [Configure group claims for applications](../hybrid/how-to-connect-fed-group-claims.md).

+- [Access tokens](access-tokens.md)

+- [Optional claims reference](optional-claims-reference.md)

+| AADSTS230109 | CachedCredentialNonGWAuthNRequestsNotSupported - Backup Auth Service only allows AuthN requests from AAD Gateway. This error is returned when traffic targets the backup auth service directly instead of going through the reverse proxy. |

+## Samples and guides

+Use the tabs to sort the samples by application type, or your preferred language/framework.

+# [**By app type**](#tab/apptype)

+### Single-page applications

+> | Angular | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call .NET Core web API](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>&#8226; [Call .NET Core web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>&#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>&#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/4-Deployment/README.md)| [MSAL Angular](/javascript/api/@azure/msal-angular/) | &#8226; Authorization code with PKCE<br/>&#8226; On-behalf-of (OBO) <br/>&#8226; Continuous Access Evaluation (CAE) |

+> | Blazor WebAssembly | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/MyOrg/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/B2C/README.md)<br/>&#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-graph-user/Call-MSGraph/README.md)<br/>&#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/Deploy-to-Azure/README.md) | [MSAL.js](/javascript/api/overview/msal-overview) | Implicit Flow |

+> | JavaScript | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api/README.md)<br/>&#8226; [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/README.md)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph/README.md)<br/>&#8226; [Call Node.js web API via OBO and CA](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/2-call-api-api-c)| [MSAL.js](/javascript/api/overview/msal-overview) | &#8226; Authorization code with PKCE<br/>&#8226; On-behalf-of (OBO) <br/>&#8226; Conditional Access |

+> | React | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md)<br/>&#8226; [Sign-in users on both server and client side apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/4-sign-in-hybrid/README.md)<br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call Azure REST API and Azure Storage](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/2-call-arm)<br/>&#8226; [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>&#8226; [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>&#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>&#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>&#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/1-deploy-storage/README.md)<br/>&#8226; [Deploy to Azure Static Web Apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/2-deploy-static/README.md)<br/>&#8226; [Use step-up authentication to call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/3-call-api-acrs/README.md)| [MSAL React](/javascript/api/@azure/msal-react) | &#8226; Authorization code with PKCE<br/>&#8226; On-behalf-of (OBO) <br/>&#8226; Conditional Access (CA) <br/>&#8226; Conditional Access Auth Context (acrs) <br/>&#8226; Continuous Access Evaluation (CAE) |

+### Web applications

+> | ASP.NET Core| ASP.NET Core Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/README.md) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-5-B2C/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md) <br/> &#8226; [Customize token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-2-TokenCache/README.md) <br/> &#8226; [Call Graph (multi-tenant)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md) <br/> &#8226; [Call Azure REST APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/3-WebApp-multi-APIs/README.md) <br/> &#8226; [Protect web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README.md) <br/> &#8226; [Protect web API (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) <br/> &#8226; [Protect multi-tenant web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/Readme.md) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) <br/> &#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/6-Deploy-to-Azure/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | &#8226; OpenID connect <br/> &#8226; Authorization code <br/> &#8226; On-Behalf-Of|

+> | Blazor | Blazor Server Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> &#8226; [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | [MSAL.NET](/entra/msal/dotnet) | Implicit/Hybrid flow|

+> | ASP.NET Core|[Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | On-Behalf-Of (OBO) |

+> | ASP.NET Core|[Use the Conditional Access auth context to perform step\-up authentication](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | Authorization code |

+> | ASP.NET Core|[Active Directory FS to Azure AD migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | &#8226; SAML <br/> &#8226; OpenID connect |

+> | ASP.NET | &#8226; [Microsoft Graph Training Sample](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) <br/> &#8226; [Sign in users and call Microsoft Graph with admin restricted scope](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) <br/> &#8226; [Quickstart: Sign in users](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) | [MSAL.NET](/entra/msal/dotnet) | &#8226; OpenID connect <br/> &#8226; Authorization code |

+> | Java </p> Spring |Azure AD Spring Boot Starter Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) <br/> &#8226; [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | &#8226; [MSAL Java](/java/api/com.microsoft.aad.msal4j) <br/> &#8226; Azure AD Boot Starter | Authorization code |

+> | Java </p> Servlets | Spring-less Servlet Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Authorization code |

+> | Node.js </p> Express | Express web app series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/1-sign-in/README.md)<br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/2-sign-in-b2c/README.md)<br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/2-Authorization/1-call-graph/README.md)<br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/3-Deployment/README.md)<br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/1-app-roles/README.md)<br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/2-security-groups/README.md) <br/> &#8226; [Web app that sign in users](https://github.com/Azure-Samples/ms-identity-node) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization code |

+> | Python </p> Flask | Flask Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/>&#8226; [A template to sign in AAD or B2C users, and optionally call a downstream API (Microsoft Graph)](https://github.com/Azure-Samples/ms-identity-python-webapp) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

+> | Python </p> Django | Django Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/2-Authorization-I/call-graph) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/3-Deployment/deploy-to-azure-app-service)| [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

+### Web API

+> | ASP.NET | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapi-onbehalfof) | [MSAL.NET](/entra/msal/dotnet) | On-Behalf-Of (OBO) |

+> | ASP.NET Core | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | [MSAL.NET](/entra/msal/dotnet) | On-Behalf-Of (OBO) |

+> | Java | [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | On-Behalf-Of (OBO) |

+> | Node.js | &#8226; [Protect a Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api) <br/> &#8226; [Protect a Node.js Web API with Azure AD B2C](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization bearer |

+### Desktop

+> | .NET Core | &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/1-Calling-MSGraph/1-1-AzureAD) <br/> &#8226; [Call Microsoft Graph with token cache](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/2-TokenCache) <br/> &#8226; [Call Microsoft Graph with custom web UI HTML](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/3-CustomWebUI/3-1-CustomHTML) <br/> &#8226; [Call Microsoft Graph with custom web browser](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/3-CustomWebUI/3-2-CustomBrowser) <br/> &#8226; [Sign in users with device code flow](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/4-DeviceCodeFlow) <br/> &#8226; [Authenticate users with MSAL.NET in a WinUI desktop application](https://github.com/Azure-Samples/ms-identity-netcore-winui) | [MSAL.NET](/entra/msal/dotnet) |&#8226; Authorization code with PKCE <br/> &#8226; Device code |

+> | .NET | [Invoke protected API with integrated Windows authentication](https://github.com/azure-samples/active-directory-dotnet-iwa-v2) | [MSAL.NET](/entra/msal/dotnet) | Integrated Windows authentication |

+> | Java | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Integrated-Windows-Auth-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Integrated Windows authentication |

+> | Node.js | [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-desktop) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization code with PKCE |

+> | PowerShell | [Call Microsoft Graph by signing in users using username/password](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | [MSAL.NET](/entra/msal/dotnet) | Resource owner password credentials |

+> | Python | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | [MSAL Python](/python/api/msal/overview-msal) | Resource owner password credentials |

+> | Universal Window Platform (UWP) | [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/2-With-broker) | [MSAL.NET](/entra/msal/dotnet) | Web account manager |

+> | Windows Presentation Foundation (WPF) | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+> | XAML | &#8226; [Sign in users and call ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+### Mobile

+> | .NET Core | &#8226; [Call Microsoft Graph using MAUI](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppBasic) <br/> &#8226; [Call Microsoft Graph using MAUI with broker](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppWithBroker) <br/> &#8226; [Call Active Directory B2C tenant using MAUI](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppB2C) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+> | iOS | &#8226; [Call Microsoft Graph native](https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc) <br/> &#8226; [Call Microsoft Graph with Azure AD nxoauth](https://github.com/azure-samples/active-directory-ios-native-nxoauth2-v2) | [MSAL iOS](https://github.com/AzureAD/microsoft-authentication-library-for-objc) | Authorization code with PKCE |

+> | Java | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-android-java) | [MSAL Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) | Authorization code with PKCE |

+> | Kotlin | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-android-kotlin) | [MSAL Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) | Authorization code with PKCE |

+> | Xamarin | &#8226; [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/1-Basic) <br/>&#8226; [Sign in users with broker and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/2-With-broker) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+### Service / daemon

+> | .NET Core | &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi) <br/> &#8226; [Using managed identity and Azure key vault](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/3-Using-KeyVault)| [MSAL.NET](/entra/msal/dotnet) | Client credentials grant|

+> | ASP.NET |[Multi-tenant with Microsoft identity platform endpoint](https://github.com/Azure-Samples/ms-identity-aspnet-daemon-webapp) | [MSAL.NET](/entra/msal/dotnet) | Client credentials grant|

+> | Java | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-certificate)| [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Client credentials grant|

+> | Node.js | [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) | [MSAL Node](/javascript/api/@azure/msal-node) | Client credentials grant |

+> | Python | &#8226; [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/1-Call-MsGraph-WithSecret) <br/> &#8226; [Call Microsoft Graph with certificate](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/2-Call-MsGraph-WithCertificate) | [MSAL Python](/python/api/msal/overview-msal)| Client credentials grant|

+### Azure Functions as web APIs

+> | .NET | [.NET Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-dotnet-webapi-azurefunctions) | [MSAL.NET](/entra/msal/dotnet) | Authorization code |

+> | Node.js | [Node.js Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization bearer |

+> | Node.js | [Call Microsoft Graph API on behalf of a user](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-onbehalfof-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | On-Behalf-Of (OBO)|

+> | Python | [Python Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

+### Headless

+> | .NET Core | [Invoke protected API from text-only device](https://github.com/azure-samples/active-directory-dotnetcore-devicecodeflow-v2) | [MSAL.NET](/entra/msal/dotnet) | Device code|

+> | Java | [Sign in users and invoke protected API from text-only device](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Device-Code-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Device code |

+> | Python | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-devicecodeflow) | [MSAL Python](/python/api/msal/overview-msal) | Device code |

+### Microsoft Teams applications

+> | Node.js | [Teams Tab app: single sign-on (SSO) and call Microsoft Graph](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/nodejs) | [MSAL Node](/javascript/api/@azure/msal-node) | On-Behalf-Of (OBO) |

+### Multi-tenant SaaS

+> | ASP.NET Core | [ASP.NET Core MVC web application calls Microsoft Graph API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-3-Multi-Tenant) | [MSAL.NET](/entra/msal/dotnet) | OpenID connect |

+> | ASP.NET Core | [ASP.NET Core MVC web application calls ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-3-AnyOrg) | [MSAL.NET](/entra/msal/dotnet) | Authorization code |

+> | Angular | [Angular single-page application calls ASP.NET Core web API](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/6-AdvancedScenarios/2-call-api-mt) | [MSAL Angular](/javascript/api/@azure/msal-angular/) | Authorization code |

+# [**By language/framework**](#tab/framework)

+### C#

+The following samples show how to build applications using the C# language and frameworks

+#### .NET

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Desktop | [Invoke protected API with integrated Windows authentication](https://github.com/azure-samples/active-directory-dotnet-iwa-v2) | [MSAL.NET](/entra/msal/dotnet) | Integrated Windows authentication |

+> | Headless | [.NET Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-dotnet-webapi-azurefunctions) | [MSAL.NET](/entra/msal/dotnet) | Authorization code |

+#### .NET Core

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Desktop | &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/1-Calling-MSGraph/1-1-AzureAD) <br/> &#8226; [Call Microsoft Graph with token cache](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/2-TokenCache) <br/> &#8226; [Call Microsoft Graph with custom web UI HTML](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/3-CustomWebUI/3-1-CustomHTML) <br/> &#8226; [Call Microsoft Graph with custom web browser](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/3-CustomWebUI/3-2-CustomBrowser) <br/> &#8226; [Sign in users with device code flow](https://github.com/Azure-Samples/ms-identity-dotnet-desktop-tutorial/tree/master/4-DeviceCodeFlow) <br/> &#8226; [Authenticate users with MSAL.NET in a WinUI desktop application](https://github.com/Azure-Samples/ms-identity-netcore-winui) | [MSAL.NET](/entra/msal/dotnet) |&#8226; Authorization code with PKCE <br/> &#8226; Device code |

+> | Mobile | &#8226; [Call Microsoft Graph using MAUI](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppBasic) <br/> &#8226; [Call Microsoft Graph using MAUI with broker](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppWithBroker) <br/> &#8226; [Call Active Directory B2C tenant using MAUI](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui/tree/main/MauiAppB2C) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+> | Headless | [Invoke protected API from text-only device](https://github.com/azure-samples/active-directory-dotnetcore-devicecodeflow-v2) | [MSAL.NET](/entra/msal/dotnet) | Device code|

+> | Service/</div>daemon | &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi) <br/> &#8226; [Using managed identity and Azure key vault](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/3-Using-KeyVault)| [MSAL.NET](/entra/msal/dotnet) | Client credentials grant|

+#### ASP.NET

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application | &#8226; [Microsoft Graph Training Sample](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) <br/> &#8226; [Sign in users and call Microsoft Graph with admin restricted scope](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) <br/> &#8226; [Quickstart: Sign in users](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) | [MSAL.NET](/entra/msal/dotnet) | &#8226; OpenID connect <br/> &#8226; Authorization code |

+> | Web API | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapi-onbehalfof) | [MSAL.NET](/entra/msal/dotnet) | On-Behalf-Of (OBO) |

+> | Service/</br>daemon |[Multi-tenant with Microsoft identity platform endpoint](https://github.com/Azure-Samples/ms-identity-aspnet-daemon-webapp) | [MSAL.NET](/entra/msal/dotnet) | Client credentials grant|

+#### ASP.NET Core

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application| &#8226; [Sign in users](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/README.md) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-5-B2C/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md) <br/> &#8226; [Customize token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-2-TokenCache/README.md) <br/> &#8226; [Call Graph (multi-tenant)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md) <br/> &#8226; [Call Azure REST APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/3-WebApp-multi-APIs/README.md) <br/> &#8226; [Protect web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README.md) <br/> &#8226; [Protect web API (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) <br/> &#8226; [Protect multi-tenant web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/Readme.md) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) <br/> &#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/6-Deploy-to-Azure/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | &#8226; OpenID connect <br/> &#8226; Authorization code <br/> &#8226; On-Behalf-Of|

+> | Web application |[Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | On-Behalf-Of (OBO) |

+> | Web application |[Use the Conditional Access auth context to perform step\-up authentication](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | Authorization code |

+> | Web application |[Active Directory FS to Azure AD migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | &#8226; SAML <br/> &#8226; OpenID connect |

+> | Web API | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | [MSAL.NET](/entra/msal/dotnet) | On-Behalf-Of (OBO) |

+> | Multi-tenant SaaS | [ASP.NET Core MVC web application calls Microsoft Graph API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-3-Multi-Tenant) | [MSAL.NET](/entra/msal/dotnet) | OpenID connect |

+> | Multi-tenant SaaS | [ASP.NET Core MVC web application calls ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-3-AnyOrg) | [MSAL.NET](/entra/msal/dotnet) | Authorization code |

+#### Blazor

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Single-page application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/MyOrg/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-OIDC/B2C/README.md)<br/>&#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/WebApp-graph-user/Call-MSGraph/README.md)<br/>&#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-blazor-wasm/blob/main/Deploy-to-Azure/README.md) | [MSAL.js](/javascript/api/overview/msal-overview) | Implicit Flow |

+> | Web application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> &#8226; [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | [MSAL.NET](/entra/msal/dotnet) | Implicit/Hybrid flow|

+#### Xamarin

+The following samples show how to build applications for the Xamarin platform.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Mobile | &#8226; [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/1-Basic) <br/>&#8226; [Sign in users with broker and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/2-With-broker) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+### iOS

+The following samples show how to build applications for the iOS platform.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Mobile | &#8226; [Call Microsoft Graph native](https://github.com/Azure-Samples/ms-identity-mobile-apple-swift-objc) <br/> &#8226; [Call Microsoft Graph with Azure AD nxoauth](https://github.com/azure-samples/active-directory-ios-native-nxoauth2-v2) | [MSAL iOS](https://github.com/AzureAD/microsoft-authentication-library-for-objc) | Authorization code with PKCE |

+### JavaScript

+The following samples show how to build applications for the JavaScript language and platform.

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Single-page application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api/README.md)<br/>&#8226; [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/2-call-api-b2c/README.md)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/1-call-api-graph/README.md)<br/>&#8226; [Call Node.js web API via OBO and CA](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/4-AdvancedGrants/2-call-api-api-c)| [MSAL.js](/javascript/api/overview/msal-overview) | &#8226; Authorization code with PKCE<br/>&#8226; On-behalf-of (OBO) <br/>&#8226; Conditional Access |

+#### Angular

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Single-page application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call .NET Core web API](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>&#8226; [Call .NET Core web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>&#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>&#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/4-Deployment/README.md)| [MSAL Angular](/javascript/api/@azure/msal-angular/) | &#8226; Authorization code with PKCE<br/>&#8226; On-behalf-of (OBO) <br/>&#8226; Continuous Access Evaluation (CAE) |

+> | Multi-tenant SaaS | [Angular single-page application calls ASP.NET Core web API](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/6-AdvancedScenarios/2-call-api-mt) | [MSAL Angular](/javascript/api/@azure/msal-angular/) | Authorization code |

+#### Node.js

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web API | &#8226; [Protect a Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/tree/main/3-Authorization-II/1-call-api) <br/> &#8226; [Protect a Node.js Web API with Azure AD B2C](https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization bearer |

+> | Desktop | [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-desktop) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization code with PKCE |

+> | Azure Functions as web APIs | [Node.js Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization bearer |

+> | Azure Functions as web APIs | [Call Microsoft Graph API on behalf of a user](https://github.com/Azure-Samples/ms-identity-nodejs-webapi-onbehalfof-azurefunctions) | [MSAL Node](/javascript/api/@azure/msal-node) | On-Behalf-Of (OBO) |

+> | Service, daemon | [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-console) | [MSAL Node](/javascript/api/@azure/msal-node) | Client credentials grant |

+> | Microsoft Teams applications | [Teams Tab app: single sign-on (SSO) and call Microsoft Graph](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/tab-sso/nodejs) | [MSAL Node](/javascript/api/@azure/msal-node) | On-Behalf-Of (OBO) |

+#### Node.js (Express)

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/1-sign-in/README.md)<br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/2-sign-in-b2c/README.md)<br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/2-Authorization/1-call-graph/README.md)<br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/3-Deployment/README.md)<br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/1-app-roles/README.md)<br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/2-security-groups/README.md) <br/> &#8226; [Web app that sign in users](https://github.com/Azure-Samples/ms-identity-node) | [MSAL Node](/javascript/api/@azure/msal-node) | Authorization code |

+#### React

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Single-page application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/1-sign-in/README.md)<br/>&#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/1-Authentication/2-sign-in-b2c/README.md)<br/>&#8226; [Sign-in users on both server and client side apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/4-sign-in-hybrid/README.md)<br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph/README.md)<br/>&#8226; [Call Azure REST API and Azure Storage](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/2-call-arm)<br/>&#8226; [Call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/1-call-api)<br/>&#8226; [Call Node.js web API (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/3-Authorization-II/2-call-api-b2c)<br/>&#8226; [Call Microsoft Graph via OBO](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/6-AdvancedScenarios/1-call-api-obo/README.md)<br/>&#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/1-call-api-roles/README.md)<br/>&#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/5-AccessControl/2-call-api-groups/README.md)<br/>&#8226; [Deploy to Azure Storage and App Service](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/1-deploy-storage/README.md)<br/>&#8226; [Deploy to Azure Static Web Apps](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/4-Deployment/2-deploy-static/README.md)<br/>&#8226; [Use step-up authentication to call Node.js web API](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/blob/main/6-AdvancedScenarios/3-call-api-acrs/README.md)| [MSAL React](/javascript/api/@azure/msal-react) | &#8226; Authorization code with PKCE<br/>&#8226; On-behalf-of (OBO) <br/>&#8226; Conditional Access (CA) <br/>&#8226; Conditional Access Auth Context (acrs) <br/>&#8226; Continuous Access Evaluation (CAE) |

+### Java

+The following samples show how to build applications for the Java language and platform.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web API | [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | On-Behalf-Of (OBO) |

+> | Desktop | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Integrated-Windows-Auth-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Integrated Windows authentication |

+> | Mobile | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-android-java) | [MSAL Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) | Authorization code with PKCE |

+> | Headless | [Sign in users and invoke protected API from text-only device](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/2.%20Client-Side%20Scenarios/Device-Code-Flow) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Device code |

+> | Service/</br>daemon | &#8226; [Call Microsoft Graph with Secret](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-secret) <br/> &#8226; [Call Microsoft Graph with Certificate](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/1.%20Server-Side%20Scenarios/msal-client-credential-certificate)| [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Client credentials grant|

+#### Java Spring

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application |Azure AD Spring Boot Starter Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) <br/> &#8226; [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/3-Authorization-II/protect-web-api) | &#8226; [MSAL Java](/java/api/com.microsoft.aad.msal4j) <br/> &#8226; Azure AD Boot Starter | Authorization code |

+#### Java Servlet

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application | Spring-less Servlet Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/roles) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/4-Deployment/deploy-to-azure-app-service) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Authorization code |

+### Python

+The following samples show how to build applications for the Python language and platform.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Azure Functions as web APIs | [Python Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

+> | Desktop | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | [MSAL Python](/python/api/msal/overview-msal) | Resource owner password credentials |

+> | Headless | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-devicecodeflow) | [MSAL Python](/python/api/msal/overview-msal) | Device code |

+> | Daemon | &#8226; [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/1-Call-MsGraph-WithSecret) <br/> &#8226; [Call Microsoft Graph with certificate](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/2-Call-MsGraph-WithCertificate) | [MSAL Python](/python/api/msal/overview-msal)| Client credentials grant|

+#### Flask

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/>&#8226; [A template to sign in AAD or B2C users, and optionally call a downstream API (Microsoft Graph)](https://github.com/Azure-Samples/ms-identity-python-webapp) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

+#### Django

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/2-Authorization-I/call-graph) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/3-Deployment/deploy-to-azure-app-service)| [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

+### Kotlin

+The following samples show how to build applications with Kotlin.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Mobile | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-android-kotlin) | [MSAL Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) | Authorization code with PKCE |

+### PowerShell

+The following samples show how to build applications with PowerShell.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Desktop | [Call Microsoft Graph by signing in users using username/password](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | [MSAL.NET](/entra/msal/dotnet) | Resource owner password credentials |

+### Ruby

+The following samples show how to build applications with Ruby.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Web application | Graph Training <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/microsoftgraph/msgraph-training-rubyrailsapp) | OmniAuth OAuth2 | Authorization code |

+### XAML

+The following samples show how to build applications with XAML.

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Desktop | &#8226; [Sign in users and call ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+### Universal Windows Platform (UWP)

+The following samples show how to build applications with Universal Windows Platform (UWP).

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Desktop | [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/2-With-broker) | [MSAL.NET](/entra/msal/dotnet) | Web account manager |

+### Windows Presentation Foundation (WPF)

+The following samples show how to build applications with Windows Presentation Foundation (WPF).

+> [!div class="mx-tdCol2BreakAll"]

+> | App type | Code sample(s) <br/> on GitHub |Auth<br/> libraries |Auth flow |

+> | -- | -- |-- |-- |

+> | Desktop | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+- More user properties can be added as columns including city, country/region, employee ID, employee type, and external user state

+1. To add an attribute, select **Add**. In the **Add an attribute** pane, enter the following values:

+ - **Name** - Provide a name for the custom attribute. For example, "Loyalty number."

+ :::image type="content" source="media/how-to-define-custom-attributes/add-attribute.png" alt-text="Screenshot of the pane for adding an attribute." lightbox="media/how-to-define-custom-attributes/add-attribute.png":::

+## Include the attributes in a sign-up flow

+Follow these steps to add sign-up attributes to a user flow you've already created. (For a new user flow, see [Create a sign-up and sign-in user flow for customers](how-to-user-flow-sign-up-sign-in-customers.md).)

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter in the top menu to switch to your customer tenant.

+1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**.

+1. Select the user flow from the list.

+1. Select **User attributes**. The list includes any custom attributes you defined as described in the previous section. For example, the new **Rewards number** attribute now appears in the list. Choose the attributes you want to collect from the user during sign-up.

+ :::image type="content" source="media/how-to-define-custom-attributes/user-attributes.png" alt-text="Screenshot of the user attribute options on the Create a user flow page." lightbox="media/how-to-define-custom-attributes/user-attributes.png":::

+1. Select **Save**.

+ :::image type="content" source="media/how-to-define-custom-attributes/page-layouts.png" alt-text="Screenshot of page layout options for a user flow." lightbox="media/how-to-define-custom-attributes/page-layouts.png":::

+ Title: Tutorial - Handle authentication flows in a vanilla JavaScript single-page app

+# Tutorial: Handle authentication flows in a vanilla JavaScript single-page app

+In the [previous article](./how-to-single-page-app-vanillajs-prepare-app.md), you created a vanilla JavaScript (JS) single-page application (SPA) and a server to host it. In this article, you'll configure the application to authenticate and authorize users to access protected resources. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview/).

+In this tutorial you'll;

+> [!div class="checklist"]

+> * Configure the settings for the application

+> * Add code to *authRedirect.js* to handle the authentication flow

+> * Add code to *authPopup.js* to handle the authentication flow

+## Edit the authentication configuration file

+1. Open *public/authConfig.js* and add the following code snippet:

+1. Replace the following values with the values from the Azure portal:

+ - Find the `Enter_the_Application_Id_Here` value and replace it with the **application ID (clientId)** of the app you registered in the Microsoft Entra admin center.

+ - In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is *caseyjensen@onmicrosoft.com*, the value you should enter is *casyjensen*.

+## Adding code to the redirection file

+A redirection file is required to handle the response from the sign-in page. It is used to extract the access token from the URL fragment and use it to call the protected API. It is also used to handle errors that occur during the authentication process.

+1. Open *public/authRedirect.js* and add the following code snippet:

+## Adding code to the *authPopup.js* file

+1. Open *public/authPopup.js* and add the following code snippet:

+> [Sign in and sign out of the Vanilla JS SPA](./how-to-single-page-app-vanillajs-sign-in-sign-out.md)

+ Title: Tutorial - Prepare a vanilla JavaScript single-page app (SPA) for authentication in a customer tenant

+# Tutorial: Prepare a vanilla JavaScript single-page app (SPA) for authentication in a customer tenant

+In the [previous article](./how-to-single-page-app-vanillajs-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (AD) for customers tenant. This article shows you how to create a vanilla JavaScript SPA

+In this tutorial you'll;

+> [!div class="checklist"]

+> * Create a vanilla Javascript project in Visual Studio Code

+> * Install required packages

+> * Add code to *server.js* to create a server

+* Completion of the prerequisites and steps in [Prepare your customer tenant to authenticate a Vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-prepare-tenant.md).

+* Although any integrated development environment (IDE) that supports Vanilla JS applications can be used, **Visual Studio Code** is recommended for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page.

+* [Node.js](https://nodejs.org/en/download/).

+## Create a new Vanilla JS project and install dependencies

+1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project.

+1. Open a new terminal by selecting **Terminal** > **New Terminal**.

+1. Run the following command to create a new vanilla JS project:

+## Edit the *server.js* file

+**Express** is a web application framework for **Node.js**. It's used to create a server that hosts the application. **Morgan** is the middleware that logs HTTP requests to the console. The server file is used to host these dependencies and contains the routes for the application. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview/).

+> [Configure SPA for authentication](how-to-single-page-app-vanillajs-configure-authentication.md)

+ Title: Tutorial - Prepare your customer tenant to authenticate users in a Vanilla JavaScript single-page application

+description: Learn how to configure your Azure Active Directory (AD) for customers tenant for authentication with a Vanilla JavaScript single-page app (SPA).

+#Customer intent: As a developer, I want to learn how to configure a Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant.

+# Tutorial: Prepare your customer tenant to authenticate a Vanilla JavaScript single-page app (SPA)

+This tutorial series demonstrates how to build a Vanilla JavaScript single-page application (SPA) and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for JavaScript](/javascript/api/overview/msal-overview) library to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences.

+In this tutorial, you'll;

+> [!div class="checklist"]

+> * Register a web application in the Microsoft Entra admin center, and record its identifiers

+> * Create a client secret for the web application

+> * Define the platform and URLs

+> * Grant permissions to the web application to access the Microsoft Graph API

+> * Create a sign in and sign out user flow in the Microsoft Entra admin center

+> * Associate your web application with the user flow

+- An Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- This Azure account must have permissions to manage applications. Any of the following Azure AD roles include the required permissions:

+ * Application administrator

+ * Application developer

+ * Cloud application administrator

+- An Azure AD for customers tenant. If you haven't already, [create one now](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl). You can use an existing customer tenant if you have one.

+## Register the SPA and record identifiers

+## Add a platform redirect URL

+ Title: Tutorial - Add sign-in and sign-out to a Vanilla JavaScript single-page app (SPA) for a customer tenant

+description: Learn how to configure a Vanilla JavaScript single-page app (SPA) to sign in and sign out users with your Azure Active Directory (AD) for customers tenant.

+#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant.

+# Tutorial: Add sign-in and sign-out to a Vanilla JavaScript single-page app (SPA) for a customer tenant

+In the [previous article](how-to-single-page-app-vanillajs-configure-authentication.md), you edited the popup and redirection files that handle the sign-in page response. This tutorial demonstrates how to build a responsive user interface (UI) that contains a **Sign-In** and **Sign-Out** button and run the project to test the sign-in and sign-out functionality.

+In this tutorial you'll;

+> [!div class="checklist"]

+> * Add code to the *https://docsupdatetracker.net/index.html* file to create the user interface (UI)

+> * Add code to the *signout.html* file to create the sign-out page

+> * Sign in and sign out of the application

+## Add code to the *https://docsupdatetracker.net/index.html* file

+The main page of the SPA, *https://docsupdatetracker.net/index.html*, is the first page that is loaded when the application is started. It's also the page that is loaded when the user selects the **Sign-Out** button.

+1. Open *public/https://docsupdatetracker.net/index.html* and add the following code snippet:

+## Add code to the *signout.html* file

+1. Open *public/signout.html* and add the following code snippet:

+## Add code to the *ui.js* file

+When authorization has been configured, the user interface can be created to allow users to sign in and sign out when the project is run. To build the user interface (UI) for the application, [Bootstrap](https://getbootstrap.com/) is used to create a responsive UI that contains a **Sign-In** and **Sign-Out** button.

+1. Open *public/ui.js* and add the following code snippet:

+## Add code to the *styles.css* file

+1. Open *public/styles.css* and add the following code snippet:

+## Next steps

+- [Enable self-service password reset](./how-to-enable-password-reset-customers.md)

+ Title: Tutorial - Prepare a React single-page app (SPA) for authentication in a customer tenant

+# Tutorial: Prepare a React single-page app (SPA) for authentication in a customer tenant

+In the [previous article](./how-to-single-page-application-react-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (AD) for customers tenant. This tutorial demonstrates how to create a React single-page app using `npm` and create files needed for authentication and authorization.

+In this tutorial you'll;

+> [!div class="checklist"]

+> * Create a React project in Visual Studio Code

+> * Install identity and bootstrap packages

+> * Configure the settings for the application

+* Completion of the prerequisites and steps in [Prepare your customer tenant to authenticate users in a React single-page app (SPA)](./how-to-single-page-application-react-prepare-tenant.md).

+* Although any integrated development environment (IDE) that supports React applications can be used, this tutorial uses **Visual Studio Code**. You can download it [here](https://visualstudio.microsoft.com/downloads/).

+* [Node.js](https://nodejs.org/en/download/).

+## Create a React project

+Identity related **npm** packages must be installed in the project to enable user authentication. For project styling, we'll use **Bootstrap**.

+1. In the **Terminal** bar, select the **+** icon to create a new terminal. A new terminal window will open enabling the other terminal to continue running in the background.

+1. If necessary, navigate to the *reactspalocal* again and enter the following commands into the terminal to install the relevant `msal` and `bootstrap` packages.

+## Create the authentication configuration file, *authConfig.js*

+1. Navigate to the *src* folder, and create a new file called *authConfig.js*.

+ ```javascript

+ * Copyright (c) Microsoft Corporation. All rights reserved.

+ * Licensed under the MIT License.

+ */

+

+

+ * Configuration object to be passed to MSAL instance on creation.

+ * For a full list of MSAL.js configuration parameters, visit:

+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md

+ */

+

+ authority: 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace the placeholder with your tenant subdomain

+

+ * Scopes you add here will be prompted for user consent during sign-in.

+ * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.

+ * For more information about OIDC scopes, visit:

+ * https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes

+ */

+

+ * An optional silentRequest object can be used to achieve silent SSO

+ * between applications by providing a "login_hint" property.

+ */

+ // scopes: ["openid", "profile"],

+ // loginHint: "example@domain.net"

+1. Replace the following values with the values from the Azure portal:

+ - Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the **Overview** page of the registered application.

+## Modify *index.js* to include the authentication provider

+ ```javascript

+ import React from 'react';

+ import ReactDOM from 'react-dom/client';

+ import App from './App';

+ import { PublicClientApplication, EventType } from '@azure/msal-browser';

+ import { msalConfig } from './authConfig';

+

+ import 'bootstrap/dist/css/bootstrap.min.css';

+ import './styles/index.css';

+

+ /**

+ * MSAL should be instantiated outside of the component tree to prevent it from being re-instantiated on re-renders.

+ * For more, visit: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-react/docs/getting-started.md

+ */

+ const msalInstance = new PublicClientApplication(msalConfig);

+

+ // Default to using the first account if no account is active on page load

+ if (!msalInstance.getActiveAccount() && msalInstance.getAllAccounts().length > 0) {

+ // Account selection logic is app dependent. Adjust as needed for different use cases.

+ msalInstance.setActiveAccount(msalInstance.getActiveAccount()[0]);

+ }

+

+ // Listen for sign-in event and set active account

+ msalInstance.addEventCallback((event) => {

+ if (event.eventType === EventType.LOGIN_SUCCESS && event.payload.account) {

+ const account = event.payload.account;

+ msalInstance.setActiveAccount(account);

+ }

+ });

+

+ const root = ReactDOM.createRoot(document.getElementById('root'));

+ root.render(

+ <App instance={msalInstance}/>

+ );

+ ```

+> [Sign in and sign out of the React SPA](./how-to-single-page-application-react-sign-in-out.md)

+ Title: Tutorial - Prepare your customer tenant to authenticate users in a React single-page app (SPA)

+# Tutorial: Prepare your customer tenant to authenticate users in a React single-page app (SPA)

+This tutorial series demonstrates how to build a React single-page application from scratch and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for JavaScript](/javascript/api/overview/msal-overview) library to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences.

+In this tutorial, you'll;

+> [!div class="checklist"]

+> * Register a web application in the Microsoft Entra admin center, and record its identifiers

+> * Create a client secret for the web application

+> * Define the platform and URLs

+> * Grant permissions to the web application to access the Microsoft Graph API

+> * Create a sign in and sign out user flow in the Microsoft Entra admin center

+> * Associate your web application with the user flow

+- An Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- This Azure account must have permissions to manage applications. Any of the following Azure AD roles include the required permissions:

+ * Application administrator

+ * Application developer

+ * Cloud application administrator

+- An Azure AD for customers tenant. If you haven't already, [create one now](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl). You can use an existing customer tenant if you have one.

+## Register the SPA and record identifiers

+> [Prepare React SPA](./how-to-single-page-application-react-prepare-app.md)

+ Title: Tutorial - Add sign-in and sign-out to a React single-page app (SPA) for a customer tenant

+# Tutorial: Add sign-in and sign-out to a React single-page app (SPA) for a customer tenant

+In the [previous article](./how-to-single-page-application-react-prepare-app.md), you created a React single-page app (SPA) in Visual Studio Code and configured it for authentication.

+In this tutorial you'll;

+> [!div class="checklist"]

+> * Add functional components to the application

+> * Create a page layout and add the sign in and sign out experience

+> * Replace the default function to render authenticated information

+> * Sign in and sign out of the application using the user flow

+* Completion of the prerequisites and steps in [Prepare an single-page app for authentication](./how-to-single-page-application-react-prepare-app.md).

+## Add components to the application

+Functional components are the building blocks of React apps, and are used to build the sign in and sign out experiences in a React SPA.

+1. Right click on *components* and using the **New File** option, create the following files to create a structure as depicted in the following code block;

+ ```txt

+ reactspalocal/

+ Γö£ΓöÇΓöÇ src/

+ Γöé Γö£ΓöÇΓöÇ components/

+ Γöé Γöé Γö£ΓöÇΓöÇ PageLayout.jsx

+ Γöé Γöé Γö£ΓöÇΓöÇ SignInButton.jsx

+ Γöé Γöé ΓööΓöÇΓöÇ SignOutButton.jsx

+ Γöé ΓööΓöÇΓöÇ ...

+ ΓööΓöÇΓöÇ ...

+ ```

+### Add the page layout

+### Add the sign in experience

+1. Open *SignInButton.jsx* and add the following code, which creates a button that signs in the user using either a pop-up or redirect. The `useMsal` hook is used to retrieve an access token to allow user sign in:

+### Add the sign out experience

+By default, the application runs via a JavaScript file called *App.js*. It needs to be changed to a *.jsx* file, which is an extension that allows a developer to write HTML in React.

+1. Rename *App.js* to *App.jsx*.

+1. Replace the existing imports with the following snippet:

+1. Replace the default function `App()` to render authenticated information with the following code:

+ ```javascript

+ /**

+ * If a user is authenticated the ProfileContent component above is rendered. Otherwise a message indicating a user is not authenticated is rendered.

+ */

+ const MainContent = () => {

+ return (

+ <div className="App">

+ <AuthenticatedTemplate>

+ <ProfileContent />

+ </AuthenticatedTemplate>

+

+ <UnauthenticatedTemplate>

+ <h5>

+ <center>

+ Please sign-in to see your profile information.

+ </center>

+ </h5>

+ </UnauthenticatedTemplate>

+ </div>

+ );

+ };

+

+ export default function App() {

+ return (

+ <PageLayout>

+ <center>

+ <MainContent />

+ </center>

+ </PageLayout>

+ );

+ }

+ ```

+All the required code snippets have been added, so the application can now be tested in a web browser.

+1. The application should already be running in your terminal. If not, run the following command to start your app.

+1. Open a web browser and navigate to `http://localhost:3000/` if you are not automatically redirected.

+1. For the purposes of this tutorial, choose the **Sign in using Popup** option.

+> [Enable self-service password reset](./how-to-enable-password-reset-customers.md)

+1. Under **User attributes**, choose the attributes you want to collect from the user during sign-up.

+ :::image type="content" source="media/how-to-user-flow-sign-up-sign-in-customers/user-attributes.png" alt-text="Screenshot of the user attribute options on the Create a user flow page." lightbox="media/how-to-user-flow-sign-up-sign-in-customers/user-attributes.png":::

+1. Select **Show more** to choose from the full list of attributes, including **Job Title**, **Display Name**, and **Postal Code**.

+ This list also includes any [custom attributes you defined](how-to-define-custom-attributes.md). Select the checkbox next to each attribute you want to collect from the user during sign-up

+ :::image type="content" source="media/how-to-user-flow-sign-up-sign-in-customers/user-attributes-show-more.png" alt-text="Screenshot of the user attribute pane after selecting Show more." lightbox="media/how-to-user-flow-sign-up-sign-in-customers/user-attributes-show-more.png":::

+ Title: Tutorial - Prepare an ASP.NET web app for authentication in a customer tenant

+description: Learn how to prepare an ASP.NET web app for authentication with your Azure Active Directory (Azure AD) for customers tenant.

+# Tutorial: Prepare an ASP.NET web app for authentication in a customer tenant

+In the [previous article](./how-to-web-app-dotnet-sign-in-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (Azure AD) for customers tenant.

+In this tutorial you'll;

+> [!div class="checklist"]

+> * Create an ASP.NET project in Visual Studio Code

+> * Add the required NuGet packages

+> * Configure the settings for the application

+> * Add code to implement authentication

+* Completion of the prerequisites and steps in [Prepare your customer tenant for building an ASP.NET web app](./how-to-web-app-dotnet-sign-in-prepare-tenant.md).

+* Although any integrated development environment (IDE) that supports ASP.NET applications can be used, this tutorial uses **Visual Studio Code**. You can download it [here](https://visualstudio.microsoft.com/downloads/).

+* [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet).

+1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project.

+1. Open a new terminal by selecting **Terminal** > **New Terminal**.

+1. Enter the following command to make a Model View Controller (MVC) ASP.NET project.

+## Install identity packages

+Identity related NuGet packages must be installed in the project to authenticate users.

+1. Enter the following commands to change into the *aspnet_webapp* folder and install the relevant NuGet package:

+ ```powershell

+ cd aspnet_webapp

+ dotnet add package Microsoft.Identity.Web.UI

+ ```

+## Add authorization to *HomeController.cs*

+The *HomeController.cs* file contains the code for the home page of the application and needs to have the capability to authorize the user. The `Microsoft.AspNetCore.Authorization` namespace provides the classes and interfaces to implement authorization to the web app, and the `[Authorize]` attribute is used to specify that only authenticated users can use the web app.

+1. In your code editor, open *Controllers\HomeController.cs* file.

+1. Authorization needs to be added to the controller, add `Microsoft.AspNetCore.Authorization` so that the top of the file is identical to the following snippet:

+ ```cshtml

+ using System.Diagnostics;

+ using Microsoft.AspNetCore.Authorization;

+ using Microsoft.AspNetCore.Mvc;

+ using aspnet_webapp.Models;

+ ```

+1. Additionally, add the `[Authorize]` attribute directly above the `HomeController` class definition.

+ ```csharp

+ [Authorize]

+ ```

+## Add authentication and authorization to *Program.cs*

+The *Program.cs* needs to be modified to add authentication and authorization to the web app. This includes adding namespaces for authentication and authorization, and being able to sign in users with the Microsoft identity platform.

+1. To add the required namespaces, open *Program.cs* and add the following snippet to the top of the file:

+ ```csharp

+ using Microsoft.AspNetCore.Authentication.OpenIdConnect;

+ using Microsoft.AspNetCore.Authorization;

+ using Microsoft.AspNetCore.Mvc.Authorization;

+ using Microsoft.Identity.Web;

+ using Microsoft.Identity.Web.UI;

+ using System.IdentityModel.Tokens.Jwt;

+ ```

+1. Next, add the authentication services to the application which will enable the web app to sign in users with the Microsoft identity platform. You can replace the rest of the code in *Program.cs* with the following snippet:

+ ```csharp

+ var builder = WebApplication.CreateBuilder(args);

+ // Add services to the container.

+ builder.Services.AddControllersWithViews();

+ // This is required to be instantiated before the OpenIdConnectOptions starts getting configured.

+ // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications.

+ // For instance, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles' claim.

+ // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token

+ JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

+ // Sign-in users with the Microsoft identity platform

+ builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

+ .AddMicrosoftIdentityWebApp(builder.Configuration)

+ .EnableTokenAcquisitionToCallDownstreamApi()

+ .AddInMemoryTokenCaches();

+ builder.Services.AddControllersWithViews(options =>

+ {

+ var policy = new AuthorizationPolicyBuilder()

+ .RequireAuthenticatedUser()

+ .Build();

+ options.Filters.Add(new AuthorizeFilter(policy));

+ }).AddMicrosoftIdentityUI();

+ var app = builder.Build();

+ // Configure the HTTP request pipeline.

+ if (!app.Environment.IsDevelopment())

+ {

+ app.UseExceptionHandler("/Home/Error");

+ // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.

+ app.UseHsts();

+ }

+ app.UseHttpsRedirection();

+ app.UseStaticFiles();

+ app.UseRouting();

+ app.UseAuthorization();

+ app.MapControllerRoute(

+ name: "default",

+ pattern: "{controller=Home}/{action=Index}/{id?}");

+ app.Run();

+ ```

+> [Sign in and sign out](how-to-web-app-dotnet-sign-in-sign-out.md)

+ Title: Tutorial - Prepare your customer tenant to authenticate users in an ASP.NET web app

+description: Learn how to configure your Azure Active Directory (Azure AD) for customers tenant for authentication with an ASP.NET web application

+# Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app

+This tutorial series demonstrates how to build an ASP.NET web application from scratch and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for .NET](/entra/msal/dotnet) and [Microsoft Identity Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) libraries to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences.

+In this tutorial, you'll;

+> [!div class="checklist"]

+> * Register a web application in the Microsoft Entra admin center, and record its identifiers

+> * Create a client secret for the web application

+> * Define the platform and URLs

+> * Grant permissions to the web application to access the Microsoft Graph API

+> * Create a sign in and sign out user flow in the Microsoft Entra admin center

+> * Associate your web application with the user flow

+- An Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- This Azure account must have permissions to manage applications. Any of the following Azure AD roles include the required permissions:

+ * Application administrator

+ * Application developer

+ * Cloud application administrator

+- An Azure AD for customers tenant. If you haven't already, [create one now](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl). You can use an existing customer tenant if you have one.

+## Register the web app and record identifiers

+## Add a platform redirect URL

+> [Prepare ASP.NET web app](how-to-web-app-dotnet-sign-in-prepare-app.md)

+ Title: Tutorial - Add sign-in and sign-out to an ASP.NET web application for a customer tenant

+description: Learn how to configure an ASP.NET web application to sign in and sign out users with your Azure Active Directory (Azure AD) for customers tenant.

+# Tutorial: Add sign-in and sign-out to an ASP.NET web application for a customer tenant

+In the [previous article](./how-to-web-app-dotnet-sign-in-prepare-app.md), you created an ASP.NET project in Visual Studio Code and configured it for authentication.

+In this tutorial you'll:

+> [!div class="checklist"]

+> * Add sign-in and sign-out experiences

+> * Add code to view ID token claims

+> * Sign-in and sign-out of the application using the user flow

+## Prerequisites

+- Completion of the prerequisites and steps in [Prepare an ASP.NET web app for authentication in a customer tenant](./how-to-web-app-dotnet-sign-in-prepare-app.md).

+After installing the NuGet packages and adding necessary code for authentication, we need to add the sign-in and sign out experiences. The code reads the ID token claims to check that the user is authenticated and uses `User.Claims` to extract ID token claims.

+1. Open *_LoginPartial.cshtml* and add the following code for adding the sign in and sign out experience.

+The web app is now configured to sign in users with the Microsoft identity platform. The next step is to add code that allows us to view the ID token claims. The app will check that the user is authenticated using `User.Identity.IsAuthenticated`, and lists out the ID token claims by looping through each item in `User.Claims`, returning their `Type` and `Value`.

+1. Open *Views/Home/Index.cshtml* and replace the contents of the file with the following snippet:

+ ```csharp

+ @{

+ ViewData["Title"] = "Home Page";

+

+ <style>

+ table {

+ border-collapse: collapse;

+ width: 100%;

+ }

+ th, td {

+ text-align: justify;

+ padding: 8px;

+ border-bottom: 1px solid #ddd;

+ border-top: 1px solid #ddd;

+ }

+ </style>

+

+ <div class="text-center">

+ <h1 class="display-4">Welcome</h1>

+

+ @if (@User.Identity is not null && @User.Identity.IsAuthenticated)

+ {

+ <p>You are signed in! Below are the claims in your ID token. For more information, visit: <a href="https://learn.microsoft.com/azure/active-directory/develop/id-tokens">Microsoft identity platform ID tokens</a></p>

+ <table>

+ <tbody>

+

+ @foreach (var item in @User.Claims)

+ {

+ <tr>

+ <td>@item.Type</td>

+ <td>@item.Value</td>

+ </tr>

+ }

+ </tbody>

+ </table>

+ }

+

+ <br />

+ <p>Learn about <a href="https://learn.microsoft.com/azure/active-directory/develop/v2-overview">building web apps with Microsoft identity platform</a>.</p>

+ </div>

+ ```

+1. Open a new private browser, and enter the application URI into the browser, in this case `https://localhost:7274`.

+1. To test the sign-up user flow you configured earlier, select **No account? Create one**.

+> [Enable self-service password reset](./how-to-enable-password-reset-customers.md)

+ Title: Add Azure AD Account as an identity provider

+description: Use Azure Active Directory to enable an external user (guest) to sign in to your Azure AD apps with their Azure AD work or school account.

+# Customer intent: As a tenant administrator, I want to add Azure AD as an identity provider for external guest users.

+# Add Azure Active Directory (Azure AD) as an identity provider for External Identities

+Azure Active Directory is available as an identity provider option for B2B collaboration by default. If an external guest user has an Azure AD account through work or school, they can redeem your B2B collaboration invitations or complete your sign-up user flows using their Azure AD account.

+## Guest sign-in using Azure Active Directory accounts

+If you want to enable guest users to sign in with their Azure AD account, you can use either the invitation flow or a self-service sign-up user flow. No additional configuration is required.

+### Azure AD account in the invitation flow

+When you [invite a guest user](add-users-administrator.md) to B2B collaboration, you can specify their Azure AD account as the **Email address** they'll use to sign in.

+### Azure AD account in self-service sign-up user flows

+Azure AD account is an identity provider option for your self-service sign-up user flows. Users can sign up for your applications using their own Azure AD accounts. First, you'll need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. Then you can set up a user flow for the application and select Azure Active Directory as one of the sign-in options.

+## Verifying the application's publisher domain

+As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../develop/howto-configure-publisher-domain.md), ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../develop/publisher-verification-overview.md) about this change.) For Azure AD user flows, the publisherΓÇÖs domain appears only when using a [Microsoft account](microsoft-account.md) or other Azure AD tenant as the identity provider. To meet these new requirements, follow these steps:

+1. [Verify your company identity using your Microsoft Partner Network (MPN) account](/partner-center/verification-responses). This process verifies information about your company and your companyΓÇÖs primary contact.

+1. Complete the publisher verification process to associate your MPN account with your app registration using one of the following options:

+ - If the app registration for the Microsoft account identity provider is in an Azure AD tenant, [verify your app in the App Registration portal](../develop/mark-app-as-publisher-verified.md).

+ - If your app registration for the Microsoft account identity provider is in an Azure AD B2C tenant, [mark your app as publisher verified using Microsoft Graph APIs](../develop/troubleshoot-publisher-verification.md#making-microsoft-graph-api-calls) (for example, using Graph Explorer).

+## Next steps

+- [Microsoft account](microsoft-account.md)

+- [Add Azure Active Directory B2B collaboration users](add-users-administrator.md)

+- [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)

+- **Azure Active Directory accounts**: Guest users can use their Azure AD work or school accounts to redeem your B2B collaboration invitations or complete your sign-up user flows. [Azure Active Directory](default-account.md) is one of the allowed identity providers by default. No additional configuration is needed to make this identity provider available for user flows.

+- [Add Azure Active Directory (Azure AD) as an identity provider for External Identities](default-account.md)

+## External access blocked by policy error on the login screen

+When you try to login to your tenant, you might see this error message: "Your network administrator has restricted what organizations can be accessed. Contact your IT department to unblock access." This error is related to tenant restriction settings. To resolve this issue, ask your IT team to follow the instructions in [this article](/azure/active-directory/manage-apps/tenant-restrictions).

+- [Azure Active Directory](default-account.md) Minor text updates.

+- [Add Azure Active Directory (Azure AD) as an identity provider for External Identities](default-account.md)

+Azure Active Directory (Azure AD) stores its Customer Data in a geographical location based on the country/region you provided when you signed up for a Microsoft Online service. Microsoft Online services include Microsoft 365 and Azure.

+ Title: Azure Active Directory B2C deployment plans

+description: Azure Active Directory B2C deployment guide for planning, implementation, and monitoring

+# Azure Active Directory B2C deployment plans

+Azure Active Directory B2C (Azure AD B2C) is an identity and access management solution that can ease integration with your infrastructure. Use the following guidance to help understand requirements and compliance throughout an Azure AD B2C deployment.

+## Plan an Azure AD B2C deployment

+### Requirements

+- Assess the primary reason to turn off systems

+ - See, [What is Azure Active Directory B2C?](../../active-directory-b2c/overview.md)

+- For a new application, plan the design of the Customer Identity Access Management (CIAM) system

+ - See, [Planning and design](../../active-directory-b2c/best-practices.md#planning-and-design)

+- Identify customer locations and create a tenant in the corresponding datacenter

+ - See, [Tutorial: Create an Azure Active Directory B2C tenant](../../active-directory-b2c/tutorial-create-tenant.md)

+- Confirm your application types and supported technologies:

+ - [Overview of the Microsoft Authentication Library (MSAL)](../develop/msal-overview.md)

+ - [Develop with open source languages, frameworks, databases, and tools in Azure](https://azure.microsoft.com/free/open-source/search/?OCID=AID2200277_SEM_f63bcafc4d5f1d7378bfaa2085b249f9:G:s&ef_id=f63bcafc4d5f1d7378bfaa2085b249f9:G:s&msclkid=f63bcafc4d5f1d7378bfaa2085b249f9).

+ - For back-end services, use the [client credentials](../develop/msal-authentication-flows.md#client-credentials) flow

+- To migrate from an identity provider (IdP):

+ - [Seamless migration](../../active-directory-b2c/user-migration.md#seamless-migration)

+ - Go to [azure-ad-b2c-user-migration](https://github.com/azure-ad-b2c/user-migration)

+- Select protocols

+ - If you use Kerberos, Microsoft Windows NT LAN Manager (NTLM), and Web Services Federation (WS-Fed), see the video, [Azure Active Directory: Application and identity migration to Azure AD B2C](https://www.bing.com/videos/search?q=application+migration+in+azure+ad+b2c&docid=608034225244808069&mid=E21B87D02347A8260128E21B87D02347A8260128&view=detail&FORM=VIRE)

+After migration, your applications can support modern identity protocols such as OAuth 2.0 and OpenID Connect (OIDC).

+### Stakeholders

+Technology project success depends on managing expectations, outcomes, and responsibilities.

+- Identify the application architect, technical program manager, and owner

+- Create a distribution list (DL) to communicate with the Microsoft account or engineering teams

+ - Ask questions, get answers, and receive notifications

+- Identify a partner or resource outside your organization to support you

+Learn more: [Include the right stakeholders](deployment-plans.md)

+### Communications

+Communicate proactively and regularly with your users about pending and current changes. Inform them about how the experience changes, when it changes, and provide a contact for support.

+### Timelines

+Help set realistic expectations and make contingency plans to meet key milestones:

+- Pilot date

+- Launch date

+- Dates that affect delivery

+- Dependencies

+## Implement an Azure AD B2C deployment

+* **Deploy applications and user identities** - Deploy client application and migrate user identities

+* **Client application onboarding and deliverables** - Onboard the client application and test the solution

+* **Security** - Enhance the identity solution security

+* **Compliance** - Address regulatory requirements

+* **User experience** - Enable a user-friendly service

+### Deploy authentication and authorization

+* Before your applications interact with Azure AD B2C, register them in a tenant you manage

+ * See, [Tutorial: Create an Azure Active Directory B2C tenant](../../active-directory-b2c/tutorial-create-tenant.md)

+* For authorization, use the Identity Experience Framework (IEF) sample user journeys

+ * See, [Azure Active Directory B2C: Custom CIAM User Journeys](https://github.com/azure-ad-b2c/samples#local-account-policy-enhancements)

+* Use policy-based control for cloud-native environments

+ * Go to openpolicyagent.org to learn about [Open Policy Agent](https://www.openpolicyagent.org/) (OPA)

+Learn more with the Microsoft Identity PDF, [Gaining expertise with Azure AD B2C](https://aka.ms/learnaadb2c), a course for developers.

+### Checklist for personas, permissions, delegation, and calls

+* Identify the personas that access to your application

+* Define how you manage system permissions and entitlements today, and in the future

+* Confirm you have a permission store and if there are permissions to add to the directory

+* Define how you manage delegated administration

+ * For example, your customers' customers management

+* Verify your application calls an API Manager (APIM)

+ * There might be a need to call from the IdP before the application is issued a token

+### Deploy applications and user identities

+Azure AD B2C projects start with one or more client applications.

+* [The new App registrations experience for Azure Active Directory B2C](../../active-directory-b2c/app-registrations-training-guide.md)

+ * Refer to [Azure Active Directory B2C code samples](../../active-directory-b2c/integrate-with-app-code-samples.md) for implementation

+* Set up your user journey based on custom user flows

+ * [Comparing user flows and custom policies](../../active-directory-b2c/user-flow-overview.md#comparing-user-flows-and-custom-policies)

+ * [Add an identity provider to your Azure Active Directory B2C tenant](../../active-directory-b2c/add-identity-provider.md)

+ * [Migrate users to Azure AD B2C](../../active-directory-b2c/user-migration.md)

+ * [Azure Active Directory B2C: Custom CIAM User Journeys](https://github.com/azure-ad-b2c/samples) for advanced scenarios

+### Application deployment checklist

+* Applications included in the CIAM deployment

+* Applications in use

+ * For example, web applications, APIs, single-page apps (SPAs), or native mobile applications

+* Authentication in use:

+ * For example, forms federated with SAML, or federated with OIDC

+ * If OIDC, confirm the response type: code or id_token

+* Determine where front-end and back-end applications are hosted: on-premises, cloud, or hybrid-cloud

+* Confirm the platforms or languages in use:

+ * For example ASP.NET, Java, and Node.js

+ * See, [Quickstart: Set up sign in for an ASP.NET application using Azure AD B2C](../../active-directory-b2c/quickstart-web-app-dotnet.md)

+* Verify where user attributes are stored

+ * For example, Lightweight Directory Access Protocol (LDAP) or databases

+### User identity deployment checklist

+* Confirm the number of users accessing applications

+* Determine the IdP types needed:

+ * For example, Facebook, local account, and Active Directory Federation Services (AD FS)

+ * See, [Active Directory Federation Services](/windows-server/identity/active-directory-federation-services)

+* Outline the claim schema required from your application, Azure AD B2C, and IdPs if applicable

+ * See, [ClaimsSchema](../../active-directory-b2c/claimsschema.md)

+* Determine the information to collect during sign-in and sign-up

+ * [Set up a sign-up and sign-in flow in Azure Active Directory B2C](../../active-directory-b2c/add-sign-up-and-sign-in-policy.md?pivots=b2c-user-flow)

+### Client application onboarding and deliverables

+Use the following checklist for onboarding an application

+|Area|Description|

+|||

+|Application target user group | Select among end customers, business customers, or a digital service. </br>Determine a need for employee sign-in.|

+|Application business value| Understand the business need and/or goal to determine the best Azure AD B2C solution and integration with other client applications.|

+|Your identity groups| Cluster identities into groups with requirements, such as business-to-consumer (B2C), business-to-business (B2B) business-to-employee (B2E), and business-to-machine (B2M) for IoT device sign-in and service accounts.|

+|Identity provider (IdP)| See, [Select an identity provider](../../active-directory-b2c/add-identity-provider.md#select-an-identity-provider). For example, for a customer-to-customer (C2C) mobile app use an easy sign-in process. </br>B2C with digital services has compliance requirements. </br>Consider email sign-in. |

+|Regulatory constraints | Determine a need for remote profiles or privacy policies. |

+|Sign-in and sign-up flow | Confirm email verification or email verification during sign-up. </br>For check-out processes, see [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md). </br>See the video, [Azure AD: Azure AD B2C user migration using Microsoft Graph API](https://www.youtube.com/watch?v=c8rN1ZaR7wk&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=4). |

+|Application and authentication protocol| Implement client applications such as Web application, single-page application (SPA), or native. </br>Authentication protocols for client application and Azure AD B2C: OAuth, OIDC, and SAML. </br>See the video, [Azure AD: Protecting Web APIs with Azure AD](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=9).|

+| User migration | Confirm if you'll [migrate users to Azure AD B2C](../../active-directory-b2c/user-migration.md): Just-in-time (JIT) migration and bulk import/export. </br>See the video, [Azure Active Directory: Azure AD B2C user migration strategies](https://www.youtube.com/watch?v=lCWR6PGUgz0&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=2).|

+Use the following checklist for delivery.

+|Area| Description|

+|||

+|Protocol information| Gather the base path, policies, and metadata URL of both variants. </br>Specify attributes such as sample sign-in, client application ID, secrets, and redirects.|

+|Application samples | See, [Azure Active Directory B2C code samples](../../active-directory-b2c/integrate-with-app-code-samples.md).|

+|Penetration testing | Inform your operations team about pen tests, then test user flows including the OAuth implementation. </br>See, [Penetration testing](../../security/fundamentals/pen-testing.md) and [Penetration testing rules of engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement).

+| Unit testing | Unit test and generate tokens. </br>See, [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md). </br>If you reach the Azure AD B2C token limit, see [Azure AD B2C: File Support Requests](../../active-directory-b2c/find-help-open-support-ticket.md). </br>Reuse tokens to reduce investigation on your infrastructure. </br>[Set up a resource owner password credentials flow in Azure Active Directory B2C](../../active-directory-b2c/add-ropc-policy.md?pivots=b2c-user-flow&tabs=app-reg-ga).|

+| Load testing | Learn about [Azure AD B2C service limits and restrictions](../../active-directory-b2c/service-limits.md). </br>Calculate the expected authentications and user sign-ins per month. </br>Assess high load traffic durations and business reasons: holiday, migration, and event. </br>Determine expected peak rates for sign-up, traffic, and geographic distribution, for example per second.

+### Security

+Use the following checklist to enhance application security.

+* Authentication method, such as multi-factor authentication (MFA):

+ * MFA is recommended for users that trigger high-value transactions or other risk events. For example, banking, finance, and check-out processes.

+ * See, [What authentication and verification methods are available in Azure AD?](../authentication/concept-authentication-methods.md)

+* Confirm use of anti-bot mechanisms

+* Assess the risk of attempts to create a fraudulent account or sign-in

+ * See, [Tutorial: Configure Microsoft Dynamics 365 Fraud Protection with Azure Active Directory B2C](../../active-directory-b2c/partner-dynamics-365-fraud-protection.md)

+* Confirm needed conditional postures as part of sign-in or sign-up

+#### Conditional Access and identity protection

+* The modern security perimeter now extends beyond an organization's network. The perimeter includes user and device identity.

+ * See, [What is Conditional Access?](../conditional-access/overview.md)

+* Enhance the security of Azure AD B2C with Azure AD identity protection

+ * See, [Identity Protection and Conditional Access in Azure AD B2C](../../active-directory-b2c/conditional-access-identity-protection-overview.md)

+### Compliance

+To help comply with regulatory requirements and enhance back-end system security you can use virtual networks (VNets), IP restrictions, Web Application Firewall (WAF), etc. Consider the following requirements:

+* Your regulatory compliance requirements

+ * For example, Payment Card Industry Data Security Standard (PCI-DSS)

+ * Go to pcisecuritystandards.org to learn more about the [PCI Security Standards Council](https://www.pcisecuritystandards.org/)

+* Data storage into a separate database store

+ * Determine if this information can't be written into the directory

+### User experience

+Use the following checklist to help define user experience requirements.

+* Identify integrations to extend CIAM capabilities and build seamless end-user experiences

+ * [Azure Active Directory B2C ISV partners](../../active-directory-b2c/partner-gallery.md)

+* Use screenshots and user stories to show the application end-user experience

+ * For example, screenshots of sign-in, sign-up, sign-up/sign-in (SUSI), profile edit, and password reset

+* Look for hints passed through by using queryString parameters in your CIAM solution

+* For high user-experience customization, consider a using front-end developer

+* In Azure AD B2C, you can customize HTML and CSS

+ * See, [Guidelines for using JavaScript](../../active-directory-b2c/javascript-and-page-layout.md?pivots=b2c-custom-policy#guidelines-for-using-javascript)

+* Implement an embedded experience by using iframe support:

+ * See, [Embedded sign-up or sign-in experience](../../active-directory-b2c/embedded-login.md?pivots=b2c-custom-policy)

+ * For a single-page application, use a second sign-in HTML page that loads into the `<iframe>` element

+## Monitoring auditing, and logging

+Use the following checklist for monitoring, auditing, and logging.

+* Monitoring

+ * [Monitor Azure AD B2C with Azure Monitor](../../active-directory-b2c/azure-monitor.md)

+ * See the video [Azure Active Directory: Monitoring and reporting Azure AD B2C using Azure Monitor](https://www.youtube.com/watch?v=Mu9GQy-CbXI&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=1)

+* Auditing and logging

+ * [Accessing Azure AD B2C audit logs](../../active-directory-b2c/view-audit-logs.md)

+## Resources

+- [Register a Microsoft Graph application](../../active-directory-b2c/microsoft-graph-get-started.md)

+- [Manage Azure AD B2C with Microsoft Graph](../../active-directory-b2c/microsoft-graph-operations.md)

+- [Deploy custom policies with Azure Pipelines](../../active-directory-b2c/deploy-custom-policies-devops.md)

+- [Manage Azure AD B2C custom policies with Azure PowerShell](../../active-directory-b2c/manage-custom-policies-powershell.md)

+## Next steps

+[Recommendations and best practices for Azure Active Directory B2C](../../active-directory-b2c/best-practices.md)

+ Title: 'Parallel and combined identity infrastructure options'

+description: This article describes the various options available for organizations to run multiple tenants and multicloud scenarios

+ na

+# Parallel and combined identity infrastructure options

+Microsoft delivers a range of technologies and solutions to integrate between their different on-premises and cloud components of their identity infrastructure. Often customers are unclear on which technologies are most right and may incorrectly think "the most recent release covers all scenarios of earlier technology releases."

+This article covers scenarios when your company is going through a complex scenario outlined below and looking to combine your identity information. Ideally, an organization with a single HR source, a single Active Directory forest, and a single Azure Active Directory (Azure AD) tenant, all integrated with the same people in each, will have the best identity experience for their Microsoft Online Services. However, in practice, an enterprise customer may not always be in a situation where that is possible. For example, the customer may be going through a merger, or have a need for isolation for some users or applications. A customer who has multiple HR, multiple AD, or multiple Azure AD tenants must decide on whether to combine to fewer instances of each or keep them in parallel.

+Based on our customer feedback, the following are some of the common scenarios and requirements.

+## Scenarios that come up for multicloud and multi-org identities

+- Mergers and acquisitions (M&A) ΓÇô refers to a situation where, usually Company A buys Company B.

+- Rebranding ΓÇô A company name or brand change and typically an e-mail domain name change.

+- Azure AD or Office 365 tenant consolidation - Companies with more than one Office 365 tenant may want to combine because of compliance or historic requirements.

+- Active Directory Domain or forest consolidation - Companies evaluating to perform Active Directory domain or forest consolidation.

+- Divestitures ΓÇô Where a division or business group of a company is sold or becomes independent.

+- User information privacy ΓÇô Where companies have requirements to keep certain data (attributes) from not being publicly visible and only right delegated groups or users can read, change, and update it.

+## Requirements that stem out from these scenarios

+- Bring all users' and groups' data to a single place, including email and status availability for meeting scheduling by creating a central or **universal directory**.

+- Maintain a **single username and credentials** while reducing the need to enter usernames and passwords across all applications by implementing Single Sign On.

+- Streamline user on-boarding so it doesn't take weeks or months.

+- Prepare the organization for future acquisitions and access management demands.

+- Enable and improve cross-company collaboration and productivity.

+- Reduce the likelihood of a security breach or data exfiltration with security policies deployed centrally and consistently!

+## Scenarios not covered in this article

+- Partial M&A. For example, an organization buys part of another organization.

+- Divesture or splitting organizations

+- Renaming organizations.

+- Joint ventures or temporary partners

+This article outlines various multicloud or multi-org identity environments including M&A scenarios that Microsoft supports today and outline how an organization might select the right technologies depending upon how they approach consolidation.

+## Consolidation options for a hypothetical M&A scenario

+The following sections cover four main scenarios for a hypothetical M&A scenario:

+Suppose Contoso is an enterprise customer, and their IT has a single (on-premises) HR system, single Active Directory forest, single tenant Azure AD for their apps, running as expected. Users are brought in from their HR system into Active Directory and projected into Azure AD and from there into SaaS apps. This scenario is illustrated with the diagram below, with the arrows showing the flow of identity information. The same model is also applicable to customers with cloud HR system such as Workday or SuccessFactors provisioning Active Directory, not just customers using Microsoft Identity Manager (MIM).

+

+

+Next, Contoso has begun to merge with Litware, which has previously been running their own IT independently. Contoso IT will handle the merger and expects that Contoso's IT will continue to have Contoso's apps remain unchanged, but they want to be able to have Litware's users receive access to them and collaborate within those apps. For Microsoft apps, third-party SaaS, and custom apps, the end state should be that Contoso and Litware users conceptually have access to the same data.

+The first IT decision is how much they wish to combine infrastructure. They could choose to not rely upon any of Litware's identity infrastructure. Or they could consider using Litware's infrastructure and converging over time while minimizing disruption to Litware's environment. In some cases, the customer may wish to keep Litware's existing identity infrastructure independent and not converging it, while still using it to give Litware employee access to Contoso apps.

+If the customer chooses to keep some or all Litware's identity infrastructure, then there are tradeoffs on how much of Litware's Active Directory Domain Services or Azure AD are used to give Litware users access to Contoso resources. This section looks at workable options, based on what Contoso would use for Litware's users:

+- Scenario A - Don't use *any* of Litware's identity infrastructure.

+- Scenario B - Use Litware's Active Directory forests, but not Litware's Azure AD (if they've one)

+- Scenario C - Use Litware's Azure AD.

+- Scenario D - Use Litware's non-Microsoft identity infrastructure (if Litware isn't using Active Directory/Azure AD)

+The following table summarizes each option with the technologies for how the customer could achieve those outcomes, the constraints, and benefits of each.

+| Considerations | A1: Single HR, single IAM & tenant | A2: Separate HR, single IAM, and tenant | B3: Active Directory forest trust, single Azure AD Connect | B4: Azure AD Connect their Active Directory to the single tenant | B5: Azure AD Connect cloud sync their Active Directory | C6: parallel provision multiple tenants into apps | C7: read from their tenant and B2B invite their users | C8: single IAM and B2B users as needed | D9: DF with their non-Azure AD IDP |

+|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|

+| Migration effort | High | Medium effort | Lower effort | Low effort | Low effort | None | None | None | None |

+| Deployment effort | Less effort | Medium effort | Medium effort | Medium effort | Low | Low | High | High | Very High |

+| End-user impact during migration | High | High | Medium | Medium | Medium | None | None | None | None |

+| Operating effort | Low cost | Low cost | Low cost | Low cost | Low cost | High | High | High | Very High |

+| Privacy and data capabilities (geo location/data boundaries) | None (Major roadblock for geo-location scenarios) | Limited isolation even though challenging | Limited isolation on-prem but not on the cloud | Limited isolation on-prem but not on the cloud | Limited isolation on-prem but not on the cloud | Good isolation both on-prem and on the cloud | Limited isolation both on-prem and cloud | Limited isolation both on-prem and cloud | Isolation both on-prem and on the cloud |

+| Isolation (separate delegation and setup different admin models) Note: as defined in source system (HR) | Not possible | Possible | Possible | Possible | Possible | Highly Possible | Highly possible | Highly possible | Possible |

+| Collaboration capabilities | Excellent | Excellent | Excellent | Excellent | Excellent | Poor | Average | Average | Poor |

+| IT admin model supported (centralized vs. separated) | Centralized | Centralized | Centralized | Centralized | Centralized | Decentralized | Decentralized | Decentralized | Actively Decentralized |

+| Limitations | No isolation | Limited isolation | Limited isolation | Limited isolation | Limited isolation. No writeback capabilities | Won't work for Microsoft Online Services apps. Highly dependent on app capability | Requires apps to be B2B aware | Requires apps to be B2B aware | Require apps to be B2B aware. Uncertainty in how it all works together |

+Table details

+- The employee effort tries to predict the required expertise and extra work required to implement the solution in an organization.

+- Operating effort tries to predict the cost and effort it takes to keep the solution running.

+- Privacy and data capabilities show if the solution allows support for geo location and data boundaries.

+- Isolation shows if this solution supplies the ability to separate or delegate admin models.

+- Collaboration capabilities show the level of collaboration the solution supports, more integrated solutions supply higher fidelity of teamwork.

+- The IT admin model shows if the admin model requires to centralized or can be decentralized.

+- Limitations: any issues of challenges worth listing.

+### Decision tree

+Use the following decision tree to help you decide which scenario would work best for your organization.

+[](media/parallel-identity-options/identity-decision-tree.png#lightbox)

+The rest of this document, will outline four scenarios A-D with various options supporting them.

+## Scenario A - If Contoso doesn't wish to rely upon Litware's existing identity infrastructure

+For this option, Litware may not have any identity systems (for example, a small business), or the customer may wish to turn off Litware's infrastructure. Or they wish to leave it untouched, for use by Litware employees to authenticate to Litware's apps but give Litware employees new identities as part of Contoso. For example, if Alice Smith was a Litware employee, she might have two identities ΓÇô Alice@litware.com and ASmith123@contoso.com. Those identities would be entirely distinct from each other.

+### Option 1 - Combine into a single HR system

+Typically, customers would bring the Litware employees into the Contoso HR system. This option would trigger those employees to receive accounts and the right access to Contoso's directories and apps. A Litware user would then have a new Contoso identity, which they could use to request access to the right Contoso apps.

+### Option 2 - Keep Litware HR system

+Sometimes converging the HR systems may not be possible, at least not in the short term. Instead, the customer would connect their provisioning system, for example, MIM, to read from *both* HR systems. In this diagram, the top HR is the existing Contoso environment, and the second HR is Litware's addition to the overall infrastructure.

+

+The same scenario would also be possible using Azure AD Workday or SuccessFactors inbound ΓÇô Contoso could bring in users from Litware's Workday HR source alongside existing Contoso employees.

+### Outcomes of consolidating all identity infrastructure

+- Reduced IT infrastructure, only one identity system to manage, no network connectivity requirements except for an HR system.

+- Consistent end user and administrative experience

+### Constraints of consolidating all identity infrastructure

+- Any data that is needed by Contoso employees that originated in Litware must be migrated to the Contoso environment.

+- Any Active Directory or Azure AD-integrated apps from Litware that will be needed for Contoso must be reconfigured to the Contoso environment. This reconfiguration may require changes to the configuration, which groups it uses for access, or potentially to the apps themselves.

+## Scenario B - If Contoso wishes to keep Litware's Active Directory forests, but not use Litware's Azure AD

+Litware may have many existing Active Directory-based apps that they rely on, and so Contoso may wish to continue to have Litware employees keep their own identities in their existing AD. A Litware employee would then use their existing identity for their authentication of their existing resources and authentication of Contoso resources. In this scenario, Litware doesn't have any cloud identities in Microsoft Online Services ΓÇô either Litware wasn't an Azure AD customer, nothing of Litware's cloud assets were to be shared with Contoso, or Contoso migrated Litware's cloud assets to be part of Contoso's tenant.

+### Option 3 - Forest trust with the acquired forest

+Using an [Active Directory forest trust](/windows-server/identity/ad-ds/plan/forest-design-models), Contoso and Litware can connect their Active Directory domains. This trust enables Litware users to authenticate Contoso's Active Directory-integrated apps. Also [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) can also read from Litware's Active Directory forest so that Litware users authenticate with Contoso's Azure AD integrated apps. This deployment topology requires a network route set up between the two domains, and TCP/IP network connectivity between any Litware user and Contoso Active Directory-integrated app. It's also straightforward to set up bidirectional trusts, so that Contoso users can access Litware AD-integrated apps (if any).

+

+### Outcome of setting up a forest trust

+- All Litware employees can authenticate Contoso's Active Directory or Azure AD-integrated apps, and Contoso can use current AD-based tools to manage authorization.

+### Constraints of setting up a forest trust

+- Requires TCP/IP connectivity between users who are domain joined to one forest and resources joined to the other forest.

+- Requires the Active Directory-based apps in the Contoso forest to be multi-forest-aware

+### Option 4 - Configure Azure AD Connect to the acquired forest without forest trust

+A customer can also configure Azure AD Connect to read from another forest. This configuration enables the Litware users to authenticate to Contoso's Azure AD integrated apps but doesn't supply access to Contoso's Active Directory integrated apps to the Litware user ΓÇô those Contoso apps don't recognize Litware users. This deployment topology requires TCP/IP network connectivity between Azure AD Connect and Litware's domain controllers. For example, if Azure AD Connect is on a Contoso IaaS VM, they would need to establish a tunnel also to Litware's network as well.

+

+### Outcome of using Azure AD Connect to provision one tenant

+- All Litware employees can authenticate Contoso's Azure AD integrated apps.

+### Constraints of using Azure AD Connect to provision one tenant

+- Requires TCP/IP connectivity between Contoso's Azure AD Connect and Litware's Active Directory domains.

+- Doesn't permit Litware users to have access to Contoso's Active Directory based applications

+### Option 5 - Deploy Azure AD Connect cloud sync in the acquired forest

+[Azure AD Connect cloud provisioning](../cloud-sync/what-is-cloud-sync.md) removes the network connectivity requirement, but you can only have one Active Directory to Azure AD linking for a given user with cloud sync. Litware users can authenticate Contoso's Azure AD integrated apps, but not Contoso's Active Directory-integrated apps. This topology doesn't require any TCP/IP connectivity between Litware and Contoso's on-premises environments.

+

+### Outcome of deploying Azure AD Connect cloud sync in the acquired forest

+- All Litware employees can authenticate Contoso's Azure AD-integrated apps.

+### Constraints of using Azure AD Connect cloud sync in the acquired forest

+- Doesn't permit Litware users to have access to Contoso's AD-based applications

+## Scenario C - If Contoso wants to keep Litware's Azure AD

+Litware may be a Microsoft Online Services or Azure customer or may have one or more Azure AD-based apps that they rely on. So, Contoso may want to continue to have Litware employees keep their own identities for access to those resources. A Litware employee would then use their existing identity for their authentication of their existing resources and authentication of Contoso resources.

+This scenario is suitable in cases where:

+- Litware has an extensive Azure or Microsoft Online Services investment including multiple Office 365 tenants that would be costly or time consuming to migrate to another tenant.

+- Litware may be spun out in future or is a partnership that will run independently.

+- Litware doesn't have on-premises infrastructure

+### Option 6 - Maintain parallel provisioning and SSO for apps in each Azure AD

+One option is for each Azure AD to independently provide SSO and [provision](../app-provisioning/user-provisioning.md) users from their directory into the target app. For example, if Contoso IT are using an app such as Salesforce, they would provide Litware with administrative rights to create users in the same Salesforce subscription.

+

+### Outcome of parallel provisioning

+- Users can authenticate apps using their existing identity, without making changes to Contoso's infrastructure.

+### Constraints of parallel provisioning

+- If using federation, it requires applications to support multiple federation providers for the same subscription.

+- Not possible for Microsoft apps such as Office or Azure

+- Contoso doesn't have visibility in their Azure AD of application access for Litware users

+### Option 7 - Configure B2B accounts for users from the acquired tenant

+If Litware has been running its own tenant, then Contoso can read the users from that tenant, and through the B2B API, invite each of those users into the Contoso tenant. (This bulk invite process can be done through the [MIM graph connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph), for example.) If Contoso also has AD-based apps that they wish to make available to Litware users, then MIM could also create users in Active Directory that would map to the UPNs of Azure AD users, so that the app proxy could perform KCD on behalf of a representation of a Litware user in Contoso's Active Directory.

+Then when a Litware employee wishes to access a Contoso app, they can do so by authenticating to their own directory, with access assignment to the resource tenant.

+

+### Outcome of setting up B2B accounts for users from the other tenant

+- Litware users can authenticate Contoso apps, and Contoso controls that access in their tenant.

+### Constraints of setting up B2B accounts for users from the other tenant

+- It requires a duplicate account for each Litware user who requires access to Contoso resources.

+- Requires the apps to be B2B capable for SSO.

+### Option 8 - Configure B2B but with a common HR feed for both directories

+In some situations, after acquisition the organization may converge on a single HR platform, but still run existing identity management systems. In this scenario, MIM could provision users into multiple Active Directory systems, depending on with part of the organization the user is affiliated with. They could continue to use B2B so that users authenticate their existing directory, and have a unified GAL.

+

+### Outcome of setting up B2B guest users from a common HR system feed

+- Litware users can authenticate to Contoso apps, and Contoso control that access in their tenant.

+- Litware and Contoso have a unified GAL.

+- No change to Litware's Active Directory or Azure AD

+### Constraints of setting up B2B guest users from a common HR system feed

+- Requires changes to Contoso's provisioning to also send users to Litware's Active Directory, and connectivity between Litware's domains and Contoso's domains.

+- Requires the apps to be B2B capable for SSO.

+## Scenario D - If Litware is using non-Active Directory infrastructure

+Finally, if Litware is using another directory service, either on-premises or in the cloud, then Contoso IT can still configure that Litware employees authenticate and can get access to Contoso's resources using their existing identity.

+### Option 9 - Use B2B direct federation (public preview)

+In this scenario, Litware is assumed to have:

+- Some existing directories, such as OpenLDAP or even an SQL database or flat file of users with their email addresses that they can regularly share with Contoso.

+- An identity provider that supports SAML, such as PingFederate or OKTA.

+- A publicly routed DNS domain such as Litware.com and users with email addresses in that domain

+In this approach, Contoso would configure a [direct federation](../external-identities/direct-federation.md) relationship from their tenant for that domain to Litware's identity provider, and then regularly read updates to Litware users from their directory to invite the Litware users into Contoso's Azure AD. This update can be done with a MIM Graph connector. If Contoso also has Active Directory-based apps that they wish to make available to Litware users, then MIM could also create users in Active Directory that would map to the UPNs of Azure AD users, so that the app proxy could perform KCD on behalf of a representation of a Litware user in Contoso's Active Directory.

+

+### Outcome of using B2B direct federation

+- Litware users authenticate to Contoso's Azure AD with their existing identity provider and access Contoso's cloud and on-premises web apps,

+### Constraints of using B2B direct federation

+- Require the Contoso apps to able to support B2B user SSO.

+## Next steps

+- [What is Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md)

+- [Setup Inbound provisioning for Azure AD](../app-provisioning/plan-cloud-hr-provision.md)

+- [Setup B2B direct federation](../external-identities/direct-federation.md)

+- [Multi-tenant user management options](multi-tenant-user-management-introduction.md)

+- [What is application provisioning?](../app-provisioning/user-provisioning.md)

+* Organizations that span multiple countries/regions, and companies hosted in a single Azure AD Tenant. For example, what settings and licenses are used in different countries/regions, or business subsidiaries.

+* [Best practices](secure-best-practices.md)

+SigninLogs

+| where ResourceDisplayName == "Device Registration Service"

+| where ConditionalAccessStatus == "success"

+| where AuthenticationRequirement <> "multiFactorAuthentication"

+| New country/region sign-in risk detection| Varies| Azure AD Risk Detection logs| UX: New country/region<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md) |

+* the countries/regions your users operate from.

+* whether there are groups of users that remain stationary within a network location or country/region.

+| Failed authentications from countries/regions you don't operate out of.| Medium| Azure AD Sign-ins log| Location = \<unapproved location\>| Monitor and alert on any entries. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Authentication occurring at times and days of the week when countries/regions don't conduct normal business operations.| Low| Azure AD Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>-and-<br>Location = \<location\><br>-and-<br>Day\Time = \<not normal working hours\>| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml) |

+| Successful authentications from countries/regions your organization doesn't operate out of.| Medium| Azure AD Sign-ins log| Status = success<br>Location = \<unapproved country/region\>| Monitor and alert on any entries not equal to the city names you provide.<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Authentications at days and times of the week or year that countries/regions do not conduct normal business operations.| Low| Azure AD Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>Location = \<location\><br>Date\Time = \<not normal working hours\>| Monitor and alert on authentications days and times of the week or year that countries/regions do not conduct normal business operations.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-UnusualLogonTimes.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+- User location, based on country/region or IP address

+To learn more about the differences between Azure AD Connect sync and Azure AD Connect cloud provisioning, see the article [What is Azure AD Connect cloud provisioning?](../cloud-sync/what-is-cloud-sync.md). For more information on deployment options with multiple HR sources or directories, then see the article [parallel and combined identity infrastructure options](../../fundamentals/parallel-identity-options.md).

+Learn more about how, and why, apps are added to your directory, see [How applications are added to Azure AD](../develop/how-applications-are-added.md).

+You can grant tenant-wide admin consent through *Enterprise applications* if the application has already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application. For more information, see [How and why applications are added to Azure Active Directory](../develop/how-applications-are-added.md).

+As an administrator, you can [grant tenant-wide admin consent](grant-admin-consent.md) to an application. Tenant-wide admin consent is necessary when an application requires permissions that regular users aren't allowed to grant. Granting tenant-wide admin consent also allows organizations to implement their own review processes. Always carefully review the permissions the application is requesting before granting consent. When an application has been granted tenant-wide admin consent, all users are able to sign into the application unless it has been configured to require user assignment.

+ Title: Privileged Identity Management (PIM) for Groups

+# Privileged Identity Management (PIM) for Groups

+- [Bring groups into Privileged Identity Management](groups-discover-groups.md)

+- [Assign eligibility for a group in Privileged Identity Management](groups-assign-member-owner.md)

+- [Approve activation requests for group members and owners](groups-approval-workflow.md)

+ Title: Activate your group membership or ownership in Privileged Identity Management

+# Activate your group membership or ownership in Privileged Identity Management

+1. Select **Azure AD Privileged Identity Management -> My roles -> Groups**.

+1. Select **Azure AD Privileged Identity Management -> My requests -> Groups**.

+1. Select **Azure AD Privileged Identity Management -> My requests -> Groups**.

+- [Approve activation requests for group members and owners](groups-approval-workflow.md)

+ Title: Approve activation requests for group members and owners

+description: Learn how to approve activation requests for group members and owners in Azure AD Privileged Identity Management (PIM).

+# Approve activation requests for group members and owners

+1. Select **Azure AD Privileged Identity Management -> Approve requests -> Groups**.

+- [Configure PIM for Groups settings](groups-role-settings.md)

+ Title: Assign eligibility for a group in Privileged Identity Management

+description: Learn how to assign eligibility for a group in Privileged Identity Management.

+# Assign eligibility for a group in Privileged Identity Management

+1. Select **Azure AD Privileged Identity Management -> Groups** and view groups that are already enabled for PIM for Groups.

+1. If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on the group's settings, the check box might not appear or might not be editable. For more information, check out the [Configure PIM for Groups settings in Privileged Identity Management](groups-role-settings.md#assignment-duration) article.

+1. Select **Azure AD Privileged Identity Management -> Groups** and view groups that are already enabled for PIM for Groups.

+- [Approve activation requests for group members and owners](groups-approval-workflow.md)

+ Title: Audit activity history for group assignments in Privileged Identity Management

+description: View activity and audit activity history for group assignments in Azure AD Privileged Identity Management (PIM).

+# Audit activity history for group assignments in Privileged Identity Management

+1. Select **Azure AD Privileged Identity Management -> Groups**.

+1. Select **Azure AD Privileged Identity Management -> Groups**.

+- [Assign eligibility for a group in Privileged Identity Management](groups-assign-member-owner.md)

+ Title: Bring groups into Privileged Identity Management

+description: Learn how to bring groups into Privileged Identity Management.

+# Bring groups into Privileged Identity Management

+1. Select **Azure AD Privileged Identity Management -> Groups** and view groups that are already enabled for PIM for Groups.

+1. Select **Groups** to return to the list of groups enabled in PIM for Groups.

+- [Assign eligibility for a group in Privileged Identity Management](groups-assign-member-owner.md)

+- [Approve activation requests for group members and owners](groups-approval-workflow.md)

+ Title: Extend or renew PIM for groups assignments

+description: Learn how to extend or renew PIM for groups assignments.

+# Extend or renew PIM for groups assignments

+- [Approve activation requests for group members and owners](groups-approval-workflow.md)

+- [Configure PIM for Groups settings](groups-role-settings.md)

+ Title: Configure PIM for Groups settings

+description: Learn how to configure PIM for Groups settings.

+# Configure PIM for Groups settings

+1. Select **Azure AD Privileged Identity Management -> Groups**.

+> User may not be prompted for multi-factor authentication if they authenticated with strong credentials, or provided multi-factor authentication earlier in this session. If your goal is to ensure that users have to provide authentication during activation, you can use [On activation, require Azure AD Conditional Access authentication context](pim-how-to-change-default-settings.md#on-activation-require-azure-ad-conditional-access-authentication-context) together with [Authentication Strengths](../authentication/concept-authentication-strengths.md) to require users to authenticate during activation using methods different from the one they used to sign-in to the machine. For example, if users sign-in to the machine using Windows Hello for Business, you can use ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥ and Authentication Strengths to require users to do Passwordless sign-in with Microsoft Authenticator when they activate the role. After the user provides Passwordless sign-in with Microsoft Authenticator once in this example, they'll be able to do their next activation in this session without additional authentication because Passwordless sign-in with Microsoft Authenticator will already be part of their token.

+### On activation, require Azure AD Conditional Access authentication context

+To learn more about approvals, see [Approve activation requests for PIM for Groups members and owners](groups-approval-workflow.md).

+- [Assign eligibility for a group in Privileged Identity Management](groups-assign-member-owner.md)

+> User may not be prompted for multi-factor authentication if they authenticated with strong credentials, or provided multi-factor authentication earlier in this session. If your goal is to ensure that users have to provide authentication during activation, you can use [On activation, require Azure AD Conditional Access authentication context](pim-how-to-change-default-settings.md#on-activation-require-azure-ad-conditional-access-authentication-context) together with [Authentication Strengths](../authentication/concept-authentication-strengths.md) to require users to authenticate during activation using methods different from the one they used to sign-in to the machine. For example, if users sign-in to the machine using Windows Hello for Business, you can use ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥ and Authentication Strengths to require users to do Passwordless sign-in with Microsoft Authenticator when they activate the role. After the user provides Passwordless sign-in with Microsoft Authenticator once in this example, they'll be able to do their next activation in this session without additional authentication because Passwordless sign-in with Microsoft Authenticator will already be part of their token.

+### On activation, require Azure AD Conditional Access authentication context

+> User may not be prompted for multi-factor authentication if they authenticated with strong credentials, or provided multi-factor authentication earlier in this session. If your goal is to ensure that users have to provide authentication during activation, you can use [On activation, require Azure AD Conditional Access authentication context](pim-how-to-change-default-settings.md#on-activation-require-azure-ad-conditional-access-authentication-context) together with [Authentication Strengths](../authentication/concept-authentication-strengths.md) to require users to authenticate during activation using methods different from the one they used to sign-in to the machine. For example, if users sign-in to the machine using Windows Hello for Business, you can use ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥ and Authentication Strengths to require users to do Passwordless sign-in with Microsoft Authenticator when they activate the role. After the user provides Passwordless sign-in with Microsoft Authenticator once in this example, they'll be able to do their next activation in this session without additional authentication because Passwordless sign-in with Microsoft Authenticator will already be part of their token.

+### On activation, require Azure AD Conditional Access authentication context

+We use IDs in our daily lives. We have drivers licenses that we use as evidence of our ability to operate a car. Universities issue diplomas that prove we attained a level of education. We use passports to prove who we are to authorities as we arrive to other countries/regions. The data model describes how we could handle these types of scenarios when working over the internet but in a secure manner that respects users' privacy. You can get additional information in The [Verifiable Credentials Data Model 1.0](https://www.w3.org/TR/vc-data-model/).

+ such as firstname, lastname, number, country/region, gender, birth-date, and nationality or any other credential type.

+Your organization may have specific compliance needs related to your industry, type of transactions, or country/region of operation.

+ * **Authorization**: Based on the application requirements, the applications might consume the VC attributes for fine-grained authorization decisions and auditing. For example, if an e-commerce website offers discounts to employees of the organizations in a particular location, they can validate this based on the country/region claim in the VC (if present).

+Credentials are a part of our daily lives; driver's licenses are used to assert that we're capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries/regions. Verifiable Credentials provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. [The W3C Verifiable Credentials spec](https://www.w3.org/TR/vc-data-model/) explains verifiable credentials in further detail.

+ containers:

+If your Azure Files resources are protected with a private endpoint, you must create your own storage class. Make sure that you've [configured your DNS settings to resolve the private endpoint IP address to the FQDN of the connection string][azure-private-endpoint-dns]. Customize the following parameters:

+The provisioning state on the managed cluster or agent pool should be **Canceled**. Use the REST API [Get Managed Clusters](/rest/api/aks/managed-clusters/get) or [Get Agent Pools](/rest/api/aks/agent-pools/get) to verify the operation. The provisioning state should update to **Canceled** within a few seconds of the abort request being accepted. The operation status of last running operation ID on the managed cluster/agent pool, which can be retrieved by performing a GET operation against the Managed Cluster or agent pool, should show a status of **Canceling**.

+<!-- LINKS - internal -->

+[install-azure-cli]: /cli/azure/install-azure-cli

+| 1.27 | Apr 2023 | Jun 2023 | Jul 2023 | Jul 2024

+Note important changes to make, before you upgrade to any of the available minor versions per below.

+|Kubernetes Version | AKS Managed Addons | AKS Components | OS components | Breaking Changes | Notes

+|--||-||-||

+| 1.24 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload Identity V1.1.1<br>ASC Defender 1.0.56<br>AAD Pod Identity 1.8.13.6<br>Gitops 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 18.04 Cgroups V1 <br>ContainerD 1.7<br>| No Breaking Changes | None

+| 1.25 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload Identity V1.1.1<br>ASC Defender 1.0.56<br>AAD Pod Identity 1.8.13.6<br>Gitops 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 18.04 Cgroups V1 <br>ContainerD 1.7<br>| Ubuntu 22.04 by default with cgroupv2 and Overlay VPA 0.13.0 |CgroupsV2 - If you deploy Java applications with the JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which fully support cgroup v2

+| 1.26 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload Identity V1.1.1<br>ASC Defender 1.0.56<br>AAD Pod Identity 1.8.13.6<br>Gitops 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7<br>|No Breaking Changes |None

+| 1.27 Preview | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.10.0<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload Identity V1.1.1<br>ASC Defender 1.0.56<br>AAD Pod Identity 1.8.13.6<br>Gitops 1.7.0<br>KMS 0.5.0|Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V1 <br>ContainerD 1.7<br>|Keda 2.10.0 |None

+| US DoD Central | ✅ | | ✅ |

+address1=$(az network nic show --name myNic1 --resource-group myResourceGroupAG | grep "\"privateIPAddress\":" | grep -oE '[^ ]+$' | tr -d '",')

+address2=$(az network nic show --name myNic2 --resource-group myResourceGroupAG | grep "\"privateIPAddress\":" | grep -oE '[^ ]+$' | tr -d '",')

+|**EY**| [**EY**](https://ey.com/) (Ernst & Young Global Limited) is a multinational professional services network that helps to create long-term value for clients and build trust in the capital markets. Enabled by data and technology, diverse EY teams in over 150 countries/regions to help clients grow, transform, and operate. EY teams work across assurance, consulting, law, strategy, tax, and transactions to find solutions for complex issues facing our world today. The EY Technology team collaborated with Microsoft to build a platform that hastens invoice extraction and contract comparison processes. Azure Form Recognizer and Custom Vision partnered to enable EY teams to automate and improve the OCR and document handling processes for its transactions services clients. | [Customer story](https://customers.microsoft.com/story/1404985164224935715-ey-professional-services-azure-form-recognizer)|

+ * [**prebuilt-businessCard**](concept-business-card.md). Address parse support to extract subfields for address components like address, city, state, country/region, and zip code.

+A dimension is one or more categorical values. The combination of those values identifies a particular univariate time series, for example: country/region, language, tenant, and so on.

+|**Dimension** | Categorical values. A combination of different values identifies a particular single-dimension time series, for example: country/region, language, tenant. You can select zero or more columns as dimensions. Note: be cautious when selecting a non-string column as a dimension. | Optional. |

+| Row ID | Timestamp | Country/Region | Language | Income |

+ | Country/Region | Language | Income |

+ - Fraction-based metrics. This includes ratio, percentage, etc. For example, you should not add the unemployment rate of each state to calculate the unemployment rate of the entire country/region.

+|**Dimension** | Categorical values. A combination of different values identifies a particular single-dimension time series. Examples include country/region, language, and tenant. You can select none, or an arbitrary number of columns as dimensions. If you're selecting a non-string column as dimension, be cautious with dimension explosion. | Optional. |

+# Custom TCB baseline enforcement for SGX attestation (preview)

+TCB identifier: ΓÇ£10ΓÇ¥

+ 15 (TCB release date: 2/14/2023)

+ TCB identifier : 15

+ TCB evaluation data number : 15

+ Minimum PSW Linux version : 2.17

+ Minimum PSW Windows version : 2.16

+ 14 (TCB release date: 11/8/2022)

+ TCB identifier : 14

+ TCB evaluation data number : 14

+ Minimum PSW Linux version : 2.17

+ Minimum PSW Windows version : 2.16

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](migrate-run-as-accounts-managed-identity.md?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](migrate-run-as-accounts-managed-identity.md?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.

+Membership can be assigned to **ALL** users in the tenant at the directory level, which is the default behavior. You can grant membership to either role at the directory level. For more information, see [Who has permission to add applications to my Azure AD instance?](../active-directory/develop/how-applications-are-added.md#who-has-permission-to-add-applications-to-my-azure-ad-instance).

+| VMware | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) | TKGm 2.2; upstream K8s v1.25.7+vmware.2 <br> TKGm 2.1.0; upstream K8s v1.24.9+vmware.1 <br> TKGm 1.6.0; upstream K8s v1.23.8+vmware.2 <br>TKGm 1.5.3; upstream K8s v1.22.8+vmware.1 <br>TKGm 1.4.0; upstream K8s v1.21.2+vmware.1 <br>TKGm 1.3.1; upstream K8s v1.20.5+vmware.2 <br>TKGm 1.2.1; upstream K8s v1.19.3+vmware.1 |

+* The Extension Service agent can use up to 5% of the CPU to install, upgrade, run, and delete extensions. Some extensions may apply more restrictive CPU limits once installed. The following exceptions apply:

+ | Extension type | Operating system | CPU limit |

+ | -- | - | |

+ | AzureMonitorLinuxAgent | Linux | 60% |

+ | AzureMonitorWindowsAgent | Windows | 100% |

+ | AzureSecurityLinuxAgent | Linux | 30% |

+ | LinuxOsUpdateExtension | Linux | 60% |

+ | MDE.Linux | Linux | 30% |

+ | MicrosoftDnsAgent | Windows | 100% |

+ | MicrosoftMonitoringAgent | Windows | 60% |

+ | OmsAgentForLinux | Windows | 60%|

+## Version 1.27 - February 2023

+Download for [Windows](https://download.microsoft.com/download/8/4/5/845d5e04-bb09-4ed2-9ca8-bb51184cddc9/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### Fixed

+- The extension service now correctly restarts when the Azure Connected Machine agent is upgraded by Update Management Center

+- Resolved issues with the hybrid connectivity component that could result in the "himds" service crashing, the server showing as "disconnected" in Azure, and connectivity issues with Windows Admin Center and SSH

+- Improved handling of resource move scenarios that could impact Windows Admin Center and SSH connectivity

+- Improved reliability when changing the [agent configuration mode](security-overview.md#local-agent-security-controls) from "monitor" mode to "full" mode.

+- Increased the [resource limits](agent-overview.md#agent-resource-governance) for the Microsoft Sentinel DNS extension to improve log collection reliability

+- Tenant IDs are better validated when connecting the server

+- The agent retains extension allow and blocklists when switching the agent from monitoring mode to full mode. Use [azcmagent config clear](azcmagent-config.md) to reset individual configuration settings to the default state.

+- Renamed the `--use-private-link` flag on [azcmagent check](azcmagent-check.md) to `--enable-pls-check` to more accurately represent its function

+- The network connectivity check during onboarding now verifies private endpoint configuration if you specify a private link scope. You can run the same check anytime by running [azcmagent check](azcmagent-check.md) with the new `--use-private-link` parameter.

+- Local configuration of agent settings now available using the [azcmagent config command](azcmagent-config.md).

+## Version 1.31 - June 2023

+Download for [Windows](https://download.microsoft.com/download/e/b/2/eb2f2d87-6382-463e-9d01-45b40c93c05b/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### New features

+- Added support for Amazon Linux 2023

+- [azcmagent show](azcmagent-show.md) no longer requires administrator privileges

+- You can now filter the output of [azcmagent show](azcmagent-show.md) by specifying the properties you wish to output

+### Fixed

+- Added an error message when a pending reboot on the machine affects extension operations

+- The scheduled task that checks for agent updates no longer outputs a file

+- Improved formatting for clock skew calculations

+- Improved reliability when upgrading extensions by explicitly asking extensions to stop before trying to upgrade.

+- Increased the [resource limits](agent-overview.md#agent-resource-governance) for the Update Management Center extension for Linux, Microsoft Defender Endpoint for Linux, and Azure Security Agent for Linux to prevent timeouts during installation

+- [azcmagent disconnect](azcmagent-disconnect.md) now closes any active SSH or Windows Admin Center connections

+- Improved output of the [azcmagent check](azcmagent-check.md) command

+- Better handling of spaces in the `--location` parameter of [azcmagent connect](azcmagent-connect.md)

+### New features

+- Introduced a scheduled task that checks for agent updates on a daily basis. Currently, the update mechanism is inactive and no changes are made to your server even if a newer agent version is available. In the future, you'll be able to schedule updates of the Azure Connected Machine agent from Azure. For more information, see [Automatic agent upgrades](manage-agent.md#automatic-agent-upgrades).

+- The agent now compares the time on the local system and Azure service when checking network connectivity and creating the resource in Azure. If the clocks are offset by more than 120 seconds (2 minutes), a nonblocking error is shown. You may encounter TLS connection errors if the time of your computer doesn't match the time in Azure.

+- `azcmagent show` now supports an `--os` flag to print extra OS information to the console

+> [!NOTE]

+> **azcmagent show** does not require administrator privileges

+azcmagent show [property1] [property2] ... [propertyN] [flags]

+Show only the agent status and last heartbeat time (using display names)

+```

+azcmagent show "Agent Status" "Agent Last Heartbeat"

+```

+Show only the agent status and last heartbeat time (using JSON keys)

+```

+azcmagent show status lastHeartbeat

+```

+`[property]`

+The name of a property to include in the output. If you want to show more than one property, separate them by spaces. You can use either the display name or the JSON key name to specify a property. For display names with spaces, enclose the property in quotes.

+After initial deployment of the Azure Connected Machine agent, you may need to reconfigure the agent, upgrade it, or remove it from the computer. These routine maintenance tasks can be done manually or through automation (which reduces both operational error and expenses). This article describes the operational aspects of the agent. See the [azcmagent CLI documentation](azcmagent.md) for command line reference information.

+### Automatic agent upgrades

+The Azure Connected Machine agent will support automatic and manual upgrades of the agent, initiated by Azure, in an upcoming release. To facilitate this capability, the agent enables a scheduled task on Windows or cron job on Linux that runs daily to see if the agent should be upgraded. The scheduler job will be installed when you install agent versions 1.30 or higher. While the scheduler job is currently enabled, the complete automatic upgrade experience is not yet available, so no changes will be made to your system even if a newer version of the Azure Connected Machine agent is available.

+To view these scheduler jobs in Windows through PowerShell, run the following command:

+To view these scheduler jobs in Linux, run the following command:

+3. Use the **azcmagent** tool with the [Disconnect](azcmagent-disconnect.md) parameter to disconnect the machine from Azure Arc and delete the machine resource from Azure. You can run this manually while logged on interactively, with a Microsoft identity [access token](../../active-directory/develop/access-tokens.md), or with the service principal you used for onboarding (or with a [new service principal that you create](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale).

+4. Re-register the Connected Machine agent with Azure Arc-enabled servers. Run the `azcmagent` tool with the [Connect](azcmagent-connect.md) parameter to complete this step. The agent will default to using the computer's current hostname, but you can choose your own resource name by passing the `--resource-name` parameter to the connect command.

+2. Use the **azcmagent** tool with the [Disconnect](azcmagent-disconnect.md) parameter to disconnect the machine from Azure Arc and delete the machine resource from Azure. You can run this manually while logged on interactively, with a Microsoft identity platform [access token](../../active-directory/develop/access-tokens.md), or with the service principal you used for onboarding (or with a [new service principal that you create](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale)).

+3. Run the `azcmagent` tool with the [Connect](azcmagent-connect.md) parameter to re-register the Connected Machine agent with Azure Arc-enabled servers in the other region.

+* Amazon Linux 2 and 2023

+<a name="footnote1"></a>¹If this GPO is enabled and applies to machines with the Connected Machine agent, it deletes the user profile associated with the built-in account specified for the *himds* service. As a result, it also deletes the authentication certificate used to communicate with the service that is cached in the local certificate store for 30 days. Before the 30-day limit, an attempt is made to renew the certificate. To resolve this issue, follow the steps to [disconnect the agent](azcmagent-disconnect.md) and then re-register it with the service running `azcmagent connect`.

+Azure Fluid Relay stores customer data. By default, customer data is replicated to the paired region. However, the customer can choose to keep it within the same region by selecting the Basic SKU during provisioning. This option is available in select regions where the paired region is outside the boundary of the primary country/region data is stored. For more information, go to [Data storage in Azure Fluid Relay](../concepts/data-storage.md).

+ Title: Guide to the standalone Durable Functions PowerShell SDK

+description: Learn about the standalone Durable Functions PowerShell SDK, and how to upgrade to it

+# Guide to the standalone Durable Functions PowerShell SDK

+The Durable Functions (DF) PowerShell SDK is now available, _in preview_, as a standalone package in the PowerShell Gallery: [`AzureFunctions.PowerShell.Durable.SDK`](https://www.powershellgallery.com/packages/AzureFunctions.PowerShell.Durable.SDK).

+Once this SDK package is GA, it will be the recommended means of authoring Durable Functions apps with PowerShell. In this article, we explain the benefits of this change, and what changes you can expect when adopting this new package.

+> [!NOTE]

+> This package is currently in **preview.**

+## Motivation behind the standalone SDK

+The previous DF SDK was built into the PowerShell language worker. This approach came with the benefit that Durable Functions apps could be authored out of the box for Azure Functions PowerShell users.

+However, it also came with various shortcomings:

+- New features, bug fixes, and other changes were dependent on the PowerShell worker's release cadence.

+- Due to the auto-upgrading nature of the PowerShell worker, the DF SDK needed to be conservative about fixing bugs as any behavior changes could constitute a breaking change.

+- The replay algorithm utilized by the built-in DF SDK was outdated: other DF SDKs already utilized a faster and more reliable implementation.

+By creating a standalone DF PowerShell SDK package, we're able to overcome these shortcomings. These are the benefits of utilizing this new standalone SDK package:

+- This SDK includes many highly requested improvements such as better exception and null-value handling, and serialization fixes.

+- The package is versioned independently of the PowerShell worker. This allows users to incorporate new features and fixes as soon as they're available, while also avoiding breaking changes from automatic upgrades.

+- The replay logic is faster, and more reliable: it uses the same replay engine as the DF isolated SDK for C#.

+## Deprecation plan for the built-in DF PowerShell SDK

+The built-in DF SDK in the PowerShell worker will remain available for PowerShell 7.2 and prior releases. This means that existing apps will be able to continue using the built-in SDK as long as they continue using PowerShell 7.2 or an older release.

+Starting from PowerShell 7.4 onwards, the PowerShell worker will not contain a built-in DF SDK. Therefore, users will need to install the SDK separately using this standalone package; the installation steps are described below.

+## Install and enable the SDK

+See this section to learn how to install and enable new standalone SDK in your existing app.

+### Prerequisites

+The standalone PowerShell SDK requires the following minimum versions:

+- [Azure Functions Runtime](../functions-versions.md) v4.16+

+- [Azure Functions Core Tools](../functions-run-local.md) v4.0.5095+ (if running locally)

+- Azure Functions PowerShell app for PowerShell 7.2 or greater

+### Opt in to the standalone DF SDK

+The following application setting is required to run the standalone PowerShell SDK while it is in preview:

+- Name: `ExternalDurablePowerShellSDK`

+- Value: `"true"`

+If you're running locally using [Azure Functions Core Tools](../functions-run-local.md), you should add this setting to your `local.settings.json` file. If you're running in Azure, follow these steps with the tool of your choice:

+# [Azure CLI](#tab/azure-cli-set-indexing-flag)

+Replace `<FUNCTION_APP_NAME>` and `<RESOURCE_GROUP_NAME>` with the name of your function app and resource group, respectively.

+```azurecli

+az functionapp config appsettings set --name <FUNCTION_APP_NAME> --resource-group <RESOURCE_GROUP_NAME> --settings ExternalDurablePowerShellSDK="true"

+```

+# [Azure PowerShell](#tab/azure-powershell-set-indexing-flag)

+Replace `<FUNCTION_APP_NAME>` and `<RESOURCE_GROUP_NAME>` with the name of your function app and resource group, respectively.

+```azurepowershell

+Update-AzFunctionAppSetting -Name <FUNCTION_APP_NAME> -ResourceGroupName <RESOURCE_GROUP_NAME> -AppSetting @{"ExternalDurablePowerShellSDK" = "'true'"}

+```

+# [VS Code](#tab/vs-code-set-indexing-flag)

+1. Make sure you have the [Azure Functions extension for VS Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) installed

+1. Press <kbd>F1</kbd> to open the command palette. In the command palette, search for and select `Azure Functions: Add New Setting...`.

+1. Choose your subscription and function app when prompted

+2. For the name, type `ExternalDurablePowerShellSDK` and press <kbd>Enter</kbd>.

+3. For the value, type `"true"` and press <kbd>Enter</kbd>.

+### Install and import the SDK

+You have two options for installing the SDK package: it can be installed as a [managed dependency](./../functions-reference-powershell.md#dependency-management), or as a [custom module](./../functions-reference-powershell.md#custom-modules).

+In this section, we describe both options, but only one of them is needed.

+#### Installation option 1: Use managed dependencies

+To install the SDK as a managed dependency, you'll need to follow the [managed dependencies guidance](./../functions-reference-powershell.md#dependency-management). Please review the guidance for details.

+In summary, you first need to ensure your `host.json` contains a `managedDependency` section with an `enabled` property set to `true`. Below is an example `host.json` that satisfies this requirement:

+```JSON

+{

+ "version": "2.0",

+ "managedDependency": {

+ "enabled": true

+ },

+ "extensionBundle": {

+ "id": "Microsoft.Azure.Functions.ExtensionBundle",

+ "version": "[3.*, 4.0.0)"

+ },

+}

+```

+Then you simply need to specify an entry for the DF SDK in your `requirements.psd1` file, as in the example below:

+```PowerShell

+# This file enables modules to be automatically managed by the Functions service.

+# See https://aka.ms/functionsmanageddependency for additional information.

+#

+@{

+ # For latest supported version, go to 'https://www.powershellgallery.com/packages/AzureFunctions.PowerShell.Durable.SDK/'.

+ 'AzureFunctions.PowerShell.Durable.SDK' = '1.*'

+}

+```

+#### Installation option 2: Use custom modules

+To install the standalone DF SDK as a custom module, you need to follow the [guidance regarding creating an app-level modules folder](./../functions-reference-powershell.md#function-app-level-modules-folder). Make sure to review the aforementioned docs for details.

+In summary, you'll need to place the SDK package inside a `".\Modules"` directory located at the root of your app.

+For example, from within your application's root, and after creating a `".\Modules"` directory, you may download the standalone SDK into the modules directory as such:

+```powershell

+Save-Module -Name AzureFunctions.PowerShell.Durable.SDK -AllowPrerelease -Path ".\Modules"

+```

+#### Importing the SDK

+The final step is importing the SDK into your code's session. To do this, import the PowerShell SDK via `Import-Module AzureFunctions.PowerShell.Durable.SDK -ErrorAction Stop` in your `profile.ps1` file.

+For example, if your app was scaffolded through templates, your `profile.ps1` file may end up looking as such:

+```powershell

+# Azure Functions profile.ps1

+#

+# This profile.ps1 will get executed every "cold start" of your Function App.

+# "cold start" occurs when:

+#

+# * A Function App starts up for the very first time

+# * A Function App starts up after being de-allocated due to inactivity

+#

+# You can define helper functions, run commands, or specify environment variables

+# NOTE: any variables defined that are not environment variables will get reset after the first execution

+# Authenticate with Azure PowerShell using MSI.

+# Remove this if you are not planning on using MSI or Azure PowerShell.

+if ($env:MSI_SECRET) {

+ Disable-AzContextAutosave -Scope Process | Out-Null

+ Connect-AzAccount -Identity

+}

+# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell.

+# Enable-AzureRmAlias

+# You can also define functions or aliases that can be referenced in any of your PowerShell functions.

+# Import standalone PowerShell SDK

+Import-Module AzureFunctions.PowerShell.Durable.SDK -ErrorAction Stop

+```

+These are all the steps needed to utilize the next PowerShell SDK. Run your app as normal, via `func host start` in your terminal to start using the SDK.

+### Migration guide

+In this section, we describe the interface and behavioral changes you can expect when utilizing the new SDK.

+#### New CmdLets

+* `Invoke-DurableSubOrchestrator -FunctionName <Name> -Input <Input>` is a new CmdLet that allows users to utilize suborchestrators in their workflows.

+#### Modified CmdLets

+* The CmdLet `Get-DurableTaskResult -Task <task>` now only accepts a single Task as it's argument, instead of accepting a list of Tasks.

+#### Behavioral changes

+* Exceptions thrown by activities scheduled with `Wait-DurableTask` (as in the Fan-Out/Fan-In pattern) are no longer silently ignored. Instead, on an exception, the CmdLet propagates that exception to the orchestrator so that it may be handled by user-code.

+* Null values are no longer dropped from the result list of a `Wait-DurableTask` (i.e., WhenAll) invocation. This means that a successful invocation of `Wait-DurableTask` without the `-Any` flag should return an array of the same size as the number of tasks it scheduled.

+#### Where to get support, provide feedback, and suggest changes

+During the preview phase of this release, the standalone SDK may introduce a few more changes. These changes can be influenced by the community so report any feedback and suggestions to the SDK's [_new GitHub repo_](https://github.com/Azure/azure-functions-durable-powershell).

+> [!NOTE]

+> The next version of the DF PowerShell is now in preview and may be downloaded from the PowerShell Gallery.

+> Learn about it and how to try it out in the [guide to the standalone PowerShell SDK](./durable-functions-powershell-v2-sdk-migration-guide.md).

+> You may follow the guide's [installation section](./durable-functions-powershell-v2-sdk-migration-guide.md#install-and-enable-the-sdk) for instructions compatible with this quickstart on how to enable it.

+The EAR is applicable to dual-use items that have both commercial and military applications and to items with purely commercial application. The BIS has provided guidance that cloud service providers (CSP) aren't exporters of customersΓÇÖ data due to the customersΓÇÖ use of cloud services. Moreover, in the [final rule](https://www.federalregister.gov/documents/2016/06/03/2016-12734/revisions-to-definitions-in-the-export-administration-regulations) published on 3 June 2016, BIS clarified that EAR licensing requirements wouldn't apply if the transmission and storage of unclassified technical data and software were encrypted end-to-end using Federal Information Processing Standard (FIPS) 140 validated cryptographic modules and not intentionally stored in a military-embargoed country/region, that is, Country/Region Group D:5 as described in [Supplement No. 1 to Part 740](https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-740?toc=1) of the EAR, or in the Russian Federation. The US Department of Commerce has made it clear that, when data or software is uploaded to the cloud, the customer, not the cloud provider, is the *exporter* who has the responsibility to ensure that transfers, storage, and access to that data or software complies with the EAR.

+DDTC [revised the ITAR rules](https://www.federalregister.gov/documents/2019/12/26/2019-27438/international-traffic-in-arms-regulations-creation-of-definition-of-activities-that-are-not-exports) effective 25 March 2020 to align them more closely with the EAR. These ITAR revisions introduced an end-to-end data encryption carve-out that incorporated many of the same terms that the US Department of Commerce adopted in 2016 for the EAR. Specifically, the revised ITAR rules state that activities that don't constitute exports, re-exports, re-transfers, or temporary imports include (among other activities) the sending, taking, or storing of technical data that is 1) unclassified, 2) secured using end-to-end encryption, 3) secured using FIPS 140 compliant cryptographic modules as prescribed in the regulations, 4) not intentionally sent to a person in or stored in a [country/region proscribed in § 126.1](https://www.ecfr.gov/current/title-22/chapter-I/subchapter-M/part-126?toc=1) or the Russian Federation, and 5) not sent from a country/region proscribed in § 126.1 or the Russian Federation. Moreover, DDTC clarified that data in-transit via the Internet isn't deemed to be stored. End-to-end encryption implies the data is always kept encrypted between the originator and intended recipient, and the means of decryption isn't provided to any third party.

+OFAC sanctions are in place to prevent &#8220;conducting business with a sanctions target&#8221;, that is, preventing transactions involving trade, payments, financial instruments, and so on. OFAC sanctions aren't intended to prevent a resident of a proscribed country/region from viewing a public web site.

+- **Ability to control data location** ΓÇô You have visibility as to where your [data is stored](https://azure.microsoft.com/global-infrastructure/data-residency/), and robust tools to restrict data storage to a single geography or country/region. For example, you may therefore ensure that data is stored in the United States or your country/region of choice and minimize transfer of controlled technology/technical data outside the target country/region. Your data isn't *intentionally stored* in a non-conforming location, consistent with the EAR and ITAR rules.

+**Data sovereignty** implies data residency; however, it also introduces rules and requirements that define who has control over customer data stored in the cloud. In many cases, data sovereignty mandates that customer data be subject to the laws and legal jurisdiction of the country/region in which data resides. These laws can have direct implications on data access even for platform maintenance or customer-initiated support requests. You can use Azure public multi-tenant cloud in combination with Azure Stack products for on-premises and edge solutions to meet your data sovereignty requirements, as described later in this article. These other products can be deployed to put you solely in control of your data, including storage, processing, transmission, and remote access.

+Azure Storage redundancy options can have implications on data residency as Azure relies on [paired regions](../availability-zones/cross-region-replication-azure.md) to deliver [geo-redundant storage](../storage/common/storage-redundancy.md#geo-redundant-storage) (GRS). For example, if you're concerned about geo-replication across regions that span country boundaries, you may want to choose LRS or ZRS to keep Azure Storage data at rest within the geographic boundaries of the country in which the primary region is located. Similarly, [geo replication for Azure SQL Database](/azure/azure-sql/database/active-geo-replication-overview) can be obtained by configuring asynchronous replication of transactions to any region in the world, although it's recommended that paired regions be used for this purpose as well. If you need to keep relational data inside the geographic boundaries of your country/region, you shouldn't configure Azure SQL Database asynchronous replication to a region outside that country/region.

+- **Cloud applications to meet data sovereignty:** Deploy a single application differently depending on the country/region. You can develop and deploy applications in Azure, with full flexibility to deploy on-premises with Azure Stack Hub based on the need to meet data sovereignty or custom compliance requirements. For example, with Azure Stack Hub architecture for [data sovereignty](/azure/architecture/solution-ideas/articles/data-sovereignty-and-gravity), you can transmit data from an Azure VNet to Azure Stack Hub VNet over private connection and ultimately store data in a SQL Server database running in a VM on Azure Stack Hub. You can use Azure Stack Hub to accommodate even more restrictive requirements such as the need to deploy solutions in a disconnected environment managed by security-cleared, in-country/region personnel. These disconnected environments may not be permitted to connect to the Internet for any purpose because of the security classification they operate at.

+Microsoft provides Azure Stack Hub as an on-premises, cloud-consistent experience for customers who don't have the ability to connect directly to the Internet, or where certain workload types are required to be hosted in-country/region due to law, compliance, or sentiment. Azure Stack Hub offers IaaS and PaaS services and shares the same APIs as the global Azure cloud. Azure Stack Hub is available in scale units of 4, 8, and 16 servers in a single-server rack, and 4 servers in a military-specification, ruggedized set of transit cases, or multiple racks in a modular data center configuration.

+- For geo-political or security reasons, the host organization may require cloud management by non-Microsoft entities, or in-country/region by security-cleared personnel.

+- Microsoft doesn't have an in-country/region cloud presence and therefore can't meet data sovereignty requirements.

+**Azure** has the broadest [compliance coverage](../compliance/index.yml) in the industry, including key independent certifications and attestations such as ISO 27001, ISO 27017, ISO 27018, ISO 22301, ISO 9001, ISO 20000-1, SOC 1/2/3, PCI DSS Level 1, PCI 3DS, HITRUST, CSA STAR Certification, CSA STAR Attestation, US FedRAMP High, Australia IRAP, Germany C5, Japan ISMAP, Korea K-ISMS, Singapore MTCS Level 3, Spain ENS High, UK G-Cloud and Cyber Essentials Plus, and many more. Azure compliance portfolio includes more than 100 compliance offerings spanning globally applicable certifications, US Government-specific programs, industry assurances, and country/region-specific offerings. You can use these offerings when addressing your own compliance obligations across regulated industries and markets worldwide.

+Azure compliance and certification resources are intended to help you address your own compliance obligations with various standards and regulations. You may have an established cloud adoption mandate in your country/region and the corresponding regulation to facilitate cloud onboarding. Or you may still operate traditional on-premises datacenters and are in the process of formulating your cloud adoption strategy. AzureΓÇÖs extensive compliance portfolio can help you irrespective of your cloud adoption maturity level.

+- **Data location:** How does Microsoft keep data within a specific country/regionΓÇÖs boundaries? In what cases does data leave? What data attributes leave? **Answer:** Microsoft provides [strong customer commitments](https://azure.microsoft.com/global-infrastructure/data-residency/) regarding cloud services data residency and transfer policies:

+- **Air-gapped (sovereign) cloud deployment:** Why doesnΓÇÖt Microsoft deploy an air-gapped, sovereign, physically isolated cloud instance in every country/region? **Answer:** Microsoft is actively pursuing air-gapped cloud deployments where a business case can be made with governments across the world. However, physical isolation or ΓÇ£air gappingΓÇ¥, as a strategy, is diametrically opposed to the strategy of hyperscale cloud. The value proposition of the cloud, rapid feature growth, resiliency, and cost-effective operation, are diminished when the cloud is fragmented and physically isolated. These strategic challenges compound with each extra air-gapped cloud or fragmentation within an air-gapped cloud. Whereas an air-gapped cloud might prove to be the right solution for certain customers, it isn't the only available option.

+- **Air-gapped (sovereign) cloud customer options:** How can Microsoft support governments who need to operate cloud services completely in-country/region by local security-cleared personnel? What options does Microsoft have for cloud services operated entirely on-premises within customer owned datacenter where government employees exercise sole operational and data access control? **Answer:** You can use [Azure Stack Hub](https://azure.microsoft.com/products/azure-stack/hub/) to deploy a private cloud on-premises managed by your own security-cleared, in-country/region personnel. You can run many types of VM instances, App Services, Containers (including Cognitive Services containers), Functions, Azure Monitor, Key Vault, Event Hubs, and other services while using the same development tools, APIs, and management processes that you use in Azure. With Azure Stack Hub, you have sole control of your data, including storage, processing, transmission, and remote access.

+- **Local jurisdiction:** Is Microsoft subject to local country/region jurisdiction based on the availability of Azure public cloud service? **Answer:** Yes, Microsoft must comply with all applicable local laws; however, government requests for customer data must also comply with applicable laws. A subpoena or its local equivalent is required to request non-content data. A warrant, court order, or its local equivalent is required for content data. Government requests for customer data follow a strict procedure according to [Microsoft practices for responding to government requests](https://blogs.microsoft.com/datalaw/our-practices/). Every year, Microsoft rejects many law enforcement requests for customer data. Challenges to government requests can take many forms. In many of these cases, Microsoft simply informs the requesting government that it's unable to disclose the requested information and explains the reason for rejecting the request. Where appropriate, Microsoft challenges requests in court. Our [Law Enforcement Request Report](https://www.microsoft.com/corporate-responsibility/law-enforcement-requests-report?rtc=1) and [US National Security Order Report](https://www.microsoft.com/corporate-responsibility/us-national-security-orders-report) are updated every six months and show that most of our customers are never impacted by government requests for data. For example, in the second half of 2019, Microsoft received 39 requests from law enforcement for accounts associated with enterprise cloud customers. Of those requests, only one warrant resulted in disclosure of customer content related to a non-US enterprise customer whose data was stored outside the United States.

+- **Data flow restrictions:** What provisions exist for approval and documentation of all data exchange between customer and Microsoft for local, in-country/region deployed cloud services? **Answer:** Options vary based on the cloud deployment model.

+A line layer can be used to render `LineString` and `MultiLineString` features as paths or routes on the map. A line layer can also be used to render the outline of `Polygon` and `MultiPolygon` features. A data source is connected to a line layer to provide it with data to render.

+The following screenshot shows a sample of the above functionality.

+<!--

+-->

+The following sample demonstrates how to add arrow icons along a line on the map. When using a symbol layer, set the "placement" option to "line". This option will render the symbols along the line and rotate the icons (0 degrees = right).

+```javascript

+function InitMap()

+{

+ var map = new atlas.Map('myMap', {

+ center: [-122.135, 47.65],

+ zoom: 11,

+ view: "Auto",

+ //Add authentication details for connecting to Azure Maps.

+ authOptions: {

+ authType: 'subscriptionKey',

+ subscriptionKey: '{Your-Azure-Maps-Subscription-key}'

+ }

+ });

+ var datasource;

+ //Wait until the map resources are ready.

+ map.events.add('ready', function () {

+ //Load the custom image icon into the map resources.

+ map.imageSprite.add('arrow-icon', 'https://s3-us-west-2.amazonaws.com/s.cdpn.io/1717245/purpleArrowRight.png').then(function () {

+ //Create a data source and add it to the map.

+ datasource = new atlas.source.DataSource();

+ map.sources.add(datasource);

+ //Create a line and add it to the data source.

+ datasource.add(new atlas.data.Feature(new atlas.data.LineString([

+ [-122.18822, 47.63208],

+ [-122.18204, 47.63196],

+ [-122.17243, 47.62976],

+ [-122.16419, 47.63023],

+ [-122.15852, 47.62942],

+ [-122.15183, 47.62988],

+ [-122.14256, 47.63451],

+ [-122.13483, 47.64041],

+ [-122.13466, 47.64422],

+ [-122.13844, 47.65440],

+ [-122.13277, 47.66515],

+ [-122.12779, 47.66712],

+ [-122.11595, 47.66712],

+ [-122.11063, 47.66735],

+ [-122.10668, 47.67035],

+ [-122.10565, 47.67498]

+ ])));

+ //Add a layers for rendering data.

+ map.layers.add([

+ //Add a line layer for displaying the line.

+ new atlas.layer.LineLayer(datasource, null, {

+ strokeColor: 'DarkOrchid',

+ strokeWidth: 3

+ }),

+ //Add a symbol layer for rendering the arrow along the line.

+ new atlas.layer.SymbolLayer(datasource, null, {

+ //Specify how much space should be between the symbols in pixels.

+ lineSpacing: 100,

+ //Tell the symbol layer that the symbols are being rendered along a line.

+ placement: 'line',

+ iconOptions: {

+ image: 'arrow-icon',

+ allowOverlap: true,

+ anchor: 'center',

+ size: 0.8

+ }

+ })

+ ]);

+ });

+ });

+}

+```

+This code will create a map that appears as follows:

+<!--

+-->

+For a fully functional sample that shows how to apply a stroke gradient to a line on the map, see [Line with Stroke Gradient] in the [Azure Maps Samples].

+<!--

+-->

+The Line layer has several styling options. For a fully functional sample that interactively demonstrates the line options, see [Line Layer Options] in the [Azure Maps Samples].

+<!--

+-->

+[Line with Stroke Gradient]: https://samples.azuremaps.com/?search=line&sample=line-with-stroke-gradient

+[Azure Maps Samples]: https://samples.azuremaps.com

+[Line Layer Options]: https://samples.azuremaps.com/?search=line&sample=line-layer-options

+This approach however will only snap to the road segments that are loaded within the map view. When zoomed out at country/region level there may be no road data, so snapping canΓÇÖt be done, however at that zoom level a single pixel can represent the area of several city blocks so snapping isnΓÇÖt needed. To address this, the snapping logic can be applied every time the map has finished moving. To see a fully functional example of this snapping logic, see the [Basic snap to road logic] sample in the Azure Maps samples.

+* [Structured address geocoding]: Specify the parts of a single address, such as the street name, city, country/region, and postal code and process the request immediately. This service is recommended if you need to geocode individual addresses quickly and the data is already parsed into its individual address parts.

+In Bing Maps, administrative boundaries for countries, states, counties, cities, and postal codes are made available via the Geodata API. This API takes in either a coordinate or query to geocode. If a query is passed in, it's geocoded and the coordinates from the first result is used. This API takes the coordinates and retrieves the boundary of the specified entity type that intersects the coordinate. This API didn't necessarily return the boundary for the query that was passed in. If a query for `"Seattle, WA"` is passed in, but the entity type value is set to country/region, the boundary for the USA would be returned.

+* Visualize sales or revenue results by country/region or state.

+| Location | Geospatial area with a boundary, such as country/region, state, city, county or postal code. Street and address aren't supported in filled map. |

+The **Location** field in the Azure Maps Power BI Visual can accept multiple values, such as country/region, state, city, street address and zip code. By providing multiple sources of location information in the Location field, you help to guarantee more accurate results and eliminate ambiguity that would prevent a specific location to be determined. For example, there are over 20 different cities in the United States named *Franklin*.

+| 2 | The double arrow drills to the next level of the hierarchy for all locations at once. For example, if you're currently looking at countries and then use this option to move to the next level, states, Power BI displays state data for all countries. For geocoding, Power BI sends Azure Maps state data (no country/region data) for all locations. This option is useful if each level of your hierarchy is unrelated to the level above it. |

+| 3 | Similar to the drill-down option, except that you don't need to click on the map. It expands down to the next level of the hierarchy remembering the current level's context. For example, if you're currently looking at countries and select this icon, you move down in the hierarchy to the next level--states. For geocoding, Power BI sends data for each state and its corresponding country/region to help Azure Maps geocode more accurately. In most maps, you'll either use this option or the drill-down option on the far right. This will send Azure as much information as possible and result in more accurate location information. |

+| Location | Used to enter easily understandable geographical data such as country/region, state, and city. |

+| Γ£ô | Country/region is provided with detailed data. |

+| Γùæ | Country/region is provided with simplified data. |

+| Country/region is missing | Country/region data isn't provided. |

+See the dedicated [troubleshooting article](/troubleshoot/azure/azure-monitor/app-insights/troubleshoot-webpages-issues).

+For a list of supported autoinstrumentation scenarios, see [Supported environments, languages, and resource providers](codeless-overview.md#supported-environments-languages-and-resource-providers).

+Your Java functions might have slow startup times if you adopted this feature before February 2023. From the function app **Overview** pane, go to **Configuration** in the left-hand side navigation menu. Then select **Application settings** and use the following steps to fix the issue.

+#### Duplicate logs

+If you're using log4j or logback for console logging, distributed tracing for Java Functions creates duplicate logs. These duplicate logs are then sent to Application Insights. To avoid this behavior, use the following workarounds.

+##### Log4j

+Add the following filter to your log4j.xml:

+```xml

+<Filters>

+ <ThresholdFilter level="ALL" onMatch="DENY" onMismatch="NEUTRAL"/>

+</Filters>

+```

+Example:

+```xml

+<?xml version="1.0" encoding="UTF-8"?>

+<Configuration status="WARN">

+ <Appenders>

+ <Console name="Console" target="SYSTEM_OUT">

+ <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>

+ <Filters>

+ <ThresholdFilter level="ALL" onMatch="DENY" onMismatch="NEUTRAL"/>

+ </Filters>

+ </Console>

+ </Appenders>

+ <Loggers>

+ <Root level="error">

+ <AppenderRef ref="Console"/>

+ </Root>

+ </Loggers>

+</Configuration>

+```

+##### Logback

+Add the following filter to your logback.xml:

+```xml

+<filter class="ch.qos.logback.classic.filter.ThresholdFilter">

+ <level>OFF</level>

+</filter>

+```

+Example:

+```xml

+<configuration debug="true">

+ <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">

+ <!-- encoders are by default assigned the type

+ ch.qos.logback.classic.encoder.PatternLayoutEncoder -->

+ <encoder>

+ <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} -%kvp- %msg%n</pattern>

+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">

+ <level>OFF</level>

+ </filter>

+ </encoder>

+ </appender>

+ <root level="debug">

+ <appender-ref ref="STDOUT" />

+ </root>

+</configuration>

+```

+export autoscaleName=vmss-autoscalesetting=002

+export resourceGroupName=rg-vmss-001

+az monitor autoscale profile create \

+--autoscale-name $autoscaleName \

+--count 2 \

+--name Thursdays \

+--resource-group $resourceGroupName \

+--max-count 10 \

+--min-count 1 \

+--recurrence week thu \

+--start 06:00 \

+--end 22:50 \

+--timezone "Pacific Standard Time"

+az monitor autoscale rule create \

+--autoscale-name $autoscaleName \

+-g $resourceGroupName \

+--scale in 1 \

+--condition "Percentage CPU < 25 avg 5m" \

+--profile-name Thursdays

+az monitor autoscale rule create \

+--autoscale-name $autoscaleName \

+-g $resourceGroupName \

+--scale out 2 \

+--condition "Percentage CPU > 50 avg 5m" \

+--profile-name Thursdays

+az monitor autoscale profile list \

+--autoscale-name $autoscaleName \

+--resource-group $resourceGroupName

+

+The example below shows how to create default profile and a recurring autoscale profile, recurring on Wednesdays and Fridays between 09:00 and 23:00.

+The default profile uses the `CpuIn` and `CpuOut` Rules. The recurring profile uses the `BandwidthIn` and `BandwidthOut` rules.

+$ResourceGroupName="rg-vmss-001"

+$TargetResourceId="/subscriptions/abc123456-987-f6e5-d43c-9a8d8e7f6541/resourceGroups/rg-vmss-001/providers/Microsoft.Compute/virtualMachineScaleSets/vmss-001"

+$ScaleSettingName="vmss-autoscalesetting=001"

+$CpuOut=New-AzAutoscaleScaleRuleObject `

+ -MetricTriggerMetricName "Percentage CPU" `

+ -MetricTriggerMetricResourceUri "$TargetResourceId" `

+ -MetricTriggerTimeGrain ([System.TimeSpan]::New(0,1,0)) `

+ -MetricTriggerStatistic "Average" `

+ -MetricTriggerTimeWindow ([System.TimeSpan]::New(0,5,0)) `

+ -MetricTriggerTimeAggregation "Average" `

+ -MetricTriggerOperator "GreaterThan" `

+ -MetricTriggerThreshold 50 `

+ -MetricTriggerDividePerInstance $false `

+ -ScaleActionDirection "Increase" `

+ -ScaleActionType "ChangeCount" `

+ -ScaleActionValue 1 `

+ -ScaleActionCooldown ([System.TimeSpan]::New(0,5,0))

+$CpuIn=New-AzAutoscaleScaleRuleObject `

+ -MetricTriggerMetricName "Percentage CPU" `

+ -MetricTriggerMetricResourceUri "$TargetResourceId" `

+ -MetricTriggerTimeGrain ([System.TimeSpan]::New(0,1,0)) `

+ -MetricTriggerStatistic "Average" `

+ -MetricTriggerTimeWindow ([System.TimeSpan]::New(0,5,0)) `

+ -MetricTriggerTimeAggregation "Average" `

+ -MetricTriggerOperator "LessThan" `

+ -MetricTriggerThreshold 30 `

+ -MetricTriggerDividePerInstance $false `

+ -ScaleActionDirection "Decrease" `

+ -ScaleActionType "ChangeCount" `

+ -ScaleActionValue 1 `

+ -ScaleActionCooldown ([System.TimeSpan]::New(0,5,0))

+$defaultProfile=New-AzAutoscaleProfileObject `

+ -Name "Default" `

+ -CapacityDefault 1 `

+ -CapacityMaximum 5 `

+ -CapacityMinimum 1 `

+ -Rule $CpuOut, $CpuIn

+$BandwidthIn=New-AzAutoscaleScaleRuleObject `

+ -MetricTriggerMetricName "VM Cached Bandwidth Consumed Percentage" `

+ -MetricTriggerMetricResourceUri "$TargetResourceId" `

+ -MetricTriggerTimeGrain ([System.TimeSpan]::New(0,1,0)) `

+ -MetricTriggerStatistic "Average" `

+ -MetricTriggerTimeWindow ([System.TimeSpan]::New(0,5,0)) `

+ -MetricTriggerTimeAggregation "Average" `

+ -MetricTriggerOperator "LessThan" `

+ -MetricTriggerThreshold 30 `

+ -MetricTriggerDividePerInstance $false `

+ -ScaleActionDirection "Decrease" `

+ -ScaleActionType "ChangeCount" `

+ -ScaleActionValue 1 `

+ -ScaleActionCooldown ([System.TimeSpan]::New(0,5,0))

+$BandwidthOut=New-AzAutoscaleScaleRuleObject `

+ -MetricTriggerMetricName "VM Cached Bandwidth Consumed Percentage" `

+ -MetricTriggerMetricResourceUri "$TargetResourceId" `

+ -MetricTriggerTimeGrain ([System.TimeSpan]::New(0,1,0)) `

+ -MetricTriggerStatistic "Average" `

+ -MetricTriggerTimeWindow ([System.TimeSpan]::New(0,5,0)) `

+ -MetricTriggerTimeAggregation "Average" `

+ -MetricTriggerOperator "GreaterThan" `

+ -MetricTriggerThreshold 60 `

+ -MetricTriggerDividePerInstance $false `

+ -ScaleActionDirection "Increase" `

+ -ScaleActionType "ChangeCount" `

+ -ScaleActionValue 1 `

+ -ScaleActionCooldown ([System.TimeSpan]::New(0,5,0))

+$RecurringProfile=New-AzAutoscaleProfileObject `

+ -Name "Wednesdays and Fridays" `

+ -CapacityDefault 1 `

+ -CapacityMaximum 10 `

+ -CapacityMinimum 1 `

+ -RecurrenceFrequency week `

+ -ScheduleDay "Wednesday","Friday" `

+ -ScheduleHour 09 `

+ -ScheduleMinute 00 `

+ -ScheduleTimeZone "Pacific Standard Time" `

+ -Rule $BandwidthIn, $BandwidthOut

+$DefaultProfile2=New-AzAutoscaleProfileObject `

+ -Name "Back to default after Wednesday and Friday" `

+ -CapacityDefault 1 `

+ -CapacityMaximum 5 `

+ -CapacityMinimum 1 `

+ -RecurrenceFrequency week `

+ -ScheduleDay "Wednesday","Friday" `

+ -ScheduleHour 23 `

+ -ScheduleMinute 00 `

+ -ScheduleTimeZone "Pacific Standard Time" `

+ -Rule $CpuOut, $CpuIn

+Update-AzAutoscaleSetting `

+-name $ScaleSettingName `

+-ResourceGroup $ResourceGroupName `

+-Enabled $true `

+-TargetResourceUri $TargetResourceId `

+-Profile $DefaultProfile, $RecurringProfile, $DefaultProfile2

+> [!NOTE]

+> You can't specify an end date for recurring profiles in PowerShell. To end a recurring profile, create a copy of default profile with the same recurrence parameters as the recurring profile. Set the start time to be the time you want the recurring profile to end. Each recurring profile requires its own copy of the default profile to specify an end time.

+$DefaultProfileSundayProfile = New-AzAutoscaleProfile -DefaultCapacity "1" -MaximumCapacity "10" -MinimumCapacity "1" -Rule $CpuOut,$CpuIn -Name "Defalut for Sunday" -RecurrenceFrequency week -ScheduleDay "Sunday" -ScheduleHour 19 -ScheduleMinute 00 -ScheduleTimeZone "Pacific Standard Time"`

+$DefaultProfileThursdayProfile = New-AzAutoscaleProfile -DefaultCapacity "1" -MaximumCapacity "10" -MinimumCapacity "1" -Rule $CpuOut,$CpuIn -Name "Default for Thursday" -RecurrenceFrequency week -ScheduleDay "Thursday" -ScheduleHour 19 -ScheduleMinute 00 -ScheduleTimeZone "Pacific Standard Time"`

+Workspaces cannot be created in or moved to the **Standard** or **Premium** pricing tiers since October 1, 2016. Workspaces already in these pricing tiers can continue to use them, but if a workspace is moved out of these tiers, it can't be moved back. The Standard and Preium pricing tiers have fixed data retention of 30 days and 365 days, respectively. Workspaces in these pricing tiers don't support the use of [Basic Logs](basic-logs-configure.md) and Data Archive. Data ingestion meters on your Azure bill for these legacy tiers are called "Data Analyzed."

+Azure Workbooks map visualizations aid in pinpointing issues in specific regions and showing high-level aggregated views of the monitoring data. Maps aggregate all the data mapped to each location or country/region.

+### Product Lifecycle Management

+* [Use Teamcenter PLM with Azure NetApp Files](/azure/architecture/example-scenario/manufacturing/teamcenter-plm-netapp-files)

+### Mainframe refactor

+* [General mainframe refactor to Azure - Azure Example Scenarios](/azure/architecture/example-scenario/mainframe/general-mainframe-refactor)

+* [Refactor mainframe applications with Advanced - Azure Example Scenarios](/azure/architecture/example-scenario/mainframe/refactor-mainframe-applications-advanced)

+* [Refactor mainframe applications with Astadia ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/mainframe/refactor-mainframe-applications-astadia)

+* [Refactor mainframe computer systems that run Adabas & Natural - Azure Example Scenarios](/azure/architecture/example-scenario/mainframe/refactor-adabas-aks)

+* [Refactor IBM z/OS mainframe coupling facility (CF) to Azure - Azure Example Scenarios](/azure/architecture/reference-architectures/zos/refactor-zos-coupling-facility)

+* [Refactor mainframe applications to Azure with Raincode compilers - Azure Example Scenarios](/azure/architecture/reference-architectures/app-modernization/raincode-reference-architecture)

+>[!IMPORTANT]

+> Customers using Oracle 19c and higher must ensure they **are patched for Oracle bug 32931941**. Most of the patch bundles currently in use by Oracle customers do **\*not\*** include this patch. The patch has only been included in a subset of recent patch bundles.

+>[!IMPORTANT]

+> Customers using Oracle dNFS with NFSv4.1 on Azure NetApp Files volumes must ensure to take actions mentioned under [Are there any patches required for use of Oracle dNFS with NFSv4.1?](#are-there-any-patches-required-for-use-of-oracle-dnfs-with-nfsv41).

+### Are there any patches required for use of Oracle dNFS with NFSv4.1?

+>[!IMPORTANT]

+> If your databases are using Oracle dNFS with NFSv4.1, they **need to be patched for Oracle bugs 33132050 and 33676296**. You may have to request a backport for other versions of Oracle. For example, at the time of writing, these patches are available for 19.11, but not yet 19.3. If you cite these bug numbers in the support case, Oracle's support engineers know what to do.

+- [Integration FAQs](faq-integration.md)

+Within Azure, there are additional IP addresses reserved in each subnet, which include the first four and the last IP address, totaling five reserved IP addresses. For instance, in the case of the IP address range `192.168.1.0/24`, the following addresses are reserved:

+- `192.168.1.0` : Network address.

+- `192.168.1.1` : Reserved by Azure for the default gateway.

+- `192.168.1.2`, `192.168.1.3` : Reserved by Azure to map the Azure DNS IPs to the VNet space.

+- `192.168.1.255` : Network broadcast address.

+| network | Yes | string | String containing an IP network to convert. The provided string must be in the correct networking format. |

+| hostIndex | Yes | int | The index determines the host IP address to be returned. If you use the value `0`, it gives you the first usable IP address for a non-Azure network. However, if you use `3`, it provides you with the first usable IP address for an Azure subnet.|

+The following example calculates the first five usable host IP addresses from the specified /24 on non-Azure networks:

+The following example calculates the first five usable host IP addresses from the specified /52 on non-Azure networks:

+- For a description of the sections in a Bicep file, see [Understand the structure and syntax of Bicep files](./file.md).

+- If the upload from URL failed, make sure that the URL is valid and accessible by Video Indexer. Make sure that the URL isn't from a streaming service such as YouTube. Make sure that the media file isn't encrypted, protected by DRM, corrupted, or damaged. Make sure that the media file format is supported by Video Indexer. For a list of supported formats, see [supported media formats](https://learn.microsoft.com/azure/media-services/latest/encode-media-encoder-standard-formats-reference).

+## Video: Deploy Azure VMware Solution with Azure NetApp Files datastore

+> [!VIDEO https://learn-video.azurefd.net/vod/player?show=inside-azure-for-it&ep=how-to-deploy-azure-vmware-solution-with-azure-netapp-files-datastore]

+<a name="ultra-disk-backup">Ultra SSD disks</a> | Supported with [Enhanced policy](backup-azure-vms-enhanced-policy.md). The support is currently in preview. <br><br> Supported region(s) - Sweden Central, South Central US, East US, East US 2, West US 2, West Europe and North Europe. <br><br> To enroll your subscription for this feature, [fill this form](https://forms.office.com/r/1GLRnNCntU). <br><br> - Configuration of Ultra disk protection is supported via Recovery Services vault only. This configuration is currently not supported via virtual machine blade. <br><br> - Cross-region restore is currently not supported for machines using Ultra disks.

+## Before beginning

+- Filter requests based on a specific IP address or country/region.

+> Image captioning in Image Analysis 4.0 is only available in the following Azure data center regions at this time: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia. You must use a Computer Vision resource located in one of these regions to get results from Caption and Dense Captions features.

+> Background removal is only available in the following Azure regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

+Visual features 'Captions' and 'DenseCaptions' are only supported in the following Azure regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

+> These APIs are only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

+* Once you have your Azure subscription, <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision" title="Create a Computer Vision resource" target="_blank">create a Computer Vision resource </a> in the Azure portal to get your key and endpoint. Be sure to create it in one of the permitted geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

+|**Generate image captions** | Generate a caption of an image in human-readable language, using complete sentences. Computer Vision's algorithms generate captions based on the objects identified in the image. <br/><br/>The version 4.0 image captioning model is a more advanced implementation and works with a wider range of input images. It is only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia. <br/><br/>Version 4.0 also lets you use dense captioning, which generates detailed captions for individual objects that are found in the image. The API returns the bounding box coordinates (in pixels) of each object found in the image, plus a caption. You can use this functionality to generate descriptions of separate parts of an image.<br/><br/>:::image type="content" source="Images/description.png" alt-text="Photo of cows with a simple description on the right.":::| [Generate image captions (v3.2)](concept-describing-images.md)<br/>[(v4.0 preview)](concept-describe-images-40.md)|

+|**Get the area of interest / smart crop** |Analyze the contents of an image to return the coordinates of the *area of interest* that matches a specified aspect ratio. Computer Vision returns the bounding box coordinates of the region, so the calling application can modify the original image as desired. <br/><br/>The version 4.0 smart cropping model is a more advanced implementation and works with a wider range of input images. It is only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia. | [Generate a thumbnail (v3.2)](concept-generating-thumbnails.md)<br/>[(v4.0 preview)](concept-generate-thumbnails-40.md)|

+These APIs are only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

+1. [Create a project](how-to-custom-voice.md) to contain your data, voice models, tests, and endpoints. Each project is specific to a country/region and language. If you are going to create multiple voices, it's recommended that you create a project for each voice.

+Content for [Custom Neural Voice](https://aka.ms/customvoice) like data, models, tests, and endpoints are organized into projects in Speech Studio. Each project is specific to a country/region and language, and the gender of the voice you want to create. For example, you might create a project for a female voice for your call center's chat bots that use English in the United States.

+ * Document Translation is supported in paid tiers. The Language Studio only supports the S1 or D3 instance tiers. We suggest you select the Standard S1 instance tier to try Document Translation.

+ Azure sovereign clouds are isolated in-country/region platforms with independent authentication, storage, and compliance requirements. Sovereign clouds are often used within geographical boundaries where there's a strict data residency requirement. Translator is currently deployed in the following sovereign clouds:

+ * Additional government and country/region specific entity categories for Named Entity Recognition.

+Azure OpenAI Service includes a content filtering system that works alongside core models. This system works by running both the prompt and completion through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Variations in API configurations and application design may affect completions and thus filtering behavior. The content filtering system supports the following languages: English, German, Japanese, Spanish, French, Italian, Portuguese, and Chinese. It might not be able to detect inappropriate content in languages that it has not been trained or tested to process.

+In addition to the content filtering system, the Azure OpenAI Service performs monitoring to detect content and/or behaviors that suggest use of the service in a manner that may violate applicable product terms. For more information about understanding and mitigating risks associated with your application, see the [Transparency Note for Azure OpenAI](/legal/cognitive-services/openai/transparency-note?tabs=text). For more information about how data is processed in connection with content filtering and abuse monitoring, see [Data, privacy, and security for Azure OpenAI Service](/legal/cognitive-services/openai/data-privacy?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext#preventing-abuse-and-harmful-content-generation).

+The following sections provide information about the content filtering categories, the filtering severity levels, and API scenarios to be considered in application design and implementation.

+## Content filtering categories

+The content filtering system integrated in Azure OpenAI Service contains neural multi-class classification models aimed at detecting and filtering harmful content; the models cover four categories (hate, sexual, violence, and self-harm) across four severity levels (safe, low, medium, and high). Content detected at the 'safe' severity level is labeled in annotations but isn't subject to filtering.

+The default content filtering configuration is set to filter at the medium severity threshold for all four content harms categories for both prompts and completions. That means that content that is detected at severity level medium or high is filtered, while content detected at severity level low is not filtered by the content filters.

+### Categories

+|Category|Description|

+|--|--|

+| Hate |The hate category describes language attacks or uses that include pejorative or discriminatory language with reference to a person or identity group on the basis of certain differentiating attributes of these groups including but not limited to race, ethnicity, nationality, gender identity and expression, sexual orientation, religion, immigration status, ability status, personal appearance, and body size. |

+| Sexual | The sexual category describes language related to anatomical organs and genitals, romantic relationships, acts portrayed in erotic or affectionate terms, physical sexual acts, including those portrayed as an assault or a forced sexual violent act against oneΓÇÖs will, prostitution, pornography, and abuse. |

+| Violence | The violence category describes language related to physical actions intended to hurt, injure, damage, or kill someone or something; describes weapons, etc. |

+| Self-Harm | The self-harm category describes language related to physical actions intended to purposely hurt, injure, or damage oneΓÇÖs body, or kill oneself.|

+### Severity levels

+|Category|Description|

+|--|--|

+|Safe | Content may be related to violence, self-harm, sexual, or hate categories but the terms are used in general, journalistic, scientific, medical, and similar professional contexts, which are appropriate for most audiences. |

+|Low | Content that expresses prejudiced, judgmental, or opinionated views, includes offensive use of language, stereotyping, use cases exploring a fictional world (for example, gaming, literature) and depictions at low intensity.|

+| Medium | Content that uses offensive, insulting, mocking, intimidating, or demeaning language towards specific identity groups, includes depictions of seeking and executing harmful instructions, fantasies, glorification, promotion of harm at medium intensity. |

+|High | Content that displays explicit and severe harmful instructions, actions, damage, or abuse; includes endorsement, glorification, or promotion of severe harmful acts, extreme or illegal forms of harm, radicalization, or non-consensual power exchange or abuse.|

+When the content filtering system detects harmful content, you'll receive either an error on the API call if the prompt was deemed inappropriate or the `finish_reason` on the response will be `content_filter` to signify that some of the completion was filtered. When building your application or system, you'll want to account for these scenarios where the content returned by the Completions API is filtered, which may result in content that is incomplete. How you act on this information will be application specific. The behavior can be summarized in the following points:

+- Prompts that are classified at a filtered category and severity level will return an HTTP 400 error.

+- Non-streaming completions calls won't return any content when the content is filtered. The `finish_reason` value will be set to content_filter. In rare cases with longer responses, a partial result can be returned. In these cases, the `finish_reason` will be updated.

+- For streaming completions calls, segments will be returned back to the user as they're completed. The service will continue streaming until either reaching a stop token, length, or when content that is classified at a filtered category and severity level is detected.

+### Scenario: You send a non-streaming completions call asking for multiple outputs; no content is classified at a filtered category and severity level

+| 200 | In the cases when all generation passes the filters as configured, no content moderation details are added to the response. The `finish_reason` for each generation will be either stop or length. |

+| 200 |The generations that were filtered will have a `finish_reason` value of `content_filter`.

+|400 |The API call will fail when the prompt triggers a content filter as configured. Modify the prompt and try again.|

+### Scenario: You make a streaming completions call; no output content is classified at a filtered category and severity level

+|200|In this case, the call will stream back with the full generation and `finish_reason` will be either 'length' or 'stop' for each generated response.|

+### Scenario: You make a streaming completions call asking for multiple completions and at least a portion of the output content is filtered

+| 200 | For a given generation index, the last chunk of the generation will include a non-null `finish_reason` value. The value will be `content_filter` when the generation was filtered.|

+### Scenario: Content filtering system doesn't run on the completion

+| 200 | If the content filtering system is down or otherwise unable to complete the operation in time, your request will still complete without content filtering. You can determine that the filtering wasn't applied by looking for an error message in the `content_filter_result` object.|

+## Annotations (preview)

+When annotations are enabled as shown in the code snippet below, the following information is returned via the API: content filtering category (hate, sexual, violence, self-harm); within each content filtering category, the severity level (safe, low, medium or high); filtering status (true or false).

+Annotations are currently in preview for Completions and Chat Completions (GPT models); the following code snippet shows how to use annotations in preview:

+```python

+# Note: The openai-python library support for Azure OpenAI is in preview.

+# os.getenv() for the endpoint and key assumes that you are using environment variables.

+import os

+import openai

+openai.api_type = "azure"

+openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT")

+openai.api_version = "2023-06-01-preview" # API version required to test out Annotations preview

+openai.api_key = os.getenv("AZURE_OPENAI_KEY")

+response = openai.Completion.create(

+ engine="text-davinci-003", # engine = "deployment_name".

+ prompt="{Example prompt where a severity level of low is detected}"

+ # Content that is detected at severity level medium or high is filtered,

+ # while content detected at severity level low isn't filtered by the content filters.

+)

+print(response)

+```

+### Output

+```json

+{

+ "choices": [

+ {

+ "content_filter_results": {

+ "hate": {

+ "filtered": false,

+ "severity": "safe"

+ },

+ "self_harm": {

+ "filtered": false,

+ "severity": "safe"

+ },

+ "sexual": {

+ "filtered": false,

+ "severity": "safe"

+ },

+ "violence": {

+ "filtered": false,

+ "severity": "low"

+ }

+ },

+ "finish_reason": "length",

+ "index": 0,

+ "logprobs": null,

+ "text": {"\")(\"Example model response will be returned\").}"

+ }

+ ],

+ "created": 1685727831,

+ "id": "cmpl-7N36VZAVBMJtxycrmiHZ12aK76a6v",

+ "model": "text-davinci-003",

+ "object": "text_completion",

+ "prompt_annotations": [

+ {

+ "content_filter_results": {

+ "hate": {

+ "filtered": false,

+ "severity": "safe"

+ },

+ "self_harm": {

+ "filtered": false,

+ "severity": "safe"

+ },

+ "sexual": {

+ "filtered": false,

+ "severity": "safe"

+ },

+ "violence": {

+ "filtered": false,

+ "severity": "safe"

+ }

+ },

+ "prompt_index": 0

+ }

+ ],

+ "usage": {

+ "completion_tokens": 16,

+ "prompt_tokens": 5,

+ "total_tokens": 21

+ }

+}

+```

+The following code snippet shows how to retrieve annotations when content was filtered:

+```python

+# Note: The openai-python library support for Azure OpenAI is in preview.

+# os.getenv() for the endpoint and key assumes that you are using environment variables.

+import os

+import openai

+openai.api_type = "azure"

+openai.api_base = os.getenv("AZURE_OPENAI_ENDPOINT")

+openai.api_version = "2023-06-01-preview" # API version required to test out Annotations preview

+openai.api_key = os.getenv("AZURE_OPENAI_KEY")

+try:

+ openai.Completion.create(

+ prompt="<HARMFUL_PROMPT>",

+ engine="<MODEL_DEPLOYMENT_NAME>",

+ )

+except openai.error.InvalidRequestError as e:

+ if e.error.code == "content_filter" and e.error.innererror:

+ content_filter_result = e.error.innererror.content_filter_result

+ # print the formatted JSON

+ print(content_filter_result)

+ # or access the individual categories and details

+ for category, details in content_filter_result.items():

+ print(f"{category}:\n filtered={details['filtered']}\n severity={details['severity']}")

+```

+For details on the inference REST API endpoints for Azure OpenAI and how to create Chat and Completions please follow [Azure OpenAI Service REST API reference guidance](../reference.md). Annotations are returned for all scenarios when using `2023-06-01-preview`.

+### Example scenario: An input prompt containing content that is classified at a filtered category and severity level is sent to the completions API

+```json

+{

+ "error": {

+ "message": "The response was filtered due to the prompt triggering Azure Content management policy.

+ Please modify your prompt and retry. To learn more about our content filtering policies

+ please read our documentation: https://go.microsoft.com/fwlink/?linkid=21298766",

+ "type": null,

+ "param": "prompt",

+ "code": "content_filter",

+ "status": 400,

+ "innererror": {

+ "code": "ResponsibleAIPolicyViolation",

+ "content_filter_result": {

+ "hate": {

+ "filtered": true,

+ "severity": "high"

+ },

+ "self-harm": {

+ "filtered": true,

+ "severity": "high"

+ },

+ "sexual": {

+ "filtered": false,

+ "severity": "safe"

+ },

+ "violence": {

+ "filtered":true,

+ "severity": "medium"

+ }

+ }

+ }

+ }

+}

+```

+As part of your application design, consider the following best practices to deliver a positive experience with your application while minimizing potential harms:

+- Decide how you want to handle scenarios where your users send prompts containing content that is classified at a filtered category and severity level or otherwise misuse your application.

+- Check the `finish_reason` to see if a completion is filtered.

+- Check that there's no error object in the `content_filter_result` (indicating that content filters didn't run).

+- Learn more about the [underlying models that power Azure OpenAI](../concepts/models.md).

+- Apply for modified content filters via [this form](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu).

+- Azure OpenAI content filtering is powered by the models that power [Azure AI Content Safety](https://azure.microsoft.com/products/cognitive-services/ai-content-safety).

+- Learn more about understanding and mitigating risks associated with your application: [Overview of Responsible AI practices for Azure OpenAI models](/legal/cognitive-services/openai/overview?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext).

+- Learn more about how data is processed in connection with content filtering and abuse monitoring: [Data, privacy, and security for Azure OpenAI Service](/legal/cognitive-services/openai/data-privacy?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext#preventing-abuse-and-harmful-content-generation).

+> [!IMPORTANT]

+> The currently listed deprecation dates in Azure AI Studio and via REST API for gpt-35-turbo (0301) is a temporary placeholder. Deprecation will not happen prior to October 1st 2023.

+> [!IMPORTANT]

+> The currently listed deprecation dates in Azure AI Studio and via REST API for the gpt-4 and gpt-4-32k (0314) models are temporary placeholders. Deprecation will not happen prior to October 1st 2023.

+| text-embedding-ada-002 (version 1) | East US, South Central US, West Europe | N/A |2,046 | Sep 2021 |

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+- `2023-06-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-06-01-preview/inference.json)

+Numbers are billed on a per month basis, and pricing differs based on the type of a number and the source (country/region) of the number. Once a number is purchased, Customers can make / receive calls using that number and are billed on a per minute basis. PSTN call pricing is based on the type of number and location in which a call is terminated (destination), with few scenarios having rates based on origination location.

+- Check SMS FAQ for questions regarding [SMS](../sms/sms-faq.md)

+- From Pending to Verdict (Verfied/Rejected/More info needed) = **4-5 weeks**. The toll-free aggregator is currently facing a high volume of applications due to which applications can take around 8 weeks to get approved.

+The whole toll-free verification process takes about **5-6 weeks**. These timelines are subject to change depending on the volume of applications to the toll-free messaging aggregator and the [quality](#what-is-considered-a-high-quality-toll-free-verification-application) of your application. The toll-free aggregator is currently facing a high volume of applications due to which applications can take around 8 weeks to get approved.

+To ensure that we continue offering the high quality of service consistent with our SLAs, Azure Communication Services applies rate limits (different for each primitive). Developers who call our APIs beyond the limit receives a 429 HTTP Status Code Response.

+|Send Message|Toll-Free|Per Number|60|200*|200|

+|Send Message|Short Code |Per Number|60|6000*|6000|

+|Send Message|Alphanumeric Sender ID |Per resource|60|600*|600|

+*If your company has requirements that exceed the rate-limits, email us at phone@microsoft.com and we will enable higher throughput.

+> [!IMPORTANT]

+> Toll-free verification is meant for the end business actually sending the message traffic and not for resellers. ISVs are required to surface this verification form to the businesses or fill out the all information including company information, program details and opt-in information on behalf of the customer .

+This is the most crucial step in the verification application and providing the correct information will ensure faster approval times. If proof of opt-in is not provided in Opt-in URL field, URL is inaccessible, or if opt-in process is unclear, the application will be rejected.

+When working with calls in Azure Communication Services, you may encounter issues that affect your customers. To help with this, Azure Communication Services provides a feature called "User Facing Diagnostics" (UFD) that can be used to examine various properties of a call to determine what the issue might be. User Facing Diagnostics are events that are fired off that could indicate due to some underlying issue (poor network, user has their microphone muted) that a user might have a poor experience. After a User Facing Diagnostic is fired, you should consider giving feedback to an end-user that they might be having some underlying issue. However, the User Facing Diagnostic output is informational only, and the calling stack does not make any changes based on a User Facing Diagnostic being fired.

+zone_pivot_groups: acs-plat-web-ios-android-windows

+UDR is only supported on the workload profiles environment. The following application and network rules must be added to the allowlist for your firewall depending on which resources you're using.

+| Azure Container Registry (ACR) | *AzureContainerRegistry* | When using ACR with Azure Container Apps, you'll need to configure these application rules used by Azure Container Registry. |

+> For Azure resources you are using with Azure Firewall not listed in this article, please refer to the [service tags documentation](../virtual-network/service-tags-overview.md#available-service-tags).

+- **Custom DNS**: If your VNet uses a custom DNS server instead of the default Azure-provided DNS server, configure your DNS server to forward unresolved DNS queries to `168.63.129.16`. [Azure recursive resolvers](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) uses this IP address to resolve requests. When configuring your NSG or Firewall, don't block the `168.63.129.16` address, otherwise, your Container Apps environment won't function.

+The name of the resource group created in the Azure subscription where your environment is hosted is prefixed with `MC_` by default, and the resource group name *can't* be customized during container app creation. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer.

+- One standard static [public IP](https://azure.microsoft.com/pricing/details/ip-addresses/) for egress. If you need more IPs for egress due to SNAT issues, [open a support ticket to request an override](https://azure.microsoft.com/support/create-ticket/).

+* All the Regions from the source account.

+Azure Cosmos DB for PostgreSQL allows you to configure [the managed PgBouncer parameters](./reference-parameters.md#managed-pgbouncer-parameters) as coordinator node parameters.

+* General availability: [Managed PgBouncer settings](./reference-parameters.md#managed-pgbouncer-parameters) are now configurable on all clusters.

+ * Learn more about [connection pooling](./concepts-connection-pool.md).

+> Clusters running older versions of [the Citus extension](./reference-versions.md#citus-and-other-extension-versions) may not

+Sets the policy to use when choosing nodes for SELECT queries. If it's set to 'always', then the planner queries only nodes that are

+cluster\_name is set, the planner queries worker nodes in that

+Sets the time to wait before checking for distributed deadlocks. In particular,

+the time to wait is this value multiplied by PostgreSQL\'s

+Changing this GUC doesn't take effect until PostgreSQL is restarted.

+shards are placed, and defaults to 1. This parameter can be set at run-time

+Azure Cosmos DB for PostgreSQL sends either the local or distributed tables to nodes as

+ΓÇ£conversion.ΓÇ¥ If a local table is converted, then it is sent to any

+converted, then it is collected in the coordinator to support the join.

+The Azure Cosmos DB for PostgreSQL planner sends only the necessary rows doing a conversion.

+* **auto:** (Default) Azure Cosmos DB for PostgreSQL converts either all local or all distributed

+ convert using a heuristic. It converts distributed tables if they're

+* **never:** Azure Cosmos DB for PostgreSQL doesn't allow joins between local and distributed tables.

+* **prefer-local:** Azure Cosmos DB for PostgreSQL prefers converting local tables to support local

+* **prefer-distributed:** Azure Cosmos DB for PostgreSQL prefers converting distributed tables to

+ are used on which nodes (that is, stronger memory residency

+Queries exceeding the limit are canceled and produce an error

+- **log:** Logs statement at LOG severity level. The log line

+ includes the SQL query that was run.

+fails with an error message. However setting

+By default, an INSERT INTO … SELECT statement that can’t be pushed down

+attempts to repartition rows from the SELECT statement and transfer them between

+up subsequent commands. Increasing this value reduces the latency of

+multi-shard queries, but also increases overhead on the workers.

+Simulates the deprecated and now nonexistent real-time executor. This parameter is used

+When this GUC is enabled, Azure Cosmos DB for PostgreSQL forces the adaptive executor to use as many

+query execution throughput. Internally, setting this to `true` ends up using one

+One place where this parameter is useful is in a transaction whose first query is

+distributed query. In most cases, the explain output is similar across

+tasks. Occasionally, some of the tasks are planned differently or have much

+parameter, after which the EXPLAIN output includes all tasks. Explaining

+## Managed PgBouncer parameters

+The following [managed PgBouncer](./concepts-connection-pool.md) parameters can be configured on single node or coordinator.

+| Parameter Name | Description | Default |

+|-|--|-|

+| pgbouncer.default_pool_size | Set this parameter value to the number of connections per user/database pair. | 295 |

+| pgbouncer.ignore_startup_parameters | Comma-separated list of parameters that PgBouncer can ignore. For example, you can let PgBouncer ignore `extra_float_digits` parameter. Some parameters are allowed, all others raise error. This ability is needed to tolerate overenthusiastic JDBC wanting to unconditionally set 'extra_float_digits=2' in startup packet. Use this option if the library you use report errors such as `pq: unsupported startup parameter: extra_float_digits`. | extra_float_digits, ssl_renegotiation_limit |

+| pgBouncer.max_client_conn | Set this parameter value to the highest number of client connections to PgBouncer that you want to support. | 2000 |

+| pgBouncer.min_pool_size | Add more server connections to pool if below this number. | 0 (Disabled) |

+| pgBouncer.pool_mode | Set this parameter value to TRANSACTION for transaction pooling (which is the recommended setting for most workloads). | TRANSACTION |

+| pgbouncer.query_wait_timeout | Maximum time (in seconds) queries are allowed to spend waiting for execution. If the query isn't assigned to a server during that time, the client is disconnected. | 20s |

+| pgbouncer.server_idle_timeout | If a server connection has been idle more than this many seconds, it is closed. If 0 then this timeout is disabled. | 60s |

+* [cursor_tuple_fraction](https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-CURSOR-TUPLE-FRACTION) - Sets the planner's estimate of the fraction of a cursor's rows that are retrieved

+* [log_autovacuum_min_duration](https://www.postgresql.org/docs/current/runtime-config-autovacuum.html#) - Sets the minimum execution time above which autovacuum actions are logged

+* [log_min_duration_statement](https://www.postgresql.org/docs/current/runtime-config-logging.html#GUC-LOG-MIN-DURATION-STATEMENT) - Sets the minimum execution time (in milliseconds) above which statements are logged. -1 disables logging statement durations

+- The storage account must not have a firewall configured.

+- The storage account configuration must have the **Permitted scope for copy operations (preview)** option set to **From any storage account**.

+You can configure alerts based on your actual cost or forecasted cost to ensure that your spending is within your organizational spending limit. Notifications are triggered when the budget thresholds you've created are exceeded. Resources are not affected, and your consumption isn't stopped. You can use budgets to compare and track spending as you analyze costs.

+┬▓ You continue to pay by invoice/wire transfer under the MCA but will need to send your payments to a different bank account. For information about where to send your payment, see [Pay your bill](../understand/pay-bill.md#wire-bank-details) after you select your country/region in the list.

+Learn more about [The Client ID and Secret](https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/) and [How and why applications are added to Azure AD](../active-directory/develop/how-applications-are-added.md).

+# Enable Microsoft Defender for SQL servers on machines

+ - [Azure Arc-enabled SQL Server](/sql/sql-server/azure-arc/overview)

+ - [SQL Server running on Windows machines without Azure Arc](../azure-monitor/agents/agent-windows.md)

+ - [Connect your AWS accounts to Microsoft Defender for Cloud](quickstart-onboard-aws.md)

+ - [Connect your GCP project to Microsoft Defender for Cloud](quickstart-onboard-gcp.md)

+### Step 2. Provision the Log Analytics agent on your SQL server's host

+ - **Deploy Azure Arc** - You can connect any Windows machine to Defender for Cloud. However, Azure Arc provides deeper integration across *all* of your Azure environment. If you set up Azure Arc, you'll see the **SQL Server ΓÇô Azure Arc** page in the portal and your security alerts will appear on a dedicated **Security** tab on that page. So the first and recommended option is to [set up Azure Arc on the host](../azure-arc/servers/onboard-portal.md#install-and-validate-the-agent-on-windows) and follow the instructions for **SQL Server on Azure Arc**, above.

+ - **Connect the Windows machine without Azure Arc** - If you choose to connect a SQL Server running on a Windows machine without using Azure Arc, follow the instructions in [Connect Windows machines to Azure Monitor](../azure-monitor/agents/agent-windows.md).

+### Step 3. Enable the optional plan in Defender for Cloud's environment settings page

+1. Set the option for **SQL servers on machines** plan to **On**.

+ >[!TIP]

+1. Optionally, configure email notification for security alerts.

+ - Enable SQL Server's auditing feature for further investigations. If you're a Microsoft Sentinel user, you can upload the SQL auditing logs from the Windows Security Log events to Sentinel and enjoy a rich investigation experience. [Learn more about SQL Server Auditing](/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification?preserve-view=true&view=sql-server-ver15).

+ - To improve your security posture, use Defender for Cloud's recommendations for the host machine indicated in each alert to reduce the risks of future attacks.

+### If I enable this Microsoft Defender plan on my subscription, are all SQL servers on the subscription protected?

+The focus of **Microsoft Defender for SQL on machines** is obviously security. But we also care about your business and so we've prioritized performance to ensure the minimal effect on your SQL servers.

+The service has a split architecture to balance data uploading and speed with performance:

+#### Private Endpoint is supported out-of-the-box

+[Private endpoints](../private-link/private-endpoint-overview.md) provide secure connectivity to your Azure storage services, eliminating public internet exposure, and are considered a best practice.

+> [API Security with Defender for APIs](episode-thirty-two.md)

+ Title: API Security with Defender for APIs | Defender for Cloud in the field

+description: Learn about API security with Defender for APIs

+# API Security with Defender for APIs

+**Episode description**: In this episode of Defender for Cloud in the Field, Preetham Naik joins Yuri Diogenes to talk about API security with Defender for APIs. Preetham explains the importance of API security and why the threats in this area are growing. Preetham introduces the new Defender for APIs plan released in public preview and gives an overview of all its capabilities. Preetham also demonstrates the step-by-step process to onboard this plan and demonstrates how to address API security recommendations.

+<br>

+<br>

+<iframe src="https://aka.ms/docs/player?id=657f8b1b-8072-4075-a244-07c93ecf6556" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+- [02:15](/shows/mdc-in-the-field/api-security#time=02m15s) - Why is API Security important?

+- [05:15](/shows/mdc-in-the-field/api-security#time=05m15s) - The state of the API Security Market

+- [07:06](/shows/mdc-in-the-field/api-security#time=07m06s) - What are the risks associated with API?

+- [11:25](/shows/mdc-in-the-field/api-security#time=11m25s) - What you should expect from Defender for APIs

+- [15:53](/shows/mdc-in-the-field/api-security#time=15m53s) - Demonstration

+-

+## Recommended resources

+ - Learn more about [Defender for APIs](defender-for-apis-introduction.md)

+ - Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)

+ - Learn more about [Microsoft Security](https://msft.it/6002T9HQY)

+- Follow us on social media:

+ - [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ - [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+| Registries and images | **Supported**<br> ΓÇó ACR registries <br> ΓÇó [ACR registries protected with Azure Private Link](../container-registry/container-registry-private-link.md) (Private registries requires access to Trusted Services) <br> ΓÇó Container images in Docker V2 format <br> **Unsupported**<br> ΓÇó Super-minimalist images such as [Docker scratch](https://hub.docker.com/_/scratch/) images<br> ΓÇó "Distroless" images that only contain an application and its runtime dependencies without a package manager, shell, or OS<br> is currently unsupported <br> ΓÇó Images in [Open Container Initiative (OCI)](https://github.com/opencontainers/image-spec/blob/main/spec.md) <br> ΓÇó Windows images<br>|

+| [Changes to the Defender for DevOps recommendations environment source and resource ID](#changes-to-the-defender-for-devops-recommendations-environment-source-and-resource-id) | July 2023 |

+| [Changes to the Defender for DevOps recommendations environment source and resource ID](#changes-to-the-defender-for-devops-recommendations-environment-source-and-resource-id) | July 2023 |

+| [DevOps Resource Deduplication for Defender for DevOps](#devops-resource-deduplication-for-defender-for-devops) | July 2023 |

+| [General availability release of agentless container posture in Defender CSPM](#general-availability-ga-release-of-agentless-container-posture-in-defender-cspm) | July 2023 |

+| [Business model and pricing updates for Defender for Cloud plans](#business-model-and-pricing-updates-for-defender-for-cloud-plans) | July 2023 |

+### Business model and pricing updates for Defender for Cloud plans

+**Estimated date for change: July 2023**

+Microsoft Defender for Cloud has three plans that offer service layer protection:

+- Defender for Key Vault

+- Defender for Azure Resource Manager

+- Defender for DNS

+These plans are transitioning to a new business model with different pricing and packaging to address customer feedback regarding spending predictability and simplifying the overall cost structure.

+**Business model and pricing changes summary**:

+

+Existing customers of Defender for Key-Vault, Defender for Azure Resource Manager, and Defender for DNS will keep their current business model and pricing unless they actively choose to switch to the new business model and price.

+

+- **Defender for Azure Resource Manager**: This plan will have a fixed price per subscription per month. Customers will have the option to switch to the new business model by selecting the Defender for Azure Resource Manager new per-subscription model.

+- **Defender for Key Vault**: This plan will have a fixed price per vault at per month with no overage charge. Customers will have the option to switch to the new business model by selecting the Defender for Key Vault new per-vault model

+- **Defender for DNS**: Defender for Servers Plan 2 customers will gain access to Defender for DNS value as part of Defender for Servers Plan 2 at no extra cost. Customers that have both Defender for Server Plan 2 and Defender for DNS will no longer be charged for Defender for DNS. Defender for DNS will no longer be available as a standalone plan.

+For more information on all of these plans, check out the [Defender for Cloud pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h)

+| **Secure your vulnerable devices** | Devices with this recommendation are found with one or more vulnerabilities with a critical severity. <br><br> We recommend that you follow the steps listed by the device vendor or CISA (Cybersecurity & Infrastructure Agency). <br><br> To see required remediation steps: <br><br> 1. Choose a device from the list of unhealthy devices to see its full list of vulnerabilities. <br> 2. From the **Vulnerabilities** tab, choose the link in the **Name** column for the critical CVE you are mitigating. Full details are opened in the NVD (National Vulnerability Database). <br> 3. Scroll to the NVD **References to Advisories, Solutions, and Tools** section and choose any of the listed links for more information. An advisory page opens, either from the vendor or from CISA. <br> 4. Find and perform the remediation steps listed for your scenario. Note that some vulnerabilities cannot be remediated with a patch. |

+| **Set a secure password for devices with missing authentication** | Devices with this recommendation are found without authentication based on successful sign-ins. <br><br> We recommend that you enable authentication, and that you set a stronger password with minimum length and complexity. |

+| **Set a stronger password with minimum length and complexity** | Devices with this recommendation are found with weak passwords based on successful sign-ins. <br><br> We recommend that you change the device password to a password that has 8 or more characters and that contains characters from 3 of the following categories: <br><br> - Uppercase letters <br> - Lowercase letters <br> - Special characters <br> - Numbers (0-9) |

+- [Security recommendations for OT networks for insecure or missing passwords](recommendations.md#supported-security-recommendations)

+| **OT networks** | [OT plans billed by site-based licenses](#ot-plans-billed-by-site-based-licenses) <br> [Security recommendations for OT networks for insecure passwords and critical CVEs](#security-recommendations-for-ot-networks-for-insecure-passwords-and-critical-cves) |

+### Security recommendations for OT networks for insecure passwords and critical CVEs

+Defender for IoT now provides security recommendations for insecure passwords and for critical CVEs to help customers manage their OT/IoT network security posture.

+You can see the following new security recommendations from the Azure portal for detected devices across your networks:

+- **Secure your vulnerable devices**: Devices with this recommendation are found with one or more vulnerabilities with a critical severity. We recommend that you follow the steps listed by the device vendor or CISA (Cybersecurity & Infrastructure Agency).

+- **Set a secure password for devices with missing authentication**: Devices with this recommendation are found without authentication based on successful sign-ins. We recommend that you enable authentication, and that you set a stronger password with minimum length and complexity.

+- **Set a stronger password with minimum length and complexity**: Devices with this recommendation are found with weak passwords based on successful sign-ins. We recommend that you change the device password to a stronger password with minimum length and complexity.

+For more information, see [Supported security recommendations](recommendations.md#supported-security-recommendations).

+The [Jobs API](/rest/api/digital-twins/dataplane/jobs) is a data plane API that allows you to import a set of models, twins, and/or relationships in a single API call. Jobs API operations are also included with the [CLI commands](/cli/azure/dt/job) and [data plane SDKs](#data-plane-apis). Using the Jobs API requires use of [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md).

+Now you can proceed with calling the [Jobs API](/rest/api/digital-twins/dataplane/jobs). For detailed instructions on importing a full graph in one API call, see [Upload models, twins, and relationships in bulk with the Jobs API](how-to-manage-graph.md#upload-models-twins-and-relationships-in-bulk-with-the-jobs-api). You can also use the Jobs API to import each resource type independently. For more information on using the Jobs API with individual resource types, see Jobs API instructions for [models](how-to-manage-model.md#upload-large-model-sets-with-the-jobs-api), [twins](how-to-manage-twin.md#create-twins-in-bulk-with-the-jobs-api), and [relationships](how-to-manage-graph.md#create-relationships-in-bulk-with-the-jobs-api).

+It's also possible to cancel a running import job with the [Cancel operation](/rest/api/digital-twins/dataplane/jobs/import-jobs-cancel?tabs=HTTP) from the Jobs API. Once the job has been canceled and is no longer running, you can delete it.

+* Import Jobs are not atomic operations. There is no rollback in the case of failure, partial job completion, or usage of the [Cancel operation](/rest/api/digital-twins/dataplane/jobs/import-jobs-cancel?tabs=HTTP).

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+Then, the file can be used in an [Jobs API](/rest/api/digital-twins/dataplane/jobs) call. You'll provide the blob storage URL of the input file, as well as a new blob storage URL to indicate where you'd like the output log to be stored when it's created by the service.

+Metrics having to do with bulk operations from the [Jobs API](/rest/api/digital-twins/dataplane/jobs):

+ | `download.microsoft.com` | 443 | Required by the self-hosted integration runtime for downloading the updates. If you have disabled autoupdate, you can skip configuring this domain. |