Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Enable Authentication Spa App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/enable-authentication-spa-app.md | To specify your Azure AD B2C user flows, do the following: 1. Replace `B2C_1_SUSI` with your sign-in Azure AD B2C Policy name. 1. Replace `B2C_1_EditProfile` with your edit profile Azure AD B2C policy name.-1. Replace all instances of `contoso` with your [Azure AD B2C tenant name](./ tenant-management-read-tenant-name.md#get-your-tenant-name). +1. Replace all instances of `contoso` with your [Azure AD B2C tenant name](./tenant-management-read-tenant-name.md#get-your-tenant-name). ## Step 7: Use the MSAL to sign in the user |
active-directory | Application Provisioning Config Problem No Users Provisioned | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned.md | For the next 3 months, the behavior will continue as it is today. Users with the For questions about these changes, please reach out to provisioningfeedback@microsoft.com ## Next steps -[Azure AD Connect sync: Understanding Declarative Provisioning](../hybrid/concept-azure-ad-connect-sync-declarative-provisioning.md) +[Azure AD Connect sync: Understanding Declarative Provisioning](../hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning.md) |
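Review bot: the context sentence "For the next 3 months, the behavior will continue as it is today." has no reference date, so a reader landing on the page later cannot tell when the window closes; since this commit is already touching the article, replace the relative wording with the absolute date the change takes effect (or the date the notice was written). The link retarget to `../hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning.md` itself looks right for the hybrid folder restructure.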
active-directory | Application Provisioning Log Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-log-analytics.md | AADProvisioningLogs Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong. -To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md). +To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-create-new-alert-rule.md). Alert when there's a spike in failures. Replace the jobID with the jobID for your application. We're taking an open source and community-based approach to application provisio - [Log analytics](../reports-monitoring/howto-analyze-activity-logs-log-analytics.md) - [Get started with queries in Azure Monitor logs](../../azure-monitor/logs/get-started-queries.md) - [Create and manage alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md)-- [Install and use the log analytics views for Azure Active Directory](../reports-monitoring/howto-install-use-log-analytics-views.md)+- [Install and use the log analytics views for Azure Active Directory](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) - [Provisioning logs API](/graph/api/resources/provisioningobjectsummary?preserve-view=true&view=graph-rest-beta) |
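Review bot: the retargeted Next steps link keeps the text "Install and use the log analytics views for Azure Active Directory" but now points at `../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md`, which is the view-designer-to-workbooks conversion overview, not an install guide for Azure AD views; update the link text to match the new target (or point it at the Azure AD workbooks article) so readers are not sent to a migration page when they expect setup steps. The `alerts-log.md` to `alerts-create-new-alert-rule.md` change is fine.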
active-directory | Customize Application Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md | Selecting this option forces a resynchronization of all users while the provisio - The attribute `IsSoftDeleted` is often part of the default mappings for an application. `IsSoftdeleted` can be true in one of four scenarios: 1) The user is out of scope due to being unassigned from the application. 2) The user is out of scope due to not meeting a scoping filter. 3) The user has been soft deleted in Azure AD. 4) The property `AccountEnabled` is set to false on the user. It's not recommended to remove the `IsSoftDeleted` attribute from your attribute mappings. - The Azure AD provisioning service doesn't support provisioning null values. - They primary key, typically "ID", shouldn't be included as a target attribute in your attribute mappings. -- The role attribute typically needs to be mapped using an expression, rather than a direct mapping. For more information about role mapping, see [Provisioning a role to a SCIM app](#Provisioning a role to a SCIM app). +- The role attribute typically needs to be mapped using an expression, rather than a direct mapping. For more information about role mapping, see [Provisioning a role to a SCIM app](#provisioning-a-role-to-a-scim-app). - While you can disable groups from your mappings, disabling users isn't supported. ## Next steps |
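Review bot: the anchor fix to `#provisioning-a-role-to-a-scim-app` is correct, but the surrounding context still carries two defects worth fixing in the same commit: "They primary key, typically "ID", shouldn't be included" should read "The primary key", and the attribute name is spelled both `IsSoftDeleted` and `IsSoftdeleted` in adjacent sentences; pick the SCIM-mapping casing the product uses and apply it consistently, since admins copy these names into mappings.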
active-directory | Define Conditional Rules For Provisioning User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md | Scoping filters are configured as part of the attribute mappings for each Azure ## Common scoping filters | Target Attribute| Operator | Value | Description| |-|-|-|-|-|userPrincipalName|REGEX MATCH|`.\*@domain.com`|All users with `userPrincipal` that have the domain `@domain.com` are in scope for provisioning. | -|userPrincipalName|NOT REGEX MATCH|`.\*@domain.com`|All users with `userPrincipal` that has the domain `@domain.com` are out of scope for provisioning. | +|userPrincipalName|REGEX MATCH|`.*\@domain.com`|All users with `userPrincipal` that have the domain `@domain.com` are in scope for provisioning. | +|userPrincipalName|NOT REGEX MATCH|`.*\@domain.com`|All users with `userPrincipal` that has the domain `@domain.com` are out of scope for provisioning. | |department|EQUALS|`sales`|All users from the sales department are in scope for provisioning| |workerID|REGEX MATCH|`(1[0-9][0-9][0-9][0-9][0-9][0-9])`| All employees with `workerID` between 1000000 and 2000000 are in scope for provisioning.| |
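Review bot: the new pattern `.*\@domain.com` still uses an unescaped `.` before `com` and is not anchored, so as a REGEX MATCH it also matches values such as `user@domainXcom` or `user@domain.com.example`; for a scoping filter that decides who gets provisioned, the example should be exact, e.g. `^.*@domain\.com$`, and the same anchoring applies to the NOT REGEX MATCH row. Escaping `@` as `\@` is harmless but unnecessary, since `@` is not a regex metacharacter.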
active-directory | How Provisioning Works | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/how-provisioning-works.md | Confirm the mapping for *active* for your application. If you're using an applic **Configure your application to delete a user** The scenario triggers a disable or a delete: -* A user is soft-deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false). Thirty days after a user is deleted in Azure AD, they're permanently deleted from the tenant. At this point, the provisioning service sends a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can [manually delete a user permanently](../fundamentals/active-directory-users-restore.md), which sends a delete request to the application. +* A user is soft-deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false). Thirty days after a user is deleted in Azure AD, they're permanently deleted from the tenant. At this point, the provisioning service sends a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can [manually delete a user permanently](../fundamentals/users-restore.md), which sends a delete request to the application. * A user is permanently deleted / removed from the recycle bin in Azure AD. * A user is unassigned from an app. * A user goes from in scope to out of scope (doesn't pass a scoping filter anymore). |
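Review bot: the context line "The scenario triggers a disable or a delete:" introduces a list of several scenarios and should read "The following scenarios trigger a disable or a delete:"; the `users-restore.md` link retarget is fine.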
active-directory | On Premises Application Provisioning Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md | -![Diagram that shows the architecture for on-premises application provisioning.](.\media\on-premises-application-provisioning-architecture\arch-3.png) +![Diagram that shows the architecture for on-premises application provisioning.](./media/on-premises-application-provisioning-architecture/arch-3.png) There are three primary components to provisioning users into an on-premises application: There are three primary components to provisioning users into an on-premises app You don't need to open inbound connections to the corporate network. The provisioning agents only use outbound connections to the provisioning service, which means there's no need to open firewall ports for incoming connections. You also don't need a perimeter (DMZ) network because all connections are outbound and take place over a secure channel. -The required outbound endpoints for the provisioning agents are detailed [here](../cloud-sync/how-to-prerequisites.md#firewall-and-proxy-requirements). +The required outbound endpoints for the provisioning agents are detailed [here](../hybrid/cloud-sync/how-to-prerequisites.md#firewall-and-proxy-requirements). ## ECMA Connector Host architecture The ECMA Connector Host has several areas it uses to achieve on-premises provisioning. The diagram below is a conceptual drawing that presents these individual areas. The table below describes the areas in more detail. 
-[![ECMA connector host](.\media\on-premises-application-provisioning-architecture\ecma-2.png)](.\media\on-premises-application-provisioning-architecture\ecma-2.png#lightbox) +[![ECMA connector host](./media/on-premises-application-provisioning-architecture/ecma-2.png)](./media/on-premises-application-provisioning-architecture/ecma-2.png#lightbox) However, for a data source such as SQL, which is flat, not hierarchical, the DN This can be achieved by checking **Autogenerated** in the checkbox when configuring the genericSQL connector. When you choose DN to be autogenerated, the ECMA host will generate a DN in an LDAP format: CN=<anchorvalue>,OBJECT=<type>. This also assumes that the DN is Anchor **unchecked** in the Connectivity page. - [![DN is Anchor unchecked](.\media\on-premises-application-provisioning-architecture\user-2.png)](.\media\on-premises-application-provisioning-architecture\user-2.png#lightbox) + [![DN is Anchor unchecked](./media/on-premises-application-provisioning-architecture/user-2.png)](./media/on-premises-application-provisioning-architecture/user-2.png#lightbox) The genericSQL connector expects the DN to be populated using an LDAP format. The Generic SQL connector is using the LDAP style with the component name "OBJECT=". This allows it to use partitions (each object type is a partition). Since ECMA Connector Host currently only supports the USER object type, the OBJE 1. The Azure AD provisioning service queries the ECMA Connector Host to see if the user exists. It uses the **matching attribute** as the filter. This attribute is defined in the Azure portal under Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching. It is denoted by the 1 for matching precedence. You can define one or more matching attribute(s) and prioritize them based on the precedence. 
Should you want to change the matching attribute you can also do so.- [![Matching attribute](.\media\on-premises-application-provisioning-architecture\match-1.png)](.\media\on-premises-application-provisioning-architecture\match-1.png#lightbox) + [![Matching attribute](./media/on-premises-application-provisioning-architecture/match-1.png)](./media/on-premises-application-provisioning-architecture/match-1.png#lightbox) 2. ECMA Connector Host receives the GET request and queries its internal cache to see if the user exists and has based imported. This is done using the matching attribute(s) above. If you define multiple matching attributes, the Azure AD provisioning service will send a GET request for each attribute and the ECMA host will check its cache for a match until it finds one. This article lists the versions and features of Azure Active Directory Connect P Microsoft provides direct support for the latest agent version and one version before. ### Download link-On-premises app provisioning has been rolled into the provisioning agent and is available from the portal. See [installing the provisioning agent](../cloud-sync/how-to-install.md). +On-premises app provisioning has been rolled into the provisioning agent and is available from the portal. See [installing the provisioning agent](../hybrid/cloud-sync/how-to-install.md). ### 1.1.892.0 |
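Review bot: the context text `CN=<anchorvalue>,OBJECT=<type>` is not in a code span, so Markdown treats `<anchorvalue>` and `<type>` as inline HTML and most renderers drop them, leaving the DN format unreadable; wrap it as `` `CN=<anchorvalue>,OBJECT=<type>` ``. Also in the same region, "queries its internal cache to see if the user exists and has based imported" should be "has been imported". The backslash-to-forward-slash image path fixes and the `../hybrid/cloud-sync/` retargets are correct.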
active-directory | On Premises Ecma Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md | By default, the agent emits minimal error messages and stack trace information. To gather more information for troubleshooting agent-related problems: - 1. Install the AADCloudSyncTools PowerShell module as described in [AADCloudSyncTools PowerShell Module for Azure AD Connect cloud sync](../../active-directory/cloud-sync/reference-powershell.md#install-the-aadcloudsynctools-powershell-module). + 1. Install the AADCloudSyncTools PowerShell module as described in [AADCloudSyncTools PowerShell Module for Azure AD Connect cloud sync](../hybrid/cloud-sync/reference-powershell.md#install-the-aadcloudsynctools-powershell-module). 2. Use the `Export-AADCloudSyncToolsLogs` PowerShell cmdlet to capture the information. Use the following switches to fine-tune your data collection. Use: - **SkipVerboseTrace** to only export current logs without capturing verbose logs (default = false). |
active-directory | Plan Auto User Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md | Consider your organizational needs to determine the strategy for deploying user ### Engage the right stakeholders -When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure you're engaging the right stakeholders](../fundamentals/deployment-plans.md) and that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities. +When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure you're engaging the right stakeholders](../architecture/deployment-plans.md) and that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities. ### Plan communications Communication is critical to the success of any new service. Proactively communi ### Plan a pilot -We recommend that the initial configuration of automatic user provisioning is in a test environment with a small subset of users before scaling it to all users in production. See [best practices](../fundamentals/deployment-plans.md#best-practices-for-a-pilot) for running a pilot. +We recommend that the initial configuration of automatic user provisioning is in a test environment with a small subset of users before scaling it to all users in production. See [best practices](../architecture/deployment-plans.md#best-practices-for-a-pilot) for running a pilot. #### Best practices for a pilot   |
active-directory | Plan Cloud Hr Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md | You also need a valid Azure AD Premium P1 or higher subscription license for eve - A test and production instance of the cloud HR app. - Administrator permissions in the cloud HR app to create a system integration user and make changes to test employee data for testing purposes. - For user provisioning to Active Directory, a server running Windows Server 2016 or greater is required to host the Azure AD Connect provisioning agent. This server should be a tier 0 server based on the Active Directory administrative tier model.-- [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) for synchronizing users between Active Directory and Azure AD.+- [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) for synchronizing users between Active Directory and Azure AD. ### Training resources The following key steps are indicated in the diagram:   2. **Azure AD provisioning service** runs the scheduled cycles from the cloud HR app tenant and identifies changes to process for sync with Active Directory. 3. **Azure AD provisioning service** invokes the Azure AD Connect provisioning agent with a request payload that contains Active Directory account create, update, enable, and disable operations. 4. **Azure AD Connect provisioning agent** uses a service account to manage Active Directory account data.-5. **Azure AD Connect** runs delta [sync](../hybrid/how-to-connect-sync-whatis.md) to pull updates in Active Directory. +5. **Azure AD Connect** runs delta [sync](../hybrid/connect/how-to-connect-sync-whatis.md) to pull updates in Active Directory. 6. **Active Directory** updates are synced with Azure AD. 7. **Azure AD provisioning service** write backs email attribute and username from Azure AD to the cloud HR app tenant. 
Consider your organizational needs while you determine the strategy for this dep ### Engage the right stakeholders -When technology projects fail, they typically do so owing to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/deployment-plans.md). Also make sure that stakeholder roles in the project are well understood. Document the stakeholders and their project input and accountabilities. +When technology projects fail, they typically do so owing to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../architecture/deployment-plans.md). Also make sure that stakeholder roles in the project are well understood. Document the stakeholders and their project input and accountabilities. Include a representative from the HR organization who can provide inputs on existing HR business processes and worker identity plus job data-processing requirements. Communication is critical to the success of any new service. Proactively communi Integrating HR business processes and identity workflows from the cloud HR app to target systems requires a considerable amount of data validation, data transformation, data cleansing, and end-to-end testing before you can deploy the solution into production. -Run the initial configuration in a [pilot environment](../fundamentals/deployment-plans.md#best-practices-for-a-pilot) before you scale it to all users in production. +Run the initial configuration in a [pilot environment](../architecture/deployment-plans.md#best-practices-for-a-pilot) before you scale it to all users in production. 
## Select cloud HR provisioning connector apps The cloud HR app to Active Directory user provisioning solution requires the dep To prepare the on-premises environment, the Azure AD Connect provisioning agent configuration wizard registers the agent with your Azure AD tenant, [opens ports](../app-proxy/application-proxy-add-on-premises-application.md#open-ports), [allows access to URLs](../app-proxy/application-proxy-add-on-premises-application.md#allow-access-to-urls), and supports [outbound HTTPS proxy configuration](../saas-apps/workday-inbound-tutorial.md#how-do-i-configure-the-provisioning-agent-to-use-a-proxy-server-for-outbound-http-communication). -The provisioning agent configures a [Global Managed Service Account (GMSA)](../cloud-sync/how-to-prerequisites.md#group-managed-service-accounts) +The provisioning agent configures a [Global Managed Service Account (GMSA)](../hybrid/cloud-sync/how-to-prerequisites.md#group-managed-service-accounts) to communicate with the Active Directory domains. You can select domain controllers that should handle provisioning requests. If you have several geographically distributed domain controllers, install the provisioning agent in the same site as your preferred domain controllers. This positioning improves the reliability and performance of the end-to-end solution. Deployment topology one is the most common deployment topology. Use this topolog **Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover. -* Use the [provisioning agent configuration wizard](../cloud-sync/how-to-install.md#install-the-agent) to register your AD domain with your Azure AD tenant. +* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register your AD domain with your Azure AD tenant. * When configuring the provisioning app, select the AD domain from the dropdown of registered domains. 
* If you're using scoping filters, configure [skip out of scope deletions flag](skip-out-of-scope-deletions.md) to prevent accidental account deactivations. For example: In the diagram, the provisioning apps are set up for each geographi **Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover. -* Use the [provisioning agent configuration wizard](../cloud-sync/how-to-install.md#install-the-agent) to register all child AD domains with your Azure AD tenant. +* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register all child AD domains with your Azure AD tenant. * Create a separate HR2AD provisioning app for each target domain. * When configuring the provisioning app, select the respective child AD domain from the dropdown of available AD domains. * Use [scoping filters](define-conditional-rules-for-provisioning-user-accounts.md) in the provisioning app to define users that each app processes. For example: In the diagram, the provisioning apps are set up for each geographi **Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover. -* Configure [referral chasing](../cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. -* Use the [provisioning agent configuration wizard](../cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant. +* Configure [referral chasing](../hybrid/cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. +* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant. * Create a separate HR2AD provisioning app for each target domain. 
* When configuring each provisioning app, select the parent AD domain from the dropdown of available AD domains. Selecting the parent domain ensures forest-wide lookup while generating unique values for attributes like *userPrincipalName*, *samAccountName* and *mail*. * Use *parentDistinguishedName* with expression mapping to dynamically create user in the correct child domain and [OU container](#configure-active-directory-ou-container-assignment). For example: In the diagram, a single provisioning app manages users present in **Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover. -* Configure [referral chasing](../cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. -* Use the [provisioning agent configuration wizard](../cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant. +* Configure [referral chasing](../hybrid/cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. +* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant. * Create a single HR2AD provisioning app for the entire forest. * When configuring the provisioning app, select the parent AD domain from the dropdown of available AD domains. Selecting the parent domain ensures forest-wide lookup while generating unique values for attributes like *userPrincipalName*, *samAccountName* and *mail*. * Use *parentDistinguishedName* with expression mapping to dynamically create user in the correct child domain and [OU container](#configure-active-directory-ou-container-assignment). 
Use this topology if your IT infrastructure has disconnected/disjoint AD forests **Salient configuration aspects** * Setup two different sets of provisioning agents for high availability and failover, one for each forest. * Create two different provisioning apps, one for each forest. -* If you need to resolve cross domain references within the forest, enable [referral chasing](../cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. +* If you need to resolve cross domain references within the forest, enable [referral chasing](../hybrid/cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. * Create a separate HR2AD provisioning app for each disconnected forest. * When configuring each provisioning app, select the appropriate parent AD domain from the dropdown of available AD domain names. * Configure [skip out of scope deletions flag](skip-out-of-scope-deletions.md) to prevent accidental account deactivations. In large organizations, it isn't uncommon to have multiple HR systems. During bu **Salient configuration aspects** * Setup two different sets of provisioning agents for high availability and failover, one for each forest. -* If you need to resolve cross domain references within the forest, enable [referral chasing](../cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. +* If you need to resolve cross domain references within the forest, enable [referral chasing](../hybrid/cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent. * Create a separate HR2AD provisioning app for each HR system and on-premises Active Directory combination. * When configuring each provisioning app, select the appropriate parent AD domain from the dropdown of available AD domain names. 
* Configure [skip out of scope deletions flag](skip-out-of-scope-deletions.md) to prevent accidental account deactivations. To review these events and all other activities performed by the provisioning se All activities performed by the provisioning service are recorded in the Azure AD audit logs. You can route Azure AD audit logs to Azure Monitor logs for further analysis. With Azure Monitor logs (also known as Log Analytics workspace), you can query data to find events, analyze trends, and perform correlation across various data sources. Watch this [video](https://youtu.be/MP5IaCTwkQg) to learn the benefits of using Azure Monitor logs for Azure AD logs in practical user scenarios. -Install the [log analytics views for Azure AD activity logs](../reports-monitoring/howto-install-use-log-analytics-views.md) to get access to [prebuilt reports](https://github.com/AzureAD/Deployment-Plans/tree/master/Log%20Analytics%20Views) around provisioning events in your environment. +Install the [log analytics views for Azure AD activity logs](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) to get access to [prebuilt reports](https://github.com/AzureAD/Deployment-Plans/tree/master/Log%20Analytics%20Views) around provisioning events in your environment. For more information, see how to [analyze the Azure AD activity logs with your Azure Monitor logs](../reports-monitoring/howto-analyze-activity-logs-log-analytics.md). |
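Review bot: the link text "Global Managed Service Account (GMSA)" is wrong while its own anchor `#group-managed-service-accounts` is right; GMSA is a Group Managed Service Account, so fix the expansion at the same time as the path. Two smaller points in the same region: "write backs email attribute and username" should read "writes back the email attribute and username", and the "Install the [log analytics views for Azure AD activity logs]" link now targets the workbooks view-designer conversion overview, so its text should be updated to match the target.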
active-directory | Provisioning Workbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provisioning-workbook.md | This workbook: ## Enabling provisioning logs -You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](../cloud-sync/how-to-troubleshoot.md). +You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](../hybrid/cloud-sync/how-to-troubleshoot.md). ## Source and Target At the top of the workbook, using the drop-down, specify the source and target identities. You can create custom queries and show the data on Azure dashboards. To learn ho Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong. -To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md). 
+To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-create-new-alert-rule.md). ## Next steps -- [What is provisioning?](../cloud-sync/what-is-provisioning.md)-- [Error codes](../cloud-sync/reference-error-codes.md)+- [What is provisioning?](../hybrid/what-is-provisioning.md) +- [Error codes](../hybrid/cloud-sync/reference-error-codes.md) |
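Review bot: in the Next steps hunk the two retargets are not parallel: "Error codes" moves to `../hybrid/cloud-sync/reference-error-codes.md` while "What is provisioning?" moves to `../hybrid/what-is-provisioning.md`, one level up from the cloud-sync folder every other link in this commit uses; confirm that `what-is-provisioning.md` really lives directly under `hybrid/` and was not meant to be `../hybrid/cloud-sync/what-is-provisioning.md`.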
active-directory | User Provisioning Sync Attributes For Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md | Adding missing attributes needed for an application will start in either on-prem First, identify which users in your Azure AD tenant will need access to the application and therefore are going to be in scope of being provisioned into the application. >[!NOTE]-> For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md). Both of these solutions automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as SAMAccountName) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect) or [use Azure AD Connect cloud sync](#create-an-extension-attribute-using-cloud-sync). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service. +> For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md). Both of these solutions automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as SAMAccountName) that are synchronized by default might not be exposed using the Graph API. 
In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect) or [use Azure AD Connect cloud sync](#create-an-extension-attribute-using-cloud-sync). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service. 1. Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they are not, extend the AD DS schema in the domains where those users have accounts.- 1. Configure [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or Azure AD Connect cloud sync to synchronize the users with their extension attribute from Active Directory to Azure AD. Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as `sAMAccountName`) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service. + 1. Configure [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) or Azure AD Connect cloud sync to synchronize the users with their extension attribute from Active Directory to Azure AD. Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as `sAMAccountName`) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service. 1. 
If the users in on-premises Active Directory do not already have the required attributes, you will need to update the users in Active Directory. This can be done either by reading the properties from [Workday](../saas-apps/workday-inbound-tutorial.md), from [SAP SuccessFactors](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md), or if you are using a different HR system, using Microsoft Identity Manager (MIM). 1. Wait for Azure AD Connect to synchronize those updates you made in the Active Directory schema and the Active Directory users into Azure AD. Cloud sync will automatically discover your extensions in on-premises Active Dir 8. Fill in the type of mapping you want and click **Apply**. [![Custom attribute mapping](media/user-provisioning-sync-attributes-for-mapping/schema-1.png)](media/user-provisioning-sync-attributes-for-mapping/schema-1.png#lightbox) -For more information, see [Cloud Sync Custom Attribute Mapping](../cloud-sync/custom-attribute-mapping.md) +For more information, see [Cloud Sync Custom Attribute Mapping](../hybrid/cloud-sync/custom-attribute-mapping.md) |
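Review bot: the rewritten NOTE line keeps the agreement error "Both of these solutions automatically synchronizes certain attributes"; since the line is already being touched for the link paths, change it to "synchronize". The same note writes the attribute as plain SAMAccountName while the numbered step below formats it as `sAMAccountName`; use one form in both places.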
active-directory | Application Proxy Add On Premises Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-add-on-premises-application.md | To enable TLS 1.2: Start by enabling communication to Azure data centers to prepare your environment for Azure AD Application Proxy. If there's a firewall in the path, make sure it's open. An open firewall allows the connector to make HTTPS (TCP) requests to the Application Proxy. > [!IMPORTANT]-> If you are installing the connector for Azure Government cloud follow the [prerequisites](../hybrid/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). This requires enabling access to a different set of URLs and an additional parameter to run the installation. +> If you are installing the connector for Azure Government cloud follow the [prerequisites](../hybrid/connect/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/connect/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). This requires enabling access to a different set of URLs and an additional parameter to run the installation. ### Open ports You did these things: You're ready to configure the application for single sign-on. Use the following link to choose a single sign-on method and to find single sign-on tutorials. > [!div class="nextstepaction"]-> [Configure single sign-on](../manage-apps/sso-options.md#choosing-a-single-sign-on-method) +> [Configure single sign-on](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method) |
active-directory | Application Proxy Configure Native Client Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-native-client-application.md | After you edit the MSAL code with these parameters, your users can authenticate For more information about the native application flow, see [mobile](../develop/authentication-flows-app-scenarios.md#mobile-app-that-calls-a-web-api-on-behalf-of-an-interactive-user) and [desktop](../develop/authentication-flows-app-scenarios.md#desktop-app-that-calls-a-web-api-on-behalf-of-a-signed-in-user) apps in Azure Active Directory. -Learn about setting up [Single sign-on to applications in Azure Active Directory](../manage-apps/sso-options.md#choosing-a-single-sign-on-method). +Learn about setting up [Single sign-on to applications in Azure Active Directory](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method). |
active-directory | Application Proxy Configure Single Sign On On Premises Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md | The protocol diagrams below describe the single sign-on sequence for both a serv 4. Select **SAML** as the single sign-on method. -5. First set up SAML SSO to work while on the corporate network, see the basic SAML configuration section of [Configure SAML-based single sign-on](../manage-apps/configure-saml-single-sign-on.md) to configure SAML-based authentication for the application. +5. First set up SAML SSO to work while on the corporate network, see the basic SAML configuration section of [Configure SAML-based single sign-on](../develop/single-sign-on-saml-protocol.md) to configure SAML-based authentication for the application. 6. Add at least one user to the application and make sure the test account has access to the application. While connected to the corporate network, use the test account to see if you have single sign-on to the application. |
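Review bot: step 5 still tells the reader to "see the basic SAML configuration section of" the linked article, but the new target ../develop/single-sign-on-saml-protocol.md is the SAML protocol reference rather than the SSO configuration guide; confirm that page actually has such a section, or reword the sentence so it no longer promises one.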
active-directory | Application Proxy Configure Single Sign On Password Vaulting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md | -Application Proxy supports several [single sign-on modes](../manage-apps/sso-options.md#choosing-a-single-sign-on-method). Password-based sign-on is intended for applications that use a username/password combination for authentication. When you configure password-based sign-on for your application, your users have to sign in to the on-premises application once. After that, Azure Active Directory stores the sign-in information and automatically provides it to the application when your users access it remotely. +Application Proxy supports several [single sign-on modes](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method). Password-based sign-on is intended for applications that use a username/password combination for authentication. When you configure password-based sign-on for your application, your users have to sign in to the on-premises application once. After that, Azure Active Directory stores the sign-in information and automatically provides it to the application when your users access it remotely. You should already have published and tested your app with Application Proxy. If not, follow the steps in [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md) then come back here. |
active-directory | Application Proxy Configure Single Sign On With Headers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md | Before you get started with single sign-on for header-based applications, you sh 5. Select **Add new header**. Provide a **Name** for the header and select either **Attribute** or **Transformation** and select from the drop-down which header your application needs. - To learn more about the list of attribute available, see [Claims Customizations- Attributes](../develop/saml-claims-customization.md#attributes). - To learn more about the list of transformation available, see [Claims Customizations- Claim Transformations](../develop/saml-claims-customization.md#claim-transformations). - - You may also add a **Group Header**, to send all the groups a user is part of, or the groups assigned to the application as a header. To learn more about configuring groups as a value see: [Configure group claims for applications](../hybrid/how-to-connect-fed-group-claims.md#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration). + - You may also add a **Group Header**, to send all the groups a user is part of, or the groups assigned to the application as a header. To learn more about configuring groups as a value see: [Configure group claims for applications](../hybrid/connect/how-to-connect-fed-group-claims.md#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration). 6. Select Save. ## Test your app |
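Review bot: the unchanged context lines read "the list of attribute available" and "the list of transformation available"; since this bullet list is being edited anyway, pluralize to "attributes" and "transformations".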
active-directory | Application Proxy Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connectors.md | Import-module AppProxyPSModule Register-AppProxyConnector -EnvironmentName "AzureCloud" ``` -For government, use `-EnvironmentName "AzureUSGovernment"`. For more details, see [Install Agent for the Azure Government Cloud](../hybrid/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). +For government, use `-EnvironmentName "AzureUSGovernment"`. For more details, see [Install Agent for the Azure Government Cloud](../hybrid/connect/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). To learn more about how to verify the certificate and troubleshoot problems see [Verify Machine and backend components support for Application Proxy trust certificate](./application-proxy-connector-installation-problem.md#verify-machine-and-backend-components-support-for-application-proxy-trust-certificate). |
active-directory | Application Proxy Deployment Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-deployment-plan.md | The following capabilities can be used to support Azure AD Application Proxy: * User and location-based Conditional Access: Keep sensitive data protected by limiting user access based on geo-location or an IP address with [location-based Conditional Access policies](../conditional-access/location-condition.md). -* Device-based Conditional Access: Ensure only enrolled, approved, and compliant devices can access corporate data with [device-based Conditional Access](../conditional-access/require-managed-devices.md). +* Device-based Conditional Access: Ensure only enrolled, approved, and compliant devices can access corporate data with [device-based Conditional Access](../conditional-access/concept-conditional-access-grant.md). -* Application-based Conditional Access: Work doesn't have to stop when a user isn't on the corporate network. [Secure access to corporate cloud and on-premises apps](../conditional-access/app-based-conditional-access.md) and maintain control with Conditional Access. +* Application-based Conditional Access: Work doesn't have to stop when a user isn't on the corporate network. [Secure access to corporate cloud and on-premises apps](../conditional-access/howto-policy-approved-app-or-app-protection.md) and maintain control with Conditional Access. * Risk-based Conditional Access: Protect your data from malicious hackers with a [risk-based Conditional Access policy](https://www.microsoft.com/cloud-platform/conditional-access) that can be applied to all apps and all users, whether on-premises or in the cloud. |
active-directory | Application Proxy High Availability Load Balancing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-high-availability-load-balancing.md | Refer to your software vendor's documentation to understand the load-balancing r - [Enable single-sign on](application-proxy-configure-single-sign-on-with-kcd.md) - [Enable Conditional Access](./application-proxy-integrate-with-sharepoint-server.md) - [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)-- [Learn how Azure AD architecture supports high availability](../fundamentals/active-directory-architecture.md)+- [Learn how Azure AD architecture supports high availability](../architecture/architecture.md) |
active-directory | Application Proxy Integrate With Sharepoint Server Saml | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server-saml.md | To complete this configuration, you need the following resources: - An Azure AD tenant with a plan that includes Application Proxy. Learn more about [Azure AD plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). - A [custom, verified domain](../fundamentals/add-custom-domain.md) in the Azure AD tenant. The verified domain must match the SharePoint URL suffix. - An SSL certificate is required. See the details in [custom domain publishing](./application-proxy-configure-custom-domain.md).+ - On-premises Active Directory users must be synchronized with Azure AD Connect, and must be configure to [sign in to Azure](../hybrid/connect/plan-connect-user-signin.md). - For cloud-only and B2B guest users, you need to [grant access to a guest account to SharePoint on-premises in the Azure portal](../saas-apps/sharepoint-on-premises-tutorial.md#manage-guest-users-access). - An Application Proxy connector installed and running on a machine within the corporate domain. |
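Review bot: the added bullet has a typo, "must be configure to [sign in to Azure]"; it should read "must be configured to".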
active-directory | Application Proxy Integrate With Sharepoint Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server.md | To perform the configuration, you need the following resources: - A SharePoint 2013 farm or newer. - An Azure AD tenant with a plan that includes Application Proxy. Learn more about [Azure AD plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). - A [custom, verified domain](../fundamentals/add-custom-domain.md) in the Azure AD tenant.-- On-premises Active Directory synchronized with Azure AD Connect, through which users can [sign in to Azure](../hybrid/plan-connect-user-signin.md).+- On-premises Active Directory synchronized with Azure AD Connect, through which users can [sign in to Azure](../hybrid/connect/plan-connect-user-signin.md). - An Application Proxy connector installed and running on a machine within the corporate domain. Configuring SharePoint with Application Proxy requires two URLs: |
active-directory | Application Proxy Ping Access Publishing Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md | Your users wonΓÇÖt notice anything different when they sign in to use your corpo Since this scenario comes from a partnership between Azure Active Directory and PingAccess, you need licenses for both services. However, Azure Active Directory Premium subscriptions include a basic PingAccess license that covers up to 20 applications. If you need to publish more than 20 header-based applications, you can purchase an additional license from PingAccess. -For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md). +For more information, see [Azure Active Directory editions](../fundamentals/whatis.md). ## Publish your application in Azure Example to include email address into the access_token that PingAccess will cons [Claims Mapping Policy (preview)](../develop/reference-claims-mapping-policy-type.md#claims-mapping-policy-properties) for attributes which do not exist in AzureAD. Claims mapping allows you to migrate old on-prem apps to the cloud by adding additional custom claims that are backed by your ADFS or user objects -To make your application use a custom claim and include additional fields, be sure you've also [created a custom claims mapping policy and assigned it to the application](../develop/active-directory-claims-mapping.md). +To make your application use a custom claim and include additional fields, be sure you've also [created a custom claims mapping policy and assigned it to the application](../develop/saml-claims-customization.md). > [!NOTE] > To use a custom claim, you must also have a custom policy defined and assigned to the application. This policy should include all required custom attributes. >-> You can do policy definition and assignment through PowerShell or Microsoft Graph. 
If you're doing them in PowerShell, you may need to first use `New-AzureADPolicy` and then assign it to the application with `Add-AzureADServicePrincipalPolicy`. For more information, see [Claims mapping policy assignment](../develop/active-directory-claims-mapping.md). +> You can do policy definition and assignment through PowerShell or Microsoft Graph. If you're doing them in PowerShell, you may need to first use `New-AzureADPolicy` and then assign it to the application with `Add-AzureADServicePrincipalPolicy`. For more information, see [Claims mapping policy assignment](../develop/saml-claims-customization.md). Example: ```powershell |
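Review bot: the link text "Claims mapping policy assignment" now points at ../develop/saml-claims-customization.md, the same target the earlier paragraph uses for creating a claims mapping policy, while the surrounding sentence is about `New-AzureADPolicy` and `Add-AzureADServicePrincipalPolicy`; confirm that article covers policy assignment through PowerShell or Microsoft Graph, otherwise the reference is misleading. The context line "Your users wonΓÇÖt notice" also carries a mis-decoded apostrophe (UTF-8 read as a single-byte code page) that is worth fixing in the same commit.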
active-directory | Application Proxy Register Connector Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-register-connector-powershell.md | For the [Application Proxy connector](application-proxy-connectors.md) to work, There are two steps for an unattended installation. First, install the connector. Second, register the connector with Azure AD. > [!IMPORTANT]-> If you are installing the connector for Azure Government cloud review the [pre-requisites](../hybrid/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). This requires enabling access to a different set of URLs and an additional parameter to run the installation. +> If you are installing the connector for Azure Government cloud review the [pre-requisites](../hybrid/connect/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/connect/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). This requires enabling access to a different set of URLs and an additional parameter to run the installation. ## Install the connector Use the following steps to install the connector without registering it: |
active-directory | Application Proxy Release Version History | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-release-version-history.md | July 22, 2020: Released for download This version is only available for install via the download page. ### New features and improvements-- Improved support for Azure Government cloud environments. For steps on how to properly install the connector for Azure Government cloud review the [pre-requisites](../hybrid/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud).+- Improved support for Azure Government cloud environments. For steps on how to properly install the connector for Azure Government cloud review the [pre-requisites](../hybrid/connect/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/connect/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). - Support for using the Remote Desktop Services web client with Application Proxy. See [Publish Remote Desktop with Azure AD Application Proxy](application-proxy-integrate-with-remote-desktop-services.md) for more details. - Improved websocket extension negotiations. - Support for optimized routing between connector groups and Application Proxy cloud services based on region. See [Optimize traffic flow with Azure Active Directory Application Proxy](application-proxy-network-topology.md) for more details. |
active-directory | Application Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy.md | Application Proxy works with: * Applications hosted behind a [Remote Desktop Gateway](./application-proxy-integrate-with-remote-desktop-services.md) * Rich client apps that are integrated with the Microsoft Authentication Library (MSAL) -Application Proxy supports single sign-on. For more information on supported methods, see [Choosing a single sign-on method](../manage-apps/sso-options.md#choosing-a-single-sign-on-method). +Application Proxy supports single sign-on. For more information on supported methods, see [Choosing a single sign-on method](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method). Application Proxy is recommended for giving remote users access to internal resources. Application Proxy replaces the need for a VPN or reverse proxy. It is not intended for internal users on the corporate network. These users who unnecessarily use Application Proxy can introduce unexpected and undesirable performance issues. The following diagram shows how Azure AD and Application Proxy work together to | On-premises application | Finally, the user is able to access an on-premises application. ## Next steps-To start using Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy](application-proxy-add-on-premises-application.md). +To start using Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy](application-proxy-add-on-premises-application.md). |
active-directory | What Is Application Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/what-is-application-proxy.md | App Proxy also supports the following authentication protocols with third-party * [**Forms- or password-based authentication**](./application-proxy-configure-single-sign-on-password-vaulting.md). With this authentication method, users sign on to the application with a username and password the first time they access it. After the first sign-on, Azure AD supplies the username and password to the application. In this scenario, authentication is handled by Azure AD. * [**SAML authentication**](./application-proxy-configure-single-sign-on-on-premises-apps.md). SAML-based single sign-on is supported for applications that use either SAML 2.0 or WS-Federation protocols. With SAML single sign-on, Azure AD authenticates to the application by using the user's Azure AD account. -For more information on supported methods, see [Choosing a single sign-on method](../manage-apps/sso-options.md#choosing-a-single-sign-on-method). +For more information on supported methods, see [Choosing a single sign-on method](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method). ### Security benefits |
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/whats-new-docs.md | Welcome to what's new in Azure Active Directory application proxy documentation. ### Updated articles -- [Integrate with Azure Active Directory Application Proxy on a Network Device Enrollment Service (NDES) server](active-directory-app-proxy-protect-ndes.md)+- [Integrate with Azure Active Directory Application Proxy on a Network Device Enrollment Service (NDES) server](./app-proxy-protect-ndes.md) - [Plan an Azure AD Application Proxy deployment](application-proxy-deployment-plan.md) - [Active Directory (Azure AD) Application Proxy frequently asked questions](application-proxy-faq.yml) - [Integrate Azure Active Directory Application Proxy with SharePoint (SAML)](application-proxy-integrate-with-sharepoint-server-saml.md) Application proxy content has moved out of the [application management content s ## March 2021 -To learn about new and updated content in March, see the [what's new in application management](../manage-apps/whats-new-docs.md) content page. +To learn about new and updated content in March, see the [what's new in application management](../manage-apps/whats-new-docs.md) content page. |
active-directory | Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/architecture.md | -Azure Active Directory (Azure AD) enables you to securely manage access to Azure services and resources for your users. Included with Azure AD is a full suite of identity management capabilities. For information about Azure AD features, see [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md) +Azure Active Directory (Azure AD) enables you to securely manage access to Azure services and resources for your users. Included with Azure AD is a full suite of identity management capabilities. For information about Azure AD features, see [What is Azure Active Directory?](../fundamentals/whatis.md) -With Azure AD, you can create and manage users and groups, and enable permissions to allow and deny access to enterprise resources. For information about identity management, see [The fundamentals of Azure identity management](../fundamentals/active-directory-whatis.md). +With Azure AD, you can create and manage users and groups, and enable permissions to allow and deny access to enterprise resources. For information about identity management, see [The fundamentals of Azure identity management](../fundamentals/whatis.md). ## Azure AD architecture |
active-directory | Auth Oauth2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-oauth2.md | Rich client and modern app scenarios and RESTful web API access. * [Integrating applications with Azure AD](../saas-apps/tutorial-list.md) -* [OAuth 2.0 and OpenID Connect protocols on the Microsoft Identity Platform](../develop/active-directory-v2-protocols.md) +* [OAuth 2.0 and OpenID Connect protocols on the Microsoft Identity Platform](../develop/v2-protocols.md) * [Application types and OAuth2](../develop/v2-app-types.md) - |
active-directory | Auth Oidc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-oidc.md | There is a need for user consent and for web sign in. * [Integrating applications with Azure AD](../saas-apps/tutorial-list.md) -* [OAuth 2.0 and OpenID Connect protocols on the Microsoft Identity Platform](../develop/active-directory-v2-protocols.md) +* [OAuth 2.0 and OpenID Connect protocols on the Microsoft Identity Platform](../develop/v2-protocols.md) * [Microsoft identity platform and OpenID Connect protocol](../develop/v2-protocols-oidc.md) |
active-directory | Auth Saml | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-saml.md | While one of most important use cases that SAML addresses is SSO, especially by * [Configuring SAML based single sign-on for non-gallery applications](../manage-apps/add-application-portal.md) -* [How Azure AD uses the SAML protocol](../develop/active-directory-saml-protocol-reference.md) +* [How Azure AD uses the SAML protocol](../develop/saml-protocol-reference.md) |
active-directory | Automate Provisioning To Applications Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/automate-provisioning-to-applications-solutions.md | As customers transition identity management to the cloud, more users and groups 3. When an external user from a partner organization is created in Azure AD using B2B, MIM can automatically provision them [into AD DS](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario) and give those guests access to [on-premises Windows-Integrated Authentication or Kerberos-based applications](../external-identities/hybrid-cloud-to-on-premises.md). Alternatively, customers can user [PowerShell scripts](https://github.com/Azure-Samples/B2B-to-AD-Sync) to automate the creation of guest accounts on-premises. -1. When a group is created in Azure AD, it can be automatically synchronized to AD DS using [Azure AD Connect sync](../hybrid/how-to-connect-group-writeback-v2.md). +1. When a group is created in Azure AD, it can be automatically synchronized to AD DS using [Azure AD Connect sync](../hybrid/connect/how-to-connect-group-writeback-v2.md). 1. When users need access to cloud apps that still rely on legacy access protocols (for example, LDAP and Kerberos/NTLM), [Azure AD Domain Services](https://azure.microsoft.com/services/active-directory-ds/) synchronizes identities between Azure AD and a managed AD domain. 
|No.| What | From | To | Technology | | - | - | - | - | - |-| 1 |Users, groups| AD DS| Azure AD| [Azure AD Connect Cloud Sync](../cloud-sync/what-is-cloud-sync.md) | -| 2 |Users, groups, devices| AD DS| Azure AD| [Azure AD Connect Sync](../hybrid/whatis-azure-ad-connect.md) | -| 3 |Groups| Azure AD| AD DS| [Azure AD Connect Sync](../hybrid/how-to-connect-group-writeback-v2.md) | +| 1 |Users, groups| AD DS| Azure AD| [Azure AD Connect Cloud Sync](../hybrid/cloud-sync/what-is-cloud-sync.md) | +| 2 |Users, groups, devices| AD DS| Azure AD| [Azure AD Connect Sync](../hybrid/connect/whatis-azure-ad-connect.md) | +| 3 |Groups| Azure AD| AD DS| [Azure AD Connect Sync](../hybrid/connect/how-to-connect-group-writeback-v2.md) | | 4 |Guest accounts| Azure AD| AD DS| [MIM](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario), [PowerShell](https://github.com/Azure-Samples/B2B-to-AD-Sync)| | 5 |Users, groups| Azure AD| Managed AD| [Azure AD Domain Services](https://azure.microsoft.com/services/active-directory-ds/) | Organizations often need a complete audit trail of what users have access to app ### Next steps 1. Automate provisioning with any of your applications that are in the [Azure AD app gallery](../saas-apps/tutorial-list.md), support [SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md), [SQL](../app-provisioning/on-premises-sql-connector-configure.md), or [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md).-2. Evaluate [Azure AD Cloud Sync](../cloud-sync/what-is-cloud-sync.md) for synchronization between AD DS and Azure AD -3. Use the [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for complex provisioning scenarios +2. Evaluate [Azure AD Cloud Sync](../hybrid/cloud-sync/what-is-cloud-sync.md) for synchronization between AD DS and Azure AD +3. 
Use the [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for complex provisioning scenarios |
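Review bot: the unchanged context sentence "Alternatively, customers can user [PowerShell scripts]" has a typo; "user" should be "use".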
active-directory | Backup Authentication System Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/backup-authentication-system-apps.md | The backup authentication system doesn't currently support the [authorization co ##### Web applications & services -The backup authentication system doesn't currently support web applications and services that are configured as confidential clients. Protection for the [authorization code grant flow](../develop/v2-oauth2-auth-code-flow.md) and subsequent token acquisition using refresh tokens and client secrets or [certificate credentials](../develop/active-directory-certificate-credentials.md) isn't currently supported. The OAuth 2.0 [on-behalf-of flow](../develop/v2-oauth2-on-behalf-of-flow.md) isn't currently supported. +The backup authentication system doesn't currently support web applications and services that are configured as confidential clients. Protection for the [authorization code grant flow](../develop/v2-oauth2-auth-code-flow.md) and subsequent token acquisition using refresh tokens and client secrets or [certificate credentials](../develop/certificate-credentials.md) isn't currently supported. The OAuth 2.0 [on-behalf-of flow](../develop/v2-oauth2-on-behalf-of-flow.md) isn't currently supported. #### SAML 2.0 single sign-on (SSO) The backup authentication system doesn't currently support service principal-bas - [Azure AD's backup authentication system](backup-authentication-system.md) - [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) - [Introduction to the backup authentication system](https://azure.microsoft.com/blog/advancing-service-resilience-in-azure-active-directory-with-its-backup-authentication-service/)-- [Resilience Defaults for Conditional Access](../conditional-access/resilience-defaults.md)+- [Resilience Defaults for Conditional Access](../conditional-access/resilience-defaults.md) |
active-directory | Deployment Plans | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/deployment-plans.md | Title: Azure Active Directory deployment plans description: Guidance on Azure Active Directory deployment, such as authentication, devices, hybrid scenarios, governance, and more. -+ Use the following list to help deploy applications and devices. The following list describes features and services for productivity gains in hybrid scenarios. * **Active Directory Federation Services (AD FS)** - Migrate user authentication from federation to cloud with pass-through authentication or password hash sync:- * See, [What is federation with Azure AD?](../hybrid/whatis-fed.md) - * See, [Migrate from federation to cloud authentication](../hybrid/migrate-from-federation-to-cloud-authentication.md) + * See, [What is federation with Azure AD?](../hybrid/connect/whatis-fed.md) + * See, [Migrate from federation to cloud authentication](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md) * **Azure AD Application Proxy** - Enable employees to be productive at any place or time, and from a device. Learn about software as a service (SaaS) apps in the cloud and corporate apps on-premises. Azure AD Application Proxy enables access without virtual private networks (VPNs) or demilitarized zones (DMZs): * See, [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy.md) * See, [Plan an Azure AD Application Proxy deployment](../app-proxy/application-proxy-deployment-plan.md) * **Seamless single sign-on (Seamless SSO)** - Use Seamless SSO for user sign-in, on corporate devices connected to a corporate network. Users don't need to enter passwords to sign in to Azure AD, and usually don't need to enter usernames. 
Authorized users access cloud-based apps without extra on-premises components:- * See, [Azure Active Directory SSO: Quickstart](../hybrid/how-to-connect-sso-quick-start.md) - * See, [Azure Active Directory Seamless SSO: Technical deep dive](../hybrid/how-to-connect-sso-how-it-works.md) + * See, [Azure Active Directory SSO: Quickstart](../hybrid/connect/how-to-connect-sso-quick-start.md) + * See, [Azure Active Directory Seamless SSO: Technical deep dive](../hybrid/connect/how-to-connect-sso-how-it-works.md) ## Users |
active-directory | Govern Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/govern-service-accounts.md | We recommend the following practices for service account privileges. >`Get-AzureADDirectoryRoleMember`, and filter for objectType "Service Principal", or use</br> >`Get-AzureADServicePrincipal | % { Get-AzureADServiceAppRoleAssignment -ObjectId $_ }` -* See, [Introduction to permissions and consent](../develop/v2-permissions-and-consent.md) to limit the functionality a service account can access on a resource +* See, [Introduction to permissions and consent](../develop/permissions-consent-overview.md) to limit the functionality a service account can access on a resource * Service principals and managed identities can use OAuth 2.0 scopes in a delegated context impersonating a signed-on user, or as service account in the application context. In the application context, no one is signed in. * Confirm the scopes service accounts request for resources * If an account requests Files.ReadWrite.All, evaluate if it needs File.Read.All |
active-directory | Monitor Sign In Health For Resilience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/monitor-sign-in-health-for-resilience.md | Use the following instructions to create email alerts based on the queries refle - The successful usage drops by 90% from the same hour two days ago, as shown in the preceding hourly usage graph example. - The failure rate increases by 90% from the same hour two days ago, as shown in the preceding hourly failure rate graph example. -To configure the underlying query and set alerts, complete the following steps using the sample query as the basis for your configuration. The query structure description appears at the end of this section. Learn how to create, view, and manage log alerts using Azure Monitor in [Manage log alerts](../../azure-monitor/alerts/alerts-log.md). +To configure the underlying query and set alerts, complete the following steps using the sample query as the basis for your configuration. The query structure description appears at the end of this section. Learn how to create, view, and manage log alerts using Azure Monitor in [Manage log alerts](../../azure-monitor/alerts/alerts-create-new-alert-rule.md). 1. In the workbook, select **Edit** as shown in the following screenshot. Select the **query icon** in the upper right corner of the graph. |
active-directory | Multi Tenant Common Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-common-considerations.md | One of the most useful features of **Set-MailUser** is the ability to manipulate ### Microsoft SharePoint Online -SharePoint Online has its own service-specific permissions depending on whether the user (internal or external) is of type member or guest in the Azure Active Directory tenant. [Office 365 external sharing and Azure Active Directory B2B collaboration](../external-identities/o365-external-user.md) describes how you can enable integration with SharePoint and OneDrive to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management. +SharePoint Online has its own service-specific permissions depending on whether the user (internal or external) is of type member or guest in the Azure Active Directory tenant. [Office 365 external sharing and Azure Active Directory B2B collaboration](../external-identities/what-is-b2b.md) describes how you can enable integration with SharePoint and OneDrive to share files, folders, list items, document libraries, and sites with people outside your organization, while using Azure B2B for authentication and management. After you enable external sharing in SharePoint Online, the ability to search for guest users in the SharePoint Online people picker is **OFF** by default. This setting prohibits guest users from being discoverable when they're hidden from the Exchange Online GAL. You can enable guest users to become visible in two ways (not mutually exclusive): |
active-directory | Multi Tenant User Management Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-user-management-introduction.md | The following conceptual and how-to articles provide information about Azure AD ### Conceptual articles - [B2B best practices](../external-identities/b2b-fundamentals.md) features recommendations for providing the smoothest experience for users and administrators.-- [B2B and Office 365 external sharing](../external-identities/o365-external-user.md) explains the similarities and differences among sharing resources through B2B, Office 365, and SharePoint/OneDrive.+- [B2B and Office 365 external sharing](../external-identities/what-is-b2b.md) explains the similarities and differences among sharing resources through B2B, Office 365, and SharePoint/OneDrive. - [Properties on an Azure AD B2B collaboration user](../external-identities/user-properties.md) describes the properties and states of the external user object in Azure AD. The description provides details before and after invitation redemption. - [B2B user tokens](../external-identities/user-token.md) provides examples of the bearer tokens for B2B for an external user. - [Conditional Access for B2B](../external-identities/authentication-conditional-access.md) describes how Conditional Access and MFA work for external users. Microsoft mechanisms for creating and managing the lifecycle of your external us - [Multi-tenant user management scenarios](multi-tenant-user-management-scenarios.md) describes three scenarios for which you can use multi-tenant user management features: end user-initiated, scripted, and automated. - [Common considerations for multi-tenant user management](multi-tenant-common-considerations.md) provides guidance for these considerations: cross-tenant synchronization, directory object, Azure AD Conditional Access, additional access control, and Office 365. 
- [Common solutions for multi-tenant user management](multi-tenant-common-solutions.md) when single tenancy doesn't work for your scenario, this article provides guidance for these challenges: automatic user lifecycle management and resource allocation across tenants, sharing on-premises apps across tenants.-- [Multi-tenant synchronization from Active Directory](../hybrid/plan-connect-topologies.md) describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect sync as the key integration solution.+- [Multi-tenant synchronization from Active Directory](../hybrid/connect/plan-connect-topologies.md) describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect sync as the key integration solution. |
active-directory | Multi Tenant User Management Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-user-management-scenarios.md | For example, a global professional services firm collaborates with subcontractor Here are the most widely used ways to invite end users to access tenant resources. -- [**Application-based invitations.**](../external-identities/o365-external-user.md) Microsoft applications (such as Teams and SharePoint) can enable external user invitations. Configure B2B invitation settings in both Azure AD B2B and in the relevant applications.-- [**MyApps.**](../manage-apps/my-apps-deployment-plan.md) Users can invite and assign external users to applications using MyApps. The user account must have [application self-service sign up](../manage-apps/manage-self-service-access.md) approver permissions. Group owners can invite external users to their groups.+- [**Application-based invitations.**](../external-identities/what-is-b2b.md) Microsoft applications (such as Teams and SharePoint) can enable external user invitations. Configure B2B invitation settings in both Azure AD B2B and in the relevant applications. +- [**MyApps.**](../manage-apps/myapps-overview.md) Users can invite and assign external users to applications using MyApps. The user account must have [application self-service sign up](../manage-apps/manage-self-service-access.md) approver permissions. Group owners can invite external users to their groups. - [**Entitlement management.**](../governance/entitlement-management-overview.md) Enable admins or resource owners to create access packages with resources, allowed external organizations, external user expiration, and access policies. Publish access packages to enable external user self-service sign-up for resource access. 
- [**Azure portal.**](../external-identities/add-users-administrator.md) End users with the [Guest Inviter role](../external-identities/external-collaboration-settings-configure.md) can sign in to the Azure portal and invite external users from the **Users** menu in Azure AD. - [**Programmatic (PowerShell, Graph API).**](../external-identities/customize-invitation-api.md) End users with the [Guest Inviter role](../external-identities/external-collaboration-settings-configure.md) can use PowerShell or Graph API to invite external users. |
active-directory | Ops Guide Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/ops-guide-auth.md | Use the table below to find the recommended solution for mitigating the issue th | Issue | Recommendation | | :- | :- | | No mechanism to protect against weak passwords | Enable Azure AD [self-service password reset (SSPR)](../authentication/concept-sspr-howitworks.md) and [password protection](../authentication/concept-password-ban-bad-on-premises.md) |-| No mechanism to detect leaked passwords | Enable [password hash sync](../hybrid/how-to-connect-password-hash-synchronization.md) (PHS) to gain insights | +| No mechanism to detect leaked passwords | Enable [password hash sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (PHS) to gain insights | | Using AD FS and unable to move to managed authentication | Enable [AD FS Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection) and / or [Azure AD Smart Lockout](../authentication/howto-password-smart-lockout.md) | | Password policy uses complexity-based rules such as length, multiple character sets, or expiration | Reconsider in favor of [Microsoft Recommended Practices](https://www.microsoft.com/research/publication/password-guidance/?from=http%3A%2F%2Fresearch.microsoft.com%2Fpubs%2F265143%2Fmicrosoft_password_guidance.pdf) and switch your approach to password management and deploy [Azure AD password protection](../authentication/concept-password-ban-bad.md). 
| | Users aren't registered to use multi-factor authentication (MFA) | [Register all user's security information](../identity-protection/howto-identity-protection-configure-mfa-policy.md) so it can be used as a mechanism to verify the user's identity along with their password | | There is no revocation of passwords based on user risk | Deploy Azure AD [Identity Protection user risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md) to force password changes on leaked credentials using SSPR |-| There's no smart lockout mechanism to protect malicious authentication from bad actors coming from identified IP addresses | Deploy cloud-managed authentication with either password hash sync or [pass-through authentication](../hybrid/how-to-connect-pta-quick-start.md) (PTA) | +| There's no smart lockout mechanism to protect malicious authentication from bad actors coming from identified IP addresses | Deploy cloud-managed authentication with either password hash sync or [pass-through authentication](../hybrid/connect/how-to-connect-pta-quick-start.md) (PTA) | #### Password policies recommended reading If your on-premises organization is lacking an outage resiliency strategy or has ![password hash sync flow](./media/ops-guide-auth/ops-img5.png) -To better understand your authentication options, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](../hybrid/choose-ad-authn.md). +To better understand your authentication options, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](../hybrid/connect/choose-ad-authn.md). ### Programmatic usage of credentials -Azure AD scripts using PowerShell or applications using the Microsoft Graph API require secure authentication. Poor credential management executing those scripts and tools increase the risk of credential theft. 
If you're using scripts or applications that rely on hard-coded passwords or password prompts you should first review passwords in config files or source code, then replace those dependencies and use Azure Managed Identities, Integrated-Windows Authentication, or [certificates](../reports-monitoring/tutorial-access-api-with-certificates.md) whenever possible. For applications where the previous solutions aren't possible, consider using [Azure Key Vault](https://azure.microsoft.com/services/key-vault/). +Azure AD scripts using PowerShell or applications using the Microsoft Graph API require secure authentication. Poor credential management executing those scripts and tools increase the risk of credential theft. If you're using scripts or applications that rely on hard-coded passwords or password prompts you should first review passwords in config files or source code, then replace those dependencies and use Azure Managed Identities, Integrated-Windows Authentication, or [certificates](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) whenever possible. For applications where the previous solutions aren't possible, consider using [Azure Key Vault](https://azure.microsoft.com/services/key-vault/). If you determine that there are service principals with password credentials and you're unsure how those password credentials are secured by scripts or applications, contact the owner of the application to better understand usage patterns. Microsoft also recommends you contact application owners to understand usage pat ### On-premises authentication -Federated Authentication with integrated Windows authentication (IWA) or Seamless Single Sign-On (SSO) managed authentication with password hash sync or pass-through authentication is the best user experience when inside the corporate network with line-of-sight to on-premises domain controllers. It minimizes credential prompt fatigue and reduces the risk of users falling prey to phishing attacks. 
If you're already using cloud-managed authentication with PHS or PTA, but users still need to type in their password when authenticating on-premises, then you should immediately [deploy Seamless SSO](../hybrid/how-to-connect-sso.md). On the other hand, if you're currently federated with plans to eventually migrate to cloud-managed authentication, then you should implement Seamless SSO as part of the migration project. +Federated Authentication with integrated Windows authentication (IWA) or Seamless Single Sign-On (SSO) managed authentication with password hash sync or pass-through authentication is the best user experience when inside the corporate network with line-of-sight to on-premises domain controllers. It minimizes credential prompt fatigue and reduces the risk of users falling prey to phishing attacks. If you're already using cloud-managed authentication with PHS or PTA, but users still need to type in their password when authenticating on-premises, then you should immediately [deploy Seamless SSO](../hybrid/connect/how-to-connect-sso.md). On the other hand, if you're currently federated with plans to eventually migrate to cloud-managed authentication, then you should implement Seamless SSO as part of the migration project. ### Device trust access policies Like a user in your organization, a device is a core identity you want to protec You can carry out this goal by bringing device identities and managing them in Azure AD by using one of the following methods: - Organizations can use [Microsoft Intune](/intune/what-is-intune) to manage the device and enforce compliance policies, attest device health, and set Conditional Access policies based on whether the device is compliant. 
Microsoft Intune can manage iOS devices, Mac desktops (Via JAMF integration), Windows desktops (natively using Mobile Device Management for Windows 10, and co-management with Microsoft Configuration Manager) and Android mobile devices.-- [Hybrid Azure AD join](../devices/hybrid-azuread-join-managed-domains.md) provides management with Group Policies or Microsoft Configuration Manager in an environment with Active Directory domain-joined computers devices. Organizations can deploy a managed environment either through PHS or PTA with Seamless SSO. Bringing your devices to Azure AD maximizes user productivity through SSO across your cloud and on-premises resources while enabling you to secure access to your cloud and on-premises resources with [Conditional Access](../conditional-access/overview.md) at the same time.+- [Hybrid Azure AD join](../devices/how-to-hybrid-join.md) provides management with Group Policies or Microsoft Configuration Manager in an environment with Active Directory domain-joined computers devices. Organizations can deploy a managed environment either through PHS or PTA with Seamless SSO. Bringing your devices to Azure AD maximizes user productivity through SSO across your cloud and on-premises resources while enabling you to secure access to your cloud and on-premises resources with [Conditional Access](../conditional-access/overview.md) at the same time. -If you have domain-joined Windows devices that aren't registered in the cloud, or domain-joined Windows devices that are registered in the cloud but without Conditional Access policies, then you should register the unregistered devices and, in either case, [use Hybrid Azure AD join as a control](../conditional-access/require-managed-devices.md) in your Conditional Access policies. 
+If you have domain-joined Windows devices that aren't registered in the cloud, or domain-joined Windows devices that are registered in the cloud but without Conditional Access policies, then you should register the unregistered devices and, in either case, [use Hybrid Azure AD join as a control](../conditional-access/concept-conditional-access-grant.md) in your Conditional Access policies. ![A screenshot of grant in Conditional Access policy requiring hybrid device](./media/ops-guide-auth/ops-img6.png) -If you're managing devices with MDM or Microsoft Intune, but not using device controls in your Conditional Access policies, then we recommend using [Require device to be marked as compliant](../conditional-access/require-managed-devices.md#require-device-to-be-marked-as-compliant) as a control in those policies. +If you're managing devices with MDM or Microsoft Intune, but not using device controls in your Conditional Access policies, then we recommend using [Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md#require-device-to-be-marked-as-compliant) as a control in those policies. ![A screenshot of grant in Conditional Access policy requiring device compliance](./media/ops-guide-auth/ops-img7.png) Finally, if you have an Azure AD app gallery and use applications that support S ### Migration of AD FS applications to Azure AD -[Migrating apps from AD FS to Azure AD](../manage-apps/migrate-adfs-apps-to-azure.md) enables additional capabilities on security, more consistent manageability, and a better collaboration experience. If you have applications configured in AD FS that support SSO with Azure AD, then you should reconfigure those applications to use SSO with Azure AD. If you have applications configured in AD FS with uncommon configurations unsupported by Azure AD, you should contact the app owners to understand if the special configuration is an absolute requirement of the application. 
If it isn't required, then you should reconfigure the application to use SSO with Azure AD. +[Migrating apps from AD FS to Azure AD](../manage-apps/migrate-adfs-apps-stages.md) enables additional capabilities on security, more consistent manageability, and a better collaboration experience. If you have applications configured in AD FS that support SSO with Azure AD, then you should reconfigure those applications to use SSO with Azure AD. If you have applications configured in AD FS with uncommon configurations unsupported by Azure AD, you should contact the app owners to understand if the special configuration is an absolute requirement of the application. If it isn't required, then you should reconfigure the application to use SSO with Azure AD. ![Azure AD as the primary identity provider](./media/ops-guide-auth/ops-img9.png) > [!NOTE]-> [Azure AD Connect Health for ADFS](../hybrid/how-to-connect-health-adfs.md) can be used to collect configuration details about each application that can potentially be migrated to Azure AD. +> [Azure AD Connect Health for ADFS](../hybrid/connect/how-to-connect-health-adfs.md) can be used to collect configuration details about each application that can potentially be migrated to Azure AD. ### Assign users to applications -[Assigning users to applications](../manage-apps/assign-user-or-group-access-portal.md) is best mapped by using groups because they allow greater flexibility and ability to manage at scale. The benefits of using groups include [attribute-based dynamic group membership](../enterprise-users/groups-dynamic-membership.md) and [delegation to app owners](../fundamentals/active-directory-accessmanagement-managing-group-owners.md). 
Therefore, if you're already using and managing groups, we recommend you take the following actions to improve management at scale: +[Assigning users to applications](../manage-apps/assign-user-or-group-access-portal.md) is best mapped by using groups because they allow greater flexibility and ability to manage at scale. The benefits of using groups include [attribute-based dynamic group membership](../enterprise-users/groups-dynamic-membership.md) and [delegation to app owners](../fundamentals/how-to-manage-groups.md). Therefore, if you're already using and managing groups, we recommend you take the following actions to improve management at scale: - Delegate group management and governance to application owners. - Allow self-service access to the application. If you already own Azure AD Premium P2 licenses that support using risk in acces ### Client application access policies -Microsoft Intune Application Management (MAM) provides the ability to push data protection controls such as storage encryption, PIN, remote storage cleanup, etc. to compatible client mobile applications such as Outlook Mobile. In addition, Conditional Access policies can be created to [restrict access](../conditional-access/app-based-conditional-access.md) to cloud services such as Exchange Online from approved or compatible apps. +Microsoft Intune Application Management (MAM) provides the ability to push data protection controls such as storage encryption, PIN, remote storage cleanup, etc. to compatible client mobile applications such as Outlook Mobile. In addition, Conditional Access policies can be created to [restrict access](../conditional-access/howto-policy-approved-app-or-app-protection.md) to cloud services such as Exchange Online from approved or compatible apps. 
If your employees install MAM-capable applications such as Office mobile apps to access corporate resources such as Exchange Online or SharePoint Online, and you also support BYOD (bring your own device), we recommend you deploy application MAM policies to manage the application configuration in personally owned devices without MDM enrollment and then update your Conditional Access policies to only allow access from MAM-capable clients. Having access to sign-in activity, audits and risk events for Azure AD is crucia - [Azure Active Directory audit API reference](/graph/api/resources/directoryaudit) - [Azure Active Directory sign-in activity report API reference](/graph/api/resources/signin)-- [Get data using the Azure AD Reporting API with certificates](../reports-monitoring/tutorial-access-api-with-certificates.md)+- [Get data using the Azure AD Reporting API with certificates](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) - [Microsoft Graph for Azure Active Directory Identity Protection](../identity-protection/howto-identity-protection-graph-api.md) - [Office 365 Management Activity API reference](/office/office-365-management-api/office-365-management-activity-api-reference) - [How to use the Azure Active Directory Power BI Content Pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md) |
active-directory | Ops Guide Govern | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/ops-guide-govern.md | There are changes that require special considerations when testing, from simple | Scenario| Recommendation | |-|-|-|Changing the authentication type from federated to PHS/PTA or vice-versa| Use [staged rollout](../hybrid/how-to-connect-staged-rollout.md) to test the impact of changing the authentication type.| +|Changing the authentication type from federated to PHS/PTA or vice-versa| Use [staged rollout](../hybrid/connect/how-to-connect-staged-rollout.md) to test the impact of changing the authentication type.| |Rolling out a new Conditional Access policy or Identity Protection Policy|Create a new Conditional Access policy and assign to test users.| |Onboarding a test environment of an application|Add the application to a production environment, hide it from the MyApps panel, and assign it to test users during the quality assurance (QA) phase.| |Changing of sync rules|Perform the changes in a test Azure AD Connect with the same configuration that is currently in production, also known as staging mode, and analyze CSExport Results. If satisfied, swap to production when ready.| Hackers often target admin accounts and other elements of privileged access to r If no process exists in your organization to manage privileged accounts, or you currently have admins who use their regular user accounts to manage services and resources, you should immediately begin using separate accounts, for example one for regular day-to-day activities; the other for privileged access and configured with MFA. Better yet, if your organization has an Azure AD Premium P2 subscription, then you should immediately deploy [Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md#license-requirements) (PIM). 
In the same token, you should also review those privileged accounts and [assign less privileged roles](../roles/security-planning.md) if applicable. -Another aspect of privileged account management that should be implemented is in defining [access reviews](../governance/access-reviews-overview.md) for those accounts, either manually or [automated through PIM](../privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review.md). +Another aspect of privileged account management that should be implemented is in defining [access reviews](../governance/access-reviews-overview.md) for those accounts, either manually or [automated through PIM](../privileged-identity-management/pim-perform-roles-and-resource-roles-review.md). #### Privileged account management recommended reading |
active-directory | Ops Guide Iam | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/ops-guide-iam.md | As you review your list, you may find you need to either assign an owner for tas ### Identify and resolve synchronization issues -Microsoft recommends you have a good baseline and understanding of the issues in your on-premises environment that can result in synchronization issues to the cloud. Since automated tools such as [IdFix](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) and [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md#why-use-azure-ad-connect-health) can generate a high volume of false positives, we recommend you identify synchronization errors that have been left unaddressed for more than 100 days by cleaning up those objects in error. Long term unresolved synchronization errors can generate support incidents. [Troubleshooting errors during synchronization](../hybrid/tshoot-connect-sync-errors.md) provides an overview of different types of sync errors, some of the possible scenarios that cause those errors and potential ways to fix the errors. +Microsoft recommends you have a good baseline and understanding of the issues in your on-premises environment that can result in synchronization issues to the cloud. Since automated tools such as [IdFix](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) and [Azure AD Connect Health](../hybrid/connect/whatis-azure-ad-connect.md#why-use-azure-ad-connect-health) can generate a high volume of false positives, we recommend you identify synchronization errors that have been left unaddressed for more than 100 days by cleaning up those objects in error. Long term unresolved synchronization errors can generate support incidents. 
[Troubleshooting errors during synchronization](../hybrid/connect/tshoot-connect-sync-errors.md) provides an overview of different types of sync errors, some of the possible scenarios that cause those errors and potential ways to fix the errors. ### Azure AD Connect Sync configuration Examples of objects to exclude are: > [!NOTE] > If a single human identity has multiple accounts provisioned from something such as a legacy domain migration, merger, or acquisition, you should only synchronize the account used by the user on a day-to-day basis, for example, what they use to log in to their computer. -Ideally, you'll want to reach a balance between reducing the number of objects to synchronize and the complexity in the rules. Generally, a combination between OU/container [filtering](../hybrid/how-to-connect-sync-configure-filtering.md) plus a simple attribute mapping to the cloudFiltered attribute is an effective filtering combination. +Ideally, you'll want to reach a balance between reducing the number of objects to synchronize and the complexity in the rules. Generally, a combination between OU/container [filtering](../hybrid/connect/how-to-connect-sync-configure-filtering.md) plus a simple attribute mapping to the cloudFiltered attribute is an effective filtering combination. > [!IMPORTANT] > If you use group filtering in production, you should transition to another filtering approach. If your Azure AD Connect version is more than six months behind, you should upgr #### Source anchor -Using **ms-DS-consistencyguid** as the [source anchor](../hybrid/plan-connect-design-concepts.md) allows an easier migration of objects across forests and domains, which is common in AD Domain consolidation/cleanup, mergers, acquisitions, and divestitures. 
+Using **ms-DS-consistencyguid** as the [source anchor](../hybrid/connect/plan-connect-design-concepts.md) allows an easier migration of objects across forests and domains, which is common in AD Domain consolidation/cleanup, mergers, acquisitions, and divestitures. If you're currently using **ObjectGuid** as the source anchor, we recommend you switch to using **ms-DS-ConsistencyGuid**. If you're currently provisioning apps in an ad-hoc manner or using things like C It's important to understand the volume of changes in your organization and make sure that it isn't taking too long to have a predictable synchronization time. -The [default delta sync](../hybrid/how-to-connect-sync-feature-scheduler.md) frequency is 30 minutes. If the delta sync is taking longer than 30 minutes consistently, or there are significant discrepancies between the delta sync performance of staging and production, you should investigate and review the [factors influencing the performance of Azure AD Connect](../hybrid/plan-connect-performance-factors.md). +The [default delta sync](../hybrid/connect/how-to-connect-sync-feature-scheduler.md) frequency is 30 minutes. If the delta sync is taking longer than 30 minutes consistently, or there are significant discrepancies between the delta sync performance of staging and production, you should investigate and review the [factors influencing the performance of Azure AD Connect](../hybrid/connect/plan-connect-performance-factors.md). #### Azure AD Connect troubleshooting recommended reading - [Prepare directory attributes for synchronization with Microsoft 365 by using the IdFix tool](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix)-- [Azure AD Connect: Troubleshooting Errors during synchronization](../hybrid/tshoot-connect-sync-errors.md)+- [Azure AD Connect: Troubleshooting Errors during synchronization](../hybrid/connect/tshoot-connect-sync-errors.md) ## Summary |
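Review bot: in the source anchor hunk the attribute name is spelled two ways in adjacent sentences, **ms-DS-consistencyguid** in the updated link sentence and **ms-DS-ConsistencyGuid** in the sentence that follows it; pick one casing for both so readers searching for the attribute find a single spelling.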
active-directory | Ops Guide Ops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/ops-guide-ops.md | Unless one has been established, you should define a process to upgrade these co #### Hybrid management recommended reading -- [Azure AD Connect: Automatic upgrade](../hybrid/how-to-connect-install-automatic-upgrade.md)+- [Azure AD Connect: Automatic upgrade](../hybrid/connect/how-to-connect-install-automatic-upgrade.md) - [Understand Azure AD Application Proxy connectors | Automatic updates](../app-proxy/application-proxy-connectors.md#automatic-updates) ### Azure AD Connect Health alert baseline -Organizations should deploy [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md#what-is-azure-ad-connect-health) for monitoring and reporting of Azure AD Connect and AD FS. Azure AD Connect and AD FS are critical components that can break lifecycle management and authentication and therefore lead to outages. Azure AD Connect Health helps monitor and gain insights into your on-premises identity infrastructure thus ensuring the reliability of your environment. +Organizations should deploy [Azure AD Connect Health](../hybrid/connect/whatis-azure-ad-connect.md#what-is-azure-ad-connect-health) for monitoring and reporting of Azure AD Connect and AD FS. Azure AD Connect and AD FS are critical components that can break lifecycle management and authentication and therefore lead to outages. Azure AD Connect Health helps monitor and gain insights into your on-premises identity infrastructure thus ensuring the reliability of your environment. 
![Azure AD Connect Heath architecture](./media/ops-guide-auth/ops-img16.png) As you monitor the health of your environment, you must immediately address any #### Azure AD Connect Health recommended reading -- [Azure AD Connect Health Agent Installation](../hybrid/how-to-connect-health-agent-install.md)+- [Azure AD Connect Health Agent Installation](../hybrid/connect/how-to-connect-health-agent-install.md) ### On-premises agents logs Some identity and access management services require on-premises agents to enabl - [Troubleshoot Application Proxy](../app-proxy/application-proxy-troubleshoot.md) - [Self-service password reset troubleshooting](../authentication/troubleshoot-sspr.md) - [Understand Azure AD Application Proxy connectors](../app-proxy/application-proxy-connectors.md)-- [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/tshoot-connect-pass-through-authentication.md#collecting-pass-through-authentication-agent-logs)+- [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/connect/tshoot-connect-pass-through-authentication.md#collecting-pass-through-authentication-agent-logs) - [Troubleshoot error codes for the Azure AD MFA NPS extension](../authentication/howto-mfa-nps-extension-errors.md) ### On-premises agents management Adopting best practices can help the optimal operation of on-premises agents. 
Co #### On-premises agents management recommended reading - [Understand Azure AD Application Proxy connectors](../app-proxy/application-proxy-connectors.md)-- [Azure AD Pass-through Authentication - quickstart](../hybrid/how-to-connect-pta-quick-start.md#step-4-ensure-high-availability)+- [Azure AD Pass-through Authentication - quickstart](../hybrid/connect/how-to-connect-pta-quick-start.md#step-4-ensure-high-availability) ## Management at scale Microsoft sends email communications to administrators to notify various changes There are two "From" addresses used by Azure AD: <o365mc@email2.microsoft.com>, which sends Message Center notifications; and <azure-noreply@microsoft.com>, which sends notifications related to: - [Azure AD Access Reviews](../governance/access-reviews-overview.md)-- [Azure AD Connect Health](../hybrid/how-to-connect-health-operations.md#enable-email-notifications)+- [Azure AD Connect Health](../hybrid/connect/how-to-connect-health-operations.md#enable-email-notifications) - [Azure AD Identity Protection](../identity-protection/howto-identity-protection-configure-notifications.md) - [Azure AD Privileged Identity Management](../privileged-identity-management/pim-email-notifications.md)-- [Enterprise App Expiring Certificate Notifications](../manage-apps/manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration)+- [Enterprise App Expiring Certificate Notifications](../manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration) - Enterprise App Provisioning Service Notifications Refer to the following table to learn the type of notifications that are sent and where to check for them: |
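Review bot: the image alt text in the unchanged context directly under the Connect Health hunk reads `Azure AD Connect Heath architecture`; since that paragraph is being touched, fix the typo to `Health`.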
active-directory | Parallel Identity Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/parallel-identity-options.md | Litware may have many existing Active Directory-based apps that they rely on, an ### Option 3 - Forest trust with the acquired forest -Using an [Active Directory forest trust](/windows-server/identity/ad-ds/plan/forest-design-models), Contoso and Litware can connect their Active Directory domains. This trust enables Litware users to authenticate Contoso's Active Directory-integrated apps. Also [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) can also read from Litware's Active Directory forest so that Litware users authenticate with Contoso's Azure AD integrated apps. This deployment topology requires a network route set up between the two domains, and TCP/IP network connectivity between any Litware user and Contoso Active Directory-integrated app. It's also straightforward to set up bidirectional trusts, so that Contoso users can access Litware AD-integrated apps (if any). +Using an [Active Directory forest trust](/windows-server/identity/ad-ds/plan/forest-design-models), Contoso and Litware can connect their Active Directory domains. This trust enables Litware users to authenticate Contoso's Active Directory-integrated apps. Also [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) can also read from Litware's Active Directory forest so that Litware users authenticate with Contoso's Azure AD integrated apps. This deployment topology requires a network route set up between the two domains, and TCP/IP network connectivity between any Litware user and Contoso Active Directory-integrated app. It's also straightforward to set up bidirectional trusts, so that Contoso users can access Litware AD-integrated apps (if any). 
![forest trust with single tenant](media/parallel-identity-options/identity-combined-3.png) A customer can also configure Azure AD Connect to read from another forest. This ### Option 5 - Deploy Azure AD Connect cloud sync in the acquired forest -[Azure AD Connect cloud provisioning](../cloud-sync/what-is-cloud-sync.md) removes the network connectivity requirement, but you can only have one Active Directory to Azure AD linking for a given user with cloud sync. Litware users can authenticate Contoso's Azure AD integrated apps, but not Contoso's Active Directory-integrated apps. This topology doesn't require any TCP/IP connectivity between Litware and Contoso's on-premises environments. +[Azure AD Connect cloud provisioning](../hybrid/cloud-sync/what-is-cloud-sync.md) removes the network connectivity requirement, but you can only have one Active Directory to Azure AD linking for a given user with cloud sync. Litware users can authenticate Contoso's Azure AD integrated apps, but not Contoso's Active Directory-integrated apps. This topology doesn't require any TCP/IP connectivity between Litware and Contoso's on-premises environments. ![Deploy Azure AD Connect cloud sync in the acquired forest](media/parallel-identity-options/identity-combined-5.png) In this approach, Contoso would configure a [direct federation](../external-iden ## Next steps -- [What is Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md)+- [What is Azure AD Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md) - [Setup Inbound provisioning for Azure AD](../app-provisioning/plan-cloud-hr-provision.md) - [Setup B2B direct federation](../external-identities/direct-federation.md) - [Multi-tenant user management options](multi-tenant-user-management-introduction.md) |
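Review bot: the rewritten sentence in the Option 3 hunk keeps the redundant pair `Also [Azure AD Connect](...) can also read`; since the line is changed anyway, drop one of the two `also`.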
active-directory | Protect M365 From On Premises Attacks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/protect-m365-from-on-premises-attacks.md | Credentials are a primary attack vector. Implement the following practices to ma - **Deploy multifactor authentication**. For more information, see [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md). - Provision multiple strong credentials by using Azure AD multifactor authentication. That way, access to cloud resources requires an Azure AD managed credential in addition to an on-premises password. For more information, see [Build resilience with credential management](../fundamentals/resilience-in-credentials.md) and [Create a resilient access control management strategy by using Azure AD](./resilience-overview.md). + Provision multiple strong credentials by using Azure AD multifactor authentication. That way, access to cloud resources requires an Azure AD managed credential in addition to an on-premises password. For more information, see [Build resilience with credential management](./resilience-in-credentials.md) and [Create a resilient access control management strategy by using Azure AD](./resilience-overview.md). ### Limitations and tradeoffs Hybrid account password management requires hybrid components such as password protection agents and password writeback agents. If your on-premises infrastructure is compromised, attackers can control the machines on which these agents reside. This vulnerability won't compromise your cloud infrastructure. But your cloud accounts won't protect these components from on-premises compromise. -On-premises accounts synced from Active Directory are marked to never expire in Azure AD. This setting is usually mitigated by on-premises Active Directory password settings. 
If your instance of Active Directory is compromised and synchronization is disabled, set the [EnforceCloudPasswordPolicyForPasswordSyncedUsers](../hybrid/how-to-connect-password-hash-synchronization.md) option to force password changes. +On-premises accounts synced from Active Directory are marked to never expire in Azure AD. This setting is usually mitigated by on-premises Active Directory password settings. If your instance of Active Directory is compromised and synchronization is disabled, set the [EnforceCloudPasswordPolicyForPasswordSyncedUsers](../hybrid/connect/how-to-connect-password-hash-synchronization.md) option to force password changes. ## Provision user access from the cloud We recommend the following provisioning methods: - Limit guest access to browsing groups and other properties in the directory. Use the external collaboration settings to restrict guests' ability to read groups they're not members of. - Block access to the Azure portal. You can make rare necessary exceptions. Create a Conditional Access policy that includes all guests and external users. Then implement a policy to block access. See [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md). -- **Disconnected forests.** Use Azure AD cloud provisioning to connect to disconnected forests. This approach eliminates the need to establish cross-forest connectivity or trusts, which can broaden the effect of an on-premises breach. For more information, see [What is Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md).+- **Disconnected forests.** Use Azure AD cloud provisioning to connect to disconnected forests. This approach eliminates the need to establish cross-forest connectivity or trusts, which can broaden the effect of an on-premises breach. For more information, see [What is Azure AD Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md). 
### Limitations and tradeoffs Use Azure AD Conditional Access to interpret signals and use them to make authen - Use Conditional Access to block legacy authentication protocols whenever possible. Additionally, disable legacy authentication protocols at the application level by using an application-specific configuration. See [Block legacy authentication](../conditional-access/howto-conditional-access-policy-block-legacy.md). - For more information, see [Legacy authentication protocols](../fundamentals/auth-sync-overview.md#legacy-authentication-protocols). Or see specific details for [Exchange Online](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online) and [SharePoint Online](/powershell/module/sharepoint-online/set-spotenant). + For more information, see [Legacy authentication protocols](./auth-sync-overview.md#legacy-authentication-protocols). Or see specific details for [Exchange Online](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online) and [SharePoint Online](/powershell/module/sharepoint-online/set-spotenant). - Implement the recommended identity and device access configurations. See [Common Zero Trust identity and device access policies](/microsoft-365/security/office-365-security/identity-access-policies). Define a log storage and retention strategy, design, and implementation to facil - Network policy servers (NPSs) that have the Azure AD multifactor authentication RADIUS extension - Azure AD Connect - You must deploy Azure AD Connect Health to monitor identity synchronization. See [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). + You must deploy Azure AD Connect Health to monitor identity synchronization. See [What is Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md). ## Next steps |
active-directory | Recover From Misconfigurations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/recover-from-misconfigurations.md | The implementation of some tenant-wide configurations can be scoped, provided th Conditional Access policies are access control configurations that bring together signals to make decisions and enforce organizational policies. -![Screenshot that shows user, location, device, application, and risk signals coming together in Conditional Access policies.](media\recoverability\miscofigurations-conditional-accss-signals.png) +![Screenshot that shows user, location, device, application, and risk signals coming together in Conditional Access policies.](./media/recoverability/miscofigurations-conditional-accss-signals.png) To learn more about Conditional Access policies, see [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md). It's critical that alterations to the intended configuration of an Azure AD tena * Documenting the change, including prior state and intended post-change state. * Using Privileged Identity Management (PIM) to ensure that administrators with intent to change must deliberately escalate their privileges to do so. To learn more about PIM, see [What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md).-* Using a strong approval workflow for changes, for example, requiring [approval of PIM escalation of privileges](../privileged-identity-management/azure-ad-pim-approval-workflow.md). +* Using a strong approval workflow for changes, for example, requiring [approval of PIM escalation of privileges](../privileged-identity-management/pim-approval-workflow.md). ## Monitor for configuration changes |
active-directory | Resilience B2c Developer Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-b2c-developer-best-practices.md | Upon subsequent authentication requests, Azure AD B2C reads and validates the co ### How to configure SSO -[Configure SSO](../hybrid/how-to-connect-sso-quick-start.md) to be tenant-wide (default) to allow multiple applications and user flows in your tenant to share the same user session. Tenant-wide configuration provides most resiliency to fresh authentication. +[Configure SSO](../hybrid/connect/how-to-connect-sso-quick-start.md) to be tenant-wide (default) to allow multiple applications and user flows in your tenant to share the same user session. Tenant-wide configuration provides most resiliency to fresh authentication. ## Safe deployment practices |
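Review bot: the `Configure SSO` link in this B2C developer best-practices hunk now points under `../hybrid/connect/` (the Azure AD Connect seamless SSO quick start), while the surrounding text is about B2C user flows sharing a tenant-wide session; confirm that this is the intended target rather than a B2C session-management page before merging the path change.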
active-directory | Resilience Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-client-app.md | Augment standard token claims with optional claims, such as groups. The **Applic Learn more: -* [Provide optional claims to your app](../develop/active-directory-optional-claims.md) -* [Configuring groups optional claims](../develop/active-directory-optional-claims.md#configuring-groups-optional-claims) +* [Provide optional claims to your app](../develop/optional-claims.md) +* [Configuring groups optional claims](../develop/optional-claims.md#configure-groups-optional-claims) We recommend you use and include app roles, which customers manage by using the portal or APIs. Assign roles to users and groups to control access. When a token is issued, the assigned roles are in the token roles claim. Information derived from a token prevents more APIs calls. -See, [Add app roles to your application and receive them in the token](../develop/howto-add-app-roles-in-azure-ad-apps.md) +See, [Add app roles to your application and receive them in the token](../develop/howto-add-app-roles-in-apps.md) Add claims based on tenant information. For example, an extension has an enterprise-specific User ID. |
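Review bot: the unchanged context around the app-roles link has two small grammar issues worth fixing while the link is updated, the stray comma in `See, [Add app roles ...]` and `prevents more APIs calls`, which should read `API calls`.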
active-directory | Resilience In Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-in-credentials.md | In addition to individual user resiliency described above, enterprises should pl * Deploy [Passwordless credentials](../authentication/howto-authentication-passwordless-deployment.md) such as Windows Hello for Business, Phone Authentication, and FIDO2 security keys to reduce dependencies. * Deploy the [Microsoft Authenticator App](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) as a second factor.-* Turn on [password hash synchronization](../hybrid/whatis-phs.md) for hybrid accounts that are synchronized from Windows Server Active Directory. This option can be enabled alongside federation services such as Active Directory Federation Services (AD FS) and provides a fallback in case the federation service fails. +* Turn on [password hash synchronization](../hybrid/connect/whatis-phs.md) for hybrid accounts that are synchronized from Windows Server Active Directory. This option can be enabled alongside federation services such as Active Directory Federation Services (AD FS) and provides a fallback in case the federation service fails. * [Analyze usage of Multi-factor authentication methods](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/) to improve user experience. * [Implement a resilient access control strategy](../authentication/concept-resilient-controls.md) |
active-directory | Resilience In Hybrid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-in-hybrid.md | Hybrid authentication allows users to access cloud-based resources with their id Microsoft offers three mechanisms for hybrid authentication. The options are listed in order of resilience. We recommend that you implement password hash synchronization, if possible. -* [Password hash synchronization](../hybrid/whatis-phs.md) (PHS) uses Azure AD Connect to sync the identity and a hash-of-the-hash of the password to Azure AD. It enables users to sign in to cloud-based resources with their password mastered on premises. PHS has on premises dependencies only for synchronization, not for authentication. -* [Pass-through Authentication](../hybrid/how-to-connect-pta.md) (PTA) redirects users to Azure AD for sign-in. Then, the username and password are validated against Active Directory on premises through an agent that is deployed in the corporate network. PTA has an on premises footprint of its Azure AD PTA agents that reside on servers on premises. -* [Federation](../hybrid/whatis-fed.md) customers deploy a federation service such as Active Directory Federation Services (ADFS). Then Azure AD validates the SAML assertion produced by the federation service. Federation has the highest dependency on on-premises infrastructure and, therefore, more failure points. +* [Password hash synchronization](../hybrid/connect/whatis-phs.md) (PHS) uses Azure AD Connect to sync the identity and a hash-of-the-hash of the password to Azure AD. It enables users to sign in to cloud-based resources with their password mastered on premises. PHS has on premises dependencies only for synchronization, not for authentication. +* [Pass-through Authentication](../hybrid/connect/how-to-connect-pta.md) (PTA) redirects users to Azure AD for sign-in. 
Then, the username and password are validated against Active Directory on premises through an agent that is deployed in the corporate network. PTA has an on premises footprint of its Azure AD PTA agents that reside on servers on premises. +* [Federation](../hybrid/connect/whatis-fed.md) customers deploy a federation service such as Active Directory Federation Services (ADFS). Then Azure AD validates the SAML assertion produced by the federation service. Federation has the highest dependency on on-premises infrastructure and, therefore, more failure points. -You may be using one or more of these methods in your organization. For more information, see [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/choose-ad-authn.md). This article contains a decision tree that can help you decide on your methodology. +You may be using one or more of these methods in your organization. For more information, see [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/connect/choose-ad-authn.md). This article contains a decision tree that can help you decide on your methodology. ## Password hash synchronization -The simplest and most resilient hybrid authentication option for Azure AD is [Password Hash Synchronization](../hybrid/whatis-phs.md). It doesn't have any on premises identity infrastructure dependency when processing authentication requests. After identities with password hashes are synchronized to Azure AD, users can authenticate to cloud resources with no dependency on the on premises identity components. +The simplest and most resilient hybrid authentication option for Azure AD is [Password Hash Synchronization](../hybrid/connect/whatis-phs.md). It doesn't have any on premises identity infrastructure dependency when processing authentication requests. 
After identities with password hashes are synchronized to Azure AD, users can authenticate to cloud resources with no dependency on the on premises identity components. ![Architecture diagram of PHS](./media/resilience-in-hybrid/admin-resilience-password-hash-sync.png) If you choose this authentication option, you won't experience disruption when o To implement PHS, see the following resources: -* [Implement password hash synchronization with Azure AD Connect](../hybrid/how-to-connect-password-hash-synchronization.md) -* [Enable password hash synchronization](../hybrid/how-to-connect-password-hash-synchronization.md) +* [Implement password hash synchronization with Azure AD Connect](../hybrid/connect/how-to-connect-password-hash-synchronization.md) +* [Enable password hash synchronization](../hybrid/connect/how-to-connect-password-hash-synchronization.md) If your requirements are such that you can't use PHS, use Pass-through Authentication. Pass-through Authentication has a dependency on authentication agents that resid To implement Pass-through Authentication, see the following resources. -* [How Pass-through Authentication works](../hybrid/how-to-connect-pta-how-it-works.md) -* [Pass-through Authentication security deep dive](../hybrid/how-to-connect-pta-security-deep-dive.md) -* [Install Azure AD Pass-through Authentication](../hybrid/how-to-connect-pta-quick-start.md) +* [How Pass-through Authentication works](../hybrid/connect/how-to-connect-pta-how-it-works.md) +* [Pass-through Authentication security deep dive](../hybrid/connect/how-to-connect-pta-security-deep-dive.md) +* [Install Azure AD Pass-through Authentication](../hybrid/connect/how-to-connect-pta-quick-start.md) -* If you're using PTA, define a [highly available topology](../hybrid/how-to-connect-pta-quick-start.md). +* If you're using PTA, define a [highly available topology](../hybrid/connect/how-to-connect-pta-quick-start.md). 
## Federation The following diagram shows a topology of an enterprise AD FS deployment that in If you're implementing a federated authentication strategy or want to make it more resilient, see the following resources. -* [What is federated authentication](../hybrid/whatis-fed.md) -* [How federation works](../hybrid/how-to-connect-fed-whatis.md) -* [Azure AD federation compatibility list](../hybrid/how-to-connect-fed-compatibility.md) +* [What is federated authentication](../hybrid/connect/whatis-fed.md) +* [How federation works](../hybrid/connect/how-to-connect-fed-whatis.md) +* [Azure AD federation compatibility list](../hybrid/connect/how-to-connect-fed-compatibility.md) * Follow the [AD FS capacity planning documentation](/windows-server/identity/ad-fs/design/planning-for-ad-fs-server-capacity) * [Deploying AD FS in Azure IaaS](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs)-* [Enable PHS](../hybrid/tutorial-phs-backup.md) along with your federation +* [Enable PHS](../hybrid/connect/tutorial-phs-backup.md) along with your federation ## Next steps If you're implementing a federated authentication strategy or want to make it mo * [Build resilience with device states](resilience-with-device-states.md) * [Build resilience by using Continuous Access Evaluation (CAE)](resilience-with-continuous-access-evaluation.md) * [Build resilience in external user authentication](resilience-b2b-authentication.md)-* [Build resilience in application access with Application Proxy](resilience-on premises-access.md) +* [Build resilience in application access with Application Proxy](./resilience-on-premises-access.md) ### Resilience resources for developers |
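Review bot: in the PHS resources hunk the two list items `Implement password hash synchronization with Azure AD Connect` and `Enable password hash synchronization` both link to the same `how-to-connect-password-hash-synchronization.md`; either point one of them at a distinct section anchor or collapse them into a single item. The `resilience-on premises-access.md` to `./resilience-on-premises-access.md` change at the end of the hunk is correct, since the old path contained a space.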
active-directory | Resilience With Monitoring Alerting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-with-monitoring-alerting.md | For example, track the following metrics, since a sudden drop in either will lea - **Previous period**: Create temporal charts to show changes in the Total requests and Success rate (%) over some previous period for reference purposes, for example, last week. -- **Alerting**: Using log analytics define [alerts](../../azure-monitor/alerts/alerts-log.md) that get triggered when there are sudden changes in the key indicators. These changes may negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:+- **Alerting**: Using log analytics define [alerts](../../azure-monitor/alerts/alerts-create-new-alert-rule.md) that get triggered when there are sudden changes in the key indicators. These changes may negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example: - Alert against abrupt drop in Total requests: Trigger an alert when number of total requests drop abruptly. For example, when there's a 25% drop in the total number of requests compared to previous period, raise an alert. - Alert against significant drop in Success rate (%): Trigger an alert when success rate of the selected policy significantly drops.- - Upon receiving an alert, troubleshoot the issue using [Log Analytics](../reports-monitoring/howto-install-use-log-analytics-views.md), [Application Insights](../../active-directory-b2c/troubleshoot-with-application-insights.md), and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) for Azure AD B2C. 
After you resolve the issue and deploy an updated application or policy, it continues to monitor the key indicators until they return back to normal range. + - Upon receiving an alert, troubleshoot the issue using [Log Analytics](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md), [Application Insights](../../active-directory-b2c/troubleshoot-with-application-insights.md), and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) for Azure AD B2C. After you resolve the issue and deploy an updated application or policy, it continues to monitor the key indicators until they return back to normal range. - **Service alerts**: Use the [Azure AD B2C service level alerts](../../service-health/service-health-overview.md) to get notified of service issues, planned maintenance, health advisory, and security advisory. |
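Review bot: in the troubleshooting hunk, the `+` line keeps the link text "Log Analytics" but retargets it to `../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md`, a workbooks view-designer conversion page; a reader who has just received an alert and follows "troubleshoot the issue using Log Analytics" will land on an unrelated migration article. Either change the link text to match the new target or point it at a Log Analytics article.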
active-directory | Road To The Cloud Establish | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-establish.md | Before you migrate identity and access management (IAM) from Active Directory to If you're using Microsoft Office 365, Exchange Online, or Teams, then you're already using Azure AD. Your next step is to establish more Azure AD capabilities: -* Establish hybrid identity synchronization between Active Directory and Azure AD by using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md). +* Establish hybrid identity synchronization between Active Directory and Azure AD by using [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md). -* [Select authentication methods](../hybrid/choose-ad-authn.md). We strongly recommend password hash synchronization. +* [Select authentication methods](../hybrid/connect/choose-ad-authn.md). We strongly recommend password hash synchronization. * Secure your hybrid identity infrastructure by following [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md). |
active-directory | Road To The Cloud Implement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-implement.md | You can enrich user attributes in Azure AD to make more user attributes availabl These two links provide guidance on making schema changes: -* [Understand the Azure AD schema and custom expressions](../cloud-sync/concept-attributes.md) +* [Understand the Azure AD schema and custom expressions](../hybrid/cloud-sync/concept-attributes.md) -* [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md) +* [Attributes synchronized by Azure AD Connect](../hybrid/connect/reference-connect-sync-attributes-synchronized.md) These links provide more information on this topic but aren't specific to changing the schema: -* [Use Azure AD schema extension attributes in claims - Microsoft identity platform](../develop/active-directory-schema-extensions.md) +* [Use Azure AD schema extension attributes in claims - Microsoft identity platform](../develop/schema-extensions.md) * [What are custom security attributes in Azure AD (preview)?](../fundamentals/custom-security-attributes-overview.md) * [Customize Azure Active Directory attribute mappings in application provisioning](../app-provisioning/customize-application-attributes.md) -* [Provide optional claims to Azure AD apps - Microsoft identity platform](../develop/active-directory-optional-claims.md) +* [Provide optional claims to Azure AD apps - Microsoft identity platform](../develop/optional-claims.md) These links provide more information about groups: |
active-directory | Road To The Cloud Migrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-migrate.md | This project has two primary initiatives: For more information, see: -* [Deploy Azure AD-joined VMs in Azure Virtual Desktop](../../virtual-desktop/deploy-azure-ad-joined-vm.md) +* [Deploy Azure AD-joined VMs in Azure Virtual Desktop](../../virtual-desktop/azure-ad-joined-session-hosts.md) * [Windows 365 planning guide](/windows-365/enterprise/planning-guide) When you plan your migration to Azure AD, consider migrating the apps that use m After you move SaaS applications that were federated to Azure AD, there are a few steps to decommission the on-premises federation system: -* [Move application authentication to Azure Active Directory](../manage-apps/migrate-adfs-apps-to-azure.md) +* [Move application authentication to Azure Active Directory](../manage-apps/migrate-adfs-apps-stages.md) * [Migrate from Azure AD Multi-Factor Authentication Server to Azure AD Multi-Factor Authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md) -* [Migrate from federation to cloud authentication](../hybrid/migrate-from-federation-to-cloud-authentication.md) +* [Migrate from federation to cloud authentication](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md) * [Move remote access to internal applications](#move-remote-access-to-internal-applications), if you're using Azure AD Application Proxy |
active-directory | Road To The Cloud Posture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-posture.md | As organizations start a migration of IAM to Azure AD, they must determine the p :::image type="content" source="media/road-to-cloud-posture/road-to-the-cloud-migration.png" alt-text="Chart that shows three major milestones in migrating from Active Directory to Azure AD: establish Azure AD capabilities, implement a cloud-first approach, and move workloads to the cloud." border="false"::: -* **Establish an Azure AD footprint**: Initialize your new Azure AD tenant to support the vision for your end-state deployment. Adopt a [Zero Trust](https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/) approach and a security model that [helps protect your tenant from on-premises compromise](../fundamentals/protect-m365-from-on-premises-attacks.md) early in your journey. +* **Establish an Azure AD footprint**: Initialize your new Azure AD tenant to support the vision for your end-state deployment. Adopt a [Zero Trust](https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/) approach and a security model that [helps protect your tenant from on-premises compromise](./protect-m365-from-on-premises-attacks.md) early in your journey. * **Implement a cloud-first approach**: Establish a policy that all new devices, apps, and services should be cloud-first. New applications and services that use legacy protocols (for example, NTLM, Kerberos, or LDAP) should be by exception only. |
active-directory | Secure Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-best-practices.md | -For general guidance on how to configure Azure Active Directory (Azure AD) tenants (isolated or not), refer to the [Azure AD feature deployment guide](../fundamentals/active-directory-deployment-checklist-p2.md). +For general guidance on how to configure Azure Active Directory (Azure AD) tenants (isolated or not), refer to the [Azure AD feature deployment guide](../fundamentals/concept-secure-remote-workers.md). >[!NOTE] >For all isolated tenants we suggest you use clear and differentiated branding to help avoid human error of working in the wrong tenant. When designing isolated environments, it's important to consider the following p * **Directory-level role assignments** - Avoid or reduce numbers of directory-level role assignments (User Administrator on directory scope instead of AU-scoping) or service-specific directory roles with control plane actions (Knowledge Admin with permissions to manage security group memberships). -In addition to the guidance in the [Azure Active Directory general operations guide](../fundamentals/ops-guide-ops.md), we also recommend the following considerations for isolated environments. +In addition to the guidance in the [Azure Active Directory general operations guide](./ops-guide-ops.md), we also recommend the following considerations for isolated environments. ## Human identity provisioning In addition to the guidance in the [Azure Active Directory general operations gu Provision accounts in the isolated environment for administrative personnel and IT teams who operate the environment. This enables you to add stronger security policies such as device-based access control for [secure workstations](/security/compass/privileged-access-deployment). 
As discussed in previous sections, nonproduction environments can potentially utilize Azure AD B2B collaboration to onboard privileged accounts to the non-production tenants using the same posture and security controls designed for privileged access in their production environment. -Cloud-only accounts are the simplest way to provision human identities in an Azure AD tenant and it's a good fit for green field environments. However, if there's an existing on-premises infrastructure that corresponds to the isolated environment (for example, pre-production or management Active Directory forest), you could consider synchronizing identities from there. This holds especially true if the on-premises infrastructure described herein is used for IaaS solutions that require server access to manage the solution data plane. For more information on this scenario, see [Protecting Microsoft 365 from on-premises attacks](../fundamentals/protect-m365-from-on-premises-attacks.md). Synchronizing from isolated on-premises environments might also be needed if there are specific regulatory compliance requirements such as smart-card only authentication. +Cloud-only accounts are the simplest way to provision human identities in an Azure AD tenant and it's a good fit for green field environments. However, if there's an existing on-premises infrastructure that corresponds to the isolated environment (for example, pre-production or management Active Directory forest), you could consider synchronizing identities from there. This holds especially true if the on-premises infrastructure described herein is used for IaaS solutions that require server access to manage the solution data plane. For more information on this scenario, see [Protecting Microsoft 365 from on-premises attacks](./protect-m365-from-on-premises-attacks.md). Synchronizing from isolated on-premises environments might also be needed if there are specific regulatory compliance requirements such as smart-card only authentication. 
>[!NOTE] >There are no technical controls to do identity proofing for Azure AD B2B accounts. External identities provisioned with Azure AD B2B are bootstrapped with a single factor. The mitigation is for the organization to have a process to proof the required identities prior to a B2B invitation being issued, and regular access reviews of external identities to manage the lifecycle. Consider enabling a Conditional Access policy to control the MFA registration. We recommend you use security groups to grant access to Microsoft services that Azure AD cloud native groups can be natively governed from the cloud when combined with [Azure AD access reviews](../governance/access-reviews-overview.md) and [Azure AD entitlement management](../governance/access-reviews-overview.md). Organizations who already have on-premises group governance tools can continue to use those tools and rely on identity synchronization with Azure AD Connect to reflect group membership changes. -Azure AD also supports direct user assignment to third-party SaaS services (for example, Salesforce, Service Now) for single sign-on and identity provisioning. Direct assignments to resources can be natively governed from the cloud when combined with [Azure AD access reviews](../governance/access-reviews-overview.md) and [Azure AD entitlement management](../fundamentals/ops-guide-ops.md). Direct assignment might be a good fit for end-user facing assignment. +Azure AD also supports direct user assignment to third-party SaaS services (for example, Salesforce, Service Now) for single sign-on and identity provisioning. Direct assignments to resources can be natively governed from the cloud when combined with [Azure AD access reviews](../governance/access-reviews-overview.md) and [Azure AD entitlement management](./ops-guide-ops.md). Direct assignment might be a good fit for end-user facing assignment. 
Some scenarios might require granting access to on-premises resources through on-premises Active Directory security groups. For those cases, consider the synchronization cycle to Azure AD when designing processes SLA. Check this example to [create service principals with self-signed certificate](. ### Access policies -In the following sections are recommendations for Azure solutions. For general guidance on Conditional Access policies for individual environments, check the [Conditional Access Best practices](../conditional-access/overview.md), [Azure AD Operations Guide](../fundamentals/ops-guide-auth.md), and [Conditional Access for Zero Trust](/azure/architecture/guide/security/conditional-access-zero-trust): +In the following sections are recommendations for Azure solutions. For general guidance on Conditional Access policies for individual environments, check the [Conditional Access Best practices](../conditional-access/overview.md), [Azure AD Operations Guide](./ops-guide-auth.md), and [Conditional Access for Zero Trust](/azure/architecture/guide/security/conditional-access-zero-trust): * Define [Conditional Access policies](../conditional-access/workload-identity.md) for the [Microsoft Azure Management](../authentication/howto-password-smart-lockout.md) cloud app to enforce identity security posture when accessing Azure Resource Manager. This should include controls on MFA and device-based controls to enable access only through secure workstations (more on this in the Privileged Roles section under Identity Governance). Additionally, use [Conditional Access to filter for devices](../conditional-access/concept-condition-filters-for-devices.md). In the following sections are recommendations for Azure solutions. 
For general g * Use [External identities cross-tenant access settings](../external-identities/cross-tenant-access-overview.md) to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](../external-identities/cross-tenant-access-settings-b2b-direct-connect.md). -* For specific device configuration and control, you can use device filters in Conditional Access policies to [target or exclude specific devices](../conditional-access/concept-condition-filters-for-devices.md). This enables you to restrict access to Azure management tools from a designated secure admin workstation (SAW). Other approaches you can take include using [Azure Virtual desktop](../../virtual-desktop/environment-setup.md), [Azure Bastion](../../bastion/bastion-overview.md), or [Cloud PC](/graph/cloudpc-concept-overview). +* For specific device configuration and control, you can use device filters in Conditional Access policies to [target or exclude specific devices](../conditional-access/concept-condition-filters-for-devices.md). This enables you to restrict access to Azure management tools from a designated secure admin workstation (SAW). Other approaches you can take include using [Azure Virtual desktop](../../virtual-desktop/terminology.md), [Azure Bastion](../../bastion/bastion-overview.md), or [Cloud PC](/graph/cloudpc-concept-overview). * Billing management applications such as Azure EA portal or MCA billing accounts aren't represented as cloud applications for Conditional Access targeting. As a compensating control, define separate administration accounts and target Conditional Access policies to those accounts using an "All Apps" condition. Below are some identity governance principles to consider across all the tenant * **Privileged access from secure workstations** - All privileged access should occur from secure, locked down devices. 
Separating these sensitive tasks and accounts from daily use workstations and devices protect privileged accounts from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, [Pass-the-Hash](https://aka.ms/AzureADSecuredAzure/27a), and Pass-The-Ticket. -Some approaches you can use for [using secure devices as part of your privileged access story](/security/compass/privileged-access-devices) include using Conditional Access policies to [target or exclude specific devices](../conditional-access/concept-condition-filters-for-devices.md), using [Azure Virtual desktop](../../virtual-desktop/environment-setup.md), [Azure Bastion](../../bastion/bastion-overview.md), or [Cloud PC](/graph/cloudpc-concept-overview), or creating Azure-managed workstations or privileged access workstations. +Some approaches you can use for [using secure devices as part of your privileged access story](/security/compass/privileged-access-devices) include using Conditional Access policies to [target or exclude specific devices](../conditional-access/concept-condition-filters-for-devices.md), using [Azure Virtual desktop](../../virtual-desktop/terminology.md), [Azure Bastion](../../bastion/bastion-overview.md), or [Cloud PC](/graph/cloudpc-concept-overview), or creating Azure-managed workstations or privileged access workstations. * **Privileged role process guardrails** - Organizations must define processes and technical guardrails to ensure that privileged operations can be executed whenever needed while complying with regulatory requirements. Examples of guardrails criteria include: All hybrid identity infrastructure OS logs should be archived and carefully moni * NPS that has the Azure AD Multi-Factor Authentication RADIUS extension -[Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md) must be deployed to monitor identity synchronization and federation (when applicable) for all environments. 
+[Azure AD Connect Health](../hybrid/connect/whatis-azure-ad-connect.md) must be deployed to monitor identity synchronization and federation (when applicable) for all environments. **Log storage retention** - All environments should have a cohesive log storage retention strategy, design, and implementation to facilitate a consistent toolset (for example, SIEM systems such as Azure Sentinel), common queries, investigation, and forensics playbooks. Azure Policy can be used to set up diagnostic settings. The following scenarios must be explicitly monitored and investigated: * **User entity behavioral analytics (UEBA) alerts** - UEBA should be used to get insightful information based on anomaly detection. [Microsoft Microsoft 365 Defender for Cloud Apps](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-cloud-apps) provides [UEBA in the cloud](/defender-cloud-apps/tutorial-ueba). Customers can integrate [on-premises UEBA from Microsoft Microsoft 365 Defender for Identity](/defender-cloud-apps/mdi-integration). MCAS reads signals from Azure AD Identity Protection. -* **Emergency access accounts activity** - Any access using [emergency access accounts](../fundamentals/security-operations-privileged-accounts.md) should be monitored and [alerts](../users-groups-roles/directory-emergency-access.md) created for investigations. This monitoring must include: +* **Emergency access accounts activity** - Any access using [emergency access accounts](./security-operations-privileged-accounts.md) should be monitored and [alerts](../roles/security-emergency-access.md) created for investigations. 
This monitoring must include: * Sign-ins Similarly, Azure Monitor can be integrated with ITSM systems through the [IT Ser * [Introduction to delegated administration and isolated environments](secure-introduction.md) -* [Azure AD fundamentals](../fundamentals/secure-fundamentals.md) +* [Azure AD fundamentals](./secure-fundamentals.md) * [Azure resource management fundamentals](secure-resource-management.md) |
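Review bot: in the direct-assignment hunk, the `+` line sends "[Azure AD entitlement management](./ops-guide-ops.md)" to the operations guide, and the unchanged sentence just above it links the same term to `../governance/access-reviews-overview.md`, which is the access reviews page; neither target is entitlement management. Point both occurrences at the entitlement management overview article so the governance recommendation (access reviews plus entitlement management for cloud-native groups and direct assignments) is actionable.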
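Review bot: the Access policies hunk leaves the adjacent unchanged bullet with "[Conditional Access policies](../conditional-access/workload-identity.md)" and "[Microsoft Azure Management](../authentication/howto-password-smart-lockout.md)"; the first target is the workload identity article and the second is the smart lockout page, and neither describes the Microsoft Azure Management cloud app or user-facing Conditional Access. Since this change already edits the surrounding paragraph, fix those two targets in the same commit.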
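Review bot: in the emergency access accounts hunk, the unchanged UEBA bullet immediately above reads "Microsoft Microsoft 365 Defender for Cloud Apps" and "Microsoft Microsoft 365 Defender for Identity" (duplicated word) and then refers to the same product as "MCAS"; use one product name consistently while this paragraph is being touched, so the monitoring guidance is unambiguous about which tool reads the Identity Protection signals.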
active-directory | Secure Fundamentals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-fundamentals.md | Some legacy scenarios required a human identity to be used in *non-human* scenar ## Azure AD functional areas -These are the functional areas provided by Azure AD that are relevant to isolated environments. To learn more about the capabilities of Azure AD, see [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md). +These are the functional areas provided by Azure AD that are relevant to isolated environments. To learn more about the capabilities of Azure AD, see [What is Azure Active Directory?](../fundamentals/whatis.md). ### Authentication Azure AD provides industry-leading strong authentication options that organizati ### Administration -**Identity management**. Azure AD provides tools to manage the lifecycle of user, group, and device identities. [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) enables organizations to extend current, on-premises identity management solution to the cloud. Azure AD Connect manages the provisioning, de-provisioning, and updates to these identities in Azure AD. +**Identity management**. Azure AD provides tools to manage the lifecycle of user, group, and device identities. [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) enables organizations to extend current, on-premises identity management solution to the cloud. Azure AD Connect manages the provisioning, de-provisioning, and updates to these identities in Azure AD. Azure AD also provides a portal and the Microsoft Graph API to allow organizations to manage identities or integrate Azure AD identity management into existing workflows or automation. To learn more about Microsoft Graph, see [Use the Microsoft Graph API](/graph/use-the-api). 
Azure AD also provides information on the actions that are being performed withi * [Resource isolation with multiple tenants](secure-multiple-tenants.md) -* [Best practices](secure-best-practices.md) +* [Best practices](secure-best-practices.md) |
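Review bot: the final hunk's `-` and `+` lines for "* [Best practices](secure-best-practices.md)" are identical as displayed, so this is a whitespace-only change (trailing whitespace or line ending); keep it if intended, but say so in the commit message so it is not mistaken for a link fix.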
active-directory | Secure Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-introduction.md | To distinguish between human and non-human identities, different terms are emerg * **Workload identity** - In Azure Active Directory (Azure AD), workload identities are applications, service principals, and managed identities. The workload identity is used to authenticate and access other services and resources. -For more information on workload identities, see [What are workload identities](../develop/workload-identities-overview.md). +For more information on workload identities, see [What are workload identities](../workload-identities/workload-identities-overview.md). The Azure AD tenant is an identity security boundary that is under the control of global administrators. Within this security boundary, administration of subscriptions, management groups, and resource groups can be delegated to segment administrative control of Azure resources. While not directly interacting, these groupings are dependent on tenant-wide configurations of policies and settings. And those settings and configurations are under the control of the Azure AD Global Administrators. Administrators manage how identity objects can access resources, and under what * Applications -In a hybrid environment, identities are typically synchronized from the on-premises Active Directory environment using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). +In a hybrid environment, identities are typically synchronized from the on-premises Active Directory environment using [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md). 
### Administration of identity services Incorporating zero-trust principles into your Azure AD design strategy can help ## Next steps -* [Azure AD fundamentals](../fundamentals/secure-fundamentals.md) +* [Azure AD fundamentals](./secure-fundamentals.md) * [Azure resource management fundamentals](secure-resource-management.md) |
active-directory | Secure Multiple Tenants | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-multiple-tenants.md | A separate tenant is useful for an organization's IT department to validate tena Deploying a non-production environment in a separate tenant might be necessary during development of custom applications that can change data of production user objects with MS Graph or similar APIs (for example, applications that are granted Directory.ReadWrite.All, or similar wide scope). >[!Note]->Azure AD Connect synchronization to multiple tenants, which might be useful when deploying a non-production environment in a separate tenant. For more information, see [Azure AD Connect: Supported topologies](../hybrid/plan-connect-topologies.md). +>Azure AD Connect synchronization to multiple tenants, which might be useful when deploying a non-production environment in a separate tenant. For more information, see [Azure AD Connect: Supported topologies](../hybrid/connect/plan-connect-topologies.md). ## Outcomes Devices: This tenant contains a reduced number of devices; only those that are n * [Introduction to delegated administration and isolated environments](secure-introduction.md) -* [Azure AD fundamentals](../fundamentals/secure-fundamentals.md) +* [Azure AD fundamentals](./secure-fundamentals.md) * [Azure resource management fundamentals](secure-resource-management.md) |
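Review bot: the `+` line of the note keeps a sentence fragment, "Azure AD Connect synchronization to multiple tenants, which might be useful ...", which has no main verb, so the note does not actually state whether that topology is supported. Since the line is being rewritten anyway, state the point plainly (what the linked supported-topologies article says about synchronizing to multiple tenants) rather than only swapping the path.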
active-directory | Secure Resource Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-resource-management.md | The following diagram summarizes the resource model we just described. **Azure Lighthouse** - [Azure Lighthouse](../../lighthouse/overview.md) enables resource management across tenants. Organizations can delegate roles at the subscription or resource group level to identities in another tenant. -Subscriptions that enable [delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md) with Azure Lighthouse have attributes that indicate the tenant IDs that can manage subscriptions or resource groups, and mapping between the built-in RBAC role in the resource tenant to identities in the service provider tenant. At runtime, Azure Resource Manager will consume these attributes to authorize tokens coming from the service provider tenant. +Subscriptions that enable [delegated resource management](../../lighthouse/concepts/architecture.md) with Azure Lighthouse have attributes that indicate the tenant IDs that can manage subscriptions or resource groups, and mapping between the built-in RBAC role in the resource tenant to identities in the service provider tenant. At runtime, Azure Resource Manager will consume these attributes to authorize tokens coming from the service provider tenant. It's worth noting that Azure Lighthouse itself is modeled as an Azure resource provider, which means that aspects of the delegation across a tenant can be targeted through Azure Policies. An enterprise agreement can be configured to support multiple tenants by setting It's important to note that the default configuration described above grants the Azure EA Account Owner privileges to manage the resources in any subscriptions they created. 
For subscriptions holding production workloads, consider decoupling billing and resource management by changing the service administrator of the subscription right after creation. - To further decouple and prevent the account owner from regaining service administrator access to the subscription, the subscription's tenant can be [changed](../fundamentals/active-directory-how-subscriptions-associated-directory.md) after creation. If the account owner doesn't have a user object in the Azure AD tenant the subscription is moved to, they can't regain the service owner role. + To further decouple and prevent the account owner from regaining service administrator access to the subscription, the subscription's tenant can be [changed](../fundamentals/how-subscriptions-associated-directory.md) after creation. If the account owner doesn't have a user object in the Azure AD tenant the subscription is moved to, they can't regain the service owner role. To learn more, visit [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). Azure ABAC builds on Azure RBAC by adding role assignment conditions based on at ## Conditional Access -Azure AD [Conditional Access](../../role-based-access-control/conditional-access-azure-management.md) can be used to manage access to Azure management endpoints. Conditional Access policies can be applied to the Microsoft Azure Management cloud app to protect the Azure resource management endpoints such as: +Azure AD [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) can be used to manage access to Azure management endpoints. 
Conditional Access policies can be applied to the Microsoft Azure Management cloud app to protect the Azure resource management endpoints such as: * Azure Resource Manager Provider (services) For this isolated model, it's assumed that there's no connectivity to the VNet t * [Introduction to delegated administration and isolated environments](secure-introduction.md) -* [Azure AD fundamentals](../fundamentals/secure-fundamentals.md) +* [Azure AD fundamentals](./secure-fundamentals.md) * [Resource isolation in a single tenant](secure-single-tenant.md) |
active-directory | Secure Single Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-single-tenant.md | Configuration settings such authentication methods allowed, hybrid configuration * [Introduction to delegated administration and isolated environments](secure-introduction.md) -* [Azure AD fundamentals](../fundamentals/secure-fundamentals.md) +* [Azure AD fundamentals](./secure-fundamentals.md) * [Azure resource management fundamentals](secure-resource-management.md) * [Resource isolation with multiple tenants](secure-multiple-tenants.md) -* [Best practices](secure-best-practices.md) +* [Best practices](secure-best-practices.md) |
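Review bot: as in the Secure Fundamentals change, the last hunk's `-` and `+` lines for "* [Best practices](secure-best-practices.md)" are identical as shown; this is a whitespace-only edit and should be labelled as such in the commit message.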
active-directory | Security Operations Infrastructure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-infrastructure.md | The following are links to specific articles that focus on monitoring and alerti | What to monitor| Risk level| Where| Notes | | - | - | - | - |-| Extranet lockout trends| High| Azure AD Connect Health| See, [Monitor AD FS using Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md) for tools and techniques to help detect extranet lock-out trends. | -| Failed sign-ins|High | Connect Health Portal| Export or download the Risky IP report and follow the guidance at [Risky IP report (public preview)](../hybrid/how-to-connect-health-adfs-risky-ip.md) for next steps. | -| In privacy compliant| Low| Azure AD Connect Health| Configure Azure AD Connect Health to disable data collections and monitoring using the [User privacy and Azure AD Connect Health](../hybrid/reference-connect-health-user-privacy.md) article. | +| Extranet lockout trends| High| Azure AD Connect Health| See, [Monitor AD FS using Azure AD Connect Health](../hybrid/connect/how-to-connect-health-adfs.md) for tools and techniques to help detect extranet lock-out trends. | +| Failed sign-ins|High | Connect Health Portal| Export or download the Risky IP report and follow the guidance at [Risky IP report (public preview)](../hybrid/connect/how-to-connect-health-adfs-risky-ip.md) for next steps. | +| In privacy compliant| Low| Azure AD Connect Health| Configure Azure AD Connect Health to disable data collections and monitoring using the [User privacy and Azure AD Connect Health](../hybrid/connect/reference-connect-health-user-privacy.md) article. | | Potential brute force attack on LDAP| Medium| Microsoft Defender for Identity| Use sensor to help detect potential brute force attacks against LDAP. 
| | Account enumeration reconnaissance| Medium| Microsoft Defender for Identity| Use sensor to help perform account enumeration reconnaissance. | | General correlation between Azure AD and Azure AD FS|Medium | Microsoft Defender for Identity| Use capabilities to correlate activities between your Azure AD and Azure AD FS environments. | The following are specific things to look for: | Azure AD pass-through authentication errors|Medium | Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin| AADSTS80005 - Validation encountered unpredictable WebException| A transient error. Retry the request. If it continues to fail, contact Microsoft support. | | Azure AD pass-through authentication errors| Medium| Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin| AADSTS80007 - An error occurred communicating with Active Directory| Check the agent logs for more information and verify that Active Directory is operating as expected. | | Azure AD pass-through authentication errors|High | Win32 LogonUserA function API| Log on events 4624(s): An account was successfully logged on<br>- correlate with ΓÇô<br>4625(F): An account failed to log on| Use with the suspected usernames on the domain controller that is authenticating requests. Guidance at [LogonUserA function (winbase.h)](/windows/win32/api/winbase/nf-winbase-logonusera) |-| Azure AD pass-through authentication errors| Medium| PowerShell script of domain controller| See the query after the table. | Use the information at [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/tshoot-connect-pass-through-authentication.md)for guidance. | +| Azure AD pass-through authentication errors| Medium| PowerShell script of domain controller| See the query after the table. | Use the information at [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/connect/tshoot-connect-pass-through-authentication.md)for guidance. 
| ```Kusto Legacy authentication is captured in the Azure AD Sign-ins log as part of the de Azure AD Connect provides a centralized location that enables account and attribute synchronization between your on-premises and cloud-based Azure AD environment. Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features: -* [Password hash synchronization](../hybrid/whatis-phs.md) - A sign-in method that synchronizes a hash of a userΓÇÖs on-premises AD password with Azure AD. +* [Password hash synchronization](../hybrid/connect/whatis-phs.md) - A sign-in method that synchronizes a hash of a userΓÇÖs on-premises AD password with Azure AD. -* [Synchronization](../hybrid/how-to-connect-sync-whatis.md) - Responsible for creating users, groups, and other objects. And, making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes. +* [Synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) - Responsible for creating users, groups, and other objects. And, making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes. -* [Health Monitoring](../hybrid/whatis-azure-ad-connect.md) - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity. +* [Health Monitoring](../hybrid/connect/whatis-azure-ad-connect.md) - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity. Synchronizing identity between your on-premises environment and your cloud environment introduces a new attack surface for your on-premises and cloud-based environment. 
We recommend: For information on what and how to monitor configuration information refer to: * For Microsoft Sentinel, see [Connect to Windows servers to collect security events](/sql/relational-databases/security/auditing/sql-server-audit-records). -* For information on configuring and using Azure AD Connect, see [What is Azure AD Connect?](../hybrid/whatis-azure-ad-connect.md) +* For information on configuring and using Azure AD Connect, see [What is Azure AD Connect?](../hybrid/connect/whatis-azure-ad-connect.md) ### Monitoring and troubleshooting synchronization One function of Azure AD Connect is to synchronize hash synchronization between a userΓÇÖs on-premises password and Azure AD. If passwords aren't synchronizing as expected, the synchronization might affect a subset of users or all users. Use the following to help verify proper operation or troubleshoot issues: -* Information for checking and troubleshooting hash synchronization, see [Troubleshoot password hash synchronization with Azure AD Connect sync](../hybrid/tshoot-connect-password-hash-synchronization.md). +* Information for checking and troubleshooting hash synchronization, see [Troubleshoot password hash synchronization with Azure AD Connect sync](../hybrid/connect/tshoot-connect-password-hash-synchronization.md). * Modifications to the connector spaces, see [Troubleshoot Azure AD Connect objects and attributes](/troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes). 
For information on what and how to monitor configuration information refer to: | What to monitor | Resources | | - | - |-| Hash synchronization validation|See [Troubleshoot password hash synchronization with Azure AD Connect sync](../hybrid/tshoot-connect-password-hash-synchronization.md) | +| Hash synchronization validation|See [Troubleshoot password hash synchronization with Azure AD Connect sync](../hybrid/connect/tshoot-connect-password-hash-synchronization.md) | Modifications to the connector spaces|see [Troubleshoot Azure AD Connect objects and attributes](/troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes) | | Modifications to rules you configured| Monitor changes to: filtering, domain and OU, attribute, and group-based changes | | SQL and MSDE changes | Changes to logging parameters and addition of custom functions | Monitoring single sign-on and Kerberos activity can help you detect general cred | What to monitor| Risk level| Where| Filter/sub-filter| Notes | | - | - | - | - | - |-| Errors associated with SSO and Kerberos validation failures|Medium | Azure AD Sign-ins log| | Single sign-on list of error codes at [Single sign-on](../hybrid/tshoot-connect-sso.md). | +| Errors associated with SSO and Kerberos validation failures|Medium | Azure AD Sign-ins log| | Single sign-on list of error codes at [Single sign-on](../hybrid/connect/tshoot-connect-sso.md). | | Query for troubleshooting errors|Medium | PowerShell| See query following table. check in each forest with SSO enabled.| Check in each forest with SSO enabled. | | Kerberos-related events|High | Microsoft Defender for Identity monitoring| | Review guidance available at [Microsoft Defender for Identity Lateral Movement Paths (LMPs)](/defender-for-identity/use-case-lateral-movement-path) | |
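Review bot: the `+` line for the pass-through authentication PowerShell row still has no space between the link and the next word (`...tshoot-connect-pass-through-authentication.md)for guidance.`); since the line is being rewritten anyway, make it `...md) for guidance.`. The same hunk carries `See, [Monitor AD FS using Azure AD Connect Health]...` with a stray comma after `See` into the `+` line, and the row label `In privacy compliant` is unclear (it reads as a privacy-compliance setting and should say so).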
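Review bot: the unchanged line `* For Microsoft Sentinel, see [Connect to Windows servers to collect security events](/sql/relational-databases/security/auditing/sql-server-audit-records).` links a Sentinel data-connector topic to a SQL Server audit-records page, which does not match the link text; while the hybrid links in this file are being retargeted, correct this one as well. In the monitoring table that follows, the row `Modifications to the connector spaces|see [Troubleshoot Azure AD Connect objects and attributes]...` lacks its leading `|` and uses lowercase `see`, so it will not render as a table row, and the SSO row repeats `check in each forest with SSO enabled` in both the Filter/sub-filter and Notes columns.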
active-directory | Security Operations Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-introduction.md | Azure Active Directory creates a common user identity for authentication and aut To achieve hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are: -* [Password hash synchronization (PHS)](../hybrid/whatis-phs.md) -* [Pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) -* [Federation (AD FS)](../hybrid/whatis-fed.md) +* [Password hash synchronization (PHS)](../hybrid/connect/whatis-phs.md) +* [Pass-through authentication (PTA)](../hybrid/connect/how-to-connect-pta.md) +* [Federation (AD FS)](../hybrid/connect/whatis-fed.md) As you audit your current security operations or establish security operations for your Azure environment, we recommend you: If you don't plan to use Microsoft Defender for Identity, monitor your domain co As part of an Azure hybrid environment, the following items should be baselined and included in your monitoring and alerting strategy. -* **PTA Agent** - The pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See [Azure AD Pass-through Authentication agent: Version release history](../hybrid/reference-connect-pta-version-history.md) for information on verifying your agent version and next steps. +* **PTA Agent** - The pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See [Azure AD Pass-through Authentication agent: Version release history](../hybrid/connect/reference-connect-pta-version-history.md) for information on verifying your agent version and next steps. 
* **AD FS/WAP** - Azure Active Directory Federation Services (Azure AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. For information on security best practices, see [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs). -* **Azure AD Connect Health Agent** - The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see [Azure AD Connect Health agent installation](../hybrid/how-to-connect-health-agent-install.md). +* **Azure AD Connect Health Agent** - The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see [Azure AD Connect Health agent installation](../hybrid/connect/how-to-connect-health-agent-install.md). -* **Azure AD Connect Sync Engine** - The on-premises component, also called the sync engine. For information on the feature, see [Azure AD Connect sync service features](../hybrid/how-to-connect-syncservice-features.md). +* **Azure AD Connect Sync Engine** - The on-premises component, also called the sync engine. For information on the feature, see [Azure AD Connect sync service features](../hybrid/connect/how-to-connect-syncservice-features.md). * **Password Protection DC agent** - Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md). As part of an Azure cloud-based environment, the following items should be basel * **Azure AD Application Proxy** - This cloud service provides secure remote access to on-premises web applications. 
For more information, see [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy-connectors.md). -* **Azure AD Connect** - Services used for an Azure AD Connect solution. For more information, see [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). +* **Azure AD Connect** - Services used for an Azure AD Connect solution. For more information, see [What is Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md). -* **Azure AD Connect Health** - Service Health provides you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. For more information, see [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md). +* **Azure AD Connect Health** - Service Health provides you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. For more information, see [Azure AD Connect Health](../hybrid/connect/whatis-azure-ad-connect.md). * **Azure AD multifactor authentication** - Multifactor authentication requires a user to provide more than one form of proof for authentication. This approach can provide a proactive first step to securing your environment. For more information, see [Azure AD multi-factor authentication](../authentication/concept-mfa-howitworks.md). As part of an Azure cloud-based environment, the following items should be basel * **Self-service password reset service** - Azure AD self-service password reset (SSPR) gives users the ability to change or reset their password. The administrator or help desk isn't required. For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md). -* **Device services** - Device identity management is the foundation for [device-based Conditional Access](../conditional-access/require-managed-devices.md). 
With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see [What is a device identity](../devices/overview.md). +* **Device services** - Device identity management is the foundation for [device-based Conditional Access](../conditional-access/concept-conditional-access-grant.md). With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see [What is a device identity](../devices/overview.md). * **Self-service group management** - You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure AD. The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features aren't available for mail-enabled security groups or distribution lists. For more information, see [Set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md). |
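Review bot: the `+` line for **Azure AD Connect Health** keeps a description that belongs to Azure Service Health (`a customizable dashboard that tracks the health of your Azure services in the regions where you use them`) and retargets the link to `../hybrid/connect/whatis-azure-ad-connect.md`, the same page the **Azure AD Connect** bullet directly above it links to; the bullet should describe Connect Health (monitoring of the on-premises identity components listed earlier in this file, such as the sync engine and AD FS) and link to a Connect Health topic. Minor: the unchanged **AD FS/WAP** bullet expands the product as `Azure Active Directory Federation Services (Azure AD FS)`; the product is Active Directory Federation Services (AD FS), which is how the `[Federation (AD FS)]` bullet in the same file names it.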
active-directory | Security Operations Privileged Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-privileged-accounts.md | Investigate changes to privileged accounts' authentication rules and privileges, For more information on how to monitor for exceptions to Conditional Access policies, see [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md). -For more information on discovering unused privileged accounts, see [Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md). +For more information on discovering unused privileged accounts, see [Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). ## Assignment and elevation |
active-directory | Sync Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/sync-directory.md | Use directory synchronization when you need to synchronize identity data from yo * **Azure AD Connect**: A tool for connecting on premises identity infrastructures to Microsoft Azure AD. The wizard and guided experiences help you to deploy and configure prerequisites and components required for the connection (including sync and sign on from Active Directories to Azure AD). * **Active Directory**: Active Directory is a directory service that is included in most Windows Server operating systems. Servers that run Active Directory Domain Services (AD DS) are called domain controllers. They authenticate and authorize all users and computers in the domain. -Microsoft designed [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md) to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. Azure AD Connect cloud sync uses the Azure AD cloud provisioning agent instead of the Azure AD Connect application. +Microsoft designed [Azure AD Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md) to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. Azure AD Connect cloud sync uses the Azure AD cloud provisioning agent instead of the Azure AD Connect application. ## Implement directory synchronization with Azure AD Explore the following resources to learn more about directory synchronization with Azure AD. -* [What is identity provisioning with Azure AD?](../cloud-sync/what-is-provisioning.md)Provisioning is the process of creating an object based on certain conditions, keeping the object up-to-date and deleting the object when conditions are no longer met. On-premises provisioning involves provisioning from on premises sources (like Active Directory) to Azure AD. 
-* [Hybrid Identity: Directory integration tools comparison](../hybrid/plan-hybrid-identity-design-considerations-tools-comparison.md) describes differences between Azure AD Connect sync and Azure AD Connect cloud provisioning. -* [Azure AD Connect and Azure AD Connect Health installation roadmap](../hybrid/how-to-connect-install-roadmap.md) provides detailed installation and configuration steps. +* [What is identity provisioning with Azure AD?](../hybrid/what-is-provisioning.md)Provisioning is the process of creating an object based on certain conditions, keeping the object up-to-date and deleting the object when conditions are no longer met. On-premises provisioning involves provisioning from on premises sources (like Active Directory) to Azure AD. +* [Hybrid Identity: Directory integration tools comparison](../hybrid/connect/plan-hybrid-identity-design-considerations-tools-comparison.md) describes differences between Azure AD Connect sync and Azure AD Connect cloud provisioning. +* [Azure AD Connect and Azure AD Connect Health installation roadmap](../hybrid/connect/how-to-connect-install-roadmap.md) provides detailed installation and configuration steps. ## Next steps * [What is hybrid identity with Azure Active Directory?](../../active-directory/hybrid/whatis-hybrid-identity.md) Microsoft's identity solutions span on-premises and cloud-based capabilities. Hybrid identity solutions create a common user identity for authentication and authorization to all resources, regardless of location.-* [Install the Azure AD Connect provisioning agent](../cloud-sync/how-to-install.md) walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal. -* [Azure AD Connect cloud sync new agent configuration](../cloud-sync/how-to-configure.md) guides you through configuring Azure AD Connect cloud sync. 
+* [Install the Azure AD Connect provisioning agent](../hybrid/cloud-sync/how-to-install.md) walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal. +* [Azure AD Connect cloud sync new agent configuration](../hybrid/cloud-sync/how-to-configure.md) guides you through configuring Azure AD Connect cloud sync. * [Azure Active Directory authentication and synchronization protocol overview](auth-sync-overview.md) describes integration with authentication and synchronization protocols. Authentication integrations enable you to use Azure AD and its security and management features with little or no changes to your applications that use legacy authentication methods. Synchronization integrations enable you to sync user and group data to Azure AD and then user Azure AD management capabilities. Some sync patterns enable automated provisioning. |
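Review bot: the `+` line `+* [What is identity provisioning with Azure AD?](../hybrid/what-is-provisioning.md)Provisioning is the process ...` still runs the link straight into the next sentence with no space; add one. Also, the other cloud-sync links in this change move to `../hybrid/cloud-sync/...` while this one moves to `../hybrid/what-is-provisioning.md`, so confirm that path is where the topic actually lives rather than a typo for the cloud-sync folder. In the unchanged context, `then user Azure AD management capabilities` has `user` where `use` is meant.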
active-directory | Sync Ldap | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/sync-ldap.md | Use LDAP synchronization when you need to synchronize identity data between your Explore the following resources to learn more about LDAP synchronization with Azure AD. -* [Hybrid Identity: Directory integration tools comparison](../hybrid/plan-hybrid-identity-design-considerations-tools-comparison.md) describes differences between Azure AD Connect sync and Azure AD Connect cloud provisioning. -* [Azure AD Connect and Azure AD Connect Health installation roadmap](../hybrid/how-to-connect-install-roadmap.md) provides detailed installation and configuration steps. +* [Hybrid Identity: Directory integration tools comparison](../hybrid/connect/plan-hybrid-identity-design-considerations-tools-comparison.md) describes differences between Azure AD Connect sync and Azure AD Connect cloud provisioning. +* [Azure AD Connect and Azure AD Connect Health installation roadmap](../hybrid/connect/how-to-connect-install-roadmap.md) provides detailed installation and configuration steps. * The [Generic LDAP Connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap) enables you to integrate the synchronization service with an LDAP v3 server. > [!NOTE] |
active-directory | Certificate Based Authentication Federation Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-android.md | Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are ## Next steps -If you want to configure certificate-based authentication in your environment, see [Get started with certificate-based authentication on Android](active-directory-certificate-based-authentication-get-started.md) for instructions. +If you want to configure certificate-based authentication in your environment, see [Get started with certificate-based authentication on Android](./certificate-based-authentication-federation-get-started.md) for instructions. <!--Image references--> [1]: ./media/active-directory-certificate-based-authentication-android/ic195031.png |
active-directory | Certificate Based Authentication Federation Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-get-started.md | Configuring this feature eliminates the need to enter a username and password co This topic: - Provides you with the steps to configure and utilize CBA for users of tenants in Office 365 Enterprise, Business, Education, and US Government plans. -- Assumes that you already have a [public key infrastructure (PKI)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831740(v=ws.11)) and [AD FS](../hybrid/how-to-connect-fed-whatis.md) configured.+- Assumes that you already have a [public key infrastructure (PKI)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831740(v=ws.11)) and [AD FS](../hybrid/connect/how-to-connect-fed-whatis.md) configured. ## Requirements As a first step, for the device platform you care about, you need to review the The related information exists for the following device platforms: -- [Android](active-directory-certificate-based-authentication-android.md)-- [iOS](active-directory-certificate-based-authentication-ios.md)+- [Android](./certificate-based-authentication-federation-android.md) +- [iOS](./certificate-based-authentication-federation-ios.md) ## Step 2: Configure the certificate authorities An EAS profile can be configured and placed on the device through the utilizatio ## Next steps -[Additional information about certificate-based authentication on Android devices.](active-directory-certificate-based-authentication-android.md) +[Additional information about certificate-based authentication on Android devices.](./certificate-based-authentication-federation-android.md) -[Additional information about certificate-based authentication on iOS devices.](active-directory-certificate-based-authentication-ios.md) +[Additional information about certificate-based authentication 
on iOS devices.](./certificate-based-authentication-federation-ios.md) |
active-directory | Certificate Based Authentication Federation Ios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-ios.md | On iOS 9 or later, the native iOS mail client is supported. To determine if this ## Next steps -To configure certificate-based authentication in your environment, see [Get started with certificate-based authentication](active-directory-certificate-based-authentication-get-started.md) for instructions. +To configure certificate-based authentication in your environment, see [Get started with certificate-based authentication](./certificate-based-authentication-federation-get-started.md) for instructions. <!--Image references--> [1]: ./media/active-directory-certificate-based-authentication-ios/ic195031.png |
active-directory | Concept Authentication Strengths | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-strengths.md | The following authentication methods can't be registered as part of combined reg ### Federated user experience -For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider by setting the federatedIdpMfaBehavior. If the federatedIdpMfaBehavior setting is set to enforceMfaByFederatedIdp, the user must authenticate on their federated IdP and can only satisfy the **Federated Multi-Factor** combination of the authentication strength requirement. For more information about the federation settings, see [Plan support for MFA](../hybrid/migrate-from-federation-to-cloud-authentication.md#plan-support-for-mfa). +For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider by setting the federatedIdpMfaBehavior. If the federatedIdpMfaBehavior setting is set to enforceMfaByFederatedIdp, the user must authenticate on their federated IdP and can only satisfy the **Federated Multi-Factor** combination of the authentication strength requirement. For more information about the federation settings, see [Plan support for MFA](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md#plan-support-for-mfa). If a user from a federated domain has multifactor authentication settings in scope for Staged Rollout, the user can complete multifactor authentication in the cloud and satisfy any of the **Federated single-factor + something you have** combinations. For more information about staged rollout, see [Enable Staged Rollout using Azure portal](how-to-mfa-server-migration-utility.md#enable-staged-rollout-using-azure-portal). 
As a result, users in Contoso can access most of the resources in the tenant usi ## Next steps - [Troubleshoot authentication strengths](troubleshoot-authentication-strengths.md) - |
active-directory | Concept Certificate Based Authentication Certificateuserids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md | To synchronize X509:\<RFC822>RFC822Name, create an outbound synchronization rule > [!NOTE] > Make sure you use the latest version of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594). -For more information about declarative provisioning expressions, see [Azure AD Connect: Declarative Provisioning Expressions](../hybrid/concept-azure-ad-connect-sync-declarative-provisioning-expressions.md). +For more information about declarative provisioning expressions, see [Azure AD Connect: Declarative Provisioning Expressions](../hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning-expressions.md). ## Synchronize alternativeSecurityId attribute from AD to Azure AD CBA CertificateUserIds |
active-directory | Concept Certificate Based Authentication Limitations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-limitations.md | The following scenarios aren't supported: - [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md) - [How to configure Azure AD CBA](how-to-certificate-based-authentication.md) - [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)-- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)+- [Azure AD CBA on mobile devices (Android and iOS)](./concept-certificate-based-authentication-mobile-ios.md) - [CertificateUserIDs](concept-certificate-based-authentication-certificateuserids.md) - [How to migrate federated users](concept-certificate-based-authentication-migration.md) - [FAQ](certificate-based-authentication-faq.yml)-- |
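Review bot: the `+` line retargets `[Azure AD CBA on mobile devices (Android and iOS)]` to `./concept-certificate-based-authentication-mobile-ios.md`, so the link text now promises Android coverage that the iOS-specific target suggests it does not have; either point to a page that covers both platforms or change the text to `(iOS)` and add a separate Android link if one exists.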
active-directory | Concept Certificate Based Authentication Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-migration.md | This article explains how to migrate from running federated servers such as Acti ## Staged Rollout -[Staged Rollout](../hybrid/how-to-connect-staged-rollout.md) helps customers transition from AD FS to Azure AD by testing cloud authentication with selected groups of users before switching the entire tenant. +[Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md) helps customers transition from AD FS to Azure AD by testing cloud authentication with selected groups of users before switching the entire tenant. ## Enable Staged Rollout for certificate-based authentication on your tenant To configure Staged Rollout, follow these steps: 1. Search for and select **Azure Active Directory**. 1. From the left menu, select **Azure AD Connect**. 1. On the Azure AD Connect page, under the Staged Rollout of cloud authentication, click **Enable Staged Rollout for managed user sign-in**.-1. On the **Enable Staged Rollout** feature page, click **On** for the option [Certificate-based authentication](active-directory-certificate-based-authentication-get-started.md) +1. On the **Enable Staged Rollout** feature page, click **On** for the option [Certificate-based authentication](./certificate-based-authentication-federation-get-started.md) 1. Click **Manage groups** and add groups you want to be part of cloud authentication. To avoid a time-out, ensure that the security groups contain no more than 200 members initially. -For more information, see [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md). +For more information, see [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). >[!NOTE] > When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Azure AD. 
For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail. Azure AD Connect requires a special role named **Hybrid Identity Administrator** ### Can we have privileged accounts with a federated AD FS server? -Although it's possible, Microsoft recommends privileged accounts be cloud-only accounts. Using cloud-only accounts for privileged access limits exposure in Azure AD from a compromised on-premises environment. For more information, see [Protecting Microsoft 365 from on-premises attacks](../fundamentals/protect-m365-from-on-premises-attacks.md). +Although it's possible, Microsoft recommends privileged accounts be cloud-only accounts. Using cloud-only accounts for privileged access limits exposure in Azure AD from a compromised on-premises environment. For more information, see [Protecting Microsoft 365 from on-premises attacks](../architecture/protect-m365-from-on-premises-attacks.md). ### If an organization is a hybrid running both AD FS and Azure CBA, are they still vulnerable to the AD FS compromise? |
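Review bot: in the Staged Rollout steps, the `+` line retargets the **Certificate-based authentication** option to `./certificate-based-authentication-federation-get-started.md`, which the other rows in this change identify as the AD FS (federation) CBA guide, while this step is about turning on Azure AD CBA for managed user sign-in; `how-to-certificate-based-authentication.md`, linked in the neighbouring files as `How to configure Azure AD CBA`, looks like the intended target. The step also lacks its terminating period.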
active-directory | Concept Certificate Based Authentication Smartcard | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-smartcard.md | Follow these steps to set up Windows smart card sign-in: 1. Join the machine to either Azure AD or a hybrid environment (hybrid join). 1. Configure Azure AD CBA in your tenant as described in [Configure Azure AD CBA](how-to-certificate-based-authentication.md).-1. Make sure the user is either on managed authentication or using [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md). +1. Make sure the user is either on managed authentication or using [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). 1. Present the physical or virtual smart card to the test machine. 1. Select the smart card icon, enter the PIN, and authenticate the user. |
active-directory | Concept Certificate Based Authentication Technical Deep Dive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md | Now we'll walk through each step: :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in.png" alt-text="Screenshot of the Sign-in for MyApps portal."::: -1. Azure AD checks whether CBA is enabled for the tenant. If CBA is enabled, the user sees a link to **Use a certificate or smartcard** on the password page. If the user doesn't see the sign-in link, make sure CBA is enabled on the tenant. For more information, see [How do I enable Azure AD CBA?](certificate-based-authentication-faq.yml#how-can-an-administrator-enable-azure-ad-cba-). +1. Azure AD checks whether CBA is enabled for the tenant. If CBA is enabled, the user sees a link to **Use a certificate or smartcard** on the password page. If the user doesn't see the sign-in link, make sure CBA is enabled on the tenant. For more information, see [How do I enable Azure AD CBA?](./certificate-based-authentication-faq.yml#how-can-an-administrator-enable-azure-ad-cba-). >[!NOTE] > If CBA is enabled on the tenant, all users will see the link to **Use a certificate or smart card** on the password page. However, only the users in scope for CBA will be able to authenticate successfully against an application that uses Azure AD as their Identity provider (IdP). Having both PrincipalName and SKI values from the user's certificate mapped to t ## Understanding the certificate revocation process -The certificate revocation process allows the admin to revoke a previously issued certificate from being used for future authentication. The certificate revocation won't revoke already issued tokens of the user. 
Follow the steps to manually revoke tokens at [Configure revocation](active-directory-certificate-based-authentication-get-started.md#step-3-configure-revocation). +The certificate revocation process allows the admin to revoke a previously issued certificate from being used for future authentication. The certificate revocation won't revoke already issued tokens of the user. Follow the steps to manually revoke tokens at [Configure revocation](./certificate-based-authentication-federation-get-started.md#step-3-configure-revocation). Azure AD downloads and caches the customers certificate revocation list (CRL) from their certificate authority to check if certificates are revoked during the authentication of the user. For more information about how to enable **Trust multi-factor authentication fro - [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md) - [How to migrate federated users](concept-certificate-based-authentication-migration.md) - [FAQ](certificate-based-authentication-faq.yml)-- [Troubleshoot Azure AD CBA](troubleshoot-certificate-based-authentication.md)+- [Troubleshoot Azure AD CBA](./certificate-based-authentication-faq.yml) |
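Review bot: in the Next steps list at the end of this hunk, the changed entry `- [Troubleshoot Azure AD CBA](./certificate-based-authentication-faq.yml)` now points at the same file as the `[FAQ](certificate-based-authentication-faq.yml)` item directly above it, so the list carries two differently worded links to one target; either retarget the troubleshooting entry at whatever replaced troubleshoot-certificate-based-authentication.md, or drop it, rather than leaving a duplicate with misleading link text.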
active-directory | Concept Mfa Licensing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-licensing.md | The following table details the different ways to get Azure AD Multi-Factor Auth | If you're a user of | Capabilities and use cases | | | | | [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business) and [EMS](https://www.microsoft.com/security/business/enterprise-mobility-security) or [Microsoft 365 E3 and E5](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans) | EMS E3, Microsoft 365 E3, and Microsoft 365 Business Premium includes Azure AD Premium P1. EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. You can use the same Conditional Access features noted in the following sections to provide multi-factor authentication to users. |-| [Azure AD Premium P1](../fundamentals/active-directory-get-started-premium.md) | You can use [Azure AD Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. | -| [Azure AD Premium P2](../fundamentals/active-directory-get-started-premium.md) | Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. | +| [Azure AD Premium P1](../fundamentals/get-started-premium.md) | You can use [Azure AD Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. | +| [Azure AD Premium P2](../fundamentals/get-started-premium.md) | Provides the strongest security position and improved user experience. 
Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. | | [All Microsoft 365 plans](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans) | Azure AD Multi-Factor Authentication can be enabled for all users using [security defaults](../fundamentals/security-defaults.md). Management of Azure AD Multi-Factor Authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Microsoft 365 resources with multi-factor authentication](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication). | | [Office 365 free](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)<br>[Azure AD free](../verifiable-credentials/how-to-create-a-free-developer-account.md) | You can use [security defaults](../fundamentals/security-defaults.md) to prompt users for multi-factor authentication as needed but you don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. | If you don't want to enable Azure AD Multi-Factor Authentication for all users, * [What is Conditional Access](../conditional-access/overview.md) * [What is Identity Protection?](../identity-protection/overview-identity-protection.md) * MFA can also be [enabled on a per-user basis](howto-mfa-userstates.md)- |
active-directory | Concept Password Ban Bad Combined Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md | The following Azure AD password policy requirements apply for all passwords that Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Microsoft Azure AD Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire. > [!NOTE]-> By default, only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Azure AD](../hybrid/how-to-connect-password-hash-synchronization.md#password-expiration-policy). +> By default, only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Azure AD](../hybrid/connect/how-to-connect-password-hash-synchronization.md#password-expiration-policy). You can also use PowerShell to remove the never-expires configuration, or to see user passwords that are set to never expire. |
active-directory | Concept Resilient Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-resilient-controls.md | User lockout can also occur if the following conditions are true: - Your organization uses a hybrid identity solution with pass-through authentication or federation. - Your on-premises identity systems (such as Active Directory, AD FS, or a dependent component) are unavailable. -To be more resilient, your organization should [enable password hash sync](../hybrid/choose-ad-authn.md), because it enables you to [switch to using password hash sync](../hybrid/plan-connect-user-signin.md) if your on-premises identity systems are down. +To be more resilient, your organization should [enable password hash sync](../hybrid/connect/choose-ad-authn.md), because it enables you to [switch to using password hash sync](../hybrid/connect/plan-connect-user-signin.md) if your on-premises identity systems are down. #### Microsoft recommendations Enable password hash sync using the Azure AD Connect wizard, regardless whether your organization uses federation or pass-through authentication. |
active-directory | Concept Sspr Howitworks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-howitworks.md | If you have a hybrid environment, you can configure Azure AD Connect to write pa Azure AD checks your current hybrid connectivity and provides one of the following messages in the Azure portal: * Your on-premises writeback client is up and running.-* Azure AD is online and is connected to your on-premises writeback client. However, it looks like the installed version of Azure AD Connect is out-of-date. Consider [Upgrading Azure AD Connect](../hybrid/how-to-upgrade-previous-version.md) to ensure that you have the latest connectivity features and important bug fixes. -* Unfortunately, we can't check your on-premises writeback client status because the installed version of Azure AD Connect is out-of-date. [Upgrade Azure AD Connect](../hybrid/how-to-upgrade-previous-version.md) to be able to check your connection status. +* Azure AD is online and is connected to your on-premises writeback client. However, it looks like the installed version of Azure AD Connect is out-of-date. Consider [Upgrading Azure AD Connect](../hybrid/connect/how-to-upgrade-previous-version.md) to ensure that you have the latest connectivity features and important bug fixes. +* Unfortunately, we can't check your on-premises writeback client status because the installed version of Azure AD Connect is out-of-date. [Upgrade Azure AD Connect](../hybrid/connect/how-to-upgrade-previous-version.md) to be able to check your connection status. * Unfortunately, it looks like we can't connect to your on-premises writeback client right now. [Troubleshoot Azure AD Connect](./troubleshoot-sspr-writeback.md) to restore the connection. * Unfortunately, we can't connect to your on-premises writeback client because password writeback has not been properly configured. 
[Configure password writeback](./tutorial-enable-sspr-writeback.md) to restore the connection. * Unfortunately, it looks like we can't connect to your on-premises writeback client right now. This may be due to temporary issues on our end. If the problem persists, [Troubleshoot Azure AD Connect](./troubleshoot-sspr-writeback.md) to restore the connection. |
active-directory | Concept Sspr Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-policy.md | You can also use PowerShell cmdlets to remove the never-expires configuration or This guidance applies to other providers, such as Intune and Microsoft 365, which also rely on Azure AD for identity and directory services. Password expiration is the only part of the policy that can be changed. > [!NOTE]-> By default only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Azure AD](../hybrid/how-to-connect-password-hash-synchronization.md#password-expiration-policy). +> By default only passwords for user accounts that aren't synchronized through Azure AD Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Azure AD](../hybrid/connect/how-to-connect-password-hash-synchronization.md#password-expiration-policy). ### Set or check the password policies by using PowerShell |
active-directory | Concept Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-writeback.md | Azure Active Directory (Azure AD) self-service password reset (SSPR) lets users Password writeback is supported in environments that use the following hybrid identity models: -* [Password hash synchronization](../hybrid/how-to-connect-password-hash-synchronization.md) -* [Pass-through authentication](../hybrid/how-to-connect-pta.md) -* [Active Directory Federation Services](../hybrid/how-to-connect-fed-management.md) +* [Password hash synchronization](../hybrid/connect/how-to-connect-password-hash-synchronization.md) +* [Pass-through authentication](../hybrid/connect/how-to-connect-pta.md) +* [Active Directory Federation Services](../hybrid/connect/how-to-connect-fed-management.md) Password writeback provides the following features: To get started with SSPR writeback, complete either one or both of the following ## Azure AD Connect and cloud sync side-by-side deployment -You can deploy Azure AD Connect and cloud sync side-by-side in different domains to target different sets of users. This helps existing users continue to writeback password changes while adding the option in cases where users are in disconnected domains because of a company merger or split. Azure AD Connect and cloud sync can be configured in different domains so users from one domain can use Azure AD Connect while users in another domain use cloud sync. Cloud sync can also provide higher availability because it doesn't rely on a single instance of Azure AD Connect. For a feature comparison between the two deployment options, see [Comparison between Azure AD Connect and cloud sync](../cloud-sync/what-is-cloud-sync.md#comparison-between-azure-ad-connect-and-cloud-sync). +You can deploy Azure AD Connect and cloud sync side-by-side in different domains to target different sets of users. 
This helps existing users continue to writeback password changes while adding the option in cases where users are in disconnected domains because of a company merger or split. Azure AD Connect and cloud sync can be configured in different domains so users from one domain can use Azure AD Connect while users in another domain use cloud sync. Cloud sync can also provide higher availability because it doesn't rely on a single instance of Azure AD Connect. For a feature comparison between the two deployment options, see [Comparison between Azure AD Connect and cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md#comparison-between-azure-ad-connect-and-cloud-sync). ## How password writeback works Passwords aren't written back in any of the following situations: * Any administrator cannot use password reset tool to reset their own password for password writeback. > [!WARNING]-> Use of the checkbox "User must change password at next logon" in on-premises AD DS administrative tools like Active Directory Users and Computers or the Active Directory Administrative Center is supported as a preview feature of Azure AD Connect. For more information, see [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md). +> Use of the checkbox "User must change password at next logon" in on-premises AD DS administrative tools like Active Directory Users and Computers or the Active Directory Administrative Center is supported as a preview feature of Azure AD Connect. For more information, see [Implement password hash synchronization with Azure AD Connect sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md). 
> [!NOTE] > If a user has the option "Password never expires" set in Active Directory (AD), the force password change flag will not be set in Active Directory (AD), so the user will not be prompted to change the password during the next sign-in even if the option to force the user to change their password on next logon option is selected during an administrator-initiated end-user password reset. |
active-directory | Concepts Azure Multi Factor Authentication Prompts Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md | This article details recommended configurations and how different settings work To give your users the right balance of security and ease of use by asking them to sign in at the right frequency, we recommend the following configurations: * If you have Azure AD Premium:- * Enable single sign-on (SSO) across applications using [managed devices](../devices/overview.md) or [Seamless SSO](../hybrid/how-to-connect-sso.md). + * Enable single sign-on (SSO) across applications using [managed devices](../devices/overview.md) or [Seamless SSO](../hybrid/connect/how-to-connect-sso.md). * If reauthentication is required, use a Conditional Access [sign-in frequency policy](../conditional-access/howto-conditional-access-session-lifetime.md). * For users that sign in from non-managed devices or mobile device scenarios, persistent browser sessions may not be preferable, or you might use Conditional Access to enable persistent browser sessions with sign-in frequency policies. Limit the duration to an appropriate time based on the sign-in risk, where a user with less risk has a longer session duration. * If you have Microsoft 365 apps licenses or the free Azure AD tier:- * Enable single sign-on (SSO) across applications using [managed devices](../devices/overview.md) or [Seamless SSO](../hybrid/how-to-connect-sso.md). + * Enable single sign-on (SSO) across applications using [managed devices](../devices/overview.md) or [Seamless SSO](../hybrid/connect/how-to-connect-sso.md). * Keep the *Remain signed-in* option enabled and guide your users to accept it. * For mobile devices scenarios, make sure your users use the Microsoft Authenticator app. 
This app is used as a broker to other Azure AD federated apps, and reduces authentication prompts on the device. The following table summarizes the recommendations based on licenses: | | Azure AD Free and Microsoft 365 apps | Azure AD Premium | ||--||-| **SSO** | [Azure AD join](../devices/concept-directory-join.md) or [Hybrid Azure AD join](../devices/concept-hybrid-join.md), or [Seamless SSO](../hybrid/how-to-connect-sso.md) for unmanaged devices. | Azure AD join<br />Hybrid Azure AD join | +| **SSO** | [Azure AD join](../devices/concept-directory-join.md) or [Hybrid Azure AD join](../devices/concept-hybrid-join.md), or [Seamless SSO](../hybrid/connect/how-to-connect-sso.md) for unmanaged devices. | Azure AD join<br />Hybrid Azure AD join | | **Reauthentication settings** | Remain signed-in | Use Conditional Access policies for sign-in frequency and persistent browser session | ## Next steps |
active-directory | How To Certificate Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-certificate-based-authentication.md | To enable CBA and configure username bindings using Graph API, complete the foll - [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md) - [Limitations with Azure AD CBA](concept-certificate-based-authentication-limitations.md) - [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)-- [Azure AD CBA on mobile devices (Android and iOS)](concept-certificate-based-authentication-mobile.md)+- [Azure AD CBA on mobile devices (Android and iOS)](./concept-certificate-based-authentication-mobile-ios.md) - [Certificate user IDs](concept-certificate-based-authentication-certificateuserids.md) - [How to migrate federated users](concept-certificate-based-authentication-migration.md) - [FAQ](certificate-based-authentication-faq.yml) |
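Review bot: the link text `Azure AD CBA on mobile devices (Android and iOS)` no longer matches its new target `./concept-certificate-based-authentication-mobile-ios.md`, which by its name is the iOS-specific article; either narrow the entry to iOS or add a second entry for the Android article so readers are not sent to the wrong platform page.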
active-directory | How To Mfa Server Migration Utility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md | Take a look at our video for an overview of the MFA Server Migration Utility and ## Limitations and requirements - The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You don’t have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically.-- The MFA Server Migration Utility copies the data from the database file onto the user objects in Azure AD. During migration, users can be targeted for Azure AD MFA for testing purposes using [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md). Staged migration lets you test without making any changes to your domain federation settings. Once migrations are complete, you must finalize your migration by making changes to your domain federation settings.+- The MFA Server Migration Utility copies the data from the database file onto the user objects in Azure AD. During migration, users can be targeted for Azure AD MFA for testing purposes using [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). Staged migration lets you test without making any changes to your domain federation settings. Once migrations are complete, you must finalize your migration by making changes to your domain federation settings. - AD FS running Windows Server 2016 or higher is required to provide MFA authentication on any AD FS relying parties, not including Azure AD and Office 365. - Review your AD FS access control policies and make sure none requires MFA to be performed on-premises as part of the authentication process. 
- Staged rollout can target a maximum of 500,000 users (10 groups containing a maximum of 50,000 users each). Azure MFA Server can provide MFA functionality for third-party solutions that us For RADIUS deployments that can’t be upgraded, you’ll need to deploy an NPS Server and install the [Azure AD MFA NPS extension](howto-mfa-nps-extension.md). -For LDAP deployments that can’t be upgraded or moved to RADIUS, [determine if Azure Active Directory Domain Services can be used](../fundamentals/auth-ldap.md). In most cases, LDAP was deployed to support in-line password changes for end users. Once migrated, end users can manage their passwords by using [self-service password reset in Azure AD](tutorial-enable-sspr.md). +For LDAP deployments that can’t be upgraded or moved to RADIUS, [determine if Azure Active Directory Domain Services can be used](../architecture/auth-ldap.md). In most cases, LDAP was deployed to support in-line password changes for end users. Once migrated, end users can manage their passwords by using [self-service password reset in Azure AD](tutorial-enable-sspr.md). If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfaserver-adfs-windows-server.md#secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server) on any relying party trusts except for the Office 365 relying party trust, you’ll need to upgrade to [AD FS 3.0](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server) or federate those relying parties directly to Azure AD if they support modern authentication methods. Determine the best plan of action for each of the dependencies. Set the **Staged Rollout for Azure MFA** to **Off**. 
Users will once again be re ## Next steps - [Overview of how to migrate from MFA Server to Azure AD Multi-Factor Authentication](how-to-migrate-mfa-server-to-azure-mfa.md)-- [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md)+- [Migrate to cloud authentication using Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md) |
active-directory | How To Migrate Mfa Server To Azure Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md | Microsoft's MFA server can be integrated with many systems, and you must evaluat Common ways to think about moving users in batches include moving them by regions, departments, or roles such as administrators. You should move user accounts iteratively, starting with test and pilot groups, and make sure you have a rollback plan in place. -You can use the [MFA Server Migration Utility](how-to-mfa-server-migration-utility.md) to synchronize MFA data stored in the on-premises Azure MFA Server to Azure AD MFA and use [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md) to reroute users to Azure MFA. Staged Rollout helps you test without making any changes to your domain federation settings. +You can use the [MFA Server Migration Utility](how-to-mfa-server-migration-utility.md) to synchronize MFA data stored in the on-premises Azure MFA Server to Azure AD MFA and use [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md) to reroute users to Azure MFA. Staged Rollout helps you test without making any changes to your domain federation settings. To help users to differentiate the newly added account from the old account linked to the MFA Server, make sure the Account name for the Mobile App on the MFA Server is named in a way to distinguish the two accounts. For example, the Account name that appears under Mobile App on the MFA Server has been renamed to **On-Premises MFA Server**. We therefore recommend that regardless of the migration path you choose, that yo #### Migrating hardware security keys -Azure AD provides support for OATH hardware tokens. 
You can use the [MFA Server Migration Utility](how-to-mfa-server-migration-utility.md) to synchronize MFA settings between MFA Server and Azure AD MFA and use [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md) to test user migrations without changing domain federation settings. +Azure AD provides support for OATH hardware tokens. You can use the [MFA Server Migration Utility](how-to-mfa-server-migration-utility.md) to synchronize MFA settings between MFA Server and Azure AD MFA and use [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md) to test user migrations without changing domain federation settings. If you only want to migrate OATH hardware tokens, you need to [upload tokens to Azure AD by using a CSV file](concept-authentication-oath-tokens.md#oath-hardware-tokens-preview), commonly referred to as a "seed file". The seed file contains the secret keys, token serial numbers, and other necessary information needed to upload the tokens into Azure AD. Our recommendations: - Use Azure AD for authentication as it enables more robust security and governance - Move applications to Azure AD if possible -To select the best user authentication method for your organization, see [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/choose-ad-authn.md). +To select the best user authentication method for your organization, see [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/connect/choose-ad-authn.md). We recommend that you use Password Hash Synchronization (PHS). ### Passwordless authentication Others might include: - [Moving to Azure AD Multi-Factor Authentication with federation](how-to-migrate-mfa-server-to-mfa-with-federation.md) - [Moving to Azure AD Multi-Factor Authentication and Azure AD user authentication](how-to-migrate-mfa-server-to-mfa-user-authentication.md) - [How to use the MFA Server Migration Utility](how-to-mfa-server-migration-utility.md)- |
active-directory | How To Migrate Mfa Server To Mfa User Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication.md | After you configure the servers, you can add Azure AD MFA as an additional authe ## Prepare Staged Rollout -Now you're ready to enable [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md). Staged Rollout helps you to iteratively move your users to either PHS or PTA while also migrating their on-premises MFA settings. +Now you're ready to enable [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). Staged Rollout helps you to iteratively move your users to either PHS or PTA while also migrating their on-premises MFA settings. -* Be sure to review the [supported scenarios](../hybrid/how-to-connect-staged-rollout.md#supported-scenarios). -* First, you'll need to do either the [prework for PHS](../hybrid/how-to-connect-staged-rollout.md#pre-work-for-password-hash-sync) or the [prework for PTA](../hybrid/how-to-connect-staged-rollout.md#pre-work-for-pass-through-authentication). We recommend PHS. -* Next, you'll do the [prework for seamless SSO](../hybrid/how-to-connect-staged-rollout.md#pre-work-for-seamless-sso). -* [Enable the Staged Rollout of cloud authentication](../hybrid/how-to-connect-staged-rollout.md#enable-a-staged-rollout-of-a-specific-feature-on-your-tenant) for your selected authentication method. +* Be sure to review the [supported scenarios](../hybrid/connect/how-to-connect-staged-rollout.md#supported-scenarios). +* First, you'll need to do either the [prework for PHS](../hybrid/connect/how-to-connect-staged-rollout.md#pre-work-for-password-hash-sync) or the [prework for PTA](../hybrid/connect/how-to-connect-staged-rollout.md#pre-work-for-pass-through-authentication). We recommend PHS. 
+* Next, you'll do the [prework for seamless SSO](../hybrid/connect/how-to-connect-staged-rollout.md#pre-work-for-seamless-sso). +* [Enable the Staged Rollout of cloud authentication](../hybrid/connect/how-to-connect-staged-rollout.md#enable-a-staged-rollout-of-a-specific-feature-on-your-tenant) for your selected authentication method. * Add the group(s) you created for Staged Rollout. Remember that you'll add users to groups iteratively, and that they can't be dynamic groups or nested groups. ## Register users for Azure AD MFA Detailed Azure AD MFA registration information can be found on the Registration Monitor applications you moved to Azure AD with the App sign-in health workbook or the application activity usage report. -* **App sign-in health workbook**. See [Monitoring application sign-in health for resilience](../fundamentals/monitor-sign-in-health-for-resilience.md) for detailed guidance on using this workbook. +* **App sign-in health workbook**. See [Monitoring application sign-in health for resilience](../architecture/monitor-sign-in-health-for-resilience.md) for detailed guidance on using this workbook. * **Azure AD application activity usage report**. This [report](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsageAndInsightsMenuBlade/Azure%20AD%20application%20activity) can be used to view the successful and failed sign-ins for individual applications as well as the ability to drill down and view sign-in activity for a specific application. ## Clean up tasks We recommend reviewing MFA Server logs to ensure no users or applications are us ### Convert your domains to managed authentication -You should now [convert your federated domains in Azure AD to managed](../hybrid/migrate-from-federation-to-cloud-authentication.md#convert-domains-from-federated-to-managed) and remove the Staged Rollout configuration. 
+You should now [convert your federated domains in Azure AD to managed](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md#convert-domains-from-federated-to-managed) and remove the Staged Rollout configuration. This conversion ensures new users use cloud authentication without being added to the migration groups. ### Revert claims rules on AD FS and remove MFA Server authentication provider For more information about migrating applications to Azure, see [Resources for m ## Next steps - [Migrate from Microsoft MFA Server to Azure AD MFA (Overview)](how-to-migrate-mfa-server-to-azure-mfa.md)-- [Migrate applications from Windows Active Directory to Azure AD](../manage-apps/migrate-application-authentication-to-azure-active-directory.md)-- [Plan your cloud authentication strategy](../fundamentals/deployment-plans.md)+- [Migrate applications from Windows Active Directory to Azure AD](../manage-apps/migrate-adfs-apps-phases-overview.md) +- [Plan your cloud authentication strategy](../architecture/deployment-plans.md) |
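Review bot: in the Next steps hunk the link text "Migrate applications from Windows Active Directory to Azure AD" is kept while the target moves from migrate-application-authentication-to-azure-active-directory.md to ../manage-apps/migrate-adfs-apps-phases-overview.md, whose name indicates an AD FS application migration overview; either update the link text to match the scope of the new target or confirm that the AD FS phases article is really the intended replacement for the Windows AD migration guidance, otherwise the anchor text misleads readers about where they are going.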
active-directory | How To Migrate Mfa Server To Mfa With Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md | Possible considerations when decommissions the MFA Servers include: ## Next Steps -- [Deploy password hash synchronization](../hybrid/whatis-phs.md)+- [Deploy password hash synchronization](../hybrid/connect/whatis-phs.md) - [Learn more about Conditional Access](../conditional-access/overview.md)-- [Migrate applications to Azure AD](../manage-apps/migrate-application-authentication-to-azure-active-directory.md)+- [Migrate applications to Azure AD](../manage-apps/migrate-adfs-apps-phases-overview.md) |
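Review bot: the two retargets here mirror the previous file's change (whatis-phs.md under ../hybrid/connect/, migrate-adfs-apps-phases-overview.md for the application migration link) and are consistent with it, but the unchanged context line "Possible considerations when decommissions the MFA Servers include:" has a grammar error ("when decommissioning the MFA Servers"); worth fixing while this file is open.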
active-directory | Howto Authentication Methods Activity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-methods-activity.md | The **Usage** report shows which authentication methods are used to sign-in and Using the controls at the top of the list, you can search for a user and filter the list of users based on the columns shown. >[!NOTE]->User accounts that were recently deleted, also known as [soft-deleted users](../fundamentals/active-directory-users-restore.md), are not listed in user registration details. +>User accounts that were recently deleted, also known as [soft-deleted users](../fundamentals/users-restore.md), are not listed in user registration details. The registration details report shows the following information for each user: |
active-directory | Howto Authentication Passwordless Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-deployment.md | The wizard will use your inputs to craft a step-by-step plan for you to follow. ## Plan the project -When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/deployment-plans.md) and that stakeholder roles in the project are well understood. +When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../architecture/deployment-plans.md) and that stakeholder roles in the project are well understood. ### Plan a pilot -When you deploy passwordless authentication, you should first enable one or more pilot groups. You can create groups specifically for this purpose. Add the users who will participate in the pilot to the groups. Then, enable new passwordless authentication methods for the selected groups. See [best practices for a pilot](../fundamentals/deployment-plans.md). +When you deploy passwordless authentication, you should first enable one or more pilot groups. You can create groups specifically for this purpose. Add the users who will participate in the pilot to the groups. Then, enable new passwordless authentication methods for the selected groups. See [best practices for a pilot](../architecture/deployment-plans.md). ### Plan communications Select the user row, and then select the **Authentication Details** tab to view * [Learn how passwordless authentication works](concept-authentication-passwordless.md) -* [Deploy other identity features](../fundamentals/deployment-plans.md) +* [Deploy other identity features](../architecture/deployment-plans.md) |
active-directory | Howto Authentication Sms Signin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-sms-signin.md | If you receive an error when you try to set a phone number for a user account in <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../fundamentals/sign-up-organization.md-[associate-azure-ad-tenant]: ../fundamentals/active-directory-how-subscriptions-associated-directory.md +[associate-azure-ad-tenant]: ../fundamentals/how-subscriptions-associated-directory.md [concepts-passwordless]: concept-authentication-passwordless.md [tutorial-azure-mfa]: tutorial-enable-azure-mfa.md [tutorial-sspr]: tutorial-enable-sspr.md |
active-directory | Howto Authentication Use Email Signin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md | A different approach is to synchronize the Azure AD and on-premises UPNs to the | Option | Description | ||| | [Alternate Login ID for AD FS](/windows-server/identity/ad-fs/operations/configuring-alternate-login-id) | Enable sign-in with an alternate attribute (such as Mail) for AD FS users. |-| [Alternate Login ID in Azure AD Connect](../hybrid/plan-connect-userprincipalname.md#alternate-login-id) | Synchronize an alternate attribute (such as Mail) as the Azure AD UPN. | +| [Alternate Login ID in Azure AD Connect](../hybrid/connect/plan-connect-userprincipalname.md#alternate-login-id) | Synchronize an alternate attribute (such as Mail) as the Azure AD UPN. | | Email as an Alternate Login ID | Enable sign-in with verified domain *ProxyAddresses* for Azure AD users. | ## Synchronize sign-in email addresses to Azure AD For more information on hybrid identity operations, see [how password hash sync] <!-- INTERNAL LINKS --> [verify-domain]: ../fundamentals/add-custom-domain.md-[hybrid-auth-methods]: ../hybrid/choose-ad-authn.md -[azure-ad-connect]: ../hybrid/whatis-azure-ad-connect.md -[hybrid-overview]: ../hybrid/cloud-governed-management-for-on-premises.md -[phs-overview]: ../hybrid/how-to-connect-password-hash-synchronization.md -[pta-overview]: ../hybrid/how-to-connect-pta-how-it-works.md +[hybrid-auth-methods]: ../hybrid/connect/choose-ad-authn.md +[azure-ad-connect]: ../hybrid/connect/whatis-azure-ad-connect.md +[hybrid-overview]: ../hybrid/connect/cloud-governed-management-for-on-premises.md +[phs-overview]: ../hybrid/connect/how-to-connect-password-hash-synchronization.md +[pta-overview]: ../hybrid/connect/how-to-connect-pta-how-it-works.md [sign-in-logs]: ../reports-monitoring/concept-sign-ins.md <!-- EXTERNAL LINKS --> |
active-directory | Howto Mfa Getstarted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-getstarted.md | Common use cases to require Azure AD Multi-Factor Authentication include: - To [specific applications](tutorial-enable-azure-mfa.md) - For [all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) - For [Azure management](../conditional-access/howto-conditional-access-policy-azure-management.md)-- From [network locations you don't trust](../conditional-access/untrusted-networks.md)+- From [network locations you don't trust](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) ### Named locations For a guided walkthrough of many of the recommendations in this article, see the ## Next steps -[Deploy other identity features](../fundamentals/deployment-plans.md) +[Deploy other identity features](../architecture/deployment-plans.md) |
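Review bot: the last bullet of the use-case list, "From network locations you don't trust", is retargeted from ../conditional-access/untrusted-networks.md to ../conditional-access/howto-conditional-access-policy-all-users-mfa.md, which is the same article the "For all users" bullet two lines above already links to; after this change two bullets with different text resolve to one page and the untrusted-network scenario loses its dedicated link. Point the bullet at an article that actually covers requiring MFA from untrusted network locations (the "Named locations" section that follows in this same file is the natural companion), or drop the bullet, rather than aliasing it to the all-users policy.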
active-directory | Howto Mfa Nps Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md | This step may already be complete on your tenant, but it's good to double-check 2. Select **Azure Active Directory** > **Azure AD Connect** 3. Verify that your sync status is **Enabled** and that your last sync was less than an hour ago. -If you need to kick off a new round of synchronization, see [Azure AD Connect sync: Scheduler](../hybrid/how-to-connect-sync-feature-scheduler.md#start-the-scheduler). +If you need to kick off a new round of synchronization, see [Azure AD Connect sync: Scheduler](../hybrid/connect/how-to-connect-sync-feature-scheduler.md#start-the-scheduler). ### Determine which authentication methods your users can use |
active-directory | Howto Mfa Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-reporting.md | The sign-ins report provides you with information about the usage of managed app - How many users are unable to complete the MFA challenge? - What are the common MFA issues end users are running into? -To view the sign-in activity report in the [Azure portal](https://portal.azure.com), complete the following steps. You can also query data using the [reporting API](../reports-monitoring/concept-reporting-api.md). +To view the sign-in activity report in the [Azure portal](https://portal.azure.com), complete the following steps. You can also query data using the [reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md). 1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions. 1. Search for and select **Azure Active Directory**, then choose **Users** from the menu on the left-hand side. |
active-directory | Howto Password Smart Lockout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-password-smart-lockout.md | Using smart lockout doesn't guarantee that a genuine user is never locked out. W Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS. -When using [pass-through authentication](../hybrid/how-to-connect-pta.md), the following considerations apply: +When using [pass-through authentication](../hybrid/connect/how-to-connect-pta.md), the following considerations apply: * The Azure AD lockout threshold is **less** than the AD DS account lockout threshold. Set the values so that the AD DS account lockout threshold is at least two or three times greater than the Azure AD lockout threshold. * The Azure AD lockout duration must be set longer than the AD DS account lockout duration. The Azure AD duration is set in seconds, while the AD duration is set in minutes. |
active-directory | Howto Sspr Authenticationdata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-authenticationdata.md | To use Azure Active Directory (Azure AD) self-service password reset (SSPR), aut You can pre-populate authentication contact information if you meet the following requirements: * You have properly formatted the data in your on-premises directory.-* You have configured [Azure AD Connect](../hybrid/how-to-connect-install-express.md) for your Azure AD tenant. +* You have configured [Azure AD Connect](../hybrid/connect/how-to-connect-install-express.md) for your Azure AD tenant. Phone numbers must be in the format *+CountryCode PhoneNumber*, such as *+1 4251234567*. |
active-directory | Howto Sspr Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-deployment.md | To reset the password, users go to the [password reset portal](https://aka.ms/ss * For hybrid users, SSPR writes back the password to the on-prem Active Directory via the Azure AD Connect service. -Note: For users who have [Password hash synchronization (PHS)](../hybrid/whatis-phs.md) disabled, SSPR stores the passwords in the on-prem Active Directory only. +Note: For users who have [Password hash synchronization (PHS)](../hybrid/connect/whatis-phs.md) disabled, SSPR stores the passwords in the on-prem Active Directory only. ### Best practices Consider your organizational needs while you determine the strategy for this dep ### Engage the right stakeholders -When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you are engaging the right stakeholders](../fundamentals/deployment-plans.md) and that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities. +When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you are engaging the right stakeholders](../architecture/deployment-plans.md) and that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities. #### Required administrator roles When technology projects fail, they typically do so due to mismatched expectatio ### Plan a pilot -We recommend that the initial configuration of SSPR is in a test environment. Start with a pilot group by enabling SSPR for a subset of users in your organization. See [Best practices for a pilot](../fundamentals/deployment-plans.md). 
+We recommend that the initial configuration of SSPR is in a test environment. Start with a pilot group by enabling SSPR for a subset of users in your organization. See [Best practices for a pilot](../architecture/deployment-plans.md). -To create a group, see how to [create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md). +To create a group, see how to [create a group and add members in Azure Active Directory](../fundamentals/how-to-manage-groups.md). ## Plan configuration At each stage of your deployment from initial pilot groups through organization- ### Plan testing -To ensure that your deployment works as expected, plan a set of test cases to validate the implementation. To assess the test cases, you need a non-administrator test user with a password. If you need to create a user, see [Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md). +To ensure that your deployment works as expected, plan a set of test cases to validate the implementation. To assess the test cases, you need a non-administrator test user with a password. If you need to create a user, see [Add new users to Azure Active Directory](../fundamentals/add-users.md). The following table includes useful test scenarios you can use to document your organizations expected results based on your policies. <br> |
active-directory | Troubleshoot Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-sspr-writeback.md | Or run the following: Invoke-WebRequest -Uri https://ssprdedicatedsbprodscu.servicebus.windows.net -Verbose ``` -For more information, see the [connectivity prerequisites for Azure AD Connect](../hybrid/how-to-connect-install-prerequisites.md). +For more information, see the [connectivity prerequisites for Azure AD Connect](../hybrid/connect/how-to-connect-install-prerequisites.md). ### Restart the Azure AD Connect Sync service The following more specific issues may occur with password writeback. If you hav | The password reset service doesn't start on-premises. Error 6800 appears in the Azure AD Connect machine's application event log. <br> <br> After onboarding, federated, pass-through authentication, or password-hash-synchronized users can't reset their passwords. | When password writeback is enabled, the sync engine calls the writeback library to perform the configuration (onboarding) by communicating to the cloud onboarding service. Any errors encountered during onboarding or while starting the Windows Communication Foundation (WCF) endpoint for password writeback results in errors in the event log, on your Azure AD Connect machine. <br> <br> During restart of the Azure AD Sync (ADSync) service, if writeback was configured, the WCF endpoint starts up. But, if the startup of the endpoint fails, we log event 6800 and let the sync service start up. The presence of this event means that the password writeback endpoint didn't start up. Event log details for this event 6800, along with event log entries generate by the PasswordResetService component, indicate why you can't start up the endpoint. Review these event log errors and try to restart the Azure AD Connect if password writeback still isn't working. If the problem persists, try to disable and then re-enable password writeback. 
| When a user attempts to reset a password or unlock an account with password writeback enabled, the operation fails. <br> <br> In addition, you see an event in the Azure AD Connect event log that contains: "Synchronization Engine returned an error hr=800700CE, message=The filename or extension is too long" after the unlock operation occurs. | Find the Active Directory account for Azure AD Connect and reset the password so that it contains no more than 256 characters. Next, open the **Synchronization Service** from the **Start** menu. Browse to **Connectors** and find the **Active Directory Connector**. Select it and then select **Properties**. Browse to the **Credentials** page and enter the new password. Select **OK** to close the page. | | At the last step of the Azure AD Connect installation process, you see an error indicating that password writeback couldn't be configured. <br> <br> The Azure AD Connect application event log contains error 32009 with the text "Error getting auth token." | This error occurs in the following two cases: <br><ul><li>You specified an incorrect password for the global administrator account provided at the beginning of the Azure AD Connect installation process.</li><li>You attempted to use a federated user for the global administrator account specified at the beginning of the Azure AD Connect installation process.</li></ul> To fix this problem, make sure that you're not using a federated account for the global administrator you specified at the beginning of the installation process, and that the password specified is correct. |-| The Azure AD Connect machine event log contains error 32002 that is thrown by running PasswordResetService. <br> <br> The error reads: "Error Connecting to ServiceBus. The token provider was unable to provide a security token." | Your on-premises environment isn't able to connect to the Azure Service Bus endpoint in the cloud. 
This error is normally caused by a firewall rule blocking an outbound connection to a particular port or web address. See [Connectivity prerequisites](../hybrid/how-to-connect-install-prerequisites.md) for more info. After you update these rules, restart the Azure AD Connect server and password writeback should start working again. | +| The Azure AD Connect machine event log contains error 32002 that is thrown by running PasswordResetService. <br> <br> The error reads: "Error Connecting to ServiceBus. The token provider was unable to provide a security token." | Your on-premises environment isn't able to connect to the Azure Service Bus endpoint in the cloud. This error is normally caused by a firewall rule blocking an outbound connection to a particular port or web address. See [Connectivity prerequisites](../hybrid/connect/how-to-connect-install-prerequisites.md) for more info. After you update these rules, restart the Azure AD Connect server and password writeback should start working again. | | After working for some time, federated, pass-through authentication, or password-hash-synchronized users can't reset their passwords. | In some rare cases, the password writeback service can fail to restart when Azure AD Connect has restarted. In these cases, first check if password writeback is enabled on-premises. You can check by using either the Azure AD Connect wizard or PowerShell. If the feature appears to be enabled, try enabling or disabling the feature again either. If this troubleshooting step doesn't work, try a complete uninstall and reinstall of Azure AD Connect. | | Federated, pass-through authentication, or password-hash-synchronized users who attempt to reset their passwords see an error after attempting to submit their password. The error indicates that there was a service problem. <br ><br> In addition to this problem, during password reset operations, you might see an error that the management agent was denied access in your on-premises event logs. 
| If you see these errors in your event log, confirm that the Active Directory Management Agent (ADMA) account that was specified in the wizard at the time of configuration has the necessary permissions for password writeback. <br> <br> After this permission is given, it can take up to one hour for the permissions to trickle down via the `sdprop` background task on the domain controller (DC). <br> <br> For password reset to work, the permission needs to be stamped on the security descriptor of the user object whose password is being reset. Until this permission shows up on the user object, password reset continues to fail with an access denied message. | | Federated, pass-through authentication, or password-hash-synchronized users who attempt to reset their passwords, see an error after they submit their password. The error indicates that there was a service problem. <br> <br> In addition to this problem, during password reset operations, you might see an error in your event logs from the Azure AD Connect service indicating an "Object could not be found" error. | This error usually indicates that the sync engine is unable to find either the user object in the Azure AD connector space or the linked metaverse (MV) or Azure AD connector space object. <br> <br> To troubleshoot this problem, make sure that the user is indeed synchronized from on-premises to Azure AD via the current instance of Azure AD Connect and inspect the state of the objects in the connector spaces and MV. Confirm that the Active Directory Certificate Services (AD CS) object is connected to the MV object via the "Microsoft.InfromADUserAccountEnabled.xxx" rule.| |
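Review bot: the hunk only updates the Connectivity prerequisites link in the error-32002 row, but the unchanged rows around it carry errors that should be fixed while the table is open. The last row expands "AD CS" as "Active Directory Certificate Services", which contradicts the same row's own diagnosis in terms of the Azure AD connector space and the metaverse (the object being checked is the Active Directory connector-space object, not anything to do with certificate services); the sync rule name "Microsoft.InfromADUserAccountEnabled.xxx" has "Infrom" where "In from" is evidently meant and should be checked against the actual rule name; and the row before it ends a sentence with a dangling "try enabling or disabling the feature again either."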
active-directory | Troubleshoot Sspr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-sspr.md | Many elements of the UI are hidden until they're needed. Make sure the option is On-premises password writeback is only visible if you've downloaded Azure AD Connect and have configured the feature. -For more information, see [Getting started with Azure AD Connect](../hybrid/how-to-connect-install-express.md). +For more information, see [Getting started with Azure AD Connect](../hybrid/connect/how-to-connect-install-express.md). ## SSPR reporting |
active-directory | Tutorial Configure Custom Password Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-configure-custom-password-protection.md | To complete this tutorial, you need the following resources and privileges: * If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * An account with *global administrator* privileges. * A non-administrator user with a password you know, such as *testuser*. You test a password change event using this account in this tutorial.- * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md). + * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users.md). * To test the password change operation using a banned password, the Azure AD tenant must be [configured for self-service password reset](tutorial-enable-sspr.md). ## What are banned password lists? |
active-directory | Tutorial Enable Azure Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-azure-mfa.md | To complete this tutorial, you need the following resources and privileges: * An account with *Conditional Access Administrator*, *Security Administrator*, or *Global Administrator* privileges. Some MFA settings can also be managed by an *Authentication Policy Administrator*. For more information, see [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). * A non-administrator account with a password that you know. For this tutorial, we created such an account, named *testuser*. In this tutorial, you test the end-user experience of configuring and using Azure AD Multi-Factor Authentication.- * If you need information about creating a user account, see [Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md). + * If you need information about creating a user account, see [Add or delete users using Azure Active Directory](../fundamentals/add-users.md). * A group that the non-administrator user is a member of. For this tutorial, we created such a group, named *MFA-Test-Group*. In this tutorial, you enable Azure AD Multi-Factor Authentication for this group.- * If you need more information about creating a group, see [Create a basic group and add members using Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md). + * If you need more information about creating a group, see [Create a basic group and add members using Azure Active Directory](../fundamentals/how-to-manage-groups.md). ## Create a Conditional Access policy |
active-directory | Tutorial Enable Cloud Sync Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md | Azure Active Directory Connect cloud sync can synchronize Azure AD password chan - An account with: - [Global Administrator](../roles/permissions-reference.md#global-administrator) role - Azure AD configured for self-service password reset. If needed, complete this tutorial to enable Azure AD SSPR. -- An on-premises AD DS environment configured with [Azure AD Connect cloud sync version 1.1.977.0 or later](../app-provisioning/provisioning-agent-release-version-history.md). Learn how to [identify the agent's current version](../cloud-sync/how-to-automatic-upgrade.md). If needed, configure Azure AD Connect cloud sync using [this tutorial](tutorial-enable-sspr.md). +- An on-premises AD DS environment configured with [Azure AD Connect cloud sync version 1.1.977.0 or later](../app-provisioning/provisioning-agent-release-version-history.md). Learn how to [identify the agent's current version](../hybrid/cloud-sync/how-to-automatic-upgrade.md). If needed, configure Azure AD Connect cloud sync using [this tutorial](tutorial-enable-sspr.md). ## Deployment steps For more information about how to validate or set up the appropriate permissions ## Next steps -- For more information about cloud sync and a comparison between Azure AD Connect and cloud sync, see [What is Azure AD Connect cloud sync?](../cloud-sync/what-is-cloud-sync.md)+- For more information about cloud sync and a comparison between Azure AD Connect and cloud sync, see [What is Azure AD Connect cloud sync?](../hybrid/cloud-sync/what-is-cloud-sync.md) - For a tutorial about setting up password writeback by using Azure AD Connect, see [Tutorial: Enable Azure Active Directory self-service password reset writeback to an on-premises environment](tutorial-enable-sspr-writeback.md). |
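Review bot: the agent-version link is correctly moved under ../hybrid/cloud-sync/, but the same bullet still says "If needed, configure Azure AD Connect cloud sync using [this tutorial](tutorial-enable-sspr.md)", and the bullet immediately above identifies that file as the tutorial for enabling SSPR, not for configuring cloud sync; that link should go to a cloud sync setup article (the Next steps hunk's ../hybrid/cloud-sync/what-is-cloud-sync.md target shows where those docs now live) rather than back to the SSPR tutorial.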
active-directory | Tutorial Enable Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-sspr-writeback.md | To complete this tutorial, you need the following resources and privileges: * Azure AD configured for self-service password reset. * If needed, [complete the previous tutorial to enable Azure AD SSPR](tutorial-enable-sspr.md). * An existing on-premises AD DS environment configured with a current version of Azure AD Connect.- * If needed, configure Azure AD Connect using the [Express](../hybrid/how-to-connect-install-express.md) or [Custom](../hybrid/how-to-connect-install-custom.md) settings. + * If needed, configure Azure AD Connect using the [Express](../hybrid/connect/how-to-connect-install-express.md) or [Custom](../hybrid/connect/how-to-connect-install-custom.md) settings. * To use password writeback, domain controllers can run any supported version of Windows Server. ## Configure account permissions for Azure AD Connect |
active-directory | Tutorial Enable Sspr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-sspr.md | To finish this tutorial, you need the following resources and privileges: * If needed, [create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * An account with *Global Administrator* or *Authentication Policy Administrator* privileges. * A non-administrator user with a password you know, like *testuser*. You'll test the end-user SSPR experience using this account in this tutorial.- * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md). + * If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users.md). * A group that the non-administrator user is a member of, likes *SSPR-Test-Group*. You'll enable SSPR for this group in this tutorial.- * If you need to create a group, see [Create a basic group and add members using Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md). + * If you need to create a group, see [Create a basic group and add members using Azure Active Directory](../fundamentals/how-to-manage-groups.md). ## Enable self-service password reset |
active-directory | Active Directory Acs Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/active-directory-acs-migration.md | At a high level, *Azure Active Directory is probably the best choice for your mi If you decide that Azure AD is the best migration path for your applications and services, you should be aware of two ways to integrate your app with Azure AD. -To use WS-Federation or WIF to integrate with Azure AD, we recommend following the approach described in [Configure federated single sign-on for a non-gallery application](../manage-apps/configure-saml-single-sign-on.md). The article refers to configuring Azure AD for SAML-based single sign-on, but also works for configuring WS-Federation. Following this approach requires an Azure AD Premium license. This approach has two advantages: +To use WS-Federation or WIF to integrate with Azure AD, we recommend following the approach described in [Configure federated single sign-on for a non-gallery application](../develop/single-sign-on-saml-protocol.md). The article refers to configuring Azure AD for SAML-based single sign-on, but also works for configuring WS-Federation. Following this approach requires an Azure AD Premium license. This approach has two advantages: - You get the full flexibility of Azure AD token customization. You can customize the claims that are issued by Azure AD to match the claims that are issued by Access Control. This especially includes the user ID or Name Identifier claim. To continue to receive consistent user IDentifiers for your users after you change technologies, ensure that the user IDs issued by Azure AD match those issued by Access Control. - You can configure a token-signing certificate that is specific to your application, and with a lifetime that you control. 
To use WS-Federation or WIF to integrate with Azure AD, we recommend following t An alternative approach is to follow [this code sample](https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation), which gives slightly different instructions for setting up WS-Federation. This code sample does not use WIF, but rather, the ASP.NET 4.5 OWIN middleware. However, the instructions for app registration are valid for apps using WIF, and don't require an Azure AD Premium license. -If you choose this approach, you need to understand [signing key rollover in Azure AD](../develop/active-directory-signing-key-rollover.md). This approach uses the Azure AD global signing key to issue tokens. By default, WIF does not automatically refresh signing keys. When Azure AD rotates its global signing keys, your WIF implementation needs to be prepared to accept the changes. For more information, see [Important information about signing key rollover in Azure AD](/previous-versions/azure/dn641920(v=azure.100)). +If you choose this approach, you need to understand [signing key rollover in Azure AD](../develop/signing-key-rollover.md). This approach uses the Azure AD global signing key to issue tokens. By default, WIF does not automatically refresh signing keys. When Azure AD rotates its global signing keys, your WIF implementation needs to be prepared to accept the changes. For more information, see [Important information about signing key rollover in Azure AD](/previous-versions/azure/dn641920(v=azure.100)). If you can integrate with Azure AD via the OpenID Connect or OAuth protocols, we recommend doing so. We have extensive documentation and guidance about how to integrate Azure AD into your web application available in our [Azure AD developer guide](../develop/index.yml). |
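Review bot: the link text "Configure federated single sign-on for a non-gallery application" is kept unchanged while the target moves from `../manage-apps/configure-saml-single-sign-on.md` to `../develop/single-sign-on-saml-protocol.md`, so the text now names a how-to article but points at a protocol reference; either update the link text to match the new target or confirm the new page still carries the configuration steps the next sentence refers to ("The article refers to configuring Azure AD for SAML-based single sign-on"). Minor, in the same context block: "consistent user IDentifiers" should read "consistent user identifiers".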
active-directory | Active Directory Authentication Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/active-directory-authentication-libraries.md | The Azure Active Directory Authentication Library (ADAL) v1.0 enables applicatio > [!WARNING]-> Azure Active Directory Authentication Library (ADAL) has been deprecated. Please use the [Microsoft Authentication Library (MSAL)](/entr). +> Azure Active Directory Authentication Library (ADAL) has been deprecated. Please use the [Microsoft Authentication Library (MSAL)](/entr). ## Microsoft-supported Client Libraries |
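Review bot: the removed and added lines of the ADAL warning are identical in the visible text, so the change is not apparent (possibly whitespace only), and the MSAL link target `/entr` looks cut off; confirm the intended target before merging, since this is the only pointer readers get from a deprecation warning.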
active-directory | App Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/app-types.md | These are the five primary application scenarios supported by Azure AD: Follow the links to learn more about each type of app and understand the high-level scenarios before you start working with the code. You can also learn about the differences you need to know when writing a particular app that works with the v1.0 endpoint or v2.0 endpoint. > [!NOTE]-> The v2.0 endpoint doesn't support all Azure AD scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](./azure-ad-endpoint-comparison.md?bc=%2fazure%2factive-directory%2fazuread-dev%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fazuread-dev%2ftoc.json). +> The v2.0 endpoint doesn't support all Azure AD scenarios and features. To determine whether you should use the v2.0 endpoint, read about [v2.0 limitations](./azure-ad-endpoint-comparison.md?bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json&toc=/azure/active-directory/azuread-dev/toc.json). You can develop any of the apps and scenarios described here using various languages and platforms. They are all backed by complete code samples available in the code samples guide: [v1.0 code samples by scenario](sample-v1-code.md) and [v2.0 code samples by scenario](../develop/sample-v2-code.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). You can also download the code samples directly from the corresponding [GitHub sample repositories](https://github.com/Azure-Samples?q=active-directory). 
For details, learn how to [register an app](../develop/quickstart-register-app.m Provisioning becomes clearer when you understand that there are two categories of applications that can be developed and integrated with Azure AD: * **Single tenant application** - A single tenant application is intended for use in one organization. These are typically line-of-business (LoB) applications written by an enterprise developer. A single tenant application only needs to be accessed by users in one directory, and as a result, it only needs to be provisioned in one directory. These applications are typically registered by a developer in the organization.-* **Multi-tenant application** - A multi-tenant application is intended for use in many organizations, not just one organization. These are typically software-as-a-service (SaaS) applications written by an independent software vendor (ISV). Multi-tenant applications need to be provisioned in each directory where they will be used, which requires user or administrator consent to register them. This consent process starts when an application has been registered in the directory and is given access to the Graph API or perhaps another web API. When a user or administrator from a different organization signs up to use the application, they are presented with a dialog that displays the permissions the application requires. The user or administrator can then consent to the application, which gives the application access to the stated data, and finally registers the application in their directory. For more information, see [Overview of the Consent Framework](../develop/consent-framework.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). +* **Multi-tenant application** - A multi-tenant application is intended for use in many organizations, not just one organization. These are typically software-as-a-service (SaaS) applications written by an independent software vendor (ISV). 
Multi-tenant applications need to be provisioned in each directory where they will be used, which requires user or administrator consent to register them. This consent process starts when an application has been registered in the directory and is given access to the Graph API or perhaps another web API. When a user or administrator from a different organization signs up to use the application, they are presented with a dialog that displays the permissions the application requires. The user or administrator can then consent to the application, which gives the application access to the stated data, and finally registers the application in their directory. For more information, see [Overview of the Consent Framework](../develop/application-consent-experience.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). ### Additional considerations when developing single tenant or multi-tenant apps Each scenario listed in this document includes a subsection that describes its p ## Next steps -- Learn more about other Azure AD [authentication basics](v1-authentication-scenarios.md)+- Learn more about other Azure AD [authentication basics](v1-authentication-scenarios.md) |
active-directory | Azure Ad Endpoint Comparison | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/azure-ad-endpoint-comparison.md | The permissions set directly on the application registration are **static**. Whi * The app needs to know all of the resources it would ever access ahead of time. It was difficult to create apps that could access an arbitrary number of resources. -With the Microsoft identity platform endpoint, you can ignore the static permissions defined in the app registration information in the Azure portal and request permissions incrementally instead, which means asking for a bare minimum set of permissions upfront and growing more over time as the customer uses additional app features. To do so, you can specify the scopes your app needs at any time by including the new scopes in the `scope` parameter when requesting an access token - without the need to pre-define them in the application registration information. If the user hasn't yet consented to new scopes added to the request, they'll be prompted to consent only to the new permissions. To learn more, see [permissions, consent, and scopes](../develop/v2-permissions-and-consent.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). +With the Microsoft identity platform endpoint, you can ignore the static permissions defined in the app registration information in the Azure portal and request permissions incrementally instead, which means asking for a bare minimum set of permissions upfront and growing more over time as the customer uses additional app features. To do so, you can specify the scopes your app needs at any time by including the new scopes in the `scope` parameter when requesting an access token - without the need to pre-define them in the application registration information. 
If the user hasn't yet consented to new scopes added to the request, they'll be prompted to consent only to the new permissions. To learn more, see [permissions, consent, and scopes](../develop/permissions-consent-overview.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). Allowing an app to request permissions dynamically through the `scope` parameter gives developers full control over your user's experience. You can also front load your consent experience and ask for all permissions in one initial authorization request. If your app requires a large number of permissions, you can gather those permissions from the user incrementally as they try to use certain features of the app over time. Apps using the Microsoft identity platform endpoint may require the use of a new If your app doesn't request the `offline_access` scope, it won't receive refresh tokens. This means that when you redeem an authorization code in the OAuth 2.0 authorization code flow, you'll only receive back an access token from the `/token` endpoint. That access token remains valid for a short period of time (typically one hour), but will eventually expire. At that point in time, your app will need to redirect the user back to the `/authorize` endpoint to retrieve a new authorization code. During this redirect, the user may or may not need to enter their credentials again or reconsent to permissions, depending on the type of app. -To learn more about OAuth 2.0, `refresh_tokens`, and `access_tokens`, check out the [Microsoft identity platform protocol reference](../develop/active-directory-v2-protocols.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). 
+To learn more about OAuth 2.0, `refresh_tokens`, and `access_tokens`, check out the [Microsoft identity platform protocol reference](../develop/v2-protocols.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). ### OpenID, profile, and email The information that the `openid` scope affords your app access to is now restri * The `email` scope allows your app access to the user's primary email address through the `email` claim in the id_token, assuming the user has an addressable email address. * The `profile` scope affords your app access to all other basic information about the user, such as their name, preferred username, object ID, and so on, in the id_token. -These scopes allow you to code your app in a minimal-disclosure fashion so you can only ask the user for the set of information that your app needs to do its job. For more information on these scopes, see [the Microsoft identity platform scope reference](../develop/v2-permissions-and-consent.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). +These scopes allow you to code your app in a minimal-disclosure fashion so you can only ask the user for the set of information that your app needs to do its job. For more information on these scopes, see [the Microsoft identity platform scope reference](../develop/permissions-consent-overview.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). ## Token claims -The Microsoft identity platform endpoint issues a smaller set of claims in its tokens by default to keep payloads small. 
If you have apps and services that have a dependency on a particular claim in a v1.0 token that is no longer provided by default in a Microsoft identity platform token, consider using the [optional claims](../develop/active-directory-optional-claims.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) feature to include that claim. +The Microsoft identity platform endpoint issues a smaller set of claims in its tokens by default to keep payloads small. If you have apps and services that have a dependency on a particular claim in a v1.0 token that is no longer provided by default in a Microsoft identity platform token, consider using the [optional claims](../develop/optional-claims.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) feature to include that claim. > [!IMPORTANT] > v1.0 and v2.0 tokens can be issued by both the v1.0 and v2.0 endpoints! id_tokens *always* match the endpoint they're requested from, and access tokens *always* match the format expected by the Web API your client will call using that token. So if your app uses the v2.0 endpoint to get a token to call Microsoft Graph, which expects v1.0 format access tokens, your app will receive a token in the v1.0 format. Currently, library support for the Microsoft identity platform endpoint is limit * If you're building a web application, you can safely use the generally available server-side middleware to do sign-in and token validation. These include the OWIN OpenID Connect middleware for ASP.NET and the Node.js Passport plug-in. For code samples that use Microsoft middleware, see the [Microsoft identity platform getting started](../develop/v2-overview.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json#getting-started) section. 
* If you're building a desktop or mobile application, you can use one of the Microsoft Authentication Libraries (MSAL). These libraries are generally available or in a production-supported preview, so it is safe to use them in production applications. You can read more about the terms of the preview and the available libraries in [authentication libraries reference](../develop/reference-v2-libraries.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).-* For platforms not covered by Microsoft libraries, you can integrate with the Microsoft identity platform endpoint by directly sending and receiving protocol messages in your application code. The OpenID Connect and OAuth protocols [are explicitly documented](../develop/active-directory-v2-protocols.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) to help you do such an integration. +* For platforms not covered by Microsoft libraries, you can integrate with the Microsoft identity platform endpoint by directly sending and receiving protocol messages in your application code. The OpenID Connect and OAuth protocols [are explicitly documented](../develop/v2-protocols.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) to help you do such an integration. * Finally, you can use open-source OpenID Connect and OAuth libraries to integrate with the Microsoft identity platform endpoint. The Microsoft identity platform endpoint should be compatible with many open-source protocol libraries without changes. The availability of these kinds of libraries varies by language and platform. The [OpenID Connect](https://openid.net/connect/) and [OAuth 2.0](https://oauth.net/2/) websites maintain a list of popular implementations. 
For more information, see [Microsoft identity platform and authentication libraries](../develop/reference-v2-libraries.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json), and the list of open-source client libraries and samples that have been tested with the Microsoft identity platform endpoint. * For reference, the `.well-known` endpoint for the Microsoft identity platform common endpoint is `https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration`. Replace `common` with your tenant ID to get data specific to your tenant. The Microsoft identity platform endpoint does not support SAML or WS-Federation; * The `scope` parameter is now supported in place of the `resource` parameter. * Many responses have been modified to make them more compliant with the OAuth 2.0 specification, for example, correctly returning `expires_in` as an int instead of a string. -To better understand the scope of protocol functionality supported in the Microsoft identity platform endpoint, see [OpenID Connect and OAuth 2.0 protocol reference](../develop/active-directory-v2-protocols.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). +To better understand the scope of protocol functionality supported in the Microsoft identity platform endpoint, see [OpenID Connect and OAuth 2.0 protocol reference](../develop/v2-protocols.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). #### SAML usage -If you've used Active Directory Authentication Library (ADAL) in Windows applications, you might have taken advantage of Windows Integrated authentication, which uses the Security Assertion Markup Language (SAML) assertion grant. With this grant, users of federated Azure AD tenants can silently authenticate with their on-premises Active Directory instance without entering credentials. 
While [SAML is still a supported protocol](../develop/active-directory-saml-protocol-reference.md) for use with enterprise users, the v2.0 endpoint is only for use with OAuth 2.0 applications. +If you've used Active Directory Authentication Library (ADAL) in Windows applications, you might have taken advantage of Windows Integrated authentication, which uses the Security Assertion Markup Language (SAML) assertion grant. With this grant, users of federated Azure AD tenants can silently authenticate with their on-premises Active Directory instance without entering credentials. While [SAML is still a supported protocol](../develop/saml-protocol-reference.md) for use with enterprise users, the v2.0 endpoint is only for use with OAuth 2.0 applications. ## Next steps |
active-directory | Conditional Access Dev Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/conditional-access-dev-guide.md | Developers can take this challenge and append it onto a new request to Azure AD. ### Prerequisites -Azure AD Conditional Access is a feature included in [Azure AD Premium](../fundamentals/active-directory-whatis.md). You can learn more about licensing requirements in the [unlicensed usage report](../reports-monitoring/overview-reports.md). Developers can join the [Microsoft Developer Network](/), which includes a free subscription to the Enterprise Mobility Suite, which includes Azure AD Premium. +Azure AD Conditional Access is a feature included in [Azure AD Premium](../fundamentals/whatis.md). You can learn more about licensing requirements in the [unlicensed usage report](../reports-monitoring/overview-reports.md). Developers can join the [Microsoft Developer Network](/), which includes a free subscription to the Enterprise Mobility Suite, which includes Azure AD Premium. ### Considerations for specific scenarios To try out this scenario, see our [JS SPA On-behalf-of code sample](https://gith * To learn more about the capabilities, see [Conditional Access in Azure Active Directory](../conditional-access/overview.md). * For more Azure AD code samples, see [GitHub repo of code samples](https://github.com/azure-samples?utf8=%E2%9C%93&q=active-directory). * For more info on the ADAL SDK's and access the reference documentation, see [library guide](active-directory-authentication-libraries.md).-* To learn more about multi-tenant scenarios, see [How to sign in users using the multi-tenant pattern](../develop/howto-convert-app-to-be-multi-tenant.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). 
+* To learn more about multi-tenant scenarios, see [How to sign in users using the multi-tenant pattern](../develop/howto-convert-app-to-be-multi-tenant.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). |
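Review bot: in the Prerequisites hunk the unchanged context line links "Microsoft Developer Network" to `/`, which resolves to the site root rather than a developer program page; since the adjacent Azure AD Premium link is being retargeted to `../fundamentals/whatis.md` in the same line, fix or remove that link at the same time. The Next steps change only re-emits the multi-tenant bullet with no visible difference, so it is likely a line-ending or whitespace change.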
active-directory | Sample V1 Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/sample-v1-code.md | This section provides links to samples you can use to learn more about the Azure > If you are interested in Azure AD V2 code samples, see [v2.0 code samples by scenario](../develop/sample-v2-code.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json). > [!WARNING]-> Support for Active Directory Authentication Library (ADAL) will end in December, 2022. Apps using ADAL on existing OS versions will continue to work, but technical support and security updates will end. Without continued security updates, apps using ADAL will become increasingly vulnerable to the latest security attack patterns. For more information, see [Migrate apps to MSAL](..\develop\msal-migration.md). +> Support for Active Directory Authentication Library (ADAL) will end in December, 2022. Apps using ADAL on existing OS versions will continue to work, but technical support and security updates will end. Without continued security updates, apps using ADAL will become increasingly vulnerable to the latest security attack patterns. For more information, see [Migrate apps to MSAL](../develop/msal-migration.md). To understand the basic scenario for each sample type, see [Authentication scenarios for Azure AD](v1-authentication-scenarios.md). |
active-directory | V1 Oauth2 Client Creds Grant Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.md | A service-to-service access token request with a certificate contains the follow | grant_type |required |Specifies the requested response type. In a Client Credentials Grant flow, the value must be **client_credentials**. | | client_id |required |Specifies the Azure AD client id of the calling web service. To find the calling application's client ID, in the [Azure portal](https://portal.azure.com), click **Azure Active Directory**, click **App registrations**, click the application. The client_id is the *Application ID* | | client_assertion_type |required |The value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |-| client_assertion |required | An assertion (a JSON Web Token) that you need to create and sign with the certificate you registered as credentials for your application. Read about [certificate credentials](../develop/active-directory-certificate-credentials.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) to learn how to register your certificate and the format of the assertion.| +| client_assertion |required | An assertion (a JSON Web Token) that you need to create and sign with the certificate you registered as credentials for your application. Read about [certificate credentials](../develop/certificate-credentials.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) to learn how to register your certificate and the format of the assertion.| | resource | required |Enter the App ID URI of the receiving web service. To find the App ID URI, in the Azure portal, click **Azure Active Directory**, click **App registrations**, click the service application, and then click **Settings** and **Properties**. 
| Notice that the parameters are almost the same as in the case of the request by shared secret except that |
active-directory | V1 Oauth2 On Behalf Of Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/v1-oauth2-on-behalf-of-flow.md | A service-to-service access token request with a certificate contains the follow | assertion |required | The value of the token used in the request. | | client_id |required | The app ID assigned to the calling service during registration with Azure AD. To find the app ID in the Azure portal, select **Active Directory**, choose the directory, and then select the application name. | | client_assertion_type |required |The value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |-| client_assertion |required | A JSON Web Token that you create and sign with the certificate you registered as credentials for your application. See [certificate credentials](../develop/active-directory-certificate-credentials.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) to learn about assertion format and about how to register your certificate.| +| client_assertion |required | A JSON Web Token that you create and sign with the certificate you registered as credentials for your application. See [certificate credentials](../develop/certificate-credentials.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) to learn about assertion format and about how to register your certificate.| | resource |required | The app ID URI of the receiving service (secured resource). To find the app ID URI in the Azure portal, select **Active Directory** and choose the directory. Select the application name, choose **All settings**, and then select **Properties**. | | requested_token_use |required | Specifies how the request should be processed. In the On-Behalf-Of flow, the value must be **on_behalf_of**. | | scope |required | A space separated list of scopes for the token request. 
For OpenID Connect, the scope **openid** must be specified.| Public clients with wildcard reply URLs can't use an `id_token` for OBO flows. H Learn more about the OAuth 2.0 protocol and another way to perform service-to-service authentication that uses client credentials: * [Service to service authentication using OAuth 2.0 client credentials grant in Azure AD](v1-oauth2-client-creds-grant-flow.md)-* [OAuth 2.0 in Azure AD](v1-protocols-oauth-code.md) +* [OAuth 2.0 in Azure AD](v1-protocols-oauth-code.md) |
active-directory | V1 Permissions Consent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/v1-permissions-consent.md | Azure Active Directory (Azure AD) makes extensive use of permissions for both OA Azure AD defines two kinds of permissions: * **Delegated permissions** - Are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to an API. Depending on the API, the user may not be able to consent to the API directly and would instead [require an administrator to provide "admin consent"](../develop/howto-convert-app-to-be-multi-tenant.md).-* **Application permissions** - Are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be [consented to by administrators](../develop/v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant) because they are typically powerful and allow access to data across user-boundaries, or data that would otherwise be restricted to administrators. Users who are defined as owners of the resource application (i.e. the API which publishes the permissions) are also allowed to grant application permissions for the APIs they own. +* **Application permissions** - Are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be [consented to by administrators](../develop/permissions-consent-overview.md) because they are typically powerful and allow access to data across user-boundaries, or data that would otherwise be restricted to administrators. Users who are defined as owners of the resource application (i.e. the API which publishes the permissions) are also allowed to grant application permissions for the APIs they own. 
Effective permissions are the permissions that your app will have when making requests to an API. Applications in Azure AD rely on consent in order to gain access to necessary re * **Static user consent** - Occurs automatically during the [OAuth 2.0 authorize flow](v1-protocols-oauth-code.md#request-an-authorization-code) when you specify the resource that your app wants to interact with. In the static user consent scenario, your app must have already specified all the permissions it needs in the app's configuration in the Azure portal. If the user (or administrator, as appropriate) has not granted consent for this app, then Azure AD will prompt the user to provide consent at this time. Learn more about registering an Azure AD app that requests access to a static set of APIs.-* **Dynamic user consent** - Is a feature of the v2 Azure AD app model. In this scenario, your app requests a set of permissions that it needs in the [OAuth 2.0 authorize flow for v2 apps](../develop/v2-permissions-and-consent.md#requesting-individual-user-consent). If the user has not consented already, they will be prompted to consent at this time. [Learn more about dynamic consent](./azure-ad-endpoint-comparison.md#incremental-and-dynamic-consent). +* **Dynamic user consent** - Is a feature of the v2 Azure AD app model. In this scenario, your app requests a set of permissions that it needs in the [OAuth 2.0 authorize flow for v2 apps](../develop/permissions-consent-overview.md#requesting-individual-user-consent). If the user has not consented already, they will be prompted to consent at this time. [Learn more about dynamic consent](./azure-ad-endpoint-comparison.md#incremental-and-dynamic-consent). > [!IMPORTANT] > Dynamic consent can be convenient, but presents a big challenge for permissions that require admin consent, since the admin consent experience doesn't know about those permissions at consent time. 
If you require admin privileged permissions or if your app uses dynamic consent, you must register all of the permissions in the Azure portal (not just the subset of permissions that require admin consent). This enables tenant admins to consent on behalf of all their users. -* **Admin consent** - Is required when your app needs access to certain high-privilege permissions. Admin consent ensures that administrators have some additional controls before authorizing apps or users to access highly privileged data from the organization. [Learn more about how to grant admin consent](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint). +* **Admin consent** - Is required when your app needs access to certain high-privilege permissions. Admin consent ensures that administrators have some additional controls before authorizing apps or users to access highly privileged data from the organization. [Learn more about how to grant admin consent](../develop/permissions-consent-overview.md). ## Best practices Applications in Azure AD rely on consent in order to gain access to necessary re For example: - Mail.Read - Allows users to read mail. - Mail.ReadWrite - Allows users to read or write mail.- - Mail.ReadWrite.All - Allows an administrator or user to access all mail in the organization. + - Mail.ReadWrite.All - Allows an administrator or user to access all mail in the organization. |
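Review bot: the anchor handling is inconsistent across the three retargeted links to `../develop/permissions-consent-overview.md`: the Application permissions bullet drops `#requesting-consent-for-an-entire-tenant` and the Admin consent bullet drops `#using-the-admin-consent-endpoint`, but the Dynamic user consent bullet keeps `#requesting-individual-user-consent`. Verify that the retained anchor exists on the new overview page, or drop it as well so all three links behave the same way.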
active-directory | V1 Protocols Openid Connect Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/v1-protocols-openid-connect-code.md | The metadata is a simple JavaScript Object Notation (JSON) document. See the fol } ``` -If your app has custom signing keys as a result of using the [claims-mapping](../develop/active-directory-claims-mapping.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) feature, you must append an `appid` query parameter containing the app ID in order to get a `jwks_uri` pointing to your app's signing key information. For example: `https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e` contains a `jwks_uri` of `https://login.microsoftonline.com/{tenant}/discovery/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e`. +If your app has custom signing keys as a result of using the [claims-mapping](../develop/saml-claims-customization.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json) feature, you must append an `appid` query parameter containing the app ID in order to get a `jwks_uri` pointing to your app's signing key information. For example: `https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e` contains a `jwks_uri` of `https://login.microsoftonline.com/{tenant}/discovery/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e`. ## Send the sign-in request |
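Review bot: the retargeted link in the `+` line points "claims-mapping" at `../develop/saml-claims-customization.md`, but the sentence it sits in is about JWT signing keys and the `appid`-qualified `jwks_uri`, which is OpenID Connect behaviour; a SAML claims article will not explain to a reader why their OIDC tokens are signed with a per-app key. Point it at the claims-mapping guidance that applies to JWT/OIDC tokens if one exists, or drop the link. Worth tightening in the same sentence: the default `/discovery/keys` document does not carry the app-specific key (which is why the text says `appid` is required), so a validator that caches only the default key set will fail signature checks for such apps; say that the `appid` parameter belongs in the key-discovery configuration, not just in the example URL.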
active-directory | Onboard Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md | To enable Controller mode **On** for any projects, add these roles to the specif - Role Administrators - Security Admin -The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GPC console. +The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GCP console. 3. Select **Next**. #### Option 2: Enter authorization systems -You have the ability to specify only certain GCP member projects to manage and monitor with MEPM (up to 100 per collector). Follow the steps to configure these GCP member projects to be monitored: +You have the ability to specify only certain GCP member projects to manage and monitor with Permissions Management (up to 100 per collector). Follow the steps to configure these GCP member projects to be monitored: 1. In the **Permissions Management Onboarding - GCP Project Ids** page, enter the **Project IDs**. You can enter up to comma separated 100 GCP project IDs. To enable Controller mode **On** for any projects, add these roles to the specif - Role Administrators - Security Admin -The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GPC console. +The required commands to run in Google Cloud Shell are listed in the Manage Authorization screen for each scope of a project, folder or organization. This is also configured in the GCP console. 3. Select **Next**. |
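Review bot: the `GPC` to `GCP` and `MEPM` to `Permissions Management` fixes are correct, and the `GPC` line is corrected at both places it occurs. While the Option 2 paragraph is being touched, the unchanged context line one below the `+` line, "You can enter up to comma separated 100 GCP project IDs.", should read "You can enter up to 100 comma-separated GCP project IDs."; it will otherwise stay as it is.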
active-directory | Product Data Sources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-data-sources.md | You can use the **Data Collectors** dashboard in Permissions Management to view ## Next steps -- To view an inventory of created resources and licensing information for your authorization system, see [Display an inventory of created resources and licenses for your authorization system](product-data-inventory.md)+- To view an inventory of created resources and licensing information for your authorization system, see [Display an inventory of created resources and licenses for your authorization system](./product-data-billable-resources.md) |
active-directory | Concept Conditional Access Conditions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-conditions.md | If the access control assigned to the policy uses **Require approved client app* For more information, see the following articles: - [Block legacy authentication with Conditional Access](block-legacy-authentication.md)-- [Requiring approved client apps with Conditional Access](app-based-conditional-access.md)+- [Requiring approved client apps with Conditional Access](./howto-policy-approved-app-or-app-protection.md) ### Other clients |
active-directory | Concept Conditional Access Grant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-grant.md | Administrators can choose to enforce one or more controls when granting access. - [Require authentication strength](#require-authentication-strength) - [Require device to be marked as compliant (Microsoft Intune)](/intune/protect/device-compliance-get-started) - [Require hybrid Azure AD joined device](../devices/concept-hybrid-join.md)-- [Require approved client app](app-based-conditional-access.md)-- [Require app protection policy](app-protection-based-conditional-access.md)+- [Require approved client app](./howto-policy-approved-app-or-app-protection.md) +- [Require app protection policy](./howto-policy-approved-app-or-app-protection.md) - [Require password change](#require-password-change) When administrators choose to combine these options, they can use the following methods: The following client apps support this setting. This list isn't exhaustive and i - Conditional Access can't consider Microsoft Edge in InPrivate mode an approved client app. - Conditional Access policies that require Microsoft Power BI as an approved client app don't support using Azure AD Application Proxy to connect the Power BI mobile app to the on-premises Power BI Report Server. -See [Require approved client apps for cloud app access with Conditional Access](app-based-conditional-access.md) for configuration examples. +See [Require approved client apps for cloud app access with Conditional Access](./howto-policy-approved-app-or-app-protection.md) for configuration examples. ### Require app protection policy The following client apps support this setting. This list isn't exhaustive and i > [!NOTE] > Kaizala, Skype for Business, and Visio don't support the **Require app protection policy** grant. If you require these apps to work, use the **Require approved apps** grant exclusively. 
Using the "or" clause between the two grants will not work for these three applications. -See [Require app protection policy and an approved client app for cloud app access with Conditional Access](app-protection-based-conditional-access.md) for configuration examples. +See [Require app protection policy and an approved client app for cloud app access with Conditional Access](./howto-policy-approved-app-or-app-protection.md) for configuration examples. ### Require password change |
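Review bot: in the grant-control list both `+` lines, **Require approved client app** and **Require app protection policy**, now resolve to the same page, `howto-policy-approved-app-or-app-protection.md`, and the two "See ... for configuration examples" sentences further down do the same. If that page has separate sections for the two grants, add anchors so each link lands on the right one; the note just above the second link (Kaizala, Skype for Business and Visio only support the approved-app grant, and the "or" clause between the two grants does not help) is exactly the case where a reader needs to be taken to the approved-app section rather than the page top.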
active-directory | Concept Conditional Access Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-policies.md | The article [Common Conditional Access policies](concept-conditional-access-poli ## Next steps -[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json#create-a-conditional-access-policy) +[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json#create-a-conditional-access-policy) [Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md) |
active-directory | Concept Continuous Access Evaluation Workload | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md | -Continuous access evaluation (CAE) for [workload identities](../develop/workload-identities-overview.md) provides security benefits to your organization. It enables real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for workload identities. +Continuous access evaluation (CAE) for [workload identities](../workload-identities/workload-identities-overview.md) provides security benefits to your organization. It enables real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for workload identities. Continuous access evaluation doesn't currently support managed identities. |
active-directory | Howto Conditional Access Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md | When administrators select **Every time**, it will require full reauthentication A persistent browser session allows users to remain signed in after closing and reopening their browser window. -The Azure AD default for browser session persistence allows users on personal devices to choose whether to persist the session by showing a ΓÇ£Stay signed in?ΓÇ¥ prompt after successful authentication. If browser persistence is configured in AD FS using the guidance in the article [AD FS single sign-on settings](/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online), we'll comply with that policy and persist the Azure AD session as well. You can also configure whether users in your tenant see the ΓÇ£Stay signed in?ΓÇ¥ prompt by changing the appropriate setting in the [company branding pane](../fundamentals/customize-branding.md). +The Azure AD default for browser session persistence allows users on personal devices to choose whether to persist the session by showing a ΓÇ£Stay signed in?ΓÇ¥ prompt after successful authentication. If browser persistence is configured in AD FS using the guidance in the article [AD FS single sign-on settings](/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings#enable-psso-for-office-365-users-to-access-sharepoint-online), we'll comply with that policy and persist the Azure AD session as well. You can also configure whether users in your tenant see the ΓÇ£Stay signed in?ΓÇ¥ prompt by changing the appropriate setting in the [company branding pane](../fundamentals/how-to-customize-branding.md). In persistent browsers, cookies stay stored in the userΓÇÖs device even after a user closes the browser. 
These cookies could have access to Azure Active Directory artifacts, and those artifacts are useable until token expiry regardless of the Conditional Access policies placed on the resource environment. So, token caching can be in direct violation of desired security policies for authentication. While it may seem convenient to store tokens beyond the current session, doing so can create a security vulnerability by allowing unauthorized access to Azure Active Directory artifacts. |
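Review bot: the `+` line in the persistent-browser-session paragraph keeps the mojibake around the "Stay signed in?" prompt (`ΓÇ£Stay signed in?ΓÇ¥`, twice), and the context line below it has `userΓÇÖs`; since this line is already being rewritten for the branding link, replace those sequences with plain quotes and an apostrophe in the same commit. The link retarget to `../fundamentals/how-to-customize-branding.md` itself is fine.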
active-directory | Plan Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/plan-conditional-access.md | Microsoft provides [security defaults](../fundamentals/security-defaults.md) tha * Create or modify Conditional Access policies * [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) * [Security Administrator](../roles/permissions-reference.md#security-administrator)-* A test user (non-administrator) that allows you to verify policies work as expected before deploying to real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md). -* A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md). +* A test user (non-administrator) that allows you to verify policies work as expected before deploying to real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users.md). +* A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/how-to-manage-groups.md). ### Communicating change Perform each test in your test plan with test users. The test plan is important | Policy | Scenario | Expected Result | |||| | [Risky sign-ins](../identity-protection/howto-identity-protection-configure-risk-policies.md) | User signs into App using an unapproved browser | Calculates a risk score based on the probability that the sign-in wasn't performed by the user. 
Requires user to self-remediate using MFA |-| [Device management](require-managed-devices.md) | Authorized user attempts to sign in from an authorized device | Access granted | -| [Device management](require-managed-devices.md) | Authorized user attempts to sign in from an unauthorized device | Access blocked | +| [Device management](./concept-conditional-access-grant.md) | Authorized user attempts to sign in from an authorized device | Access granted | +| [Device management](./concept-conditional-access-grant.md) | Authorized user attempts to sign in from an unauthorized device | Access blocked | | [Password change for risky users](../identity-protection/howto-identity-protection-configure-risk-policies.md) | Authorized user attempts to sign in with compromised credentials (high risk sign-in) | User is prompted to change password or access is blocked based on your policy | ### Deploy in production |
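Review bot: the two **Device management** rows in the test-plan table now link to `./concept-conditional-access-grant.md`, the page that lists every grant control, instead of a managed-devices how-to. The scenarios in those rows (authorized device, access granted; unauthorized device, access blocked) are implemented by the **Require device to be marked as compliant** and **Require hybrid Azure AD joined device** grants, so link to those sections with anchors; otherwise the reader has to work out which grant the test exercises.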
active-directory | Require Tou | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/require-tou.md | To complete the scenario in this quickstart, you need: - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. You can sign up for a trial in the Azure portal.-- A test account to sign-in with - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users-azure-active-directory.md#add-a-new-user).+- A test account to sign-in with - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users.md#add-a-new-user). ## Sign-in without terms of use To test your policy, try to sign in to the [Azure portal](https://portal.azure.c When no longer needed, delete the test user and the Conditional Access policy: -- If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users-azure-active-directory.md#delete-a-user).+- If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users.md#delete-a-user). - To delete your policy, select the ellipsis (`...`) next to your policies name, then select **Delete**. - To delete your terms of use, select it, and then select **Delete terms**. |
active-directory | Service Dependencies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/service-dependencies.md | -With Conditional Access policies, you can specify access requirements to websites and services. For example, your access requirements can include requiring multifactor authentication (MFA) or [managed devices](require-managed-devices.md). +With Conditional Access policies, you can specify access requirements to websites and services. For example, your access requirements can include requiring multifactor authentication (MFA) or [managed devices](./concept-conditional-access-grant.md). When you access a site or service directly, the impact of a related policy is typically easy to assess. For example, if you have a policy that requires multifactor authentication (MFA) for SharePoint Online configured, MFA is enforced for each sign-in to the SharePoint web portal. However, it isn't always straight-forward to assess the impact of a policy because there are cloud apps with dependencies to other cloud apps. For example, Microsoft Teams can provide access to resources in SharePoint Online. So, when you access Microsoft Teams in our current scenario, you're also subject to the SharePoint MFA policy. |
active-directory | Troubleshoot Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access.md | Selecting the ellipsis on the right side of the policy in a sign-in event brings The left side provides details collected at sign-in and the right side provides details of whether those details satisfy the requirements of the applied Conditional Access policies. Conditional Access policies only apply when all conditions are satisfied or not configured. -If the information in the event isn't enough to understand the sign-in results, or adjust the policy to get desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under **Basic info** > **Troubleshoot Event**. For more information about the sign-in diagnostic, see the article [What is the sign-in diagnostic in Azure AD](../reports-monitoring/overview-sign-in-diagnostics.md). You can also [use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md). +If the information in the event isn't enough to understand the sign-in results, or adjust the policy to get desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under **Basic info** > **Troubleshoot Event**. For more information about the sign-in diagnostic, see the article [What is the sign-in diagnostic in Azure AD](../reports-monitoring/howto-use-sign-in-diagnostics.md). You can also [use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md). If you need to submit a support incident, provide the request ID and time and date from the sign-in event in the incident submission details. This information allows Microsoft support to find the specific event you're concerned about. |
active-directory | Troubleshoot Policy Changes Audit Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-policy-changes-audit-log.md | For more information about programmatically updating your Conditional Access pol ## Next steps - [What is Azure Active Directory monitoring?](../reports-monitoring/overview-monitoring.md)-- [Install and use the log analytics views for Azure Active Directory](../reports-monitoring/howto-install-use-log-analytics-views.md)+- [Install and use the log analytics views for Azure Active Directory](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) - [Conditional Access: Programmatic access](howto-conditional-access-apis.md) |
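Review bot: the `+` line in **Next steps** keeps the link text "Install and use the log analytics views for Azure Active Directory" but now points at `../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md`, an Azure Monitor page about converting View Designer views to workbooks; a reader looking for Azure AD log views will not find them there. Either change the text to describe the new target, or, if the Azure AD views article was retired, remove the bullet rather than redirect it.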
active-directory | Access Token Claims Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/access-token-claims-reference.md | Use the `BulkCreateGroups.ps1` provided in the [App Creation Scripts](https://gi ### v1.0 basic claims -The v1.0 tokens include the following claims if applicable, but not v2.0 tokens by default. To use these claims for v2.0, the application requests them using [optional claims](active-directory-optional-claims.md). +The v1.0 tokens include the following claims if applicable, but not v2.0 tokens by default. To use these claims for v2.0, the application requests them using [optional claims](./optional-claims.md). | Claim | Format | Description | |-|--|-| |
active-directory | Access Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/access-tokens.md | The Azure AD middleware has built-in capabilities for validating access tokens, The following examples suppose that your application is validating a v2.0 access token (and therefore reference the v2.0 versions of the OIDC metadata documents and keys). Just remove the "/v2.0" in the URL if you validate v1.0 tokens. +### Validate the issuer ++[OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) says "The Issuer Identifier \[...\] MUST exactly match the value of the iss (issuer) Claim." For applications which use a tenant-specific metadata endpoint (like [https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0/.well-known/openid-configuration) or [https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration)), this is all that is needed. ++Azure AD makes available a tenant-independent version of the document at [https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration). This endpoint returns an issuer value `https://login.microsoftonline.com/{tenantid}/v2.0`. Applications may use this tenant-independent endpoint to validate tokens from every tenant with the following modifications: ++ 1. Instead of expecting the issuer claim in the token to exactly match the issuer value from metadata, the application should replace the `{tenantid}` value in the issuer metadata with the tenantid that is the target of the current request, and then check the exact match. + 2. 
The application should use the `issuer` property returned from the keys endpoint to restrict the scope of keys. + - Keys that have an issuer value like `https://login.microsoftonline.com/{tenantid}/v2.0` may be used with any matching token issuer. + - Keys that have an issuer value like `https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0` should only be used with exact match. ++ Azure AD's tenant-independent key endpoint ([https://login.microsoftonline.com/common/discovery/v2.0/keys](https://login.microsoftonline.com/common/discovery/v2.0/keys)) returns a document like: + ``` + { + "keys":[ + {"kty":"RSA","use":"sig","kid":"jS1Xo1OWDj_52vbwGNgvQO2VzMc","x5t":"jS1Xo1OWDj_52vbwGNgvQO2VzMc","n":"spv...","e":"AQAB","x5c":["MIID..."],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0"}, + {"kty":"RSA","use":"sig","kid":"2ZQpJ3UpbjAYXYGaXEJl8lV0TOI","x5t":"2ZQpJ3UpbjAYXYGaXEJl8lV0TOI","n":"wEM...","e":"AQAB","x5c":["MIID..."],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0"}, + {"kty":"RSA","use":"sig","kid":"yreX2PsLi-qkbR8QDOmB_ySxp8Q","x5t":"yreX2PsLi-qkbR8QDOmB_ySxp8Q","n":"rv0...","e":"AQAB","x5c":["MIID..."],"issuer":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0"} + ] + } + ``` + 3. Applications that use Azure AD's tenantid (`tid`) claim as a trust boundary instead of the standard issuer claim should ensure that the tenant-id claim is a guid and that the issuer and tenantid match. ++Using tenant-independent metadata is more efficient for applications which accept tokens from many tenants. ++> [!NOTE] +> With Azure AD tenant-independent metadata, claims should be interpreted within the tenant, just as under standard OpenID Connect, claims are interpreted within the issuer. 
That is, `{"sub":"ABC123","iss":"https://login.microsoftonline.com/8eaef023-2b34-4da1-9baa-8bc8c9d6a490/v2.0","tid":"8eaef023-2b34-4da1-9baa-8bc8c9d6a490"}` and `{"sub":"ABC123","iss":"https://login.microsoftonline.com/82229342-1101-4ab6-817b-70c0747630f3/v2.0","tid":"82229342-1101-4ab6-817b-70c0747630f3"}` describe different users, even though the `sub` is the same, because claims like `sub` are interpreted within the context of the issuer/tenant. + ### Validate the signature A JWT contains three segments separated by the `.` character. The first segment is the **header**, the second is the **body**, and the third is the **signature**. Use the signature segment to evaluate the authenticity of the token. The following information describes the metadata document: Doing signature validation is outside the scope of this document. There are many open-source libraries available for helping with signature validation if necessary. However, the Microsoft identity platform has one token signing extension to the standards, which are custom signing keys. -If the application has custom signing keys as a result of using the [claims-mapping](active-directory-claims-mapping.md) feature, append an `appid` query parameter that contains the application ID. For validation, use `jwks_uri` that points to the signing key information of the application. For example: `https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e` contains a `jwks_uri` of `https://login.microsoftonline.com/{tenant}/discovery/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e`. +If the application has custom signing keys as a result of using the [claims-mapping](./saml-claims-customization.md) feature, append an `appid` query parameter that contains the application ID. For validation, use `jwks_uri` that points to the signing key information of the application. 
For example: `https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e` contains a `jwks_uri` of `https://login.microsoftonline.com/{tenant}/discovery/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e`. ### Validate the issuer |
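Review bot: the new `+### Validate the issuer` section is inserted before **Validate the signature**, but the file already has a `### Validate the issuer` heading further down (visible as context after the claims-mapping paragraph), so the patch produces two sections with the same title; merge the new text into the existing section or give the new one a distinct heading such as "Validate the issuer with tenant-independent metadata". On substance: step 1 tells the app to substitute `{tenantid}` with "the tenantid that is the target of the current request" without saying where that value comes from. If an implementer takes it from the token's own `tid` claim, the comparison only proves the token is self-consistent and a token from any Azure AD tenant passes; the text should say the tenant id must come from the application's side (a tenant-specific route, or the set of tenants the app has chosen to accept) and that passing this check does not by itself authorize the tenant. Step 3 needs the same caveat for apps that use `tid` as their trust boundary: "the issuer and tenantid match" is a consistency check, not an allow-list. Smaller points: the keys JSON fence has no language tag (` ``` ` should be ` ```json `), and the `kid`/`x5t` values and the `9188040d-...` tenant in the sample read as live output from the `common` keys endpoint; label the sample as illustrative, since the key set rotates.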
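Review bot: in the claims-mapping hunk the `+` line retargets "claims-mapping" to `./saml-claims-customization.md`, yet the paragraph is about JWT key discovery via `jwks_uri` with `?appid=`; link the claims-mapping guidance for JWT/OIDC tokens instead. Since the issuer section added above instructs multi-tenant apps to scope keys by the `issuer` property returned from the `common` keys endpoint, it is not stated whether the `?appid=` key document carries that property as well; worth a sentence here so the two key-selection rules do not appear to conflict for apps with custom signing keys.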
active-directory | Accounts Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/accounts-overview.md | String issuer = account.getClaims().get("iss"); // The tenant specific authority > To see a list of claims available from the account object, refer to the [ID token claims reference](./id-token-claims-reference.md). > [!TIP]-> To include additional claims in your id_token, refer to the optional claims documentation in [How to: Provide optional claims to your Azure AD app](./active-directory-optional-claims.md) +> To include additional claims in your id_token, refer to the optional claims documentation in [How to: Provide optional claims to your Azure AD app](./optional-claims.md) ### Access tenant profile claims private IAccount getAccountForPolicy(IPublicClientApplication app, String policy return null; }-``` +``` |
active-directory | App Objects And Service Principals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/app-objects-and-service-principals.md | az ad sp list --filter "appId eq '{AppId}'" ### Consequences of modifying and deleting applications -Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object. However, restoring that application object through the app registrations UI won't restore its corresponding service principal. For more information on deletion and recovery of applications and their service principal objects, see [delete and recover applications and service principal objects](../manage-apps/recover-deleted-apps-faq.md). +Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object. However, restoring that application object through the app registrations UI won't restore its corresponding service principal. For more information on deletion and recovery of applications and their service principal objects, see [delete and recover applications and service principal objects](../manage-apps/delete-recover-faq.yml). ## Example |
active-directory | App Only Access Primer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/app-only-access-primer.md | Always follow the principle of least privilege: you should never request app rol ## Designing and publishing app roles for a resource service -If you're building a service on Azure AD that exposes APIs for other clients to call, you may wish to support automated access with app roles (app-only permissions). You can define the app roles for your application in the **App roles** section of your app registration in Azure AD portal. For more information on how to create app roles, see [Declare roles for an application](howto-add-app-roles-in-azure-ad-apps.md#declare-roles-for-an-application). +If you're building a service on Azure AD that exposes APIs for other clients to call, you may wish to support automated access with app roles (app-only permissions). You can define the app roles for your application in the **App roles** section of your app registration in Azure AD portal. For more information on how to create app roles, see [Declare roles for an application](./howto-add-app-roles-in-apps.md#declare-roles-for-an-application). When exposing app roles for others to use, provide clear descriptions of the scenario to the admin who is going to assign them. App roles should generally be as narrow as possible and support specific functional scenarios, since app-only access isn't constrained by user rights. Avoid exposing a single role that grants full `read` or full `read/write` access to all APIs and resources your service contains. The example given is a simple illustration of application authorization. 
The pro ## Next steps -- [Learn how to create and assign app roles in Azure AD](howto-add-app-roles-in-azure-ad-apps.md)+- [Learn how to create and assign app roles in Azure AD](./howto-add-app-roles-in-apps.md) - [Overview of permissions in Microsoft Graph](/graph/permissions-overview) - [Microsoft Graph permissions reference](/graph/permissions-reference) |
active-directory | Application Consent Experience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/application-consent-experience.md | In this article, you'll learn about the Azure Active Directory (Azure AD) applic Consent is the process of a user granting authorization to an application to access protected resources on their behalf. An admin or user can be asked for consent to allow access to their organization/individual data. -The actual user experience of granting consent will differ depending on policies set on the user's tenant, the user's scope of authority (or role), and the type of [permissions](v2-permissions-and-consent.md) being requested by the client application. This means that application developers and tenant admins have some control over the consent experience. Admins have the flexibility of setting and disabling policies on a tenant or app to control the consent experience in their tenant. Application developers can dictate what types of permissions are being requested and if they want to guide users through the user consent flow or the admin consent flow. +The actual user experience of granting consent will differ depending on policies set on the user's tenant, the user's scope of authority (or role), and the type of [permissions](./permissions-consent-overview.md) being requested by the client application. This means that application developers and tenant admins have some control over the consent experience. Admins have the flexibility of setting and disabling policies on a tenant or app to control the consent experience in their tenant. Application developers can dictate what types of permissions are being requested and if they want to guide users through the user consent flow or the admin consent flow. - **User consent flow** is when an application developer directs users to the authorization endpoint with the intent to record consent for only the current user. 
- **Admin consent flow** is when an application developer directs users to the admin consent endpoint with the intent to record consent for the entire tenant. To ensure the admin consent flow works properly, application developers must list all permissions in the `RequiredResourceAccess` property in the application manifest. For more info, see [Application manifest](./reference-app-manifest.md). For troubleshooting steps, see [Unexpected error when performing consent to an a - Get a step-by-step overview of [how the Azure AD consent framework implements consent](./quickstart-register-app.md). - For more depth, learn [how a multi-tenant application can use the consent framework](./howto-convert-app-to-be-multi-tenant.md) to implement "user" and "admin" consent, supporting more advanced multi-tier application patterns.-- Learn [how to configure the app's publisher domain](howto-configure-publisher-domain.md).+- Learn [how to configure the app's publisher domain](howto-configure-publisher-domain.md). |
active-directory | Authentication Flows App Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-flows-app-scenarios.md | -The Microsoft identity platform supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md). By using the [authentication libraries for the Microsoft identity platform](reference-v2-libraries.md), applications authenticate identities and acquire tokens to access protected APIs. +The Microsoft identity platform supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols [OAuth 2.0 and OpenID Connect](./v2-protocols.md). By using the [authentication libraries for the Microsoft identity platform](reference-v2-libraries.md), applications authenticate identities and acquire tokens to access protected APIs. This article describes authentication flows and the application scenarios that they're used in. For more information, see [Daemon application that calls web APIs](scenario-daem You use authentication flows to implement the application scenarios that are requesting tokens. There isn't a one-to-one mapping between application scenarios and authentication flows. -Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flows. For more information, see [OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform](active-directory-v2-protocols.md). +Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flows. For more information, see [OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform](./v2-protocols.md). <table> <thead> |
active-directory | Authentication Protocols | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-protocols.md | The Microsoft identity platform supports several of the most widely used authent ## Authentication protocols articles and reference -* [Important Information About Signing Key Rollover in Microsoft identity platform](active-directory-signing-key-rollover.md) ΓÇô Learn about Microsoft identity platformΓÇÖs signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios. +* [Important Information About Signing Key Rollover in Microsoft identity platform](./signing-key-rollover.md) ΓÇô Learn about Microsoft identity platformΓÇÖs signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios. * [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that the Microsoft identity platform issues. * [OAuth 2.0 in Microsoft identity platform](v2-oauth2-auth-code-flow.md) - Learn about the implementation of OAuth 2.0 in Microsoft identity platform. * [OpenID Connect 1.0](v2-protocols-oidc.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication. * [Service to Service Calls with Client Credentials](v2-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls. * [Service to Service Calls with On-Behalf-Of Flow](v2-oauth2-on-behalf-of-flow.md) - Learn how to use OAuth 2.0 On-Behalf-Of flow for service to service calls.-* [SAML Protocol Reference](active-directory-saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Microsoft identity platform. 
+* [SAML Protocol Reference](./saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Microsoft identity platform. ## See also |
active-directory | Authentication Vs Authorization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-vs-authorization.md | This video explains the Microsoft identity platform and the basics of modern aut Here's a comparison of the protocols that the Microsoft identity platform uses: -* **OAuth versus OpenID Connect**: The platform uses OAuth for authorization and OpenID Connect (OIDC) for authentication. OpenID Connect is built on top of OAuth 2.0, so the terminology and flow are similar between the two. You can even both authenticate a user (through OpenID Connect) and get authorization to access a protected resource that the user owns (through OAuth 2.0) in one request. For more information, see [OAuth 2.0 and OpenID Connect protocols](active-directory-v2-protocols.md) and [OpenID Connect protocol](v2-protocols-oidc.md). +* **OAuth versus OpenID Connect**: The platform uses OAuth for authorization and OpenID Connect (OIDC) for authentication. OpenID Connect is built on top of OAuth 2.0, so the terminology and flow are similar between the two. You can even both authenticate a user (through OpenID Connect) and get authorization to access a protected resource that the user owns (through OAuth 2.0) in one request. For more information, see [OAuth 2.0 and OpenID Connect protocols](./v2-protocols.md) and [OpenID Connect protocol](v2-protocols-oidc.md). * **OAuth versus SAML**: The platform uses OAuth 2.0 for authorization and SAML for authentication. For more information on how to use these protocols together to both authenticate a user and get authorization to access a protected resource, see [Microsoft identity platform and OAuth 2.0 SAML bearer assertion flow](./scenario-token-exchange-saml-oauth.md). * **OpenID Connect versus SAML**: The platform uses both OpenID Connect and SAML to authenticate a user and enable single sign-on. 
SAML authentication is commonly used with identity providers such as Active Directory Federation Services (AD FS) federated to Azure AD, so it's often used in enterprise applications. OpenID Connect is commonly used for apps that are purely in the cloud, such as mobile apps, websites, and web APIs. |
active-directory | Authorization Basics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authorization-basics.md | Authorization by using access control lists (ACLs) involves maintaining explicit Role-based access control (RBAC) is possibly the most common approach to enforcing authorization in applications. When using RBAC, roles are defined to describe the kinds of activities an entity may perform. An application developer grants access to roles rather than to individual entities. An administrator can then assign roles to different entities to control which ones have access to what resources and functionality. -In advanced RBAC implementations, roles may be mapped to collections of permissions, where a permission describes a granular action or activity that can be performed. Roles are then configured as combinations of permissions. Compute the overall permission set for an entity by intersecting the permissions granted to the various roles the entity is assigned. A good example of this approach is the RBAC implementation that governs access to resources in Azure subscriptions. +In advanced RBAC implementations, roles may be mapped to collections of permissions, where a permission describes a granular action or activity that can be performed. Roles are then configured as combinations of permissions. Compute the overall permission set for an entity by combining the permissions granted to the various roles the entity is assigned. A good example of this approach is the RBAC implementation that governs access to resources in Azure subscriptions. > [!NOTE] > [Application RBAC](./custom-rbac-for-developers.md) differs from [Azure RBAC](../../role-based-access-control/overview.md) and [Azure AD RBAC](../roles/custom-overview.md#understand-azure-ad-role-based-access-control). Azure custom roles and built-in roles are both part of Azure RBAC, which helps manage Azure resources. 
Azure AD RBAC allows management of Azure AD resources. |
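Review bot: the replacement wording "by combining the permissions granted to the various roles" in the advanced-RBAC paragraph is still ambiguous about the set operation; since the line being removed said "intersecting", which was the error, state the correct operation explicitly, for example "by taking the union of the permissions granted to the various roles the entity is assigned", so readers do not keep the old interpretation. The Azure subscription RBAC example in the same sentence only makes sense under the union reading, because role assignments there are additive.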
active-directory | Certificate Credentials | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/certificate-credentials.md | The Microsoft identity platform allows an application to use its own credentials One form of credential that an application can use for authentication is a [JSON Web Token](./security-tokens.md#json-web-tokens-and-claims) (JWT) assertion signed with a certificate that the application owns. This is described in the [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) specification for the `private_key_jwt` client authentication option. -If you're interested in using a JWT issued by another identity provider as a credential for your application, please see [workload identity federation](workload-identity-federation.md) for how to set up a federation policy. +If you're interested in using a JWT issued by another identity provider as a credential for your application, please see [workload identity federation](../workload-identities/workload-identity-federation.md) for how to set up a federation policy. ## Assertion format |
active-directory | Claims Challenge | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/claims-challenge.md | You would prepend the client capability in the existing **claims** payload. To receive information about whether client applications can handle claims challenges, an API implementer must request **xms_cc** as an optional claim in its application manifest. -The **xms_cc** claim with a value of "cp1" in the access token is the authoritative way to identify a client application is capable of handling a claims challenge. **xms_cc** is an optional claim that will not always be issued in the access token, even if the client sends a claims request with "xms_cc". In order for an access token to contain the **xms_cc** claim, the resource application (that is, the API implementer) must request xms_cc as an [optional claim](active-directory-optional-claims.md) in its application manifest. When requested as an optional claim, **xms_cc** will be added to the access token only if the client application sends **xms_cc** in the claims request. The value of the **xms_cc** claim request will be included as the value of the **xms_cc** claim in the access token, if it is a known value. The only currently known value is **cp1**. +The **xms_cc** claim with a value of "cp1" in the access token is the authoritative way to identify a client application is capable of handling a claims challenge. **xms_cc** is an optional claim that will not always be issued in the access token, even if the client sends a claims request with "xms_cc". In order for an access token to contain the **xms_cc** claim, the resource application (that is, the API implementer) must request xms_cc as an [optional claim](./optional-claims.md) in its application manifest. When requested as an optional claim, **xms_cc** will be added to the access token only if the client application sends **xms_cc** in the claims request. 
The value of the **xms_cc** claim request will be included as the value of the **xms_cc** claim in the access token, if it is a known value. The only currently known value is **cp1**. The values are not case-sensitive and unordered. If more than one value is specified in the **xms_cc** claim request, those values will be a multi-valued collection as the value of the **xms_cc** claim. will result in a claim of in the access token, if **cp1**, **foo** and **bar** are known capabilities. -This is how the app's manifest looks like after the **xms_cc** [optional claim](active-directory-optional-claims.md) has been requested +This is how the app's manifest looks like after the **xms_cc** [optional claim](./optional-claims.md) has been requested ```c# "optionalClaims": |
active-directory | Configure App Multi Instancing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/configure-app-multi-instancing.md | The IDP initiated SSO feature exposes the following settings for each applicatio ## Next steps -- To learn more about how to configure this policy see [Customize app SAML token claims](active-directory-saml-claims-customization.md)+- To learn more about how to configure this policy see [Customize app SAML token claims](./saml-claims-customization.md) |
active-directory | Consent Types Developer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/consent-types-developer.md | Allowing an application to request permissions dynamically through the `scope` p ## Requesting individual user consent -In an [OpenID Connect or OAuth 2.0](active-directory-v2-protocols.md) authorization request, an application can request the permissions it needs by using the `scope` query parameter. For example, when a user signs in to an app, the application sends a request like the following example. (Line breaks are added for legibility). +In an [OpenID Connect or OAuth 2.0](./v2-protocols.md) authorization request, an application can request the permissions it needs by using the `scope` query parameter. For example, when a user signs in to an app, the application sends a request like the following example. (Line breaks are added for legibility). ```HTTP GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize? In many cases, it makes sense for the application to show the "connect" view onl When you sign the user into your app, you can identify the organization to which the admin belongs before you ask them to approve the necessary permissions. Although this step isn't strictly necessary, it can help you create a more intuitive experience for your organizational users. -To sign the user in, follow the [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md). +To sign the user in, follow the [Microsoft identity platform protocol tutorials](./v2-protocols.md). ### Request the permissions in the app registration portal Content-Type: application/json You can use the resulting access token in HTTP requests to the resource. It reliably indicates to the resource that your application has the proper permission to do a specific task. 
-For more information about the OAuth 2.0 protocol and how to get access tokens, see the [Microsoft identity platform endpoint protocol reference](active-directory-v2-protocols.md). +For more information about the OAuth 2.0 protocol and how to get access tokens, see the [Microsoft identity platform endpoint protocol reference](./v2-protocols.md). ## Next steps - [Consent experience](application-consent-experience.md) - [ID tokens](id-tokens.md)-- [Access tokens](access-tokens.md)+- [Access tokens](access-tokens.md) |
active-directory | Custom Claims Provider Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-claims-provider-overview.md | The following short video provides an excellent overview of the Azure AD custom Use a custom claims provider for the following scenarios: - **Migration of legacy systems** - You may have legacy identity systems such as Active Directory Federation Services (AD FS) or data stores (such as LDAP directory) that hold information about users. You'd like to migrate these applications, but can't fully migrate the identity data into Azure AD. Your apps may depend on certain information on the token, and can't be rearchitected.-- **Integration with other data stores that can't be synced to the directory** - You may have third-party systems, or your own systems that store user data. Ideally this information could be consolidated, either through [synchronization](../cloud-sync/what-is-cloud-sync.md) or direct migration, in the Azure AD directory. However, that isn't always feasible. The restriction may be because of data residency, regulations, or other requirements.+- **Integration with other data stores that can't be synced to the directory** - You may have third-party systems, or your own systems that store user data. Ideally this information could be consolidated, either through [synchronization](../hybrid/cloud-sync/what-is-cloud-sync.md) or direct migration, in the Azure AD directory. However, that isn't always feasible. The restriction may be because of data residency, regulations, or other requirements. ## Token issuance start event listener For an example using a custom claims provider with the **token issuance start** - Learn how to [create and register a custom claims provider](custom-extension-get-started.md) with a sample Open ID Connect application. 
- If you already have a custom claims provider registered, you can configure a [SAML application](custom-extension-configure-saml-app.md) to receive tokens with claims sourced from an external store. - Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.-- |
active-directory | Custom Claims Provider Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-claims-provider-reference.md | Once you create your claims mapping policy, the next step is to upload it to you ## Next steps - To learn how to [create and register a custom extension and API endpoint](custom-extension-get-started.md).-- To learn how to customize the claims emitted in tokens for a specific application in their tenant using PowerShell, see [How to: Customize claims emitted in tokens for a specific app in a tenant](active-directory-claims-mapping.md)-- To learn how to customize claims issued in the SAML token through the Azure portal, see [How to: Customize claims issued in the SAML token for enterprise applications](active-directory-saml-claims-customization.md)-- To learn more about extension attributes, see [Using directory extension attributes in claims](active-directory-schema-extensions.md).+- To learn how to customize the claims emitted in tokens for a specific application in their tenant using PowerShell, see [How to: Customize claims emitted in tokens for a specific app in a tenant](./saml-claims-customization.md) +- To learn how to customize claims issued in the SAML token through the Azure portal, see [How to: Customize claims issued in the SAML token for enterprise applications](./saml-claims-customization.md) +- To learn more about extension attributes, see [Using directory extension attributes in claims](./schema-extensions.md). |
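Review bot: after this change the second and third bullets both link to `./saml-claims-customization.md`, although the second bullet describes customizing claims with PowerShell and previously pointed at `active-directory-claims-mapping.md` while the third describes the Azure portal SAML flow; confirm that the claims-mapping article was merged into `saml-claims-customization.md` rather than renamed, and otherwise point the PowerShell bullet at its new location or fold the two bullets into one so the list does not present two different titles for the same target.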
active-directory | Custom Rbac For Developers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-rbac-for-developers.md | -Role-based access control (RBAC) allows certain users or groups to have specific permissions to access and manage resources. Application RBAC differs from [Azure role-based access control](../../role-based-access-control/overview.md) and [Azure AD role-based access control](../roles/custom-overview.md#understand-azure-ad-role-based-access-control). Azure custom roles and built-in roles are both part of Azure RBAC, which is used to help manage Azure resources. Azure AD RBAC is used to manage Azure AD resources. This article explains application-specific RBAC. For information about implementing application-specific RBAC, see [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-azure-ad-apps.md). +Role-based access control (RBAC) allows certain users or groups to have specific permissions to access and manage resources. Application RBAC differs from [Azure role-based access control](../../role-based-access-control/overview.md) and [Azure AD role-based access control](../roles/custom-overview.md#understand-azure-ad-role-based-access-control). Azure custom roles and built-in roles are both part of Azure RBAC, which is used to help manage Azure resources. Azure AD RBAC is used to manage Azure AD resources. This article explains application-specific RBAC. For information about implementing application-specific RBAC, see [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-apps.md). ## Roles definitions The following guidance should be applied when considering including role-based a - Define the roles that are required for the authorization needs of the application. 
- Apply, store, and retrieve the pertinent roles for authenticated users.-- Determine how the application behavior based on the roles assigned affects the current user.+- Determine the application behavior based on the roles assigned to the current user. After the roles are defined, the Microsoft identity platform supports several different solutions that can be used to apply, store, and retrieve role information for authenticated users. These solutions include app roles, Azure AD groups, and the use of custom datastores for user role information. Developers have the flexibility to provide their own implementation for how role ### App roles -Azure AD allows you to [define app roles](./howto-add-app-roles-in-azure-ad-apps.md) for your application and assign those roles to users and other applications. The roles you assign to a user or application define their level of access to the resources and operations in your application. +Azure AD allows you to [define app roles](./howto-add-app-roles-in-apps.md) for your application and assign those roles to users and other applications. The roles you assign to a user or application define their level of access to the resources and operations in your application. When Azure AD issues an access token for an authenticated user or application, it includes the names of the roles you've assigned the entity (the user or application) in the access token's [`roles`](./access-token-claims-reference.md#payload-claims) claim. An application like a web API that receives that access token in a request can then make authorization decisions based on the values in the `roles` claim. ### Groups -Developers can also use [Azure AD groups](../fundamentals/active-directory-manage-groups.md) to implement RBAC in their applications, where the memberships of the user in specific groups are interpreted as their role memberships. When an organization uses groups, the token includes a [groups claim](./access-token-claims-reference.md#payload-claims). 
The group claim specifies the identifiers of all of the assigned groups of the user within the tenant. +Developers can also use [Azure AD groups](../fundamentals/concept-learn-about-groups.md) to implement RBAC in their applications, where the memberships of the user in specific groups are interpreted as their role memberships. When an organization uses groups, the token includes a [groups claim](./access-token-claims-reference.md#payload-claims). The group claim specifies the identifiers of all of the assigned groups of the user within the tenant. > [!IMPORTANT] > When working with groups, developers need to be aware of the concept of an [overage claim](./access-token-claims-reference.md#payload-claims). By default, if a user is a member of more than the overage limit (150 for SAML tokens, 200 for JWT tokens, 6 if using the implicit flow), Azure AD doesn't emit a groups claim in the token. Instead, it includes an "overage claim" in the token that indicates the consumer of the token needs to query the Microsoft Graph API to retrieve the group memberships of the user. For more information about working with overage claims, see [Claims in access tokens](./access-token-claims-reference.md). It's possible to only emit groups that are assigned to an application, though [group-based assignment](../manage-apps/assign-user-or-group-access-portal.md) does require Azure Active Directory Premium P1 or P2 edition. |
active-directory | Developer Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-glossary.md | A client application requests [authorization](#authorization) from a resource ow The process of a [resource owner](#resource-owner) granting authorization to a [client application](#client-application), to access protected resources under specific [permissions](#permissions), on behalf of the resource owner. Depending on the permissions requested by the client, an administrator or user will be asked for consent to allow access to their organization/individual data respectively. Note, in a [multi-tenant](#multi-tenant-application) scenario, the application's [service principal](#service-principal-object) is also recorded in the tenant of the consenting user. -See [consent framework](consent-framework.md) for more information. +See [consent framework](./application-consent-experience.md) for more information. ## ID token A type of [client application](#client-application) that executes all code on a ## Workload identity -An identity used by a software workload like an application, service, script, or container to authenticate and access other services and resources. In Azure AD, workload identities are apps, service principals, and managed identities. For more information, see [workload identity overview](workload-identities-overview.md). +An identity used by a software workload like an application, service, script, or container to authenticate and access other services and resources. In Azure AD, workload identities are apps, service principals, and managed identities. For more information, see [workload identity overview](../workload-identities/workload-identities-overview.md). ## Workload identity federation -Allows you to securely access Azure AD protected resources from external apps and services without needing to manage secrets (for supported scenarios). 
For more information, see [workload identity federation](workload-identity-federation.md). +Allows you to securely access Azure AD protected resources from external apps and services without needing to manage secrets (for supported scenarios). For more information, see [workload identity federation](../workload-identities/workload-identity-federation.md). ## Next steps Many of the terms in this glossary are related to the OAuth 2.0 and OpenID Connect protocols. Though you don't need to know how the protocols work "on the wire" to use the identity platform, knowing some protocol basics can help you more easily build and debug authentication and authorization in your apps: -- [OAuth 2.0 and OpenID Connect (OIDC) in the Microsoft identity platform](active-directory-v2-protocols.md)+- [OAuth 2.0 and OpenID Connect (OIDC) in the Microsoft identity platform](./v2-protocols.md) <!--Image references--> <!--Reference style links --> [AAD-App-Manifest]:reference-app-manifest.md [AAD-App-SP-Objects]:app-objects-and-service-principals.md-[AAD-Auth-Scenarios]:authentication-scenarios.md -[AAD-Dev-Guide]:azure-ad-developers-guide.md +[AAD-Auth-Scenarios]:./authentication-vs-authorization.md +[AAD-Dev-Guide]:../develop.md [Graph-Perm-Scopes]: /graph/permissions-reference [Graph-App-Resource]: /graph/api/resources/application [Graph-Sp-Resource]: /graph/api/resources/serviceprincipal [Graph-User-Resource]: /graph/api/resources/user-[AAD-How-Subscriptions-Assoc]:../fundamentals/active-directory-how-subscriptions-associated-directory.md -[AAD-How-To-Integrate]: ./active-directory-how-to-integrate.md +[AAD-How-Subscriptions-Assoc]:../fundamentals/how-subscriptions-associated-directory.md +[AAD-How-To-Integrate]: ./how-to-integrate.md [AAD-How-To-Tenant]:quickstart-create-new-tenant.md-[AAD-Integrating-Apps]:quickstart-v1-integrate-apps-with-azure-ad.md +[AAD-Integrating-Apps]:./quickstart-register-app.md 
[AAD-Multi-Tenant-Overview]:howto-convert-app-to-be-multi-tenant.md-[AAD-Security-Token-Claims]: ./active-directory-authentication-scenarios/#claims-in-azure-ad-security-tokens +[AAD-Security-Token-Claims]: ./authentication-vs-authorization.md#claims-in-azure-ad-security-tokens [AAD-Tokens-Claims]:access-tokens.md [Azure portal]: https://portal.azure.com [AAD-RBAC]: ../../role-based-access-control/role-assignments-portal.md |
active-directory | Enterprise App Role Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/enterprise-app-role-management.md | You can customize the role claim in the access token that is received after an a - A user account that is assigned to the role. For more information, see [Quickstart: Create and assign a user account](../manage-apps/add-application-portal-assign-users.md). > [!NOTE]-> This article explains how to create, update, or delete application roles on the service principal using APIs. To use the new user interface for App Roles, see [Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md). +> This article explains how to create, update, or delete application roles on the service principal using APIs. To use the new user interface for App Roles, see [Add app roles to your application and receive them in the token](./howto-add-app-roles-in-apps.md). ## Locate the enterprise application |
active-directory | How Applications Are Added | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-applications-are-added.md | Applications are added to Azure AD to use one or more of the services it provide - Role-based access control (RBAC) - Use the directory to define application roles to perform role-based authorization checks in an application - OAuth authorization services - Used by Microsoft 365 and other Microsoft applications to authorize access to APIs/resources - Application publishing and proxy - Publish an application from a private network to the internet-- Directory schema extension attributes - [Extend the schema of service principal and user objects](active-directory-schema-extensions.md) to store additional data in Azure AD+- Directory schema extension attributes - [Extend the schema of service principal and user objects](./schema-extensions.md) to store additional data in Azure AD ## Who has permission to add applications to my Azure AD instance? |
active-directory | How To Integrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-to-integrate.md | Integration with the Microsoft identity platform comes with benefits that do not ### Easy development -**Industry standard protocols.** Microsoft is committed to supporting industry standards. The Microsoft identity platform supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. Learn more about the [Microsoft identity platform authentication protocols](active-directory-v2-protocols.md). +**Industry standard protocols.** Microsoft is committed to supporting industry standards. The Microsoft identity platform supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. Learn more about the [Microsoft identity platform authentication protocols](./v2-protocols.md). **Open source libraries.** Microsoft provides fully supported open source libraries for popular languages and platforms to speed development. The source code is licensed under Apache 2.0, and you are free to fork and contribute back to the projects. Learn more about the [Microsoft Authentication Library (MSAL)](reference-v2-libraries.md). |
active-directory | Howto Convert App To Be Multi Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md | To learn more about making API calls to Azure AD and Microsoft 365 services like <!--Reference style links IN USE --> [AAD-Access-Panel]: https://myapps.microsoft.com [AAD-App-Branding]:howto-add-branding-in-apps.md-[AAD-App-Manifest]:reference-azure-ad-app-manifest.md +[AAD-App-Manifest]:./reference-app-manifest.md [AAD-App-SP-Objects]:app-objects-and-service-principals.md-[AAD-Auth-Scenarios]:authentication-scenarios.md -[AAD-Consent-Overview]:consent-framework.md +[AAD-Auth-Scenarios]:./authentication-vs-authorization.md +[AAD-Consent-Overview]:./application-consent-experience.md [AAD-Dev-Guide]:azure-ad-developers-guide.md-[AAD-Integrating-Apps]:quickstart-v1-integrate-apps-with-azure-ad.md +[AAD-Integrating-Apps]:./quickstart-register-app.md [AAD-Samples-MT]: /samples/browse/?products=azure-active-directory-[AAD-Why-To-Integrate]: ./active-directory-how-to-integrate.md +[AAD-Why-To-Integrate]: ./how-to-integrate.md [MSFT-Graph-overview]: /graph/ [MSFT-Graph-permission-scopes]: /graph/permissions-reference To learn more about making API calls to Azure AD and Microsoft 365 services like [Consent-Multi-Tier-Multi-Party]: ./media/howto-convert-app-to-be-multi-tenant/consent-flow-multi-tier-multi-party.svg <!--Reference style links -->-[AAD-App-Manifest]:reference-azure-ad-app-manifest.md +[AAD-App-Manifest]:./reference-app-manifest.md [AAD-App-SP-Objects]:app-objects-and-service-principals.md-[AAD-Auth-Scenarios]:authentication-scenarios.md -[AAD-Integrating-Apps]:quickstart-v1-integrate-apps-with-azure-ad.md -[AAD-Dev-Guide]:azure-ad-developers-guide.md -[AAD-How-To-Integrate]: ./active-directory-how-to-integrate.md -[AAD-Security-Token-Claims]: ./active-directory-authentication-scenarios/#claims-in-azure-ad-security-tokens +[AAD-Auth-Scenarios]:./authentication-vs-authorization.md +[AAD-Integrating-Apps]:./quickstart-register-app.md +[AAD-Dev-Guide]:../develop.md +[AAD-How-To-Integrate]: ./how-to-integrate.md +[AAD-Security-Token-Claims]: ./authentication-vs-authorization.md#claims-in-azure-ad-security-tokens [AAD-Tokens-Claims]:access-tokens.md [AAD-V2-Dev-Guide]: v2-overview.md [Azure portal]: https://portal.azure.com |
active-directory | Howto Create Self Signed Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-self-signed-certificate.md | The self-signed certificate you created following the steps above has a limited ## Next steps -[Manage certificates for federated single sign-on in Azure Active Directory](../manage-apps/manage-certificates-for-federated-single-sign-on.md) +[Manage certificates for federated single sign-on in Azure Active Directory](../manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md) |
active-directory | Howto Get List Of All Auth Library Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-get-list-of-all-auth-library-apps.md | -Azure Active Directory Authentication Library (ADAL) has been deprecated. While existing apps that use ADAL continue to work, Microsoft will no longer release security fixes on ADAL. Use the [Microsoft Authentication Library (MSAL)](/entr). This article provides guidance on how to use Azure Monitor workbooks to obtain a list of all apps that use ADAL in your tenant. +Azure Active Directory Authentication Library (ADAL) has been deprecated. While existing apps that use ADAL continue to work, Microsoft will no longer release security fixes on ADAL. Use the [Microsoft Authentication Library (MSAL)](/entr). This article provides guidance on how to use Azure Monitor workbooks to obtain a list of all apps that use ADAL in your tenant. ## Sign-ins workbook |
active-directory | Howto Implement Rbac For Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-implement-rbac-for-apps.md | Role-based access control (RBAC) allows users or groups to have specific permiss As discussed in [Role-based access control for application developers](./custom-rbac-for-developers.md), there are three ways to implement RBAC using the Microsoft identity platform: -- **App Roles** – using the [App Roles feature in an application](./howto-add-app-roles-in-azure-ad-apps.md#declare-roles-for-an-application) using logic within the application to interpret incoming app role assignments.+- **App Roles** – using the [App Roles feature in an application](./howto-add-app-roles-in-apps.md#declare-roles-for-an-application) using logic within the application to interpret incoming app role assignments. - **Groups** – using group assignments of an incoming identity using logic within the application to interpret the group assignments. - **Custom Data Store** – retrieve and interpret role assignments using logic within the application. The preferred approach is to use *App Roles* as it is the easiest to implement. ## Define app roles -The first step for implementing RBAC for an application is to define the app roles for it and assign users or groups to it. This process is outlined in [How to: Add app roles to your application and receive them in the token](./howto-add-app-roles-in-azure-ad-apps.md). After defining the app roles and assigning users or groups to them, access the role assignments in the tokens coming into the application and act on them accordingly. +The first step for implementing RBAC for an application is to define the app roles for it and assign users or groups to it. This process is outlined in [How to: Add app roles to your application and receive them in the token](./howto-add-app-roles-in-apps.md). After defining the app roles and assigning users or groups to them, access the role assignments in the tokens coming into the application and act on them accordingly. ## Implement RBAC in ASP.NET Core Implementing RBAC in a Node.js with express application involves the use of MSAL ## Next steps -- Read more on [permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md).+- Read more on [permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md). - Read more on [role-based access control for application developers](./custom-rbac-for-developers.md). |
active-directory | Howto Restrict Your App To A Set Of Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md | Follow the steps in this section to secure app-to-app authentication access for For more information about roles and security groups, see: -- [How to: Add app roles in your application](./howto-add-app-roles-in-azure-ad-apps.md)+- [How to: Add app roles in your application](./howto-add-app-roles-in-apps.md) - [Using Security Groups and Application Roles in your apps (Video)](https://www.youtube.com/watch?v=LRoc-na27l0) - [Azure Active Directory app manifest](./reference-app-manifest.md) |
active-directory | Id Token Claims Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/id-token-claims-reference.md | The following table shows header claims present in ID tokens. ## Payload claims -The following table shows the claims that are in most ID tokens by default (except where noted). However, your app can use [optional claims](active-directory-optional-claims.md) to request more claims in the ID token. Optional claims can range from the `groups` claim to information about the user's name. +The following table shows the claims that are in most ID tokens by default (except where noted). However, your app can use [optional claims](./optional-claims.md) to request more claims in the ID token. Optional claims can range from the `groups` claim to information about the user's name. | Claim | Format | Description | |-|--|-| The following table shows the claims that are in most ID tokens by default (exce | `at_hash` | String | The access token hash is included in ID tokens only when the ID token is issued from the `/authorize` endpoint with an OAuth 2.0 access token. It can be used to validate the authenticity of an access token. To understand how to do this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken). This claim isn't returned on ID tokens from the `/token` endpoint. | | `aio` | Opaque String | An internal claim that's used to record data for token reuse. Should be ignored. | | `preferred_username` | String | The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since it's mutable, this value can't be used to make authorization decisions. It can be used for username hints and in human-readable UI as a username. The `profile` scope is required to receive this claim. Present only in v2.0 tokens. |-| `email` | String | Present by default for guest accounts that have an email address. Your app can request the email claim for managed users (from the same tenant as the resource) using the `email` [optional claim](active-directory-optional-claims.md). This value isn't guaranteed to be correct and is mutable over time. Never use it for authorization or to save data for a user. If you require an addressable email address in your app, request this data from the user directly by using this claim as a suggestion or prefill in your UX. On the v2.0 endpoint, your app can also request the `email` OpenID Connect scope - you don't need to request both the optional claim and the scope to get the claim. | +| `email` | String | Present by default for guest accounts that have an email address. Your app can request the email claim for managed users (from the same tenant as the resource) using the `email` [optional claim](./optional-claims.md). This value isn't guaranteed to be correct and is mutable over time. Never use it for authorization or to save data for a user. If you require an addressable email address in your app, request this data from the user directly by using this claim as a suggestion or prefill in your UX. On the v2.0 endpoint, your app can also request the `email` OpenID Connect scope - you don't need to request both the optional claim and the scope to get the claim. | | `name` | String | The `name` claim provides a human-readable value that identifies the subject of the token. The value isn't guaranteed to be unique, it can be changed, and should be used only for display purposes. The `profile` scope is required to receive this claim. | | `nonce` | String | The nonce matches the parameter included in the original authorize request to the IDP. If it doesn't match, your application should reject the token. | | `oid` | String, a GUID | The immutable identifier for an object, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user receives the same value in the `oid` claim. Microsoft Graph returns this ID as the `id` property for a user account. Because the `oid` allows multiple apps to correlate users, the `profile` scope is required to receive this claim. If a single user exists in multiple tenants, the user contains a different object ID in each tenant - they're considered different accounts, even though the user logs into each account with the same credentials. The `oid` claim is a GUID and can't be reused. | |
active-directory | Id Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/id-tokens.md | The following JWT claims should be validated in the ID token after validating th ## See also * [ID token claims reference](id-token-claims-reference.md)-* [OAuth 2.0 and OpenID Connect protocols](active-directory-v2-protocols.md) -* [Optional claims](active-directory-optional-claims.md) +* [OAuth 2.0 and OpenID Connect protocols](./v2-protocols.md) +* [Optional claims](./optional-claims.md) ## Next steps |
active-directory | Identity Platform Integration Checklist | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/identity-platform-integration-checklist.md | Use the following checklist to ensure that your application is effectively integ ![checkbox](./medi). -![checkbox](./medi) to store and regularly rotate your credentials. +![checkbox](./medi) to store and regularly rotate your credentials. -![checkbox](./medi#permission-types). Only use application permissions if necessary; use delegated permissions where possible. For a full list of Microsoft Graph permissions, see this [permissions reference](/graph/permissions-reference). +![checkbox](./medi#permission-types). Only use application permissions if necessary; use delegated permissions where possible. For a full list of Microsoft Graph permissions, see this [permissions reference](/graph/permissions-reference). ![checkbox](./media/integration-checklist/checkbox-two.svg) If you're securing an API using the Microsoft identity platform, carefully think through the permissions it should expose. Consider what's the right granularity for your solution and which permission(s) require admin consent. Check for expected permissions in the incoming tokens before making any authorization decisions. 
Use the following checklist to ensure that your application is effectively integ Explore in-depth information about v2.0: * [Microsoft identity platform (overview)](v2-overview.md)-* [Microsoft identity platform protocols reference](active-directory-v2-protocols.md) +* [Microsoft identity platform protocols reference](./v2-protocols.md) * [Access tokens reference](access-tokens.md) * [ID tokens reference](id-tokens.md) * [Authentication libraries reference](reference-v2-libraries.md)-* [Permissions and consent in the Microsoft identity platform](v2-permissions-and-consent.md) +* [Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md) * [Microsoft Graph API](https://developer.microsoft.com/graph) |
active-directory | Jwt Claims Customization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/jwt-claims-customization.md | Applications that receive tokens rely on claim values that are authoritatively i - [Configure a custom signing key](#configure-a-custom-signing-key) - [update the application manifest to accept mapped claims](#update-the-application-manifest). -Without this, Azure AD returns an [AADSTS50146 error code](reference-aadsts-error-codes.md#aadsts-error-codes). +Without this, Azure AD returns an [AADSTS50146 error code](./reference-error-codes.md#aadsts-error-codes). ## Configure a custom signing key For multi-tenant apps, a custom signing key should be used. Don't set `acceptMappedClaims` in the app manifest. when setting up an app in the Azure portal, you get an app registration object and a service principal in your tenant. That app is using the Azure global sign-in key, which can't be used for customizing claims in tokens. To get custom claims in tokens, create a custom sign-in key from a certificate and add it to service principal. For testing purposes, you can use a self-signed certificate. After configuring the custom signing key, your application code needs to validate the token signing key. |
active-directory | Migrate Adal Msal Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-adal-msal-java.md | ADAL4J acquires tokens for resources whereas MSAL for Java acquires tokens for s You can add the `/.default` scope suffix to the resource to help migrate your apps from the ADAL to MSAL. For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource isn't in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`. For more details about the different types of scopes, refer-[Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles. +[Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles. ## Core classes |
active-directory | Migrate Objc Adal Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-objc-adal-msal.md | This is the built-in scope for every application. It refers to the static list o To use the `/.default` scope, append `/.default` to the resource identifier. For example: `https://graph.microsoft.com/.default`. If your resource ends with a slash (`/`), you should still append `/.default`, including the leading forward slash, resulting in a scope that has a double forward slash (`//`) in it. -You can read more information about using the "/.default" scope [here](./v2-permissions-and-consent.md#the-default-scope) +You can read more information about using the "/.default" scope [here](./permissions-consent-overview.md). ### Supporting different WebView types & browsers application.acquireTokenSilent(with: silentParameters) { ## Next steps -Learn more about [Authentication flows and application scenarios](authentication-flows-app-scenarios.md) +Learn more about [Authentication flows and application scenarios](authentication-flows-app-scenarios.md) |
active-directory | Migrate Python Adal Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-python-adal-msal.md | ADAL Python acquires tokens for resources, but MSAL Python acquires tokens for s You can add the `/.default` scope suffix to the resource to help migrate your apps from the v1.0 endpoint (ADAL) to the Microsoft identity platform (MSAL). For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource isn't in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`. -For more details about the different types of scopes, refer to [Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles. +For more details about the different types of scopes, refer to [Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles. ### Error handling |
active-directory | Mobile Sso Support Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/mobile-sso-support-overview.md | The best choice for implementing single sign-on in your application is to use [t > [!NOTE] > It is possible to configure MSAL to use an embedded web view. This will prevent single sign-on. Use the default behavior (that is, the system web browser) to ensure that SSO will work. -Azure Active Directory Authentication Library (ADAL) has been deprecated. Please use the [Microsoft Authentication Library (MSAL)](/entr). +Azure Active Directory Authentication Library (ADAL) has been deprecated. Please use the [Microsoft Authentication Library (MSAL)](/entr). For iOS applications, we have a [quickstart](quickstart-v2-ios.md) that shows you how to set up sign-ins using MSAL, as well as [guidance for configuring MSAL for various SSO scenarios](single-sign-on-macos-ios.md). |
active-directory | Msal Acquire Cache Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-acquire-cache-tokens.md | You can also clear the token cache, which is achieved by removing the accounts f ## Scopes when acquiring tokens -[Scopes](v2-permissions-and-consent.md) are the permissions that a web API exposes that client applications can request access to. Client applications request the user's consent for these scopes when making authentication requests to get tokens to access the web APIs. MSAL allows you to get tokens to access Azure AD for developers (v1.0) and the Microsoft identity platform APIs. v2.0 protocol uses scopes instead of resource in the requests. Based on the web API's configuration of the token version it accepts, the v2.0 endpoint returns the access token to MSAL. +[Scopes](./permissions-consent-overview.md) are the permissions that a web API exposes that client applications can request access to. Client applications request the user's consent for these scopes when making authentication requests to get tokens to access the web APIs. MSAL allows you to get tokens to access Azure AD for developers (v1.0) and the Microsoft identity platform APIs. v2.0 protocol uses scopes instead of resource in the requests. Based on the web API's configuration of the token version it accepts, the v2.0 endpoint returns the access token to MSAL. Several of MSAL's token acquisition methods require a `scopes` parameter. The `scopes` parameter is a list of strings that declare the desired permissions and the resources requested. Well-known scopes are the [Microsoft Graph permissions](/graph/permissions-reference). |
active-directory | Msal Authentication Flows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-authentication-flows.md | The following constraints apply to the applications using the ROPC flow: - ROPC is **supported** in .NET desktop and .NET Core applications. - ROPC is **unsupported** in Universal Windows Platform (UWP) applications. - ROPC in Azure AD B2C is supported _only_ for local accounts.- - For information about ROPC in MSAL.NET and Azure AD B2C, see [Using ROPC with Azure AD B2C](msal-net-aad-b2c-considerations.md#resource-owner-password-credentials-ropc). + - For information about ROPC in MSAL.NET and Azure AD B2C, see [Using ROPC with Azure AD B2C](./msal-net-b2c-considerations.md#resource-owner-password-credentials-ropc). ## Integrated Windows authentication (IWA) To satisfy either requirement, one of these operations must have been completed: - You've provided a way for users to consent to the application; see [User consent](../manage-apps/user-admin-consent-overview.md#user-consent). - You've provided a way for the tenant admin to consent for the application; see [Administrator consent](../manage-apps/user-admin-consent-overview.md#admin-consent). -For more information on consent, see [Permissions and consent](v2-permissions-and-consent.md#consent). +For more information on consent, see [Permissions and consent](./permissions-consent-overview.md#consent). ## Next steps |
active-directory | Msal B2c Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-b2c-overview.md | MSAL.js enables [single-page applications](../../active-directory-b2c/applicatio - Users **can** authenticate with their social and local identities. - Users **can** be authorized to access Azure AD B2C protected resources (but not Azure AD protected resources).-- Users **cannot** obtain tokens for Microsoft APIs (for example, MS Graph API) using [delegated permissions](./v2-permissions-and-consent.md#permission-types).-- Users with administrator privileges **can** obtain tokens for Microsoft APIs (for example, MS Graph API) using [delegated permissions](./v2-permissions-and-consent.md#permission-types).+- Users **cannot** obtain tokens for Microsoft APIs (for example, MS Graph API) using [delegated permissions](./permissions-consent-overview.md#permission-types). +- Users with administrator privileges **can** obtain tokens for Microsoft APIs (for example, MS Graph API) using [delegated permissions](./permissions-consent-overview.md#permission-types). For more information, see: [Working with Azure AD B2C](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/working-with-b2c.md) |
active-directory | Msal Js Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-js-sso.md | If the information in the `login_hint` claim doesn't match any existing user, th #### Using a session ID -To use a session ID, add `sid` as an [optional claim](active-directory-optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](active-directory-optional-claims.md). Use the session ID (SID) in silent authentication requests you make with `ssoSilent` in MSAL.js. +To use a session ID, add `sid` as an [optional claim](./optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](./optional-claims.md). Use the session ID (SID) in silent authentication requests you make with `ssoSilent` in MSAL.js. ```javascript const request = { const msalInstance = new msal.PublicClientApplication(config); For more information about SSO, see: - [MSAL.js prompt behavior](msal-js-prompt-behavior.md)-- [Optional token claims](active-directory-optional-claims.md)+- [Optional token claims](./optional-claims.md) - [Configurable token lifetimes](configurable-token-lifetimes.md) |
active-directory | Msal Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-migration.md | The following diagram shows the v2.0 vs v1.0 endpoint experience at a high level MSAL leverages all the [benefits of Microsoft identity platform (v2.0) endpoint](../azuread-dev/azure-ad-endpoint-comparison.md). -MSAL is designed to enable a secure solution without developers having to worry about the implementation details. It simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. We recommend you use MSAL to [increase the resilience of authentication and authorization in client applications that you develop](../fundamentals/resilience-client-app.md?tabs=csharp#use-the-microsoft-authentication-library-msal). +MSAL is designed to enable a secure solution without developers having to worry about the implementation details. It simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. We recommend you use MSAL to [increase the resilience of authentication and authorization in client applications that you develop](../architecture/resilience-client-app.md?tabs=csharp#use-the-microsoft-authentication-library-msal). MSAL provides multiple benefits over ADAL, including the following features: If you need to continue using AD FS, you should upgrade to AD FS 2019 or later b ## How to migrate to MSAL Before you start the migration, you need to identify which of your apps are using ADAL for authentication. Follow the steps in this article to get a list by using the Azure portal:-- [How to: Get a complete list of apps using ADAL in your tenant](howto-get-list-of-all-active-directory-auth-library-apps.md)+- [How to: Get a complete list of apps using ADAL in your tenant](./howto-get-list-of-all-auth-library-apps.md) After identifying applications that use ADAL, migrate them to MSAL depending on your app type: |
active-directory | Msal Net Client Assertions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-client-assertions.md | app = ConfidentialClientApplicationBuilder.Create(config.ClientId) .Build(); ``` -The [claims expected by Azure AD](active-directory-certificate-credentials.md) in the signed assertion are: +The [claims expected by Azure AD](./certificate-credentials.md) in the signed assertion are: Claim type | Value | Description - | - | - |
active-directory | Msal Node Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-node-migration.md | However, some methods in ADAL Node are deprecated, while MSAL Node offers new me | `acquireUserCode` | N/A | Merged with `acquireTokeByDeviceCode` (see above)| | N/A | `acquireTokenOnBehalfOf` | A new method that abstracts [OBO flow](./v2-oauth2-on-behalf-of-flow.md) | | `acquireTokenWithClientCertificate` | N/A | No longer needed as certificates are assigned during initialization now (see [configuration options](#configure-msal)) |-| N/A | `getAuthCodeUrl` | A new method that abstracts [authorize endpoint](./active-directory-v2-protocols.md#endpoints) URL construction | +| N/A | `getAuthCodeUrl` | A new method that abstracts [authorize endpoint](./v2-protocols.md#endpoints) URL construction | ## Use scopes instead of resources |
active-directory | Optional Claims Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/optional-claims-reference.md | The following table lists the v1.0 and v2.0 optional claim set. | `verified_secondary_email` | Sourced from the user's SecondaryAuthoritativeEmail | JWT | | | | `vnet` | VNET specifier information. | JWT | | | | `xms_cc` | Client Capabilities | JWT | Azure AD | Indicates whether the client application that acquired the token is capable of handling claims challenges. It's often used along with claim `acrs`. This claim is commonly used in Conditional Access and Continuous Access Evaluation scenarios. The resource server or service application that the token is issued for controls the presence of this claim in a token. A value of `cp1` in the access token is the authoritative way to identify that a client application is capable of handling a claims challenge. For more information, see [Claims challenges, claims requests and client capabilities](claims-challenge.md?tabs=dotnet). |-| `xms_edov` | Boolean value indicating whether the user's email domain owner has been verified. | JWT | | An email is considered to be domain verified if it belongs to the tenant where the user account resides and the tenant admin has done verification of the domain. Also, the email must be from a Microsoft account (MSA), a Google account, or used for authentication using the one-time passcode (OTP) flow. It should also be noted the Facebook and SAML/WS-Fed accounts **do not** have verified domains. | -| `xms_pdl` | Preferred data location | JWT | | For Multi-Geo tenants, the preferred data location is the three-letter code showing the geographic region the user is in. For more information, see the [Azure AD Connect documentation about preferred data location](../hybrid/how-to-connect-sync-feature-preferreddatalocation.md). | +| `xms_edov` | Boolean value indicating whether the user's email domain owner has been verified. | JWT | | An email is considered to be domain verified if it belongs to the tenant where the user account resides and the tenant admin has done verification of the domain. Also, the email must be from a Microsoft account (MSA), a Google account, or used for authentication using the one-time passcode (OTP) flow. Facebook and SAML/WS-Fed accounts **do not** have verified domains. For this claim to be returned in the token, the presence of the `email` claim is required. | +| `xms_pdl` | Preferred data location | JWT | | For Multi-Geo tenants, the preferred data location is the three-letter code showing the geographic region the user is in. For more information, see the [Azure AD Connect documentation about preferred data location](../hybrid/connect/how-to-connect-sync-feature-preferreddatalocation.md). | | `xms_pl` | User preferred language | JWT | | The user's preferred language, if set. Sourced from their home tenant, in guest access scenarios. Formatted LL-CC ("en-us"). | | `xms_tpl` | Tenant preferred language| JWT | | The resource tenant's preferred language, if set. Formatted LL ("en"). | | `ztdid` | Zero-touch Deployment ID | JWT | | The device identity used for `Windows AutoPilot`. | |
active-directory | Optional Claims | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/optional-claims.md | Within the JWT, these claims are emitted with the following name format: `extn. This section covers the configuration options under optional claims for changing the group attributes used in group claims from the default group objectID to attributes synced from on-premises Windows Active Directory. You can configure groups optional claims for your application through the Azure portal or application manifest. Group optional claims are only emitted in the JWT for user principals. Service principals aren't included in group optional claims emitted in the JWT. > [!IMPORTANT]-> The number of groups emitted in a token are limited to 150 for SAML assertions and 200 for JWT, including nested groups. For more information about group limits and important caveats for group claims from on-premises attributes, see [Configure group claims for applications](../hybrid/how-to-connect-fed-group-claims.md). +> The number of groups emitted in a token are limited to 150 for SAML assertions and 200 for JWT, including nested groups. For more information about group limits and important caveats for group claims from on-premises attributes, see [Configure group claims for applications](../hybrid/connect/how-to-connect-fed-group-claims.md). Complete the following steps to configure groups optional claims using the Azure portal: |
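Review bot: subject-verb agreement in the rewritten IMPORTANT line: `The number of groups emitted in a token are limited to 150 for SAML assertions and 200 for JWT` should read `is limited`; since the `+` line is already being touched to change the link target to `../hybrid/connect/how-to-connect-fed-group-claims.md`, fix the grammar in the same change rather than carrying the error forward.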
active-directory | Permissions Consent Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/permissions-consent-overview.md | +<a id ='requesting-consent-for-an-entire-tenant'></a> +<a id ='using-the-admin-consent-endpoint'></a> +<a id ='openid-connect-scopes'></a> +<a id ='admin-restricted-permissions'></a> +<a id ='the-default-scope'></a> +<a id ='scopes-and-permissions'></a> + To *access* a protected resource like email or calendar data, your application needs the resource owner's *authorization*. The resource owner can *consent* to or deny your app's request. Understanding these foundational concepts will help you build more secure and trustworthy applications that request only the access they need, when they need it, from users and administrators. ## Access scenarios For the user, the authorization relies on the privileges that the user has been In this access scenario, the application acts on its own with no user signed in. Application access is used in scenarios such as automation, and backup. This scenario includes apps that run as background services or daemons. It's appropriate when it's undesirable to have a specific user signed in, or when the data required can't be scoped to a single user. For more information about the app-only access scenario, see [App-only-access](app-only-access-primer.md). -App-only access uses app roles instead of delegated scopes. When granted through consent, app roles may also be called applications permissions. For app-only access, the client app must be granted appropriate app roles of the resource app it's calling in order to access the requested data. For more information about assigning app roles to client applications, see [Assigning app roles to applications](howto-add-app-roles-in-azure-ad-apps.md#assign-app-roles-to-applications). +App-only access uses app roles instead of delegated scopes. 
When granted through consent, app roles may also be called applications permissions. For app-only access, the client app must be granted appropriate app roles of the resource app it's calling in order to access the requested data. For more information about assigning app roles to client applications, see [Assigning app roles to applications](./howto-add-app-roles-in-apps.md#assign-app-roles-to-applications). ++<a id='permission-types'></a> ## Types of permissions One way that applications are granted permissions is through consent. Consent is The key details of a consent prompt are the list of permissions the application requires and the publisher information. For more information about the consent prompt and the consent experience for both admins and end-users, see [application consent experience](application-consent-experience.md). +<a id='requesting-individual-user-consent'></a> + ### User consent User consent happens when a user attempts to sign into an application. The user provides their sign-in credentials. These credentials are checked to determine whether consent has already been granted. If no previous record of user or admin consent for the required permissions exists, the user is shown a consent prompt, and asked to grant the application the requested permissions. In many cases, an admin may be required to grant consent on behalf of the user. ### Administrator consent -Depending on the permissions they require, some applications might require an administrator to be the one who grants consent. For example, application permissions and many high-privilege delegated permissions can only be consented to by an administrator. Administrators can grant consent for themselves or for the entire organization. For more information about user and admin consent, see [user and admin consent overview](../manage-apps/consent-and-permissions-overview.md). 
+Depending on the permissions they require, some applications might require an administrator to be the one who grants consent. For example, application permissions and many high-privilege delegated permissions can only be consented to by an administrator. Administrators can grant consent for themselves or for the entire organization. For more information about user and admin consent, see [user and admin consent overview](../manage-apps/user-admin-consent-overview.md). ### Preauthorization Preauthorization allows a resource application owner to grant permissions withou ## Next steps - [Delegated access scenario](delegated-access-primer.md)-- [User and admin consent overview](../manage-apps/consent-and-permissions-overview.md)+- [User and admin consent overview](../manage-apps/user-admin-consent-overview.md) - [OpenID connect scopes](scopes-oidc.md) |
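Review bot: the six anchor elements added at the top of the file use `<a id ='requesting-consent-for-an-entire-tenant'></a>` with a space before `=`, while the anchors added further down use the spaceless form `<a id='permission-types'></a>` and `<a id='requesting-individual-user-consent'></a>`; use `<a id='...'></a>` throughout so the redirect anchors are consistent and easy to grep for (the `#requesting-individual-user-consent` fragment is what the reference-breaking-changes article in this same set now links to).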
active-directory | Publisher Verification Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/publisher-verification-overview.md | The following video describes the process: > [!VIDEO https://www.youtube.com/embed/IYRN2jDl5dc] -Publisher verification primarily is for developers who build multitenant apps that use [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md) with the [Microsoft identity platform](v2-overview.md). These types of apps can sign in a user by using OpenID Connect, or they can use OAuth 2.0 to request access to data by using APIs like [Microsoft Graph](https://developer.microsoft.com/graph/). +Publisher verification primarily is for developers who build multitenant apps that use [OAuth 2.0 and OpenID Connect](./v2-protocols.md) with the [Microsoft identity platform](v2-overview.md). These types of apps can sign in a user by using OpenID Connect, or they can use OAuth 2.0 to request access to data by using APIs like [Microsoft Graph](https://developer.microsoft.com/graph/). ## Benefits |
active-directory | Quickstart Console App Nodejs Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-console-app-nodejs-acquire-token.md | To register your application and add the app's registration information to your - `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant ID** or **Tenant name** (for example, contoso.microsoft.com). Find these values on the app registration's **Overview** pane in the Azure portal. - `Enter_the_Client_Secret_Here` - replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings in the Azure portal. - Using a plaintext secret in the source code poses an increased security risk for your application. Although the sample in this quickstart uses a plaintext client secret, it's only for simplicity. We recommend using [certificate credentials](active-directory-certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production. + Using a plaintext secret in the source code poses an increased security risk for your application. Although the sample in this quickstart uses a plaintext client secret, it's only for simplicity. We recommend using [certificate credentials](./certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production. 3. Edit *.env* and replace the Azure AD and Microsoft Graph endpoints with the following values: - For the Azure AD endpoint, replace `Enter_the_Cloud_Instance_Id_Here` with `https://login.microsoftonline.com`. |
active-directory | Quickstart Create New Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-create-new-tenant.md | If you don't have a tenant associated with your account, you'll see a GUID under ### Create a new Azure AD tenant -If you don't already have an Azure AD tenant or if you want to create a new one for development, see [Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md) or use the [directory creation experience](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory) in the Azure portal. If you want to create a tenant for app testing, see [build a test environment](test-setup-environment.md). +If you don't already have an Azure AD tenant or if you want to create a new one for development, see [Create a new tenant in Azure AD](../fundamentals/create-new-tenant.md) or use the [directory creation experience](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory) in the Azure portal. If you want to create a tenant for app testing, see [build a test environment](test-setup-environment.md). You'll provide the following information to create your new tenant: |
active-directory | Quickstart Single Page App React Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-react-sign-in.md | npm install @azure/msal-browser @azure/msal-react Next, try a step-by-step tutorial to learn how to build a React SPA from scratch that signs in users and calls the Microsoft Graph API to get user profile data: > [!div class="nextstepaction"]-> [Tutorial: Sign in users and call Microsoft Graph](tutorial-v2-react.md) +> [Tutorial: Sign in users and call Microsoft Graph](./single-page-app-tutorial-01-register-app.md) |
active-directory | Quickstart V2 Aspnet Core Web Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-aspnet-core-web-api.md | -> 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source=".\media\common\portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application. +> 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application. > 1. Search for and select **Azure Active Directory**. > 1. Under **Manage**, select **App registrations** > **New registration**. > 1. For **Name**, enter a name for the application. For example, enter **AspNetCoreWebApi-Quickstart**. Users of the app will see this name, and can be changed later. |
active-directory | Quickstart V2 Aspnet Core Webapp Calls Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp-calls-graph.md | -> ![Shows how the sample app generated by this quickstart works](media/quickstart-v2-aspnet-core-webapp-calls-graph/> aspnetcorewebapp-intro.svg) +> ![Shows how the sample app generated by this quickstart works](./configure-app-multi-instancing.md aspnetcorewebapp-intro.svg) > > ### Startup class > |
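Review bot: the replacement image path in the `+` line is broken: `./configure-app-multi-instancing.md aspnetcorewebapp-intro.svg` points at a Markdown file followed by a space and the SVG file name, so the image will not render. Judging by the `-` line and by the matching fix in the netcore-daemon quickstart in this same set (`./media/quickstart-v2-netcore-daemon/netcore-daemon-intro.svg`), the intent is only to drop the stray `> ` from the original path; use `./media/quickstart-v2-aspnet-core-webapp-calls-graph/aspnetcorewebapp-intro.svg` instead.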
active-directory | Quickstart V2 Aspnet Webapp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-aspnet-webapp.md | -> > [Add sign-in to an ASP.NET web app](tutorial-v2-asp-webapp.md) +> > [Add sign-in to an ASP.NET web app](./web-app-tutorial-01-register-application.md) |
active-directory | Quickstart V2 Javascript Auth Code React | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-javascript-auth-code-react.md | -> > [Tutorial: Sign in users and call Microsoft Graph](tutorial-v2-react.md) +> > [Tutorial: Sign in users and call Microsoft Graph](./single-page-app-tutorial-01-register-app.md) |
active-directory | Quickstart V2 Netcore Daemon | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-netcore-daemon.md | -> ![Diagram that shows how the sample app generated by this quickstart works.](media/quickstart-v2-netcore-daemon/> netcore-daemon-intro.svg) +> ![Diagram that shows how the sample app generated by this quickstart works.](./media/quickstart-v2-netcore-daemon/netcore-daemon-intro.svg) > > ### Microsoft.Identity.Web.GraphServiceClient > |
active-directory | Quickstart V2 Python Webapp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-python-webapp.md | -> > This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](./active-directory-certificate-credentials.md). +> > This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](./certificate-credentials.md). > > ## More information > |
active-directory | Quickstart Web App Aspnet Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-web-app-aspnet-sign-in.md | You can call Microsoft Graph from the controller by getting the instance of Grap For a complete step-by-step guide on building applications and new features, including a full explanation of this quickstart, try out the ASP.NET tutorial. > [!div class="nextstepaction"]-> [Add sign-in to an ASP.NET web app](tutorial-v2-asp-webapp.md) +> [Add sign-in to an ASP.NET web app](./web-app-tutorial-01-register-application.md) |
active-directory | Quickstart Web App Java Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-web-app-java-sign-in.md | If you want to deploy the web sample to Tomcat, make a couple changes to the sou 4. After the file is deployed, go to https://localhost:8443/msal4jsample by using a browser. > [!IMPORTANT]-> This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons we recommend that you use a certificate instead of a client secret before using the application in a production environment. For more information on how to use a certificate, see [Certificate credentials for application authentication](active-directory-certificate-credentials.md). +> This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons we recommend that you use a certificate instead of a client secret before using the application in a production environment. For more information on how to use a certificate, see [Certificate credentials for application authentication](./certificate-credentials.md). ## More information import com.microsoft.aad.msal4j.*; For a more in-depth discussion of building web apps that sign in users on the Microsoft identity platform, see the multipart scenario series: > [!div class="nextstepaction"]-> [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md?tabs=java) +> [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md?tabs=java) |
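Review bot: the final hunk removes and re-adds an identical line, `> [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md?tabs=java)`; if this is a trailing-whitespace or line-ending change it should be called out in the commit message, otherwise drop the no-op hunk so the diff only contains the `./certificate-credentials.md` link fix.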
active-directory | Quickstart Web App Python Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-web-app-python-sign-in.md | You can also use an integrated development environment to open the folder. 1. Create a virtual environment for the app: - [!INCLUDE [Virtual environment setup](<../../app-service/includes/quickstart-python/virtual-environment-setup.md>)] + [!INCLUDE [Virtual environment setup](../../app-service/includes/quickstart-python/virtual-environment-setup.md)] 1. Install the requirements using `pip`: You can also use an integrated development environment to open the folder. ``` > [!IMPORTANT]- > This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](active-directory-certificate-credentials.md). + > This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](./certificate-credentials.md). [!INCLUDE [Help and support](includes/error-handling-and-tips/help-support-include.md)] |
active-directory | Reference App Manifest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-app-manifest.md | Example: | : | : | | acceptMappedClaims | Nullable Boolean | -As documented on the [apiApplication resource type](/graph/api/resources/apiapplication#properties), this allows an application to use [claims mapping](active-directory-claims-mapping.md) without specifying a custom signing key. Applications that receive tokens rely on the fact that the claim values are authoritatively issued by Azure AD and cannot be tampered with. However, when you modify the token contents through claims-mapping policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the claims-mapping policy to protect themselves from claims-mapping policies created by malicious actors. +As documented on the [apiApplication resource type](/graph/api/resources/apiapplication#properties), this allows an application to use [claims mapping](./saml-claims-customization.md) without specifying a custom signing key. Applications that receive tokens rely on the fact that the claim values are authoritatively issued by Azure AD and cannot be tampered with. However, when you modify the token contents through claims-mapping policies, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the claims-mapping policy to protect themselves from claims-mapping policies created by malicious actors. > [!WARNING] > Do not set `acceptMappedClaims` property to `true` for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app. Example: | : | : | | appRoles | Collection | -Specifies the collection of roles that an app may declare. These roles can be assigned to users, groups, or service principals. 
For more examples and info, see [Add app roles in your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md). +Specifies the collection of roles that an app may declare. These roles can be assigned to users, groups, or service principals. For more examples and info, see [Add app roles in your application and receive them in the token](./howto-add-app-roles-in-apps.md). Example: Example: The optional claims returned in the token by the security token service for this specific app. -At this time, apps that support both personal accounts and Azure AD (registered through the app registration portal) cannot use optional claims. However, apps registered for just Azure AD using the v2.0 endpoint can get the optional claims they requested in the manifest. For more info, see [Optional claims](active-directory-optional-claims.md). +At this time, apps that support both personal accounts and Azure AD (registered through the app registration portal) cannot use optional claims. However, apps registered for just Azure AD using the v2.0 endpoint can get the optional claims they requested in the manifest. For more info, see [Optional claims](./optional-claims.md). 
Example: Use the following comments section to provide feedback that helps refine and sha [AAD-APP-OBJECTS]:app-objects-and-service-principals.md [AAD-DEVELOPER-GLOSSARY]:developer-glossary.md [AAD-GROUPS-FOR-AUTHORIZATION]: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/-[ADD-UPD-RMV-APP]:quickstart-v1-integrate-apps-with-azure-ad.md +[ADD-UPD-RMV-APP]:./quickstart-register-app.md [DEV-GUIDE-TO-AUTH-WITH-ARM]: http://www.dushyantgill.com/blog/2015/05/23/developers-guide-to-auth-with-azure-resource-manager-api/ [GRAPH-API]: /graph/migrate-azure-ad-graph-planning-checklist-[IMPLICIT-GRANT]:v1-oauth2-implicit-grant-flow.md +[IMPLICIT-GRANT]:./v2-oauth2-implicit-grant-flow.md [INTEGRATING-APPLICATIONS-AAD]: ./quickstart-register-app.md [O365-PERM-DETAILS]: /graph/permissions-reference [RBAC-CLOUD-APPS-AZUREAD]: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/ |
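Review bot: in the `acceptMappedClaims` row the link text `claims mapping` now resolves to `./saml-claims-customization.md`, but the sentence is about claims-mapping policies and the custom signing key they normally require, which is the subject of the claims mapping policy type reference (`reference-claims-mapping-policy-type.md`, also updated in this set); confirm that the SAML customization article covers policy-based mapping for the tokens this manifest property governs, or point the link at the policy type reference instead.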
active-directory | Reference Breaking Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-breaking-changes.md | If a request fails the validation check, the application API for create/update w **Endpoints impacted**: v2.0 -**Protocol impacted**: All flows using [dynamic consent](v2-permissions-and-consent.md#requesting-individual-user-consent) +**Protocol impacted**: All flows using [dynamic consent](./permissions-consent-overview.md#requesting-individual-user-consent) Applications using dynamic consent today are given all the permissions they have consent for, even if they weren't requested by name in the `scope` parameter. An app requesting only `user.read` but with consent to `files.read` can be forced to pass the Conditional Access requirement assigned for `files.read`, for example. |
active-directory | Reference Claims Mapping Policy Type | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-claims-mapping-policy-type.md | These claims are restricted by default, but aren't restricted if you have a [cus To control the claims that are included and where the data comes from, use the properties of a claims mapping policy. Without a policy, the system issues tokens with the following claims: - The core claim set. - The basic claim set.-- Any [optional claims](active-directory-optional-claims.md) that the application has chosen to receive.+- Any [optional claims](./optional-claims.md) that the application has chosen to receive. > [!NOTE] > Claims in the core claim set are present in every token, regardless of what this property is set to. |
active-directory | Reference Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-error-codes.md | The `error` field has several possible values - review the protocol documentatio | AADSTS40009 | OAuth2IdPRefreshTokenRedemptionUserError - There's an issue with your federated Identity Provider. Contact your IDP to resolve this issue. | | AADSTS40010 | OAuth2IdPRetryableServerError - There's an issue with your federated Identity Provider. Contact your IDP to resolve this issue. | | AADSTS40015 | OAuth2IdPAuthCodeRedemptionUserError - There's an issue with your federated Identity Provider. Contact your IDP to resolve this issue. |-| AADSTS50000 | TokenIssuanceError - There's an issue with the sign-in service. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) to resolve this issue. | +| AADSTS50000 | TokenIssuanceError - There's an issue with the sign-in service. [Open a support ticket](../fundamentals/how-to-get-support.md) to resolve this issue. | | AADSTS50001 | InvalidResource - The resource is disabled or doesn't exist. Check your app's code to ensure that you have specified the exact resource URL for the resource you're trying to access. | | AADSTS50002 | NotAllowedTenant - Sign-in failed because of a restricted proxy access on the tenant. If it's your own tenant policy, you can change your restricted tenant settings to fix this issue. | | AADSTS500011 | InvalidResourceServicePrincipalNotFound - The resource principal named {name} was not found in the tenant named {tenant}. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. If you expect the app to be installed, you may need to provide administrator permissions to add it. 
Check with the developers of the resource and application to understand what the right setup for your tenant is. | The `error` field has several possible values - review the protocol documentatio | AADSTS50003 | MissingSigningKey - Sign-in failed because of a missing signing key or certificate. This might be because there was no signing key configured in the app. To learn more, see the troubleshooting article for error [AADSTS50003](/troubleshoot/azure/active-directory/error-code-aadsts50003-cert-or-key-not-configured). If you still see issues, contact the app owner or an app admin. | | AADSTS50005 | DevicePolicyError - User tried to log in to a device from a platform that's currently not supported through Conditional Access policy. | | AADSTS50006 | InvalidSignature - Signature verification failed because of an invalid signature. |-| AADSTS50007 | PartnerEncryptionCertificateMissing - The partner encryption certificate was not found for this app. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Microsoft to get this fixed. | +| AADSTS50007 | PartnerEncryptionCertificateMissing - The partner encryption certificate was not found for this app. [Open a support ticket](../fundamentals/how-to-get-support.md) with Microsoft to get this fixed. | | AADSTS50008 | InvalidSamlToken - SAML assertion is missing or misconfigured in the token. Contact your federation provider. | | AADSTS5000819 | InvalidSamlTokenEmailMissingOrInvalid - SAML Assertion is invalid. Email address claim is missing or does not match domain from an external realm. | | AADSTS50010 | AudienceUriValidationFailed - Audience URI validation for the app failed since no token audiences were configured. | The `error` field has several possible values - review the protocol documentatio | AADSTS50049 | NoSuchInstanceForDiscovery - Unknown or invalid instance. | | AADSTS50050 | MalformedDiscoveryRequest - The request is malformed. 
| | AADSTS50053 | This error can result from two different reasons: <br><ul><li>IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password. The user is blocked due to repeated sign-in attempts. See [Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md).</li><li>Or, sign-in was blocked because it came from an IP address with malicious activity.</li></ul> <br>To determine which failure reason caused this error, sign in to the [Azure portal](https://portal.azure.com). Navigate to your Azure AD tenant and then **Monitoring** -> **Sign-ins**. Find the failed user sign-in with **Sign-in error code** 50053 and check the **Failure reason**.|-| AADSTS50055 | InvalidPasswordExpiredPassword - The password is expired. The user's password is expired, and therefore their login or session was ended. They will be offered the opportunity to reset it, or may ask an admin to reset it via [Reset a user's password using Azure Active Directory](../fundamentals/active-directory-users-reset-password-azure-portal.md). | +| AADSTS50055 | InvalidPasswordExpiredPassword - The password is expired. The user's password is expired, and therefore their login or session was ended. They will be offered the opportunity to reset it, or may ask an admin to reset it via [Reset a user's password using Azure Active Directory](../fundamentals/users-reset-password-azure-portal.md). | | AADSTS50056 | Invalid or null password: password doesn't exist in the directory for this user. The user should be asked to enter their password again. | | AADSTS50057 | UserDisabled - The user account is disabled. The user object in Active Directory backing this account has been disabled. An admin can re-enable this account [through PowerShell](/powershell/module/activedirectory/enable-adaccount) | | AADSTS50058 | UserInformationNotProvided - Session information isn't sufficient for single-sign-on. 
This means that a user isn't signed in. This is a common error that's expected when a user is unauthenticated and has not yet signed in.</br>If this error is encountered in an SSO context where the user has previously signed in, this means that the SSO session was either not found or invalid.</br>This error may be returned to the application if prompt=none is specified. | The `error` field has several possible values - review the protocol documentatio | AADSTS50135 | PasswordChangeCompromisedPassword - Password change is required due to account risk. | | AADSTS50136 | RedirectMsaSessionToApp - Single MSA session detected. | | AADSTS50139 | SessionMissingMsaOAuth2RefreshToken - The session is invalid due to a missing external refresh token. |-| AADSTS50140 | KmsiInterrupt - This error occurred due to "Keep me signed in" interrupt when the user was signing-in. This is an expected part of the login flow, where a user is asked if they want to remain signed into their current browser to make further logins easier. For more information, see [The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/the-new-azure-ad-sign-in-and-keep-me-signed-in-experiences/m-p/128267). You can [open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Correlation ID, Request ID, and Error code to get more details.| -| AADSTS50143 | Session mismatch - Session is invalid because user tenant doesn't match the domain hint due to different resource. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Correlation ID, Request ID, and Error code to get more details. | +| AADSTS50140 | KmsiInterrupt - This error occurred due to "Keep me signed in" interrupt when the user was signing-in. 
This is an expected part of the login flow, where a user is asked if they want to remain signed into their current browser to make further logins easier. For more information, see [The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/the-new-azure-ad-sign-in-and-keep-me-signed-in-experiences/m-p/128267). You can [open a support ticket](../fundamentals/how-to-get-support.md) with Correlation ID, Request ID, and Error code to get more details.| +| AADSTS50143 | Session mismatch - Session is invalid because user tenant doesn't match the domain hint due to different resource. [Open a support ticket](../fundamentals/how-to-get-support.md) with Correlation ID, Request ID, and Error code to get more details. | | AADSTS50144 | InvalidPasswordExpiredOnPremPassword - User's Active Directory password has expired. Generate a new password for the user or have the user use the self-service reset tool to reset their password. | | AADSTS50146 | MissingCustomSigningKey - This app is required to be configured with an app-specific signing key. It is either not configured with one, or the key has expired or isn't yet valid. Please contact the owner of the application. | | AADSTS501461 | AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key. | The `error` field has several possible values - review the protocol documentatio | AADSTS700082 | ExpiredOrRevokedGrantInactiveToken - The refresh token has expired due to inactivity. The token was issued on {issueDate} and was inactive for {time}. Expected part of the token lifecycle - the user went an extended period of time without using the application, so the token was expired when the app attempted to refresh it. 
| | AADSTS700084 | The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifetime of {time}, which can't be extended. It is now expired and a new sign in request must be sent by the SPA to the sign in page. The token was issued on {issueDate}.| | AADSTS70011 | InvalidScope - The scope requested by the app is invalid. |-| AADSTS70012 | MsaServerError - A server error occurred while authenticating an MSA (consumer) user. Try again. If it continues to fail, [open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) | +| AADSTS70012 | MsaServerError - A server error occurred while authenticating an MSA (consumer) user. Try again. If it continues to fail, [open a support ticket](../fundamentals/how-to-get-support.md) | | AADSTS70016 | AuthorizationPending - OAuth 2.0 device flow error. Authorization is pending. The device will retry polling the request. | | AADSTS70018 | BadVerificationCode - Invalid verification code due to User typing in wrong user code for device code flow. Authorization isn't approved. | | AADSTS70019 | CodeExpired - Verification code expired. Have the user retry the sign-in. | The `error` field has several possible values - review the protocol documentatio | AADSTS76026 | RequestIssueTimeExpired - IssueTime in an SAML2 Authentication Request is expired. | | AADSTS80001 | OnPremiseStoreIsNotAvailable - The Authentication Agent is unable to connect to Active Directory. Make sure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they are able to connect to Active Directory. | | AADSTS80002 | OnPremisePasswordValidatorRequestTimedout - Password validation request timed out. Make sure that Active Directory is available and responding to requests from the agents. |-| AADSTS80005 | OnPremisePasswordValidatorUnpredictableWebException - An unknown error occurred while processing the response from the Authentication Agent. 
Retry the request. If it continues to fail, [open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) to get more details on the error. | +| AADSTS80005 | OnPremisePasswordValidatorUnpredictableWebException - An unknown error occurred while processing the response from the Authentication Agent. Retry the request. If it continues to fail, [open a support ticket](../fundamentals/how-to-get-support.md) to get more details on the error. | | AADSTS80007 | OnPremisePasswordValidatorErrorOccurredOnPrem - The Authentication Agent is unable to validate user's password. Check the agent logs for more info and verify that Active Directory is operating as expected. | | AADSTS80010 | OnPremisePasswordValidationEncryptionException - The Authentication Agent is unable to decrypt password. | | AADSTS80012 | OnPremisePasswordValidationAccountLogonInvalidHours - The users attempted to log on outside of the allowed hours (this is specified in AD). | The `error` field has several possible values - review the protocol documentatio | AADSTS90024 | RequestBudgetExceededError - A transient error has occurred. Try again. | | AADSTS90027 | We are unable to issue tokens from this API version on the MSA tenant. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.| | AADSTS90033 | MsodsServiceUnavailable - The Microsoft Online Directory Service (MSODS) isn't available. |-| AADSTS90036 | MsodsServiceUnretryableFailure - An unexpected, non-retryable error from the WCF service hosted by MSODS has occurred. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) to get more details on the error. | +| AADSTS90036 | MsodsServiceUnretryableFailure - An unexpected, non-retryable error from the WCF service hosted by MSODS has occurred. [Open a support ticket](../fundamentals/how-to-get-support.md) to get more details on the error. 
| | AADSTS90038 | NationalCloudTenantRedirection - The specified tenant 'Y' belongs to the National Cloud 'X'. Current cloud instance 'Z' does not federate with X. A cloud redirect error is returned. | | AADSTS90043 | NationalCloudAuthCodeRedirection - The feature is disabled. | | AADSTS900432 | Confidential Client isn't supported in Cross Cloud request.| The `error` field has several possible values - review the protocol documentatio | AADSTS700023 | InvalidResourcelessScope - The provided value for the input parameter scope isn't valid when request an access token. | | AADSTS7000215 | Invalid client secret is provided. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.| | AADSTS7000218 | The request body must contain the following parameter: 'client_assertion' or 'client_secret'. |-| AADSTS7000222 | InvalidClientSecretExpiredKeysProvided - The provided client secret keys are expired. Visit the Azure portal to create new keys for your app, or consider using certificate credentials for added security: [https://aka.ms/certCreds](./active-directory-certificate-credentials.md) | +| AADSTS7000222 | InvalidClientSecretExpiredKeysProvided - The provided client secret keys are expired. Visit the Azure portal to create new keys for your app, or consider using certificate credentials for added security: [https://aka.ms/certCreds](./certificate-credentials.md) | | AADSTS700229 | ForbiddenTokenType- Only app-only tokens may be used as Federated Identity Credentials for AAD issuer. Use an app-only access token (generated during a client credentials flow) instead of a user-delegated access token (representing a request coming from a user context). | | AADSTS700005 | InvalidGrantRedeemAgainstWrongTenant - Provided Authorization Code is intended to use against other tenant, thus rejected. 
OAuth2 Authorization Code must be redeemed against same tenant it was acquired for (/common or /{tenant-ID} as appropriate) | | AADSTS1000000 | UserNotBoundError - The Bind API requires the Azure AD user to also authenticate with an external IDP, which hasn't happened yet. | |
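Review bot: the AADSTS7000222 row in this hunk keeps the link text `https://aka.ms/certCreds` while its href becomes `./certificate-credentials.md`, so the rendered link is labelled as an aka.ms URL but resolves to a relative docs page; since the row is being edited anyway, change the text to "certificate credentials" (or restore the aka.ms target) so label and destination agree. The remaining edits in this region (`active-directory-troubleshooting-support-howto.md` to `how-to-get-support.md`, `active-directory-users-reset-password-azure-portal.md` to `users-reset-password-azure-portal.md`) are consistent renames and need no further change.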
active-directory | Reference Saml Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-saml-tokens.md | This is a sample of a typical SAML token. ## Next steps * To learn more about managing token lifetime policy using the Microsoft Graph API, see the [Azure AD policy resource overview](/graph/api/resources/policy-overview).-* Add [custom and optional claims](active-directory-optional-claims.md) to the tokens for your application. +* Add [custom and optional claims](./optional-claims.md) to the tokens for your application. * Use [Single Sign-On (SSO) with SAML](single-sign-on-saml-protocol.md). * Use the [Azure Single Sign-Out SAML protocol](single-sign-out-saml-protocol.md) |
active-directory | Reference V2 Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-v2-libraries.md | The following tables show Microsoft Authentication Library support for several a The Microsoft identity platform has been certified by the OpenID Foundation as a [certified OpenID provider](https://openid.net/certification/). If you prefer to use a library other than the Microsoft Authentication Library (MSAL) or another Microsoft-supported library, choose one with a [certified OpenID Connect implementation](https://openid.net/developers/certified/). -If you choose to hand-code your own protocol-level implementation of [OAuth 2.0 or OpenID Connect 1.0](active-directory-v2-protocols.md), pay close attention to the security considerations in each standard's specification and follow secure software design and development practices like those in the [Microsoft SDL][Microsoft-SDL]. +If you choose to hand-code your own protocol-level implementation of [OAuth 2.0 or OpenID Connect 1.0](./v2-protocols.md), pay close attention to the security considerations in each standard's specification and follow secure software design and development practices like those in the [Microsoft SDL][Microsoft-SDL]. ## Single-page application (SPA) |
active-directory | Refresh Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/refresh-tokens.md | The server can revoke refresh tokens because of a change in credentials, user ac - [Access tokens in the Microsoft identity platform](access-tokens.md) - [ID tokens in the Microsoft identity platform](id-tokens.md)-- [Invalidate refresh token](https://learn.microsoft.com/powershell/module/microsoft.graph.beta.users.actions/invoke-mgbetainvalidateuserrefreshtoken?view=graph-powershell-beta.md)+- [Invalidate refresh token](/powershell/module/microsoft.graph.beta.users.actions/invoke-mgbetainvalidateuserrefreshtoken?view=graph-powershell-beta) - [Single sign-out](v2-protocols-oidc.md#single-sign-out) ## Next steps |
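Review bot: the corrected link drops the stray `.md` that was appended to the `view=graph-powershell-beta` query string and switches to a root-relative path, which is the right fix; note that the target is the beta Graph PowerShell module (`microsoft.graph.beta.users.actions`), so the list item text "Invalidate refresh token" could say that the cmdlet is in the beta module, otherwise readers will expect a GA cmdlet.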
active-directory | Registration Config Sso How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-sso-how-to.md | For iOS, see [Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md). [Integrating Apps to AzureAD](./quickstart-register-app.md)<br> -[Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md)<br> +[Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md)<br> [AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Saml Claims Customization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/saml-claims-customization.md | Select the desired source for the `NameIdentifier` (or `nameID`) claim. You can | `onpremisessamaccountname` | The SAM account name that has been synced from on-premises Azure AD. | | `objectid` | The object ID of the user in Azure AD. | | `employeeid` | The employee ID of the user. |-| `Directory extensions` | The directory extensions [synced from on-premises Active Directory using Azure AD Connect Sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md). | +| `Directory extensions` | The directory extensions [synced from on-premises Active Directory using Azure AD Connect Sync](../hybrid/connect/how-to-connect-sync-feature-directory-extensions.md). | | `Extension Attributes 1-15` | The on-premises extension attributes used to extend the Azure AD schema. | | `pairwiseid` | The persistent form of user identifier. | When the following conditions occur after **Add** or **Run test** is selected, a ## Add the UPN claim to SAML tokens -The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](active-directory-optional-claims.md) through **App registrations** in the Azure portal. +The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal. Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. 
Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token. The following table lists other advanced options that can be configured for an a ## Next steps -* [Configure single sign-on for applications that aren't in the Azure AD application gallery](../manage-apps/configure-saml-single-sign-on.md) +* [Configure single sign-on for applications that aren't in the Azure AD application gallery](./single-sign-on-saml-protocol.md) |
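Review bot: the Next steps link text still reads "Configure single sign-on for applications that aren't in the Azure AD application gallery" but its target changes from `../manage-apps/configure-saml-single-sign-on.md` to `./single-sign-on-saml-protocol.md`, which is the SAML protocol reference rather than a how-to for non-gallery apps; either update the link text to describe the new target or point at the page that replaced the manage-apps article. The `optional-claims.md` and `hybrid/connect/` path updates earlier in the hunk are straightforward renames.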
active-directory | Scenario Daemon Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-daemon-acquire-token.md | Content: { ### Are you calling your own API? -If your daemon app calls your own web API and you weren't able to add an app permission to the daemon's app registration, you need to [Add app roles to the web API's app registration](howto-add-app-roles-in-azure-ad-apps.md). +If your daemon app calls your own web API and you weren't able to add an app permission to the daemon's app registration, you need to [Add app roles to the web API's app registration](./howto-add-app-roles-in-apps.md). ## Next steps |
active-directory | Scenario Daemon Production | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-daemon-production.md | If you're an ISV creating a daemon application that can run in several tenants, - Provisions a service principal for the application. - Grants consent to the application. -You'll need to explain to your customers how to perform these operations. For more info, see [Requesting consent for an entire tenant](v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant). +You'll need to explain to your customers how to perform these operations. For more info, see [Requesting consent for an entire tenant](./permissions-consent-overview.md#requesting-consent-for-an-entire-tenant). [!INCLUDE [Pre-requisites](./includes/scenarios/scenarios-production.md)] |
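Review bot: the link keeps the `#requesting-consent-for-an-entire-tenant` fragment while changing the file from `v2-permissions-and-consent.md` to `permissions-consent-overview.md`; a fragment only resolves if the new page has a heading with that exact slug, so verify that the overview page still contains a "Requesting consent for an entire tenant" heading, otherwise the reader silently lands at the top of the page.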
active-directory | Scenario Desktop Acquire Token Integrated Windows Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-desktop-acquire-token-integrated-windows-authentication.md | To sign in a domain user on a domain or Azure AD joined machine, use integrated - In other words: - Either you as a developer selected the **Grant** button in the Azure portal for yourself. - Or, a tenant admin selected the **Grant/revoke admin consent for {tenant domain}** button on the **API permissions** tab of the registration for the application. For more information, see [Add permissions to access your web API](quickstart-configure-app-access-web-apis.md#add-permissions-to-access-your-web-api).- - Or, you've provided a way for users to consent to the application. For more information, see [Requesting individual user consent](./v2-permissions-and-consent.md#requesting-individual-user-consent). - - Or, you've provided a way for the tenant admin to consent to the application. For more information, see [Admin consent](./v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant). + - Or, you've provided a way for users to consent to the application. For more information, see [Requesting individual user consent](./permissions-consent-overview.md#requesting-individual-user-consent). + - Or, you've provided a way for the tenant admin to consent to the application. For more information, see [Admin consent](./permissions-consent-overview.md#requesting-consent-for-an-entire-tenant). - This flow is enabled for .NET desktop, .NET Core, and UWP apps. -For more information on consent, see the [Microsoft identity platform permissions and consent](./v2-permissions-and-consent.md). +For more information on consent, see the [Microsoft identity platform permissions and consent](./permissions-consent-overview.md). ## Learn how to use it |
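Review bot: both consent links carry their fragments (`#requesting-individual-user-consent` and `#requesting-consent-for-an-entire-tenant`) over to `permissions-consent-overview.md`; confirm that both headings exist on the overview page, since a missing fragment does not break the link but drops the reader at the top of a long page instead of the consent step the bullet describes. The unchanged `quickstart-configure-app-access-web-apis.md#add-permissions-to-access-your-web-api` link in the same bullet can be checked at the same time.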
active-directory | Scenario Protected Web Api App Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-protected-web-api-app-registration.md | Expose _application permissions_ instead of delegated permissions if your API sh #### Expose application permissions (app roles) -To expose application permissions, follow the steps in [Add app roles to your app](howto-add-app-roles-in-azure-ad-apps.md). +To expose application permissions, follow the steps in [Add app roles to your app](./howto-add-app-roles-in-apps.md). In the **Create app role** pane under **Allowed member types**, select **Applications**. Or, add the role by using the **Application manifest editor** as described in the article. |
active-directory | Scenario Protected Web Api Verification Scope App Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md | For a full version of `ValidateAppRole` for ASP.NET Core, see [_RolesRequiredHtt ### Verify app roles in APIs called on behalf of users -Users can also use roles claims in user assignment patterns, as shown in [How to add app roles in your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md). If the roles are assignable to both, checking roles will let apps sign in as users and users sign in as apps. We recommend that you declare different roles for users and apps to prevent this confusion. +Users can also use roles claims in user assignment patterns, as shown in [How to add app roles in your application and receive them in the token](./howto-add-app-roles-in-apps.md). If the roles are assignable to both, checking roles will let apps sign in as users and users sign in as apps. We recommend that you declare different roles for users and apps to prevent this confusion. If you have defined app roles with user/group, then roles claim can also be verified in the API along with scopes. The verification logic of the app roles in this scenario remains same as if API is called by the daemon apps since there is no differentiation in the role claim for user/group and application. If you set `AllowWebApiToBeAuthorizedByACL` to true, this is **your responsibili Move on to the next article in this scenario, [Move to production](scenario-protected-web-api-production.md).- |
active-directory | Scenario Spa Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-spa-acquire-token.md | var request = { myMSALObj.acquireTokenPopup(request); ``` -To learn more, see [Optional claims](active-directory-optional-claims.md). +To learn more, see [Optional claims](./optional-claims.md). # [Angular (MSAL.js v2)](#tab/angular2) |
active-directory | Scenario Token Exchange Saml Oauth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-token-exchange-saml-oauth.md | -SAML and OpenID Connect (OIDC) / OAuth are popular protocols used to implement single sign-on (SSO). Some apps might only implement SAML and others might only implement OIDC/OAuth. Both protocols use tokens to communicate secrets. To learn more about SAML, see [single sign-on SAML protocol](single-sign-on-saml-protocol.md). To learn more about OIDC/OAuth, see [OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform](active-directory-v2-protocols.md). +SAML and OpenID Connect (OIDC) / OAuth are popular protocols used to implement single sign-on (SSO). Some apps might only implement SAML and others might only implement OIDC/OAuth. Both protocols use tokens to communicate secrets. To learn more about SAML, see [single sign-on SAML protocol](single-sign-on-saml-protocol.md). To learn more about OIDC/OAuth, see [OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform](./v2-protocols.md). This article outlines a common scenario where an app implements SAML but calls the Graph API, which uses OIDC/OAuth. Basic guidance is provided for people working with this scenario. |
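Review bot: the sentence "Both protocols use tokens to communicate secrets" in this hunk is inaccurate and worth correcting while the line is being edited: SAML assertions and OIDC/OAuth tokens carry claims about the authenticated subject and are themselves bearer credentials, they do not transport secrets; "Both protocols use tokens to convey identity claims" would be accurate. The `v2-protocols.md` retarget itself is a plain rename.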
active-directory | Schema Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/schema-extensions.md | The identifier for a directory extension attribute is of the form `extension_xxx Register directory extension attributes in one of the following ways: -- Configure Azure AD Connect to create them and to sync data into them from on-premises. See [Azure AD Connect Sync Directory Extensions](../hybrid/how-to-connect-sync-feature-directory-extensions.md).+- Configure Azure AD Connect to create them and to sync data into them from on-premises. See [Azure AD Connect Sync Directory Extensions](../hybrid/connect/how-to-connect-sync-feature-directory-extensions.md). - Use Microsoft Graph to register, set the values of, and read from [directory extensions](/graph/extensibility-overview#directory-azure-ad-extensions). [PowerShell cmdlets](/powershell/azure/active-directory/using-extension-attributes-sample) are also available. ### Emit claims with data from Azure AD Connect If a directory extension attribute is registered for using Microsoft Graph or Po Multi-tenant applications can then register directory extension attributes for their own use. When the application is provisioned into a tenant, the associated directory extensions become available and consumed for users in that tenant. After the directory extension is available, it can be used to store and retrieve data using Microsoft Graph. The directory extension can also map to claims in tokens the Microsoft identity platform emits to applications. -If an application needs to send claims with data from an extension attribute that's registered on a different application, a [claims mapping policy](active-directory-claims-mapping.md) must be used to map the extension attribute to the claim. 
+If an application needs to send claims with data from an extension attribute that's registered on a different application, a [claims mapping policy](./saml-claims-customization.md) must be used to map the extension attribute to the claim. A common pattern for managing directory extension attributes is to register an application specifically for all the directory extensions that you need. When you use this type of application, all the extensions have the same appID in their name. Where `xxxxxxx` is the appID (or Client ID) of the application that the extensio > Case consistency is important when you set directory extension attributes on objects. Extension attribute names aren't case sensitive when being set up, but they are case sensitive when being read from the directory by the token service. If an extension attribute is set on a user object with the name "LegacyId" and on another user object with the name "legacyid", when the attribute is mapped to a claim using the name "LegacyId" the data is successfully retrieved and the claim included in the token for the first user but not the second. ## Next steps-- Learn how to [customize claims emitted in tokens for a specific app](active-directory-claims-mapping.md).+- Learn how to [customize claims emitted in tokens for a specific app](./saml-claims-customization.md). |
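Review bot: the link text "claims mapping policy" now points at `./saml-claims-customization.md`, which (per the Saml Claims Customization row above) documents the Attributes & Claims configuration, whereas a claims mapping policy is the policy object the old `active-directory-claims-mapping.md` page covered; confirm that the policy content was merged into the new page, otherwise either reword the text to "attributes and claims configuration" or link to the page that now covers claims-mapping policies. The Next steps wording "customize claims emitted in tokens for a specific app" fits the new target either way.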
active-directory | Scopes Oidc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scopes-oidc.md | -The Microsoft identity platform implements the [OAuth 2.0](active-directory-v2-protocols.md) authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user. Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier, or *application ID URI*. +The Microsoft identity platform implements the [OAuth 2.0](./v2-protocols.md) authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user. Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier, or *application ID URI*. In this article, you'll learn about scopes and permissions in the identity platform. If you request the OpenID Connect scopes and a token, you'll get a token to call ### openid -If an app signs in by using [OpenID Connect](active-directory-v2-protocols.md), it must request the `openid` scope. The `openid` scope appears on the work account consent page as the **Sign you in** permission. +If an app signs in by using [OpenID Connect](./v2-protocols.md), it must request the `openid` scope. The `openid` scope appears on the work account consent page as the **Sign you in** permission. By using this permission, an app can receive a unique identifier for the user in the form of the `sub` claim. The permission also gives the app access to the UserInfo endpoint. The `openid` scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. 
When a user approves the `offline_access` scope, your app can receive refresh to > [!NOTE] > This permission currently appears on all consent pages, even for flows that don't provide a refresh token (such as the [implicit flow](v2-oauth2-implicit-grant-flow.md)). This setup addresses scenarios where a client can begin within the implicit flow and then move to the code flow where a refresh token is expected. -On the Microsoft identity platform (requests made to the v2.0 endpoint), your app must explicitly request the `offline_access` scope, to receive refresh tokens. So when you redeem an authorization code in the [OAuth 2.0 authorization code flow](active-directory-v2-protocols.md), you'll receive only an access token from the `/token` endpoint. +On the Microsoft identity platform (requests made to the v2.0 endpoint), your app must explicitly request the `offline_access` scope, to receive refresh tokens. So when you redeem an authorization code in the [OAuth 2.0 authorization code flow](./v2-protocols.md), you'll receive only an access token from the `/token` endpoint. The access token is valid for a short time. It usually expires in one hour. At that point, your app needs to redirect the user back to the `/authorize` endpoint to get a new authorization code. During this redirect, depending on the type of app, the user might need to enter their credentials again or consent again to permissions. -For more information about how to get and use refresh tokens, see the [Microsoft identity platform protocol reference](active-directory-v2-protocols.md). +For more information about how to get and use refresh tokens, see the [Microsoft identity platform protocol reference](./v2-protocols.md). 
## The .default scope This code example produces a consent page for all registered permissions if the Another use of `.default` is to request app roles (also known as application permissions) in a non-interactive application like a daemon app that uses the [client credentials](v2-oauth2-client-creds-grant-flow.md) grant flow to call a web API. -To define app roles (application permissions) for a web API, see [Add app roles in your application](howto-add-app-roles-in-azure-ad-apps.md). +To define app roles (application permissions) for a web API, see [Add app roles in your application](./howto-add-app-roles-in-apps.md). Client credentials requests in your client service *must* include `scope={resource}/.default`. Here, `{resource}` is the web API that your app intends to call, and wishes to obtain an access token for. Issuing a client credentials request by using individual application permissions (roles) is *not* supported. All the app roles (application permissions) that have been granted for that web API are included in the returned access token. |
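Review bot: in the `offline_access` paragraph the link "[OAuth 2.0 authorization code flow](./v2-protocols.md)" points at the protocol overview, while the neighbouring links for the implicit flow and client credentials (`v2-oauth2-implicit-grant-flow.md`, `v2-oauth2-client-creds-grant-flow.md`) go to flow-specific pages; if an authorization-code-flow page exists under the same naming pattern, link to it here, because the paragraph is specifically about what the `/token` endpoint returns when a code is redeemed without `offline_access`. The other `v2-protocols.md` and `howto-add-app-roles-in-apps.md` updates are plain renames.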
active-directory | Secure Group Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/secure-group-access-control.md | Azure Active Directory (Azure AD) allows the use of groups to manage access to r To learn more about the benefits of groups for access control, see [manage access to an application](../manage-apps/what-is-access-management.md). -While developing an application, authorize access with the groups claim. To learn more, see how to [configure group claims for applications with Azure AD](../hybrid/how-to-connect-fed-group-claims.md). +While developing an application, authorize access with the groups claim. To learn more, see how to [configure group claims for applications with Azure AD](../hybrid/connect/how-to-connect-fed-group-claims.md). Today, many applications select a subset of groups with the `securityEnabled` flag set to `true` to avoid scale challenges, that is, to reduce the number of groups returned in the token. Setting the `securityEnabled` flag to be true for a group doesn't guarantee that the group is securely managed. The following table presents several security best practices for security groups ## Next steps -- [Manage app and resource access using Azure Active Directory groups](../fundamentals/active-directory-manage-groups.md)+- [Manage app and resource access using Azure Active Directory groups](../fundamentals/concept-learn-about-groups.md) - [Restrict your Azure AD app to a set of users in an Azure AD tenant](./howto-restrict-your-app-to-a-set-of-users.md) |
active-directory | Secure Least Privileged Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/secure-least-privileged-access.md | Make these standard practices in an organization to help make sure that deployed ## Next steps -- [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md)+- [Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md) - [Understanding Azure AD application consent experiences](../develop/application-consent-experience.md) |
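Review bot: the first bullet switches to `./permissions-consent-overview.md` while the second keeps `../develop/application-consent-experience.md`, even though this article itself lives in `articles/active-directory/develop/` (see the GitHub path in the row); use the same `./` form for both so two links in one list are not resolved by two different routes.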
active-directory | Security Best Practices For App Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/security-best-practices-for-app-registration.md | Certificates and secrets, also known as credentials, are a vital part of an appl Consider the following guidance related to certificates and secrets: -- Always use [certificate credentials](./active-directory-certificate-credentials.md) whenever possible and don't use password credentials, also known as *secrets*. While it's convenient to use password secrets as a credential, when possible use x509 certificates as the only credential type for getting tokens for an application.+- Always use [certificate credentials](./certificate-credentials.md) whenever possible and don't use password credentials, also known as *secrets*. While it's convenient to use password secrets as a credential, when possible use x509 certificates as the only credential type for getting tokens for an application. - Configure [application authentication method policies](/graph/api/resources/applicationauthenticationmethodpolicy) to govern the use of secrets by limiting their lifetimes or blocking their use altogether. - Use Key Vault with [managed identities](../managed-identities-azure-resources/overview.md) to manage credentials for an application. - If an application is used only as a Public Client App (allows users to sign in using a public endpoint), make sure that there are no credentials specified on the application object. |
active-directory | Security Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/security-tokens.md | Tokens issued using the implicit flow have a length limitation because they're p ## See also -* [OAuth 2.0](active-directory-v2-protocols.md) +* [OAuth 2.0](./v2-protocols.md) * [OpenID Connect](v2-protocols-oidc.md) ## Next steps |
active-directory | Signing Key Rollover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/signing-key-rollover.md | How your application handles key rollover depends on variables such as the type This guidance is **not** applicable for: -* Applications added from Azure AD Application Gallery (including Custom) have separate guidance with regard to signing keys. [More information.](../manage-apps/manage-certificates-for-federated-single-sign-on.md) +* Applications added from Azure AD Application Gallery (including Custom) have separate guidance with regard to signing keys. [More information.](../manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md) * On-premises applications published via application proxy don't have to worry about signing keys. ### <a name="nativeclient"></a>Native client applications accessing resources |
active-directory | Single And Multi Tenant Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-and-multi-tenant-apps.md | Building great multi-tenant apps can be challenging because of the number of dif - Test your app in a tenant that has configured [Conditional Access policies](v2-conditional-access-dev-guide.md). - Follow the principle of least user access to ensure that your app only requests permissions it actually needs.-- Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they're agreeing to when they attempt to use your app's APIs. For more information, see the best practices section in the [permissions guide](v2-permissions-and-consent.md).+- Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they're agreeing to when they attempt to use your app's APIs. For more information, see the best practices section in the [permissions guide](./permissions-consent-overview.md). ## Next steps |
active-directory | Spa Quickstart Portal Javascript Auth Code React | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/spa-quickstart-portal-javascript-auth-code-react.md | -> > [Tutorial: Sign in users and call Microsoft Graph from a React single-page app](tutorial-v2-react.md) +> > [Tutorial: Sign in users and call Microsoft Graph from a React single-page app](./single-page-app-tutorial-01-register-app.md) |
active-directory | Test Automate Integration Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/test-automate-integration-testing.md | To prepare for your automated integration tests, create some test users, create > * Personal accounts that are invited to an Azure AD tenant can't use ROPC. > * Accounts that don't have passwords can't sign in with ROPC, which means features like SMS sign-in, FIDO, and the Authenticator app won't work with that flow. > * If users need to use [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md) to log in to the application, they will be blocked instead.-> * ROPC is not supported in [hybrid identity federation](../hybrid/whatis-fed.md) scenarios (for example, Azure AD and Active Directory Federation Services (AD FS) used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. [Pass-through authentication](../hybrid/how-to-connect-pta.md) is supported with ROPC, however. +> * ROPC is not supported in [hybrid identity federation](../hybrid/connect/whatis-fed.md) scenarios (for example, Azure AD and Active Directory Federation Services (AD FS) used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. [Pass-through authentication](../hybrid/connect/how-to-connect-pta.md) is supported with ROPC, however. > * An exception to a hybrid identity federation scenario would be the following: Home Realm Discovery policy with *AllowCloudPasswordValidation* set to TRUE will enable ROPC flow to work for federated users when on-premises password is synced to cloud. 
For more information, see [Enable direct ROPC authentication of federated users for legacy applications](../manage-apps/home-realm-discovery-policy.md#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications). ## Create a separate test tenant |
active-directory | Tutorial V2 Aspnet Daemon Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md | The app is built as an ASP.NET MVC application. It uses the OWIN OpenID Connect The "daemon" component in this sample is an API controller, `SyncController.cs`. When the controller is called, it pulls in a list of users in the customer's Azure Active Directory (Azure AD) tenant from Microsoft Graph. `SyncController.cs` is triggered by an AJAX call in the web application. It uses the [Microsoft Authentication Library (MSAL) for .NET](msal-overview.md) to acquire an access token for Microsoft Graph. -Because the app is a multi-tenant app for Microsoft business customers, it must provide a way for customers to "sign up" or "connect" the application to their company data. During the connection flow, a Global Administrator first grants *application permissions* directly to the app so that it can access company data in a non-interactive fashion, without the presence of a signed-in user. The majority of the logic in this sample shows how to achieve this connection flow by using the identity platform's [admin consent](v2-permissions-and-consent.md#using-the-admin-consent-endpoint) endpoint. +Because the app is a multi-tenant app for Microsoft business customers, it must provide a way for customers to "sign up" or "connect" the application to their company data. During the connection flow, a Global Administrator first grants *application permissions* directly to the app so that it can access company data in a non-interactive fashion, without the presence of a signed-in user. The majority of the logic in this sample shows how to achieve this connection flow by using the identity platform's [admin consent](./permissions-consent-overview.md#using-the-admin-consent-endpoint) endpoint. 
![Diagram shows UserSync App with three local items connecting to Azure, with Start dot Auth acquiring a token interactively to connect to Azure A D, AccountController getting admin consent to connect to Azure A D, and SyncController reading user to connect to Microsoft Graph.](./media/tutorial-v2-aspnet-daemon-webapp/topology.png) |
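Review bot: The fragment `#using-the-admin-consent-endpoint` is carried over unchanged onto the new target `./permissions-consent-overview.md`; confirm that the overview page actually has a heading that produces this anchor, because a fragment that no longer exists fails silently and drops the reader at the top of the page. If the admin consent endpoint material lives in a different article after the reorganisation, the link should point there instead.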
active-directory | Tutorial V2 Nodejs Webapp Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-nodejs-webapp-msal.md | Fill in these details with the values you obtain from Azure app registration por - `Enter_the_Client_secret`: Replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings in the Azure portal. > [!WARNING]-> Any plaintext secret in source code poses an increased security risk. This article uses a plaintext client secret for simplicity only. Use [certificate credentials](active-directory-certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production. +> Any plaintext secret in source code poses an increased security risk. This article uses a plaintext client secret for simplicity only. Use [certificate credentials](./certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production. - `Enter_the_Graph_Endpoint_Here`: The Microsoft Graph API cloud instance that your app will call. For the main (global) Microsoft Graph API service, enter `https://graph.microsoft.com/` (include the trailing forward-slash). - `Enter_the_Express_Session_Secret_Here` the secret used to sign the Express session cookie. Choose a random string of characters to replace this string with, such as your client secret. |
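Review bot: The unchanged context line `Enter_the_Express_Session_Secret_Here ... such as your client secret` tells the reader to reuse the client secret as the Express session-cookie signing key, which contradicts the WARNING being edited directly above it. Since this hunk already touches that warning, suggest rewording the session-secret bullet to "a long random string generated for this purpose" so the cookie-signing key is independent of the app's credential; one value leaking should not expose the other.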
active-directory | Userinfo | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/userinfo.md | The UserInfo endpoint is typically called automatically by [OIDC-compliant libra The information in an ID token is a superset of the information available on UserInfo endpoint. Because you can get an ID token at the same time you get a token to call the UserInfo endpoint, we suggest getting the user's information from the token instead of calling the UserInfo endpoint. Using the ID token instead of calling the UserInfo endpoint eliminates up to two network requests, reducing latency in your application. -If you require more details about the user like manager or job title, call the [Microsoft Graph `/user` API](/graph/api/user-get). You can also use [optional claims](active-directory-optional-claims.md) to include additional user information in your ID and access tokens. +If you require more details about the user like manager or job title, call the [Microsoft Graph `/user` API](/graph/api/user-get). You can also use [optional claims](./optional-claims.md) to include additional user information in your ID and access tokens. ## Calling the UserInfo endpoint UserInfo is a standard OAuth bearer token API hosted by Microsoft Graph. Call th ### Permissions -Use the following [OIDC permissions](v2-permissions-and-consent.md#openid-connect-scopes) to call the UserInfo API. The `openid` claim is required, and the `profile` and `email` scopes ensure that additional information is provided in the response. +Use the following [OIDC permissions](./permissions-consent-overview.md#openid-connect-scopes) to call the UserInfo API. The `openid` claim is required, and the `profile` and `email` scopes ensure that additional information is provided in the response. 
| Permission type | Permissions | |:|:-| To customize the information returned by the identity platform during authentica ## Next steps * [Review the contents of ID tokens](id-tokens.md).-* [Customize the contents of an ID token using optional claims](active-directory-optional-claims.md). +* [Customize the contents of an ID token using optional claims](./optional-claims.md). * [Request an access token and ID token using the OAuth 2 protocol](v2-protocols-oidc.md). |
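Review bot: In the edited line, `The openid claim is required` should read `The openid scope is required`: the sentence describes the OIDC permissions requested via `scope` (the table that follows is headed `Permissions`), and `openid` is a scope, not a claim in the returned token. Also verify that the `#openid-connect-scopes` fragment exists on `./permissions-consent-overview.md`; it was moved verbatim from the old `v2-permissions-and-consent.md` target.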
active-directory | V2 App Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-app-types.md | -The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](active-directory-v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios). +The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios). ## The basics For most of the history of OAuth 2.0, the [implicit flow](v2-oauth2-implicit-gra ## Web apps -For web apps (.NET, PHP, Java, Ruby, Python, Node) that the user accesses through a browser, you can use [OpenID Connect](active-directory-v2-protocols.md) for user sign-in. In OpenID Connect, the web app receives an ID token. An ID token is a security token that verifies the user's identity and provides information about the user in the form of claims: +For web apps (.NET, PHP, Java, Ruby, Python, Node) that the user accesses through a browser, you can use [OpenID Connect](./v2-protocols.md) for user sign-in. In OpenID Connect, the web app receives an ID token. 
An ID token is a security token that verifies the user's identity and provides information about the user in the form of claims: ```JSON // Partial raw ID token Accept: application/json The web API uses the access token to verify the API caller's identity and to extract information about the caller from claims that are encoded in the access token. Further details of different types of tokens used in the Microsoft identity platform are available in the [access token](access-tokens.md) reference and [id_token](id-tokens.md) reference. -A web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as [scopes](v2-permissions-and-consent.md). For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform asks the user for permission, and then records permissions in all access tokens that the web API receives. The web API validates the access tokens it receives on each call and performs authorization checks. +A web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as [scopes](./permissions-consent-overview.md). For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform asks the user for permission, and then records permissions in all access tokens that the web API receives. The web API validates the access tokens it receives on each call and performs authorization checks. A web API can receive access tokens from all types of apps, including web server apps, desktop and mobile apps, single-page apps, server-side daemons, and even other web APIs. 
The high-level flow for a web API looks like this: To build a daemon app, see the [client credentials documentation](v2-oauth2-clie ## Next steps -Now that you're familiar with the types of applications supported by the Microsoft identity platform, learn more about [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md) to gain an understanding of the protocol components used by the different scenarios. +Now that you're familiar with the types of applications supported by the Microsoft identity platform, learn more about [OAuth 2.0 and OpenID Connect](./v2-protocols.md) to gain an understanding of the protocol components used by the different scenarios. |
active-directory | V2 Conditional Access Dev Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-conditional-access-dev-guide.md | Developers can take this challenge and append it onto a new request to Azure AD. ### Prerequisites -Azure AD Conditional Access is a feature included in [Azure AD Premium](../fundamentals/active-directory-whatis.md). Customers with [Microsoft 365 Business licenses](/office365/servicedescriptions/office-365-service-descriptions-technet-library) also have access to Conditional Access features. +Azure AD Conditional Access is a feature included in [Azure AD Premium](../fundamentals/whatis.md). Customers with [Microsoft 365 Business licenses](/office365/servicedescriptions/office-365-service-descriptions-technet-library) also have access to Conditional Access features. ### Considerations for specific scenarios |
active-directory | V2 Oauth Ropc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth-ropc.md | The Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password > * Personal accounts that are invited to an Azure AD tenant can't use the ROPC flow. > * Accounts that don't have passwords can't sign in with ROPC, which means features like SMS sign-in, FIDO, and the Authenticator app won't work with that flow. If your app or users require these features, use a grant type other than ROPC. > * If users need to use [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md) to log in to the application, they will be blocked instead.-> * ROPC is not supported in [hybrid identity federation](../hybrid/whatis-fed.md) scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. [Pass-through authentication](../hybrid/how-to-connect-pta.md) is supported with ROPC, however. +> * ROPC is not supported in [hybrid identity federation](../hybrid/connect/whatis-fed.md) scenarios (for example, Azure AD and ADFS used to authenticate on-premises accounts). If users are full-page redirected to an on-premises identity provider, Azure AD is not able to test the username and password against that identity provider. [Pass-through authentication](../hybrid/connect/how-to-connect-pta.md) is supported with ROPC, however. > * An exception to a hybrid identity federation scenario would be the following: Home Realm Discovery policy with **AllowCloudPasswordValidation** set to TRUE will enable ROPC flow to work for federated users when an on-premises password is synced to the cloud. 
For more information, see [Enable direct ROPC authentication of federated users for legacy applications](../manage-apps/home-realm-discovery-policy.md#enable-direct-ropc-authentication-of-federated-users-for-legacy-applications). > * Passwords with leading or trailing whitespaces are not supported by the ROPC flow. client_id=6731de76-14a6-49ae-97bc-6eba6914391e | `grant_type` | Required | Must be set to `password`. | | `username` | Required | The user's email address. | | `password` | Required | The user's password. |-| `scope` | Recommended | A space-separated list of [scopes](v2-permissions-and-consent.md), or permissions, that the app requires. In an interactive flow, the admin or the user must consent to these scopes ahead of time. | +| `scope` | Recommended | A space-separated list of [scopes](./permissions-consent-overview.md), or permissions, that the app requires. In an interactive flow, the admin or the user must consent to these scopes ahead of time. | | `client_secret`| Sometimes required | If your app is a public client, then the `client_secret` or `client_assertion` can't be included. If the app is a confidential client, then it must be included.|-| `client_assertion` | Sometimes required | A different form of `client_secret`, generated using a certificate. For more information, see [certificate credentials](active-directory-certificate-credentials.md). | +| `client_assertion` | Sometimes required | A different form of `client_secret`, generated using a certificate. For more information, see [certificate credentials](./certificate-credentials.md). | > [!WARNING] > As part of not recommending this flow for use, the official SDKs do not support this flow for confidential clients, those that use a secret or assertion. You may find that the SDK you wish to use does not allow you to add a secret while using ROPC. The following example shows a successful token response: | `token_type` | String | Always set to `Bearer`. 
| | `scope` | Space separated strings | If an access token was returned, this parameter lists the scopes the access token is valid for. | | `expires_in`| int | Number of seconds that the included access token is valid for. |-| `access_token`| Opaque string | Issued for the [scopes](v2-permissions-and-consent.md) that were requested. | +| `access_token`| Opaque string | Issued for the [scopes](./permissions-consent-overview.md) that were requested. | | `id_token` | JWT | Issued if the original `scope` parameter included the `openid` scope. | | `refresh_token` | Opaque string | Issued if the original `scope` parameter included `offline_access`. | |
active-directory | V2 Oauth2 Auth Code Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-auth-code-flow.md | Applications can't use a `spa` redirect URI with non-SPA flows, for example, nat The authorization code flow begins with the client directing the user to the `/authorize` endpoint. In this request, the client requests the `openid`, `offline_access`, and `https://graph.microsoft.com/mail.read` permissions from the user. -Some permissions are admin-restricted, for example, writing data to an organization's directory by using `Directory.ReadWrite.All`. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions. To request access to admin-restricted scopes, you should request them directly from a Global Administrator. For more information, see [Admin-restricted permissions](v2-permissions-and-consent.md#admin-restricted-permissions). +Some permissions are admin-restricted, for example, writing data to an organization's directory by using `Directory.ReadWrite.All`. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions. To request access to admin-restricted scopes, you should request them directly from a Global Administrator. For more information, see [Admin-restricted permissions](./permissions-consent-overview.md#admin-restricted-permissions). Unless specified otherwise, there are no default values for optional parameters. There is, however, default behavior for a request omitting optional parameters. The default behavior is to either sign in the sole current user, show the account picker if there are multiple users, or show the login page if there are no users signed in. 
client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | Required/optional | Description | |--|-|--|-| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to sign them into the resource tenant. For more information, see [Endpoints](active-directory-v2-protocols.md#endpoints). | +| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to sign them into the resource tenant. For more information, see [Endpoints](./v2-protocols.md#endpoints). | | `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `response_type` | required | Must include `code` for the authorization code flow. Can also include `id_token` or `token` if using the [hybrid flow](#request-an-id-token-as-well-or-hybrid-flow). | | `redirect_uri` | required | The `redirect_uri` of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except it must be URL-encoded. For native and mobile apps, use one of the recommended values: `https://login.microsoftonline.com/common/oauth2/nativeclient` for apps using embedded browsers or `http://localhost` for apps that use system browsers. |-| `scope` | required | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to. 
For the `/authorize` leg of the request, this parameter can cover multiple resources. This value allows your app to get consent for multiple web APIs you want to call. | +| `scope` | required | A space-separated list of [scopes](./permissions-consent-overview.md) that you want the user to consent to. For the `/authorize` leg of the request, this parameter can cover multiple resources. This value allows your app to get consent for multiple web APIs you want to call. | | `response_mode` | recommended | Specifies how the identity platform should return the requested token to your app. <br/><br/>Supported values:<br/><br/>- `query`: Default when requesting an access token. Provides the code as a query string parameter on your redirect URI. The `query` parameter isn't supported when requesting an ID token by using the implicit flow. <br/>- `fragment`: Default when requesting an ID token by using the implicit flow. Also supported if requesting *only* a code.<br/>- `form_post`: Executes a POST containing the code to your redirect URI. Supported when requesting a code.<br/><br/> | | `state` | recommended | A value included in the request that is also returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The value can also encode information about the user's state in the app before the authentication request occurred. For instance, it could encode the page or view they were on. | | `prompt` | optional | Indicates the type of user interaction that is required. Valid values are `login`, `none`, `consent`, and `select_account`.<br/><br/>- `prompt=login` forces the user to enter their credentials on that request, negating single-sign on.<br/>- `prompt=none` is the opposite. It ensures that the user isn't presented with any interactive prompt. 
If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an `interaction_required` error.<br/>- `prompt=consent` triggers the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.<br/>- `prompt=select_account` interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.<br/> |-| `login_hint` | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user. Apps can use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](active-directory-optional-claims.md) from an earlier sign-in. | +| `login_hint` | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user. Apps can use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](./optional-claims.md) from an earlier sign-in. | | `domain_hint` | optional | If included, the app skips the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. For example, sending them to their federated identity provider. Apps can use this parameter during reauthentication, by extracting the `tid` from a previous sign-in. | | `code_challenge` | recommended / required | Used to secure authorization code grants by using Proof Key for Code Exchange (PKCE). Required if `code_challenge_method` is included. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This parameter is now recommended for all application types, both public and confidential clients, and required by the Microsoft identity platform for [single page apps using the authorization code flow](reference-third-party-cookies-spas.md). 
| | `code_challenge_method` | recommended / required | The method used to encode the `code_verifier` for the `code_challenge` parameter. This *SHOULD* be `S256`, but the spec allows the use of `plain` if the client can't support SHA256. <br/><br/>If excluded, `code_challenge` is assumed to be plaintext if `code_challenge` is included. The Microsoft identity platform supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This parameter is required for [single page apps using the authorization code flow](reference-third-party-cookies-spas.md).| -At this point, the user is asked to enter their credentials and complete the authentication. The Microsoft identity platform also ensures that the user has consented to the permissions indicated in the `scope` query parameter. If the user hasn't consented to any of those permissions, it asks the user to consent to the required permissions. For more information, see [Permissions and consent in the Microsoft identity platform](v2-permissions-and-consent.md). +At this point, the user is asked to enter their credentials and complete the authentication. The Microsoft identity platform also ensures that the user has consented to the permissions indicated in the `scope` query parameter. If the user hasn't consented to any of those permissions, it asks the user to consent to the required permissions. For more information, see [Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md). Once the user authenticates and grants consent, the Microsoft identity platform returns a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter. code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGBCmLdgfSTLEMPGYuNHSUYBrq... ## Redeem a code for an access token -All confidential clients have a choice of using client secrets or certificate credentials. 
Symmetric shared secrets are generated by the Microsoft identity platform. Certificate credentials are asymmetric keys uploaded by the developer. For more information, see [Microsoft identity platform application authentication certificate credentials](active-directory-certificate-credentials.md). +All confidential clients have a choice of using client secrets or certificate credentials. Symmetric shared secrets are generated by the Microsoft identity platform. Certificate credentials are asymmetric keys uploaded by the developer. For more information, see [Microsoft identity platform application authentication certificate credentials](./certificate-credentials.md). For best security, we recommend using certificate credentials. Public clients, which include native applications and single page apps, must not use secrets or certificates when redeeming an authorization code. Always ensure that your redirect URIs include the type of application and [are unique](reply-url.md#localhost-exceptions). client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | Required/optional | Description | ||-|-|-| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [Endpoints](active-directory-v2-protocols.md#endpoints). | +| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [Endpoints](./v2-protocols.md#endpoints). | | `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |-| `scope` | optional | A space-separated list of scopes. 
The scopes must all be from a single resource, along with OIDC scopes (`profile`, `openid`, `email`). For more information, see [Permissions and consent in the Microsoft identity platform](v2-permissions-and-consent.md). This parameter is a Microsoft extension to the authorization code flow, intended to allow apps to declare the resource they want the token for during token redemption.| +| `scope` | optional | A space-separated list of scopes. The scopes must all be from a single resource, along with OIDC scopes (`profile`, `openid`, `email`). For more information, see [Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md). This parameter is a Microsoft extension to the authorization code flow, intended to allow apps to declare the resource they want the token for during token redemption.| | `code` | required | The `authorization_code` that you acquired in the first leg of the flow. | | `redirect_uri` | required | The same `redirect_uri` value that was used to acquire the `authorization_code`. | | `grant_type` | required | Must be `authorization_code` for the authorization code flow. | client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | Required/optional | Description | ||-|-|-| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [Endpoints](active-directory-v2-protocols.md#endpoints). | +| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [Endpoints](./v2-protocols.md#endpoints). | | `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. 
|-| `scope` | optional | A space-separated list of scopes. The scopes must all be from a single resource, along with OIDC scopes (`profile`, `openid`, `email`). For more information, see [permissions, consent, and scopes](v2-permissions-and-consent.md). This parameter is a Microsoft extension to the authorization code flow. This extension allows apps to declare the resource they want the token for during token redemption.| +| `scope` | optional | A space-separated list of scopes. The scopes must all be from a single resource, along with OIDC scopes (`profile`, `openid`, `email`). For more information, see [permissions, consent, and scopes](./permissions-consent-overview.md). This parameter is a Microsoft extension to the authorization code flow. This extension allows apps to declare the resource they want the token for during token redemption.| | `code` | required | The `authorization_code` that you acquired in the first leg of the flow. | | `redirect_uri` | required | The same `redirect_uri` value that was used to acquire the `authorization_code`. | | `grant_type` | required | Must be `authorization_code` for the authorization code flow. | | `code_verifier` | recommended | The same `code_verifier` that was used to obtain the `authorization_code`. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). | | `client_assertion_type` | required for confidential web apps | The value must be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` to use a certificate credential. |-| `client_assertion` | required for confidential web apps | An assertion, which is a JSON web token (JWT), that you need to create and sign with the certificate you registered as credentials for your application. 
Read about [certificate credentials](active-directory-certificate-credentials.md) to learn how to register your certificate and the format of the assertion.| +| `client_assertion` | required for confidential web apps | An assertion, which is a JSON web token (JWT), that you need to create and sign with the certificate you registered as credentials for your application. Read about [certificate credentials](./certificate-credentials.md) to learn how to register your certificate and the format of the assertion.| The parameters are same as the request by shared secret except that the `client_secret` parameter is replaced by two parameters: a `client_assertion_type` and `client_assertion`. client_id=535fb089-9ff3-47b6-9bfb-4f1264799865 | Parameter | Type | Description | ||-|--|-| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [Endpoints](active-directory-v2-protocols.md#endpoints). | +| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. Valid values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [Endpoints](./v2-protocols.md#endpoints). | | `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `grant_type` | required | Must be `refresh_token` for this leg of the authorization code flow. |-| `scope` | optional | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original `authorization_code` request leg. 
If the scopes specified in this request span multiple resource server, then the Microsoft identity platform returns a token for the resource specified in the first scope. For more information, see [Permissions and consent in the Microsoft identity platform](v2-permissions-and-consent.md). | +| `scope` | optional | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original `authorization_code` request leg. If the scopes specified in this request span multiple resource server, then the Microsoft identity platform returns a token for the resource specified in the first scope. For more information, see [Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md). | | `refresh_token` | required | The `refresh_token` that you acquired in the second leg of the flow. | | `client_secret` | required for web apps | The application secret that you created in the app registration portal for your app. It shouldn't be used in a native app, because a `client_secret` can't be reliably stored on devices. It's required for web apps and web APIs, which can store the `client_secret` securely on the server side. This secret needs to be URL-Encoded. For more information, see the [URI Generic Syntax specification](https://tools.ietf.org/html/rfc3986#page-12). | |
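Review bot: the `code_verifier` row in the redemption table is still marked `recommended`, while the `code_challenge_method` row above states that PKCE is required for single-page apps using the authorization code flow; since this commit already rewrites the surrounding rows for the link change, make the column `required if PKCE was used (always for SPAs)` so the two tables agree and a SPA developer does not read the verifier as optional. In the same table, `client_assertion_type` and `client_assertion` are marked `required for confidential web apps`, but they are only required when a certificate credential replaces `client_secret`, which is what the sentence after the table says (`the client_secret parameter is replaced by two parameters`); `required when using certificate credentials` would be accurate. Minor: in the refresh-token `scope` row, `span multiple resource server` should read `span multiple resource servers`.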
active-directory | V2 Oauth2 Client Creds Grant Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md | Instead of using ACLs, you can use APIs to expose a set of **application permiss * Send mail as any user * Read directory data -To use app roles (application permissions) with your own API (as opposed to Microsoft Graph), you must first [expose the app roles](howto-add-app-roles-in-azure-ad-apps.md) in the API's app registration in the Azure portal. Then, [configure the required app roles](howto-add-app-roles-in-azure-ad-apps.md#assign-app-roles-to-applications) by selecting those permissions in your client application's app registration. If you haven't exposed any app roles in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal. +To use app roles (application permissions) with your own API (as opposed to Microsoft Graph), you must first [expose the app roles](./howto-add-app-roles-in-apps.md) in the API's app registration in the Azure portal. Then, [configure the required app roles](./howto-add-app-roles-in-apps.md#assign-app-roles-to-applications) by selecting those permissions in your client application's app registration. If you haven't exposed any app roles in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal. When authenticating as an application (as opposed to with a user), you can't use *delegated permissions* because there is no user for your app to act on behalf of. You must use application permissions, also known as app roles, that are granted by an admin or by the API's owner. -For more information about application permissions, see [Permissions and consent](v2-permissions-and-consent.md#permission-types). 
+For more information about application permissions, see [Permissions and consent](./permissions-consent-overview.md#permission-types). #### Recommended: Sign the admin into your app to have app roles assigned Typically, when you build an application that uses application permissions, the app requires a page or view on which the admin approves the app's permissions. This page can be part of the app's sign-in flow, part of the app's settings, or a dedicated *connect* flow. It often makes sense for the app to show this *connect* view only after a user has signed in with a work or school Microsoft account. -If you sign the user into your app, you can identify the organization to which the user belongs to before you ask the user to approve the application permissions. Although not strictly necessary, it can help you create a more intuitive experience for your users. To sign the user in, follow the [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md). +If you sign the user into your app, you can identify the organization to which the user belongs to before you ask the user to approve the application permissions. Although not strictly necessary, it can help you create a more intuitive experience for your users. To sign the user in, follow the [Microsoft identity platform protocol tutorials](./v2-protocols.md). #### Request the permissions from a directory admin curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id= | | | -- | | `tenant` | Required | The directory tenant the application plans to operate against, in GUID or domain-name format. | | `client_id` | Required | The application ID that's assigned to your app. You can find this information in the portal where you registered your app. |-| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. 
All scopes included must be for a single resource. Including scopes for multiple resources will result in an error. <br/>For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. This value tells the Microsoft identity platform that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). | +| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. All scopes included must be for a single resource. Including scopes for multiple resources will result in an error. <br/>For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. This value tells the Microsoft identity platform that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](./permissions-consent-overview.md#the-default-scope). | | `client_secret` | Required | The client secret that you generated for your app in the app registration portal. The client secret must be URL-encoded before being sent. The Basic auth pattern of instead providing credentials in the Authorization header, per [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) is also supported. | | `grant_type` | Required | Must be set to `client_credentials`. | scope=https%3A%2F%2Fgraph.microsoft.com%2F.default | -- | | -- | | `tenant` | Required | The directory tenant the application plans to operate against, in GUID or domain-name format. 
| | `client_id` | Required | The application (client) ID that's assigned to your app. |-| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. All scopes included must be for a single resource. Including scopes for multiple resources will result in an error. <br/>For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. This value tells the Microsoft identity platform that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). | +| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. All scopes included must be for a single resource. Including scopes for multiple resources will result in an error. <br/>For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. This value tells the Microsoft identity platform that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](./permissions-consent-overview.md#the-default-scope). | | `client_assertion_type` | Required | The value must be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. |-| `client_assertion` | Required | An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. 
Read about [certificate credentials](active-directory-certificate-credentials.md) to learn how to register your certificate and the format of the assertion.| +| `client_assertion` | Required | An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. Read about [certificate credentials](./certificate-credentials.md) to learn how to register your certificate and the format of the assertion.| | `grant_type` | Required | Must be set to `client_credentials`. | The parameters for the certificate-based request differ in only one way from the shared secret-based request: the `client_secret` parameter is replaced by the `client_assertion_type` and `client_assertion` parameters. scope=https%3A%2F%2Fgraph.microsoft.com%2F.default | Parameter | Condition | Description | | | | -- |-| `client_assertion` | Required | An assertion (a JWT, or JSON web token) that your application gets from another identity provider outside of Microsoft identity platform, like Kubernetes. The specifics of this JWT must be registered on your application as a [federated identity credential](workload-identity-federation-create-trust.md). Read about [workload identity federation](workload-identity-federation.md) to learn how to setup and use assertions generated from other identity providers.| +| `client_assertion` | Required | An assertion (a JWT, or JSON web token) that your application gets from another identity provider outside of Microsoft identity platform, like Kubernetes. The specifics of this JWT must be registered on your application as a [federated identity credential](../workload-identities/workload-identity-federation-create-trust.md). 
Read about [workload identity federation](../workload-identities/workload-identity-federation.md) to learn how to setup and use assertions generated from other identity providers.| -Everything in the request is the same as the certificate-based flow, with the crucial exception of the source of the `client_assertion`. In this flow, your application does not create the JWT assertion itself. Instead, your app uses a JWT created by another identity provider. This is called *[workload identity federation](workload-identity-federation.md)*, where your apps identity in another identity platform is used to acquire tokens inside the Microsoft identity platform. This is best suited for cross-cloud scenarios, such as hosting your compute outside Azure but accessing APIs protected by Microsoft identity platform. For information about the required format of JWTs created by other identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format). +Everything in the request is the same as the certificate-based flow, with the crucial exception of the source of the `client_assertion`. In this flow, your application does not create the JWT assertion itself. Instead, your app uses a JWT created by another identity provider. This is called *[workload identity federation](../workload-identities/workload-identity-federation.md)*, where your apps identity in another identity platform is used to acquire tokens inside the Microsoft identity platform. This is best suited for cross-cloud scenarios, such as hosting your compute outside Azure but accessing APIs protected by Microsoft identity platform. For information about the required format of JWTs created by other identity providers, read about the [assertion format](./certificate-credentials.md#assertion-format). ### Successful response |
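Review bot: the rewritten `+` paragraph on workload identity federation carries over `your apps identity` and `to setup and use` unchanged; since the line is being touched for the new `../workload-identities/` paths anyway, fix them to `your app's identity` and `to set up and use`. Also worth a one-line clarification in the federated `client_assertion` row: the surrounding text says the request is identical to the certificate-based flow except for the assertion's source, but the `client_assertion_type` row that the certificate table shows (`urn:ietf:params:oauth:client-assertion-type:jwt-bearer`) is not repeated in the federated table; either repeat the row or state that it is unchanged, so readers copying only the federated table do not omit the parameter.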
active-directory | V2 Oauth2 Device Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-device-code.md | client_id=6731de76-14a6-49ae-97bc-6eba6914391e | | | | | `tenant` | Required | Can be `/common`, `/consumers`, or `/organizations`. It can also be the directory tenant that you want to request permission from in GUID or friendly name format. | | `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |-| `scope` | Required | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to. | +| `scope` | Required | A space-separated list of [scopes](./permissions-consent-overview.md) that you want the user to consent to. | ### Device authorization response A successful token response will look like: | `token_type` | String| Always `Bearer`. | | `scope` | Space separated strings | If an access token was returned, this lists the scopes in which the access token is valid for. | | `expires_in`| int | Number of seconds the included access token is valid for. |-| `access_token`| Opaque string | Issued for the [scopes](v2-permissions-and-consent.md) that were requested. | +| `access_token`| Opaque string | Issued for the [scopes](./permissions-consent-overview.md) that were requested. | | `id_token` | JWT | Issued if the original `scope` parameter included the `openid` scope. | | `refresh_token` | Opaque string | Issued if the original `scope` parameter included `offline_access`. | |
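Review bot: the `tenant` row in the device authorization request table lists the values as `/common`, `/consumers`, or `/organizations` with a leading slash, while the other articles updated in this batch (authorization code, client credentials, implicit) list them as `common`, `organizations`, `consumers`; since the value is a single path segment in `login.microsoftonline.com/{tenant}/oauth2/v2.0/...`, drop the slashes here so a reader building the URL from the table does not produce a double slash. The two link updates in the `scope` and `access_token` rows are consistent with the rest of the batch.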
active-directory | V2 Oauth2 Implicit Grant Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md | client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | Type | Description | | | | |-| `tenant` | required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints).Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.| +| `tenant` | required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](./v2-protocols.md#endpoints).Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.| | `client_id` | required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. | | `response_type` | required |Must include `id_token` for OpenID Connect sign-in. It may also include the response_type `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, user.read on Microsoft Graph). 
It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This id_token+code response is sometimes called the hybrid flow. | | `redirect_uri` | recommended |The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be URL-encoded. |-| `scope` | required |A space-separated list of [scopes](v2-permissions-and-consent.md). For OpenID Connect (id_tokens), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | +| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (id_tokens), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | | `response_mode` | optional |Specifies the method that should be used to send the resulting token back to your app. Defaults to query for just an access token, but fragment if the request includes an id_token. | | `state` | recommended |A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). 
The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. | | `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | | `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. |-| `login_hint` | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](active-directory-optional-claims.md) from an earlier sign-in. | +| `login_hint` | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](./optional-claims.md) from an earlier sign-in. 
| | `domain_hint` | optional |If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. This parameter is commonly used for Line of Business apps that operate in a single tenant, where they'll provide a domain name within a given tenant, forwarding the user to the federation provider for that tenant. This hint prevents guests from signing into this application, and limits the use of cloud credentials like FIDO. | -At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has consented to **none** of those permissions, it will ask the user to consent to the required permissions. For more info, see [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md). +At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has consented to **none** of those permissions, it will ask the user to consent to the required permissions. For more info, see [permissions, consent, and multi-tenant apps](./permissions-consent-overview.md). Once the user authenticates and grants consent, the Microsoft identity platform will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter. https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redire | Parameter | Type | Description | | | | |-| `tenant` |required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. 
For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). | +| `tenant` |required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](./v2-protocols.md#endpoints). | | `post_logout_redirect_uri` | recommended | The URL that the user should be returned to after logout completes. This value must match one of the redirect URIs registered for the application. If not included, the user will be shown a generic message by the Microsoft identity platform. | ## Next steps |
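Review bot: the `+` line for the `tenant` row keeps the missing space in `protocol basics](./v2-protocols.md#endpoints).Critically, for guest scenarios`; since the line is being rewritten for the link change, insert the space after the period. A security point on the unchanged `response_mode` row: it says the response `Defaults to query for just an access token, but fragment if the request includes an id_token`. RFC 6749 section 4.2.2 puts implicit-grant access tokens in the URL fragment precisely so that they are not sent to the server hosting the redirect URI, and a token in the query string ends up in web server, proxy and Referer logs; the row should tell readers to set `response_mode=fragment` explicitly when requesting `token` without `id_token`, rather than leaving the `query` default as the only guidance.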
active-directory | V2 Oauth2 On Behalf Of Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md | When using a shared secret, a service-to-service access token request contains t | `client_id` | Required | The application (client) ID that [the Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page has assigned to your app. | | `client_secret` | Required | The client secret that you generated for your app in the Azure portal - App registrations page. The Basic auth pattern of instead providing credentials in the Authorization header, per [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) is also supported. | | `assertion` | Required | The access token that was sent to the middle-tier API. This token must have an audience (`aud`) claim of the app making this OBO request (the app denoted by the `client-id` field). Applications can't redeem a token for a different app (for example, if a client sends an API a token meant for Microsoft Graph, the API can't redeem it using OBO. It should instead reject the token). |-| `scope` | Required | A space separated list of scopes for the token request. For more information, see [scopes](v2-permissions-and-consent.md). | +| `scope` | Required | A space separated list of scopes for the token request. For more information, see [scopes](./permissions-consent-overview.md). | | `requested_token_use` | Required | Specifies how the request should be processed. In the OBO flow, the value must be set to `on_behalf_of`. | #### Example A service-to-service access token request with a certificate contains the follow | `grant_type` | Required | The type of the token request. For a request using a JWT, the value must be `urn:ietf:params:oauth:grant-type:jwt-bearer`. 
| | `client_id` | Required | The application (client) ID that [the Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page has assigned to your app. | | `client_assertion_type` | Required | The value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. |-| `client_assertion` | Required | An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. To learn how to register your certificate and the format of the assertion, see [certificate credentials](active-directory-certificate-credentials.md). | +| `client_assertion` | Required | An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. To learn how to register your certificate and the format of the assertion, see [certificate credentials](./certificate-credentials.md). | | `assertion` | Required | The access token that was sent to the middle-tier API. This token must have an audience (`aud`) claim of the app making this OBO request (the app denoted by the `client-id` field). Applications can't redeem a token for a different app (for example, if a client sends an API a token meant for MS Graph, the API can't redeem it using OBO. It should instead reject the token). | | `requested_token_use` | Required | Specifies how the request should be processed. In the OBO flow, the value must be set to `on_behalf_of`. |-| `scope` | Required | A space-separated list of scopes for the token request. For more information, see [scopes](v2-permissions-and-consent.md).| +| `scope` | Required | A space-separated list of scopes for the token request. For more information, see [scopes](./permissions-consent-overview.md).| Notice that the parameters are almost the same as in the case of the request by shared secret except that the `client_secret` parameter is replaced by two parameters: a `client_assertion_type` and `client_assertion`. 
The `client_assertion_type` parameter is set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` and the `client_assertion` parameter is set to the JWT token that is signed with the private key of the certificate. A service-to-service request for a SAML assertion contains the following paramet | assertion |required | The value of the access token used in the request.| | client_id |required | The app ID assigned to the calling service during registration with Azure AD. To find the app ID in the Azure portal, select **Active Directory**, choose the directory, and then select the application name. | | client_secret |required | The key registered for the calling service in Azure AD. This value should have been noted at the time of registration. The Basic auth pattern of instead providing credentials in the Authorization header, per [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) is also supported. |-| scope |required | A space-separated list of scopes for the token request. For more information, see [scopes](v2-permissions-and-consent.md). SAML itself doesn't have a concept of scopes, but is used to identify the target SAML application for which you want to receive a token. For this OBO flow, the scope value must always be the SAML Entity ID with `/.default` appended. For example, in case the SAML application's Entity ID is `https://testapp.contoso.com`, then the requested scope should be `https://testapp.contoso.com/.default`. In case the Entity ID doesn't start with a URI scheme such as `https:`, Azure AD prefixes the Entity ID with `spn:`. In that case you must request the scope `spn:<EntityID>/.default`, for example `spn:testapp/.default` in case the Entity ID is `testapp`. The scope value you request here determines the resulting `Audience` element in the SAML token, which may be important to the SAML application receiving the token. | +| scope |required | A space-separated list of scopes for the token request. 
For more information, see [scopes](./permissions-consent-overview.md). SAML itself doesn't have a concept of scopes, but is used to identify the target SAML application for which you want to receive a token. For this OBO flow, the scope value must always be the SAML Entity ID with `/.default` appended. For example, in case the SAML application's Entity ID is `https://testapp.contoso.com`, then the requested scope should be `https://testapp.contoso.com/.default`. In case the Entity ID doesn't start with a URI scheme such as `https:`, Azure AD prefixes the Entity ID with `spn:`. In that case you must request the scope `spn:<EntityID>/.default`, for example `spn:testapp/.default` in case the Entity ID is `testapp`. The scope value you request here determines the resulting `Audience` element in the SAML token, which may be important to the SAML application receiving the token. | | requested_token_use |required | Specifies how the request should be processed. In the On-Behalf-Of flow, the value must be `on_behalf_of`. | | requested_token_type | required | Specifies the type of token requested. The value can be `urn:ietf:params:oauth:token-type:saml2` or `urn:ietf:params:oauth:token-type:saml1` depending on the requirements of the accessed resource. | The goal of the OBO flow is to ensure proper consent is given so that the client ### .default and combined consent -The middle tier application adds the client to the [known client applications list](reference-app-manifest.md#knownclientapplications-attribute) (`knownClientApplications`) in its manifest. If a consent prompt is triggered by the client, the consent flow will be both for itself and the middle tier application. On the Microsoft identity platform, this is done using the [`.default` scope](v2-permissions-and-consent.md#the-default-scope). The `.default` scope is a special scope that is used to request consent to access all the scopes that the application has permissions for. 
This is useful when the application needs to access multiple resources, but the user should only be prompted for consent once. +The middle tier application adds the client to the [known client applications list](reference-app-manifest.md#knownclientapplications-attribute) (`knownClientApplications`) in its manifest. If a consent prompt is triggered by the client, the consent flow will be both for itself and the middle tier application. On the Microsoft identity platform, this is done using the [`.default` scope](./permissions-consent-overview.md#the-default-scope). The `.default` scope is a special scope that is used to request consent to access all the scopes that the application has permissions for. This is useful when the application needs to access multiple resources, but the user should only be prompted for consent once. When triggering a consent screen using known client applications and `.default`, the consent screen will show permissions for **both** the client to the middle tier API, and also request whatever permissions are required by the middle-tier API. The user provides consent for both applications, and then the OBO flow works. Resources can indicate that a given application always has permission to receive ### Admin consent -A tenant admin can guarantee that applications have permission to call their required APIs by providing admin consent for the middle tier application. To do this, the admin can find the middle tier application in their tenant, open the required permissions page, and choose to give permission for the app. To learn more about admin consent, see the [consent and permissions documentation](v2-permissions-and-consent.md). +A tenant admin can guarantee that applications have permission to call their required APIs by providing admin consent for the middle tier application. To do this, the admin can find the middle tier application in their tenant, open the required permissions page, and choose to give permission for the app. 
To learn more about admin consent, see the [consent and permissions documentation](./permissions-consent-overview.md). ### Use of a single application Learn more about the OAuth 2.0 protocol and another way to perform service to se * [OAuth 2.0 client credentials grant in Microsoft identity platform](v2-oauth2-client-creds-grant-flow.md) * [OAuth 2.0 code flow in Microsoft identity platform](v2-oauth2-auth-code-flow.md)-* [Using the `/.default` scope](v2-permissions-and-consent.md#the-default-scope) +* [Using the `/.default` scope](./permissions-consent-overview.md#the-default-scope) |
active-directory | V2 Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-overview.md | Learn how core authentication and Azure AD concepts apply to the Microsoft ident - [Authentication basics](./authentication-vs-authorization.md) - [Application and service principals](app-objects-and-service-principals.md) - [Audiences](v2-supported-account-types.md)-- [Permissions and consent](v2-permissions-and-consent.md)+- [Permissions and consent](./permissions-consent-overview.md) - [ID tokens](id-tokens.md) - [Access tokens](access-tokens.md) - [Authentication flows and application scenarios](authentication-flows-app-scenarios.md) |
active-directory | V2 Protocols Oidc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-protocols-oidc.md | client_id=6731de76-14a6-49ae-97bc-6eba6914391e | Parameter | Condition | Description | | | | |-| `tenant` | Required | You can use the `{tenant}` value in the path of the request to control who can sign in to the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [protocol basics](active-directory-v2-protocols.md#endpoints). Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.| +| `tenant` | Required | You can use the `{tenant}` value in the path of the request to control who can sign in to the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [protocol basics](./v2-protocols.md#endpoints). Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.| | `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `response_type` | Required | Must include `id_token` for OpenID Connect sign-in. | | `redirect_uri` | Recommended | The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except that it must be URL-encoded. If not present, the endpoint will pick one registered `redirect_uri` at random to send the user back to. 
| client_id=6731de76-14a6-49ae-97bc-6eba6914391e | `response_mode` | Recommended | Specifies the method that should be used to send the resulting authorization code back to your app. Can be `form_post` or `fragment`. For web applications, we recommend using `response_mode=form_post`, to ensure the most secure transfer of tokens to your application. | | `state` | Recommended | A value included in the request that also will be returned in the token response. It can be a string of any content you want. A randomly generated unique value typically is used to [prevent cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state also is used to encode information about the user's state in the app before the authentication request occurred, such as the page or view the user was on. | | `prompt` | Optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, `consent`, and `select_account`. The `prompt=login` claim forces the user to enter their credentials on that request, which negates single sign-on. The `prompt=none` parameter is the opposite, and should be paired with a `login_hint` to indicate which user must be signed in. These parameters ensure that the user isn't presented with any interactive prompt at all. If the request can't be completed silently via single sign-on, the Microsoft identity platform returns an error. Causes include no signed-in user, the hinted user isn't signed in, or multiple users are signed in but no hint was provided. The `prompt=consent` claim triggers the OAuth consent dialog after the user signs in. The dialog asks the user to grant permissions to the app. Finally, `select_account` shows the user an account selector, negating silent SSO but allowing the user to pick which account they intend to sign in with, without requiring credential entry. 
You can't use both `login_hint` and `select_account`.|-| `login_hint` | Optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](active-directory-optional-claims.md) from an earlier sign-in. | +| `login_hint` | Optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](./optional-claims.md) from an earlier sign-in. | | `domain_hint` | Optional | The realm of the user in a federated directory. This skips the email-based discovery process that the user goes through on the sign-in page, for a slightly more streamlined user experience. For tenants that are federated through an on-premises directory like AD FS, this often results in a seamless sign-in because of the existing login session. | -At this point, the user is prompted to enter their credentials and complete the authentication. The Microsoft identity platform verifies that the user has consented to the permissions indicated in the `scope` query parameter. If the user hasn't consented to any of those permissions, the Microsoft identity platform prompts the user to consent to the required permissions. You can read more about [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md). +At this point, the user is prompted to enter their credentials and complete the authentication. The Microsoft identity platform verifies that the user has consented to the permissions indicated in the `scope` query parameter. If the user hasn't consented to any of those permissions, the Microsoft identity platform prompts the user to consent to the required permissions. 
You can read more about [permissions, consent, and multi-tenant apps](./permissions-consent-overview.md). After the user authenticates and grants consent, the Microsoft identity platform returns a response to your app at the indicated redirect URI by using the method specified in the `response_mode` parameter. If you validate ID tokens in your application, we recommend *not* doing so manua ### What to validate in an ID token -In addition to validating ID token's signature, you should validate several of its claims as described in [Validating an ID token](id-tokens.md#validate-tokens). Also see [Important information about signing key-rollover](active-directory-signing-key-rollover.md). +In addition to validating ID token's signature, you should validate several of its claims as described in [Validating an ID token](id-tokens.md#validate-tokens). Also see [Important information about signing key-rollover](./signing-key-rollover.md). Several other validations are common and vary by application scenario, including: post_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F | Parameter | Condition | Description | | -- | - | | | `post_logout_redirect_uri` | Recommended | The URL that the user is redirected to after successfully signing out. If the parameter isn't included, the user is shown a generic message that's generated by the Microsoft identity platform. This URL must match one of the redirect URIs registered for your application in the app registration portal. |-| `logout_hint` | Optional | Enables sign-out to occur without prompting the user to select an account. To use `logout_hint`, enable the `login_hint` [optional claim](active-directory-optional-claims.md) in your client application and use the value of the `login_hint` optional claim as the `logout_hint` parameter. Don't use UPNs or phone numbers as the value of the `logout_hint` parameter. +| `logout_hint` | Optional | Enables sign-out to occur without prompting the user to select an account. 
To use `logout_hint`, enable the `login_hint` [optional claim](./optional-claims.md) in your client application and use the value of the `login_hint` optional claim as the `logout_hint` parameter. Don't use UPNs or phone numbers as the value of the `logout_hint` parameter. > [!NOTE] > After successful sign-out, the active sessions will be set to inactive. If a valid Primary Refresh Token (PRT) exists for the signed-out user and a new sign-in is executed, SSO will be interrupted and user will see a prompt with an account picker. If the option selected is the connected account that refers to the PRT, sign-in will proceed automatically without the need to insert fresh credentials. When you redirect the user to the `end_session_endpoint`, the Microsoft identity ## Next steps * Review the [UserInfo endpoint documentation](userinfo.md).-* [Populate claim values in a token](active-directory-claims-mapping.md) with data from on-premises systems. -* [Include your own claims in tokens](active-directory-optional-claims.md). +* [Populate claim values in a token](./saml-claims-customization.md) with data from on-premises systems. +* [Include your own claims in tokens](./optional-claims.md). |
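Review bot: In the Next steps hunk, the link "Populate claim values in a token ... with data from on-premises systems" is retargeted to `./saml-claims-customization.md`; the file name indicates SAML-specific claims customization, while this article (V2 Protocols OIDC) is about OpenID Connect ID tokens. Confirm the new target also covers claims customization for JWT tokens, or change the link text to say it is SAML claims customization, so an OIDC reader is not sent to a SAML-only page under a token-neutral label.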
active-directory | Web App Quickstart Portal Aspnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-aspnet.md | -> > [Add sign-in to an ASP.NET web app](tutorial-v2-asp-webapp.md) +> > [Add sign-in to an ASP.NET web app](./web-app-tutorial-01-register-application.md) |
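Review bot: The link text "Add sign-in to an ASP.NET web app" no longer matches its target: `./web-app-tutorial-01-register-application.md` is, by its name, the register-application step of the tutorial rather than the sign-in step. Either point the link at the part of the tutorial that adds sign-in, or reword the text to describe the registration step, so the link label matches where it lands.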
active-directory | Web App Quickstart Portal Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-python.md | -> > This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](./active-directory-certificate-credentials.md). +> > This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](./certificate-credentials.md). > > ## More information > -> > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md) +> > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md) |
active-directory | Zero Trust For Developers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/zero-trust-for-developers.md | The Microsoft identity platform offers authentication mechanisms for verifying t | Best practice | Benefits to application security | | - | -- |-| Use the [Microsoft Authentication Libraries](./reference-v2-libraries.md) (MSAL). | MSAL is a set of Microsoft Authentication Libraries for developers. With MSAL, users and applications can be authenticated, and tokens can be acquired to access corporate resources using just a few lines of code. MSAL uses modern protocols ([OpenID Connect and OAuth 2.0](./active-directory-v2-protocols.md)) that remove the need for applications to ever handle a user's credentials directly. This handling of credentials vastly improves the security for both users and applications as the identity provider becomes the security perimeter. Also, these protocols continuously evolve to address new paradigms, opportunities, and challenges in identity security. | +| Use the [Microsoft Authentication Libraries](./reference-v2-libraries.md) (MSAL). | MSAL is a set of Microsoft Authentication Libraries for developers. With MSAL, users and applications can be authenticated, and tokens can be acquired to access corporate resources using just a few lines of code. MSAL uses modern protocols ([OpenID Connect and OAuth 2.0](./v2-protocols.md)) that remove the need for applications to ever handle a user's credentials directly. This handling of credentials vastly improves the security for both users and applications as the identity provider becomes the security perimeter. Also, these protocols continuously evolve to address new paradigms, opportunities, and challenges in identity security. | | Adopt enhanced security extensions like [Continuous Access Evaluation](../conditional-access/concept-continuous-access-evaluation.md) (CAE) and Conditional Access authentication context when appropriate. 
| In Azure AD, some of the most used extensions include [Conditional Access](../conditional-access/overview.md), [Conditional Access authentication context](./developer-guide-conditional-access-authentication-context.md) and CAE. Applications that use enhanced security features like CAE and Conditional Access authentication context must be coded to handle claims challenges. Open protocols enable the [claims challenges and claims requests](./claims-challenge.md) to be used to invoke extra client capabilities. The capabilities might be to continue interaction with Azure AD, such as when there was an anomaly or if the user authentication conditions change. These extensions can be coded into an application without disturbing the primary code flows for authentication. | | Use the correct **authentication flow** by [application type](./v2-app-types.md). For web applications, always try to use [confidential client flows](./authentication-flows-app-scenarios.md#single-page-public-client-and-confidential-client-applications). For mobile applications, try to use [brokers](./msal-android-single-sign-on.md#sso-through-brokered-authentication) or the [system browser](./msal-android-single-sign-on.md#sso-through-system-browser) for authentication. | The flows for web applications that can hold a secret (confidential clients) are considered more secure than public clients (for example: Desktop and Console applications). When the system web browser is used to authenticate a mobile application, a secure [Single Sign-On](../manage-apps/what-is-single-sign-on.md) (SSO) experience enables the use of application protection policies. | The Microsoft identity platform offers authentication mechanisms for verifying t A developer uses the Microsoft identity platform to grant permissions (scopes) and verify that a caller has been granted proper permission before allowing access. 
Enforce least privileged access in applications by enabling fine-grained permissions that allow the smallest amount of access necessary to be granted. Consider the following practices to make sure of adherence to the [principle of least privilege](./secure-least-privileged-access.md): - Evaluate the permissions that are requested to make sure that the absolute least privileged is set to get the job done. Don't create "catch-all" permissions with access to the entire API surface.-- When designing APIs, provide granular permissions to allow least-privileged access. Start with dividing the functionality and data access into sections that can be controlled by using [scopes](./v2-permissions-and-consent.md#scopes-and-permissions) and [App roles](./howto-add-app-roles-in-azure-ad-apps.md). Don't add APIs to existing permissions in a way that changes the semantics of the permission.+- When designing APIs, provide granular permissions to allow least-privileged access. Start with dividing the functionality and data access into sections that can be controlled by using [scopes](./permissions-consent-overview.md#scopes-and-permissions) and [App roles](./howto-add-app-roles-in-apps.md). Don't add APIs to existing permissions in a way that changes the semantics of the permission. - Offer **read-only** permissions. `Write` access, includes privileges for create, update, and delete operations. A client should never require write access to only read data. - Offer both [delegated and application](/graph/auth/auth-concepts#delegated-and-application-permissions) permissions. Skipping application permissions can create hard requirement for clients to achieve common scenarios like automation, microservices and more. - Consider "standard" and "full" access permissions if working with sensitive data. Restrict the sensitive properties so that they can't be accessed using a "standard" access permission, for example `Resource.Read`. 
And then implement a "full" access permission, for example `Resource.ReadFull` that returns all available properties including sensitive information. |
active-directory | Assign Local Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md | By adding Azure AD roles to the local administrators group, you can update the u To view and update the membership of the Global Administrator role, see: - [View all members of an administrator role in Azure Active Directory](../roles/manage-roles-portal.md)-- [Assign a user to administrator roles in Azure Active Directory](../fundamentals/active-directory-users-assign-role-azure-portal.md)+- [Assign a user to administrator roles in Azure Active Directory](../fundamentals/how-subscriptions-associated-directory.md) ## Manage the device administrator role |
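Review bot: The replacement target does not match the link text: "Assign a user to administrator roles in Azure Active Directory" now resolves to `../fundamentals/how-subscriptions-associated-directory.md`, whose name indicates an article about associating subscriptions with a directory, not about role assignment. The preceding bullet already links `../roles/manage-roles-portal.md`; point this bullet at a role-assignment article (or drop it if that page covers both viewing and assigning membership) rather than a subscription article.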
active-directory | Device Join Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-join-plan.md | Azure AD join works in managed and federated environments. We think most organiz ### Managed environment -A managed environment can be deployed either through [Password Hash Sync](../hybrid/how-to-connect-password-hash-synchronization.md) or [Pass Through Authentication](../hybrid/how-to-connect-pta-quick-start.md) with Seamless Single Sign On. +A managed environment can be deployed either through [Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) or [Pass Through Authentication](../hybrid/connect/how-to-connect-pta-quick-start.md) with Seamless Single Sign On. ### Federated environment If your identity provider doesn't support these protocols, Azure AD join doesn't If you create users in your: -- **On-premises Active Directory**, you need to synchronize them to Azure AD using [Azure AD Connect](../hybrid/how-to-connect-sync-whatis.md). +- **On-premises Active Directory**, you need to synchronize them to Azure AD using [Azure AD Connect](../hybrid/connect/how-to-connect-sync-whatis.md). - **Azure AD**, no extra setup is required. On-premises user principal names (UPNs) that are different from Azure AD UPNs aren't supported on Azure AD joined devices. If your users use an on-premises UPN, you should plan to switch to using their primary UPN in Azure AD. If you have an MDM provider configured for your Azure AD joined devices, the pro ![Compliant device](./media/device-join-plan/46.png) -You can use this implementation to [require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md). +You can use this implementation to [require managed devices for cloud app access with Conditional Access](../conditional-access/concept-conditional-access-grant.md). ## Next steps |
active-directory | Device Registration How It Works | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-registration-how-it-works.md | Device Registration is a prerequisite to cloud-based authentication. Commonly, d - [Azure AD registered devices](concept-device-registration.md) - [Hybrid Azure AD joined devices](concept-hybrid-join.md) - [What is a Primary Refresh Token?](concept-primary-refresh-token.md)-- [Azure AD Connect: Device options](../hybrid/how-to-connect-device-options.md)+- [Azure AD Connect: Device options](../hybrid/connect/how-to-connect-device-options.md) |
active-directory | Device Sso To On Premises Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-sso-to-on-premises-resources.md | This article explains how this works. - An [Azure AD joined device](concept-directory-join.md). - On-premises SSO requires line-of-sight communication with your on-premises AD DS domain controllers. If Azure AD joined devices aren't connected to your organization's network, a VPN or other network infrastructure is required. -- Azure AD Connect or Azure AD Connect cloud sync: To synchronize default user attributes like SAM Account Name, Domain Name, and UPN. For more information, see the article [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10).+- Azure AD Connect or Azure AD Connect cloud sync: To synchronize default user attributes like SAM Account Name, Domain Name, and UPN. For more information, see the article [Attributes synchronized by Azure AD Connect](../hybrid/connect/reference-connect-sync-attributes-synchronized.md#windows-10). ## How it works You can use: ## What you should know -- You may have to adjust your [domain-based filtering](../hybrid/how-to-connect-sync-configure-filtering.md#domain-based-filtering) in Azure AD Connect to ensure that the data about the required domains is synchronized if you have multiple domains.+- You may have to adjust your [domain-based filtering](../hybrid/connect/how-to-connect-sync-configure-filtering.md#domain-based-filtering) in Azure AD Connect to ensure that the data about the required domains is synchronized if you have multiple domains. - Apps and resources that depend on Active Directory machine authentication don't work because Azure AD joined devices don't have a computer object in AD DS. - You can't share files with other users on an Azure AD-joined device. - Applications running on your Azure AD joined device may authenticate users. 
They must use the implicit UPN or the NT4 type syntax with the domain FQDN name as the domain part, for example: user@contoso.corp.com or contoso.corp.com\user. |
active-directory | Enterprise State Roaming Group Policy Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-group-policy-settings.md | These settings are located in Group Policy under: **Computer Configuration** > * ## Next steps -For an overview, see [enterprise State Roaming overview](enterprise-state-roaming-overview.md). +For an overview, see [enterprise State Roaming overview](./enterprise-state-roaming-enable.md). |
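Review bot: The link text "enterprise State Roaming overview" still says overview while the new target is `./enterprise-state-roaming-enable.md`, which by its name is the enable article; update the text to describe the enable article (and capitalize "Enterprise State Roaming" consistently) so the label matches the destination.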
active-directory | Enterprise State Roaming Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md | Proceed with the steps listed [KB3196528](https://support.microsoft.com/kb/31965 ## Next steps -For an overview, see [enterprise state roaming overview](enterprise-state-roaming-overview.md). +For an overview, see [enterprise state roaming overview](./enterprise-state-roaming-enable.md). |
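Review bot: Same mismatch as the Group Policy Settings row: "enterprise state roaming overview" now points at `./enterprise-state-roaming-enable.md`; reword the link text to match the enable article and fix the capitalization of "Enterprise State Roaming".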
active-directory | Enterprise State Roaming Windows Settings Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-windows-settings-reference.md | For Windows 10 version 1803 or later, Internet Explorer setting group (favorites ## Next steps -For an overview, see [enterprise state roaming overview](enterprise-state-roaming-overview.md). +For an overview, see [enterprise state roaming overview](./enterprise-state-roaming-enable.md). |
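Review bot: Same mismatch as the other two Enterprise State Roaming rows: the "overview" link text now targets `./enterprise-state-roaming-enable.md`; reword the text to reflect the enable article and capitalize "Enterprise State Roaming" consistently.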
active-directory | How To Hybrid Join | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/how-to-hybrid-join.md | Bringing your devices to Azure AD maximizes user productivity through single sig ## Prerequisites - [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594) version 1.1.819.0 or later.- - Don't exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to Azure AD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10). - - If the computer objects of the devices you want to be hybrid Azure AD joined belong to specific organizational units (OUs), configure the correct OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unitΓÇôbased filtering](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering). + - Don't exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to Azure AD, see [Attributes synchronized by Azure AD Connect](../hybrid/connect/reference-connect-sync-attributes-synchronized.md#windows-10). + - If the computer objects of the devices you want to be hybrid Azure AD joined belong to specific organizational units (OUs), configure the correct OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unitΓÇôbased filtering](../hybrid/connect/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering). - Global Administrator credentials for your Azure AD tenant. - Enterprise administrator credentials for each of the on-premises Active Directory Domain Services forests. 
- (**For federated domains**) At least Windows Server 2012 R2 with Active Directory Federation Services installed. Verify devices can access the required Microsoft resources under the system acco ## Managed domains -We think most organizations will deploy hybrid Azure AD join with managed domains. Managed domains use [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md). Managed domain scenarios don't require configuring a federation server. +We think most organizations will deploy hybrid Azure AD join with managed domains. Managed domains use [password hash sync (PHS)](../hybrid/connect/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/connect/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/connect/how-to-connect-sso.md). Managed domain scenarios don't require configuring a federation server. Configure hybrid Azure AD join by using Azure AD Connect for a managed domain: |
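Review bot: the two `+` prerequisite bullets carry `Organizational unitΓÇôbased filtering`, which is the UTF-8 en dash decoded as CP437; since these lines are being rewritten anyway, make sure the file is saved as UTF-8 (or use a plain hyphen, "Organizational unit-based filtering") so the published page does not show the artefact. The `#organizational-unitbased-filtering` fragment lives in the target page and is unaffected by the link text.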
active-directory | Howto Device Identity Virtual Desktop Infrastructure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure.md | Before configuring device identities in Azure AD for your VDI environment, famil <sup>3</sup> A **Federated** identity infrastructure environment represents an environment with an identity provider such as AD FS or other third-party IDP. In a federated identity infrastructure environment, computers follow the [managed device registration flow](device-registration-how-it-works.md#hybrid-azure-ad-joined-in-managed-environments) based on the [AD Service Connection Point (SCP) settings](hybrid-join-manual.md#configure-a-service-connection-point). -<sup>4</sup> A **Managed** identity infrastructure environment represents an environment with Azure AD as the identity provider deployed with either [password hash sync (PHS)](../hybrid/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/how-to-connect-sso.md). +<sup>4</sup> A **Managed** identity infrastructure environment represents an environment with Azure AD as the identity provider deployed with either [password hash sync (PHS)](../hybrid/connect/whatis-phs.md) or [pass-through authentication (PTA)](../hybrid/connect/how-to-connect-pta.md) with [seamless single sign-on](../hybrid/connect/how-to-connect-sso.md). <sup>5</sup> **Non-Persistence support for Windows current** requires other consideration as documented below in guidance section. This scenario requires Windows 10 1803 or newer, Windows Server 2019, or Windows Server (Semi-annual channel) starting version 1803 Before configuring device identities in Azure AD for your VDI environment, famil Administrators should reference the following articles, based on their identity infrastructure, to learn how to configure hybrid Azure AD join. 
-- [Configure hybrid Azure Active Directory join for federated environment](hybrid-azuread-join-federated-domains.md)-- [Configure hybrid Azure Active Directory join for managed environment](hybrid-azuread-join-managed-domains.md)+- [Configure hybrid Azure Active Directory join for federated environment](./how-to-hybrid-join.md) +- [Configure hybrid Azure Active Directory join for managed environment](./how-to-hybrid-join.md) ### Non-persistent VDI We recommend you to implement process for [managing stale devices](manage-stale- ## Next steps -[Configuring hybrid Azure Active Directory join for federated environment](hybrid-azuread-join-federated-domains.md) +[Configuring hybrid Azure Active Directory join for federated environment](./how-to-hybrid-join.md) |
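Review bot: both `+` bullets now resolve to the same file, `./how-to-hybrid-join.md`, yet the list still presents "for federated environment" and "for managed environment" as if they were separate articles; collapse them into one bullet ("Configure hybrid Azure Active Directory join") and apply the same fix to the Next steps `+` line, whose text still says "for federated environment" while linking the consolidated how-to.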
active-directory | Howto Vm Sign In Azure Ad Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md | Another way to verify it is via Graph PowerShell: ## Next steps -For more information about Azure AD, see [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md). +For more information about Azure AD, see [What is Azure Active Directory?](../fundamentals/whatis.md). |
active-directory | Hybrid Join Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-control.md | To do a targeted deployment of hybrid Azure AD join on Windows current devices, 1. Clear the Service Connection Point (SCP) entry from Active Directory (AD) if it exists. 1. Configure client-side registry setting for SCP on your domain-joined computers using a Group Policy Object (GPO). 1. If you're using Active Directory Federation Services (AD FS), you must also configure the client-side registry setting for SCP on your AD FS server using a GPO.-1. You may also need to [customize synchronization options](../hybrid/how-to-connect-post-installation.md#additional-tasks-available-in-azure-ad-connect) in Azure AD Connect to enable device synchronization. +1. You may also need to [customize synchronization options](../hybrid/connect/how-to-connect-post-installation.md#additional-tasks-available-in-azure-ad-connect) in Azure AD Connect to enable device synchronization. ### Clear the SCP from AD When you configure a **Hybrid Azure AD join** task in the Azure AD Connect Sync ## Post validation -After you verify that everything works as expected, you can automatically register the rest of your Windows current and down-level devices with Azure AD. Automate hybrid Azure AD join by [configuring the SCP using Azure AD Connect](hybrid-azuread-join-managed-domains.md#configure-hybrid-azure-ad-join). +After you verify that everything works as expected, you can automatically register the rest of your Windows current and down-level devices with Azure AD. Automate hybrid Azure AD join by [configuring the SCP using Azure AD Connect](./how-to-hybrid-join.md#configure-hybrid-azure-ad-join). ## Next steps |
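Review bot: the Post validation `+` line links to `./how-to-hybrid-join.md#configure-hybrid-azure-ad-join`; confirm a heading that slugifies to that fragment actually exists in the target, because a stale fragment fails silently (the page simply loads at the top) and the same fragment is reused elsewhere in this change set. The Prerequisites `+` line above it is a pure path move and looks fine.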
active-directory | Hybrid Join Manual | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-manual.md | This article covers the manual configuration of requirements for hybrid Azure AD ## Prerequisites - [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594) version 1.1.819.0 or later.- - To get device registration sync join to succeed, as part of the device registration configuration, don't exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to Azure AD, see [Attributes synchronized by Azure AD Connect](../hybrid/reference-connect-sync-attributes-synchronized.md#windows-10). - - If the computer objects of the devices you want to be hybrid Azure AD joined belong to specific organizational units (OUs), configure the correct OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unitΓÇôbased filtering](../hybrid/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering). + - To get device registration sync join to succeed, as part of the device registration configuration, don't exclude the default device attributes from your Azure AD Connect sync configuration. To learn more about default device attributes synced to Azure AD, see [Attributes synchronized by Azure AD Connect](../hybrid/connect/reference-connect-sync-attributes-synchronized.md#windows-10). + - If the computer objects of the devices you want to be hybrid Azure AD joined belong to specific organizational units (OUs), configure the correct OUs to sync in Azure AD Connect. To learn more about how to sync computer objects by using Azure AD Connect, see [Organizational unitΓÇôbased filtering](../hybrid/connect/how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering). - Global Administrator credentials for your Azure AD tenant. 
- Enterprise administrator credentials for each of the on-premises Active Directory Domain Services forests. - (**For federated domains**) Windows Server 2012 R2 with Active Directory Federation Services installed. |
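Review bot: the unchanged federated-domain prerequisite in this hunk reads "Windows Server 2012 R2 with Active Directory Federation Services installed", whereas the corresponding bullet in how-to-hybrid-join.md reads "At least Windows Server 2012 R2"; since this change is already harmonising the two prerequisite lists, align the wording so the two articles do not state different minimum versions for the AD FS host.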
active-directory | Hybrid Join Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-plan.md | If your Windows 10 or newer domain joined devices are [Azure AD registered](conc To register devices as hybrid Azure AD join to respective tenants, organizations need to ensure that the Service Connection Points (SCP) configuration is done on the devices and not in AD. More details on how to accomplish this task can be found in the article [Hybrid Azure AD join targeted deployment](hybrid-join-control.md). It's important for organizations to understand that certain Azure AD capabilities won't work in a single forest, multiple Azure AD tenants configurations. -- [Device writeback](../hybrid/how-to-connect-device-writeback.md) won't work. This configuration affects [Device based Conditional Access for on-premises apps that are federated using ADFS](/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises). This configuration also affects [Windows Hello for Business deployment when using the Hybrid Cert Trust model](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust).-- [Groups writeback](../hybrid/how-to-connect-group-writeback.md) won't work. This configuration affects writeback of Office 365 Groups to a forest with Exchange installed.-- [Seamless SSO](../hybrid/how-to-connect-sso.md) won't work. This configuration affects SSO scenarios that organizations may be using on cross OS or browser platforms, for example iOS or Linux with Firefox, Safari, or Chrome without the Windows 10 extension.-- [Hybrid Azure AD join for Windows down-level devices in managed environment](./hybrid-azuread-join-managed-domains.md#enable-windows-down-level-devices) won't work. 
For example, hybrid Azure AD join on Windows Server 2012 R2 in a managed environment requires Seamless SSO and since Seamless SSO won't work, hybrid Azure AD join for such a setup won't work.+- [Device writeback](../hybrid/connect/how-to-connect-device-writeback.md) won't work. This configuration affects [Device based Conditional Access for on-premises apps that are federated using ADFS](/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises). This configuration also affects [Windows Hello for Business deployment when using the Hybrid Cert Trust model](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust). +- [Groups writeback](../hybrid/connect/how-to-connect-group-writeback-v2.md) won't work. This configuration affects writeback of Office 365 Groups to a forest with Exchange installed. +- [Seamless SSO](../hybrid/connect/how-to-connect-sso.md) won't work. This configuration affects SSO scenarios that organizations may be using on cross OS or browser platforms, for example iOS or Linux with Firefox, Safari, or Chrome without the Windows 10 extension. +- [Hybrid Azure AD join for Windows down-level devices in managed environment](./how-to-hybrid-join-downlevel.md) won't work. For example, hybrid Azure AD join on Windows Server 2012 R2 in a managed environment requires Seamless SSO and since Seamless SSO won't work, hybrid Azure AD join for such a setup won't work. - [On-premises Azure AD Password Protection](../authentication/concept-password-ban-bad-on-premises.md) won't work. This configuration affects the ability to do password changes and password reset events against on-premises Active Directory Domain Services (AD DS) domain controllers using the same global and custom banned password lists that are stored in Azure AD. 
### Other considerations Hybrid Azure AD join works with both, managed and federated environments dependi ### Managed environment -A managed environment can be deployed either through [Password Hash Sync (PHS)](../hybrid/whatis-phs.md) or [Pass Through Authentication (PTA)](../hybrid/how-to-connect-pta.md) with [Seamless Single Sign On](../hybrid/how-to-connect-sso.md). +A managed environment can be deployed either through [Password Hash Sync (PHS)](../hybrid/connect/whatis-phs.md) or [Pass Through Authentication (PTA)](../hybrid/connect/how-to-connect-pta.md) with [Seamless Single Sign On](../hybrid/connect/how-to-connect-sso.md). These scenarios don't require you to configure a federation server for authentication. > [!NOTE]-> [Cloud authentication using Staged rollout](../hybrid/how-to-connect-staged-rollout.md) is only supported starting at the Windows 10 1903 update. +> [Cloud authentication using Staged rollout](../hybrid/connect/how-to-connect-staged-rollout.md) is only supported starting at the Windows 10 1903 update. ### Federated environment Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to ## Review on-premises AD users UPN support for hybrid Azure AD join -Sometimes, on-premises AD users UPNs are different from your Azure AD UPNs. In these cases, Windows 10 or newer hybrid Azure AD join provides limited support for on-premises AD UPNs based on the [authentication method](../hybrid/choose-ad-authn.md), domain type, and Windows version. There are two types of on-premises AD UPNs that can exist in your environment: +Sometimes, on-premises AD users UPNs are different from your Azure AD UPNs. In these cases, Windows 10 or newer hybrid Azure AD join provides limited support for on-premises AD UPNs based on the [authentication method](../hybrid/connect/choose-ad-authn.md), domain type, and Windows version. 
There are two types of on-premises AD UPNs that can exist in your environment: - Routable users UPN: A routable UPN has a valid verified domain that is registered with a domain registrar. For example, if contoso.com is the primary domain in Azure AD, contoso.org is the primary domain in on-premises AD owned by Contoso and [verified in Azure AD](../fundamentals/add-custom-domain.md). - Non-routable users UPN: A non-routable UPN doesn't have a verified domain and is applicable only within your organization's private network. For example, if contoso.com is the primary domain in Azure AD and contoso.local is the primary domain in on-premises AD but isn't a verifiable domain in the internet and only used within Contoso's network. |
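Review bot: the groups writeback `+` bullet changes its target from `how-to-connect-group-writeback.md` to `how-to-connect-group-writeback-v2.md`, which is a content change rather than the path move the rest of the hunk performs; confirm the v2 article still documents the limitation the bullet cites (writeback of Office 365 Groups to a forest with Exchange installed), otherwise the claim loses its supporting reference. Two smaller nits in the later `+` lines: "on-premises AD users UPNs" should be the possessive "users' UPNs", and "Pass Through Authentication" is spelled "pass-through authentication" in the other articles touched by this change.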
active-directory | Manage Device Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md | This option is a premium edition capability available through products like Azur - **Restrict non-admin users from recovering the BitLocker key(s) for their owned devices**: Admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices. You must be a Global Administrator or Privileged Role Administrator to update this setting. -- **Enterprise State Roaming**: For information about this setting, see [the overview article](enterprise-state-roaming-overview.md).+- **Enterprise State Roaming**: For information about this setting, see [the overview article](./enterprise-state-roaming-enable.md). ## Audit logs |
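Review bot: the `+` line keeps the link text "the overview article" while the target is now `./enterprise-state-roaming-enable.md`; rename the link so the text describes the destination, for example "see [Enable Enterprise State Roaming](./enterprise-state-roaming-enable.md)".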
active-directory | Manage Stale Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md | Because a stale device is defined as a registered device that hasn't been used t The evaluation of the activity timestamp is triggered by an authentication attempt of a device. Azure AD evaluates the activity timestamp when: -- A Conditional Access policies requiring [managed devices](../conditional-access/require-managed-devices.md) or [approved client apps](../conditional-access/app-based-conditional-access.md) has been triggered.+- A Conditional Access policies requiring [managed devices](../conditional-access/concept-conditional-access-grant.md) or [approved client apps](../conditional-access/howto-policy-approved-app-or-app-protection.md) has been triggered. - Windows 10 or newer devices that are either Azure AD joined or hybrid Azure AD joined are active on the network. - Intune managed devices have checked in to the service. |
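Review bot: the `+` bullet carries forward a grammatical error: "A Conditional Access policies requiring ... has been triggered" should read "A Conditional Access policy requiring ... has been triggered". Also worth a second look: "managed devices" now points at `concept-conditional-access-grant.md`, a generic grant-controls concept page, where the old `require-managed-devices.md` was device-specific; if a device-focused target still exists it would serve this timestamp-evaluation trigger better.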
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/overview.md | There are three ways to get a device identity: - Azure AD join - Hybrid Azure AD join -Device identities are a prerequisite for scenarios like [device-based Conditional Access policies](../conditional-access/require-managed-devices.md) and [Mobile Device Management with the Microsoft Intune family of products](/mem/endpoint-manager-overview). +Device identities are a prerequisite for scenarios like [device-based Conditional Access policies](../conditional-access/concept-conditional-access-grant.md) and [Mobile Device Management with the Microsoft Intune family of products](/mem/endpoint-manager-overview). ## Modern device scenario Getting devices in to Azure AD can be done in a self-service manner or a control - Learn more about [Azure AD joined devices](concept-directory-join.md) - Learn more about [hybrid Azure AD joined devices](concept-hybrid-join.md) - To get an overview of how to manage device identities in the Azure portal, see [Managing device identities using the Azure portal](manage-device-identities.md).-- To learn more about device-based Conditional Access, see [Configure Azure Active Directory device-based Conditional Access policies](../conditional-access/require-managed-devices.md).+- To learn more about device-based Conditional Access, see [Configure Azure Active Directory device-based Conditional Access policies](../conditional-access/concept-conditional-access-grant.md). |
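Review bot: the Next steps `+` line keeps the title "Configure Azure Active Directory device-based Conditional Access policies" but now links `concept-conditional-access-grant.md`, a concept article rather than a configuration how-to; retitle the link to match the target. While here, "Getting devices in to Azure AD" should read "into".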
active-directory | Plan Device Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/plan-device-deployment.md | The key benefits of giving your devices an Azure AD identity: > [!VIDEO https://www.youtube-nocookie.com/embed/NcONUf-jeS4] -* Improve user experience ΓÇô Provide your users with easy access to your organizationΓÇÖs cloud-based resources from both personal and corporate devices. Administrators can enable [Enterprise State Roaming](enterprise-state-roaming-overview.md) for a unified experience across all Windows devices. +* Improve user experience ΓÇô Provide your users with easy access to your organizationΓÇÖs cloud-based resources from both personal and corporate devices. Administrators can enable [Enterprise State Roaming](./enterprise-state-roaming-enable.md) for a unified experience across all Windows devices. * Simplify deployment and management ΓÇô Simplify the process of bringing devices to Azure AD with [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot), [bulk provisioning](/mem/intune/enrollment/windows-bulk-enroll), or [self-service: Out of Box Experience (OOBE)](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973). Manage devices with Mobile Device Management (MDM) tools like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), and their identities in the [Azure portal](https://portal.azure.com/). Consider your organizational needs while you determine the strategy for this dep ### Engage the right stakeholders -When technology projects fail, they typically do because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders,](../fundamentals/deployment-plans.md) and that stakeholder roles in the project are well understood. 
+When technology projects fail, they typically do because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders,](../architecture/deployment-plans.md) and that stakeholder roles in the project are well understood. For this plan, add the following stakeholders to your list: Communication is critical to the success of any new service. Proactively communi ### Plan a pilot -We recommend that the initial configuration of your integration method is in a test environment, or with a small group of test devices. See [Best practices for a pilot](../fundamentals/deployment-plans.md). +We recommend that the initial configuration of your integration method is in a test environment, or with a small group of test devices. See [Best practices for a pilot](../architecture/deployment-plans.md). You may want to do a [targeted deployment of hybrid Azure AD join](hybrid-join-control.md) before enabling it across the entire organization. Conditional Access <br>(Require hybrid Azure AD joined devices) | | | ![Checkmar Registered devices are often managed with [Microsoft Intune](/mem/intune/enrollment/device-enrollment). Devices are enrolled in Intune in several ways, depending on the operating system. -Azure AD registered devices provide support for Bring Your Own Devices (BYOD) and corporate owned devices to SSO to cloud resources. Access to resources is based on the Azure AD [Conditional Access policies](../conditional-access/require-managed-devices.md) applied to the device and the user. +Azure AD registered devices provide support for Bring Your Own Devices (BYOD) and corporate owned devices to SSO to cloud resources. Access to resources is based on the Azure AD [Conditional Access policies](../conditional-access/concept-conditional-access-grant.md) applied to the device and the user. ### Registering devices |
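Review bot: the stakeholders `+` line "When technology projects fail, they typically do because of mismatched expectations" is missing "so" ("they typically do so because of"); and the "Improve user experience" `+` bullet above it still contains `ΓÇô` and `organizationΓÇÖs`, the mis-encoded en dash and apostrophe, so check that the file is written as UTF-8 before merging. The `../architecture/deployment-plans.md` and `concept-conditional-access-grant.md` path moves themselves look correct.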
active-directory | Troubleshoot Hybrid Join Windows Current | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md | To troubleshoot other Windows clients, see [Troubleshoot hybrid Azure AD-joined This article assumes that you have [configured hybrid Azure AD-joined devices](hybrid-join-plan.md) to support the following scenarios: - Device-based Conditional Access-- [Enterprise state roaming](./enterprise-state-roaming-overview.md)+- [Enterprise state roaming](./enterprise-state-roaming-enable.md) - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) Possible reasons for failure: - The service connection point object is misconfigured or can't be read from the domain controller. - A valid service connection point object is required in the AD forest, to which the device belongs, that points to a verified domain name in Azure AD.- - For more information, see the "Configure a service connection point" section of [Tutorial: Configure hybrid Azure Active Directory join for federated domains](hybrid-azuread-join-federated-domains.md#configure-hybrid-azure-ad-join). + - For more information, see the "Configure a service connection point" section of [Tutorial: Configure hybrid Azure Active Directory join for federated domains](./how-to-hybrid-join.md#configure-hybrid-azure-ad-join). - Failure to connect to and fetch the discovery metadata from the discovery endpoint. - The device should be able to access `https://enterpriseregistration.windows.net`, in the system context, to discover the registration and authorization endpoints. - If the on-premises environment requires an outbound proxy, the IT admin must ensure that the computer account of the device can discover and silently authenticate to the outbound proxy. 
Possible reasons for failure: | | | | | **DSREG_AUTOJOIN_ADCONFIG_READ_FAILED** (0x801c001d/-2145648611) | Unable to read the service connection point (SCP) object and get the Azure AD tenant information. | Refer to the [Configure a service connection point](hybrid-join-manual.md#configure-a-service-connection-point) section. | | **DSREG_AUTOJOIN_DISC_FAILED** (0x801c0021/-2145648607) | Generic discovery failure. Failed to get the discovery metadata from the data replication service (DRS). | To investigate further, find the sub-error in the next sections. |-| **DSREG_AUTOJOIN_DISC_WAIT_TIMEOUT** (0x801c001f/-2145648609) | Operation timed out while performing discovery. | Ensure that `https://enterpriseregistration.windows.net` is accessible in the system context. For more information, see the [Network connectivity requirements](hybrid-azuread-join-managed-domains.md#prerequisites) section. | +| **DSREG_AUTOJOIN_DISC_WAIT_TIMEOUT** (0x801c001f/-2145648609) | Operation timed out while performing discovery. | Ensure that `https://enterpriseregistration.windows.net` is accessible in the system context. For more information, see the [Network connectivity requirements](./how-to-hybrid-join.md#prerequisites) section. | | **DSREG_AUTOJOIN_USERREALM_DISCOVERY_FAILED** (0x801c003d/-2145648579) | Generic realm discovery failure. Failed to determine domain type (managed/federated) from STS. | To investigate further, find the sub-error in the next sections. | | | | Use Event Viewer logs to look for the phase and error code for the join failures | Error code | Reason | Resolution | | | | |-| **WININET_E_CANNOT_CONNECT** (0x80072efd/-2147012867) | Connection with the server couldn't be established. | Ensure network connectivity to the required Microsoft resources. For more information, see [Network connectivity requirements](hybrid-azuread-join-managed-domains.md#prerequisites). | -| **WININET_E_TIMEOUT** (0x80072ee2/-2147012894) | General network timeout. 
| Ensure network connectivity to the required Microsoft resources. For more information, see [Network connectivity requirements](hybrid-azuread-join-managed-domains.md#prerequisites). | +| **WININET_E_CANNOT_CONNECT** (0x80072efd/-2147012867) | Connection with the server couldn't be established. | Ensure network connectivity to the required Microsoft resources. For more information, see [Network connectivity requirements](./how-to-hybrid-join.md#prerequisites). | +| **WININET_E_TIMEOUT** (0x80072ee2/-2147012894) | General network timeout. | Ensure network connectivity to the required Microsoft resources. For more information, see [Network connectivity requirements](./how-to-hybrid-join.md#prerequisites). | | **WININET_E_DECODING_FAILED** (0x80072f8f/-2147012721) | Network stack was unable to decode the response from the server. | Ensure that the network proxy isn't interfering and modifying the server response. | | | | Use Event Viewer logs to locate the error code, sub-error code, server error cod | Error code | Reason | Resolution | | | | |-| **ERROR_ADAL_INTERNET_TIMEOUT** (0xcaa82ee2/-894947614) | General network timeout. | Ensure that `https://login.microsoftonline.com` is accessible in the system context. Ensure that the on-premises identity provider is accessible in the system context. For more information, see [Network connectivity requirements](hybrid-azuread-join-managed-domains.md#prerequisites). | +| **ERROR_ADAL_INTERNET_TIMEOUT** (0xcaa82ee2/-894947614) | General network timeout. | Ensure that `https://login.microsoftonline.com` is accessible in the system context. Ensure that the on-premises identity provider is accessible in the system context. For more information, see [Network connectivity requirements](./how-to-hybrid-join.md#prerequisites). | | **ERROR_ADAL_INTERNET_CONNECTION_ABORTED** (0xcaa82efe/-894947586) | Connection with the authorization endpoint was aborted. 
| Retry the join after a while, or try joining from another stable network location. | | **ERROR_ADAL_INTERNET_SECURE_FAILURE** (0xcaa82f8f/-894947441) | The Transport Layer Security (TLS) certificate (previously known as the Secure Sockets Layer [SSL] certificate) sent by the server couldn't be validated. | Check the client time skew. Retry the join after a while, or try joining from another stable network location. | | **ERROR_ADAL_INTERNET_CANNOT_CONNECT** (0xcaa82efd/-894947587) | The attempt to connect to `https://login.microsoftonline.com` failed. | Check the network connection to `https://login.microsoftonline.com`. | |
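Review bot: the service connection point `+` line keeps the link text "Tutorial: Configure hybrid Azure Active Directory join for federated domains" while its target is the consolidated `./how-to-hybrid-join.md`, so retitle it; and every "Network connectivity requirements" link in the resolution column now resolves to `#prerequisites`, so confirm that the required endpoints (`https://enterpriseregistration.windows.net`, `https://login.microsoftonline.com`) are actually listed under Prerequisites in that article, otherwise link the section that does list them.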
active-directory | Troubleshoot Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-primary-refresh-token.md | The following procedure describes how to capture traces by using the [Time Trave [server-errors]: #common-server-error-codes-aadsts-prefix [view-event-ids]: #method-2-use-event-viewer-to-examine-azure-ad-analytic-and-operational-logs [alt-login-id]: /windows-server/identity/ad-fs/operations/configuring-alternate-login-id-[hybrid-azure-ad-join-plan]: ./hybrid-azuread-join-plan.md +[hybrid-azure-ad-join-plan]: ./hybrid-join-plan.md |
active-directory | Directory Overview User Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-overview-user-model.md | -This article introduces and administrator for Azure Active Directory (Azure AD), part of Microsoft Entra, to the relationship between top [identity management](../fundamentals/active-directory-whatis.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) tasks for users in terms of their groups, licenses, deployed enterprise apps, and administrator roles. As your organization grows, you can use Azure AD groups and administrator roles to: +This article introduces and administrator for Azure Active Directory (Azure AD), part of Microsoft Entra, to the relationship between top [identity management](../fundamentals/whatis.md?context=azure/active-directory/users-groups-roles/context/ugr-context) tasks for users in terms of their groups, licenses, deployed enterprise apps, and administrator roles. As your organization grows, you can use Azure AD groups and administrator roles to: * Assign licenses to groups instead of assigning licenses to individual users. * Grant permissions to delegate Azure AD management work to personnel in less-privileged roles. You can use [dynamic groups](groups-create-rule.md) in Azure AD to expand and co ## Assign licenses to groups -Managing user license assignments individually is time consuming and error prone. If you [assign licenses to groups](../fundamentals/license-users-groups.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) instead, you experience easier large-scale license management. +Managing user license assignments individually is time consuming and error prone. If you [assign licenses to groups](../fundamentals/license-users-groups.md?context=azure/active-directory/users-groups-roles/context/ugr-context) instead, you experience easier large-scale license management. 
Azure AD users who join a licensed group are automatically assigned the appropriate licenses. When users leave the group, Azure AD removes their license assignments. Without Azure AD groups, you'd have to write a PowerShell script or use Graph API to bulk add or remove user licenses for users joining or leaving the organization. New Azure AD administrator roles are being added. Check the Azure portal or the ## Assign app access -You can use Azure AD to assign group access to [enterprise apps deployed in your Azure AD organization](../manage-apps/assign-user-or-group-access-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). If you combine dynamic groups with group assignment to apps, you can automate user app access assignments as your organization grows. You'll need an Azure Active Directory Premium P1 or Premium P2 license to assign access to enterprise apps. +You can use Azure AD to assign group access to [enterprise apps deployed in your Azure AD organization](../manage-apps/assign-user-or-group-access-portal.md?context=azure/active-directory/users-groups-roles/context/ugr-context). If you combine dynamic groups with group assignment to apps, you can automate user app access assignments as your organization grows. You'll need an Azure Active Directory Premium P1 or Premium P2 license to assign access to enterprise apps. Azure AD also gives you granular control of the data that flows between the app and the groups to whom you assign access. In [Enterprise Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps), open an app and select **Provisioning** to: Azure AD also gives you granular control of the data that flows between the app If you're a beginning Azure AD administrator, get the basics down in [Azure Active Directory Fundamentals](../fundamentals/index.yml). 
-Or you can start [creating groups](../fundamentals/active-directory-groups-create-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context), [assigning licenses](../fundamentals/license-users-groups.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context), [assigning app access](../manage-apps/assign-user-or-group-access-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) or [assigning administrator roles](../roles/permissions-reference.md). +Or you can start [creating groups](../fundamentals/how-to-manage-groups.md?context=azure/active-directory/users-groups-roles/context/ugr-context), [assigning licenses](../fundamentals/license-users-groups.md?context=azure/active-directory/users-groups-roles/context/ugr-context), [assigning app access](../manage-apps/assign-user-or-group-access-portal.md?context=azure/active-directory/users-groups-roles/context/ugr-context) or [assigning administrator roles](../roles/permissions-reference.md). |
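Review bot: the first + line of this hunk carries over the typo "introduces and administrator" from the - line; since the line is already being rewritten for the new whatis.md path, change it to "introduces an administrator for Azure Active Directory (Azure AD)". The link retargets themselves look consistent with the rest of the hunk (unencoded `context=azure/active-directory/...` query strings throughout).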
active-directory | Directory Service Limits Restrictions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-service-limits-restrictions.md | This article contains the usage constraints and other service limits for the Azu ## Next steps * [Sign up for Azure as an organization](../fundamentals/sign-up-organization.md)-* [How Azure subscriptions are associated with Azure AD](../fundamentals/active-directory-how-subscriptions-associated-directory.md) +* [How Azure subscriptions are associated with Azure AD](../fundamentals/how-subscriptions-associated-directory.md) |
active-directory | Groups Assign Sensitivity Labels | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md | If you must make a change, use an [Azure AD PowerShell script](https://github.co - [Use sensitivity labels with Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites) - [Update groups after label policy change manually with Azure AD PowerShell script](https://github.com/microsoftgraph/powershell-aad-samples/blob/master/ReassignSensitivityLabelToO365Groups.ps1)-- [Edit your group settings](../fundamentals/active-directory-groups-settings-azure-portal.md)+- [Edit your group settings](../fundamentals/how-to-manage-groups.md) - [Manage groups using PowerShell commands](../enterprise-users/groups-settings-v2-cmdlets.md) |
active-directory | Groups Change Type | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-change-type.md | ConvertStaticGroupToDynamic "a58913b2-eee4-44f9-beb2-e381c375058f" "user.display These articles provide additional information on groups in Azure Active Directory. -* [See existing groups](../fundamentals/active-directory-groups-view-azure-portal.md) -* [Create a new group and adding members](../fundamentals/active-directory-groups-create-azure-portal.md) -* [Manage settings of a group](../fundamentals/active-directory-groups-settings-azure-portal.md) -* [Manage memberships of a group](../fundamentals/active-directory-groups-membership-azure-portal.md) +* [See existing groups](../fundamentals/groups-view-azure-portal.md) +* [Create a new group and adding members](../fundamentals/how-to-manage-groups.md) +* [Manage settings of a group](../fundamentals/how-to-manage-groups.md) +* [Manage memberships of a group](../fundamentals/how-to-manage-groups.md) * [Manage dynamic rules for users in a group](groups-dynamic-membership.md) |
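Review bot: after the retarget, three of the four + entries ("Create a new group and adding members", "Manage settings of a group", "Manage memberships of a group") all point at ../fundamentals/how-to-manage-groups.md, so the Next steps list shows the same page three times under different titles; collapse them into one entry such as "Manage groups" or differentiate with anchors. While the line is touched, "and adding members" should read "and add members".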
active-directory | Groups Create Rule | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-create-rule.md | If an error occurs while processing the membership rule for a specific group, an The following articles provide additional information on how to use groups in Azure Active Directory. -- [See existing groups](../fundamentals/active-directory-groups-view-azure-portal.md)-- [Create a new group and adding members](../fundamentals/active-directory-groups-create-azure-portal.md)-- [Manage settings of a group](../fundamentals/active-directory-groups-settings-azure-portal.md)-- [Manage memberships of a group](../fundamentals/active-directory-groups-membership-azure-portal.md)+- [See existing groups](../fundamentals/groups-view-azure-portal.md) +- [Create a new group and adding members](../fundamentals/how-to-manage-groups.md) +- [Manage settings of a group](../fundamentals/how-to-manage-groups.md) +- [Manage memberships of a group](../fundamentals/how-to-manage-groups.md) - [Manage dynamic rules for users in a group](groups-dynamic-membership.md) |
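Review bot: the + lines send "Create a new group and adding members", "Manage settings of a group" and "Manage memberships of a group" to a single target (how-to-manage-groups.md), leaving three duplicate links in this list; one consolidated entry would be clearer. The link text "Create a new group and adding members" also mixes verb forms and should be "Create a new group and add members".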
active-directory | Groups Dynamic Membership | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-membership.md | Extension attributes and custom extension properties are supported as string pro (user.extensionAttribute15 -eq "Marketing") ``` -[Custom extension properties](../hybrid/how-to-connect-sync-feature-directory-extensions.md) can be synced from on-premises Windows Server Active Directory, from a connected SaaS application, or created using Microsoft Graph, and are of the format of `user.extension_[GUID]_[Attribute]`, where: +[Custom extension properties](../hybrid/connect/how-to-connect-sync-feature-directory-extensions.md) can be synced from on-premises Windows Server Active Directory, from a connected SaaS application, or created using Microsoft Graph, and are of the format of `user.extension_[GUID]_[Attribute]`, where: - [GUID] is the stripped version of the unique identifier in Azure AD for the application that created the property. It contains only characters 0-9 and A-Z - [Attribute] is the name of the property as it was created Custom extension properties are also called directory or Azure AD extension prop The custom property name can be found in the directory by querying a user's property using Graph Explorer and searching for the property name. Also, you can now select **Get custom extension properties** link in the dynamic user group rule builder to enter a unique app ID and receive the full list of custom extension properties to use when creating a dynamic membership rule. This list can also be refreshed to get any new custom extension properties for that app. Extension attributes and custom extension properties must be from applications in your tenant. 
-For more information, see [Use the attributes in dynamic groups](../hybrid/how-to-connect-sync-feature-directory-extensions.md#use-the-attributes-in-dynamic-groups) in the article [Azure AD Connect sync: Directory extensions](../hybrid/how-to-connect-sync-feature-directory-extensions.md). +For more information, see [Use the attributes in dynamic groups](../hybrid/connect/how-to-connect-sync-feature-directory-extensions.md#use-the-attributes-in-dynamic-groups) in the article [Azure AD Connect sync: Directory extensions](../hybrid/connect/how-to-connect-sync-feature-directory-extensions.md). ## Rules for devices The following device attributes can be used. These articles provide additional information on groups in Azure Active Directory. -- [See existing groups](../fundamentals/active-directory-groups-view-azure-portal.md)-- [Create a new group and adding members](../fundamentals/active-directory-groups-create-azure-portal.md)-- [Manage settings of a group](../fundamentals/active-directory-groups-settings-azure-portal.md)-- [Manage memberships of a group](../fundamentals/active-directory-groups-membership-azure-portal.md)+- [See existing groups](../fundamentals/groups-view-azure-portal.md) +- [Create a new group and adding members](../fundamentals/how-to-manage-groups.md) +- [Manage settings of a group](../fundamentals/how-to-manage-groups.md) +- [Manage memberships of a group](../fundamentals/how-to-manage-groups.md) - [Manage dynamic rules for users in a group](groups-create-rule.md) |
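Review bot: the directory-extensions retargets in the first part of this hunk are consistent (both the section anchor link and the article link move to ../hybrid/connect/), but in the Next steps part the + lines again point "Create a new group and adding members", "Manage settings of a group" and "Manage memberships of a group" at the same how-to-manage-groups.md page; a single entry for that page avoids the triplicate, and "and adding members" should be "and add members".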
active-directory | Groups Dynamic Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-dynamic-tutorial.md | In this tutorial, you learned how to: Advance to the next article to learn more group-based licensing basics > [!div class="nextstepaction"]-> [Group licensing basics](../fundamentals/active-directory-licensing-whatis-azure-portal.md) +> [Group licensing basics](../fundamentals/licensing-whatis-azure-portal.md) |
active-directory | Groups Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-lifecycle.md | The following cmdlets can be used to configure the policy in more detail. For mo These articles provide additional information on Azure AD groups. -- [See existing groups](../fundamentals/active-directory-groups-view-azure-portal.md)-- [Manage settings of a group](../fundamentals/active-directory-groups-settings-azure-portal.md)-- [Manage members of a group](../fundamentals/active-directory-groups-members-azure-portal.md)-- [Manage memberships of a group](../fundamentals/active-directory-groups-membership-azure-portal.md)+- [See existing groups](../fundamentals/groups-view-azure-portal.md) +- [Manage settings of a group](../fundamentals/how-to-manage-groups.md) +- [Manage members of a group](../fundamentals/how-to-manage-groups.md) +- [Manage memberships of a group](../fundamentals/how-to-manage-groups.md) - [Manage dynamic rules for users in a group](groups-dynamic-membership.md) |
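Review bot: in the + lines, "Manage settings of a group", "Manage members of a group" and "Manage memberships of a group" now all resolve to ../fundamentals/how-to-manage-groups.md, so readers get three links with different titles to one page; merge them into one entry or point each at a distinct section anchor of how-to-manage-groups.md.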
active-directory | Groups Members Owners Search | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-members-owners-search.md | The group **Overview** page provides member counts for groups. You can see the t These articles provide additional information on working with groups in Azure AD. -- [View your groups and members](../fundamentals/active-directory-groups-view-azure-portal.md)-- [Manage group membership](../fundamentals/active-directory-groups-membership-azure-portal.md)+- [View your groups and members](../fundamentals/groups-view-azure-portal.md) +- [Manage group membership](../fundamentals/how-to-manage-groups.md) - [Manage dynamic rules for users in a group](groups-create-rule.md)-- [Edit your group settings](../fundamentals/active-directory-groups-settings-azure-portal.md)-- [Manage access to resources using groups](../fundamentals/active-directory-manage-groups.md)+- [Edit your group settings](../fundamentals/how-to-manage-groups.md) +- [Manage access to resources using groups](../fundamentals/concept-learn-about-groups.md) - [Manage access to SaaS apps using groups](groups-saasapps.md) - [Manage groups using PowerShell commands](../enterprise-users/groups-settings-v2-cmdlets.md)-- [Add an Azure subscription to Azure Active Directory](../fundamentals/active-directory-how-subscriptions-associated-directory.md)+- [Add an Azure subscription to Azure Active Directory](../fundamentals/how-subscriptions-associated-directory.md) |
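Review bot: "Manage group membership" and "Edit your group settings" are both retargeted to ../fundamentals/how-to-manage-groups.md in the + lines, which leaves two entries for one page in this list; either merge them or add distinct section anchors. The remaining retargets (groups-view-azure-portal.md, concept-learn-about-groups.md, how-subscriptions-associated-directory.md) each keep a one-to-one mapping and look fine.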
active-directory | Groups Naming Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-naming-policy.md | Microsoft 365 admin center | Microsoft 365 admin center is compliant with naming These articles provide additional information on Azure AD groups. -- [See existing groups](../fundamentals/active-directory-groups-view-azure-portal.md)+- [See existing groups](../fundamentals/groups-view-azure-portal.md) - [Expiration policy for Microsoft 365 groups](groups-lifecycle.md)-- [Manage settings of a group](../fundamentals/active-directory-groups-settings-azure-portal.md)-- [Manage members of a group](../fundamentals/active-directory-groups-members-azure-portal.md)-- [Manage memberships of a group](../fundamentals/active-directory-groups-membership-azure-portal.md)+- [Manage settings of a group](../fundamentals/how-to-manage-groups.md) +- [Manage members of a group](../fundamentals/how-to-manage-groups.md) +- [Manage memberships of a group](../fundamentals/how-to-manage-groups.md) - [Manage dynamic rules for users in a group](groups-dynamic-membership.md) |
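Review bot: the three + entries "Manage settings of a group", "Manage members of a group" and "Manage memberships of a group" all link to how-to-manage-groups.md, so this Next steps list repeats one target three times; consider a single "Manage groups" entry, keeping the separate groups-view-azure-portal.md and groups-lifecycle.md links as they are.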
active-directory | Groups Restore Deleted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-restore-deleted.md | To verify that youΓÇÖve successfully restored a Microsoft 365 group, run the `Ge These articles provide additional information on Azure Active Directory groups. -* [See existing groups](../fundamentals/active-directory-groups-view-azure-portal.md) -* [Manage settings of a group](../fundamentals/active-directory-groups-settings-azure-portal.md) -* [Manage members of a group](../fundamentals/active-directory-groups-members-azure-portal.md) -* [Manage memberships of a group](../fundamentals/active-directory-groups-membership-azure-portal.md) +* [See existing groups](../fundamentals/groups-view-azure-portal.md) +* [Manage settings of a group](../fundamentals/how-to-manage-groups.md) +* [Manage members of a group](../fundamentals/how-to-manage-groups.md) +* [Manage memberships of a group](../fundamentals/how-to-manage-groups.md) * [Manage dynamic rules for users in a group](groups-dynamic-membership.md) |
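Review bot: same duplicate-target issue in the + lines here: settings, members and memberships of a group all map to ../fundamentals/how-to-manage-groups.md, producing three identical links with different titles; collapse them to one entry unless the target page has distinct anchors to point at.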
active-directory | Groups Saasapps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-saasapps.md | Using Azure Active Directory (Azure AD), part of Microsoft Entra, with an Azure ## Next steps These articles provide additional information on Azure Active Directory. -* [Managing access to resources with Azure Active Directory groups](../fundamentals/active-directory-manage-groups.md) +* [Managing access to resources with Azure Active Directory groups](../fundamentals/concept-learn-about-groups.md) * [Application Management in Azure Active Directory](../manage-apps/what-is-application-management.md) * [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md)-* [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md) +* [What is Azure Active Directory?](../fundamentals/whatis.md) * [Integrating your on-premises identities with Azure Active Directory](../hybrid/whatis-hybrid-identity.md) |
active-directory | Groups Self Service Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-self-service-management.md | To configure the _Users can create security groups in Azure portals, API or Powe These articles provide additional information on Azure Active Directory. -* [Manage access to resources with Azure Active Directory groups](../fundamentals/active-directory-manage-groups.md) +* [Manage access to resources with Azure Active Directory groups](../fundamentals/concept-learn-about-groups.md) * [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md) * [Application Management in Azure Active Directory](../manage-apps/what-is-application-management.md)-* [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md) +* [What is Azure Active Directory?](../fundamentals/whatis.md) * [Integrate your on-premises identities with Azure Active Directory](../hybrid/whatis-hybrid-identity.md) |
active-directory | Groups Settings Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-cmdlets.md | To configure and manage group settings using Microsoft Graph, see the [groupSett ## Additional reading -* [Managing access to resources with Azure Active Directory groups](../fundamentals/active-directory-manage-groups.md) +* [Managing access to resources with Azure Active Directory groups](../fundamentals/concept-learn-about-groups.md) * [Integrating your on-premises identities with Azure Active Directory](../hybrid/whatis-hybrid-identity.md) |
active-directory | Groups Settings V2 Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-v2-cmdlets.md | -> - [Azure portal](../fundamentals/active-directory-groups-create-azure-portal.md?context=azure/active-directory/users-groups-roles/context/ugr-context) +> - [Azure portal](../fundamentals/how-to-manage-groups.md?context=azure/active-directory/users-groups-roles/context/ugr-context) > - [PowerShell](../enterprise-users/groups-settings-v2-cmdlets.md) > > Today, many groups are still managed in on-premises Active Directory. To answer Microsoft 365 groups are created and managed in the cloud. The writeback capability allows you to write back Microsoft 365 groups as distribution groups to an Active Directory forest with Exchange installed. Users with on-premises Exchange mailboxes can then send and receive emails from these groups. The group writeback feature doesn't support Azure AD security groups or distribution groups. -For more details, please refer to documentation for the [Azure AD Connect sync service](../hybrid/how-to-connect-syncservice-features.md). +For more details, please refer to documentation for the [Azure AD Connect sync service](../hybrid/connect/how-to-connect-syncservice-features.md). Microsoft 365 group writeback is a public preview feature of Azure Active Directory (Azure AD) and is available with any paid Azure AD license plan. For some legal information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft 365 group writeback is a public preview feature of Azure Active Direct You can find more Azure Active Directory PowerShell documentation at [Azure Active Directory Cmdlets](/powershell/azure/active-directory/install-adv2). 
-* [Managing access to resources with Azure Active Directory groups](../fundamentals/active-directory-manage-groups.md?context=azure/active-directory/users-groups-roles/context/ugr-context) +* [Managing access to resources with Azure Active Directory groups](../fundamentals/concept-learn-about-groups.md?context=azure/active-directory/users-groups-roles/context/ugr-context) * [Integrating your on-premises identities with Azure Active Directory](../hybrid/whatis-hybrid-identity.md?context=azure/active-directory/users-groups-roles/context/ugr-context) |
active-directory | Groups Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-troubleshooting.md | The following table lists common dynamic membership rule errors and how to corre These articles provide additional information on Azure Active Directory. -* [Managing access to resources with Azure Active Directory groups](../fundamentals/active-directory-manage-groups.md) +* [Managing access to resources with Azure Active Directory groups](../fundamentals/concept-learn-about-groups.md) * [Application Management in Azure Active Directory](../manage-apps/what-is-application-management.md)-* [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md) +* [What is Azure Active Directory?](../fundamentals/whatis.md) * [Integrating your on-premises identities with Azure Active Directory](../hybrid/whatis-hybrid-identity.md) |
active-directory | Groups Write Back Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-write-back-portal.md | -Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback for tenants with an Azure AD Premium license and Azure AD Connect version 2021 December release or later. In this preview, once you have [enabled Azure AD Connect group writeback](..//hybrid/how-to-connect-group-writeback-v2.md), you can specify in the Azure portal which groups you want to write back and what youΓÇÖd like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universalΓÇï. +Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback for tenants with an Azure AD Premium license and Azure AD Connect version 2021 December release or later. In this preview, once you have [enabled Azure AD Connect group writeback](../hybrid/connect/how-to-connect-group-writeback-v2.md), you can specify in the Azure portal which groups you want to write back and what youΓÇÖd like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universalΓÇï. 
>[!NOTE] > If you were previously writing Microsoft 365 groups back to on-premises Active Directory as universal distribution groups, they will appear in the Azure portal as not enabled for writeback in both the **Groups** page and in the properties page for a group. These pages display a new property introduced for the preview, ΓÇ£writeback enabledΓÇ¥. This property is not set by the current version of group writeback to ensure backward compatibility with the legacy version of group writeback and to avoid breaking existing customer setups. Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-expl Replace the Group_ID with a cloud group ID, and then select on Run query. In the **Response Preview**, scroll to the end to see the part of the JSON file. -```JSON +```json "writebackConfiguration": {- "isEnabled": true, + "isEnabled": true, + ... +} ``` ## Next steps - Check out the groups REST API documentation for the [preview writeback property on the settings template](/graph/api/resources/group?view=graph-rest-beta&preserve-view=true).-- For more about group writeback operations, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback.md).+- For more about group writeback operations, see [Azure AD Connect group writeback](../hybrid/connect/how-to-connect-group-writeback-v2.md). - For more information about the writebackConfiguration resource, read [writebackConfiguration resource type](/graph/api/resources/writebackconfiguration?view=graph-rest-beta&preserve-view=true). |
active-directory | Licensing Admin Center | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-admin-center.md | When assign licenses to a group, Azure AD processes all existing members of that To learn more about the feature set for license assignment using groups, see the following articles: -- [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context)+- [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md?context=azure/active-directory/users-groups-roles/context/ugr-context) - [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md) |
active-directory | Licensing Directory Independence | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-directory-independence.md | If a non-administrative user of organization 'Contoso' creates a test organizati ## Synchronization independence -You can configure each Azure AD organization independently to get data synchronized from different AD forests, using the Azure AD Connect tool. See [topologies for Azure AD Connect](../hybrid/plan-connect-topologies.md) for more information on supported topologies when there are multiple Azure AD tenants. +You can configure each Azure AD organization independently to get data synchronized from different AD forests, using the Azure AD Connect tool. See [topologies for Azure AD Connect](../hybrid/connect/plan-connect-topologies.md) for more information on supported topologies when there are multiple Azure AD tenants. ## Add an Azure AD organization To add an Azure AD organization in the Azure portal, sign in to the [Azure portal](https://portal.azure.com) with an account that is an Azure AD Global Administrator, and select **New**. > [!NOTE]-> Unlike other Azure resources, your Azure AD organizations are not child resources of an Azure subscription. If your Azure subscription is canceled or expired, you can still access your Azure AD organization's data using Azure PowerShell, the Microsoft Graph API, or the Microsoft 365 admin center. You can also [associate another subscription with the organization](../fundamentals/active-directory-how-subscriptions-associated-directory.md). +> Unlike other Azure resources, your Azure AD organizations are not child resources of an Azure subscription. If your Azure subscription is canceled or expired, you can still access your Azure AD organization's data using Azure PowerShell, the Microsoft Graph API, or the Microsoft 365 admin center. 
You can also [associate another subscription with the organization](../fundamentals/how-subscriptions-associated-directory.md). > ## Next steps -For Azure AD licensing considerations and best practices, see [What is Azure Active Directory licensing?](../fundamentals/active-directory-licensing-whatis-azure-portal.md). +For Azure AD licensing considerations and best practices, see [What is Azure Active Directory licensing?](../fundamentals/licensing-whatis-azure-portal.md). |
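Review bot: the rewritten NOTE splits the original single `>` line into two, and the second line ("You can also [associate another subscription with the organization](../fundamentals/how-subscriptions-associated-directory.md).") as shown here has no `>` prefix; without it the sentence falls out of the blockquote and renders as a separate paragraph after the note box. Check that the new line is written as `> You can also ...` so the callout stays one block. The licensing-whatis-azure-portal.md and plan-connect-topologies.md retargets in this hunk look fine.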
active-directory | Licensing Group Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-group-advanced.md | Some Microsoft services aren't available in all locations. For group license ass 1. Select the **Save** button. > [!NOTE]-> Group license assignment will never modify an existing usage location value on a user. We recommend that you always set usage location as part of your user creation flow in Azure AD (for example, via [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) configuration). Following such a process ensures the result of license assignment is always correct, and users do not receive services in locations that are not allowed. +> Group license assignment will never modify an existing usage location value on a user. We recommend that you always set usage location as part of your user creation flow in Azure AD (for example, via [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) configuration). Following such a process ensures the result of license assignment is always correct, and users do not receive services in locations that are not allowed. ## Use group-based licensing with dynamic groups If you use group-based licensing, it's a good idea to familiarize yourself with To learn more about other scenarios for license management through group-based licensing, see: -* [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md) +* [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md) * [Assigning licenses to a group in Azure Active Directory](licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md) * [How to migrate individual licensed users to group-based licensing in Azure Active Directory](licensing-groups-migrate-users.md) |
active-directory | Licensing Groups Assign | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-assign.md | When assign licenses to a group, Azure AD processes all existing members of that To learn more about the feature set for license assignment using groups, see the following articles: -- [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context)+- [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md?context=azure/active-directory/users-groups-roles/context/ugr-context) - [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md) - [How to migrate individual licensed users to group-based licensing in Azure Active Directory](licensing-groups-migrate-users.md) - [How to migrate users between product licenses using group-based licensing in Azure Active Directory](licensing-groups-change-licenses.md) |
active-directory | Licensing Groups Migrate Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-migrate-users.md | Here is what the migration process could look like: Learn more about other scenarios for group license management: -- [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md)+- [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md) - [Assigning licenses to a group in Azure Active Directory](licensing-groups-assign.md) - [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md) - [How to migrate users between product licenses using group-based licensing in Azure Active Directory](licensing-groups-change-licenses.md) |
active-directory | Licensing Groups Resolve Problems | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md | For example, after you resolve duplicate proxy address problem for an affected u To learn more about other scenarios for license management through groups, see the following: -* [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md) +* [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md) * [Assigning licenses to a group in Azure Active Directory](./licensing-groups-assign.md) * [How to migrate individual licensed users to group-based licensing in Azure Active Directory](licensing-groups-migrate-users.md) * [How to migrate users between product licenses using group-based licensing in Azure Active Directory](licensing-groups-change-licenses.md) |
active-directory | Licensing Powershell Graph Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-powershell-graph-examples.md | Group-based licensing in Azure Active Directory (Azure AD), part of Microsoft En ## Assign licenses to a group -[Group based licensing](../fundamentals/active-directory-licensing-whatis-azure-portal.md) provides a convenient way to manage license assignment. You can assign one or more product licenses to a group and those licenses are assigned to all members of the group. +[Group based licensing](../fundamentals/licensing-whatis-azure-portal.md) provides a convenient way to manage license assignment. You can assign one or more product licenses to a group and those licenses are assigned to all members of the group. ```powershell # Import the Microsoft.Graph.Groups module foreach ($user in $users) { To learn more about the feature set for license management through groups, see the following articles: -* [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md) +* [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md) * [Assigning licenses to a group in Azure Active Directory](./licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md) |
active-directory | Licensing Ps Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-ps-examples.md | aadbe4da-c4b5-4d84-800a-9400f31d7371 User has no direct license to remove. Skipp To learn more about the feature set for license management through groups, see the following articles: -* [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md) +* [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md) * [Assigning licenses to a group in Azure Active Directory](./licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md) * [How to migrate individual licensed users to group-based licensing in Azure Active Directory](licensing-groups-migrate-users.md) |
active-directory | Licensing Service Plan Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md | The following service plans cannot be assigned together: To learn more about the feature set for license management through groups, see the following: -* [What is group-based licensing in Azure Active Directory?](../fundamentals/active-directory-licensing-whatis-azure-portal.md) +* [What is group-based licensing in Azure Active Directory?](../fundamentals/licensing-whatis-azure-portal.md) * [Assigning licenses to a group in Azure Active Directory](licensing-groups-assign.md) * [Identifying and resolving license problems for a group in Azure Active Directory](licensing-groups-resolve-problems.md) * [How to migrate individual licensed users to group-based licensing in Azure Active Directory](licensing-groups-migrate-users.md) |
active-directory | Users Revoke Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-revoke-access.md | Once admins have taken the above steps, the user can't gain new tokens for any a ## Next steps - [Secure access practices for Azure AD administrators](../roles/security-planning.md)-- [Add or update user profile information](../fundamentals/active-directory-users-profile-azure-portal.md)+- [Add or update user profile information](../fundamentals/how-to-manage-user-profile-info.md) - [Remove or Delete a former employee](/microsoft-365/admin/add-users/remove-former-employee) |
active-directory | Users Search Enhanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-search-enhanced.md | You can edit properties by selecting the pencil icon next to any category, which User operations -- [Add or change profile information](../fundamentals/active-directory-users-profile-azure-portal.md)-- [Add or delete users](../fundamentals/add-users-azure-active-directory.md)+- [Add or change profile information](../fundamentals/how-to-manage-user-profile-info.md) +- [Add or delete users](../fundamentals/add-users.md) Bulk operations |
active-directory | Users Sharing Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-sharing-accounts.md | Azure AD supports shared accounts for any Enterprise Mobility Suite (EMS) or Azu Azure AD features that enable account sharing include: -* [Password single sign-on](../manage-apps/sso-options.md#password-based-sso) +* [Password single sign-on](../manage-apps/plan-sso-deployment.md#single-sign-on-options) * Password single sign-on agent * [Group assignment](groups-self-service-management.md) * Custom Password apps You can also make your shared account more secure with Multi-Factor Authenticati * [Application Management in Azure Active Directory](../manage-apps/what-is-application-management.md) * [Protecting apps with Conditional Access](../../active-directory-b2c/overview.md)-* [Self-service group management/SSAA](groups-self-service-management.md) +* [Self-service group management/SSAA](groups-self-service-management.md) |
active-directory | Add Users Administrator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/add-users-administrator.md | As a user who is assigned any of the limited administrator directory roles, you After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can select the redemption URL in the invitation email. For more information about the redemption process, see [B2B collaboration invitation redemption](redemption-experience.md). > [!IMPORTANT]-> You should follow the steps in [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/active-directory-properties-area.md) to add the URL of your organization's privacy statement. As part of the first time invitation redemption process, an invited user must consent to your privacy terms to continue. +> You should follow the steps in [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/properties-area.md) to add the URL of your organization's privacy statement. As part of the first time invitation redemption process, an invited user must consent to your privacy terms to continue. The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Instructions for the legacy create user process can be found in the [Add or delete users](../fundamentals/add-users-azure-active-directory.md) article. +Instructions for the legacy create user process can be found in the [Add or delete users](../fundamentals/add-users.md) article. ## Before you begin |
active-directory | Add Users Information Worker | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/add-users-information-worker.md | Self-service app management requires some initial setup by a Global Administrato 3. Under **Manage**, select **Enterprise applications** > **All applications**. 4. In the application list, find and open the app. 5. Under **Manage**, select **Single sign-on**, and configure the application for single sign-on. (For details, see [how to manage single sign-on for enterprise apps](../manage-apps/add-application-portal-setup-sso.md).)-6. Under **Manage**, select **Self-service**, and set up self-service app access. (For details, see [how to use self-service app access](../manage-apps/access-panel-manage-self-service-access.md).) +6. Under **Manage**, select **Self-service**, and set up self-service app access. (For details, see [how to use self-service app access](../manage-apps/manage-self-service-access.md).) > [!NOTE] > For the setting **To which group should assigned users be added?** select the group you created in the previous section. |
active-directory | B2b Direct Connect Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-direct-connect-overview.md | When B2B direct connect is enabled with an external organization, users in the e ### Inbound access -We strongly recommend you add both your global privacy contact and your organization's privacy statement so your internal employees and external guests can review your policies. Follow the steps to [add your organization's privacy info](../fundamentals/active-directory-properties-area.md). +We strongly recommend you add both your global privacy contact and your organization's privacy statement so your internal employees and external guests can review your policies. Follow the steps to [add your organization's privacy info](../fundamentals/properties-area.md). ### Restricting access to users and groups |
active-directory | B2b Fundamentals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-fundamentals.md | This article contains recommendations and best practices for business-to-busines | Recommendation | Comments | | | |-| Consult Azure AD guidance for securing your collaboration with external partners | Learn how to take a holistic governance approach to your organization's collaboration with external partners by following the recommendations in [Securing external collaboration in Azure Active Directory and Microsoft 365](../fundamentals/secure-external-access-resources.md). | +| Consult Azure AD guidance for securing your collaboration with external partners | Learn how to take a holistic governance approach to your organization's collaboration with external partners by following the recommendations in [Securing external collaboration in Azure Active Directory and Microsoft 365](../architecture/secure-external-access-resources.md). | | Carefully plan your cross-tenant access and external collaboration settings | Azure AD gives you a flexible set of controls for managing collaboration with external users and organizations. You can allow or block all collaboration, or configure collaboration only for specific organizations, users, and apps. Before configuring settings for cross-tenant access and external collaboration, take a careful inventory of the organizations you work and partner with. Then determine if you want to enable [B2B direct connect](b2b-direct-connect-overview.md) or [B2B collaboration](what-is-b2b.md) with other Azure AD tenants, and how you want to manage [B2B collaboration invitations](external-collaboration-settings-configure.md). | | Use tenant restrictions to control how external accounts are used on your networks and managed devices. 
| With tenant restrictions, you can prevent your users from using accounts they've created in unknown tenants or accounts they've received from external organizations. We recommend you disallow these accounts and use B2B collaboration instead. | | For an optimal sign-in experience, federate with identity providers | Whenever possible, federate directly with identity providers to allow invited users to sign in to your shared apps and resources without having to create Microsoft Accounts (MSAs) or Azure AD accounts. You can use the [Google federation feature](google-federation.md) to allow B2B guest users to sign in with their Google accounts. Or, you can use the [SAML/WS-Fed identity provider (preview) feature](direct-federation.md) to set up federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. | | Use the Email one-time passcode feature for B2B guests who canΓÇÖt authenticate by other means | The [Email one-time passcode](one-time-passcode.md) feature authenticates B2B guest users when they can't be authenticated through other means like Azure AD, a Microsoft account (MSA), or Google federation. When the guest user redeems an invitation or accesses a shared resource, they can request a temporary code, which is sent to their email address. Then they enter this code to continue signing in. |-| Add company branding to your sign-in page | You can customize your sign-in page so it's more intuitive for your B2B guest users. See how to [add company branding to sign in and Access Panel pages](../fundamentals/customize-branding.md). | -| Add your privacy statement to the B2B guest user redemption experience | You can add the URL of your organization's privacy statement to the first time invitation redemption process so that an invited user must consent to your privacy terms to continue. See [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/active-directory-properties-area.md). 
| +| Add company branding to your sign-in page | You can customize your sign-in page so it's more intuitive for your B2B guest users. See how to [add company branding to sign in and Access Panel pages](../fundamentals/how-to-customize-branding.md). | +| Add your privacy statement to the B2B guest user redemption experience | You can add the URL of your organization's privacy statement to the first time invitation redemption process so that an invited user must consent to your privacy terms to continue. See [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/properties-area.md). | | Use the bulk invite (preview) feature to invite multiple B2B guest users at the same time | Invite multiple guest users to your organization at the same time by using the bulk invite preview feature in the Azure portal. This feature lets you upload a CSV file to create B2B guest users and send invitations in bulk. See [Tutorial for bulk inviting B2B users](tutorial-bulk-invite.md). | | Enforce Conditional Access policies for Azure Active Directory Multi-Factor Authentication (MFA) | We recommend enforcing MFA policies on the apps you want to share with partner B2B users. This way, MFA will be consistently enforced on the apps in your tenant regardless of whether the partner organization is using MFA. See [Conditional Access for B2B collaboration users](authentication-conditional-access.md). | | If youΓÇÖre enforcing device-based Conditional Access policies, use exclusion lists to allow access to B2B users | If device-based Conditional Access policies are enabled in your organization, B2B guest user devices will be blocked because theyΓÇÖre not managed by your organization. You can create exclusion lists containing specific partner users to exclude them from the device-based Conditional Access policy. See [Conditional Access for B2B collaboration users](authentication-conditional-access.md). 
| This article contains recommendations and best practices for business-to-busines ## Next steps -[Manage B2B sharing](external-collaboration-settings-configure.md) +[Manage B2B sharing](external-collaboration-settings-configure.md) |
active-directory | B2b Quickstart Add Guest Users Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md | If you donΓÇÖt have an Azure subscription, create a [free account](https://azure The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Instructions for the legacy create user process can be found in the [Add or delete users](../fundamentals/add-users-azure-active-directory.md) article. +Instructions for the legacy create user process can be found in the [Add or delete users](../fundamentals/add-users.md) article. ## Prerequisites |
active-directory | Claims Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/claims-mapping.md | There are two possible reasons why you might need to edit the claims that are is 1. The application requires a different set of claim URIs or claim values. -2. The application requires the NameIdentifier claim to be something other than the user principal name [(UPN)](../hybrid/plan-connect-userprincipalname.md#what-is-userprincipalname) that's stored in Azure AD. +2. The application requires the NameIdentifier claim to be something other than the user principal name [(UPN)](../hybrid/connect/plan-connect-userprincipalname.md#what-is-userprincipalname) that's stored in Azure AD. -For information about how to add and edit claims, see [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/active-directory-saml-claims-customization.md). +For information about how to add and edit claims, see [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/saml-claims-customization.md). For B2B collaboration users, mapping NameID and UPN cross-tenant are prevented for security reasons. For B2B collaboration users, mapping NameID and UPN cross-tenant are prevented f - For information about B2B collaboration user properties, see [Properties of an Azure Active Directory B2B collaboration user](user-properties.md). - For information about user tokens for B2B collaboration users, see [Understand user tokens in Azure AD B2B collaboration](user-token.md).- |
active-directory | Cross Cloud Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-cloud-settings.md | After each organization has completed these steps, Azure AD B2B collaboration be In your Microsoft cloud settings, enable the Microsoft Azure cloud you want to collaborate with. -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service. +1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service. 1. Select **External Identities**, and then select **Cross-tenant access settings**. 1. Select **Microsoft cloud settings**. 1. Select the checkboxes next to the external Microsoft Azure clouds you want to enable. |
active-directory | Cross Tenant Access Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-overview.md | To collaborate with a partner tenant in a different Microsoft Azure cloud, both > [!IMPORTANT] > Changing the default inbound or outbound settings to block access could block existing business-critical access to apps in your organization or partner organizations. Be sure to use the tools described in this article and consult with your business stakeholders to identify the required access. -- To configure cross-tenant access settings in the Azure portal, you'll need an account with a Global administrator or Security administrator role.+- To configure cross-tenant access settings in the Azure portal, you'll need an account with a Global administrator, Security administrator, or a [custom role](#custom-roles-for-managing-cross-tenant-access-settings) you've defined. - To configure trust settings or apply access settings to specific users, groups, or applications, you'll need an Azure AD Premium P1 license. The license is required on the tenant that you configure. For B2B direct connect, where mutual trust relationship with another Azure AD organization is required, you'll need an Azure AD Premium P1 license in both tenants. To collaborate with a partner tenant in a different Microsoft Azure cloud, both - If you block access to all apps by default, users will be unable to read emails encrypted with Microsoft Rights Management Service (also known as Office 365 Message Encryption or OME). To avoid this issue, we recommend configuring your outbound settings to allow your users to access this app ID: 00000012-0000-0000-c000-000000000000. If this is the only application you allow, access to all other apps will be blocked by default. +## Custom roles for managing cross-tenant access settings ++Cross-tenant access settings can be managed with custom roles defined by your organization. 
This enables you to [define your own finely-scoped roles](../roles/custom-create.md) to manage cross-tenant access settings instead of using one of the built-in roles for management. +Your organization can define custom roles to manage cross-tenant access settings. This allows you to create [your own finely-scoped roles](../roles/custom-create.md) to manage cross-tenant access settings instead of using built-in roles for management. +### Recommended custom roles ++#### Cross-tenant access administrator ++This role can manage everything in cross-tenant access settings, including default and organizational based settings. This role should be assigned to users who need to manage all settings in cross-tenant access settings. ++Please find the list of recommended actions for this role below. ++| Actions | +| - | +| microsoft.directory.tenantRelationships/standard/read | +| microsoft.directory/crossTenantAccessPolicy/standard/read | +| microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | +| microsoft.directory/crossTenantAccessPolicy/basic/update | +| microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | +| microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | +| microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | +| microsoft.directory/crossTenantAccessPolicy/default/standard/read | +| microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | +| microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | +| microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | +| microsoft.directory/crossTenantAccessPolicy/partners/create | +| microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | +| microsoft.directory/crossTenantAccessPolicy/partners/delete | +| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update | +| 
microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create | +| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read | +| microsoft.directory/crossTenantAccessPolicy/partners/standard/read | +| microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | ++#### Cross-tenant access reader +This role can read everything in cross-tenant access settings, including default and organizational based settings. This role should be assigned to users who only need to review settings in cross-tenant access settings, but not manage them. ++Please find the list of recommended actions for this role below. ++| Actions | +| - | +| microsoft.directory.tenantRelationships/standard/read | +| microsoft.directory/crossTenantAccessPolicy/standard/read | +| microsoft.directory/crossTenantAccessPolicy/default/standard/read | +| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read | +| microsoft.directory/crossTenantAccessPolicy/partners/standard/read | ++#### Cross-tenant access partner administrator +This role can manage everything relating to partners and read the default settings. This role should be assigned to users who need to manage organizational based settings but not be able to change default settings. ++Please find the list of recommended actions for this role below. 
++| Actions | +| - | +| microsoft.directory.tenantRelationships/standard/read | +| microsoft.directory/crossTenantAccessPolicy/standard/read | +| microsoft.directory/crossTenantAccessPolicy/basic/update | +| microsoft.directory/crossTenantAccessPolicy/default/standard/read | +| microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | +| microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | +| microsoft.directory/crossTenantAccessPolicy/partners/create | +| microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | +| microsoft.directory/crossTenantAccessPolicy/partners/delete | +| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update | +| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create | +| microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read | +| microsoft.directory/crossTenantAccessPolicy/partners/standard/read | +| microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | ++## Protect cross-tenant access administrative actions +Any actions that modify cross-tenant access settings are considered protected actions and can be additionally protected with Conditional Access policies. For more information and configuration steps see [protected actions](../roles/protected-actions-overview.md). + ## Identify inbound and outbound sign-ins Several tools are available to help you identify the access your users and partners need before you set inbound and outbound access settings. To ensure you donΓÇÖt remove access that your users and partners need, you should examine current sign-in behavior. Taking this preliminary step will help prevent loss of desired access for your end users and partner users. However, in some cases these logs are only retained for 30 days, so we strongly recommend you speak with your business stakeholders to ensure required access isn't lost. |
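Review bot: the new "Custom roles for managing cross-tenant access settings" section opens with two consecutive paragraphs that say the same thing ("Cross-tenant access settings can be managed with custom roles defined by your organization. This enables you to define your own finely-scoped roles..." and "Your organization can define custom roles to manage cross-tenant access settings. This allows you to create your own finely-scoped roles..."); keep one and drop the other. Two further points in the same hunk: every action in the three tables is written as `microsoft.directory/...` except `microsoft.directory.tenantRelationships/standard/read`, which uses a dot after `directory`, so please verify that spelling against the published custom-role permission list before merge; and the "Cross-tenant access partner administrator" role is described as not being able to change default settings, yet its table includes `microsoft.directory/crossTenantAccessPolicy/basic/update`, which is not scoped under `/partners/`, so it is worth confirming that this action cannot alter tenant-wide settings, or otherwise dropping it from that role (the reader role carries no update actions and is unaffected). Minor style: "Please find the list of recommended actions for this role below." appears three times; "The following table lists the recommended actions for this role." reads better and matches the rest of the docs.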
active-directory | Cross Tenant Access Settings B2b Collaboration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md | Use External Identities cross-tenant access settings to manage how you collabora Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. If you want to modify the Azure AD-provided default settings, follow these steps. -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service. +1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service. 1. Select **External Identities**, and then select **Cross-tenant access settings**. 1. Select the **Default settings** tab and review the summary page. |
active-directory | Cross Tenant Access Settings B2b Direct Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md | Learn more about using cross-tenant access settings to [manage B2B direct connec Default cross-tenant access settings apply to all external tenants for which you haven't created organization-specific customized settings. If you want to modify the Azure AD-provided default settings, follow these steps. -1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service. +1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator, Security administrator, or an account with a [custom role](cross-tenant-access-overview.md#custom-roles-for-managing-cross-tenant-access-settings) you've created. Then open the **Azure Active Directory** service. 1. Select **External Identities**, and then select **Cross-tenant access settings**. 1. Select the **Default settings** tab and review the summary page. |
active-directory | Concept Supported Features Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/concept-supported-features-customers.md | Although workforce tenants and customer tenants are built on the same underlying |||| | **External Identities** | Invite partners and other external users to your workforce tenant for collaboration. External users become guests in your workforce directory. | Enable self-service sign-up for customers and authorize access to apps. Users are added to your directory as customer accounts. | | **Authentication methods and identity providers** | - Azure AD accounts </br>- Microsoft accounts </br>- Email one-time passcode </br>- Google federation</br>- Facebook federation</br>- SAML/WS-Fed federation | - Local account (Email and password) </br>- Email one-time passcode </br>- Google federation</br>- Facebook federation|-| **Groups** | [Groups](../../fundamentals/active-directory-groups-create-azure-portal.md) can be used to manage administrative and user accounts.| Groups can be used to manage administrative accounts. Support for Azure AD groups and [application roles](how-to-use-app-roles-customers.md) is being phased into customer tenants. For the latest updates, see [Groups and application roles support](reference-group-app-roles-support.md). | -| **Roles and administrators**| [Roles and administrators](../../fundamentals/active-directory-users-assign-role-azure-portal.md) are fully supported for administrative and user accounts. | Roles aren't supported with customer accounts. Customer accounts don't have access to tenant resources.| +| **Groups** | [Groups](../../fundamentals/how-to-manage-groups.md) can be used to manage administrative and user accounts.| Groups can be used to manage administrative accounts. Support for Azure AD groups and [application roles](how-to-use-app-roles-customers.md) is being phased into customer tenants. 
For the latest updates, see [Groups and application roles support](reference-group-app-roles-support.md). | +| **Roles and administrators**| [Roles and administrators](../../fundamentals/how-subscriptions-associated-directory.md) are fully supported for administrative and user accounts. | Roles aren't supported with customer accounts. Customer accounts don't have access to tenant resources.| | **Custom domain names** | You can use [custom domains](../../fundamentals/add-custom-domain.md) for administrative accounts only. | Not currently supported. However, the URLs visible to customers in sign-up and sign-in pages are neutral, unbranded URLs. [Learn more](concept-branding-customers.md)| | **Conditional Access** | [Conditional Access](../../conditional-access/overview.md) is fully supported for administrative and user accounts. | A subset of the Azure AD Conditional Access is available. Multifactor authentication (MFA) is supported with local accounts in customer tenants. [Learn more](concept-security-customers.md).| | **Identity protection** | Provides ongoing risk detection for your Azure AD tenant. It allows organizations to discover, investigate, and remediate identity-based risks. | A subset of the Azure AD Identity Protection risk detections is available. [Learn more](how-to-identity-protection-customers.md). | |
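Review bot: in the "Roles and administrators" row, the link text still reads "Roles and administrators" but the replacement target is `../../fundamentals/how-subscriptions-associated-directory.md`, which by its name is the article on associating subscriptions with a directory rather than one about roles and administrators; please confirm the intended target and fix either the path or the link text (the other retargeted link in this hunk, `how-to-manage-groups.md` for the Groups row, does match its link text).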
active-directory | How To Browserless App Node Sign In Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-browserless-app-node-sign-in-overview.md | The device code flow is an OAuth2.0 grant flow that allows users to sign in to i - Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>. -If you want to run a sample Node.js browserless application rather than building it from scratch, complete the steps in [Sign in users in a sample Node.js browserless application by using the Device Code flow](how-to-browserless-app-node-sample-sign-in.md) +If you want to run a sample Node.js browserless application rather than building it from scratch, complete the steps in [Sign in users in a sample Node.js browserless application by using the Device Code flow](./sample-browserless-app-node-sign-in.md) ## Next steps |
active-directory | How To Browserless App Node Sign In Sign Out | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-browserless-app-node-sign-in-sign-out.md | Now that we're done building the app, we can test it by following these steps: 1. In your terminal, ensure you're in project directory that contains the *package.json* file. For example, *ciam-sign-in-node-browserless-app*. -1. Use the steps in [Run and test the browserless app](how-to-browserless-app-node-sample-sign-in.md?#run-and-test-sample-browserless-app) article to test your browserless app. +1. Use the steps in [Run and test the browserless app](./sample-browserless-app-node-sign-in.md#run-and-test-sample-browserless-app) article to test your browserless app. ## Next steps |
active-directory | How To Manage Admin Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-manage-admin-accounts.md | To delete an existing user, you must have a *Global administrator* role assignme 1. Select the user you want to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. -The user is deleted and no longer appears on the **All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure AD](../../fundamentals/active-directory-users-restore.md). +The user is deleted and no longer appears on the **All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure AD](../../fundamentals/users-restore.md). ## Protect administrative accounts |
active-directory | How To Manage Customer Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-manage-customer-accounts.md | To reset a customer's password: 1. Search for and select the user to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. -For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../../fundamentals/active-directory-users-restore.md). +For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../../fundamentals/users-restore.md). |
active-directory | How To Register Ciam App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-register-ciam-app.md | If you'd like to learn how to expose the permissions by adding a link, go to the ## Next steps - [Create a sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md)-- [Sign in users in a sample vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-sample-sign-in.md) +- [Sign in users in a sample vanilla JavaScript single-page app](./sample-single-page-app-vanillajs-sign-in.md) # [Web app](#tab/webapp) ## Register your Web app If your web app needs to call an API, you must grant your web app API permission ## Next steps - [Create a sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md)-- [Sign in users in a sample Node.js web app](how-to-web-app-node-sample-sign-in.md) +- [Sign in users in a sample Node.js web app](./sample-web-app-node-sign-in.md) # [Web API](#tab/webapi) ## Register your Web API A daemon app signs-in as itself using the [OAuth 2.0 client credentials flow](/a [!INCLUDE [add app client secret](../customers/includes/register-app/add-app-client-secret.md)] ## Next steps-- Learn more how to manage [Azure Active Directory for customers resources with Microsoft Graph](microsoft-graph-operations.md)+- Learn more how to manage [Azure Active Directory for customers resources with Microsoft Graph](microsoft-graph-operations.md) |
active-directory | How To Web App Node Sign In Call Api Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-sign-in-call-api-call-api.md | At this point, you're ready to test your client web app and web API. ``` Your client web app starts. -1. Use the steps in [Run and test sample web app and API](how-to-web-app-node-sample-sign-in-call-api.md#run-and-test-sample-web-app-and-api) to demonstrate how the client app calls the web API. +1. Use the steps in [Run and test sample web app and API](./sample-web-app-node-sign-in-call-api.md#run-and-test-sample-web-app-and-api) to demonstrate how the client app calls the web API. ## Next steps |
active-directory | How To Web App Node Sign In Call Api Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-sign-in-call-api-overview.md | The web API completes the following events: - Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>. -If you want to run a sample Node.js web application that calls a sample web API to get a feel of how things work, complete the steps in [Sign in users and call an API in sample Node.js web application](how-to-web-app-node-sample-sign-in-call-api.md). +If you want to run a sample Node.js web application that calls a sample web API to get a feel of how things work, complete the steps in [Sign in users and call an API in sample Node.js web application](./sample-web-app-node-sign-in-call-api.md). ## Next steps |
active-directory | How To Web App Node Sign In Call Api Sign In Acquire Access Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-sign-in-call-api-sign-in-acquire-access-token.md | The `/signin`, `/signout` and `/redirect` routes are defined in the *routes/auth - The `handleRedirect` method handles `/redirect` route: - - You set this route as Redirect URI for the web app in the Microsoft Entra admin center earlier in [Register the web app](how-to-web-app-node-sample-sign-in-call-api.md#register-the-web-app). + - You set this route as Redirect URI for the web app in the Microsoft Entra admin center earlier in [Register the web app](./sample-web-app-node-sign-in-call-api.md#register-the-web-app). - This endpoint implements the second leg of auth code flow uses. It uses the authorization code to request an ID token by using MSAL's [acquireTokenByCode](/javascript/api/@azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-acquiretokenbycode) method. |
active-directory | Sample Web App Dotnet Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-web-app-dotnet-sign-in.md | -This how-to guide uses a sample ASP.NET web application to show the fundamentals of modern authentication using the [Microsoft Authentication Library for .NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) and [Microsoft Identity Web](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) for ASP.NET to handle authentication. +This how-to guide uses a sample ASP.NET web application to show the fundamentals of modern authentication using the [Microsoft Authentication Library for .NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) and [Microsoft Identity Web](https://github.com/AzureAD/microsoft-identity-web/) for ASP.NET to handle authentication. In this article, you'll register a web application in the Microsoft Entra admin center and create a sign in and sign out user flow. You'll associate your web application with the user flow, download and update a sample ASP.NET web application using your own Azure Active Directory (Azure AD) for customers tenant details. Finally, you'll run and test the sample web application. To get the web app sample code, you can do either of the following tasks: 1. Once signed in the display name is shown next to the **Sign out** button as shown in the following screenshot. - :::image type="content" source="media/how-to-web-app-dotnet-sign-in-sign-in-out/display-aspnet-welcome.png" alt-text="Screenshot of sign in into a ASP.NET web app."::: + :::image type="content" source="media/tutorial-web-app-dotnet-sign-in-sign-in-out/display-aspnet-welcome.png" alt-text="Screenshot of sign in into a ASP.NET web app."::: 1. To sign-out from the application, select the **Sign out** button. 
To get the web app sample code, you can do either of the following tasks: - [Enable password reset](how-to-enable-password-reset-customers.md) - [Customize the default branding](how-to-customize-branding-customers.md) - [Configure sign-in with Google](how-to-google-federation-customers.md)-- [Sign in users in your own ASP.NET web application by using an Azure AD for customers tenant](how-to-web-app-dotnet-sign-in-prepare-app.md)+- [Sign in users in your own ASP.NET web application by using an Azure AD for customers tenant](tutorial-web-app-dotnet-sign-in-prepare-app.md) |
active-directory | Samples Ciam All | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/samples-ciam-all.md | These samples and how-to guides demonstrate how to integrate a single-page appli > [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | - | -- | - |-> | JavaScript, Vanilla | • [Sign in users](how-to-single-page-app-vanillajs-sample-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | -> | JavaScript, Angular | • [Sign in users](how-to-single-page-application-angular-sample.md) | | -> | JavaScript, React | • [Sign in users](how-to-single-page-application-react-sample.md) | • [Sign in users](how-to-single-page-application-react-prepare-tenant.md) | +> | JavaScript, Vanilla | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | +> | JavaScript, Angular | • [Sign in users](./sample-single-page-app-angular-sign-in.md) | | +> | JavaScript, React | • [Sign in users](./sample-single-page-app-react-sign-in.md) | • [Sign in users](./tutorial-single-page-app-react-sign-in-prepare-tenant.md) | ### Web app These samples and how-to guides demonstrate how to write a web application that > [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | - | -- | - | -> | JavaScript, Node.js (Express) | • [Sign in users](how-to-web-app-node-sample-sign-in.md)<br/> • [Sign in users and call an API](how-to-web-app-node-sample-sign-in-call-api.md) | • [Sign in users](tutorial-web-app-node-sign-in-prepare-tenant.md)<br/> • [Sign in users and call an API](how-to-web-app-node-sign-in-call-api-overview.md) | -> | ASP.NET Core | • [Sign in users](how-to-web-app-dotnet-sample-sign-in.md) | • [Sign in users](how-to-web-app-dotnet-sign-in-prepare-tenant.md) | +> | JavaScript, Node.js (Express) | • 
[Sign in users](./sample-web-app-node-sign-in.md)<br/> • [Sign in users and call an API](./sample-web-app-node-sign-in-call-api.md) | • [Sign in users](tutorial-web-app-node-sign-in-prepare-tenant.md)<br/> • [Sign in users and call an API](how-to-web-app-node-sign-in-call-api-overview.md) | +> | ASP.NET Core | • [Sign in users](./sample-web-app-dotnet-sign-in.md) | • [Sign in users](tutorial-web-app-dotnet-sign-in-prepare-tenant.md) | ### Web API These samples and how-to guides demonstrate how to write a browserless applicati > [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | - | -- | - | -> | JavaScript, Node | • [Sign in users](how-to-browserless-app-node-sample-sign-in.md) | • [Sign in users](how-to-browserless-app-node-sign-in-overview.md ) | -> | .NET | • [Sign in users](how-to-browserless-app-dotnet-sample-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) | +> | JavaScript, Node | • [Sign in users](./sample-browserless-app-node-sign-in.md) | • [Sign in users](how-to-browserless-app-node-sign-in-overview.md ) | +> | .NET | • [Sign in users](./sample-browserless-app-dotnet-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) | ### Desktop These samples and how-to guides demonstrate how to write a daemon application th > [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | -- | -- |-- |-> | Node.js | • [Call an API](how-to-daemon-node-sample-call-api.md) | • [Call an API](tutorial-daemon-node-call-api-prepare-tenant.md) | +> | Node.js | • [Call an API](./sample-daemon-node-call-api.md) | • [Call an API](tutorial-daemon-node-call-api-prepare-tenant.md) | > | .NET | • [Call an API](sample-daemon-dotnet-call-api.md) | • [Call an API](tutorial-daemon-dotnet-call-api-prepare-tenant.md) | These samples and how-to guides demonstrate how to write a daemon 
application th > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Browserless | • [Sign in users](how-to-browserless-app-dotnet-sample-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) | +> | Browserless | • [Sign in users](./sample-browserless-app-dotnet-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) | > | Daemon | • [Call an API](sample-daemon-dotnet-call-api.md) | • [Call an API](tutorial-daemon-dotnet-call-api-prepare-tenant.md) | These samples and how-to guides demonstrate how to write a daemon application th > | App type | Code sample guide | Build and integrate guide | > | - | -- | - | > | Web API| | • [Secure an ASP.NET web API](tutorial-protect-web-api-dotnet-core-build-app.md) |-> | Web app | • [Sign in users](how-to-web-app-dotnet-sample-sign-in.md) | • [Sign in users](how-to-web-app-dotnet-sign-in-prepare-tenant.md) | +> | Web app | • [Sign in users](sample-web-app-dotnet-sign-in.md) | • [Sign in users](tutorial-web-app-dotnet-sign-in-prepare-tenant.md) | ### .NET (MAUI) These samples and how-to guides demonstrate how to write a daemon application th > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Single-page application | • [Sign in users](how-to-single-page-app-vanillajs-sample-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | +> | Single-page application | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | ### JavaScript, Angular > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Single-page application | • [Sign in users](how-to-single-page-application-angular-sample.md) | | +> | Single-page application | • [Sign in 
users](./sample-single-page-app-angular-sign-in.md) | | ### JavaScript, React > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Single-page application| • [Sign in users](how-to-single-page-application-react-sample.md) | • [Sign in users](how-to-single-page-application-react-prepare-tenant.md) | +> | Single-page application| • [Sign in users](./sample-single-page-app-react-sign-in.md) | • [Sign in users](./tutorial-single-page-app-react-sign-in-prepare-tenant.md) | ### JavaScript, Node > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Browserless | • [Sign in users](how-to-browserless-app-node-sample-sign-in.md) | • [Sign in users](how-to-browserless-app-node-sign-in-overview.md ) | -> | Daemon | • [Call an API](how-to-daemon-node-sample-call-api.md) | • [Call an API](how-to-daemon-node-call-api-overview.md) | +> | Browserless | • [Sign in users](./sample-browserless-app-node-sign-in.md) | • [Sign in users](how-to-browserless-app-node-sign-in-overview.md ) | +> | Daemon | • [Call an API](./sample-daemon-node-call-api.md) | • [Call an API](./tutorial-daemon-node-call-api-prepare-tenant.md) | ### JavaScript, Node.js (Express) These samples and how-to guides demonstrate how to write a daemon application th > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Web app |• [Sign in users](how-to-web-app-node-sample-sign-in.md)<br/> • [Sign in users and call an API](how-to-web-app-node-sample-sign-in-call-api.md) | • [Sign in users](tutorial-web-app-node-sign-in-prepare-tenant.md)<br/> • [Sign in users and call an API](how-to-web-app-node-sign-in-call-api-overview.md) | +> | Web app |• [Sign in users](./sample-web-app-node-sign-in.md)<br/> • [Sign in users and call an API](./sample-web-app-node-sign-in-call-api.md) | • [Sign in 
users](tutorial-web-app-node-sign-in-prepare-tenant.md)<br/> • [Sign in users and call an API](how-to-web-app-node-sign-in-call-api-overview.md) | ### JavaScript, Electron These samples and how-to guides demonstrate how to write a daemon application th > | - | -- | - | > | Desktop | • [Sign in users](how-to-desktop-app-electron-sample-sign-in.md) | | -+ |
active-directory | Tutorial Daemon Node Call Api Build App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-daemon-node-call-api-build-app.md | const todos = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken); At this point, you're ready to test your client daemon app and web API: -1. Use the steps you learned in [Secure an ASP.NET web API](how-to-protect-web-api-dotnet-core-overview.md) tutorial to start your web API. Your web API is now ready to serve client requests. If you don't run your web API on port `44351` as specified in the *authConfig.js* file, make sure you update the *authConfig.js* file to use the correct web API's port number. +1. Use the steps you learned in [Secure an ASP.NET web API](./tutorial-protect-web-api-dotnet-core-build-app.md) tutorial to start your web API. Your web API is now ready to serve client requests. If you don't run your web API on port `44351` as specified in the *authConfig.js* file, make sure you update the *authConfig.js* file to use the correct web API's port number. 1. In your terminal, make sure you're in the project folder that contains your daemon Node.js app such as `ciam-call-api-node-daemon`, then run the following command: If your daemon app and web API run successfully, you should find the data return ## Next steps -Learn how to [Use client certificate instead of a secret for authentication in your Node.js confidential app](how-to-web-app-node-use-certificate.md). +Learn how to [Use client certificate instead of a secret for authentication in your Node.js confidential app](how-to-web-app-node-use-certificate.md). |
active-directory | Tutorial Web App Dotnet Sign In Prepare App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-web-app-dotnet-sign-in-prepare-app.md | + + Title: Tutorial - Prepare an ASP.NET web app for authentication in a customer tenant +description: Learn how to prepare an ASP.NET web app for authentication with your Azure Active Directory (Azure AD) for customers tenant. +++++++++ Last updated : 05/23/2023+#Customer intent: As a dev, devops, I want to learn about how to enable authentication in my own ASP.NET web app with Azure Active Directory (Azure AD) for customers tenant. +++# Tutorial: Prepare an ASP.NET web app for authentication in a customer tenant ++In the [previous article](./tutorial-web-app-dotnet-sign-in-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (Azure AD) for customers tenant. ++In this tutorial you'll; ++> [!div class="checklist"] +> * Create an ASP.NET project in Visual Studio Code +> * Add the required NuGet packages +> * Configure the settings for the application +> * Add code to implement authentication ++## Prerequisites ++* Completion of the prerequisites and steps in [Prepare your customer tenant for building an ASP.NET web app](./tutorial-web-app-dotnet-sign-in-prepare-tenant.md). +* Although any integrated development environment (IDE) that supports ASP.NET applications can be used, this tutorial uses **Visual Studio Code**. You can download it [here](https://visualstudio.microsoft.com/downloads/). +* [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet). ++## Create an ASP.NET project ++1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project. +1. Open a new terminal by selecting **Terminal** > **New Terminal**. +1. Enter the following command to make a Model View Controller (MVC) ASP.NET project. 
++ ```powershell + dotnet new mvc -n aspnet_webapp + ``` ++## Install identity packages ++Identity related NuGet packages must be installed in the project to authenticate users. ++1. Enter the following commands to change into the *aspnet_webapp* folder and install the relevant NuGet package: ++ ```powershell + cd aspnet_webapp + dotnet add package Microsoft.Identity.Web.UI + ``` ++## Configure the application for authentication ++1. Open the *appsettings.json* file and replace the existing code with the following snippet. ++ ```json + { + "AzureAd": { + "Authority": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/", + "ClientId": "Enter_the_Application_Id_Here", + "ClientCredentials": [ + { + "SourceType": "ClientSecret", + "ClientSecret": "Enter_the_Client_Secret_Here" + } + ], + "CallbackPath": "/signin-oidc", + "SignedOutCallbackPath": "/signout-callback-oidc" + }, + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" + } + ``` ++ * `Authority` - The identity provider instance and sign-in audience for the app. Replace `Enter_the_Tenant_Subdomain_Here` with the sub-domain of your customer tenant. To find this, select **Overview** in the sidebar menu, then switch to the **Overview tab**. Find the **Primary domain**, in the form *caseyjensen.onmicrosoft.com*. The sub-domain is *caseyjensen*. + * `ClientId` - The identifier of the application, also referred to as the client. Replace the text in quotes with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application. + * `ClientSecret` - The value of the client secret you created in [Prepare your tenant](./tutorial-web-app-dotnet-sign-in-prepare-tenant.md). Replace the text in quotes with the client secret **value** in the Microsoft Entra admin center. + * `CallbackPath` - Is an identifier to help the server redirect a response to the appropriate application. + +1. 
Save changes to the file. +1. Open the *Properties/launchSettings.json* file. +1. In the `https` section of `profiles`, change the `https` URL in `applicationUrl` so that it reads `https://localhost:7274`. You used this URL to define the **Redirect URI**. +1. Save the changes to your file. ++## Add authorization to *HomeController.cs* ++The *HomeController.cs* file contains the code for the home page of the application and needs to have the capability to authorize the user. The `Microsoft.AspNetCore.Authorization` namespace provides the classes and interfaces to implement authorization to the web app, and the `[Authorize]` attribute is used to specify that only authenticated users can use the web app. ++1. In your code editor, open *Controllers\HomeController.cs* file. +1. Authorization needs to be added to the controller, add `Microsoft.AspNetCore.Authorization` so that the top of the file is identical to the following snippet: ++ ```cshtml + using System.Diagnostics; + using Microsoft.AspNetCore.Authorization; + using Microsoft.AspNetCore.Mvc; + using aspnet_webapp.Models; + ``` ++1. Additionally, add the `[Authorize]` attribute directly above the `HomeController` class definition. ++ ```csharp + [Authorize] + ``` ++## Add authentication and authorization to *Program.cs* ++The *Program.cs* needs to be modified to add authentication and authorization to the web app. This includes adding namespaces for authentication and authorization, and being able to sign in users with the Microsoft identity platform. ++1. To add the required namespaces, open *Program.cs* and add the following snippet to the top of the file: ++ ```csharp + using Microsoft.AspNetCore.Authentication.OpenIdConnect; + using Microsoft.AspNetCore.Authorization; + using Microsoft.AspNetCore.Mvc.Authorization; + using Microsoft.Identity.Web; + using Microsoft.Identity.Web.UI; + using System.IdentityModel.Tokens.Jwt; + ``` ++1. 
Next, add the authentication services to the application which will enable the web app to sign in users with the Microsoft identity platform. You can replace the rest of the code in *Program.cs* with the following snippet: ++ ```csharp + var builder = WebApplication.CreateBuilder(args); ++ // Add services to the container. + builder.Services.AddControllersWithViews(); ++ // This is required to be instantiated before the OpenIdConnectOptions starts getting configured. + // By default, the claims mapping will map claim names in the old format to accommodate older SAML applications. + // For instance, 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' instead of 'roles' claim. + // This flag ensures that the ClaimsIdentity claims collection will be built from the claims in the token + JwtSecurityTokenHandler.DefaultMapInboundClaims = false; ++ // Sign-in users with the Microsoft identity platform + builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) + .AddMicrosoftIdentityWebApp(builder.Configuration) + .EnableTokenAcquisitionToCallDownstreamApi() + .AddInMemoryTokenCaches(); ++ builder.Services.AddControllersWithViews(options => + { + var policy = new AuthorizationPolicyBuilder() + .RequireAuthenticatedUser() + .Build(); + options.Filters.Add(new AuthorizeFilter(policy)); + }).AddMicrosoftIdentityUI(); ++ var app = builder.Build(); ++ // Configure the HTTP request pipeline. + if (!app.Environment.IsDevelopment()) + { + app.UseExceptionHandler("/Home/Error"); + // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts. 
+ app.UseHsts(); + } ++ app.UseHttpsRedirection(); + app.UseStaticFiles(); ++ app.UseRouting(); + app.UseAuthorization(); ++ app.MapControllerRoute( + name: "default", + pattern: "{controller=Home}/{action=Index}/{id?}"); ++ app.Run(); ++ ``` ++## Next steps ++> [!div class="nextstepaction"] +> [Sign in and sign out](tutorial-web-app-dotnet-sign-in-sign-out.md) |
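Review bot: the `appsettings.json` snippet in this new file puts the client secret (`"ClientSecret": "Enter_the_Client_Secret_Here"`) in a file that is normally committed to source control; the step list should tell readers to keep the real value out of the repository, for example with `dotnet user-secrets set "AzureAd:ClientCredentials:0:ClientSecret" "<value>"` for local development and a Key Vault or environment-based configuration source in production, with `appsettings.json` keeping only the placeholder. In the Program.cs snippet, `builder.Services.AddControllersWithViews();` is registered twice (once bare near the top, once with the `AuthorizationPolicyBuilder` options and `.AddMicrosoftIdentityUI()`); drop the first call so the global `AuthorizeFilter` is the only registration and readers do not wonder which one wins. The chain `.EnableTokenAcquisitionToCallDownstreamApi().AddInMemoryTokenCaches()` is not needed by anything in this tutorial, which only signs users in; `.AddMicrosoftIdentityWebApp(builder.Configuration)` alone is enough here, and the token-acquisition calls belong in the "call an API" tutorials where a downstream API and scopes are configured. Finally, the pipeline calls `app.UseAuthorization()` without `app.UseAuthentication()`; this works because the prerequisites require the .NET 7.0 SDK, whose `WebApplication` inserts both middlewares automatically when authentication services are registered, but adding an explicit `app.UseAuthentication();` line before `app.UseAuthorization();` makes the required ordering visible to readers who port the snippet to an older host.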
active-directory | Tutorial Web App Dotnet Sign In Prepare Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-web-app-dotnet-sign-in-prepare-tenant.md | + + Title: Tutorial - Prepare your customer tenant to authenticate users in an ASP.NET web app +description: Learn how to configure your Azure Active Directory (Azure AD) for customers tenant for authentication with an ASP.NET web application +++++++++ Last updated : 05/23/2023+#Customer intent: As a dev, devops, I want to learn about how to enable authentication in my own ASP.NET web app with Azure Active Directory (Azure AD) for customers tenant +++# Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app ++This tutorial series demonstrates how to build an ASP.NET web application from scratch and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for .NET](/entra/msal/dotnet) and [Microsoft Identity Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) libraries to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences. ++In this tutorial, you'll; ++> [!div class="checklist"] +> * Register a web application in the Microsoft Entra admin center, and record its identifiers +> * Create a client secret for the web application +> * Define the platform and URLs +> * Grant permissions to the web application to access the Microsoft Graph API +> * Create a sign in and sign out user flow in the Microsoft Entra admin center +> * Associate your web application with the user flow ++## Prerequisites ++- An Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. ++- This Azure account must have permissions to manage applications. 
Any of the following Azure AD roles include the required permissions: + * Application administrator + * Application developer + * Cloud application administrator ++- An Azure AD for customers tenant. If you haven't already, [create one now](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl). You can use an existing customer tenant if you have one. ++## Register the web app and record identifiers +++## Add a platform redirect URL +++## Add app client secret +++## Grant API permissions +++## Create a user flow +++## Associate the web application with the user flow +++## Next steps ++> [!div class="nextstepaction"] +> [Prepare ASP.NET web app](tutorial-web-app-dotnet-sign-in-prepare-app.md) |
active-directory | Tutorial Web App Dotnet Sign In Sign Out | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-web-app-dotnet-sign-in-sign-out.md | + + Title: Tutorial - Add sign-in and sign-out to an ASP.NET web application for a customer tenant +description: Learn how to configure an ASP.NET web application to sign in and sign out users with your Azure Active Directory (Azure AD) for customers tenant. +++++++ Last updated : 05/23/2023+#Customer intent: As a dev, devops, I want to learn about how to enable authentication in my own ASP.NET web app with Azure Active Directory (Azure AD) for customers tenant. +++# Tutorial: Add sign-in and sign-out to an ASP.NET web application for a customer tenant ++In the [previous article](./tutorial-web-app-dotnet-sign-in-prepare-app.md), you created an ASP.NET project in Visual Studio Code and configured it for authentication. ++In this tutorial you'll: ++> [!div class="checklist"] +> * Add sign-in and sign-out experiences +> * Add code to view ID token claims +> * Sign-in and sign-out of the application using the user flow ++## Prerequisites ++- Completion of the prerequisites and steps in [Prepare an ASP.NET web app for authentication in a customer tenant](./tutorial-web-app-dotnet-sign-in-prepare-app.md). ++## Add the sign-in and sign out experience ++After installing the NuGet packages and adding necessary code for authentication, we need to add the sign-in and sign out experiences. The code reads the ID token claims to check that the user is authenticated and uses `User.Claims` to extract ID token claims. ++1. In your IDE, navigate to *Views/Shared*, and create a new file called *_LoginPartial.cshtml*. +1. Open *_LoginPartial.cshtml* and add the following code for adding the sign in and sign out experience. 
++ ```csharp + @using System.Security.Principal ++ <ul class="navbar-nav"> + @if (User.Identity is not null && User.Identity.IsAuthenticated) + { + <li class="nav-item"> + <span class="nav-link text-dark">Hello @User.Claims.First(c => c.Type == "preferred_username").Value!</span> + </li> + <li class="nav-item"> + <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignOut">Sign out</a> + </li> + } + else + { + <li class="nav-item"> + <a class="nav-link text-dark" asp-area="MicrosoftIdentity" asp-controller="Account" asp-action="SignIn">Sign in</a> + </li> + } + </ul> + ``` ++1. Next, add a reference to `_LoginPartial` in the *Layout.cshtml* file, which is located in the same folder. It's recommended to place this after the `navbar-collapse` class as shown in the following snippet: ++ ```html + <div class="navbar-collapse collapse d-sm-inline-flex flex-sm-row-reverse"> + <partial name="_LoginPartial" /> + </div> + ``` ++## View ID token claims ++The web app is now configured to sign in users with the Microsoft identity platform. The next step is to add code that allows us to view the ID token claims. The app will check that the user is authenticated using `User.Identity.IsAuthenticated`, and lists out the ID token claims by looping through each item in `User.Claims`, returning their `Type` and `Value`. ++1. Open *Views/Home/Index.cshtml* and replace the contents of the file with the following snippet: ++ ```csharp + @{ + ViewData["Title"] = "Home Page"; + } + + <style> + table { + border-collapse: collapse; + width: 100%; + } + th, td { + text-align: justify; + padding: 8px; + border-bottom: 1px solid #ddd; + border-top: 1px solid #ddd; + } + </style> + + <div class="text-center"> + <h1 class="display-4">Welcome</h1> + + @if (@User.Identity is not null && @User.Identity.IsAuthenticated) + { + <p>You are signed in! Below are the claims in your ID token. 
For more information, visit: <a href="https://learn.microsoft.com/azure/active-directory/develop/id-tokens">Microsoft identity platform ID tokens</a></p> + <table> + <tbody> + + @foreach (var item in @User.Claims) + { + <tr> + <td>@item.Type</td> + <td>@item.Value</td> + </tr> + } + </tbody> + </table> + } + + <br /> + <p>Learn about <a href="https://learn.microsoft.com/azure/active-directory/develop/v2-overview">building web apps with Microsoft identity platform</a>.</p> + </div> + ``` ++## Sign-in to the application ++1. Start the application by typing the following in the terminal to launch the `https` profile in the *launchSettings.json* file. ++ ```powershell + dotnet run --launch-profile https + ``` ++1. Open a new private browser, and enter the application URI into the browser, in this case `https://localhost:7274`. +1. To test the sign-up user flow you configured earlier, select **No account? Create one**. +1. In the **Create account** window, enter the email address registered to your customer tenant, which will start the sign-up flow as a user for your application. +1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed. + 1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**. +1. The ASP.NET Welcome page appears in your browser as depicted in the following screenshot: ++ :::image type="content" source="media/tutorial-web-app-dotnet-sign-in-sign-in-out/display-aspnet-welcome.png" alt-text="Screenshot of sign in into an ASP.NET web app."::: ++## Sign out of the application ++1. To sign out of the application, select **Sign out** in the navigation bar. +1. A window appears asking which account to sign out of. +1. Upon successful sign out, a final window appears advising you to close all browser windows. 
++## Next steps ++> [!div class="nextstepaction"] +> [Enable self-service password reset](./how-to-enable-password-reset-customers.md) |
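Review bot: In the `_LoginPartial.cshtml` snippet, `User.Claims.First(c => c.Type == "preferred_username").Value` throws an `InvalidOperationException` whenever the ID token carries no `preferred_username` claim, so a signed-in user without that claim gets a server error on every page that renders the navbar rather than a missing name. Prefer a null-safe lookup such as `User.FindFirst("preferred_username")?.Value ?? User.Identity.Name` so the partial degrades to a generic greeting. Also, the step that wires in the partial tells the reader to edit *Layout.cshtml*; the shared layout generated by the ASP.NET template is `Views/Shared/_Layout.cshtml` (leading underscore, matching the `_LoginPartial.cshtml` file created in the previous step), so the file name as written will not be found.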
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/whats-new-docs.md | Welcome to what's new in Azure Active Directory for customers documentation. Thi - [Tutorial: Register and configure .NET MAUI mobile app in a customer tenant](tutorial-mobile-app-maui-sign-in-prepare-tenant.md) - [Tutorial: Sign in users in .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-sign-out.md) - [Use role-based access control in your Node.js web application](how-to-web-app-role-based-access-control.md)-- [Tutorial: Handle authentication flows in a React single-page app](how-to-single-page-application-react-configure-authentication.md)+- [Tutorial: Handle authentication flows in a React single-page app](./tutorial-single-page-app-react-sign-in-configure-authentication.md) - [Tutorial: Create a .NET MAUI app](tutorial-desktop-app-maui-sign-in-prepare-app.md) - [Tutorial: Register and configure .NET MAUI app in a customer tenant](tutorial-desktop-app-maui-sign-in-prepare-tenant.md) - [Tutorial: Sign in users in .NET MAUI app](tutorial-desktop-app-maui-sign-in-sign-out.md) Welcome to what's new in Azure Active Directory for customers documentation. 
Thi - [What is Microsoft Entra External ID for customers?](overview-customers-ciam.md) - Added a section regarding Azure AD B2C to the overview and emphasized tenant creation when getting started - [Add user attributes to token claims](how-to-add-attributes-to-token.md) - Added attributes to token claims: fixed steps for updating the app manifest-- [Tutorial: Prepare a React single-page app (SPA) for authentication in a customer tenant](how-to-single-page-application-react-prepare-app.md) - JavaScript tutorial edits, code sample updates and fixed SPA aligning content styling-- [Tutorial: Add sign-in and sign-out to a React single-page app (SPA) for a customer tenant](how-to-single-page-application-react-sign-in-out.md) - JavaScript tutorial edits and fixed SPA aligning content styling+- [Tutorial: Prepare a React single-page app (SPA) for authentication in a customer tenant](./tutorial-single-page-app-react-sign-in-prepare-app.md) - JavaScript tutorial edits, code sample updates and fixed SPA aligning content styling +- [Tutorial: Add sign-in and sign-out to a React single-page app (SPA) for a customer tenant](./tutorial-single-page-app-react-sign-in-sign-out.md) - JavaScript tutorial edits and fixed SPA aligning content styling - [Tutorial: Handle authentication flows in a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-configure-authentication.md) - Fixed SPA aligning content styling - [Tutorial: Prepare a vanilla JavaScript single-page app for authentication in a customer tenant](how-to-single-page-app-vanillajs-prepare-app.md) - Fixed SPA aligning content styling - [Tutorial: Prepare your customer tenant to authenticate a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-prepare-tenant.md) - Fixed SPA aligning content styling - [Tutorial: Add sign-in and sign-out to a vanilla JavaScript single-page app for a customer tenant](how-to-single-page-app-vanillajs-sign-in-sign-out.md) - Fixed SPA aligning content styling-- 
[Tutorial: Prepare your customer tenant to authenticate users in a React single-page app (SPA)](how-to-single-page-application-react-prepare-tenant.md) - Fixed SPA aligning content styling-- [Tutorial: Prepare an ASP.NET web app for authentication in a customer tenant](how-to-web-app-dotnet-sign-in-prepare-app.md) - ASP.NET web app fixes-- [Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app](how-to-web-app-dotnet-sign-in-prepare-tenant.md) - ASP.NET web app fixes-- [Tutorial: Add sign-in and sign-out to an ASP.NET web application for a customer tenant](how-to-web-app-dotnet-sign-in-sign-out.md) - ASP.NET web app fixes+- [Tutorial: Prepare your customer tenant to authenticate users in a React single-page app (SPA)](tutorial-single-page-app-react-sign-in-prepare-tenant.md) - Fixed SPA aligning content styling +- [Tutorial: Prepare an ASP.NET web app for authentication in a customer tenant](tutorial-web-app-dotnet-sign-in-prepare-app.md) - ASP.NET web app fixes +- [Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app](tutorial-web-app-dotnet-sign-in-prepare-tenant.md) - ASP.NET web app fixes +- [Tutorial: Add sign-in and sign-out to an ASP.NET web application for a customer tenant](tutorial-web-app-dotnet-sign-in-sign-out.md) - ASP.NET web app fixes - [Collect user attributes during sign-up](how-to-define-custom-attributes.md) - Added a step for the Show more attributes pane and custom attributes - [Manage Azure Active Directory for customers resources with Microsoft Graph](microsoft-graph-operations.md) - Combined Graph API references into one doc |
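Review bot: The rewritten entries in this list mix link styles: the React SPA entries now carry an explicit `./` prefix (`./tutorial-single-page-app-react-sign-in-configure-authentication.md`, `./tutorial-single-page-app-react-sign-in-prepare-app.md`) while the neighbouring ASP.NET and MAUI entries keep bare relative paths (`tutorial-web-app-dotnet-sign-in-prepare-app.md`). Both forms resolve, but use one form for the whole list so the next rename can be done with a single search-and-replace.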
active-directory | Direct Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/direct-federation.md | Next, your partner organization needs to configure their IdP with the required c ### SAML 2.0 configuration -Azure AD B2B can be configured to federate with IdPs that use the SAML protocol with specific requirements listed in this section. For more information about setting up a trust between your SAML IdP and Azure AD, see [Use a SAML 2.0 Identity Provider (IdP) for SSO](../hybrid/how-to-connect-fed-saml-idp.md). +Azure AD B2B can be configured to federate with IdPs that use the SAML protocol with specific requirements listed in this section. For more information about setting up a trust between your SAML IdP and Azure AD, see [Use a SAML 2.0 Identity Provider (IdP) for SSO](../hybrid/connect/how-to-connect-fed-saml-idp.md). > [!NOTE] > The target domain for SAML/WS-Fed IdP federation must not be DNS-verified in Azure AD. See the [Frequently asked questions](#frequently-asked-questions) section for details. |
active-directory | External Collaboration Settings Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-collaboration-settings-configure.md | For B2B collaboration with other Azure AD organizations, you should also review - **No**: Users can't leave your organization themselves. They'll see a message guiding them to contact your admin or privacy contact to request removal from your organization. > [!IMPORTANT]- > You can configure **External user leave settings** only if you have [added your privacy information](../fundamentals/active-directory-properties-area.md) to your Azure AD tenant. Otherwise, this setting will be unavailable. + > You can configure **External user leave settings** only if you have [added your privacy information](../fundamentals/properties-area.md) to your Azure AD tenant. Otherwise, this setting will be unavailable. ![Screenshot showing External user leave settings in the portal.](media/external-collaboration-settings-configure/external-user-leave-settings.png) |
active-directory | External Identities Pricing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-identities-pricing.md | If no subscriptions are available in the **Link a subscription** pane, here are - You don't have the appropriate permissions. Be sure to sign in with an Azure account that's been assigned at least the Contributor role within the subscription or a resource group within the subscription. -- A subscription exists, but it hasn't been associated with your directory yet. You can [associate an existing subscription to your tenant](../fundamentals/active-directory-how-subscriptions-associated-directory.md) and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription).+- A subscription exists, but it hasn't been associated with your directory yet. You can [associate an existing subscription to your tenant](../fundamentals/how-subscriptions-associated-directory.md) and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription). - No subscription exists. In the **Link a subscription** pane, you can create a subscription by selecting the link **if you don't already have a subscription you may create one here**. After you create a new subscription, you'll need to [create a resource group](../../azure-resource-manager/management/manage-resource-groups-portal.md) in the new subscription, and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription). ## Next steps -For the latest pricing information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). +For the latest pricing information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). |
active-directory | Google Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/google-federation.md | The following are known scenarios that will impact Gmail users: - Windows apps that use the [WebView](/windows/communitytoolkit/controls/wpf-winforms/webview) control, [WebView2](/microsoft-edge/webview2/), or the older WebBrowser control, for authentication. These apps should migrate to using the Web Account Manager (WAM) flow. - Android applications using the WebView UI element - iOS applications using UIWebView/WKWebview -- [Apps using ADAL](../develop/howto-get-list-of-all-active-directory-auth-library-apps.md)+- [Apps using ADAL](../develop/howto-get-list-of-all-auth-library-apps.md) This change does not affect: - Web apps |
active-directory | Hybrid On Premises To Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/hybrid-on-premises-to-cloud.md | -If you create accounts for your external partners in your on-premises directory (for example, you create an account with a sign-in name of "msullivan" for an external user named Maria Sullivan in your partners.contoso.com domain), you can now sync these accounts to the cloud. Specifically, you can use [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) to sync the partner accounts to the cloud, which creates a user account with UserType = Guest. This enables your partner users to access cloud resources using the same credentials as their local accounts, without giving them more access than they need. +If you create accounts for your external partners in your on-premises directory (for example, you create an account with a sign-in name of "msullivan" for an external user named Maria Sullivan in your partners.contoso.com domain), you can now sync these accounts to the cloud. Specifically, you can use [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) to sync the partner accounts to the cloud, which creates a user account with UserType = Guest. This enables your partner users to access cloud resources using the same credentials as their local accounts, without giving them more access than they need. > [!NOTE] > See also how to [invite internal users to B2B collaboration](invite-internal-users.md). With this feature, you can invite internal guest users to use B2B collaboration, regardless of whether you've synced their accounts from your on-premises directory to the cloud. Once the user accepts the invitation to use B2B collaboration, they'll be able to use their own identities and credentials to sign in to the resources you want them to access. You wonΓÇÖt need to maintain passwords or manage account lifecycles. 
Two common approaches for this are to: - Designate an unused on-premises Active Directory attribute (for example, extensionAttribute1) to use as the source attribute. - Alternatively, derive the value for UserType attribute from other properties. For example, you want to synchronize all users as Guest if their on-premises Active Directory UserPrincipalName attribute ends with the domain *\@partners.contoso.com*. -For detailed attribute requirements, see [Enable synchronization of UserType](../hybrid/how-to-connect-sync-change-the-configuration.md#enable-synchronization-of-usertype). +For detailed attribute requirements, see [Enable synchronization of UserType](../hybrid/connect/how-to-connect-sync-change-the-configuration.md#enable-synchronization-of-usertype). ## Configure Azure AD Connect to sync users to the cloud After you identify the unique attribute, you can configure Azure AD Connect to sync these users to the cloud, which creates a user account with UserType = Guest. From an authorization point of view, these users are indistinguishable from B2B users created through the Azure AD B2B collaboration invitation process. -For implementation instructions, see [Enable synchronization of UserType](../hybrid/how-to-connect-sync-change-the-configuration.md#enable-synchronization-of-usertype). +For implementation instructions, see [Enable synchronization of UserType](../hybrid/connect/how-to-connect-sync-change-the-configuration.md#enable-synchronization-of-usertype). ## Next steps - [Azure Active Directory B2B collaboration for hybrid organizations](hybrid-organizations.md) - [Grant B2B users in Azure AD access to your on-premises applications](hybrid-cloud-to-on-premises.md) - For an overview of Azure AD Connect, see [Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md).- |
active-directory | Invitation Email Elements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/invitation-email-elements.md | The next section of the email contains information about where the invitee will ### Footer section -The footer contains more information about the invitation being sent. There's always an option for the invitee to block future invitations. If the organization has [set a privacy statement](../fundamentals/active-directory-properties-area.md), the link to the statement is displayed here. Otherwise, a note indicates the organization hasn't set a privacy statement. +The footer contains more information about the invitation being sent. There's always an option for the invitee to block future invitations. If the organization has [set a privacy statement](../fundamentals/properties-area.md), the link to the statement is displayed here. Otherwise, a note indicates the organization hasn't set a privacy statement. ![Image of the footer section in the email](media/invitation-email-elements/footer-section.png) |
active-directory | Invite Internal Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/invite-internal-users.md | Sending an invitation to an existing internal account lets you retain that user - **On-premises synced users**: For user accounts that are synced between on-premises and the cloud, the on-premises directory remains the source of authority after theyΓÇÖre invited to use B2B collaboration. Any changes you make to the on-premises account will sync to the cloud account, including disabling or deleting the account. Therefore, you canΓÇÖt prevent the user from signing into their on-premises account while retaining their cloud account by simply deleting the on-premises account. Instead, you can set the on-premises account password to a random GUID or other unknown value. > [!NOTE]-> In Azure AD Connect sync, thereΓÇÖs a default rule that writes the onPremisesUserPrincipalName attribute to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. If youΓÇÖre using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isnΓÇÖt written to the user object. +> In Azure AD Connect sync, thereΓÇÖs a default rule that writes the onPremisesUserPrincipalName attribute to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. 
If youΓÇÖre using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/connect/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isnΓÇÖt written to the user object. ## How to invite internal users to B2B collaboration You can use the Azure portal, PowerShell, or the invitation API to send a B2B invitation to the internal user. Some things to note: |
active-directory | Leave The Organization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/leave-the-organization.md | In these cases, you can select **Leave**, but then you'll see a message saying y Administrators can use the **External user leave settings** to control whether external users can remove themselves from their organization. If you disallow the ability for external users to remove themselves from your organization, external users will need to contact your admin, or privacy contact to be removed. > [!IMPORTANT]-> You can configure **External user leave settings** only if you have [added your privacy information](../fundamentals/active-directory-properties-area.md) to your Azure AD tenant. Otherwise, this setting will be unavailable. We recommend adding your privacy information to allow external users to review your policies and email your privacy contact when necessary. +> You can configure **External user leave settings** only if you have [added your privacy information](../fundamentals/properties-area.md) to your Azure AD tenant. Otherwise, this setting will be unavailable. We recommend adding your privacy information to allow external users to review your policies and email your privacy contact when necessary. 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account and open the Azure Active Directory service. |
active-directory | Redemption Experience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/redemption-experience.md | When a user selects the **Accept invitation** link in an [invitation email](invi :::image type="content" source="media/redemption-experience/invitation-redemption.png" alt-text="Screenshot showing the redemption flow diagram."::: -1. Azure AD performs user-based discovery to determine if the user already exists in a managed Azure AD tenant. (Unmanaged Azure AD accounts can no longer be used for the redemption flow.) If the userΓÇÖs User Principal Name ([UPN](../hybrid/plan-connect-userprincipalname.md#what-is-userprincipalname)) matches both an existing Azure AD account and a personal MSA, the user is prompted to choose which account they want to redeem with. +1. Azure AD performs user-based discovery to determine if the user already exists in a managed Azure AD tenant. (Unmanaged Azure AD accounts can no longer be used for the redemption flow.) If the userΓÇÖs User Principal Name ([UPN](../hybrid/connect/plan-connect-userprincipalname.md#what-is-userprincipalname)) matches both an existing Azure AD account and a personal MSA, the user is prompted to choose which account they want to redeem with. 2. If an admin has enabled [SAML/WS-Fed IdP federation](direct-federation.md), Azure AD checks if the userΓÇÖs domain suffix matches the domain of a configured SAML/WS-Fed identity provider and redirects the user to the pre-configured identity provider. 
When a guest signs in to a resource in a partner organization for the first time :::image type="content" source="media/redemption-experience/new-review-permissions.png" alt-text="Screenshot showing the Review permissions page."::: > [!NOTE]- > For information about how you as a tenant administrator can link to your organization's privacy statement, see [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/active-directory-properties-area.md). + > For information about how you as a tenant administrator can link to your organization's privacy statement, see [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/properties-area.md). 2. If terms of use are configured, the guest opens and reviews the terms of use, and then selects **Accept**. |
active-directory | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/troubleshoot.md | You might see this message: "This invitation is blocked by cross-tenant access s ## Next steps -- [Get support for B2B collaboration](../fundamentals/active-directory-troubleshooting-support-howto.md)+- [Get support for B2B collaboration](../fundamentals/how-to-get-support.md) - [Use audit logs and access reviews](auditing-and-reporting.md) |
active-directory | Use Dynamic Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/use-dynamic-groups.md | -A dynamic group is a dynamic configuration of security group membership for Azure Active Directory (Azure AD) available in the [Azure portal](https://portal.azure.com). Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as [userType](user-properties.md), department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and to assign licenses to members. Learn more about [dedicated groups in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md). +A dynamic group is a dynamic configuration of security group membership for Azure Active Directory (Azure AD) available in the [Azure portal](https://portal.azure.com). Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as [userType](user-properties.md), department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and to assign licenses to members. Learn more about [dedicated groups in Azure Active Directory](../fundamentals/how-to-manage-groups.md). ## Prerequisites [Azure AD Premium P1 or P2 licensing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) is required to create and use dynamic groups. Learn more in [Create attribute-based rules for dynamic group membership in Azure Active Directory](../enterprise-users/groups-dynamic-membership.md). |
active-directory | Add Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md | Before you can add a custom domain name, create your domain name with a domain r After you get your domain name, you can create your first Azure AD directory. Sign in to the [Azure portal](https://portal.azure.com) for your directory, using an account with the **Owner** role for the subscription. -Create your new directory by following the steps in [Create a new tenant for your organization](active-directory-access-create-new-tenant.md#create-a-new-tenant-for-your-organization). +Create your new directory by following the steps in [Create a new tenant for your organization](./create-new-tenant.md#create-a-new-tenant-for-your-organization). >[!IMPORTANT] >The person who creates the tenant is automatically the Global administrator for that tenant. The Global administrator can add additional administrators to the tenant. For more information about subscription roles, see [Azure roles](../../role-base >[!TIP] > If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select **I plan to configure this domain for single sign-on with my local Active Directory** when you run the Azure AD Connect tool to synchronize your directories. >-> You also need to register the same domain name you select for federating with your on-premises directory in the **Azure AD Domain** step in the wizard. To see what that setup looks like, see [Verify the Azure AD domain selected for federation](../hybrid/how-to-connect-install-custom.md#verify-the-azure-ad-domain-selected-for-federation). If you don't have the Azure AD Connect tool, you can [download it here](https://go.microsoft.com/fwlink/?LinkId=615771). +> You also need to register the same domain name you select for federating with your on-premises directory in the **Azure AD Domain** step in the wizard. 
To see what that setup looks like, see [Verify the Azure AD domain selected for federation](../hybrid/connect/how-to-connect-install-custom.md#verify-the-azure-ad-domain-selected-for-federation). If you don't have the Azure AD Connect tool, you can [download it here](https://go.microsoft.com/fwlink/?LinkId=615771). ## Add your custom domain name to Azure AD If Azure AD can't verify a custom domain name, try the following suggestions: ## Next steps -- Add another Global administrator to your directory. For more information, see [How to assign roles and administrators](active-directory-users-assign-role-azure-portal.md).+- Add another Global administrator to your directory. For more information, see [How to assign roles and administrators](./how-subscriptions-associated-directory.md). -- Add users to your domain. For more information, see [How to add or delete users](add-users-azure-active-directory.md).+- Add users to your domain. For more information, see [How to add or delete users](./add-users.md). - Manage your domain name information in Azure AD. For more information, see [Managing custom domain names](../enterprise-users/domains-manage.md). |
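Review bot: In the Next steps hunk, the link text "How to assign roles and administrators" is re-pointed at `./how-subscriptions-associated-directory.md`, which elsewhere in this change set is the target for "associate an existing subscription to your tenant" (see the external-identities-pricing.md entry above). The retired path `active-directory-users-assign-role-azure-portal.md` was the role-assignment article, so this reads as a wrong redirect target rather than a rename; point the bullet at the article that replaced the role-assignment page, or remove the bullet if that page no longer exists.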
active-directory | Add Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users.md | You can create a new user for your organization or invite an external user from - **Settings:** Optional. Toggle the option to block sign-in for the user or set the user's default location. - - **Job info**: Optional. Add the user's job title, department, company name, and manager. These details can be updated at any time. For more information about adding other user info, see [How to manage user profile information](active-directory-users-profile-azure-portal.md). + - **Job info**: Optional. Add the user's job title, department, company name, and manager. These details can be updated at any time. For more information about adding other user info, see [How to manage user profile information](./how-to-manage-user-profile-info.md). 1. Copy the autogenerated password provided in the **Password** box. You need to give this password to the user to sign in for the first time. The user is created and added to your Azure AD organization. You can also invite new guest user to collaborate with your organization by selecting **Invite user** from the **New user** page. If your organization's external collaboration settings are configured to allow guests, the user will be emailed an invitation they must accept in order to begin collaborating. For more information about inviting B2B collaboration users, see [Invite B2B users to Azure Active Directory](../external-identities/add-users-administrator.md). -The process for inviting a guest is the same as [adding a new user](add-users-azure-active-directory.md#add-a-new-user), with two exceptions. The email address won't follow the same domain rules as users from your organization. You can also include a personal message. +The process for inviting a guest is the same as [adding a new user](./add-users.md#add-a-new-user), with two exceptions. 
The email address won't follow the same domain rules as users from your organization. You can also include a personal message. ## Add other users To delete a user, follow these steps: ![Screenshot of the All users page with a user selected and the Delete button highlighted.](media/add-users-azure-active-directory/delete-existing-user.png) -The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](active-directory-users-restore.md). +The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](./users-restore.md). When a user is deleted, any licenses consumed by the user are made available for other users. When a user is deleted, any licenses consumed by the user are made available for After you've added your users, you can do the following basic processes: -- [Add or change profile information](active-directory-users-profile-azure-portal.md)+- [Add or change profile information](./how-to-manage-user-profile-info.md) -- [Assign roles to users](active-directory-users-assign-role-azure-portal.md)+- [Assign roles to users](./how-subscriptions-associated-directory.md) -- [Create a basic group and add members](active-directory-groups-create-azure-portal.md)+- [Create a basic group and add members](./how-to-manage-groups.md) - [Work with dynamic groups and users](../enterprise-users/groups-create-rule.md) |
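Review bot: In the closing list, `[Assign roles to users](./how-subscriptions-associated-directory.md)` sends the reader to the subscription-association article (the same file this change set uses for "associate an existing subscription to your tenant" in external-identities-pricing.md), while the original target `active-directory-users-assign-role-azure-portal.md` was about role assignment. The other two replacements in the same list (`./how-to-manage-user-profile-info.md`, `./how-to-manage-groups.md`) match their link text, so only this one needs a different target.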
active-directory | Compare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/compare.md | Most IT administrators are familiar with Active Directory Domain Services concep |Concept|Active Directory (AD)|Azure Active Directory | |:-|:-|:-| |**Users**|||-|Provisioning: users | Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager, to integrate with an HR system.|Existing AD organizations use [Azure AD Connect](../hybrid/how-to-connect-sync-whatis.md) to sync identities to the cloud.</br> Azure AD adds support to automatically create users from [cloud HR systems](../app-provisioning/what-is-hr-driven-provisioning.md). </br>Azure AD can provision identities in [SCIM enabled](../app-provisioning/use-scim-to-provision-users-and-groups.md) SaaS apps to automatically provide apps with the necessary details to allow access for users. | +|Provisioning: users | Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager, to integrate with an HR system.|Existing AD organizations use [Azure AD Connect](../hybrid/connect/how-to-connect-sync-whatis.md) to sync identities to the cloud.</br> Azure AD adds support to automatically create users from [cloud HR systems](../app-provisioning/what-is-hr-driven-provisioning.md). </br>Azure AD can provision identities in [SCIM enabled](../app-provisioning/use-scim-to-provision-users-and-groups.md) SaaS apps to automatically provide apps with the necessary details to allow access for users. | |Provisioning: external identities| Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users)| Azure AD provides a special class of identity to support external identities. 
[Azure AD B2B](/azure/active-directory/b2b/) will manage the link to the external user identity to make sure they are valid. |-| Entitlement management and groups| Administrators make users members of groups. App and resource owners then give groups access to apps or resources.| [Groups](./active-directory-groups-create-azure-portal.md) are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group. </br> Administrators can use [Entitlement management](../governance/entitlement-management-overview.md) in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria. | -| Admin management|Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.| Azure AD provides [built-in roles](./active-directory-users-assign-role-azure-portal.md) with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for [creating custom roles](../roles/custom-overview.md) to delegate privileged access to the identity system, the apps, and resources it controls.</br>Managing roles can be enhanced with [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. | +| Entitlement management and groups| Administrators make users members of groups. App and resource owners then give groups access to apps or resources.| [Groups](./how-to-manage-groups.md) are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group. 
</br> Administrators can use [Entitlement management](../governance/entitlement-management-overview.md) in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria. | +| Admin management|Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.| Azure AD provides [built-in roles](./how-subscriptions-associated-directory.md) with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for [creating custom roles](../roles/custom-overview.md) to delegate privileged access to the identity system, the apps, and resources it controls.</br>Managing roles can be enhanced with [Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. | | Credential management| Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](../authentication/concept-password-ban-bad.md) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](../authentication/concept-mfa-howitworks.md) and [passwordless](../authentication/concept-authentication-passwordless.md) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](../authentication/concept-sspr-howitworks.md) system. 
| | **Apps**||| | Infrastructure apps|Active Directory forms the basis for many infrastructure on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access|In a new cloud world, Azure AD, is the new control plane for accessing apps versus relying on networking controls. When users authenticate, [Conditional Access](../conditional-access/overview.md) controls which users have access to which apps under required conditions.| Most IT administrators are familiar with Active Directory Domain Services concep ## Next steps -- [What is Azure Active Directory?](./active-directory-whatis.md)+- [What is Azure Active Directory?](./whatis.md) - [Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services](../../active-directory-domain-services/compare-identity-solutions.md) - [Frequently asked questions about Azure Active Directory](./active-directory-faq.yml) - [What's new in Azure Active Directory?](./whats-new.md) |
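Review bot: in the Admin management row, the "+" line replaces ./active-directory-users-assign-role-azure-portal.md with ./how-subscriptions-associated-directory.md as the target for "built-in roles"; that page covers subscription-to-directory association rather than Azure AD RBAC roles, so link text and destination no longer agree. Suggest pointing it at the role-assignment article, or at ../roles/permissions-reference.md, which this same set of changes already uses for built-in roles elsewhere.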
active-directory | Concept Learn About Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-learn-about-groups.md | There are two group types and three group membership types. Review the options t **Security:** Used to manage user and computer access to shared resources. -For example, you can create a security group so that all group members have the same set of security permissions. Members of a security group can include users, devices, other groups, and [service principals](../fundamentals/service-accounts-principal.md), which define access policy and permissions. Owners of a security group can include users and service principals. +For example, you can create a security group so that all group members have the same set of security permissions. Members of a security group can include users, devices, other groups, and [service principals](../architecture/service-accounts-principal.md), which define access policy and permissions. Owners of a security group can include users and service principals. **Microsoft 365:** Provides collaboration opportunities by giving group members access to a shared mailbox, calendar, files, SharePoint sites, and more. 
After a user requests to join a group, the request is forwarded to the group own - [Create and manage Azure AD groups and group membership](how-to-manage-groups.md) -- [Learn about group-based licensing in Azure AD](active-directory-licensing-whatis-azure-portal.md)+- [Learn about group-based licensing in Azure AD](./licensing-whatis-azure-portal.md) - [Manage access to SaaS apps using groups](../enterprise-users/groups-saasapps.md) - [Manage dynamic rules for users in a group](../enterprise-users/groups-create-rule.md) -- [Learn about Privileged Identity Management for Azure AD roles](../../active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)+- [Learn about Privileged Identity Management for Azure AD roles](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) |
active-directory | Concept Secure Remote Workers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-secure-remote-workers.md | The guidance helps: ## Prerequisites -This guide assumes that your cloud only or hybrid identities have been established in Azure AD already. For help with choosing your identity type see the article, [Choose the right authentication method for your Azure Active Directory hybrid identity solution](../hybrid/choose-ad-authn.md) +This guide assumes that your cloud only or hybrid identities have been established in Azure AD already. For help with choosing your identity type see the article, [Choose the right authentication method for your Azure Active Directory hybrid identity solution](../hybrid/connect/choose-ad-authn.md) ### Guided walkthrough There are many recommendations that Azure AD Free, Office 365, or Microsoft 365 | Recommended action | Detail | | | | | [Enable Security Defaults](security-defaults.md) | Protect all user identities and applications by enabling MFA and blocking legacy authentication |-| [Enable Password Hash Sync](../hybrid/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | +| [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | | [Enable ADFS smart lock out](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection) (If applicable) | Protects your users from experiencing extranet account lockout from malicious activity. 
| | [Enable Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md) (if using managed identities) | Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in. | | [Disable end-user consent to applications](../manage-apps/configure-user-consent.md) | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk. | The following table is intended to highlight the key actions for the following l | [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application | | [Implement Password Writeback](../authentication/tutorial-enable-sspr-writeback.md) (if using hybrid identities) | Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment. 
| | Create and enable Conditional Access policies | [MFA for admins to protect accounts that are assigned administrative rights.](../conditional-access/howto-conditional-access-policy-admin-mfa.md) <br><br> [Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols.](../conditional-access/howto-conditional-access-policy-block-legacy.md) <br><br> [MFA for all users and applications to create a balanced MFA policy for your environment, securing your users and applications.](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) <br><br> [Require MFA for Azure Management to protect your privileged resources by requiring multi-factor authentication for any user accessing Azure resources.](../conditional-access/howto-conditional-access-policy-azure-management.md) |-| [Enable Password Hash Sync](../hybrid/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | +| [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | | [Enable ADFS smart lock out](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection) (If applicable) | Protects your users from experiencing extranet account lockout from malicious activity. | | [Enable Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md) (if using managed identities) | Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in. 
| | [Disable end-user consent to applications](../manage-apps/configure-user-consent.md) | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk. | The following table is intended to highlight the key actions for the following l | [Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks](../manage-apps/secure-hybrid-access.md) (if applicable). | Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Azure AD with your existing application delivery controller or network. | | [Integrate supported SaaS applications from the gallery to Azure AD and enable Single sign on](../manage-apps/add-application-portal.md) | Azure AD has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO). | | [Automate user provisioning and deprovisioning from SaaS Applications](../app-provisioning/user-provisioning.md) (if applicable) | Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security. |-| [Enable Conditional Access ΓÇô Device based](../conditional-access/require-managed-devices.md) | Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. 
Managed devices can be Intune compliant or Hybrid Azure AD joined devices. | +| [Enable Conditional Access ΓÇô Device based](../conditional-access/concept-conditional-access-grant.md) | Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Hybrid Azure AD joined devices. | | [Enable Password Protection](../authentication/howto-password-ban-bad-on-premises-deploy.md) | Protect users from using weak and easy to guess passwords. | | [Use least privileged roles where possible](../roles/permissions-reference.md) | Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be Global Administrators. | | [Enable Microsoft's password guidance](https://www.microsoft.com/research/publication/password-guidance/) | Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure. | The following table is intended to highlight the key actions for the following l | [Enable Identity Protection policies to enforce MFA registration](../identity-protection/howto-identity-protection-configure-mfa-policy.md) | Manage the roll-out of Azure AD Multi-Factor Authentication (MFA). | | [Enable Identity Protection user and sign-in risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md) | Enable Identity Protection User and Sign-in policies. The recommended sign-in policy is to target medium risk sign-ins and require MFA. For User policies, you should target high risk users requiring the password change action. 
| | Create and enable Conditional Access policies | [MFA for admins to protect accounts that are assigned administrative rights.](../conditional-access/howto-conditional-access-policy-admin-mfa.md) <br><br> [Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols.](../conditional-access/howto-conditional-access-policy-block-legacy.md) <br><br> [Require MFA for Azure Management to protect your privileged resources by requiring multi-factor authentication for any user accessing Azure resources.](../conditional-access/howto-conditional-access-policy-azure-management.md) |-| [Enable Password Hash Sync](../hybrid/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | +| [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) | | [Enable ADFS smart lock out](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection) (If applicable) | Protects your users from experiencing extranet account lockout from malicious activity. | | [Enable Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md) (if using managed identities) | Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in. | | [Disable end-user consent to applications](../manage-apps/configure-user-consent.md) | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. 
Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk. | The following table is intended to highlight the key actions for the following l | [Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks](../manage-apps/secure-hybrid-access.md) (if applicable). | Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Azure AD with your existing application delivery controller or network. | | [Integrate supported SaaS applications from the gallery to Azure AD and enable Single sign on](../manage-apps/add-application-portal.md) | Azure AD has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO). | | [Automate user provisioning and deprovisioning from SaaS Applications](../app-provisioning/user-provisioning.md) (if applicable) | Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security. |-| [Enable Conditional Access ΓÇô Device based](../conditional-access/require-managed-devices.md) | Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Hybrid Azure AD joined devices. 
| +| [Enable Conditional Access ΓÇô Device based](../conditional-access/concept-conditional-access-grant.md) | Improve security and user experiences with device-based Conditional Access. This step ensures users can only access from devices that meet your standards for security and compliance. These devices are also known as managed devices. Managed devices can be Intune compliant or Hybrid Azure AD joined devices. | | [Enable Password Protection](../authentication/howto-password-ban-bad-on-premises-deploy.md) | Protect users from using weak and easy to guess passwords. | | [Use least privileged roles where possible](../roles/permissions-reference.md) | Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be Global Administrators. | | [Enable Microsoft's password guidance](https://www.microsoft.com/research/publication/password-guidance/) | Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure. | The following table is intended to highlight the key actions for the following l | [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods | | [Create a plan for guest user access](../external-identities/what-is-b2b.md) | Collaborate with guest users by letting them sign into your apps and services with their own work, school, or social identities. 
| | [Enable Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval |-| [Complete an access review for Azure AD directory roles in PIM](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md) | Work with your security and leadership teams to create an access review policy to review administrative access based on your organization's policies. | +| [Complete an access review for Azure AD directory roles in PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) | Work with your security and leadership teams to create an access review policy to review administrative access based on your organization's policies. | [!INCLUDE [active-directory-zero-trust](../../../includes/active-directory-zero-trust.md)] ## Next steps -- For detailed deployment guidance for individual features of Azure AD, review the [Azure AD project deployment plans](deployment-plans.md).+- For detailed deployment guidance for individual features of Azure AD, review the [Azure AD project deployment plans](../architecture/deployment-plans.md). - Organizations can use [identity secure score](identity-secure-score.md) to track their progress against other Microsoft recommendations. |
active-directory | Create New Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/create-new-tenant.md | If you're not going to continue to use this application, you can delete the tena - Change or add other domain names, see [How to add a custom domain name to Azure Active Directory](add-custom-domain.md) -- Add users, see [Add or delete a new user](add-users-azure-active-directory.md)+- Add users, see [Add or delete a new user](./add-users.md) -- Add groups and members, see [Create a basic group and add members](active-directory-groups-create-azure-portal.md)+- Add groups and members, see [Create a basic group and add members](./how-to-manage-groups.md) - Learn about [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) and [Conditional Access](../conditional-access/overview.md) to help manage your organization's application and resource access. -- Learn about Azure AD, including [basic licensing information, terminology, and associated features](active-directory-whatis.md).+- Learn about Azure AD, including [basic licensing information, terminology, and associated features](./whatis.md). |
active-directory | Data Protection Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-protection-considerations.md | For more information about Secret encryption at rest, see the following table. ||| |Password hash sync</br>Cloud account passwords|Hash: Password Key Derivation Function 2 (PBKDF2), using HMAC-SHA256 @ 1000 iterations | |Directory in transit between data centers|AES-256-CTS-HMAC-SHA1-96</br>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |-|Pass-through authentication user credential flow|RSA 2048-Public/Private key pair </br> Learn more: [Azure Active Directory Pass-through Authentication security deep dive](../hybrid/how-to-connect-pta-security-deep-dive.md)| +|Pass-through authentication user credential flow|RSA 2048-Public/Private key pair </br> Learn more: [Azure Active Directory Pass-through Authentication security deep dive](../hybrid/connect/how-to-connect-pta-security-deep-dive.md)| |Self-service password reset password writeback with Azure AD Connect: Cloud to on-premises communication |RSA 2048 Private/Public key pair</br>AES_GCM (256-bits key, 96-bits IV size)| |Self-service password reset: Answers to security questions|SHA256| |SSL certificates for Azure AD application</br>Proxy published applications |AES-GCM 256-bit | |Disk-level encryption|XTS-AES 128|-|[Seamless single sign-on (SSO)](../../active-directory/hybrid/how-to-connect-sso-how-it-works.md) service account password</br>SaaS application provisioning credentials|AES-CBC 128-bit | +|[Seamless single sign-on (SSO)](../hybrid/connect/how-to-connect-sso-how-it-works.md) service account password</br>SaaS application provisioning credentials|AES-CBC 128-bit | |Azure AD Managed Identities|AES-GCM 256-bit| |Microsoft Authenticator app: Passwordless sign-in to Azure AD |Asymmetric RSA Key 2048-bit| |Microsoft Authenticator app: Backup and restore of enterprise account metadata |AES-256 | For more information about Secret 
encryption at rest, see the following table. * [Microsoft Service Trust Documents](https://servicetrust.microsoft.com/Documents/TrustDocuments) * [Microsoft Azure Trust Center](https://azure.microsoft.com/overview/trusted-cloud/)-* [Recover from deletions in Azure Active Directory](recover-from-deletions.md) +* [Recover from deletions in Azure Active Directory](../architecture/recover-from-deletions.md) ## Next steps |
active-directory | Data Residency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-residency.md | Use the following table to see Azure AD cloud solution models based on infrastru Learn more: -* [Customer data storage and processing for European customers in Azure AD](./active-directory-data-storage-eu.md) +* [Customer data storage and processing for European customers in Azure AD](./data-storage-eu.md) * Power BI: [Azure Active Directory ΓÇô Where is your data located?](https://aka.ms/aaddatamap) * [What is the Azure Active Directory architecture?](https://aka.ms/aadarch) * [Find the Azure geography that meets your needs](https://azure.microsoft.com/overview/datacenters/how-to-choose/) For more information on data residency in Microsoft Cloud offerings, see the fol * [Data operational considerations](data-operational-considerations.md) * [Data protection considerations](data-protection-considerations.md)- |
active-directory | Five Steps To Full Application Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/five-steps-to-full-application-integration.md | Learn more: * [What is Conditional Access?](../conditional-access/overview.md) * [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md)-* [Azure AD seamless single sign-on](../hybrid/how-to-connect-sso.md) +* [Azure AD seamless single sign-on](../hybrid/connect/how-to-connect-sso.md) * [What is app provisioning in Azure AD?](../app-provisioning/user-provisioning.md) If your company has a Microsoft 365 subscription, you likely use Azure AD. However, you can use Azure AD for applications. If you centralize application management, identity management features, tools, and policies for your app portfolio. The benefit is a unified solution that improves security, reduces costs, increases productivity, and enables compliance. In addition, there's remote access to on-premises apps. Improve the configuration illustrated in the previous diagram by moving applicat Learn more: -* [Move application authentication to Azure AD](../manage-apps/migrate-adfs-apps-to-azure.md) +* [Move application authentication to Azure AD](../manage-apps/migrate-adfs-apps-stages.md) * [Sign in and start apps from the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) See the following diagram of app authentication simplified by Azure AD. |
active-directory | Get Started Premium | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/get-started-premium.md | The activation process typically takes only a few minutes and then you can use y ## Next steps -Now that you have Azure AD Premium, you can [customize your domain](add-custom-domain.md), add your [corporate branding](customize-branding.md), [create a tenant](create-new-tenant.md), and [add groups](active-directory-groups-create-azure-portal.md) and [users](add-users-azure-active-directory.md). +Now that you have Azure AD Premium, you can [customize your domain](add-custom-domain.md), add your [corporate branding](./how-to-customize-branding.md), [create a tenant](create-new-tenant.md), and [add groups](./how-to-manage-groups.md) and [users](./add-users.md). |
active-directory | Groups View Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/groups-view-azure-portal.md | If you donΓÇÖt have an Azure subscription, create a [free account](https://azure Before you begin, youΓÇÖll need to: -- Create an Azure Active Directory tenant. For more information, see [Access the Azure portal and create a new tenant](active-directory-access-create-new-tenant.md).+- Create an Azure Active Directory tenant. For more information, see [Access the Azure portal and create a new tenant](./create-new-tenant.md). <a name='sign-in-to-the-azure-portal'></a> You must sign in to the [Azure portal](https://portal.azure.com) using a Global ## Create a new group -Create a new group, named _MDM policy - West_. For more information about creating a group, see [How to create a basic group and add members](active-directory-groups-create-azure-portal.md). +Create a new group, named _MDM policy - West_. For more information about creating a group, see [How to create a basic group and add members](./how-to-manage-groups.md). 1. Go to **Azure Active Directory** > **Groups**. Create a new group, named _MDM policy - West_. For more information about creati 1. Select **Create**. ## Create a new user-A user must exist before being added as a group member, so you'll need to create a new user. For this quickstart, we've added a user named _Alain Charon_. Check the "Custom domain names" tab first to get the verified domain name in which to create users. For more information about creating a user, see [How to add or delete users](add-users-azure-active-directory.md). +A user must exist before being added as a group member, so you'll need to create a new user. For this quickstart, we've added a user named _Alain Charon_. Check the "Custom domain names" tab first to get the verified domain name in which to create users. 
For more information about creating a user, see [How to add or delete users](./add-users.md). 1. Go to **Azure Active Directory** > **Users**. The group you just created is used in other articles in the Azure AD Fundamental Advance to the next article to learn how to associate a subscription to your Azure AD directory. > [!div class="nextstepaction"]-> [Associate an Azure subscription](active-directory-how-subscriptions-associated-directory.md) +> [Associate an Azure subscription](./how-subscriptions-associated-directory.md) |
active-directory | How Subscriptions Associated Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-subscriptions-associated-directory.md | After you associate a subscription with a different directory, you might need to ## Next steps -- To create a new Azure AD tenant, see [Quickstart: Create a new tenant in Azure Active Directory](active-directory-access-create-new-tenant.md).+- To create a new Azure AD tenant, see [Quickstart: Create a new tenant in Azure Active Directory](./create-new-tenant.md). - To learn more about how Microsoft Azure controls resource access, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md). -- To learn more about how to assign roles in Azure AD, see [Assign administrator and non-administrator roles to users with Azure Active Directory](active-directory-users-assign-role-azure-portal.md).+- To learn more about how to assign roles in Azure AD, see [Assign administrator and non-administrator roles to users with Azure Active Directory](./how-subscriptions-associated-directory.md). |
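Review bot: the "+" line for "Assign administrator and non-administrator roles to users" now links to ./how-subscriptions-associated-directory.md, which is the very article being edited, so this Next steps entry becomes a self-link and no longer leads to any role-assignment guidance; the same mis-retarget appears in the add-users and compare.md changes above. Replace it with the article that replaced active-directory-users-assign-role-azure-portal.md.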
active-directory | How To Create Delete Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-create-delete-users.md | This article explains how to create a new user, invite an external guest, and de The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Instructions for the legacy create user process can be found in the [Add or delete users](add-users-azure-active-directory.md) article. +Instructions for the legacy create user process can be found in the [Add or delete users](./add-users.md) article. [!INCLUDE [GDPR-related guidance](../../../includes/gdpr-hybrid-note.md)] To delete a user, follow these steps: ![Screenshot of the All users page with a user selected and the Delete button highlighted.](media/how-to-create-delete-users/delete-existing-user.png) -The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](active-directory-users-restore.md). +The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](./users-restore.md). When a user is deleted, any licenses consumed by the user are made available for other users. |
active-directory | How To Customize Branding | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-customize-branding.md | Adding custom branding requires one of the following licenses: - Azure AD Premium 2 - Office 365 (for Office apps) -For more information about licensing and editions, see the [Sign up for Azure AD Premium](active-directory-get-started-premium.md) article. +For more information about licensing and editions, see the [Sign up for Azure AD Premium](./get-started-premium.md) article. Azure AD Premium editions are available for customers in China using the worldwide instance of Azure AD. Azure AD Premium editions aren't currently supported in the Azure service operated by 21Vianet in China |
active-directory | How To Find Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-find-tenant.md | For more information, see the Microsoft 365 [tenant ID get](https://pnp.github.i ## Next steps -- To create a new Azure AD tenant, see [Quickstart: Create a new tenant in Azure Active Directory](active-directory-access-create-new-tenant.md).+- To create a new Azure AD tenant, see [Quickstart: Create a new tenant in Azure Active Directory](./create-new-tenant.md). -- To learn how to associate or add a subscription to a tenant, see [Associate or add an Azure subscription to your Azure Active Directory tenant](active-directory-how-subscriptions-associated-directory.md).+- To learn how to associate or add a subscription to a tenant, see [Associate or add an Azure subscription to your Azure Active Directory tenant](./how-subscriptions-associated-directory.md). - To learn how to find the object ID, see [Find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id). |
active-directory | How To Get Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-get-support.md | Explore the range of [Azure support options and choose the plan](https://azure.m - If you're not an Azure customer, you can open a support request with [Microsoft Support for business](https://support.serviceshub.microsoft.com/supportforbusiness). > [!NOTE]-> If you're using Azure AD B2C, open a support ticket by first switching to an Azure AD tenant that has an Azure subscription associated with it. Typically, this is your employee tenant or the default tenant created for you when you signed up for an Azure subscription. To learn more, see [how an Azure subscription is related to Azure AD](active-directory-how-subscriptions-associated-directory.md). +> If you're using Azure AD B2C, open a support ticket by first switching to an Azure AD tenant that has an Azure subscription associated with it. Typically, this is your employee tenant or the default tenant created for you when you signed up for an Azure subscription. To learn more, see [how an Azure subscription is related to Azure AD](./how-subscriptions-associated-directory.md). 1. Sign in to the [Azure portal](https://portal.azure.com) and open **Azure Active Directory**. |
active-directory | How To Manage Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-groups.md | To delete a group, you'll need the **Groups Administrator** or **User Administra - [Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory](../enterprise-users/licensing-group-advanced.md#limitations-and-known-issues) -- [Associate or add an Azure subscription to Azure Active Directory](active-directory-how-subscriptions-associated-directory.md)+- [Associate or add an Azure subscription to Azure Active Directory](./how-subscriptions-associated-directory.md) |
active-directory | How To Manage User Profile Info | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-user-profile-info.md | -This article covers how to add user profile information, such as a profile picture and job-specific information. You can also choose to allow users to connect their LinkedIn accounts or restrict access to the Azure AD administration portal. Some settings may be managed in more than one area of Azure AD. For more information about adding new users, see [How to add or delete users in Azure Active Directory](add-users-azure-active-directory.md). +This article covers how to add user profile information, such as a profile picture and job-specific information. You can also choose to allow users to connect their LinkedIn accounts or restrict access to the Azure AD administration portal. Some settings may be managed in more than one area of Azure AD. For more information about adding new users, see [How to add or delete users in Azure Active Directory](./add-users.md). ## Add or change profile information The following settings can be managed from Azure AD **User settings**. ## Next steps -- [Add or delete users](add-users-azure-active-directory.md)+- [Add or delete users](./add-users.md) -- [Assign roles to users](active-directory-users-assign-role-azure-portal.md)+- [Assign roles to users](./how-subscriptions-associated-directory.md) -- [Create a basic group and add members](active-directory-groups-create-azure-portal.md)+- [Create a basic group and add members](./how-to-manage-groups.md) - [View Azure AD enterprise user management documentation](../enterprise-users/index.yml). |
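Review bot: in the Next steps list, the "Assign roles to users" link is rewritten to `./how-subscriptions-associated-directory.md`, which is the article about associating subscriptions, not about role assignment, so the link text and target no longer agree. Since `users-assign-role-azure-portal.md` exists in the same fundamentals folder (it has its own entry in this table), `./users-assign-role-azure-portal.md` looks like the intended target; the other two retargeted links in the same list (`./add-users.md`, `./how-to-manage-groups.md`) match their text and need no change.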
active-directory | Introduction Identity Access Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/introduction-identity-access-management.md | In this article, you learn some of the fundamental concepts of Identity and Acce Identity and access management ensures that the right people, machines, and software components get access to the right resources at the right time. First, the person, machine, or software component proves they're who or what they claim to be. Then, the person, machine, or software component is allowed or denied access to or use of certain resources. -To learn about the basic terms and concepts, see [Identity fundamentals](identity-fundamentals.md). +To learn about the basic terms and concepts, see [Identity fundamentals](./whatis.md). ## What does IAM do? |
active-directory | License Users Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md | There are several Azure AD license plans: - Azure AD Premium P2 -For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Azure AD premium license plans see [here](./active-directory-get-started-premium.md). +For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Azure AD premium license plans see [here](./get-started-premium.md). Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory > Users >** select a user **> Properties > Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization. After you've assigned your licenses, you can perform the following processes: - [Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory](../enterprise-users/licensing-group-advanced.md) -- [Add or change profile information](active-directory-users-profile-azure-portal.md)+- [Add or change profile information](./how-to-manage-user-profile-info.md) |
active-directory | Licensing Whatis Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/licensing-whatis-azure-portal.md | For any groups assigned a license, you must also have a license for each unique Here are the main features of group-based licensing: -- Licenses can be assigned to any security group in Azure AD. Security groups can be synced from on-premises, by using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). You can also create security groups directly in Azure AD (also called cloud-only groups), or automatically via the [Azure AD dynamic group feature](../enterprise-users/groups-create-rule.md).+- Licenses can be assigned to any security group in Azure AD. Security groups can be synced from on-premises, by using [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md). You can also create security groups directly in Azure AD (also called cloud-only groups), or automatically via the [Azure AD dynamic group feature](../enterprise-users/groups-create-rule.md). - When a product license is assigned to a group, the administrator can disable one or more service plans in the product. Typically, this assignment is done when the organization is not yet ready to start using a service included in a product. For example, the administrator might assign Microsoft 365 to a department, but temporarily disable the Yammer service. 
To learn more about other scenarios for license management through group-based l * [How to migrate individual licensed users to group-based licensing in Azure Active Directory](../enterprise-users/licensing-groups-migrate-users.md) * [How to migrate users between product licenses using group-based licensing in Azure Active Directory](../enterprise-users/licensing-groups-change-licenses.md) * [Azure Active Directory group-based licensing additional scenarios](../enterprise-users/licensing-group-advanced.md)-* [PowerShell examples for group-based licensing in Azure Active Directory](../enterprise-users/licensing-ps-examples.md) +* [PowerShell examples for group-based licensing in Azure Active Directory](../enterprise-users/licensing-ps-examples.md) |
active-directory | Properties Area | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/properties-area.md | You add your organization's privacy information in the **Properties** area of Az ## Next steps - [Azure Active Directory B2B collaboration invitation redemption](../external-identities/redemption-experience.md)-- [Add or change profile information for a user in Azure Active Directory](active-directory-users-profile-azure-portal.md)+- [Add or change profile information for a user in Azure Active Directory](./how-to-manage-user-profile-info.md) |
active-directory | Scenario Azure First Sap Identity Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md | Note: to IAS, every Subaccount is considered to be an "application", even though In Azure AD: -- Optionally [configure Azure AD for seamless single sign-on](../hybrid/how-to-connect-sso.md) (Seamless SSO), which automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames.+- Optionally [configure Azure AD for seamless single sign-on](../hybrid/connect/how-to-connect-sso.md) (Seamless SSO), which automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. 
In Azure AD and IAS: We recommend using the Azure AD group's Group ID rather than its name because th In Azure AD: - Create groups to which users can be added that need access to applications in BTP (for example, create an Azure AD group for each Role Collection in BTP).-- On the Azure AD Enterprise Application representing the federation relation with IAS, configure the SAML User Attributes & Claims to [add a group claim for security groups](../hybrid/how-to-connect-fed-group-claims.md#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration):+- On the Azure AD Enterprise Application representing the federation relation with IAS, configure the SAML User Attributes & Claims to [add a group claim for security groups](../hybrid/connect/how-to-connect-fed-group-claims.md#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration): - Set the Source attribute to "Group ID" and the Name to `Groups` (spelled exactly like this, with upper case 'G'). - Further, in order to keep claims payloads small and to avoid running into the limitation whereby Azure AD will limit the number of group claims to 150 in SAML assertions, we highly recommend limiting the groups returned in the claims to only those groups that explicitly were assigned: - Under "Which groups associated with the user should be returned in the claim?" answer with "Groups assigned to the application". Then for the groups you want to include as claims, assign them to the Enterprise Application using the "Users and Groups" section and selecting "Add user/group". Because IAS is the centralized component which has been set up to federate with When configuring federation between Azure AD and IAS, as well as between IAS and BTP, SAML metadata is exchanged which contains X.509 certificates used for encryption and cryptographic signatures of the SAML tokens being sent between both parties. 
These certificates have expiration dates and must be updated periodically (even in emergency situations when a certificate was compromised for example). -Note: the default validity period of the initial Azure AD certificate used to sign SAML assertions is 3 years (and note that the certificate is specific to the Enterprise Application, unlike OpenID Connect and OAuth 2.0 tokens which are signed by a global certificate in Azure AD). You can choose to [generate a new certificate with a different expiration date](../manage-apps/manage-certificates-for-federated-single-sign-on.md#customize-the-expiration-date-for-your-federation-certificate-and-roll-it-over-to-a-new-certificate), or create and import your own certificate. +Note: the default validity period of the initial Azure AD certificate used to sign SAML assertions is 3 years (and note that the certificate is specific to the Enterprise Application, unlike OpenID Connect and OAuth 2.0 tokens which are signed by a global certificate in Azure AD). You can choose to [generate a new certificate with a different expiration date](../manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md#customize-the-expiration-date-for-your-federation-certificate-and-roll-it-over-to-a-new-certificate), or create and import your own certificate. When certificates expire, they can no longer be used, and new certificates must be configured. Therefore, a process must be established to keep the certificate configuration inside the relying party (which needs to validate the signatures) up to date with the actual certificates being used to sign the SAML tokens. 
If the certificates are allowed to expire, or when they are replaced in time but #### Summary of implementation -[Add an email notification address for certificate expiration](../manage-apps/manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration) in Azure AD and set it to a group mailbox so that it isn't sent to a single individual (who may even no longer have an account by the time the certificate is about to expire). By default, only the user who created the Enterprise Application will receive a notification. +[Add an email notification address for certificate expiration](../manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration) in Azure AD and set it to a group mailbox so that it isn't sent to a single individual (who may even no longer have an account by the time the certificate is about to expire). By default, only the user who created the Enterprise Application will receive a notification. Consider building automation to execute the entire certificate rollover process. For example, one can periodically check for expiring certificates and replace them while updating all relying parties with the new metadata. |
active-directory | Sign Up Organization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/sign-up-organization.md | Sign up for Azure Active Directory (Azure AD) or a new Microsoft Azure subscript - **Microsoft account.** Use your personal Microsoft account to get access to Azure and all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Microsoft 365. Signing up for an Outlook.com mailbox automatically creates a Microsoft account. For more information, see [Microsoft account overview](https://account.microsoft.com/account). -- **Work or school account.** Use your work or school-related account to get access to all the small, medium, and enterprise cloud services from Microsoft, such as Azure, Microsoft Intune, or Microsoft 365. After you sign up for one of these services as an organization, Azure AD automatically provisions a cloud-based directory that represents your organization. For more information, see [Manage your Azure AD directory](./active-directory-whatis.md).+- **Work or school account.** Use your work or school-related account to get access to all the small, medium, and enterprise cloud services from Microsoft, such as Azure, Microsoft Intune, or Microsoft 365. After you sign up for one of these services as an organization, Azure AD automatically provisions a cloud-based directory that represents your organization. For more information, see [Manage your Azure AD directory](./whatis.md). > [!Note] > We recommend that you use your work or school account if you already have access to Azure AD. However, you should use whichever type of account is associated with your Azure subscription. 
Sign up for Azure Active Directory (Azure AD) or a new Microsoft Azure subscript - [How to buy Azure](https://azure.microsoft.com/pricing/purchase-options/) -- [Sign up for Azure Active Directory Premium editions](active-directory-get-started-premium.md)+- [Sign up for Azure Active Directory Premium editions](./get-started-premium.md) -- [Learn more about Azure AD](active-directory-whatis.md)+- [Learn more about Azure AD](./whatis.md) - [Use your on-premises identity infrastructure in the cloud](../hybrid/whatis-hybrid-identity.md) -- [Visit the Microsoft Azure blog](https://azure.microsoft.com/blog/)+- [Visit the Microsoft Azure blog](https://azure.microsoft.com/blog/) |
active-directory | Users Assign Role Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-assign-role-azure-portal.md | You can remove role assignments from the **Administrative roles** page for a sel ## Next steps -- [Add or delete users](add-users-azure-active-directory.md)+- [Add or delete users](./add-users.md) -- [Add or change profile information](active-directory-users-profile-azure-portal.md)+- [Add or change profile information](./how-to-manage-user-profile-info.md) - [Add guest users from another directory](../external-identities/what-is-b2b.md) |
active-directory | Users Default Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-default-permissions.md | -In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their [role assignments](active-directory-users-assign-role-azure-portal.md), and their ownership of individual objects. +In Azure Active Directory (Azure AD), all users are granted a set of default permissions. A user's access consists of the type of user, their [role assignments](./how-subscriptions-associated-directory.md), and their ownership of individual objects. This article describes those default permissions and compares the member and guest user defaults. The default user permissions can be changed only in user settings in Azure AD. When a user creates a group, they're automatically added as an owner for that gr An owner can also add or remove other owners. Unlike global administrators and user administrators, owners can manage only the groups that they own. -To assign a group owner, see [Managing owners for a group](active-directory-accessmanagement-managing-group-owners.md). +To assign a group owner, see [Managing owners for a group](./how-to-manage-groups.md). ### Ownership permissions Users can perform the following actions on owned groups. ## Next steps * To learn more about the **Guest user access restrictions** setting, see [Restrict guest access permissions in Azure Active Directory](../enterprise-users/users-restrict-guest-permissions.md).-* To learn more about how to assign Azure AD administrator roles, see [Assign a user to administrator roles in Azure Active Directory](active-directory-users-assign-role-azure-portal.md). +* To learn more about how to assign Azure AD administrator roles, see [Assign a user to administrator roles in Azure Active Directory](./how-subscriptions-associated-directory.md). 
* To learn more about how resource access is controlled in Microsoft Azure, see [Understanding resource access in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md).-* For more information on how Azure AD relates to your Azure subscription, see [How Azure subscriptions are associated with Azure Active Directory](active-directory-how-subscriptions-associated-directory.md). -* [Manage users](add-users-azure-active-directory.md). +* For more information on how Azure AD relates to your Azure subscription, see [How Azure subscriptions are associated with Azure Active Directory](./how-subscriptions-associated-directory.md). +* [Manage users](./add-users.md). |
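Review bot: two links in this patch are retargeted to `./how-subscriptions-associated-directory.md` although their text is about role assignment: the inline "role assignments" link in the opening paragraph and the Next steps entry "Assign a user to administrator roles in Azure Active Directory". That article covers subscription association, so readers following either link will not land on role-assignment guidance; `users-assign-role-azure-portal.md` is present in the same folder (see its entry in this table) and `./users-assign-role-azure-portal.md` is the more plausible target for both. The separate Next steps entry that points to `./how-subscriptions-associated-directory.md` under the text "How Azure subscriptions are associated with Azure Active Directory" is correct as written.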
active-directory | Users Reset Password Azure Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-reset-password-azure-portal.md | Azure Active Directory (Azure AD) administrators can reset a user's password if After you've reset your user's password, you can perform the following basic processes: -- [Add or delete users](add-users-azure-active-directory.md)+- [Add or delete users](./add-users.md) -- [Assign roles to users](active-directory-users-assign-role-azure-portal.md)+- [Assign roles to users](./how-subscriptions-associated-directory.md) -- [Add or change profile information](active-directory-users-profile-azure-portal.md)+- [Add or change profile information](./how-to-manage-user-profile-info.md) -- [Create a basic group and add members](active-directory-groups-create-azure-portal.md)+- [Create a basic group and add members](./how-to-manage-groups.md) Or you can perform more complex user scenarios, such as assigning delegates, using policies, and sharing user accounts. For more information about other available actions, see [Azure Active Directory user management documentation](../enterprise-users/index.yml). |
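Review bot: the "Assign roles to users" link in the basic-processes list is changed to `./how-subscriptions-associated-directory.md`, which does not describe role assignment, so the link text now misleads. The fundamentals folder has a `users-assign-role-azure-portal.md` article (listed separately in this table); `./users-assign-role-azure-portal.md` is the likely intended replacement. The remaining three retargeted links in the list (`./add-users.md`, `./how-to-manage-user-profile-info.md`, `./how-to-manage-groups.md`) are consistent with their text.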
active-directory | Users Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-restore.md | When a user account is deleted from the organization, the account is in a suspen You can permanently delete a user from your organization without waiting the 30 days for automatic deletion. A permanently deleted user can't be restored by you, another administrator, nor by Microsoft customer support. >[!Note]->If you permanently delete a user by mistake, you'll have to create a new user and manually enter all the previous information. For more information about creating a new user, see [Add or delete users](add-users-azure-active-directory.md). +>If you permanently delete a user by mistake, you'll have to create a new user and manually enter all the previous information. For more information about creating a new user, see [Add or delete users](./add-users.md). ### To permanently delete a user You can permanently delete a user from your organization without waiting the 30 After you've restored or deleted your users, you can: -- [Add or delete users](add-users-azure-active-directory.md)+- [Add or delete users](./add-users.md) -- [Assign roles to users](active-directory-users-assign-role-azure-portal.md)+- [Assign roles to users](./how-subscriptions-associated-directory.md) -- [Add or change profile information](active-directory-users-profile-azure-portal.md)+- [Add or change profile information](./how-to-manage-user-profile-info.md) - [Add guest users from another organization](../external-identities/what-is-b2b.md) |
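Review bot: the "Assign roles to users" entry in the post-restore list is retargeted to `./how-subscriptions-associated-directory.md`, the subscription-association article, so its text and destination no longer match. `users-assign-role-azure-portal.md` exists alongside this file (its commit history is in this table), and `./users-assign-role-azure-portal.md` is the target that fits the link text; the `./add-users.md` and `./how-to-manage-user-profile-info.md` changes in the same hunk are fine.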
active-directory | Whatis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whatis.md | -Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure Active Directory also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see [Quickstart: Create a new tenant in Azure Active Directory](active-directory-access-create-new-tenant.md). +Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Azure AD enables your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure Active Directory also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see [Quickstart: Create a new tenant in Azure Active Directory](./create-new-tenant.md). To learn the differences between Active Directory and Azure Active Directory, see [Compare Active Directory to Azure Active Directory](compare.md). You can also refer [Microsoft Cloud for Enterprise Architects Series](/microsoft-365/solutions/cloud-architecture-models) posters to better understand the core identity services in Azure like Azure AD and Microsoft-365. To enhance your Azure AD implementation, you can also add paid features by upgra - **"Pay as you go" feature licenses.** You can also get licenses for features such as, Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see [Azure Active Directory B2C documentation](../../active-directory-b2c/index.yml). 
-For more information about associating an Azure subscription to Azure AD, see [Associate or add an Azure subscription to Azure Active Directory](active-directory-how-subscriptions-associated-directory.md). For more information about assigning licenses to your users, see [How to: Assign or remove Azure Active Directory licenses](license-users-groups.md). +For more information about associating an Azure subscription to Azure AD, see [Associate or add an Azure subscription to Azure Active Directory](./how-subscriptions-associated-directory.md). For more information about assigning licenses to your users, see [How to: Assign or remove Azure Active Directory licenses](license-users-groups.md). ## Which features work in Azure AD? After you choose your Azure AD license, you'll get access to some or all of the |Managed identities for Azure resources|Provide your Azure services with an automatically managed identity in Azure AD that can authenticate any Azure AD-supported authentication service, including Key Vault. For more information, see [What is managed identities for Azure resources?](../managed-identities-azure-resources/overview.md).| |Privileged identity management (PIM)|Manage, control, and monitor access within your organization. This feature includes access to resources in Azure AD and Azure, and other Microsoft Online Services, like Microsoft 365 or Intune. For more information, see [Azure AD Privileged Identity Management](../privileged-identity-management/index.yml).| |Reports and monitoring|Gain insights into the security and usage patterns in your environment. For more information, see [Azure Active Directory reports and monitoring](../reports-monitoring/index.yml).|-| Workload identities| Give an identity to your software workload (such as an application, service, script, or container) to authenticate and access other services and resources. For more information, see [workload identities faqs](../develop/workload-identities-faqs.md). 
+| Workload identities| Give an identity to your software workload (such as an application, service, script, or container) to authenticate and access other services and resources. For more information, see [workload identities faqs](../workload-identities/workload-identities-faqs.md). ## Terminology To better understand Azure AD and its documentation, we recommend reviewing the ## Next steps -- [Sign up for Azure Active Directory Premium](active-directory-get-started-premium.md)+- [Sign up for Azure Active Directory Premium](./get-started-premium.md) -- [Associate an Azure subscription to your Azure Active Directory](active-directory-how-subscriptions-associated-directory.md)+- [Associate an Azure subscription to your Azure Active Directory](./how-subscriptions-associated-directory.md) -- [Azure Active Directory Premium P2 feature deployment checklist](active-directory-deployment-checklist-p2.md)+- [Azure Active Directory Premium P2 feature deployment checklist](./concept-secure-remote-workers.md) |
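Review bot: the last Next steps link keeps the text "Azure Active Directory Premium P2 feature deployment checklist" while its target becomes `./concept-secure-remote-workers.md`, whose name describes a different topic, so either the link text should be updated to match the new article's subject or the patch should confirm that this page is the designated replacement for the retired checklist; a link whose text and target disagree is easy to miss in later link audits. The other two retargeted Next steps links (`./get-started-premium.md`, `./how-subscriptions-associated-directory.md`) match their text.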
active-directory | Whats New Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md | This experience helps administrators walk through the different steps involved i For more information, see: -- [Create a new configuration for Azure AD Connect cloud sync](../cloud-sync/how-to-configure.md)-- [Attribute mapping in Azure AD Connect cloud sync](../cloud-sync/how-to-attribute-mapping.md)-- [Azure AD cloud sync insights workbook](../cloud-sync/how-to-cloud-sync-workbook.md)+- [Create a new configuration for Azure AD Connect cloud sync](../hybrid/cloud-sync/how-to-configure.md) +- [Attribute mapping in Azure AD Connect cloud sync](../hybrid/cloud-sync/how-to-attribute-mapping.md) +- [Azure AD cloud sync insights workbook](../hybrid/cloud-sync/how-to-cloud-sync-workbook.md) For more information, see: Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience. -For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../cloud-sync/custom-attribute-mapping.md) +For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../hybrid/cloud-sync/custom-attribute-mapping.md) Developers can now use managed identities for their software workloads running a - Accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud. 
For more information, see: -- [Configure a user-assigned managed identity to trust an external identity provider (preview)](../develop/workload-identity-federation-create-trust-user-assigned-managed-identity.md)-- [Workload identity federation](../develop/workload-identity-federation.md)+- [Configure a user-assigned managed identity to trust an external identity provider (preview)](../workload-identities/workload-identity-federation-create-trust-user-assigned-managed-identity.md) +- [Workload identity federation](../workload-identities/workload-identity-federation.md) - [Use an Azure AD workload identity (preview) on Azure Kubernetes Service (AKS)](../../aks/workload-identity-overview.md) Admins can now pause, and resume, the processing of individual dynamic groups in **Service category:** Authentications (Logins) **Product capability:** User Authentication -Update the Azure AD and Microsoft 365 sign-in experience with new company branding capabilities. You can apply your companyΓÇÖs brand guidance to authentication experiences with predefined templates. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md). +Update the Azure AD and Microsoft 365 sign-in experience with new company branding capabilities. You can apply your companyΓÇÖs brand guidance to authentication experiences with predefined templates. For more information, see: [Configure your company branding](./how-to-customize-branding.md). Update the Azure AD and Microsoft 365 sign-in experience with new company brandi **Service category:** Directory Management **Product capability:** Directory -Update the company branding functionality on the Azure AD/Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md). 
+Update the company branding functionality on the Azure AD/Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon. For more information, see: [Configure your company branding](./how-to-customize-branding.md). For more information, see: [How to use additional context in Microsoft Authentic In October 2022 we've added the following 15 new applications in our App gallery with Federation support: -[Unifii](https://www.unifii.com.au/), [WaitWell Staff App](https://waitwell.c) +[Unifii](https://www.unifii.com.au/), [WaitWell Staff App](https://waitwell.c) You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial, For more information about how to better secure your organization by using autom Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider with Azure AD tokens, without needing secrets. It eliminates the need to store, and manage, credentials inside the code or secret stores to access Azure AD protected resources such as Azure and Microsoft Graph. By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of your organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials. -For more information on this capability and supported scenarios, see [Workload identity federation](../develop/workload-identity-federation.md). +For more information on this capability and supported scenarios, see [Workload identity federation](../workload-identities/workload-identity-federation.md). In Azure AD entitlement management, a new form of access package assignment poli Users can now configure multiple instances of the same application within an Azure AD tenant. It's now supported for both IdP, and Service Provider (SP), initiated single sign-on requests. 
Multiple application accounts can now have a separate service principal to handle instance-specific claims mapping and roles assignment. For more information, see: -- [Configure SAML app multi-instancing for an application - Microsoft Entra](../develop/reference-app-multi-instancing.md)-- [Customize app SAML token claims - Microsoft Entra](../develop/active-directory-saml-claims-customization.md)+- [Configure SAML app multi-instancing for an application - Microsoft Entra](../develop/configure-app-multi-instancing.md) +- [Customize app SAML token claims - Microsoft Entra](../develop/saml-claims-customization.md) Users can now configure multiple instances of the same application within an Azu Administrators up until recently has the capability to transform claims using many transformations, however using regular expression for claims transformation wasn't exposed to customers. With this public preview release, administrators can now configure and use regular expressions for claims transformation using portal UX. -For more information, see:[Customize app SAML token claims - Microsoft Entra](../develop/active-directory-saml-claims-customization.md). +For more information, see:[Customize app SAML token claims - Microsoft Entra](../develop/saml-claims-customization.md). Check out these resources to learn more: -A new Azure AD Connect release fixes several bugs and includes new functionality. This release is also available for auto upgrade for eligible servers. For more information, see: [Azure AD Connect: Version release history](../hybrid/reference-connect-version-history.md#21150). +A new Azure AD Connect release fixes several bugs and includes new functionality. This release is also available for auto upgrade for eligible servers. For more information, see: [Azure AD Connect: Version release history](../hybrid/connect/reference-connect-version-history.md#21150). For more information, see: [Manage devices in Azure AD using the Azure portal](. 
Previously the only way to have persistent NameID value was to ΓÇïconfigure user attribute with an empty value. Admins can now explicitly configure the NameID value to be persistent ΓÇïalong with the corresponding format. -For more information, see: [Customize app SAML token claims - Microsoft identity platform](../develop/active-directory-saml-claims-customization.md#attributes). +For more information, see: [Customize app SAML token claims - Microsoft identity platform](../develop/saml-claims-customization.md#attributes). For listing your application in the Azure AD app gallery, please read the detail **Service category:** App Provisioning **Product capability:** GoLocal -From April 15, 2022, Microsoft began storing Azure ADΓÇÖs Customer Data for new tenants with a Japan billing address within the Japanese data centers. For more information, see: [Customer data storage for Japan customers in Azure Active Directory](active-directory-data-storage-japan.md). +From April 15, 2022, Microsoft began storing Azure ADΓÇÖs Customer Data for new tenants with a Japan billing address within the Japanese data centers. For more information, see: [Customer data storage for Japan customers in Azure Active Directory](./data-storage-japan.md). |
active-directory | Whats New Sovereign Clouds Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds-archive.md | Restore a recently deleted application, group, servicePrincipal, administrative **Service category:** Authentications (Logins) **Product capability:** Identity Security & Protection -We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md). +We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Migrate to cloud authentication using Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). Identity Protection now emits risk (such as unfamiliar sign-in properties) on no Entra Workload Identity Federation allows developers to exchange tokens issued by another identity provider with Azure AD tokens, without needing secrets. It eliminates the need to store, and manage, credentials inside the code or secret stores to access Azure AD protected resources such as Azure and Microsoft Graph. 
By removing the secrets required to access Azure AD protected resources, workload identity federation can improve the security posture of your organization. This feature also reduces the burden of secret management and minimizes the risk of service downtime due to expired credentials. -For more information on this capability and supported scenarios, see: [Workload identity federation](../develop/workload-identity-federation.md). +For more information on this capability and supported scenarios, see: [Workload identity federation](../workload-identities/workload-identity-federation.md). |
active-directory | Whats New Sovereign Clouds | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md | For more information, see: [Protect user accounts from attacks with Azure Active **Service category:** Enterprise Apps **Product capability:** SSO -Filter and transform group names in token claims configuration using regular expression. Many application configurations on ADFS and other IdPs rely on the ability to create authorization claims based on the content of Group Names using regular expression functions in the claim rules. Azure AD now has the capability to use a regular expression match and replace function to create claim content based on Group **onpremisesSAMAccount** names. This functionality allows those applications to be moved to Azure AD for authentication using the same group management patterns. For more information, see: [Configure group claims for applications by using Azure Active Directory](../hybrid/how-to-connect-fed-group-claims.md). +Filter and transform group names in token claims configuration using regular expression. Many application configurations on ADFS and other IdPs rely on the ability to create authorization claims based on the content of Group Names using regular expression functions in the claim rules. Azure AD now has the capability to use a regular expression match and replace function to create claim content based on Group **onpremisesSAMAccount** names. This functionality allows those applications to be moved to Azure AD for authentication using the same group management patterns. For more information, see: [Configure group claims for applications by using Azure Active Directory](../hybrid/connect/how-to-connect-fed-group-claims.md). 
Azure AD now has the capability to filter the groups included in the token using For more information, see: - [Group Filter](../develop/reference-claims-mapping-policy-type.md#group-filter).-- [Configure group claims for applications by using Azure Active Directory](../hybrid/how-to-connect-fed-group-claims.md).+- [Configure group claims for applications by using Azure Active Directory](../hybrid/connect/how-to-connect-fed-group-claims.md). For more information about Microsoft cloud settings for B2B collaboration, see: Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience. -For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../cloud-sync/custom-attribute-mapping.md) +For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../hybrid/cloud-sync/custom-attribute-mapping.md) |
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md | This feature enables admins to create dynamic group rules based on the user obje **Service category:** User Management **Product capability:** User Management -We have increased the number of properties admins are able to define when creating and inviting a user in the Entra admin portal, bringing our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: [Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md). +We have increased the number of properties admins are able to define when creating and inviting a user in the Entra admin portal, bringing our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: [Add or delete users using Azure Active Directory](./add-users.md). 
There's no additional work to enable this feature, the unfamiliar properties are In February 2023 we've added the following 10 new applications in our App gallery with Federation support: -[PROCAS](https://accounting.procas.com/), [Tanium Cloud SSO](../saas-apps/tanium-cloud-sso-tutorial.md), [LeanDNA](../saas-apps/leandna-tutorial.md), [CalendarAnything LWC](https://silverlinecrm.com/calendaranything/), [courses.work](../saas-apps/courseswork-tutorial.md), [Udemy Business SAML](../saas-apps/udemy-business-saml-tutorial.md), [Canva](../saas-apps/canva-tutorial.md), [Kno2fy](../saas-apps/kno2fy-tutorial.md), [IT-Conductor](../saas-apps/it-conductor-tutorial.md), [ナレッジワーク(Knowledge Work)](../saas-apps/knowledge-work-tutorial.md), [Valotalive Digital Signage Microsoft 365 integration](https://store.valotalive.com/#main), [Priority Matrix HIPAA](https://hipaa.prioritymatrix.com/), [Priority Matrix Government](https://hipaa.prioritymatrix.com/), [Beable](../saas-apps/beable-tutorial.md), [Grain](https://grain.com/app?dialog=integrations&integration=microsoft+teams), [DojoNavi](../saas-apps/dojonavi-tutorial.md), [Global Validity Access Manager](https://myaccessmanager.com/), [FieldEquip](https://app.fieldequip.com/), [Peoplevine](https://control.peoplevine.com/), [Respondent](../saas-apps/respondent-tutorial.md), [WebTMA](../saas-apps/webtma-tutorial.md), [ClearIP](https://clearip.com/login), [Pennylane](../saas-apps/pennylane-tutorial.md), [VsimpleSSO](https://app.vsimple.com/login), [Compliance Genie](../saas-apps/compliance-genie-tutorial.md), [Dataminr Corporate](https://dmcorp.okta.com/), [Talon](../saas-apps/talon-tutorial.md). 
+[PROCAS](https://accounting.procas.com/), [Tanium Cloud SSO](../saas-apps/tanium-sso-tutorial.md), [LeanDNA](../saas-apps/leandna-tutorial.md), [CalendarAnything LWC](https://silverlinecrm.com/calendaranything/), [courses.work](../saas-apps/courseswork-tutorial.md), [Udemy Business SAML](../saas-apps/udemy-business-saml-tutorial.md), [Canva](../saas-apps/canva-tutorial.md), [Kno2fy](../saas-apps/kno2fy-tutorial.md), [IT-Conductor](../saas-apps/it-conductor-tutorial.md), [ナレッジワーク(Knowledge Work)](../saas-apps/knowledge-work-tutorial.md), [Valotalive Digital Signage Microsoft 365 integration](https://store.valotalive.com/#main), [Priority Matrix HIPAA](https://hipaa.prioritymatrix.com/), [Priority Matrix Government](https://hipaa.prioritymatrix.com/), [Beable](../saas-apps/beable-tutorial.md), [Grain](https://grain.com/app?dialog=integrations&integration=microsoft+teams), [DojoNavi](../saas-apps/dojonavi-tutorial.md), [Global Validity Access Manager](https://myaccessmanager.com/), [FieldEquip](https://app.fieldequip.com/), [Peoplevine](https://control.peoplevine.com/), [Respondent](../saas-apps/respondent-tutorial.md), [WebTMA](../saas-apps/webtma-tutorial.md), [ClearIP](https://clearip.com/login), [Pennylane](../saas-apps/pennylane-tutorial.md), [VsimpleSSO](https://app.vsimple.com/login), [Compliance Genie](../saas-apps/compliance-genie-tutorial.md), [Dataminr Corporate](https://dmcorp.okta.com/), [Talon](../saas-apps/talon-tutorial.md). You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial. |
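Review bot: in the App gallery list hunk, [Priority Matrix HIPAA] and [Priority Matrix Government] both link to `https://hipaa.prioritymatrix.com/`; the Government entry most likely needs its own URL, and since the whole line is being rewritten here anyway (Tanium Cloud SSO moves from `tanium-cloud-sso-tutorial.md` to `tanium-sso-tutorial.md`) this is the moment to fix it.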
active-directory | Access Reviews Application Preparation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-application-preparation.md | -Organizations with compliance requirements or risk management plans will have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. Azure AD can be integrated with many popular SaaS applications, on-premises applications, and applications that your organization has developed, using [standard protocol](../fundamentals/auth-sync-overview.md) and API interfaces. Through these interfaces, Azure AD can be the authoritative source to control who has access to those applications. As you integrate your applications with Azure AD, you can then use access reviews to recertify the users who have access to those applications, and remove access of those users who no longer need access. You can also use other features, including terms of use, Conditional Access and entitlement management, for governing access to applications, as described in [how to govern access to applications in your environment](identity-governance-applications-prepare.md). +Organizations with compliance requirements or risk management plans will have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. 
Azure AD can be integrated with many popular SaaS applications, on-premises applications, and applications that your organization has developed, using [standard protocol](../architecture/auth-sync-overview.md) and API interfaces. Through these interfaces, Azure AD can be the authoritative source to control who has access to those applications. As you integrate your applications with Azure AD, you can then use access reviews to recertify the users who have access to those applications, and remove access of those users who no longer need access. You can also use other features, including terms of use, Conditional Access and entitlement management, for governing access to applications, as described in [how to govern access to applications in your environment](identity-governance-applications-prepare.md). ## Prerequisites for reviewing access To use Azure AD for an access review of access to an application, you must have While using the access reviews feature does not require users to have those licenses assigned to them to use the feature, you'll need to have at least as many licenses in your tenant as the number of member (non-guest) users who will be configured as reviewers. -Also, while not required for reviewing access to an application, we recommend also regularly reviewing the membership of privileged directory roles that have the ability to control other users' access to all applications. Administrators in the `Global Administrator`, `Identity Governance Administrator`, `User Administrator`, `Application Administrator`, `Cloud Application Administrator` and `Privileged Role Administrator` can make changes to users and their application role assignments, so ensure that [access review of these directory roles](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md) have been scheduled. 
+Also, while not required for reviewing access to an application, we recommend also regularly reviewing the membership of privileged directory roles that have the ability to control other users' access to all applications. Administrators in the `Global Administrator`, `Identity Governance Administrator`, `User Administrator`, `Application Administrator`, `Cloud Application Administrator` and `Privileged Role Administrator` can make changes to users and their application role assignments, so ensure that [access review of these directory roles](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) have been scheduled. ## Determine how the application is integrated with Azure AD Now that you have identified the integration pattern for the application, check 1. In the Azure portal, click **Azure Active Directory**, click **Enterprise Applications**, and check whether your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) in your Azure AD tenant. 1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning. -1. If the application is not already listed, but uses AD security groups and is a web application, [add the application for remote access through Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md). -1. 
If the application is not already listed, uses AD security groups and is not a web application, then [configure group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md) and continue at the next section. +1. If the application is not already listed, but uses AD security groups and is a web application, [add the application for remote access through Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md) and [configure group writeback to AD](../hybrid/connect/how-to-connect-group-writeback-v2.md). +1. If the application is not already listed, uses AD security groups and is not a web application, then [configure group writeback to AD](../hybrid/connect/how-to-connect-group-writeback-v2.md) and continue at the next section. 1. Once the application is in the list of enterprise applications in your tenant, select the application from the list. 1. Change to the **Properties** tab. Verify that the **User assignment required?** option is set to **Yes**. If it's set to **No**, all users in your directory, including external identities, can access the application, and you can't review access to the application. |
active-directory | Access Reviews External Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-external-users.md | ->A valid Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md). +>A valid Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/whatis.md). ## Why review users from external organizations in your tenant? |
active-directory | Access Reviews Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-overview.md | Azure AD enables you to collaborate with users from inside your organization and ## When should you use access reviews? -- **Too many users in privileged roles:** It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and if there are any invited guests or partners that haven't been removed after being assigned to do an administrative task. You can recertify the role assignment users in [Azure AD roles](../privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json) such as Global Administrators, or [Azure resources roles](../privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json) such as User Access Administrator in the [Microsoft Entra Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) experience.+- **Too many users in privileged roles:** It's a good idea to check how many users have administrative access, how many of them are Global Administrators, and if there are any invited guests or partners that haven't been removed after being assigned to do an administrative task. You can recertify the role assignment users in [Azure AD roles](../privileged-identity-management/pim-perform-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) such as Global Administrators, or [Azure resources roles](../privileged-identity-management/pim-perform-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) such as User Access Administrator in the [Microsoft Entra Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) experience. 
- **When automation is not possible:** You can create rules for dynamic membership on security groups or Microsoft 365 Groups, but what if the HR data isn't in Azure AD or if users still need access after leaving the group to train their replacement? You can then create a review on that group to ensure those who still need access should have continued access. - **When a group is used for a new purpose:** If you have a group that is going to be synced to Azure AD, or if you plan to enable the application Salesforce for everyone in the Sales team group, it would be useful to ask the group owner to review the group membership prior to the group being used in a different risk content. - **Business critical data access:** for certain resources, such as [business critical applications](identity-governance-applications-prepare.md), it might be required as part of compliance processes to ask people to regularly reconfirm and give a justification on why they need continued access. Depending on what you want to review, you'll either create your access review in | | | | | | Security group members</br>Office group members | Specified reviewers</br>Group owners</br>Self-review | access reviews</br>Azure AD groups | Access panel | | Assigned to a connected app | Specified reviewers</br>Self-review | access reviews</br>Azure AD enterprise apps (in preview) | Access panel |-| Azure AD role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json) | Azure portal | -| Azure resource role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json) | Azure portal | +| Azure AD role | Specified reviewers</br>Self-review | 
[PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal | +| Azure resource role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal | | Access package assignments | Specified reviewers</br>Group members</br>Self-review | entitlement management | Access panel | ## License requirements Depending on what you want to review, you'll either create your access review in - [Prepare for an access review of users' access to an application](access-reviews-application-preparation.md) - [Create an access review of groups or applications](create-access-review.md)-- [Create an access review of users in an Azure AD administrative role](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json)+- [Create an access review of users in an Azure AD administrative role](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) - [Review access to groups or applications](perform-access-review.md)-- [Complete an access review of groups or applications](complete-access-review.md)+- [Complete an access review of groups or applications](complete-access-review.md) |
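Review bot: the final hunk's `-` and `+` lines for "Complete an access review of groups or applications" are identical as shown (`complete-access-review.md` on both sides), so the change is invisible here, presumably a trailing-whitespace or end-of-line fix; confirm it is intended rather than an accidental edit.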
active-directory | Complete Access Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/complete-access-review.md | Manually or automatically applying results doesn't have an effect on a group tha On review creation, the creator can choose between two options for denied guest users in an access review. - Denied guest users can have their access to the resource removed. This is the default.+ - The denied guest user can be blocked from signing in for 30 days, then deleted from the tenant. During the 30-day period the guest user is able to be restored access to the tenant by an administrator. After the 30-day period is completed, if the guest user hasn't had access to the resource granted to them again, they'll be removed from the tenant permanently. In addition, using the Azure portal, a Global Administrator can explicitly [permanently delete a recently deleted user](../fundamentals/users-restore.md) before that time period is reached. Once a user has been permanently deleted, the data about that guest user will be removed from active access reviews. Audit information about deleted users remains in the audit log. ### Actions taken on denied B2B direct connect users Denied B2B direct connect users and teams lose access to all shared channels in - [Manage access reviews](manage-access-review.md) - [Create an access review of groups or applications](create-access-review.md)-- [Create an access review of users in an Azure AD administrative role](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)+- [Create an access review of users in an Azure AD administrative role](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) |
active-directory | Conditional Access Exclusion | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/conditional-access-exclusion.md | -> A valid Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/active-directory-whatis.md). +> A valid Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance, Enterprise Mobility + Security E5 paid, or trial license is required to use Azure AD access reviews. For more information, see [Azure Active Directory editions](../fundamentals/whatis.md). ## Why would you exclude users from policies? |
active-directory | Deploy Access Reviews | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/deploy-access-reviews.md | Consider your organizational needs to determine the strategy for deploying acces ### Engage the right stakeholders -When technology projects fail, they typically do so because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/deployment-plans.md) and that project roles are clear. +When technology projects fail, they typically do so because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../architecture/deployment-plans.md) and that project roles are clear. For access reviews, you'll likely include representatives from the following teams within your organization: In your pilot, we recommend that you: * Document any access removed as a part of the pilot in case you need to quickly restore it. * Monitor audit logs to ensure all events are properly audited. -For more information, see [Best practices for a pilot](../fundamentals/deployment-plans.md). +For more information, see [Best practices for a pilot](../architecture/deployment-plans.md). ## Introduction to access reviews After you integrate your organization's resources with Azure AD, such as users, Typical targets for review include: * [Applications integrated with Azure AD for single sign-on](../manage-apps/what-is-application-management.md), such as SaaS and line of business.-* Group [membership](../fundamentals/active-directory-manage-groups.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) synchronized to Azure AD, or created in Azure AD or Microsoft 365, including Microsoft Teams. 
+* Group [membership](../fundamentals/concept-learn-about-groups.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context) synchronized to Azure AD, or created in Azure AD or Microsoft 365, including Microsoft Teams. * [Access package](./entitlement-management-overview.md) that groups resources such as groups, apps, and sites into a single package to manage access. * [Azure AD rolesΓÇï and Azure resource roles](../privileged-identity-management/pim-resource-roles-assign-roles.md) as defined in PIM. Select the **Lifecycle** tab and scroll down to access reviews. ## Plan access reviews for groups -Besides access packages, reviewing group membership is the most effective way of governing access. Assign access to resources via [Security groups or Microsoft 365 groups](../fundamentals/active-directory-manage-groups.md). Add users to those groups to gain access. +Besides access packages, reviewing group membership is the most effective way of governing access. Assign access to resources via [Security groups or Microsoft 365 groups](../fundamentals/concept-learn-about-groups.md). Add users to those groups to gain access. A single group can be granted access to all appropriate resources. You can assign the group access to individual resources or to an access package that groups applications and other resources. With this method, you can review access to the group rather than an individual's access to each application. To learn how to review guest users' access to group memberships, see [Manage gue ### Review access to on-premises groups -Access reviews can't change the group membership of groups that you synchronize from on-premises with [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). This restriction is because the source of authority is on-premises. +Access reviews can't change the group membership of groups that you synchronize from on-premises with [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md). 
This restriction is because the source of authority is on-premises. You can still use access reviews to schedule and maintain regular reviews of on-premises groups. Reviewers will then take action in the on-premises group. This strategy keeps access reviews as the tool for all reviews. Follow the instructions in the articles listed in the table. | How-to articles | Description | | - | - |- [Create access reviews](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json)| Create access reviews for privileged Azure AD roles in PIM. | -| [Self-review your access](../privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json)| If you're assigned to an administrative role, approve or deny access to your role. | -| [Complete an access review](../privileged-identity-management/pim-complete-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json)| View an access review and apply the results. | + [Create access reviews](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| Create access reviews for privileged Azure AD roles in PIM. | +| [Self-review your access](../privileged-identity-management/pim-perform-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| If you're assigned to an administrative role, approve or deny access to your role. | +| [Complete an access review](../privileged-identity-management/pim-complete-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| View an access review and apply the results. | ### Review Azure resource roles Follow the instructions in the articles listed in the table. 
| How-to articles| Description | | - | -|-| [Create access reviews](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json)| Create access reviews for privileged Azure resource roles in PIM. | -| [Self-review your access](../privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json)| If you're assigned to an administrative role, approve or deny access to your role. | -| [Complete an access review](../privileged-identity-management/pim-complete-azure-ad-roles-and-resource-roles-review.md?toc=%2fazure%2factive-directory%2fgovernance%2ftoc.json)| View an access review and apply the results. | +| [Create access reviews](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| Create access reviews for privileged Azure resource roles in PIM. | +| [Self-review your access](../privileged-identity-management/pim-perform-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| If you're assigned to an administrative role, approve or deny access to your role. | +| [Complete an access review](../privileged-identity-management/pim-complete-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json)| View an access review and apply the results. | ## Use the Access Reviews API |
active-directory | Entitlement Management Access Package Approval Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-approval-policy.md | Use the following steps to add approvers after selecting how many stages you req 1. If you selected **Manager** as the first approver, select **Add fallback to select one, or more users or groups in your directory to be a fallback approver. Fallback approvers receive the request if entitlement management can't find the manager for the user requesting access. - The manager is found by entitlement management using the **Manager** attribute. The attribute is in the user's profile in Azure AD. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/active-directory-users-profile-azure-portal.md). + The manager is found by entitlement management using the **Manager** attribute. The attribute is in the user's profile in Azure AD. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/how-to-manage-user-profile-info.md). 1. If you selected **Choose specific approvers**, select **Add approvers** to choose one, or more, users or groups in your directory to be approvers. |
active-directory | Entitlement Management Access Package Auto Assignment Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md | This article describes how to create an access package automatic assignment poli ## Before you begin -You'll need to have attributes populated on the users who will be in scope for being assigned access. The attributes you can use in the rules criteria of an access package assignment policy are those attributes listed in [supported properties](../enterprise-users/groups-dynamic-membership.md#supported-properties), along with [extension attributes and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties). These attributes can be brought into Azure AD from [Graph](/graph/api/resources/user), an HR system such as [SuccessFactors](../app-provisioning/sap-successfactors-integration-reference.md), [Azure AD Connect cloud sync](../cloud-sync/how-to-attribute-mapping.md) or [Azure AD Connect sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md). The rules can include up to 5000 users per policy. +You'll need to have attributes populated on the users who will be in scope for being assigned access. The attributes you can use in the rules criteria of an access package assignment policy are those attributes listed in [supported properties](../enterprise-users/groups-dynamic-membership.md#supported-properties), along with [extension attributes and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties). 
These attributes can be brought into Azure AD from [Graph](/graph/api/resources/user), an HR system such as [SuccessFactors](../app-provisioning/sap-successfactors-integration-reference.md), [Azure AD Connect cloud sync](../hybrid/cloud-sync/how-to-attribute-mapping.md) or [Azure AD Connect sync](../hybrid/connect/how-to-connect-sync-feature-directory-extensions.md). The rules can include up to 5000 users per policy. ## License requirements |
active-directory | Entitlement Management Access Package First | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-first.md | A resource directory has one or more resources to share. In this step, you creat 1. In the left navigation, select **Azure Active Directory**. -1. [Create two users](../fundamentals/add-users-azure-active-directory.md). Use the following names or different names. +1. [Create two users](../fundamentals/add-users.md). Use the following names or different names. | Name | Directory role | | | | | **Admin1** | Global administrator, or User administrator. This user can be the user you're currently signed in. | | **Requestor1** | User | -4. [Create an Azure AD security group](../fundamentals/active-directory-groups-create-azure-portal.md) named **Marketing resources** with a membership type of **Assigned**. This group is the target resource for entitlement management. The group should be empty of members to start. +4. [Create an Azure AD security group](../fundamentals/how-to-manage-groups.md) named **Marketing resources** with a membership type of **Assigned**. This group is the target resource for entitlement management. The group should be empty of members to start. ## Step 2: Create an access package |
active-directory | Entitlement Management Access Package Manage Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-manage-lifecycle.md | Entitlement management allows you to gain visibility into the state of a guest u - **Blank** - The lifecycle for the guest user isn't determined. This happens when the guest user had an access package assigned before managing user lifecycle was possible. > [!NOTE]-> When a guest user is set as **Governed**, based on ELM tenant settings their account will be deleted or disabled in specified days after their last access package assignment expires. Learn more about ELM settings here: [Manage external access with Azure Active Directory entitlement management](../fundamentals/6-secure-access-entitlement-managment.md). +> When a guest user is set as **Governed**, based on ELM tenant settings their account will be deleted or disabled in specified days after their last access package assignment expires. Learn more about ELM settings here: [Manage external access with Azure Active Directory entitlement management](../architecture/6-secure-access-entitlement-managment.md). You can directly convert ungoverned users to be governed by using the **Mark Guests as Governed (preview)** functionality in the top menu bar. To manage user lifecycle, you'd follow these steps: ## Manage guest user lifecycle programmatically -To manage user lifecycle programatically using Microsoft Graph, see: [accessPackageSubject resource type](/graph/api/resources/accesspackagesubject). +To manage user lifecycle programatically using Microsoft Graph, see: [accessPackageSubject resource type](/graph/api/resources/accesspackagesubject). For bulk conversion, see: [ConvertTo-EmGovernedGuest.ps1](https://github.com/JefTek/EntraIdentitySamples/blob/main/PowerShell/IdentityGovernance/GovernedGuests/ConvertTo-EmGovernedGuest.ps1). |
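Review bot: the `+` line under "Manage guest user lifecycle programmatically" carries the misspelling `programatically` over from the `-` line unchanged; since the sentence is being edited anyway, correct it to `programmatically` in the same commit.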
active-directory | Entitlement Management Access Package Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-resources.md | If you need to add resources to an access package, you should check whether the 1. If the resources aren't already in the catalog, and you're an administrator or a catalog owner, you can [add resources to a catalog](entitlement-management-catalog-create.md#add-resources-to-a-catalog). The types of resources you can add are groups, applications, and SharePoint Online sites. For example: - * Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. To give users access to an application that uses AD security group memberships, create a new group in Azure AD, configure [group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](../enterprise-users/groups-write-back-portal.md). Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either. + * Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. To give users access to an application that uses AD security group memberships, create a new group in Azure AD, configure [group writeback to AD](../hybrid/connect/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](../enterprise-users/groups-write-back-portal.md). Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either. 
* Applications can be Azure AD enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Azure AD. If your application hasn't yet been integrated with Azure AD, see [govern access for applications in your environment](identity-governance-applications-prepare.md) and [integrate an application with Azure AD](identity-governance-applications-integrate.md). * Sites can be SharePoint Online sites or SharePoint Online site collections. You can have entitlement management automatically add users to a group or a team - When a group or team is part of an access package and a user is assigned to that access package, the user is added to that group or team, if not already present. - When a user's access package assignment expires, they're removed from the group or team, unless they currently have an assignment to another access package that includes that same group or team. -You can select any [Azure AD security group or Microsoft 365 Group](../fundamentals/active-directory-groups-create-azure-portal.md). Administrators can add any group to a catalog; catalog owners can add any group to the catalog if they're owner of the group. Keep the following Azure AD constraints in mind when selecting a group: +You can select any [Azure AD security group or Microsoft 365 Group](../fundamentals/how-to-manage-groups.md). Administrators can add any group to a catalog; catalog owners can add any group to the catalog if they're owner of the group. Keep the following Azure AD constraints in mind when selecting a group: - When a user, including a guest, is added as a member to a group or team, they can see all the other members of that group or team. - Azure AD can't change the membership of a group that was synchronized from Windows Server Active Directory using Azure AD Connect, or that was created in Exchange Online as a distribution group. 
For more information, see [Compare groups](/office365/admin/create-groups/compar You can have Azure AD automatically assign users access to an Azure AD enterprise application, including both SaaS applications and your organization's applications integrated with Azure AD, when a user is assigned an access package. For applications that integrate with Azure AD through federated single sign-on, Azure AD issues federation tokens for users assigned to the application. -Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/active-directory-enterprise-app-role-management.md). +Applications can have multiple app roles defined in their manifest. When you add an application to an access package, if that application has more than one app role, you need to specify the appropriate role for those users in each access package. If you're developing applications, you can read more about how those roles are added to your applications in [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md). > [!NOTE] > If an application has multiple roles, and more than one role of that application are in an access package, then the user will receive all those application's roles. If instead you want users to only have some of the application's roles, then you will need to create multiple access packages in the catalog, with separate access packages for each of the application roles. 
If you want the users to also be assigned to the access package, you can [direct ## Next steps -- [Create a basic group and add members using Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md)-- [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/active-directory-enterprise-app-role-management.md)+- [Create a basic group and add members using Azure Active Directory](../fundamentals/how-to-manage-groups.md) +- [How to: Configure the role claim issued in the SAML token for enterprise applications](../develop/enterprise-app-role-management.md) - [Introduction to SharePoint Online](/sharepoint/introduction) |
active-directory | Entitlement Management Catalog Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-catalog-create.md | To include resources in an access package, the resources must exist in a catalog * Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. - * Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. To give a user access to an application that uses AD security group memberships, create a new security group in Azure AD, configure [group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](../enterprise-users/groups-write-back-portal.md), so that the cloud-created group can be used by an AD-based application. + * Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. To give a user access to an application that uses AD security group memberships, create a new security group in Azure AD, configure [group writeback to AD](../hybrid/connect/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](../enterprise-users/groups-write-back-portal.md), so that the cloud-created group can be used by an AD-based application. * Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either, so cannot be added to catalogs. |
active-directory | Entitlement Management Delegate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-delegate.md | - * Applications [can define their own roles](../develop/howto-add-app-roles-in-azure-ad-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md). + * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md). * You can use roles for delegating administrative access. If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role. This article discusses how to use roles to manage aspects within Microsoft Entra entitlement management, for controlling access to the entitlement management resources. |
active-directory | Entitlement Management External Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-external-users.md | To ensure people outside of your organization can request access packages and ge ### Review your Microsoft 365 group sharing settings -- If you want to include Microsoft 365 groups in your access packages for external users, make sure the **Let users add new guests to the organization** is set to **On** to allow guest access. For more information, see [Manage guest access to Microsoft 365 Groups](/Microsoft 365/admin/create-groups/manage-guest-access-in-groups?view=Microsoft 365-worldwide#manage-groups-guest-access).+- If you want to include Microsoft 365 groups in your access packages for external users, make sure the **Let users add new guests to the organization** is set to **On** to allow guest access. For more information, see [Manage guest access to Microsoft 365 Groups](/microsoft-365/admin/create-groups/manage-guest-access-in-groups?view=microsoft-365-worldwide#manage-groups-guest-access). - If you want external users to be able to access the SharePoint Online site and resources associated with a Microsoft 365 group, make sure you turn on SharePoint Online external sharing. For more information, see [Turn external sharing on or off](/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting). |
active-directory | Entitlement Management Group Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-group-writeback.md | To set up group writeback for Microsoft 365 groups in access packages, you must - Set up group writeback in the Azure Active Directory admin center. - The Organizational Unit (OU) that is used to set up group writeback in Azure AD Connect Configuration.-- Complete the [group writeback enablement steps](../hybrid/how-to-connect-group-writeback-enable.md) for Azure AD Connect. +- Complete the [group writeback enablement steps](../hybrid/connect/how-to-connect-group-writeback-enable.md) for Azure AD Connect. Using group writeback, you can now sync Microsoft 365 groups that are part of access packages to on-premises Active Directory. To sync the groups, follow the steps: Using group writeback, you can now sync Microsoft 365 groups that are part of ac ## Next steps - [Create and manage a catalog of resources in entitlement management](entitlement-management-catalog-create.md)-- [Delegate access governance to access package managers in entitlement management](entitlement-management-delegate-managers.md)+- [Delegate access governance to access package managers in entitlement management](entitlement-management-delegate-managers.md) |
active-directory | Entitlement Management Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-troubleshoot.md | This article describes some items you should check to help you troubleshoot enti * For a group to be a resource in an access package, it must be able to be modifiable in Azure AD. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either. -* SharePoint Online document libraries and individual documents can't be added as resources. Instead, create an [Azure AD security group](../fundamentals/active-directory-groups-create-azure-portal.md), include that group and a site role in the access package, and in SharePoint Online use that group to control access to the document library or document. +* SharePoint Online document libraries and individual documents can't be added as resources. Instead, create an [Azure AD security group](../fundamentals/how-to-manage-groups.md), include that group and a site role in the access package, and in SharePoint Online use that group to control access to the document library or document. * If there are users that have already been assigned to a resource that you want to manage with an access package, be sure that the users are assigned to the access package with an appropriate policy. For example, you might want to include a group in an access package that already has users in the group. If those users in the group require continued access, they must have an appropriate policy for the access packages so that they don't lose their access to the group. You can assign the access package by either asking the users to request the access package containing that resource, or by directly assigning them to the access package. 
For more information, see [Change request and approval settings for an access package](entitlement-management-access-package-request-policy.md). This article describes some items you should check to help you troubleshoot enti * When a user who isn't yet in your directory signs in to the My Access portal to request an access package, be sure they authenticate using their organizational account. The organizational account can be either an account in the resource directory, or in a directory that is included in one of the policies of the access package. If the user's account isn't an organizational account, or the directory where they authenticate isn't included in the policy, then the user won't see the access package. For more information, see [Request access to an access package](entitlement-management-request-access.md). -* If a user is blocked from signing in to the resource directory, they won't be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, select **Azure Active Directory**, select **Users**, select the user, and then select **Profile**. Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/active-directory-users-profile-azure-portal.md). You can also check if the user was blocked due to an [Identity Protection policy](../identity-protection/howto-identity-protection-remediate-unblock.md). +* If a user is blocked from signing in to the resource directory, they won't be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, select **Azure Active Directory**, select **Users**, select the user, and then select **Profile**. 
Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/how-to-manage-user-profile-info.md). You can also check if the user was blocked due to an [Identity Protection policy](../identity-protection/howto-identity-protection-remediate-unblock.md). * In the My Access portal, if a user is both a requestor and an approver, they won't see their request for an access package on the **Approvals** page. This behavior is intentional - a user can't approve their own request. Ensure that the access package they're requesting has additional approvers configured on the policy. For more information, see [Change request and approval settings for an access package](entitlement-management-access-package-request-policy.md). |
active-directory | Entitlement Management Verified Id Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-verified-id-settings.md | Once an access package is configured with a verified ID requirement, end-users w The requestor steps are as follows: -1. Go to [myaccess.microsoft.com](HTTPS://myaccess.microsoft.com) and sign in. +1. Go to [myaccess.microsoft.com](../develop/configure-app-multi-instancing.md) and sign in. 1. Search for the access package you want to request access to (you can browse the listed packages or use the search bar at the top of the page) and select **Request**. The requestor steps are as follows: ## Next steps -[Delegate access governance to access package managers](entitlement-management-delegate-managers.md) +[Delegate access governance to access package managers](entitlement-management-delegate-managers.md) |
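Review bot: the `+` line repoints the link whose text reads `myaccess.microsoft.com` at `../develop/configure-app-multi-instancing.md`, an unrelated developer article judging by its path, while the requestor step it belongs to is "Go to myaccess.microsoft.com and sign in". The link text and the step both describe the My Access portal, so the target should remain the portal URL; if the capitalised scheme in `HTTPS://myaccess.microsoft.com` was the reason for the edit, lowercase it instead: `1. Go to [myaccess.microsoft.com](https://myaccess.microsoft.com) and sign in.`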
active-directory | How To Lifecycle Workflow Sync Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/how-to-lifecycle-workflow-sync-attributes.md | To ensure timing accuracy of scheduled workflows it's crucial to consider: 9. Back on the **Attribute mappings** screen, you should see your new attribute mapping. 10. Select **Save schema**. -For more information on attributes, see [Attribute mapping in Azure AD Connect cloud sync.](../cloud-sync/how-to-attribute-mapping.md) +For more information on attributes, see [Attribute mapping in Azure AD Connect cloud sync.](../hybrid/cloud-sync/how-to-attribute-mapping.md) ## How to create a custom sync rule in Azure AD Connect for EmployeeHireDate The following example will walk you through setting up a custom synchronization rule that synchronizes the Active Directory attribute to the employeeHireDate attribute in Azure AD. The following example will walk you through setting up a custom synchronization > [!NOTE] >- **msDS-cloudExtensionAttribute1** is an example source.->- **Starting with [Azure AD Connect 2.0.3.0](../hybrid/reference-connect-version-history.md#functional-changes-10), `employeeHireDate` is added to the default 'Out to Azure AD' rule, so steps 10-16 are not required.** ->- **Starting with [Azure AD Connect 2.1.19.0](../hybrid/reference-connect-version-history.md#functional-changes-1), `employeeLeaveDateTime` is added to the default 'Out to Azure AD' rule, so steps 10-16 aren't required.** +>- **Starting with [Azure AD Connect 2.0.3.0](../hybrid/connect/reference-connect-version-history.md#functional-changes-10), `employeeHireDate` is added to the default 'Out to Azure AD' rule, so steps 10-16 are not required.** +>- **Starting with [Azure AD Connect 2.1.19.0](../hybrid/connect/reference-connect-version-history.md#functional-changes-1), `employeeLeaveDateTime` is added to the default 'Out to Azure AD' rule, so steps 10-16 aren't required.** -For more 
information, see [How to customize a synchronization rule](../hybrid/how-to-connect-create-custom-sync-rule.md) and [Make a change to the default configuration.](../hybrid/how-to-connect-sync-change-the-configuration.md) +For more information, see [How to customize a synchronization rule](../hybrid/connect/how-to-connect-create-custom-sync-rule.md) and [Make a change to the default configuration.](../hybrid/connect/how-to-connect-sync-change-the-configuration.md) ## How to verify these attribute values in Azure AD |
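Review bot: The updated `+` lines keep the sentence period inside the link text (`[Attribute mapping in Azure AD Connect cloud sync.](...)` and `[Make a change to the default configuration.](...)`), so the rendered link includes a trailing period; since these lines are being touched anyway, move the period outside the closing bracket.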
active-directory | Identity Governance Applications Integrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-integrate.md | -Microsoft Entra identity governance can be integrated with many applications, using [standards](../fundamentals/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications and on-premises applications, including applications that your organization has developed. This deployment plan covers how to connect your application to Azure AD and enable identity governance features to be used for that application. +Microsoft Entra identity governance can be integrated with many applications, using [standards](../architecture/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications and on-premises applications, including applications that your organization has developed. This deployment plan covers how to connect your application to Azure AD and enable identity governance features to be used for that application. In order for Microsoft Entra identity governance to be used for an application, the application must first be integrated with Azure AD. An application being integrated with Azure AD means one of two requirements must be met: If neither of those criteria are met for an application, for example when the ap ## Integrate the application with Azure AD to ensure only authorized users can access the application -Typically this process of integrating an application begins when you configure that application to rely upon Azure AD for user authentication, with a federated single sign-on (SSO) protocol connection, and then add provisioning. The most commonly used protocols for SSO are [SAML and OpenID Connect](../develop/active-directory-v2-protocols.md). 
You can read more about the tools and process to [discover and migrate application authentication to Azure AD](../manage-apps/migrate-application-authentication-to-azure-active-directory.md). +Typically this process of integrating an application begins when you configure that application to rely upon Azure AD for user authentication, with a federated single sign-on (SSO) protocol connection, and then add provisioning. The most commonly used protocols for SSO are [SAML and OpenID Connect](../develop/v2-protocols.md). You can read more about the tools and process to [discover and migrate application authentication to Azure AD](../manage-apps/migrate-adfs-apps-phases-overview.md). Next, if the application implements a provisioning protocol, then you should configure Azure AD to provision users to the application, so that Azure AD can signal to the application when a user has been granted access or a user's access has been removed. These provisioning signals permit the application to make automatic corrections, such as to reassign content created by an employee who has left to their manager. Next, if the application implements a provisioning protocol, then you should con |Application supports| Next steps| |-|--| | OpenID Connect | [Add an OpenID Connect OAuth application](../saas-apps/openidoauth-tutorial.md) |- | SAML 2.0 | Register the application and configure the application with [the SAML endpoints and certificate of Azure AD](../develop/active-directory-saml-protocol-reference.md) | + | SAML 2.0 | Register the application and configure the application with [the SAML endpoints and certificate of Azure AD](../develop/saml-protocol-reference.md) | | SAML 1.1 | [Add a SAML-based application](../saas-apps/saml-tutorial.md) | * Otherwise, if this is an on-premises or IaaS hosted application that supports single sign-on, then configure single sign-on from Azure AD to the application through the application proxy. 
Next, if the application implements a provisioning protocol, then you should con | Integrated Windows Auth (IWA) | Deploy the [application proxy](../app-proxy/application-proxy.md), configure an application for [Integrated Windows authentication SSO](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md), and set firewall rules to prevent access to the application's endpoints except via the proxy.| | header-based authentication | Deploy the [application proxy](../app-proxy/application-proxy.md) and configure an application for [header-based SSO](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md) | -1. If your application has multiple roles, and relies upon Azure AD to send a user's application-specific role as a claim of a user signing into the application, then configure those application roles in Azure AD on your application. You can use the [app roles UI](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to add those roles to the application manifest. +1. If your application has multiple roles, and relies upon Azure AD to send a user's application-specific role as a claim of a user signing into the application, then configure those application roles in Azure AD on your application. You can use the [app roles UI](../develop/howto-add-app-roles-in-apps.md#app-roles-ui) to add those roles to the application manifest. 1. If the application supports provisioning, then [configure provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of assigned users and groups from Azure AD to that application. If this is a private or custom application, you can also select the integration that's most appropriate, based on the location and capabilities of the application. 
Next, if the application implements a provisioning protocol, then you should con |Application supports| Next steps| |-|--|- | Kerberos | Configure Azure AD Connect [group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md), create groups in Azure AD and [write those groups to AD](../enterprise-users/groups-write-back-portal.md) | + | Kerberos | Configure Azure AD Connect [group writeback to AD](../hybrid/connect/how-to-connect-group-writeback-v2.md), create groups in Azure AD and [write those groups to AD](../enterprise-users/groups-write-back-portal.md) | * Otherwise, if this is an on-premises or IaaS hosted application, and isn't integrated with AD, then configure provisioning to that application, either via SCIM or to the underlying database or directory of the application. Next, if the application implements a provisioning protocol, then you should con | local user accounts, stored in a SQL database | configure an application with the [provisioning agent for on-premises SQL-based applications](../app-provisioning/on-premises-sql-connector-configure.md)| | local user accounts, stored in an LDAP directory | configure an application with the [provisioning agent for on-premises LDAP-based applications](../app-provisioning/on-premises-ldap-connector-configure.md) | -1. If your application uses Microsoft Graph to query groups from Azure AD, then [consent](../develop/consent-framework.md) to the applications to have the appropriate permissions to read from your tenant. +1. If your application uses Microsoft Graph to query groups from Azure AD, then [consent](../develop/application-consent-experience.md) to the applications to have the appropriate permissions to read from your tenant. 1. Set that access to **the application is only permitted for users assigned to the application**. This setting prevents users from inadvertently seeing the application in MyApps, and attempting to sign into the application, prior to Conditional Access policies being enabled. 
|
active-directory | Identity Governance Applications Prepare | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-prepare.md | In addition to the application access governance scenario, you can also use iden ## Getting started with governing access to applications -Microsoft Entra identity governance can be integrated with many applications, using [standards](../fundamentals/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications, on-premises applications, and applications that your organization has developed. Once you've prepared your Azure AD environment, as described in the section below, the three step plan covers how to connect an application to Azure AD and enable identity governance features to be used for that application. +Microsoft Entra identity governance can be integrated with many applications, using [standards](../architecture/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications, on-premises applications, and applications that your organization has developed. Once you've prepared your Azure AD environment, as described in the section below, the three step plan covers how to connect an application to Azure AD and enable identity governance features to be used for that application. 1. [Define your organization's policies for governing access to the application](identity-governance-applications-define.md) 1. 
[Integrate the application with Azure AD](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed Before you begin the process of governing application access from Azure AD, you * **Check that Azure AD is already sending its audit log, and optionally other logs, to Azure Monitor.** Azure Monitor is optional, but useful for governing access to apps, as Azure AD only stores audit events for up to 30 days in its audit log. You can keep the audit data for longer than the default retention period, outlined in [How long does Azure AD store reporting data?](../reports-monitoring/reference-reports-data-retention.md), and use Azure Monitor workbooks and custom queries and reports on historical audit data. You can check the Azure AD configuration to see if it's using Azure Monitor, in **Azure Active Directory** in the Azure portal, by clicking on **Workbooks**. If this integration isn't configured, and you have an Azure subscription and are in the `Global Administrator` or `Security Administrator` roles, you can [configure Azure AD to use Azure Monitor](../governance/entitlement-management-logs-and-reporting.md). -* **Make sure only authorized users are in the highly privileged administrative roles in your Azure AD tenant.** Administrators in the *Global Administrator*, *Identity Governance Administrator*, *User Administrator*, *Application Administrator*, *Cloud Application Administrator* and *Privileged Role Administrator* can make changes to users and their application role assignments. If the memberships of those roles haven't yet been recently reviewed, you need a user who is in the *Global Administrator* or *Privileged Role Administrator* to ensure that [access review of these directory roles](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md) are started. 
You should also ensure that users in Azure roles in subscriptions that hold the Azure Monitor, Logic Apps and other resources needed for the operation of your Azure AD configuration have been reviewed. +* **Make sure only authorized users are in the highly privileged administrative roles in your Azure AD tenant.** Administrators in the *Global Administrator*, *Identity Governance Administrator*, *User Administrator*, *Application Administrator*, *Cloud Application Administrator* and *Privileged Role Administrator* can make changes to users and their application role assignments. If the memberships of those roles haven't yet been recently reviewed, you need a user who is in the *Global Administrator* or *Privileged Role Administrator* to ensure that [access review of these directory roles](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) are started. You should also ensure that users in Azure roles in subscriptions that hold the Azure Monitor, Logic Apps and other resources needed for the operation of your Azure AD configuration have been reviewed. -* **Check your tenant has appropriate isolation.** If your organization is using Active Directory on-premises, and these AD domains are connected to Azure AD, then you need to ensure that highly privileged administrative operations for cloud-hosted services are isolated from on-premises accounts. Check that you've [configured your systems to protect your Microsoft 365 cloud environment from on-premises compromise](../fundamentals/protect-m365-from-on-premises-attacks.md). +* **Check your tenant has appropriate isolation.** If your organization is using Active Directory on-premises, and these AD domains are connected to Azure AD, then you need to ensure that highly privileged administrative operations for cloud-hosted services are isolated from on-premises accounts. 
Check that you've [configured your systems to protect your Microsoft 365 cloud environment from on-premises compromise](../architecture/protect-m365-from-on-premises-attacks.md). Once you have checked your Azure AD environment is ready, then proceed to [define the governance policies](identity-governance-applications-define.md) for your applications. Once you have checked your Azure AD environment is ready, then proceed to [defin - [Define governance policies](identity-governance-applications-define.md) - [Integrate an application with Azure AD](identity-governance-applications-integrate.md) - [Deploy governance policies](identity-governance-applications-deploy.md)- |
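Review bot: The `+` line in the privileged-roles bullet still reads `ensure that [access review of these directory roles](...) are started`, a singular subject with a plural verb; since the link target is being updated, make it `access reviews of these directory roles ... are started`.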
active-directory | Identity Governance Organizational Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-organizational-roles.md | Role-based access control (RBAC) provides a framework for classifying users and In Azure AD, you can use role models in several ways to manage access at scale through identity governance. * You can use access packages to represent organizational roles in your organization, such as "sales representative". An access package representing that organizational role would include all the access rights that a sales representative might typically need, across multiple resources.- * Applications [can define their own roles](../develop/howto-add-app-roles-in-azure-ad-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md). + * Applications [can define their own roles](../develop/howto-add-app-roles-in-apps.md). For example, if you had a sales application, and that application included the app role "salesperson", you could then [include that role in an access package](entitlement-management-access-package-resources.md). * You can use roles for [delegating administrative access](entitlement-management-delegate.md). If you have a catalog for all the access packages needed by sales, you could assign someone to be responsible for that catalog, by assigning them a catalog-specific role. This article discusses how to model organizational roles, using entitlement management access packages, so you can migrate your role definitions to Azure AD to enforce access. |
active-directory | Identity Governance Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-overview.md | In addition to the features listed above, additional Microsoft Entra features fr |Access requests|End users can request group membership or application access. End users, including guests from other organizations, can request access to access packages.|[Entitlement management](entitlement-management-overview.md)| |Workflow|Resource owners can define the approvers and escalation approvers for access requests and approvers for role activation requests. |[Entitlement management](entitlement-management-overview.md) and [PIM](../privileged-identity-management/pim-configure.md)| |Policy and role management|Admin can define Conditional Access policies for run-time access to applications. Resource owners can define policies for user's access via access packages.|[Conditional Access](../conditional-access/overview.md) and [Entitlement management](entitlement-management-overview.md) policies|-|Access certification|Admins can enable recurring access recertification for: SaaS apps, on-premises apps, cloud group memberships, Azure AD or Azure Resource role assignments. Automatically remove resource access, block guest access and delete guest accounts.|[Access reviews](access-reviews-overview.md), also surfaced in [PIM](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)| +|Access certification|Admins can enable recurring access recertification for: SaaS apps, on-premises apps, cloud group memberships, Azure AD or Azure Resource role assignments. 
Automatically remove resource access, block guest access and delete guest accounts.|[Access reviews](access-reviews-overview.md), also surfaced in [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)| |Fulfillment and provisioning|Automatic provisioning and deprovisioning into Azure AD connected apps, including via SCIM, LDAP, SQL and into SharePoint Online sites. |[user provisioning](../app-provisioning/user-provisioning.md)| |Reporting and analytics|Admins can retrieve audit logs of recent user provisioning and sign on activity. Integration with Azure Monitor and 'who has access' via access packages.|[Azure AD reports](../reports-monitoring/overview-reports.md) and [monitoring](../reports-monitoring/overview-monitoring.md)| |Privileged access|Just-in-time and scheduled access, alerting, approval workflows for Azure AD roles (including custom roles) and Azure Resource roles.|[Azure AD PIM](../privileged-identity-management/pim-configure.md)| |
active-directory | Licensing Fundamentals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/licensing-fundamentals.md | The following licenses are available for use with Microsoft Entra ID Governance. - **Microsoft Entra ID Governance** - Entra ID Governance is an advanced set of identity governance capabilities available for Microsoft Entra ID P1 and P2 customers, as two products **Microsoft Entra ID Governance** and **Microsoft Entra ID Governance Step Up for Microsoft Entra ID P2**. >[!NOTE]->Microsoft Entra ID Governance scenarios may depends upon other features that are not covered by Microsoft Entra ID Governance. These features may have additional licensing requirements. See [Governance capabilities in other Microsoft Entra features](identity-governance-overview.md#governance-capabilities-in-other-microsoft-entra-features) for more information on governance scenarios that rely on additional features. +>Microsoft Entra ID Governance scenarios may depends upon other features that aren't covered by Microsoft Entra ID Governance. These features may have additional licensing requirements. See [Governance capabilities in other Microsoft Entra features](identity-governance-overview.md#governance-capabilities-in-other-microsoft-entra-features) for more information on governance scenarios that rely on additional features. ### Prerequisites The following table shows what features are available with each license. Note t |Identity governance dashboard - Public Preview||x|x|x| |Insights and reporting - Inactive guest accounts (Preview)||||x| ++## Privileged Identity Management ++To use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. 
To use Privileged Identity Management, you must have one of the following licenses: +++### Valid licenses for PIM ++You'll need either Microsoft Entra ID Governance licenses or Azure AD Premium P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles with a Microsoft Entra Premium P2 or Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and additional licenses may be required. ++### Licenses you must have for PIM +Ensure that your directory has Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for the following categories of users: ++- Users with eligible and/or time-bound assignments to Azure AD or Azure roles managed using PIM +- Users with eligible and/or time-bound assignments as members or owners of PIM for Groups +- Users able to approve or reject activation requests in PIM +- Users assigned to an access review +- Users who perform access reviews +++### Example license scenarios for PIM ++Here are some example license scenarios to help you determine the number of licenses you must have. ++| Scenario | Calculation | Number of licenses | +| | | | +| Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 | +| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 | +| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. 
Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the users' managers of which six aren't in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 | ++### When a license expires for PIM ++If a Microsoft Azure AD Premium P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory: ++- Permanent role assignments to Azure AD roles will be unaffected. +- The Privileged Identity Management service in the Azure portal, as well as the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles. +- Eligible role assignments of Azure AD roles will be removed, as users will no longer be able to activate privileged roles. +- Any ongoing access reviews of Azure AD roles will end, and Privileged Identity Management configuration settings will be removed. +- Privileged Identity Management will no longer send emails on role assignment changes. + ## Next steps - [What is Microsoft Entra ID Governance?](identity-governance-overview.md) |
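Review bot: The `+` line in the note block keeps the grammatical error `scenarios may depends upon` from the `-` line; while the sentence is being rewritten (`that aren't covered`), change it to `may depend upon`. In the added PIM section, the example table's separator row is `| | | |`, which needs dashes (`|---|---|---|`) to render as a table, and the sentence `This article describes the license requirements to use Privileged Identity Management` reads as copied from a standalone PIM licensing article; reword it as `This section describes ...` now that it lives under licensing fundamentals. The expiry paragraph also says `Microsoft Azure AD Premium P2` where the rest of the section says `Azure AD Premium P2` or `Microsoft Entra Premium P2`; use one name consistently.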
active-directory | Lifecycle Workflow Tasks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflow-tasks.md | Example of usage within the workflow: ### Add user to groups -Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md). +Allows users to be added to Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/connect/how-to-connect-group-writeback-v2.md). You're able to customize the task name and description for this task. For Microsoft Graph, the parameters for the **Disable user account** task are as ### Remove user from selected groups -Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md). +Allows users to be removed from Microsoft 365 and cloud-only security groups. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/connect/how-to-connect-group-writeback-v2.md). You're able to customize the task name and description for this task in the Azure portal. 
For Microsoft Graph, the parameters for the **Remove user from selected groups** ### Remove users from all groups -Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/how-to-connect-group-writeback-v2.md). +Allows users to be removed from every Microsoft 365 and cloud-only security group they're a member of. Mail-enabled, distribution, dynamic and role-assignable groups aren't supported. To control access to on-premises applications and resources, you need to enable group writeback. For more information, see [Azure AD Connect group writeback](../hybrid/connect/how-to-connect-group-writeback-v2.md). Example of usage within the workflow: - [Manage lifecycle workflows properties](manage-workflow-properties.md) - [Manage lifecycle workflow versions](manage-workflow-tasks.md)- |
active-directory | Lifecycle Workflows Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflows-deployment.md | Lifecycle Workflows are an [Azure AD Identity Governance](identity-governance-ov Planning your Lifecycle Workflow deployment is essential to make sure you achieve your desired governance strategy for users in your organization. -For more information on deployment plans, see [Azure AD deployment plans](../fundamentals/deployment-plans.md) +For more information on deployment plans, see [Azure AD deployment plans](../architecture/deployment-plans.md) ## License requirements Consider your organizational needs to determine the strategy for deploying Lifec ### Engage the right stakeholders -When technology projects fail, they typically do so because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/deployment-plans.md) and that project roles are clear. +When technology projects fail, they typically do so because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../architecture/deployment-plans.md) and that project roles are clear. 
For Lifecycle Workflows, you'll likely include representatives from the following teams within your organization: The following information is important information about your organization and t |Item|Description|Documentation| |--|--|--|-|Inbound Provisioning|You have a process to create user accounts for employees in Azure AD such as HR inbound, SuccessFactors, or MIM.<br><br> Alternatively you have a process to create user accounts in Active Directory and those accounts are provisioned to Azure AD.|[Workday to Active Directory](../saas-apps/workday-inbound-tutorial.md)<br><br>[Workday to Azure AD](../saas-apps/workday-inbound-tutorial.md)<br><br>[SuccessFactors to Active Directory](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)</br></br>[SuccessFactors to Azure AD](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)<br><br>[Azure AD Connect](../hybrid/whatis-azure-ad-connect-v2.md)<br><br>[Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md)| +|Inbound Provisioning|You have a process to create user accounts for employees in Azure AD such as HR inbound, SuccessFactors, or MIM.<br><br> Alternatively you have a process to create user accounts in Active Directory and those accounts are provisioned to Azure AD.|[Workday to Active Directory](../saas-apps/workday-inbound-tutorial.md)<br><br>[Workday to Azure AD](../saas-apps/workday-inbound-tutorial.md)<br><br>[SuccessFactors to Active Directory](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)</br></br>[SuccessFactors to Azure AD](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)<br><br>[Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect-v2.md)<br><br>[Azure AD Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md)| |Attribute synchronization|The accounts in Azure AD have the employeeHireDate and employeeLeaveDateTime attributes populated. 
The values may be populated when the accounts are created from an HR system or synchronized from AD using Azure AD Connect or cloud sync. You have extra attributes that are used to determine the scope such as department, populated or the ability to populate, with data.|[How to synchronize attributes for Lifecycle Workflows](how-to-lifecycle-workflow-sync-attributes.md) ## Understanding parts of a workflow In your pilot, we recommend that you: * Start with Lifecycle Workflows where the results are applied to a small subset of users. * Monitor audit logs to ensure all events are properly audited. -For more information, see [Best practices for a pilot.](../fundamentals/deployment-plans.md). +For more information, see [Best practices for a pilot.](../architecture/deployment-plans.md). Learn about the following related technologies: * [How to synchronize attributes for Lifecycle Workflows](how-to-lifecycle-workflow-sync-attributes.md) * [Understanding Lifecycle Workflows](understanding-lifecycle-workflows.md)-* [Lifecycle Workflow templates.](lifecycle-workflow-templates.md) +* [Lifecycle Workflow templates.](lifecycle-workflow-templates.md) |
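Review bot: the Inbound Provisioning row still points both Workday links, "Workday to Active Directory" and "Workday to Azure AD", at the same file, `../saas-apps/workday-inbound-tutorial.md`, while the neighbouring SuccessFactors pair correctly distinguishes the on-premises tutorial (`sap-successfactors-inbound-provisioning-tutorial.md`) from the cloud-only one (`sap-successfactors-inbound-provisioning-cloud-only-tutorial.md`); since this row is being rewritten for the Azure AD Connect and cloud sync paths anyway, either point the second Workday link at the cloud-only Workday tutorial, if one exists, or drop the duplicate. In the same cell, `</br></br>` between the two SuccessFactors links is a closing tag with no opening tag and not valid HTML; use `<br><br>` as the rest of the cell does. Lastly, the rewritten pilot sentence reads `[Best practices for a pilot.](../architecture/deployment-plans.md).`, with a period both inside and outside the link text, and the added templates bullet has the same period-inside-brackets pattern; move the periods outside the link text.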
active-directory | Manage Access Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-access-review.md | -> This article discusses conducting access reviews for users and applications. To see information on conducting an access review for multiple resources in access packages see here [Review access of an access package in Azure AD entitlement management](entitlement-management-access-reviews-review-access.md). If you want to review user or service principal access to Azure AD or Azure resource roles, see [Start an access review in Azure AD Privileged Identity Management](../privileged-identity-management/pim-how-to-start-security-review.md). +> This article discusses conducting access reviews for users and applications. To see information on conducting an access review for multiple resources in access packages see here [Review access of an access package in Azure AD entitlement management](entitlement-management-access-reviews-review-access.md). If you want to review user or service principal access to Azure AD or Azure resource roles, see [Start an access review in Azure AD Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). ## Prerequisites In some organizations, guests might not be aware of their group memberships. ## Next steps [Create an access review of groups or applications](create-access-review.md)-- |
active-directory | Manage Guest Access With Access Reviews | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-guest-access-with-access-reviews.md | With access reviews, you can easily enable collaboration across organizational b You also can easily ensure that guest users have appropriate access. You can ask the guests themselves or a decision maker to participate in an access review and re-certify (or attest) to the guests' access. The reviewers can give their input on each user's need for continued access, based on suggestions from Azure AD. When an access review is finished, you can then make changes and remove access for guests who no longer need it. > [!NOTE]-> This document focuses on reviewing guest users' access. If you want to review all users' access, not just guests, see [Manage user access with access reviews](manage-user-access-with-access-reviews.md). If you want to review users' membership in administrative roles, such as global administrator, see [Start an access review in Azure AD Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md). +> This document focuses on reviewing guest users' access. If you want to review all users' access, not just guests, see [Manage user access with access reviews](manage-user-access-with-access-reviews.md). If you want to review users' membership in administrative roles, such as global administrator, see [Start an access review in Azure AD Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). ## Prerequisites You can use access reviews to ensure that users who were invited and added to a 5. If the group isn't used for access management, you also can remove users who weren't selected to participate in the review because they didn't accept their invitation. Not accepting might indicate that the invited user's email address had a typo. 
If a group is used as a distribution list, perhaps some guest users weren't selected to participate because they're contact objects. -### Ask a sponsor to review a guest's membership in a group +### Ask an authorized user to review a guest's membership in a group -You can ask a sponsor, such as the owner of a group, to review a guest's need for continued membership in a group. +You can ask an authorized user, such as the owner of a group, to review a guest's need for continued membership in a group. 1. To create an access review for the group, select the review to include guest user members only. Then specify one or more reviewers. For more information, see [Create an access review of groups or applications](create-access-review.md). You can use access reviews to ensure that users who were invited for a particula 4. In addition to users who denied their own need for continued access, you also can remove guest users who didn't respond. Non-responding users potentially no longer receive email. You also can remove guest users who weren't selected to participate, especially if they weren't recently invited. Those users didn't accept their invitation and so didn't have access to the application. -### Ask a sponsor to review a guest's access to an application +### Ask an authorized user to review a guest's access to an application -You can ask a sponsor, such as the owner of an application, to review guest's need for continued access to the application. +You can ask an authorized user, such as the owner of an application, to review guest's need for continued access to the application. 1. To create an access review for the application, select the review to include guests only. Then specify one or more users as reviewers. For more information, see [Create an access review of groups or applications](create-access-review.md). 
This will immediately block sign in to the guest user account and then automatic ## Next steps -- [Create an access review of groups or applications](create-access-review.md)+- [Create an access review of groups or applications](create-access-review.md) |
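Review bot: renaming the two headings from "Ask a sponsor to review ..." to "Ask an authorized user to review ..." changes their generated anchors (of the form `#ask-a-sponsor-to-review-a-guests-membership-in-a-group` and `#ask-a-sponsor-to-review-a-guests-access-to-an-application`), so any link into those sections from other articles or the TOC will silently land at the top of the page; grep the repo for the old anchors before merging, or keep the old heading text as a hidden anchor. Also, the rewritten sentence under the second new heading still reads "to review guest's need for continued access", which should be "a guest's need" (the group variant two paragraphs up already has the article).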
active-directory | Manage User Access With Access Reviews | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/manage-user-access-with-access-reviews.md | -> If you want to review only guest users' access and not review all types of users' access, see [Manage guest user access with access reviews](manage-guest-access-with-access-reviews.md). If you want to review users' membership in administrative roles such as global administrator, see [Start an access review in Azure AD Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md). +> If you want to review only guest users' access and not review all types of users' access, see [Manage guest user access with access reviews](manage-guest-access-with-access-reviews.md). If you want to review users' membership in administrative roles such as global administrator, see [Start an access review in Azure AD Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). ## Prerequisites You can have one or more users as reviewers in an access review. ## Next steps -[Create an access review of groups or applications](create-access-review.md) +[Create an access review of groups or applications](create-access-review.md) |
active-directory | Tutorial Prepare User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/tutorial-prepare-user-accounts.md | The off-boarding tutorials only require one account that has group and Teams mem ## Before you begin -In most cases, users are going to be provisioned to Azure AD either from an on-premises solution (such as Azure AD Connect or Cloud sync) or with an HR solution. These users have the attributes and values populated at the time of creation. Setting up the infrastructure to provision users is outside the scope of this tutorial. For information, see [Tutorial: Basic Active Directory environment](../cloud-sync/tutorial-basic-ad-azure.md) and [Tutorial: Integrate a single forest with a single Azure AD tenant](../cloud-sync/tutorial-single-forest.md) +In most cases, users are going to be provisioned to Azure AD either from an on-premises solution (such as Azure AD Connect or Cloud sync) or with an HR solution. These users have the attributes and values populated at the time of creation. Setting up the infrastructure to provision users is outside the scope of this tutorial. For information, see [Tutorial: Basic Active Directory environment](../hybrid/cloud-sync/tutorial-basic-ad-azure.md) and [Tutorial: Integrate a single forest with a single Azure AD tenant](../hybrid/cloud-sync/tutorial-single-forest.md) ## Create users in Azure AD The manager attribute is used for email notification tasks. It's used by the li :::image type="content" source="media/tutorial-lifecycle-workflows/graph-get-manager.png" alt-text="Screenshot of getting a manager in Graph explorer." lightbox="media/tutorial-lifecycle-workflows/graph-get-manager.png"::: -For more information about updating manager information for a user in Graph API, see [assign manager](/graph/api/user-post-manager?view=graph-rest-1.0&tabs=http&preserve-view=true) documentation. You can also set this attribute in the Azure Admin center. 
For more information, see [add or change profile information](../fundamentals/active-directory-users-profile-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). +For more information about updating manager information for a user in Graph API, see [assign manager](/graph/api/user-post-manager?view=graph-rest-1.0&tabs=http&preserve-view=true) documentation. You can also set this attribute in the Azure Admin center. For more information, see [add or change profile information](../fundamentals/how-to-manage-user-profile-info.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context). ### Enabling the Temporary Access Pass (TAP) |
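Review bot: the rewritten manager paragraph says the attribute can also be set "in the Azure Admin center", which is not a product name; it should be the Azure portal (or whichever admin center the linked `how-to-manage-user-profile-info.md` article actually describes), and "Azure AD", "Azure AD Connect" and "Cloud sync" in the same row should keep consistent capitalization ("cloud sync", as the linked article titles use). While this row is being touched, the "Before you begin" sentence still ends on the second tutorial link with no terminating period.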
active-directory | Custom Attribute Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/custom-attribute-mapping.md | -For additional information on directory extensions see [Using directory extension attributes in claims](../../develop/active-directory-schema-extensions.md) +For additional information on directory extensions see [Using directory extension attributes in claims](../../develop/schema-extensions.md) You can see the available attributes by using [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). You can also use this feature to create dynamic groups in Azure AD. For more information on extension attributes, see [Syncing extension attributes - [Understand the Azure AD schema and custom expressions](concept-attributes.md) - [Azure AD Connect sync: Directory extensions](../connect/how-to-connect-sync-feature-directory-extensions.md)-- [Attribute mapping in Azure AD Connect cloud sync](how-to-attribute-mapping.md)+- [Attribute mapping in Azure AD Connect cloud sync](how-to-attribute-mapping.md) |
active-directory | How To Cloud Sync Workbook | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-cloud-sync-workbook.md | You can create custom queries and show the data on Azure dashboards. To learn ho Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong. -To learn more about alerts, see [Azure Monitor Log Alerts](../../../azure-monitor/alerts/alerts-log.md). +To learn more about alerts, see [Azure Monitor Log Alerts](../../../azure-monitor/alerts/alerts-create-new-alert-rule.md). ## Next steps - [What is provisioning?](../what-is-provisioning.md) - [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md) - [Known limitations](how-to-prerequisites.md#known-limitations)-- [Error codes](reference-error-codes.md)+- [Error codes](reference-error-codes.md) |
active-directory | How To Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-prerequisites.md | For more information on how to prepare your Active Directory for group Managed S ### In the Azure portal -1. Create a cloud-only hybrid identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. Learn about how to [add a cloud-only hybrid identity administrator account](../../fundamentals/add-users-azure-active-directory.md). Finishing this step is critical to ensure that you don't get locked out of your tenant. +1. Create a cloud-only hybrid identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. Learn about how to [add a cloud-only hybrid identity administrator account](../../fundamentals/add-users.md). Finishing this step is critical to ensure that you don't get locked out of your tenant. 1. Add one or more [custom domain names](../../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names. ### In your directory in Active Directory |
active-directory | Tutorial Existing Forest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-existing-forest.md | In this scenario, there's an existing forest synced using Azure AD Connect sync ## Prerequisites ### In the Azure portal -1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant. +1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../../fundamentals/add-users.md). Completing this step is critical to ensure that you don't get locked out of your tenant. 2. Add one or more [custom domain names](../../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names. ### In your on-premises environment |
active-directory | Tutorial Single Forest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-single-forest.md | You can use the environment you create in this tutorial for testing or for getti ### In the Azure portal -1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant. +1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../../fundamentals/add-users.md). Completing this step is critical to ensure that you don't get locked out of your tenant. 2. Add one or more [custom domain names](../../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names. ### In your on-premises environment |
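Review bot: this row and the preceding Tutorial Existing Forest row keep "cloud-only global administrator account" for the lockout-prevention account, while the How To Prerequisites row for the same cloud sync feature, edited in this same change set, calls it a "cloud-only hybrid identity administrator account". The three articles describe one prerequisite and should agree. Hybrid Identity Administrator is the less privileged of the two roles and is sufficient to configure Azure AD Connect cloud sync, so prefer it in both tutorials, or state explicitly why Global Administrator is required; an account that exists only to avoid lockout should carry the minimum role that can repair the sync configuration. The new `../../fundamentals/add-users.md` target is consistent across all three rows, which is fine.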
active-directory | Choose Ad Authn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/choose-ad-authn.md | The following diagrams outline the high-level architecture components required f |What user account states are supported?|Disabled accounts<br>(up to 30-minute delay)|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours| |What are the Conditional Access options?|[Azure AD Conditional Access, with Azure AD Premium](../../conditional-access/overview.md)|[Azure AD Conditional Access, with Azure AD Premium](../../conditional-access/overview.md)|[Azure AD Conditional Access, with Azure AD Premium](../../conditional-access/overview.md)<br><br>[AD FS claim rules](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator)| |Is blocking legacy protocols supported?|[Yes](../../conditional-access/overview.md)|[Yes](../../conditional-access/overview.md)|[Yes](/windows-server/identity/ad-fs/operations/access-control-policies-w2k12)|-|Can you customize the logo, image, and description on the sign-in pages?|[Yes, with Azure AD Premium](../../fundamentals/customize-branding.md)|[Yes, with Azure AD Premium](../../fundamentals/customize-branding.md)|[Yes](how-to-connect-fed-management.md)| +|Can you customize the logo, image, and description on the sign-in pages?|[Yes, with Azure AD Premium](../../fundamentals/how-to-customize-branding.md)|[Yes, with Azure AD Premium](../../fundamentals/how-to-customize-branding.md)|[Yes](how-to-connect-fed-management.md)| |What advanced scenarios are supported?|[Smart password lockout](../../authentication/howto-password-smart-lockout.md)<br><br>[Leaked credentials reports, with Azure AD Premium P2](../../identity-protection/overview-identity-protection.md)|[Smart password 
lockout](../../authentication/howto-password-smart-lockout.md)|Multisite low-latency authentication system<br><br>[AD FS extranet lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection)<br><br>[Integration with third-party identity systems](how-to-connect-fed-compatibility.md)| > [!NOTE] Consider each authentication method. Does the effort to deploy the solution, and In today's world, threats are present 24 hours a day and come from everywhere. Implement the correct authentication method, and it will mitigate your security risks and protect your identities. -[Get started](../../fundamentals/active-directory-whatis.md) with Azure AD and deploy the right authentication solution for your organization. +[Get started](../../fundamentals/whatis.md) with Azure AD and deploy the right authentication solution for your organization. -If you're thinking about migrating from federated to cloud authentication, learn more about [changing the sign-in method](plan-connect-user-signin.md). To help you plan and implement the migration, use [these project deployment plans](../../fundamentals/deployment-plans.md), or consider using the new [Staged Rollout](how-to-connect-staged-rollout.md) feature to migrate federated users to using cloud authentication in a staged approach. +If you're thinking about migrating from federated to cloud authentication, learn more about [changing the sign-in method](plan-connect-user-signin.md). To help you plan and implement the migration, use [these project deployment plans](../../architecture/deployment-plans.md), or consider using the new [Staged Rollout](how-to-connect-staged-rollout.md) feature to migrate federated users to using cloud authentication in a staged approach. |
active-directory | Cloud Governed Management For On Premises | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/cloud-governed-management-for-on-premises.md | To begin migrating federated applications to Azure AD as the identity provider, * The white paper [Migrating Your Applications to Azure Active Directory](https://aka.ms/migrateapps/whitepaper), which presents the benefits of migration and describes how to plan for migration in four clearly-outlined phases: discovery, classification, migration, and ongoing management. You'll be guided through how to think about the process and break down your project into easy-to-consume pieces. Throughout the document are links to important resources that will help you along the way. -* The solution guide [Migrating Application Authentication from Active Directory Federation Services to Azure Active Directory](../../manage-apps/migrate-adfs-apps-to-azure.md) explores in more detail the same four phases of planning and executing an application migration project. In this guide, you'll learn how to apply those phases to the specific goal of moving an application from Active Directory Federation Services (AD FS) to Azure AD. +* The solution guide [Migrating Application Authentication from Active Directory Federation Services to Azure Active Directory](../../manage-apps/migrate-adfs-apps-stages.md) explores in more detail the same four phases of planning and executing an application migration project. In this guide, you'll learn how to apply those phases to the specific goal of moving an application from Active Directory Federation Services (AD FS) to Azure AD. * The [Active Directory Federation Services Migration Readiness Script](https://aka.ms/migrateapps/adfstools) can be run on existing on-premises Active Directory Federation Services (AD FS) servers to determine the readiness of applications for migration to Azure AD. |
active-directory | Four Steps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/four-steps.md | Likewise, the [Self-service Password Management report](../../authentication/how ### Self-service app management -Before your users can self-discover applications from their access panel, you need to enable [self-service application access](../../manage-apps/access-panel-manage-self-service-access.md) to any applications that you wish to allow users to self-discover and request access to them. The request can optionally require approval before access being granted. +Before your users can self-discover applications from their access panel, you need to enable [self-service application access](../../manage-apps/manage-self-service-access.md) to any applications that you wish to allow users to self-discover and request access to them. The request can optionally require approval before access being granted. ### Self-service group management We recommend that you print the following checklist for reference as you begin y Learn how you can increase your secure posture using the capabilities of Azure Active Directory and this five-step checklist - [Five steps to securing your identity infrastructure](../../../security/fundamentals/steps-secure-identity.md). -Learn how the identity features in Azure AD can help you accelerate your transition to cloud governed management by providing the solutions and capabilities that allow organizations to quickly adopt and move more of their identity management from traditional on-premises systems to Azure AD - [How Azure AD Delivers Cloud Governed Management for on-premises Workloads](./cloud-governed-management-for-on-premises.md). 
+Learn how the identity features in Azure AD can help you accelerate your transition to cloud governed management by providing the solutions and capabilities that allow organizations to quickly adopt and move more of their identity management from traditional on-premises systems to Azure AD - [How Azure AD Delivers Cloud Governed Management for on-premises Workloads](./cloud-governed-management-for-on-premises.md). |
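Review bot: the removed and added "Learn how the identity features in Azure AD ..." lines are identical in visible content, so this hunk changes only whitespace (most likely a trailing newline or line ending); that is acceptable, but confirm it is not an accidental CRLF conversion of the whole file before merging. Unrelated but in the touched context: "increase your secure posture" should read "security posture".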
active-directory | How To Connect Fed Group Claims | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-group-claims.md | Azure Active Directory (Azure AD) can provide a user's group membership informat ## Important caveats for this functionality - Support for use of `sAMAccountName` and security identifier (SID) attributes synced from on-premises is designed to enable moving existing applications from Active Directory Federation Services (AD FS) and other identity providers. Groups managed in Azure AD don't contain the attributes necessary to emit these claims.-- In order to avoid the number of groups limit if your users have large numbers of group memberships, you can restrict the groups emitted in claims to the relevant groups for the application. Read more about emitting groups assigned to the application for [JWT tokens](../../develop\active-directory-optional-claims.md#configuring-groups-optional-claims) and [SAML tokens](#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration). If assigning groups to your applications is not possible, you can also configure a [group filter](#group-filtering) to reduce the number of groups emitted in the claim. Group filtering applies to tokens emitted for apps where group claims and filtering were configured in the **Enterprise apps** blade in the portal.+- In order to avoid the number of groups limit if your users have large numbers of group memberships, you can restrict the groups emitted in claims to the relevant groups for the application. Read more about emitting groups assigned to the application for [JWT tokens](../../develop/optional-claims.md#configure-groups-optional-claims) and [SAML tokens](#add-group-claims-to-tokens-for-saml-applications-using-sso-configuration). If assigning groups to your applications is not possible, you can also configure a [group filter](#group-filtering) to reduce the number of groups emitted in the claim. 
Group filtering applies to tokens emitted for apps where group claims and filtering were configured in the **Enterprise apps** blade in the portal. - Group claims have a five-group limit if the token is issued through the implicit flow. Tokens requested via the implicit flow will have a `"hasgroups":true` claim only if the user is in more than five groups. - We recommend basing in-app authorization on application roles rather than groups when: However, if an existing application expects to consume group information via cla - When you're using group membership for in-application authorization, it's preferable to use the group `ObjectID` attribute. The group `ObjectID` attribute is immutable and unique in Azure AD. It's available for all groups. - If you're using the on-premises group `sAMAccountName` attribute for authorization, use domain-qualified names. It reduces the chance of names clashing. `sAMAccountName` might be unique within an Active Directory domain, but if more than one Active Directory domain is synchronized with an Azure AD tenant, there's a possibility for more than one group to have the same name.-- Consider using [application roles](../../develop/howto-add-app-roles-in-azure-ad-apps.md) to provide a layer of indirection between the group membership and the application. The application then makes internal authorization decisions based on role claims in the token.+- Consider using [application roles](../../develop/howto-add-app-roles-in-apps.md) to provide a layer of indirection between the group membership and the application. The application then makes internal authorization decisions based on role claims in the token. - If the application is configured to get group attributes that are synced from Active Directory and a group doesn't contain those attributes, it won't be included in the claims. 
- Group claims in tokens include nested groups, except when you're using the option to restrict the group claims to groups that are assigned to the application. After you add a group claim configuration to the **User Attributes & Claims** co ## Configure the Azure AD application registration for group attributes -You can also configure group claims in the [optional claims](../../develop/active-directory-optional-claims.md) section of the [application manifest](../../develop/reference-app-manifest.md). +You can also configure group claims in the [optional claims](../../develop/optional-claims.md) section of the [application manifest](../../develop/reference-app-manifest.md). 1. In the portal, select **Azure Active Directory** > **Application Registrations** > **Select Application** > **Manifest**. Emit group names to be returned in `NetbiosDomain\sAMAccountName` format as the - [Add authorization using groups & group claims to an ASP.NET Core web app (code sample)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) - [Assign a user or group to an enterprise app](../../manage-apps/assign-user-or-group-access-portal.md)-- [Configure role claims](../../develop/active-directory-enterprise-app-role-management.md)+- [Configure role claims](../../develop/enterprise-app-role-management.md) |
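Review bot: the rewritten caveat changes the fragment from `#configuring-groups-optional-claims` to `#configure-groups-optional-claims` at the same time as the file rename to `optional-claims.md`; confirm that heading actually exists in the renamed article, since a stale fragment does not break the link the way a wrong path does and is easy to miss. The same line also fixes the backslash in `../../develop\active-directory-optional-claims.md`, which was a real broken link, so the hunk is worth keeping even if the fragment needs a second adjustment.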
active-directory | How To Connect Health Agent Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-agent-install.md | The following table lists requirements for using Azure AD Connect Health: | Requirement | Description | | | |-| You have an Azure Active Directory (Azure AD) Premium (P1 or P2) Subscription. |Azure AD Connect Health is a feature of Azure AD Premium (P1 or P2). For more information, see [Sign up for Azure AD Premium](../../fundamentals/active-directory-get-started-premium.md). <br /><br />To start a free 30-day trial, see [Start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). | -| You're a global administrator in Azure AD. |Currently, only Global Administrator accounts can install and configure health agents. For more information, see [Administering your Azure AD directory](../../fundamentals/active-directory-whatis.md). <br /><br /> By using Azure role-based access control (Azure RBAC), you can allow other users in your organization to access Azure AD Connect Health. For more information, see [Azure RBAC for Azure AD Connect Health](how-to-connect-health-operations.md#manage-access-with-azure-rbac). <br /><br />**Important**: Use a work or school account to install the agents. You can't use a Microsoft account to install the agents. For more information, see [Sign up for Azure as an organization](../../fundamentals/sign-up-organization.md). | +| You have an Azure Active Directory (Azure AD) Premium (P1 or P2) Subscription. |Azure AD Connect Health is a feature of Azure AD Premium (P1 or P2). For more information, see [Sign up for Azure AD Premium](../../fundamentals/get-started-premium.md). <br /><br />To start a free 30-day trial, see [Start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). | +| You're a global administrator in Azure AD. 
|Currently, only Global Administrator accounts can install and configure health agents. For more information, see [Administering your Azure AD directory](../../fundamentals/whatis.md). <br /><br /> By using Azure role-based access control (Azure RBAC), you can allow other users in your organization to access Azure AD Connect Health. For more information, see [Azure RBAC for Azure AD Connect Health](how-to-connect-health-operations.md#manage-access-with-azure-rbac). <br /><br />**Important**: Use a work or school account to install the agents. You can't use a Microsoft account to install the agents. For more information, see [Sign up for Azure as an organization](../../fundamentals/sign-up-organization.md). | | The Azure AD Connect Health agent is installed on each targeted server. | Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities. <br /><br />For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and on the Web Application Proxy server. Similarly, to get data from your on-premises Azure Active Directory Domain Services (Azure AD DS) infrastructure, you must install the agent on the domain controllers. | | The Azure service endpoints have outbound connectivity. | During installation and runtime, the agent requires connectivity to Azure AD Connect Health service endpoints. If firewalls block outbound connectivity, add the [outbound connectivity endpoints](how-to-connect-health-agent-install.md#outbound-connectivity-to-azure-service-endpoints) to an allowlist. | |Outbound connectivity is based on IP addresses. | For information about firewall filtering based on IP addresses, see [Azure IP ranges](https://www.microsoft.com/download/details.aspx?id=56519).| |
active-directory | How To Connect Health Diagnose Sync Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-diagnose-sync-errors.md | The sync error will be resolved after the next sync. Connect Health will no long ## Failures and error messages **User with conflicting attribute is soft deleted in the Azure Active Directory. Ensure the user is hard deleted before retry.** -The user with conflicting attribute in Azure AD should be cleaned before you can apply fix. Check out [how to delete the user permanently in Azure AD](../../fundamentals/active-directory-users-restore.md) before retrying the fix. The user will also be automatically deleted permanently after 30 days in soft deleted state. +The user with conflicting attribute in Azure AD should be cleaned before you can apply fix. Check out [how to delete the user permanently in Azure AD](../../fundamentals/users-restore.md) before retrying the fix. The user will also be automatically deleted permanently after 30 days in soft deleted state. **Updating source anchor to cloud-based user in your tenant is not supported.** Cloud-based user in Azure AD should not have source anchor. Updating source anchor is not supported in this case. Manual fix is required from on premises. |
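Review bot: The rewritten line still reads "The user with conflicting attribute in Azure AD should be cleaned before you can apply fix"; since this line is already being changed for the link, fix the grammar at the same time, for example "The user with the conflicting attribute in Azure AD must be cleaned up before you can apply the fix." The rest of the hunk (the 30-day automatic hard delete) is fine.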
active-directory | How To Connect Install Roadmap | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-roadmap.md | If your ADFS server has not been configured to automatically update certificates ## Get started with Azure AD Connect Health To get started with Azure AD Connect Health, use the following steps: -1. [Get Azure AD Premium](../../fundamentals/active-directory-get-started-premium.md) or [start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). +1. [Get Azure AD Premium](../../fundamentals/get-started-premium.md) or [start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). 2. [Download and install Azure AD Connect Health Agents](#download-and-install-azure-ad-connect-health-agent) on your identity servers. 3. View the Azure AD Connect Health dashboard at [https://aka.ms/aadconnecthealth](https://aka.ms/aadconnecthealth). |
active-directory | How To Connect Monitor Federation Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-monitor-federation-changes.md | To monitor the trust relationship, we recommend you set up alerts to be notified Follow these steps to set up alerts to monitor the trust relationship: 1. [Configure Azure AD audit logs](../../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) to flow to an Azure Log Analytics Workspace. -2. [Create an alert rule](../../../azure-monitor/alerts/alerts-log.md) that triggers based on Azure AD log query. +2. [Create an alert rule](../../../azure-monitor/alerts/alerts-create-new-alert-rule.md) that triggers based on Azure AD log query. 3. [Add an action group](../../../azure-monitor/alerts/action-groups.md) to the alert rule that gets notified when the alert condition is met. After the environment is configured, the data flows as follows: After the environment is configured, the data flows as follows: ## Next steps - [Integrate Azure AD logs with Azure Monitor logs](../../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)-- [Create, view, and manage log alerts using Azure Monitor](../../../azure-monitor/alerts/alerts-log.md)+- [Create, view, and manage log alerts using Azure Monitor](../../../azure-monitor/alerts/alerts-create-new-alert-rule.md) - [Manage AD FS trust with Azure AD using Azure AD Connect](how-to-connect-azure-ad-trust.md) - [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs) |
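Review bot: Both retargeted links now point at alerts-create-new-alert-rule.md, but the Next steps entry keeps the anchor text "Create, view, and manage log alerts using Azure Monitor". The new filename indicates a page about creating an alert rule, so the text now overstates what the target covers; either change it to match the target's title (something like "Create a new alert rule in Azure Monitor") or keep a link to the page that still covers viewing and managing alerts. The step-2 link text "Create an alert rule" already matches and needs no change.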
active-directory | How To Connect Pta Quick Start | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-pta-quick-start.md | Ensure that the following prerequisites are in place. ### In the Entra admin center -1. Create a cloud-only Hybrid Identity Administrator account or a Hybrid Identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only Hybrid Identity Administrator account](../../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant. +1. Create a cloud-only Hybrid Identity Administrator account or a Hybrid Identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only Hybrid Identity Administrator account](../../fundamentals/add-users.md). Completing this step is critical to ensure that you don't get locked out of your tenant. 2. Add one or more [custom domain names](../../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names. ### In your on-premises environment |
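Review bot: The rewritten step 1 says "Create a cloud-only Hybrid Identity Administrator account or a Hybrid Identity administrator account", which names the same role twice with inconsistent capitalization. The parallel sentence in how-to-connect-pta-upgrade-preview-authentication-agents.md and tshoot-connect-pass-through-authentication.md in this same change set reads "cloud-only Global Administrator account or a Hybrid Identity Administrator account", so one of the two here is presumably meant to be Global Administrator; reconcile the wording while the line is being touched, since this is the break-glass account the text says is critical to avoid lockout.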
active-directory | How To Connect Pta Upgrade Preview Authentication Agents | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-pta-upgrade-preview-authentication-agents.md | To check the versions of your Authentication Agents, on each server identified i Before upgrading, ensure that you have the following items in place: -1. **Create cloud-only Global Administrator account**: DonΓÇÖt upgrade without having a cloud-only Global Administrator account to use in emergency situations where your Pass-through Authentication Agents are not working properly. Learn about [adding a cloud-only Global Administrator account](../../fundamentals/add-users-azure-active-directory.md). Doing this step is critical and ensures that you don't get locked out of your tenant. +1. **Create cloud-only Global Administrator account**: DonΓÇÖt upgrade without having a cloud-only Global Administrator account to use in emergency situations where your Pass-through Authentication Agents are not working properly. Learn about [adding a cloud-only Global Administrator account](../../fundamentals/add-users.md). Doing this step is critical and ensures that you don't get locked out of your tenant. 2. **Ensure high availability**: If not completed previously, install a second standalone Authentication Agent to provide high availability for sign-in requests, using these [instructions](how-to-connect-pta-quick-start.md#step-4-ensure-high-availability). ## Upgrading the Authentication Agent on your Azure AD Connect server |
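Review bot: The apostrophe in "DonΓÇÖt upgrade without having a cloud-only Global Administrator account" is mis-encoded in both the removed and the added line. If that sequence is really in the file and not an artifact of how the diff was captured, replace it with a plain ASCII apostrophe ("Don't") now, since the line is being rewritten anyway and the mojibake would otherwise survive the link fix.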
active-directory | How To Connect Staged Rollout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-staged-rollout.md | To configure Staged Rollout, follow these steps: 1. On the *Azure AD Connect* page, under the *Staged rollout of cloud authentication*, select the **Enable staged rollout for managed user sign-in** link. -1. On the *Enable staged rollout feature* page, select the options you want to enable: [Password Hash Sync](./whatis-phs.md), [Pass-through authentication](./how-to-connect-pta.md), [Seamless single sign-on](./how-to-connect-sso.md), or [Certificate-based Authentication](../../authentication/active-directory-certificate-based-authentication-get-started.md). For example, if you want to enable **Password Hash Sync** and **Seamless single sign-on**, slide both controls to **On**. +1. On the *Enable staged rollout feature* page, select the options you want to enable: [Password Hash Sync](./whatis-phs.md), [Pass-through authentication](./how-to-connect-pta.md), [Seamless single sign-on](./how-to-connect-sso.md), or [Certificate-based Authentication](../../authentication/certificate-based-authentication-federation-get-started.md). For example, if you want to enable **Password Hash Sync** and **Seamless single sign-on**, slide both controls to **On**. 1. Add groups to the features you selected. For example, *pass-through authentication* and *seamless SSO*. To avoid a time-out, ensure that the security groups contain no more than 200 members initially. |
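Review bot: Check the new target for the Certificate-based Authentication link. The replacement filename, certificate-based-authentication-federation-get-started.md, indicates the federation (AD FS) flavour of certificate-based authentication, whereas this list sits under "Staged rollout of cloud authentication" alongside Password Hash Sync, Pass-through authentication and Seamless single sign-on, which are all cloud authentication methods. If the option on this page is Azure AD's own certificate-based authentication, the link should go to that feature's page (the authentication folder has dedicated Azure AD CBA concept and how-to articles) rather than the federation getting-started page.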
active-directory | Howto Troubleshoot Upn Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/howto-troubleshoot-upn-changes.md | If the userPrincipalName attribute value doesn't correspond to a verified domain Use our best practices to test bulk UPN changes. Have a tested roll-back plan for reverting UPNs if issues can't be resolved. After your pilot is running, target small user sets, with organizational roles, and sets of apps or devices. This process helps you understand the user experience. Include this information in your communications to stakeholders and users. -Learn more: [Azure Active Directory deployment plans](../../fundamentals/deployment-plans.md) +Learn more: [Azure Active Directory deployment plans](../../architecture/deployment-plans.md) Create a procedure to change UPNs for individual users. We recommend a procedure that includes documentation about known issues and workarounds. |
active-directory | Migrate From Federation To Cloud Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/migrate-from-federation-to-cloud-authentication.md | Although this deployment changes no other relying parties in your AD FS farm, yo ## Plan the project -When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../../fundamentals/deployment-plans.md) and that stakeholder roles in the project are well understood. +When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../../architecture/deployment-plans.md) and that stakeholder roles in the project are well understood. ### Plan communications You can't customize Azure AD sign-in experience. No matter how your users signed #### Organization branding -You can [customize the Azure AD sign-in page](../../fundamentals/customize-branding.md). Some visual changes from AD FS on sign-in pages should be expected after the conversion. +You can [customize the Azure AD sign-in page](../../fundamentals/how-to-customize-branding.md). Some visual changes from AD FS on sign-in pages should be expected after the conversion. >[!NOTE] >Organization branding isn't available in free Azure AD licenses unless you've a Microsoft 365 license. This section includes prework before you switch your sign-in method and convert Create groups for staged rollout and also for Conditional Access policies if you decide to add them. -We recommend you use a group mastered in Azure AD, also known as a cloud-only group. You can use Azure AD security groups or Microsoft 365 Groups for both moving users to MFA and for Conditional Access policies. 
For more information, see [creating an Azure AD security group](../../fundamentals/active-directory-groups-create-azure-portal.md), and this [overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups). +We recommend you use a group mastered in Azure AD, also known as a cloud-only group. You can use Azure AD security groups or Microsoft 365 Groups for both moving users to MFA and for Conditional Access policies. For more information, see [creating an Azure AD security group](../../fundamentals/how-to-manage-groups.md), and this [overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups). The members in a group are automatically enabled for staged rollout. Nested and dynamic groups aren't supported for staged rollout. You can move SaaS applications that are currently federated with ADFS to Azure A For more information, see ΓÇô -- [Moving application authentication from Active Directory Federation Services to Azure Active Directory](../../manage-apps/migrate-adfs-apps-to-azure.md) and+- [Moving application authentication from Active Directory Federation Services to Azure Active Directory](../../manage-apps/migrate-adfs-apps-stages.md) and - [AD FS to Azure AD application migration playbook for developers](/samples/azure-samples/ms-identity-adfs-to-aad/ms-identity-dotnet-adfs-to-aad) ### Remove relying party trust For a full list of steps to take to completely remove AD FS from the environment ## Next steps - [Learn about migrating applications](../../manage-apps/migration-resources.md)-- [Deploy other identity features](../../fundamentals/deployment-plans.md)+- [Deploy other identity features](../../architecture/deployment-plans.md) |
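Review bot: In the "For more information" bullets, the link text "Moving application authentication from Active Directory Federation Services to Azure Active Directory" now resolves to manage-apps/migrate-adfs-apps-stages.md. The new filename suggests a page about the stages of that migration rather than the overview the old name described, so verify the anchor text still describes what the reader lands on and update it to the target's title if it does not. The other retargets in this file (deployment-plans.md to architecture, customize-branding.md to how-to-customize-branding.md, groups to how-to-manage-groups.md) read consistently with their link text.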
active-directory | Reference Connect Accounts Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-accounts-permissions.md | Legend: - Non-bold = A supported option - Local account = Local user account on the server - Domain account = Domain user account-- sMSA = [standalone managed service account](../../fundamentals/service-accounts-on-premises.md)+- sMSA = [standalone managed service account](../../architecture/service-accounts-on-premises.md) - gMSA = [group managed service account](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) | | Local database<br />Express | Local database/Local SQL Server<br />Custom | Remote SQL Server<br />Custom | To use this option, on the [Install required components](how-to-connect-install- :::image type="content" source="media/reference-connect-accounts-permissions/serviceaccount.png" alt-text="Screenshot that shows selecting Managed Service Account in Windows Server."::: -You also can use an [sMSA](../../fundamentals/service-accounts-on-premises.md) in this scenario. However, you can use an sMSA only on the local computer, and there's no benefit to using an sMSA instead of the default VSA. +You also can use an [sMSA](../../architecture/service-accounts-on-premises.md) in this scenario. However, you can use an sMSA only on the local computer, and there's no benefit to using an sMSA instead of the default VSA. The sMSA feature requires Windows Server 2012 or later. If you need to use an earlier version of an operating system and you use remote SQL Server, you must use a [user account](#user-account). |
active-directory | Tshoot Connect Pass Through Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-pass-through-authentication.md | -> If you are facing user sign-in issues with Pass-through Authentication, don't disable the feature or uninstall Pass-through Authentication Agents without having a cloud-only Global Administrator account or a Hybrid Identity Administrator account to fall back on. Learn about [adding a cloud-only Global Administrator account](../../fundamentals/add-users-azure-active-directory.md). Doing this step is critical and ensures that you don't get locked out of your tenant. +> If you are facing user sign-in issues with Pass-through Authentication, don't disable the feature or uninstall Pass-through Authentication Agents without having a cloud-only Global Administrator account or a Hybrid Identity Administrator account to fall back on. Learn about [adding a cloud-only Global Administrator account](../../fundamentals/add-users.md). Doing this step is critical and ensures that you don't get locked out of your tenant. ## General issues |
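Review bot: The link text "adding a cloud-only Global Administrator account" now points at fundamentals/add-users.md, which by its name covers creating a user, not assigning the Global Administrator role. Since the note says this fallback account is what prevents lockout, consider also linking the role-assignment steps (or the break-glass account guidance) so the reader ends up with an account that actually holds the role; the same applies to the identical link in the how-to-connect-pta-quick-start.md and how-to-connect-pta-upgrade-preview-authentication-agents.md hunks in this change set.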
active-directory | Decommission Connect Sync V1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/decommission-connect-sync-v1.md | If you aren't yet eligible to move to cloud sync, use this table for more inform ## Next steps -- [What is Azure AD Connect V2?](whatis-azure-ad-connect-v2.md)-- [Azure AD Cloud Sync](../cloud-sync/what-is-cloud-sync.md)-- [Azure AD Connect version history](reference-connect-version-history.md)+- [What is Azure AD Connect V2?](./connect/whatis-azure-ad-connect-v2.md) +- [Azure AD Cloud Sync](./cloud-sync/what-is-cloud-sync.md) +- [Azure AD Connect version history](./connect/reference-connect-version-history.md) |
active-directory | Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/install.md | Express settings are the default option to install Azure AD Connect, and it's us 4. On **Express settings**, select **Use express settings**. 5. n **Connect to Azure AD**, enter the username and password of the Hybrid Identity Administrator account, and then select **Next**. 6. On **Connect to AD DS**, enter the username and password for an Enterprise Admin account. You can enter the domain part in either NetBIOS or FQDN format, like `FABRIKAM\administrator` or `fabrikam.com\administrator`. Select **Next**- 7. The [Azure AD sign-in configuration](plan-connect-user-signin.md#azure-ad-sign-in-configuration) page appears only if you didn't complete the step to [verify your domains](../fundamentals/add-custom-domain.md) in the [prerequisites](how-to-connect-install-prerequisites.md) + 7. The [Azure AD sign-in configuration](./connect/plan-connect-user-signin.md#azure-ad-sign-in-configuration) page appears only if you didn't complete the step to [verify your domains](../fundamentals/add-custom-domain.md) in the [prerequisites](./connect/how-to-connect-install-prerequisites.md) 8. On **Ready to configure**, select **Install** 9. When the installation is finished, select **Exit**. 10. Before you use Synchronization Service Manager or Synchronization Rule Editor, sign out, and then sign in again. |
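Review bot: While this numbered list is being touched, step 5 in the surrounding context reads "5. n **Connect to Azure AD**"; the "n" should be "On", matching steps 4, 6 and 8. Also confirm that the leading space kept before "7." in the rewritten line does not break the list numbering, since the neighbouring steps start at the left margin.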
active-directory | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/prerequisites.md | For more information on the cloud sync prerequisites, see [Azure AD Connect prer |--|--| |Enterprise administrator|Required to install Azure AD Connect.| |Hybrid Identity administrator|Required to configure cloud sync. This account cannot be a guest account. This account must be a school or organization account and can't be a Microsoft account.|-|Custom settings|If you use the custom settings installation path, you have more options. You can specify the following information:</br>ΓÇó [AD DS Connector account](reference-connect-accounts-permissions.md)</br>ΓÇó [ADSync Service account](reference-connect-accounts-permissions.md)</br>ΓÇó [Azure AD Connector account](reference-connect-accounts-permissions.md). </br>For more information, see [Custom installation settings](reference-connect-accounts-permissions.md#custom-settings).| +|Custom settings|If you use the custom settings installation path, you have more options. You can specify the following information:</br>ΓÇó [AD DS Connector account](./connect/reference-connect-accounts-permissions.md)</br>ΓÇó [ADSync Service account](./connect/reference-connect-accounts-permissions.md)</br>ΓÇó [Azure AD Connector account](./connect/reference-connect-accounts-permissions.md). </br>For more information, see [Custom installation settings](./connect/reference-connect-accounts-permissions.md#custom-settings).| For more information on the Azure AD Connect accounts, see [Azure AD Connect: Accounts and permissions](connect/reference-connect-accounts-permissions.md). |
active-directory | What Is Inter Directory Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/what-is-inter-directory-provisioning.md | Inter-directory provisioning allows us to create [hybrid identity](whatis-hybrid Azure AD currently supports three methods for accomplishing inter-directory provisioning. These methods are: -- [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md) -a new Microsoft agent designed to meet and accomplish your hybrid identity goals. It is provides a light-weight inter -directory provisioning experience between Active Directory and Azure AD and is configured via the portal.+- [Azure AD Connect cloud sync](./cloud-sync/what-is-cloud-sync.md) -a new Microsoft agent designed to meet and accomplish your hybrid identity goals. It is provides a light-weight inter -directory provisioning experience between Active Directory and Azure AD and is configured via the portal. -- [Azure AD Connect](whatis-azure-ad-connect.md) - the Microsoft tool designed to meet and accomplish your hybrid identity, including inter-directory provisioning from Active Directory to Azure AD.+- [Azure AD Connect](./connect/whatis-azure-ad-connect.md) - the Microsoft tool designed to meet and accomplish your hybrid identity, including inter-directory provisioning from Active Directory to Azure AD. - [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) - Microsoft's on-premises identity and access management solution that helps you manage the users, credentials, policies, and access within your organization. Additionally, MIM provides advanced inter-directory provisioning to achieve hybrid identity environments for Active Directory, Azure AD, and other directories. 
Azure AD currently supports three methods for accomplishing inter-directory prov This capability of inter-directory provisioning offers the following significant business benefits: -- [Password hash synchronization](whatis-phs.md) - A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD.-- [Pass-through authentication](how-to-connect-pta.md) - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.-- [Federation integration](how-to-connect-fed-whatis.md) - can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.-- [Synchronization](how-to-connect-sync-whatis.md) - Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.-- [Health Monitoring](whatis-azure-ad-connect.md) - can provide robust monitoring and provide a central location in the Azure portal to view this activity. +- [Password hash synchronization](./connect/whatis-phs.md) - A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD. +- [Pass-through authentication](./connect/how-to-connect-pta.md) - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment. +- [Federation integration](./connect/how-to-connect-fed-whatis.md) - can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments. 
+- [Synchronization](./connect/how-to-connect-sync-whatis.md) - Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes. +- [Health Monitoring](./connect/whatis-azure-ad-connect.md) - can provide robust monitoring and provide a central location in the Azure portal to view this activity. ## Next steps - [What is identity lifecycle management](../governance/what-is-identity-lifecycle-management.md) |
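Review bot: The rewritten cloud sync bullet still reads "-a new Microsoft agent ... It is provides a light-weight inter -directory provisioning experience"; since the line is being rewritten for the link, drop the stray "is", close the space in "inter -directory", and put a space after the leading hyphen. In the same hunk, "a hash of a users on-premises AD password" should be "a user's on-premises AD password".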
active-directory | Concept Identity Protection Risks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-identity-protection-risks.md | Microsoft doesn't provide specific details about how risk is calculated. Each le ### Password hash synchronization -Risk detections like leaked credentials require the presence of password hashes for detection to occur. For more information about password hash synchronization, see the article, [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md). +Risk detections like leaked credentials require the presence of password hashes for detection to occur. For more information about password hash synchronization, see the article, [Implement password hash synchronization with Azure AD Connect sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md). ### Why are there risk detections generated for disabled user accounts? |
active-directory | Concept Workload Identity Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-workload-identity-risk.md | -A [workload identity](../develop/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they: +A [workload identity](../workload-identities/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they: - CanΓÇÖt perform multifactor authentication. - Often have no formal lifecycle process. Some of the key questions to answer during your investigation include: - Have there been suspicious configuration changes to accounts? - Did the account acquire unauthorized application roles? -The [Azure Active Directory security operations guide for Applications](../fundamentals/security-operations-applications.md) provides detailed guidance on the above investigation areas. +The [Azure Active Directory security operations guide for Applications](../architecture/security-operations-applications.md) provides detailed guidance on the above investigation areas. Once you determine if the workload identity was compromised, dismiss the accountΓÇÖs risk, or confirm the account as compromised in the Risky workload identities report. You can also select ΓÇ£Disable service principalΓÇ¥ if you want to block the account from further sign-ins. |
active-directory | How To Deploy Identity Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/how-to-deploy-identity-protection.md | This deployment plan extends concepts introduced in the [Conditional Access depl * Create or modify Conditional Access policies * [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) * [Security Administrator](../roles/permissions-reference.md#security-administrator)-* A test user (non-administrator) that allows you to verify policies work as expected before deploying to real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md). -* A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md). +* A test user (non-administrator) that allows you to verify policies work as expected before deploying to real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users.md). +* A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/how-to-manage-groups.md). ### Engage the right stakeholders |
active-directory | Howto Export Risk Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-export-risk-data.md | Organizations can use the [Microsoft Graph API to programmatically interact with ## Next steps - [What is Azure Active Directory monitoring?](../reports-monitoring/overview-monitoring.md)-- [Install and use the log analytics views for Azure Active Directory](../reports-monitoring/howto-install-use-log-analytics-views.md)+- [Install and use the log analytics views for Azure Active Directory](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) - [Connect data from Azure Active Directory (Azure AD) Identity Protection](../../sentinel/data-connectors/azure-active-directory-identity-protection.md) - [Azure Active Directory Identity Protection and the Microsoft Graph PowerShell SDK](howto-identity-protection-graph-api.md) - [Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
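Review bot: The Next steps entry keeps the anchor text "Install and use the log analytics views for Azure Active Directory" but now points at azure-monitor/visualize/workbooks-view-designer-conversion-overview.md, which by its name is the overview for converting view designer views to workbooks, not an install-and-use guide. Update the text to describe the new target (or point the entry at the Azure AD workbooks page if that is what readers are meant to use) so the link does not promise a page that no longer exists.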
active-directory | Add Application Portal Setup Oidc Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-setup-oidc-sso.md | -Add an application that supports [OpenID Connect (OIDC)](../develop/active-directory-v2-protocols.md) based single sign-on (SSO) to your Azure Active Directory (Azure AD) tenant. +Add an application that supports [OpenID Connect (OIDC)](../develop/v2-protocols.md) based single sign-on (SSO) to your Azure Active Directory (Azure AD) tenant. It is recommended that you use a non-production environment to test the steps in this page. |
active-directory | Application Management Certs Faq | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-management-certs-faq.md | You can export all app registrations with expiring secrets, certificates and the ## Where can I find the information about soon to expire certificates renewal steps? -You can find the steps [here](manage-certificates-for-federated-single-sign-on.md#renew-a-certificate-that-will-soon-expire). +You can find the steps [here](./tutorial-manage-certificates-for-federated-single-sign-on.md#renew-a-certificate-that-will-soon-expire). ## How can I customize the expiration date for the certificates issued by Azure AD? -By default, Azure AD configures a certificate to expire after three years when it is created automatically during SAML single sign-on configuration. Because you can't change the date of a certificate after you save it, you need to create a new certificate. For steps on how to do so, please refer [Customize the expiration date for your federation certificate and roll it over to a new certificate](manage-certificates-for-federated-single-sign-on.md#customize-the-expiration-date-for-your-federation-certificate-and-roll-it-over-to-a-new-certificate). +By default, Azure AD configures a certificate to expire after three years when it is created automatically during SAML single sign-on configuration. Because you can't change the date of a certificate after you save it, you need to create a new certificate. For steps on how to do so, please refer [Customize the expiration date for your federation certificate and roll it over to a new certificate](./tutorial-manage-certificates-for-federated-single-sign-on.md#customize-the-expiration-date-for-your-federation-certificate-and-roll-it-over-to-a-new-certificate). 
> [!NOTE] > The recommended way to create SAML applications is through the Azure AD Application Gallery, which will automatically create a three-year valid X509 certificate for you. Azure AD will send an email notification 60, 30, and 7 days before the SAML cert > [!NOTE] > You can add up to 5 email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use the distribution list emails. -To specify the emails you want the notifications to be sent to, see [Add email notification addresses for certificate expiration](manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration). +To specify the emails you want the notifications to be sent to, see [Add email notification addresses for certificate expiration](./tutorial-manage-certificates-for-federated-single-sign-on.md#add-email-notification-addresses-for-certificate-expiration). There is no option to edit or customize these email notifications received from `aadnotification@microsoft.com`. However, you can export app registrations with expiring secrets and certificates through [PowerShell scripts](app-management-powershell-samples.md). To configure an on-premises app to use a custom domain, you need a verified Azur ## I need to update the token signing certificate on the application side. Where can I get it on Azure AD side? -You can renew a SAML X.509 Certificate, see [SAML Signing certificate](configure-saml-single-sign-on.md#saml-signing-certificate). +You can renew a SAML X.509 Certificate, see [SAML Signing certificate](../develop/single-sign-on-saml-protocol.md). ## What is Azure AD signing key rollover? -You can find more details [here](../develop/active-directory-signing-key-rollover.md). +You can find more details [here](../develop/signing-key-rollover.md). ## How do I renew application token encryption certificate? 
To renew an application token encryption certificate, see [How to renew a token ## How do I renew application token signing certificate? -To renew an application token signing certificate, see [How to renew a token signing certificate for an enterprise application](manage-certificates-for-federated-single-sign-on.md). +To renew an application token signing certificate, see [How to renew a token signing certificate for an enterprise application](./tutorial-manage-certificates-for-federated-single-sign-on.md). ## How do I update Azure AD after changing my federation certificates? -To update Azure AD after changing your federation certificates, see [Renew federation certificates for Microsoft 365 and Azure Active Directory](../hybrid/how-to-connect-fed-o365-certs.md). +To update Azure AD after changing your federation certificates, see [Renew federation certificates for Microsoft 365 and Azure Active Directory](../hybrid/connect/how-to-connect-fed-o365-certs.md). ## Can I use the same SAML certificate across different apps? |
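Review bot: In the "I need to update the token signing certificate on the application side" answer, the retargeted link drops the `#saml-signing-certificate` anchor and now points `[SAML Signing certificate]` at `../develop/single-sign-on-saml-protocol.md`, a protocol reference, while the sentence promises renewal steps ("You can renew a SAML X.509 Certificate, see ..."). The next answer in the same hunk sends readers to `./tutorial-manage-certificates-for-federated-single-sign-on.md` for exactly that procedure; consider using that target here too, or rewording the sentence so it matches a reference page.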
active-directory | Application Sign In Problem Application Error | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-problem-application-error.md | To change the User Identifier value, follow these steps: ### Change the NameID format -If the application expects another format for the **NameID** (User Identifier) attribute, see the [Edit nameID](../develop/active-directory-saml-claims-customization.md#edit-nameid) section to change the NameID format. +If the application expects another format for the **NameID** (User Identifier) attribute, see the [Edit nameID](../develop/saml-claims-customization.md#edit-nameid) section to change the NameID format. Azure AD selects the format for the **NameID** attribute (User Identifier) based on the value that's selected or the format that's requested by the app in the SAML AuthRequest. For more information, see the "NameIDPolicy" section of [Single sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md#nameidpolicy). |
active-directory | Application Sign In Problem First Party Microsoft | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-problem-first-party-microsoft.md | Application access can be blocked because the proper permissions consent operati - For any Open ID Connect-enabled application that requests permissions, navigating to the applicationΓÇÖs sign-in screen performs a user level consent to the application for the signed-in user. -- If you wish to do this programmatically, see [Requesting individual user consent](../develop/v2-permissions-and-consent.md#requesting-individual-user-consent).+- If you wish to do this programmatically, see [Requesting individual user consent](../develop/permissions-consent-overview.md#requesting-individual-user-consent). ### Perform administrator-level consent operation for any application - For **only applications developed using the V1 application model**, you can force this administrator level consent to occur by adding ΓÇ£**?prompt=admin\_consent**ΓÇ¥ to the end of an applicationΓÇÖs sign-in URL. -- For **any application developed using the V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).+- For **any application developed using the V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/permissions-consent-overview.md#using-the-admin-consent-endpoint). 
### Perform administrator-level consent for a single-tenant application - For **single-tenant applications** that request permissions (like those you're developing or own in your organization), you can perform an **administrative-level consent** operation on behalf of all users by signing in as a Global Administrator and clicking on the **Grant permissions** button at the top of the **Application Registry -> All Applications -> Select an App -> Required Permissions** pane. -- For **any application developed using the V1 or V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).+- For **any application developed using the V1 or V2 application model**, you can enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/permissions-consent-overview.md#using-the-admin-consent-endpoint). ### Perform administrator-level consent for a multi-tenant application - For **multi-tenant applications** that request permissions (like an application a third party, or Microsoft, develops), you can perform an **administrative-level consent** operation. Sign in as a Global Administrator and clicking on the **Grant permissions** button under the **Enterprise Applications -> All Applications -> Select an App -> Permissions** pane (available soon). 
-- You can also enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint).+- You can also enforce this administrator-level consent to occur by following the instructions under the **Request the permissions from a directory admin** section of [Using the admin consent endpoint](../develop/permissions-consent-overview.md#using-the-admin-consent-endpoint). ## Next steps -[Using the admin consent endpoint](../develop/v2-permissions-and-consent.md#using-the-admin-consent-endpoint) +[Using the admin consent endpoint](../develop/permissions-consent-overview.md#using-the-admin-consent-endpoint) |
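Review bot: Every retargeted link in this hunk keeps the old anchors (`#requesting-individual-user-consent`, `#using-the-admin-consent-endpoint`) unchanged while moving from `v2-permissions-and-consent.md` to `permissions-consent-overview.md`; please confirm those headings exist in the overview article, otherwise the links will resolve to the top of the page. While touching these lines, the unchanged context text carries encoding debris (`ΓÇÖ`, `ΓÇ£`, `ΓÇ¥` in place of the apostrophe and curly quotes around `?prompt=admin_consent`) that is worth cleaning up in the same change.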
active-directory | Application Sign In Unexpected User Consent Error | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md | End-users won't be able to grant consent to apps that have been detected as risk [Apps, permissions, and consent in Azure Active Directory (v1 endpoint)](../develop/quickstart-register-app.md)<br> -[Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/v2-permissions-and-consent.md) +[Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/permissions-consent-overview.md) [Unexpected consent prompt when signing in to an application](application-sign-in-unexpected-user-consent-prompt.md) |
active-directory | Application Sign In Unexpected User Consent Prompt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt.md | Determining whether an individual user can consent to an application can be conf * [Apps, permissions, and consent in Azure Active Directory (v1.0 endpoint)](../develop/quickstart-register-app.md) -* [Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/v2-permissions-and-consent.md) +* [Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/permissions-consent-overview.md) * [Unexpected error when performing consent to an application](application-sign-in-unexpected-user-consent-error.md) |
active-directory | Certificate Signing Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/certificate-signing-options.md | Next, change the certificate signing options in the SAML token for that applicat ## Next steps -* [Configure single sign-on to applications that are not in the Azure Active Directory App Gallery](./configure-saml-single-sign-on.md) +* [Configure single sign-on to applications that are not in the Azure Active Directory App Gallery](../develop/single-sign-on-saml-protocol.md) * [Troubleshoot SAML-based single sign-on](./debug-saml-sso-issues.md) |
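Review bot: The link text "Configure single sign-on to applications that are not in the Azure Active Directory App Gallery" no longer describes its target: `./configure-saml-single-sign-on.md` was a configuration how-to, but `../develop/single-sign-on-saml-protocol.md` is the SAML protocol reference. Either update the link text to something like "Single sign-on SAML protocol" or point it at the current SAML SSO configuration article so readers land on the steps the text promises.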
active-directory | Cloudflare Conditional Access Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-conditional-access-policies.md | Learn more: [What is Conditional Access?](../conditional-access/overview.md) * An Azure AD subscription * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) * An Azure AD tenant linked to the Azure AD subscription- * See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md) + * See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/create-new-tenant.md) * Global Administrator permissions * Configured users in the Azure AD subscription * A Cloudflare account |
active-directory | Cloudflare Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-integration.md | In this tutorial, learn to integrate Azure Active Directory (Azure AD) with Clou * An Azure AD subscription * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) * An Azure AD tenant linked to the Azure AD subscription- * See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md) + * See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/create-new-tenant.md) * A Cloudflare Zero Trust account * If you don't have one, go to [Get started with Cloudflare's Zero Trust platform](https://dash.cloudflare.com/sign-up/teams) |
active-directory | Configure Permission Classifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-permission-classifications.md | DELETE https://graph.microsoft.com/v1.0/servicePrincipals(appId='00000003-0000-0 ## Next steps - [Manage app consent policies](manage-app-consent-policies.md)-- [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md)+- [Permissions and consent in the Microsoft identity platform](../develop/permissions-consent-overview.md) |
active-directory | Configure User Consent Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-user-consent-groups.md | To learn more: * [Configure the admin consent workflow](configure-admin-consent-workflow.md) * [Learn how to manage consent to applications and evaluate consent requests](manage-consent-requests.md) * [Grant tenant-wide admin consent to an application](grant-admin-consent.md)-* [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md) +* [Permissions and consent in the Microsoft identity platform](../develop/permissions-consent-overview.md) To get help or find answers to your questions: |
active-directory | Datawiza Configure Sha | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-configure-sha.md | Learn more: [Zero Trust security](../../security/fundamentals/zero-trust.md) Datawiza integration includes the following components: -* **[Azure AD](../fundamentals/active-directory-whatis.md)** - Identity and access management service that helps users sign in and access external and internal resources +* **[Azure AD](../fundamentals/whatis.md)** - Identity and access management service that helps users sign in and access external and internal resources * **Datawiza Access Proxy (DAP)** - This service transparently passes identity information to applications through HTTP headers * **Datawiza Cloud Management Console (DCMC)** - UI and RESTful APIs for administrators to manage the DAP configuration and access control policies To get started, you need: * An Azure subscription * If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/)-* An [Azure AD tenant](../fundamentals/active-directory-access-create-new-tenant.md) linked to the Azure subscription +* An [Azure AD tenant](../fundamentals/create-new-tenant.md) linked to the Azure subscription * [Docker](https://docs.docker.com/get-docker/) and [docker-compose](https://docs.docker.com/compose/install/) are required to run DAP * Your applications can run on platforms, such as a virtual machine (VM) or bare metal * An on-premises or cloud-hosted application to transition from a legacy identity system to Azure AD To get started, you need: * [Tutorial: Configure Azure Active Directory B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md) * [Tutorial: Configure Datawiza to enable Azure AD MFA and SSO to Oracle JD Edwards](datawiza-sso-oracle-jde.md)-* [Tutorial: Configure Datawiza to enable Azure AD MFA and SSO to Oracle PeopleSoft](datawiza-azure-ad-sso-oracle-peoplesoft.md) +* 
[Tutorial: Configure Datawiza to enable Azure AD MFA and SSO to Oracle PeopleSoft](./datawiza-sso-oracle-peoplesoft.md) * Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com) |
active-directory | Datawiza Sso Mfa Oracle Ebs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-mfa-oracle-ebs.md | To complete the steps in this article, you need: * An Azure AD tenant linked to the Azure subscription. * An account with Azure AD Application Administrator permissions. For more information, see [Azure AD built-in roles](../roles/permissions-reference.md). * Docker and Docker Compose, to run DAP. For more information, see [Get Docker](https://docs.docker.com/get-docker/) and [Docker Compose Overview](https://docs.docker.com/compose/install/).-* User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory. For more information, see [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md). +* User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory. For more information, see [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md). * An Oracle EBS environment. ## Configure the Oracle EBS environment for SSO and create the DBC file To provide more security for sign-ins, you can enable Multi-Factor Authenticatio ## Next steps - [Video: Enable SSO and MFA for Oracle JD Edwards with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90)-- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-with-azure-ad.md)+- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-configure-sha.md) - [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md) - [Datawiza user guides](https://docs.datawiza.com/) |
active-directory | Datawiza Sso Mfa To Owa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-mfa-to-owa.md | You need the following components. Prior DAP experience isn't necessary. - An Azure AD tenant linked to the Azure account - - See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md) + - See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/create-new-tenant.md) - Docker and Docker Compose are required to run DAP You need the following components. Prior DAP experience isn't necessary. directory - See, [Azure AD Connect sync: Understand and customize- synchronization](../hybrid/how-to-connect-sync-whatis.md) + synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) - An account with Microsoft Entra ID Application Administrator permissions To provide more sign-in security, you can enforce Microsoft Entra ID Multi-Facto - [Video: Enable SSO and MFA for Oracle JD Edwards with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90) -- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](datawiza-with-azure-ad.md)+- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-configure-sha.md) - Go to docs.datawiza.com for [Datawiza user guides](https://docs.datawiza.com/) |
active-directory | Datawiza Sso Oracle Jde | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-oracle-jde.md | The scenario solution has the following components: * **Datawiza Access Proxy (DAP)** - container-based reverse-proxy that implements OpenID Connect (OIDC), OAuth, or Security Assertion Markup Language (SAML) for user sign-in flow. It passes identity transparently to applications through HTTP headers. * **Datawiza Cloud Management Console (DCMC)** -a console to manage DAP. Administrators use UI and RESTful APIs to configure DAP and access control policies. -Learn more: [Datawiza and Azure AD Authentication Architecture](./datawiza-with-azure-ad.md#datawiza-with-azure-ad-authentication-architecture) +Learn more: [Datawiza and Azure AD Authentication Architecture](./datawiza-configure-sha.md#datawiza-with-azure-ad-authentication-architecture) ## Prerequisites Ensure the following prerequisites are met. * An Azure subscription. 
* If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free) * An Azure AD tenant linked to the Azure subscription- * See, [Quickstart: Create a new tenant in Azure Active Directory.](../fundamentals/active-directory-access-create-new-tenant.md) + * See, [Quickstart: Create a new tenant in Azure Active Directory.](../fundamentals/create-new-tenant.md) * Docker and Docker Compose * Go to docs.docker.com to [Get Docker](https://docs.docker.com/get-docker) and [Install Docker Compose](https://docs.docker.com/compose/install) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory- * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An account with Azure AD and the Application administrator role * See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles) * An Oracle JDE environment To confirm Oracle JDE application access occurs, a prompt appears to use an Azur ## Next steps * Video [Enable SSO and MFA for Oracle JDE) with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90)-* [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-with-azure-ad.md) +* [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-configure-sha.md) * [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md) * Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com/) |
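Review bot: The "Learn more" link moves to `./datawiza-configure-sha.md` but keeps the anchor `#datawiza-with-azure-ad-authentication-architecture`, which is named after the old file (`datawiza-with-azure-ad.md`); check that the heading in the renamed article still produces that anchor. Also in the unchanged "Next steps" context, the video link text `[Enable SSO and MFA for Oracle JDE) with Azure AD via Datawiza]` has a mismatched `)` that should be `(Oracle JDE)` or dropped.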
active-directory | Datawiza Sso Oracle Peoplesoft | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/datawiza-sso-oracle-peoplesoft.md | The scenario solution has the following components: * **Datawiza Cloud Management Console (DCMC)** - administrators manage DAP with UI and RESTful APIs to configure DAP and access control policies * **Oracle PeopleSoft application** - legacy application to be protected by Azure AD and DAP -Learn more: [Datawiza and Azure AD authentication architecture](./datawiza-with-azure-ad.md#datawiza-with-azure-ad-authentication-architecture) +Learn more: [Datawiza and Azure AD authentication architecture](./datawiza-configure-sha.md#datawiza-with-azure-ad-authentication-architecture) ## Prerequisites Ensure the following prerequisites are met. * An Azure subscription * If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free) * An Azure AD tenant linked to the Azure subscription- * See, [Quickstart: Create a new tenant in Azure Active Directory](../fundamentals/active-directory-access-create-new-tenant.md) + * See, [Quickstart: Create a new tenant in Azure Active Directory](../fundamentals/create-new-tenant.md) * Docker and Docker Compose * Go to docs.docker.com to [Get Docker](https://docs.docker.com/get-docker) and [Install Docker Compose](https://docs.docker.com/compose/install) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to an on-premises directory- * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An account with Azure AD and the Application Administrator role * See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles) * An Oracle PeopleSoft environment To confirm Oracle 
PeopleSoft application access occurs correctly, a prompt appea ## Next steps - Video: [Enable SSO and MFA for Oracle JD Edwards with Azure AD via Datawiza](https://www.youtube.com/watch?v=_gUGWHT5m90)-- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-with-azure-ad.md)+- [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-configure-sha.md) - [Tutorial: Configure Azure AD B2C with Datawiza to provide secure hybrid access](../../active-directory-b2c/partner-datawiza.md) - Go to docs.datawiza.com for Datawiza [User Guides](https://docs.datawiza.com/) |
active-directory | Debug Saml Sso Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/debug-saml-sso-issues.md | To resolve the error, follow these steps, or watch this [short video about how t ## Next steps -Now that single sign-on is working to your application, you could [Automate user provisioning and deprovisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/app-based-conditional-access.md). +Now that single sign-on is working to your application, you could [Automate user provisioning and deprovisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/howto-policy-approved-app-or-app-protection.md). |
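Review bot: "get started with Conditional Access" is retargeted from `app-based-conditional-access.md` to `howto-policy-approved-app-or-app-protection.md`, a how-to for one specific policy (approved client app / app protection), which is narrower than the "get started" wording suggests. Other articles in this same change set link the general introduction as `[What is Conditional Access?](../conditional-access/overview.md)`; consider that target here, or adjust the link text to name the specific policy.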
active-directory | F5 Big Ip Forms Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-forms-advanced.md | You need the following components: * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature trial. See [Free Trials](https://www.f5.com/trial/big-ip-trial.php) * User identities synchronized from an on-premises directory to Azure AD- * See [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An SSL certificate to publish services over HTTPS, or use default certificates while testing * See [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile) * A form-based authentication application, or set up an IIS FBA app for testing |
active-directory | F5 Big Ip Header Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-header-advanced.md | For the scenario you need: * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php). * User identities synchronized from an on-premises directory to Azure AD- * [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An SSL certificate to publish services over HTTPS, or use default certificates while testing * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile) * A header-based application or an IIS header app for testing Learn more: [What is Conditional Access?](../conditional-access/overview.md) ![Screenshot of User Attributes and Claims information such as surname, email address, identity, etc.](./media/f5-big-ip-header-advanced/user-attributes-claims.png) > [!NOTE]- > Add other claims the BIG-IP published application expects as headers. More defined claims are issued if they're in Azure AD. Define directory memberships and user objects in Azure AD before claims can be issued. See, [Configure group claims for applications by using Azure AD](../hybrid/how-to-connect-fed-group-claims.md). + > Add other claims the BIG-IP published application expects as headers. More defined claims are issued if they're in Azure AD. Define directory memberships and user objects in Azure AD before claims can be issued. See, [Configure group claims for applications by using Azure AD](../hybrid/connect/how-to-connect-fed-group-claims.md). 22. In the **SAML Signing Certificate** section, select **Download**. 23. The **Federation Metadata XML** file is saved on your computer. |
active-directory | F5 Big Ip Headers Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-headers-easy-button.md | For the scenario you need: * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php) * User identities synchronized from an on-premises directory to Azure AD- * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An SSL web certificate to publish services over HTTPS, or use default BIG-IP certs for testing * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile) * A header-based application or set up an IIS header app for testing |
active-directory | F5 Big Ip Kerberos Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-kerberos-advanced.md | Prior BIG-IP experience isn't necessary. You need: * F5 BIG-IP APM standalone license * F5 BIG-IP APM add-on license on a BIG-IP Local Traffic Manager (LTM) * 90-day BIG-IP [Free Trial](https://www.f5.com/trial/big-ip-trial.php) license-* User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory -* An account with Azure AD Application Administrator [permissions](../users-groups-roles/directory-assign-admin-roles.md) +* User identities [synchronized](../hybrid/connect/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory +* An account with Azure AD Application Administrator [permissions](../roles/permissions-reference.md) * A web server [certificate](../manage-apps/f5-bigip-deployment-guide.md) for publishing services over HTTPS, or use default BIG-IP certificates while testing * A Kerberos application, or go to active-directory-wp.com to learn to configure [SSO with IIS on Windows](https://active-directory-wp.com/docs/Networking/Single_Sign_On/SSO_with_IIS_on_Windows.html) Configure the BIG-IP registration to fulfill SAML tokens that the BIG-IP APM req ![Screenshot of the Federation Metadata XML Download option.](./media/f5-big-ip-kerberos-advanced/edit-saml-signing-certificate.png) > [!NOTE]-> SAML signing certificates that Azure AD creates have a lifespan of three years. For more information, see [Managed certificates for federated single sign-on](./manage-certificates-for-federated-single-sign-on.md). +> SAML signing certificates that Azure AD creates have a lifespan of three years. 
For more information, see [Managed certificates for federated single sign-on](./tutorial-manage-certificates-for-federated-single-sign-on.md). ## Grant access to users and groups |
active-directory | F5 Big Ip Kerberos Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md | Prior BIG-IP experience isn't necessary, but you need: * F5 BIG-IP APM standalone * F5 BIG-IP APM add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP [Free Trial](https://www.f5.com/trial/big-ip-trial.php) license-* User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory +* User identities [synchronized](../hybrid/connect/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD, or created in Azure AD and flowed back to your on-premises directory * An account with Azure AD Application Admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator) * An [SSL Web certificate](./f5-bigip-deployment-guide.md) for publishing services over HTTPS, or use the default BIG-IP certificates while testing * A Kerberos application, or go to active-directory-wp.com to learn to configure [SSO with IIS on Windows](https://active-directory-wp.com/docs/Networking/Single_Sign_On/SSO_with_IIS_on_Windows.html). |
active-directory | F5 Big Ip Ldap Header Easybutton | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md | Prior BIG-IP experience isn't necessary, but you need: - F5 BIG-IP Access Policy Manager™ (APM) standalone license - F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) - 90-day BIG-IP product [Free Trial](https://www.f5.com/trial/big-ip-trial.php)-- User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD+- User identities [synchronized](../hybrid/connect/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD - An account with Azure AD Application Admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator) - An [SSL Web certificate](./f5-bigip-deployment-guide.md#ssl-profile) for publishing services over HTTPS, or use default BIG-IP certificates while testing - A header-based application or [set up a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing |
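Review bot: In this row and in the F5 Big Ip Kerberos Easy Button row above, the unchanged context line still links Application Admin permissions to `/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator`, the same old path that the F5 Big Ip Kerberos Advanced hunk replaces with `../roles/permissions-reference.md`. For consistency across the F5 tutorials, update these two remaining references in the same change rather than leaving them on the retired path.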
active-directory | F5 Big Ip Oracle Enterprise Business Suite Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md | You need the following components: * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature trial. See, [Free Trials](https://www.f5.com/trial/big-ip-trial.php). * User identities synchronized from an on-premises directory to Azure AD- * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An SSL certificate to publish services over HTTPS, or use default certificates while testing * See, [SSL profile](./f5-bigip-deployment-guide.md#ssl-profile) * An Oracle EBS, Oracle AccessGate, and an LDAP-enabled Oracle Internet Database (OID) |
active-directory | F5 Big Ip Oracle Jde Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-jde-easy-button.md | In this tutorial SHA supports SP- and IdP-initiated flows. The following diagram * F5 BIG-IP APM add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to the on-premises directory- * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An account with Azure AD Application Admin permissions * See, [Azure AD built-in roles](../roles/permissions-reference.md) * An SSL Web certificate to publish services over HTTPS, or use default BIG-IP certs for testing |
active-directory | F5 Big Ip Oracle Peoplesoft Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-oracle-peoplesoft-easy-button.md | For this scenario, SHA supports SP- and IdP-initiated flows. The following diagr * F5 BIG-IP APM add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to the on-premises directory- * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An account with Azure AD Application Admin permissions * See, [Azure AD built-in roles](../roles/permissions-reference.md) * An SSL Web certificate to publish services over HTTPS, or use default BIG-IP certs for testing |
active-directory | F5 Big Ip Sap Erp Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-sap-erp-easy-button.md | SHA supports SP and IdP initiated flows. The following image illustrates the SP- * F5 BIG-IP APM add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM) * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php) * User identities synchronized from an on-premises directory to Azure AD, or created in Azure AD and flowed back to the on-premises directory- * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) + * See, [Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) * An account with Azure AD Application Admin permissions * See, [Azure AD built-in roles](../roles/permissions-reference.md) * An SSL Web certificate to publish services over HTTPS, or use default BIG-IP certs for testing |
active-directory | F5 Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-integration.md | The following diagram illustrates the front-end pre-authentication exchange betw 2. BIG-IP redirects the user to the SAML identity provider (IdP), Azure AD, for pre-authentication 3. Azure AD processes Conditional Access policies and [session controls](../conditional-access/concept-conditional-access-session.md) for authorization 4. User goes back to BIG-IP, and presents the SAML claims issued by Azure AD-5. BIG-IP requests session information for [SSO](../hybrid/how-to-connect-sso.md) and [role-based access control (RBAC)](../../role-based-access-control/overview.md) to the published service +5. BIG-IP requests session information for [SSO](../hybrid/connect/how-to-connect-sso.md) and [role-based access control (RBAC)](../../role-based-access-control/overview.md) to the published service 6. BIG-IP forwards the client request to the back-end service ## User experience |
active-directory | F5 Passwordless Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-passwordless-vpn.md | Prior experience or knowledge of F5 BIG-IP isn't necessary, however, you'll need - An Azure AD subscription - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/trial/get-started-active-directory/) or above-- User identities [synchronized from their on-premises directory](../hybrid/how-to-connect-sync-whatis.md) to Azure AD.+- User identities [synchronized from their on-premises directory](../hybrid/connect/how-to-connect-sync-whatis.md) to Azure AD. - An account with Azure AD application admin [permissions](../roles/permissions-reference.md#application-administrator) - BIG-IP infrastructure with client traffic routing to and from the BIG-IP - Or [deploy a BIG-IP Virtual Edition into Azure](f5-bigip-deployment-guide.md) Set up a SAML federation trust between the BIG-IP to allow the Azure AD BIG-IP t ![Screenshot of user attributes and claims properties.](media/f5-passwordless-vpn/user-attributes-claims.png) -You can add other claims to your BIG-IP published service. Claims defined in addition to the default set are issued if they're in Azure AD. Define directory [roles or group](../hybrid/how-to-connect-fed-group-claims.md) memberships against a user object in Azure AD, before they can be issued as a claim. +You can add other claims to your BIG-IP published service. Claims defined in addition to the default set are issued if they're in Azure AD. Define directory [roles or group](../hybrid/connect/how-to-connect-fed-group-claims.md) memberships against a user object in Azure AD, before they can be issued as a claim. ![Screenshot of Federation Metadata XML Download option.](media/f5-passwordless-vpn/saml-signing-certificate.png) |
active-directory | Grant Consent Single User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/grant-consent-single-user.md | When a user grants consent for themselves, the following events occur more often 1. For each API to which the application requires access, a delegated permission grant to that API is created for the permissions that are needed by the application, for access on behalf of the user. A delegated permission grant authorizes an application to access an API on behalf of a user, when that user has signed in. -1. The user is assigned the client application. Assigning the application to the user ensures that the application is listed in the [My Apps](my-apps-deployment-plan.md) portal for that user, which allows them to review and revoke the access that has been granted on their behalf. +1. The user is assigned the client application. Assigning the application to the user ensures that the application is listed in the [My Apps](./myapps-overview.md) portal for that user, which allows them to review and revoke the access that has been granted on their behalf. ## Prerequisites In the example, the resource enterprise application is Microsoft Graph of object - [Configure the admin consent workflow](configure-admin-consent-workflow.md) - [Configure how users consent to applications](configure-user-consent.md)-- [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md)+- [Permissions and consent in the Microsoft identity platform](../develop/permissions-consent-overview.md) |
active-directory | Howto Enforce Signed Saml Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/howto-enforce-signed-saml-authentication.md | If enabled Azure Active Directory will validate the requests against the public ## Next steps -* Find out [How Azure AD uses the SAML protocol](../develop/active-directory-saml-protocol-reference.md) -* Learn the format, security characteristics, and contents of [SAML tokens in Azure AD](../develop/reference-saml-tokens.md) +* Find out [How Azure AD uses the SAML protocol](../develop/saml-protocol-reference.md) +* Learn the format, security characteristics, and contents of [SAML tokens in Azure AD](../develop/reference-saml-tokens.md) |
active-directory | Howto Saml Token Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/howto-saml-token-encryption.md | To configure token encryption, follow these steps: ## Next steps -* Find out [How Azure AD uses the SAML protocol](../develop/active-directory-saml-protocol-reference.md) +* Find out [How Azure AD uses the SAML protocol](../develop/saml-protocol-reference.md) * Learn the format, security characteristics, and contents of [SAML tokens in Azure AD](../develop/reference-saml-tokens.md) |
active-directory | Manage App Consent Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-app-consent-policies.md | To learn more: * [Configure the admin consent workflow](configure-admin-consent-workflow.md) * [Learn how to manage consent to applications and evaluate consent requests](manage-consent-requests.md) * [Grant tenant-wide admin consent to an application](grant-admin-consent.md)-* [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md) +* [Permissions and consent in the Microsoft identity platform](../develop/permissions-consent-overview.md) To get help or find answers to your questions: |
active-directory | Manage Consent Requests | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-consent-requests.md | When you're evaluating a request to grant admin consent, here are some recommend - Understand the [permissions and consent framework](../develop/permissions-consent-overview.md) in the Microsoft identity platform. -- Understand the difference between [delegated permissions and application permissions](../develop/v2-permissions-and-consent.md#permission-types).+- Understand the difference between [delegated permissions and application permissions](../develop/permissions-consent-overview.md#permission-types). Application permissions allow the application to access the data for the entire organization, without any user interaction. Delegated permissions allow the application to act on behalf of a user who was signed into the application at some point. |
active-directory | Manage Self Service Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-self-service-access.md | -Before your users can self-discover applications from the [My Apps portal](my-apps-deployment-plan.md), you need to enable **Self-service application access** for the applications. This functionality is available for applications that were added from the Azure AD Gallery, [Azure AD Application Proxy](../app-proxy/application-proxy.md), or were added using [user or admin consent](../develop/application-consent-experience.md). +Before your users can self-discover applications from the [My Apps portal](./myapps-overview.md), you need to enable **Self-service application access** for the applications. This functionality is available for applications that were added from the Azure AD Gallery, [Azure AD Application Proxy](../app-proxy/application-proxy.md), or were added using [user or admin consent](../develop/application-consent-experience.md). Using this feature, you can: |
active-directory | Migrate Adfs Application Activity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-application-activity.md | The AD FS application activity data is available to users who are assigned any o * Your organization must be currently using AD FS to access applications. * Azure AD Connect Health must be enabled in your Azure AD tenant. * The Azure AD Connect Health for AD FS agent must be installed.-* [Learn more about Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md) -* [Get started with setting up Azure AD Connect Health and install the AD FS agent](../hybrid/how-to-connect-health-agent-install.md) +* [Learn more about Azure AD Connect Health](../hybrid/connect/how-to-connect-health-adfs.md) +* [Get started with setting up Azure AD Connect Health and install the AD FS agent](../hybrid/connect/how-to-connect-health-agent-install.md) >[!IMPORTANT] >There are a couple reasons you won't see all the applications you are expecting after you have installed Azure AD Connect Health. The AD FS application activity report only shows AD FS relying parties with user logins in the last 30 days. Also, the report won't display Microsoft related relying parties such as Office 365. The following table lists all configuration tests that are performed on AD FS ap |Test-ADFSRPDelegationAuthorizationRules | Pass/Fail  | The application has custom delegation authorization rules defined. This is a WS-Trust concept that Azure AD supports by using modern authentication protocols, such as OpenID Connect and OAuth 2.0. [Learn more about the Microsoft Identity Platform](../develop/v2-protocols-oidc.md).  | |Test-ADFSRPImpersonationAuthorizationRules  | Pass/Warning  | The application has custom impersonation authorization rules defined. This is a WS-Trust concept that Azure AD supports by using modern authentication protocols, such as OpenID Connect and OAuth 2.0. 
[Learn more about the Microsoft Identity Platform](../develop/v2-protocols-oidc.md).  | |Test-ADFSRPIssuanceAuthorizationRules <br> At least one non-migratable rule was detected for IssuanceAuthorization.  | Pass/Warning  | The application has custom issuance authorization rules defined in AD FS. Azure AD supports this functionality with Azure AD Conditional Access. [Learn more about Conditional Access](../conditional-access/overview.md). <br> You can also restrict access to an application by user or groups assigned to the application. [Learn more about assigning users and groups to access applications](./assign-user-or-group-access-portal.md).    |-|Test-ADFSRPIssuanceTransformRules <br> At least one non-migratable rule was detected for IssuanceTransform.  | Pass/Warning  | The application has custom issuance transform rules defined in AD FS. Azure AD supports customizing the claims issued in the token. To learn more, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).   | +|Test-ADFSRPIssuanceTransformRules <br> At least one non-migratable rule was detected for IssuanceTransform.  | Pass/Warning  | The application has custom issuance transform rules defined in AD FS. Azure AD supports customizing the claims issued in the token. To learn more, see [Customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md).   | |Test-ADFSRPMonitoringEnabled <br> Relying Party has MonitoringEnabled set to true.  | Pass/Warning  | This setting in AD FS lets you specify whether AD FS is configured to automatically update the application based on changes within the federation metadata. Azure AD doesn’t support this today but should not block the migration of the application to Azure AD.   | |Test-ADFSRPNotBeforeSkew <br> NotBeforeSkewCheckResult | Pass/Warning  | AD FS allows a time skew based on the NotBefore and NotOnOrAfter times in the SAML token. 
Azure AD automatically handles this by default.  | |Test-ADFSRPRequestMFAFromClaimsProviders <br> Relying Party has RequestMFAFromClaimsProviders set to true.  | Pass/Warning  | This setting in AD FS determines the behavior for MFA when the user comes from a different claims provider. In Azure AD, you can enable external collaboration using Azure AD B2B. Then, you can apply Conditional Access policies to protect guest access. Learn more about [Azure AD B2B](../external-identities/what-is-b2b.md) and [Conditional Access](../conditional-access/overview.md).  | The following table lists all claim rule tests that are performed on AD FS appli |Property |Description | |||-|UNSUPPORTED_CONDITION_PARAMETER | The condition statement uses Regular Expressions to evaluate if the claim matches a certain pattern.  To achieve a similar functionality in Azure AD, you can use pre-defined transformation such as  IfEmpty(), StartWith(), Contains(), among others. For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).  | -|UNSUPPORTED_CONDITION_CLASS | The condition statement has multiple conditions that need to be evaluated before running the issuance statement. Azure AD may support this functionality with the claim’s transformation functions where you can evaluate multiple claim values.  For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).  | -|UNSUPPORTED_RULE_TYPE | The claim rule couldn’t be recognized. For more information on how to configure claims in Azure AD, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).  | +|UNSUPPORTED_CONDITION_PARAMETER | The condition statement uses Regular Expressions to evaluate if the claim matches a certain pattern.  
To achieve a similar functionality in Azure AD, you can use pre-defined transformation such as  IfEmpty(), StartWith(), Contains(), among others. For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md).  | +|UNSUPPORTED_CONDITION_CLASS | The condition statement has multiple conditions that need to be evaluated before running the issuance statement. Azure AD may support this functionality with the claim’s transformation functions where you can evaluate multiple claim values.  For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md).  | +|UNSUPPORTED_RULE_TYPE | The claim rule couldn’t be recognized. For more information on how to configure claims in Azure AD, see [Customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md).  | |CONDITION_MATCHES_UNSUPPORTED_ISSUER | The condition statement uses an Issuer that is not supported in Azure AD. Currently, Azure AD doesn’t source claims from stores different that Active Directory or Azure AD. If this is blocking you from migrating applications to Azure AD, [let us know](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789). |-|UNSUPPORTED_CONDITION_FUNCTION | The condition statement uses an aggregate function to issue or add a single claim regardless of the number of matches.  In Azure AD, you can evaluate the attribute of a user to decide what value to use for the claim with functions like IfEmpty(), StartWith(), Contains(), among others. For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).  | -|RESTRICTED_CLAIM_ISSUED | The condition statement uses a claim that is restricted in Azure AD. 
You may be able to issue a restricted claim, but you can’t modify its source or apply any transformation. For more information, see [Customize claims emitted in tokens for a specific app in Azure AD](../develop/active-directory-claims-mapping.md).  | +|UNSUPPORTED_CONDITION_FUNCTION | The condition statement uses an aggregate function to issue or add a single claim regardless of the number of matches.  In Azure AD, you can evaluate the attribute of a user to decide what value to use for the claim with functions like IfEmpty(), StartWith(), Contains(), among others. For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md).  | +|RESTRICTED_CLAIM_ISSUED | The condition statement uses a claim that is restricted in Azure AD. You may be able to issue a restricted claim, but you can’t modify its source or apply any transformation. For more information, see [Customize claims emitted in tokens for a specific app in Azure AD](../develop/saml-claims-customization.md).  | |EXTERNAL_ATTRIBUTE_STORE | The issuance statement uses an attribute store different that Active Directory. Currently, Azure AD doesn’t source claims from stores different that Active Directory or Azure AD. If this result is blocking you from migrating applications to Azure AD, [let us know](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789).  |-|UNSUPPORTED_ISSUANCE_CLASS | The issuance statement uses ADD to add claims to the incoming claim set. In Azure AD, this may be configured as multiple claim transformations.  For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-claims-mapping.md). | -|UNSUPPORTED_ISSUANCE_TRANSFORMATION | The issuance statement uses Regular Expressions to transform the value of the claim to be emitted. 
To achieve similar functionality in Azure AD, you can use pre-defined transformation such as Extract(), Trim(), ToLower, among others. For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).  | +|UNSUPPORTED_ISSUANCE_CLASS | The issuance statement uses ADD to add claims to the incoming claim set. In Azure AD, this may be configured as multiple claim transformations.  For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md). | +|UNSUPPORTED_ISSUANCE_TRANSFORMATION | The issuance statement uses Regular Expressions to transform the value of the claim to be emitted. To achieve similar functionality in Azure AD, you can use pre-defined transformation such as Extract(), Trim(), ToLower, among others. For more information, see [Customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md).  | ## Troubleshooting The following table lists all claim rule tests that are performed on AD FS appli * [Video: How to use the AD FS activity report to migrate an application](https://www.youtube.com/watch?v=OThlTA239lU) * [Managing applications with Azure Active Directory](what-is-application-management.md) * [Manage access to apps](what-is-access-management.md)-* [Azure AD Connect federation](../hybrid/how-to-connect-fed-whatis.md) +* [Azure AD Connect federation](../hybrid/connect/how-to-connect-fed-whatis.md) |
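Review bot: the two unchanged rows in the claim rule tests table, CONDITION_MATCHES_UNSUPPORTED_ISSUER and EXTERNAL_ATTRIBUTE_STORE, still read "stores different that Active Directory" and "attribute store different that Active Directory"; since the neighbouring rows of this table are being retargeted anyway, suggest correcting both to "different from Active Directory" in the same change.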
active-directory | Migrate Adfs Apps Phases Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-apps-phases-overview.md | Your applications are likely using the following types of authentication: To ensure that the users can easily and securely access applications, your goal is to have a single set of access controls and policies across your on-premises and cloud environments. -[Azure AD](../fundamentals/active-directory-whatis.md) offers a universal identity platform that provides your employees, partners, and customers a single identity to access the applications they want and collaborate from any platform and device. +[Azure AD](../fundamentals/whatis.md) offers a universal identity platform that provides your employees, partners, and customers a single identity to access the applications they want and collaborate from any platform and device. :::image type="content" source="media/migrate-adfs-apps-phases-overview/connectivity.png" alt-text="Diagram showing Azure AD connectivity."::: -Azure AD has a [full suite of identity management capabilities](../fundamentals/active-directory-whatis.md#which-features-work-in-azure-ad). Standardizing your app authentication and authorization to Azure AD gets you the benefits that these capabilities provide. +Azure AD has a [full suite of identity management capabilities](../fundamentals/whatis.md#which-features-work-in-azure-ad). Standardizing your app authentication and authorization to Azure AD gets you the benefits that these capabilities provide. You can find more migration resources at [https://aka.ms/migrateapps](./migration-resources.md) |
active-directory | Migrate Adfs Apps Stages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-apps-stages.md | For more information, see: * [Using Azure AD Application Proxy to publish on-premises apps for remote users](../app-proxy/what-is-application-proxy.md). * [What is application management?](what-is-application-management.md) * [AD FS application activity report to migrate applications to Azure AD](migrate-adfs-application-activity.md).-* [Monitor AD FS using Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md). +* [Monitor AD FS using Azure AD Connect Health](../hybrid/connect/how-to-connect-health-adfs.md). ## The migration process Update the configuration of your production app to point to your production Azur :::image type="content" source="media/migrate-adfs-apps-stages/stage4.jpg" alt-text="Diagram showing migration stage 4."::: - Apps that authenticate with AD FS can use Active Directory groups for permissions. Use [Azure AD Connect sync](../hybrid/how-to-connect-sync-whatis.md) to sync identity data between your on-premises environment and Azure AD before you begin migration. Verify those groups and membership before migration so that you can grant access to the same users when the application is migrated. + Apps that authenticate with AD FS can use Active Directory groups for permissions. Use [Azure AD Connect sync](../hybrid/connect/how-to-connect-sync-whatis.md) to sync identity data between your on-premises environment and Azure AD before you begin migration. Verify those groups and membership before migration so that you can grant access to the same users when the application is migrated. ## Line of business apps |
active-directory | Migrate Adfs Discover Scope Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-discover-scope-apps.md | The first decision in the migration process is which apps to migrate, which if a Discover applications using ADFS: -- **Use Azure AD Connect Health for ADFS**: If you have an Azure AD Premium license, we recommend deploying [Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md) to analyze the app usage in your on-premises environment. You can use the [ADFS application report](./migrate-adfs-application-activity.md) to discover ADFS applications that can be migrated and evaluate the readiness of the application to be migrated.+- **Use Azure AD Connect Health for ADFS**: If you have an Azure AD Premium license, we recommend deploying [Azure AD Connect Health](../hybrid/connect/how-to-connect-health-adfs.md) to analyze the app usage in your on-premises environment. You can use the [ADFS application report](./migrate-adfs-application-activity.md) to discover ADFS applications that can be migrated and evaluate the readiness of the application to be migrated. -- If you don’t have Azure AD Premium licenses, we recommend using the ADFS to Azure AD app migration tools based on [PowerShell](https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration). Refer to [solution guide](./migrate-adfs-apps-to-azure.md):+- If you don’t have Azure AD Premium licenses, we recommend using the ADFS to Azure AD app migration tools based on [PowerShell](https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration). 
Refer to [solution guide](./migrate-adfs-apps-stages.md): > [!VIDEO https://www.youtube.com/embed/PxLIacDpHh4] Once you've taken the automated approaches described in this article, you have a Once you find your apps, you identify these types of apps in your organization: -- Apps that use modern authentication protocols such as [Security Assertion Markup Language (SAML)](../fundamentals/auth-saml.md) or [OpenID Connect (OIDC)](../fundamentals/auth-oidc.md).+- Apps that use modern authentication protocols such as [Security Assertion Markup Language (SAML)](../architecture/auth-saml.md) or [OpenID Connect (OIDC)](../architecture/auth-oidc.md). - Apps that use legacy authentication such as [Kerberos](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889) or NT LAN Manager (NTLM) that you choose to modernize. - Apps that use legacy authentication protocols that you choose NOT to modernize - New Line of Business (LoB) apps For certain apps using legacy authentication protocols, sometimes modernizing th - Apps connected to an on-premises identity or federation provider that you don't want to change. - Apps developed using on-premises authentication standards that you have no plans to move -Azure AD can bring great benefits to these legacy apps. You can enable modern Azure AD security and governance features like [Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md), [Conditional Access](../conditional-access/overview.md), [Identity Protection](../identity-protection/index.yml), [Delegated Application Access](./access-panel-manage-self-service-access.md), and [Access Reviews](../governance/manage-user-access-with-access-reviews.md#create-and-perform-an-access-review) against these apps without touching the app at all! +Azure AD can bring great benefits to these legacy apps. 
You can enable modern Azure AD security and governance features like [Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md), [Conditional Access](../conditional-access/overview.md), [Identity Protection](../identity-protection/index.yml), [Delegated Application Access](./manage-self-service-access.md), and [Access Reviews](../governance/manage-user-access-with-access-reviews.md#create-and-perform-an-access-review) against these apps without touching the app at all! - Start by extending these apps into the cloud with [Azure AD Application Proxy](../app-proxy/application-proxy.md). - Or explore using on of our [Secure Hybrid Access (SHA) partner integrations](secure-hybrid-access.md) that you might have deployed already. |
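Review bot: the unchanged context line "Or explore using on of our [Secure Hybrid Access (SHA) partner integrations](secure-hybrid-access.md)" at the end of the last hunk carries a typo; suggest "one of our" while this section is being edited.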
active-directory | Migrate Adfs Plan Management Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-plan-management-insights.md | Azure AD provides a centralized access location to manage your migrated apps. Si You can also use the [Azure portal](https://portal.azure.com/) to audit all your apps from a centralized location, -- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Azure AD Reporting API](../reports-monitoring/concept-reporting-api.md) to integrate into your favorite tools.+- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Azure AD Reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) to integrate into your favorite tools. - **View the permissions for an app** using **Enterprise Applications, Permissions** for apps using OAuth/OpenID Connect.-- **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Azure AD Reporting API.](../reports-monitoring/concept-reporting-api.md)+- **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Azure AD Reporting API.](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) - **Visualize your app’s usage** from the [Azure AD Power BI content pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md) ## Exit criteria You're successful in this phase when you: Deployment plans walk you through the business value, planning, implementation steps, and management of Azure AD solutions, including app migration scenarios. They bring together everything that you need to start deploying and getting value out of Azure AD capabilities. 
The deployment guides include content such as Microsoft recommended best practices, end-user communications, planning guides, implementation steps, test cases, and more. -Many [deployment plans](../fundamentals/deployment-plans.md) are available for your use, and weΓÇÖre always making more! +Many [deployment plans](../architecture/deployment-plans.md) are available for your use, and weΓÇÖre always making more! ## Contact support Visit the following support links to create or track support ticket and monitor ## Next steps -- [Migration process](migrate-adfs-apps-to-azure.md)+- [Migration process](./migrate-adfs-apps-stages.md) |
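Review bot: the unchanged list item "**Visualize your app's usage** from the [Azure AD Power BI content pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md)" has link text that no longer matches its target (the Power BI content pack text points at the Azure Monitor workbooks article); as this commit is already repointing the two Reporting API links in the same list, consider updating that link text to name the workbooks article as well.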
active-directory | Migrate Adfs Represent Security Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-represent-security-policies.md | Explicit group authorization in AD FS: To map this rule to Azure AD: -1. In the [Entra portal](https://entra.microsoft.com/#home), [create a user group](../fundamentals/active-directory-groups-create-azure-portal.md) that corresponds to the group of users from AD FS. +1. In the [Entra portal](https://entra.microsoft.com/#home), [create a user group](../fundamentals/how-to-manage-groups.md) that corresponds to the group of users from AD FS. 1. Assign app permissions to the group: :::image type="content" source="media/migrate-adfs-represent-security-policies/allow-a-group-explicitly-2.png" alt-text="Screenshot shows how to add a user assignment to the app."::: The users/groups selector is a rule that allows you to enforce MFA on a per-grou Specify MFA rules for a user or a group in Azure AD: -1. Create a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json). +1. Create a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json). 1. Select **Assignments**. Add the user(s) or group(s) for which you want to enforce MFA. 1. Configure the **Access controls** options as shown in the following screenshots: Specify MFA rules for a user or a group in Azure AD: Specify MFA rules for unregistered devices in Azure AD: -1. Create a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json). +1. 
Create a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json). 1. Set the **Assignments** to **All users**. 1. Configure the **Access controls** options as shown below: When you set the **For multiple controls** option to **Require one of the select Specify MFA rules based on a user's location in Azure AD: -1. Create a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json). +1. Create a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json). 1. Set the **Assignments** to **All users**. 1. [Configure named locations in Azure AD](../conditional-access/location-condition.md). Otherwise, federation from inside your corporate network is trusted. 1. Configure the **Conditions rules** to specify the locations for which you would like to enforce MFA. Built-in access control policies in AD FS 2016: :::image type="content" source="media/migrate-adfs-represent-security-policies/map-built-in-access-control-policies-1.png" alt-text="Screenshot shows Azure AD built in access control."::: -To implement built-in policies in Azure AD, use a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json) and configure the access controls, or use the custom policy designer in AD FS 2016 to configure access control policies. The Rule Editor has an exhaustive list of Permit and Except options that can help you make all kinds of permutations. 
+To implement built-in policies in Azure AD, use a [new Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json) and configure the access controls, or use the custom policy designer in AD FS 2016 to configure access control policies. The Rule Editor has an exhaustive list of Permit and Except options that can help you make all kinds of permutations. :::image type="content" source="media/migrate-adfs-represent-security-policies/map-built-in-access-control-policies-2.png" alt-text="Screenshot shows Azure AD built in access control policies."::: Here's an example of how to configure the Exclude option for trusted locations i When you map authorization rules, apps that authenticate with AD FS may use Active Directory groups for permissions. In such a case, use [Azure AD Connect](https://go.microsoft.com/fwlink/?LinkId=615771) to sync these groups with Azure AD before migrating the applications. Make sure that you verify those groups and membership before migration so that you can grant access to the same users when the application is migrated. -For more information, see [Prerequisites for using Group attributes synchronized from Active Directory](../hybrid/how-to-connect-fed-group-claims.md). +For more information, see [Prerequisites for using Group attributes synchronized from Active Directory](../hybrid/connect/how-to-connect-fed-group-claims.md). ### Set up user self-provisioning |
active-directory | Migrate Adfs Saml Based Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-saml-based-sso.md | To configure a SaaS application for SAML-based SSO, see [Quickstart: Set up SAML Many SaaS applications have an [application-specific tutorial](../saas-apps/tutorial-list.md) that steps you through the configuration for SAML-based SSO. -Some apps can be migrated easily. Apps with more complex requirements, such as custom claims, may require extra configuration in Azure AD and/or [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md). For information about supported claims mappings, see [How to: Customize claims emitted in tokens for a specific app in a tenant (Preview)](../develop/active-directory-claims-mapping.md). +Some apps can be migrated easily. Apps with more complex requirements, such as custom claims, may require extra configuration in Azure AD and/or [Azure AD Connect Health](../hybrid/connect/whatis-azure-ad-connect.md). For information about supported claims mappings, see [How to: Customize claims emitted in tokens for a specific app in a tenant (Preview)](../develop/saml-claims-customization.md). Keep in mind the following limitations when mapping attributes: -* Not all attributes that can be issued in AD FS show up in Azure AD as attributes to emit to SAML tokens, even if those attributes are synced. When you edit the attribute, the **Value** dropdown list shows you the different attributes that are available in Azure AD. Check [Azure AD Connect sync articles](../hybrid/how-to-connect-sync-whatis.md) configuration to ensure that a required attributeΓÇöfor example, **samAccountName**ΓÇöis synced to Azure AD. You can use the extension attributes to emit any claim that isn't part of the standard user schema in Azure AD. +* Not all attributes that can be issued in AD FS show up in Azure AD as attributes to emit to SAML tokens, even if those attributes are synced. 
When you edit the attribute, the **Value** dropdown list shows you the different attributes that are available in Azure AD. Check [Azure AD Connect sync articles](../hybrid/connect/how-to-connect-sync-whatis.md) configuration to ensure that a required attributeΓÇöfor example, **samAccountName**ΓÇöis synced to Azure AD. You can use the extension attributes to emit any claim that isn't part of the standard user schema in Azure AD. * In the most common scenarios, only the **NameID** claim and other common user identifier claims are required for an app. To determine if any extra claims are required, examine what claims you're issuing from AD FS. * Not all claims can be issued, as some claims are protected in Azure AD.-* The ability to use encrypted SAML tokens is now in preview. See [How to: customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md). +* The ability to use encrypted SAML tokens is now in preview. See [How to: customize claims issued in the SAML token for enterprise applications](../develop/saml-claims-customization.md). ## Software as a service (SaaS) apps For any issues with onboarding your SaaS apps, you can contact the [SaaS Applica ## SAML signing certificates for SSO -Signing certificates are an important part of any SSO deployment. Azure AD creates the signing certificates to establish SAML-based federated SSO to your SaaS applications. Once you add either gallery or non-gallery applications, you'll configure the added application using the federated SSO option. See [Manage certificates for federated single sign-on in Azure Active Directory](manage-certificates-for-federated-single-sign-on.md). +Signing certificates are an important part of any SSO deployment. Azure AD creates the signing certificates to establish SAML-based federated SSO to your SaaS applications. 
Once you add either gallery or non-gallery applications, you'll configure the added application using the federated SSO option. See [Manage certificates for federated single sign-on in Azure Active Directory](./tutorial-manage-certificates-for-federated-single-sign-on.md). ## SAML token encryption Apps that you can move easily today include SAML 2.0 apps that use the standard * Email address * Given name * Surname-* Alternate attribute as SAML **NameID**, including the Azure AD mail attribute, mail prefix, employee ID, extension attributes 1-15, or on-premises **SamAccountName** attribute. For more information, see [Editing the NameIdentifier claim](../develop/active-directory-saml-claims-customization.md). +* Alternate attribute as SAML **NameID**, including the Azure AD mail attribute, mail prefix, employee ID, extension attributes 1-15, or on-premises **SamAccountName** attribute. For more information, see [Editing the NameIdentifier claim](../develop/saml-claims-customization.md). * Custom claims. The following require more configuration steps to migrate to Azure AD: The following require more configuration steps to migrate to Azure AD: * Apps with multiple Reply URL endpoints. You configure them in Azure AD using PowerShell or the Entra portal interface. * WS-Federation apps such as SharePoint apps that require SAML version 1.1 tokens. You can configure them manually using PowerShell. You can also add a preintegrated generic template for SharePoint and SAML 1.1 applications from the gallery. We support the SAML 2.0 protocol. * Complex claims issuance transforms rules. For information about supported claims mappings, see:- * [Claims mapping in Azure Active Directory](../develop/active-directory-claims-mapping.md). - * [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/active-directory-saml-claims-customization.md). + * [Claims mapping in Azure Active Directory](../develop/saml-claims-customization.md). 
+ * [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/saml-claims-customization.md). ## Apps and configurations not supported in Azure AD today |
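Review bot: after this change the two bullets under "Complex claims issuance transforms rules" ("Claims mapping in Azure Active Directory" and "Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory") both resolve to `../develop/saml-claims-customization.md`, so the list now offers the same destination twice under different names; collapse them into a single bullet whose text matches the target article, and check the earlier link text "How to: Customize claims emitted in tokens for a specific app in a tenant (Preview)" for the same mismatch, since it now points at that same file.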
active-directory | Migrate Applications From Okta | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-applications-from-okta.md | Map the default Okta authorization server to Microsoft Graph scopes or permissio - [Migrate Okta federation to Azure AD](migrate-okta-federation.md) - [Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning.md)-- [Migrate Okta sign-on policies to Azure AD Conditional Access](migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md)+- [Migrate Okta sign-on policies to Azure AD Conditional Access](./migrate-okta-sign-on-policies-conditional-access.md) |
active-directory | Migrate Okta Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-federation.md | Set up the sign-in method: * **Password hash synchronization** - an extension of the directory synchronization feature implemented by Azure AD Connect server or cloud-provisioning agents * Use this feature to sign in to Azure AD services like Microsoft 365 * Sign in to the service with the password to sign in to the on-premises Active Directory instance- * See, [What is password hash synchronization with Azure AD?](../hybrid/whatis-phs.md) + * See, [What is password hash synchronization with Azure AD?](../hybrid/connect/whatis-phs.md) * **Pass-through authentication** - sign in to on-premises and cloud applications with the same passwords * When users sign in through Azure AD, the pass-through authentication agent validates passwords against the on-premises AD- * See, [User sign-in with Azure Active Directory Pass-through Authentication](../hybrid/how-to-connect-pta.md) + * See, [User sign-in with Azure Active Directory Pass-through Authentication](../hybrid/connect/how-to-connect-pta.md) * **Seamless SSO** - signs in users on corporate desktops connected to the corporate network * Users have access to cloud applications without other on-premises components- * See, [Azure AD seamless SSO](../hybrid/how-to-connect-sso.md) + * See, [Azure AD seamless SSO](../hybrid/connect/how-to-connect-sso.md) To create a seamless authentication user experience in Azure AD, deploy seamless SSO to password hash synchronization or pass-through authentication. -For prerequisites of seamless SSO see, [Quickstart: Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites). +For prerequisites of seamless SSO see, [Quickstart: Azure Active Directory Seamless single sign-on](../hybrid/connect/how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites). 
For this tutorial, you configure password hash synchronization and seamless SSO. For this tutorial, you configure password hash synchronization and seamless SSO. Before you test defederating a domain, in Azure AD use a cloud authentication staged rollout to test defederating users. -Learn more: [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md) +Learn more: [Migrate to cloud authentication using Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md) After you enable password hash sync and seamless SSO on the Azure AD Connect server, configure a staged rollout: After you configure the Okta app in Azure AD and configure the IDP in the Okta p After you configure the Okta reverse-federation app, ask users to conduct testing on the managed authentication experience. We recommend you configure company branding to help users recognize the tenant. -Learn more: [Configure your company branding](../fundamentals/customize-branding.md). +Learn more: [Configure your company branding](../fundamentals/how-to-customize-branding.md). >[!IMPORTANT] >Before you defederate the domains from Okta, identify needed Conditional Access policies. You can secure your environment before cut-off. See, [Tutorial: Migrate Okta sign-on policies to Azure AD Conditional Access](migrate-okta-sign-on-policies-conditional-access.md). |
active-directory | Migrate Okta Sync Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sync-provisioning.md | In this tutorial, learn to migrate user provisioning from Okta to Azure Active D When you switch from Okta provisioning to Azure AD, there are two choices. Use an Azure AD Connect server or Azure AD cloud provisioning. -Learn more: [Comparison between Azure AD Connect and cloud sync](../cloud-sync/what-is-cloud-sync.md#comparison-between-azure-ad-connect-and-cloud-sync). +Learn more: [Comparison between Azure AD Connect and cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md#comparison-between-azure-ad-connect-and-cloud-sync). Azure AD cloud provisioning is the most familiar migration path for Okta customers who use Universal Sync or User Sync. The cloud provisioning agents are lightweight. You can install them on, or near, domain controllers like the Okta directory sync agents. Don't install them on the same server. When you synchronize users, use an Azure AD Connect server if your organization - Support for writeback >[!NOTE]- >Take all prerequisites into consideration when you install Azure AD Connect or Azure AD cloud provisioning. Before you continue with installation, see [Prerequisites for Azure AD Connect](../hybrid/how-to-connect-install-prerequisites.md). + >Take all prerequisites into consideration when you install Azure AD Connect or Azure AD cloud provisioning. Before you continue with installation, see [Prerequisites for Azure AD Connect](../hybrid/connect/how-to-connect-install-prerequisites.md). ## Confirm ImmutableID attribute synchronized by Okta The following command gets on-premises Azure AD users and exports a list of thei After you prepare your list of source and destination targets, install an Azure AD Connect server. If you use Azure AD Connect cloud provisioning, skip this section. -1. Download and install Azure AD Connect on a server. 
See, [Custom installation of Azure Active Directory Connect](../hybrid/how-to-connect-install-custom.md). +1. Download and install Azure AD Connect on a server. See, [Custom installation of Azure Active Directory Connect](../hybrid/connect/how-to-connect-install-custom.md). 2. In the left panel, select **Identifying users**. 3. On the **Uniquely identifying your users** page, under **Select how users should be identified with Azure AD**, select **Choose a specific attribute**. 4. If you haven't modified the Okta default, select **mS-DS-ConsistencyGUID**. In this example, Okta stamped the **mail** attribute to the user's account, alth ## Install Azure AD cloud sync agents -After you prepare your list of source and destination targets, install and configure Azure AD cloud sync agents. See, [Tutorial: Integrate a single forest with a single Azure AD tenant](../cloud-sync/tutorial-single-forest.md). +After you prepare your list of source and destination targets, install and configure Azure AD cloud sync agents. See, [Tutorial: Integrate a single forest with a single Azure AD tenant](../hybrid/cloud-sync/tutorial-single-forest.md). > [!NOTE] > If you use an Azure AD Connect server, skip this section. After you disable Okta provisioning, the Azure AD cloud sync agent can synchroni - [Tutorial: Migrate your applications from Okta to Azure AD](migrate-applications-from-okta.md) - [Tutorial: Migrate Okta federation to Azure AD-managed authentication](migrate-okta-federation.md)-- [Tutorial: Migrate Okta sign-on policies to Azure AD Conditional Access](migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md)+- [Tutorial: Migrate Okta sign-on policies to Azure AD Conditional Access](./migrate-okta-sign-on-policies-conditional-access.md) |
active-directory | Migration Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migration-resources.md | Resources to help you migrate application access and authentication to Azure Act | [Deployment plan: Migrating from AD FS to pass-through authentication](https://aka.ms/ADFSTOPTADPDownload)|Azure AD pass-through authentication helps users sign in to both on-premises and cloud-based applications by using the same password. This feature provides your users with a better experience since they have one less password to remember. It also reduces IT help desk costs because users are less likely to forget how to sign in when they only need to remember one password. When people sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.| | [Deployment plan: Enabling single sign-on to a SaaS app with Azure AD](https://aka.ms/SSODPDownload) | Single sign-on (SSO) helps you access all the apps and resources you need to do business, while signing in only once, using a single user account. For example, after a user has signed in, the user can move from Microsoft Office, to SalesForce, to Box without authenticating (for example, typing a password) a second time. | [Deployment plan: Extending apps to Azure AD with Application Proxy](../app-proxy/application-proxy-deployment-plan.md)| Providing access from employee laptops and other devices to on-premises applications has traditionally involved virtual private networks (VPNs) or demilitarized zones (DMZs). Not only are these solutions complex and hard to make secure, but they're costly to set up and manage. Azure AD Application Proxy makes it easier to access on-premises applications. 
|-| [Other deployment plans](../fundamentals/deployment-plans.md) | Find more deployment plans for deploying features such as Azure AD multi-factor authentication, Conditional Access, user provisioning, seamless SSO, self-service password reset, and more! | +| [Other deployment plans](../architecture/deployment-plans.md) | Find more deployment plans for deploying features such as Azure AD multi-factor authentication, Conditional Access, user provisioning, seamless SSO, self-service password reset, and more! | | [Migrating apps from Symantec SiteMinder to Azure AD](https://azure.microsoft.com/mediahandler/files/resourcefiles/migrating-applications-from-symantec-siteminder-to-azure-active-directory/Migrating-applications-from-Symantec-SiteMinder-to-Azure-Active-Directory.pdf) | Get step by step guidance on application migration and integration options with an example that walks you through migrating applications from Symantec SiteMinder to Azure AD. | | [Identity governance for applications](../governance/identity-governance-applications-prepare.md)| This guide outlines what you need to do if you're migrating identity governance for an application from a previous identity governance technology, to connect Azure AD to that application.| | [Active Directory Federation Services (AD FS) decommission guide](/windows-server/identity/ad-fs/decommission/adfs-decommission-guide) | This guide explains the prerequisites for decommissioning, including migrating user authentication and applications to Azure AD. It also provides step-by-step instructions for decommissioning the AD FS servers, including removing load balancer entries, uninstalling WAP and AD FS servers, and deleting SSL certificates and databases. | | [Videos - Phases of migrating apps from ADFS to Azure AD](app-management-videos.md#phases-of-migrating-apps-from-adfs-to-azure-ad) | These videos illustrate the five phases of a typical ADFS to Azure AD migration process|- |
active-directory | Myapps Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/myapps-overview.md | In the Azure portal, define the logo and name for the application to represent c :::image type="content" source="./media/myapps-overview/banner-logo.png" alt-text="Screenshot that shows the banner logo in the My Apps portal."::: -For more information, see [Add branding to your organization's sign-in page](../fundamentals/customize-branding.md). +For more information, see [Add branding to your organization's sign-in page](../fundamentals/how-to-customize-branding.md). ## Manage access to applications |
active-directory | Plan An Application Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/plan-an-application-integration.md | As mentioned above, there may be applications that haven't been managed by your The following articles discuss the different ways applications integrate with Azure AD, and provide some guidance. -* [Determining which Active Directory to use](../fundamentals/active-directory-whatis.md) +* [Determining which Active Directory to use](../fundamentals/whatis.md) * [Using applications in the Azure application gallery](what-is-single-sign-on.md) * [Integrating SaaS applications tutorials list](../saas-apps/tutorial-list.md) The following articles discuss the different ways applications integrate with Az You can add any application that already exists in your organization, or any third-party application from a vendor who is not already part of the Azure AD gallery. Depending on your [license agreement](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing), the following capabilities are available: * Self-service integration of any application that supports [Security Assertion Markup Language (SAML) 2.0](https://wikipedia.org/wiki/SAML_2.0) identity providers (SP-initiated or IdP-initiated)-* Self-service integration of any web application that has an HTML-based sign-in page using [password-based SSO](sso-options.md#password-based-sso) +* Self-service integration of any web application that has an HTML-based sign-in page using [password-based SSO](./plan-sso-deployment.md#password-based-sso) * Self-service connection of applications that use the [System for Cross-Domain Identity Management (SCIM) protocol for user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md) * Ability to add links to any application in the [Office 365 app 
launcher](https://support.microsoft.com/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a) or [My Apps](https://myapplications.microsoft.com/) -If you're looking for developer guidance on how to integrate custom apps with Azure AD, see [Authentication Scenarios for Azure AD](../develop/authentication-vs-authorization.md). When you develop an app that uses a modern protocol like [OpenId Connect/OAuth](../develop/active-directory-v2-protocols.md) to authenticate users, you can register it with the Microsoft identity platform by using the [App registrations](../develop/quickstart-register-app.md) experience in the Azure portal. +If you're looking for developer guidance on how to integrate custom apps with Azure AD, see [Authentication Scenarios for Azure AD](../develop/authentication-vs-authorization.md). When you develop an app that uses a modern protocol like [OpenId Connect/OAuth](../develop/v2-protocols.md) to authenticate users, you can register it with the Microsoft identity platform by using the [App registrations](../develop/quickstart-register-app.md) experience in the Azure portal. ### Authentication Types -Each of your applications may have different authentication requirements. With Azure AD, signing certificates can be used with applications that use SAML 2.0, WS-Federation, or OpenID Connect Protocols and Password Single Sign On. For more information about application authentication types, see [Managing Certificates for Federated Single Sign-On in Azure Active Directory](manage-certificates-for-federated-single-sign-on.md) and [Password based single sign on](what-is-single-sign-on.md). +Each of your applications may have different authentication requirements. With Azure AD, signing certificates can be used with applications that use SAML 2.0, WS-Federation, or OpenID Connect Protocols and Password Single Sign On. 
For more information about application authentication types, see [Managing Certificates for Federated Single Sign-On in Azure Active Directory](./tutorial-manage-certificates-for-federated-single-sign-on.md) and [Password based single sign on](what-is-single-sign-on.md). ### Enabling SSO with Azure AD App Proxy The following articles describe ways you can manage access to applications once ## Next steps -For in-depth information, you can download Azure Active Directory deployment plans from [GitHub](../fundamentals/deployment-plans.md). For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the [Azure portal](https://portal.azure.com). +For in-depth information, you can download Azure Active Directory deployment plans from [GitHub](../architecture/deployment-plans.md). For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the [Azure portal](https://portal.azure.com). To download a deployment plan from the Azure portal: |
active-directory | Plan Sso Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/plan-sso-deployment.md | Always use the role with the fewest permissions available to accomplish the requ | Infrastructure admins | Certificate rollover owner | Cloud Application Administrator | | Business owner/stakeholder | User attestation in application, configuration on users with permissions | None | -To learn more about Azure AD administrative roles, see [Azure AD built-in roles](../users-groups-roles/directory-assign-admin-roles.md). +To learn more about Azure AD administrative roles, see [Azure AD built-in roles](../roles/permissions-reference.md). ## Certificates You change that certificate duration in the Azure portal. Make sure to document - Owner On-Call for application troubleshooting support - Closely monitored email distribution list for certificate-related change notifications -Set up a process for how you'll handle a certificate change between Azure AD and your application. By having this process in place, you can help prevent or minimize an outage due to a certificate expiring or a forced certificate rollover. For more information, see [Manage certificates for federated single sign-on in Azure Active Directory](manage-certificates-for-federated-single-sign-on.md). +Set up a process for how you'll handle a certificate change between Azure AD and your application. By having this process in place, you can help prevent or minimize an outage due to a certificate expiring or a forced certificate rollover. For more information, see [Manage certificates for federated single sign-on in Azure Active Directory](./tutorial-manage-certificates-for-federated-single-sign-on.md). ## Communications From the sign-in perspective, applications with shared accounts aren't different - Reset the shared credentials. After the application is deployed in Azure AD, individuals don't need the password of the shared account. 
Azure AD stores the password and you should consider setting it to be long and complex. - Configure automatic rollover of the password if the application supports it. That way, not even the administrator who did the initial setup knows the password of the shared account. +<a id='choosing-a-single-sign-on-method'></a> +<a id='password-based-sso'></a> + ## Single sign-on options There are several ways you can configure an application for SSO. Choosing an SSO method depends on how the application is configured for authentication. This flowchart can help you decide which SSO method is best for your situation. The following SSO protocols are available to use: -- **OpenID Connect and OAuth** - Choose OpenID Connect and OAuth 2.0 if the application you're connecting to supports it. For more information, see [OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform](../develop/active-directory-v2-protocols.md). For steps to implement OpenID Connect SSO, see [Set up OIDC-based single sign-on for an application in Azure Active Directory](add-application-portal-setup-oidc-sso.md).+- **OpenID Connect and OAuth** - Choose OpenID Connect and OAuth 2.0 if the application you're connecting to supports it. For more information, see [OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform](../develop/v2-protocols.md). For steps to implement OpenID Connect SSO, see [Set up OIDC-based single sign-on for an application in Azure Active Directory](add-application-portal-setup-oidc-sso.md). - **SAML** - Choose SAML whenever possible for existing applications that don't use OpenID Connect or OAuth. For more information, see [single sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md). |
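Review bot: the added `<a id='password-based-sso'></a>` anchor is placed immediately before the "## Single sign-on options" heading rather than beside the password-based SSO entry in that section, so incoming links such as `./plan-sso-deployment.md#password-based-sso` (updated in plan-an-application-integration.md in this same set of changes) will land at the top of the options list instead of at the password-based SSO text; consider moving that anchor next to the password-based SSO bullet, keeping `choosing-a-single-sign-on-method` where it is.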
active-directory | Protect Against Consent Phishing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/protect-against-consent-phishing.md | If the organization has been impacted by an application disabled by Microsoft, t Administrators should be in control of application use by providing the right insights and capabilities to control how applications are allowed and used within organizations. While attackers never rest, there are steps organizations can take to improve the security posture. Some best practices to follow include: - Educate your organization on how our permissions and consent framework works:- - Understand the data and the permissions an application is asking for and understand how [permissions and consent](../develop/v2-permissions-and-consent.md) works within the platform. + - Understand the data and the permissions an application is asking for and understand how [permissions and consent](../develop/permissions-consent-overview.md) works within the platform. - Make sure that administrators know how to [manage and evaluate consent requests](./manage-consent-requests.md). - Routinely [audit applications and consented permissions](../../security/fundamentals/steps-secure-identity.md#audit-apps-and-consented-permissions) in the organization to make sure that applications are accessing only the data they need and are adhering to the principles of least privilege. - Know how to spot and block common consent phishing tactics: Administrators should be in control of application use by providing the right in - [Managing access to applications](./what-is-access-management.md) - [Restrict user consent operations in Azure AD](../../security/fundamentals/steps-secure-identity.md#restrict-user-consent-operations) - [Compromised and malicious applications investigation](/security/compass/incident-response-playbook-compromised-malicious-app)- |
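The row above recommends routinely auditing applications and consented permissions. The following is an added example (not code from the Microsoft Docs article) of what that audit looks like when run over the Microsoft Graph records involved: `oauth2PermissionGrant` objects (`clientId`, `consentType`, `principalId`, `scope`) joined to the client `servicePrincipal` (`appOwnerOrganizationId`, `verifiedPublisher`). The home tenant id, the list of high-risk scopes, the scoring threshold and all sample records are this example's own assumptions, constructed so it runs offline.

```python
"""Audit delegated (OAuth2) permission grants for consent-phishing indicators.

Added example, not part of the Microsoft Docs article. Record shapes follow
Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources; the
sample data, the risk scope list and the threshold are constructed for the demo.
"""
from collections import defaultdict

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # assumed tenant id

# Scopes an attacker typically wants: mailbox, files, contacts, directory.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Contacts.Read", "Directory.AccessAsUser.All",
}
PERSISTENCE_SCOPE = "offline_access"  # refresh token: access survives a password reset

# Constructed sample: client service principals keyed by object id.
SERVICE_PRINCIPALS = {
    "sp-invoice": {"displayName": "Invoice Viewer", "appId": "aaaa-1",
                   "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
                   "verifiedPublisher": {"displayName": None}},
    "sp-hr": {"displayName": "HR Portal", "appId": "aaaa-2",
              "appOwnerOrganizationId": HOME_TENANT,
              "verifiedPublisher": {"displayName": "Contoso Ltd"}},
}

# Constructed sample oauth2PermissionGrant records.
GRANTS = [
    {"id": "g1", "clientId": "sp-invoice", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "graph",
     "scope": "User.Read Mail.Read offline_access"},
    {"id": "g2", "clientId": "sp-invoice", "consentType": "Principal",
     "principalId": "user-2", "resourceId": "graph",
     "scope": "User.Read Mail.Read offline_access"},
    {"id": "g3", "clientId": "sp-hr", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph", "scope": "User.Read"},
]


def score_grant(grant, sp, home_tenant=HOME_TENANT):
    """Return (score, reasons) for one grant; 0 means nothing suspicious."""
    reasons = []
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in scopes and risky:
        reasons.append("offline_access keeps the grant alive after a password reset")
    if grant["consentType"] == "Principal":
        reasons.append("user consent, not admin consent")
    if sp.get("appOwnerOrganizationId") != home_tenant:
        reasons.append("app is owned by an external tenant")
    if not (sp.get("verifiedPublisher") or {}).get("displayName"):
        reasons.append("publisher is not verified")
    # Benign apps trip one or two of these; phishing apps trip most of them.
    return len(reasons), reasons


def audit(grants, sps, threshold=3):
    """Group grants by client app and report apps scoring at or above threshold."""
    per_app = defaultdict(list)
    for g in grants:
        per_app[g["clientId"]].append(g)
    findings = []
    for client_id, app_grants in per_app.items():
        sp = sps.get(client_id, {})
        worst = max((score_grant(g, sp) for g in app_grants), key=lambda s: s[0])
        if worst[0] >= threshold:
            findings.append({
                "app": sp.get("displayName", client_id),
                "clientId": client_id,
                "users_consented": sum(1 for g in app_grants if g["consentType"] == "Principal"),
                "tenant_wide": any(g["consentType"] == "AllPrincipals" for g in app_grants),
                "reasons": worst[1],
            })
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for f in audit(GRANTS, SERVICE_PRINCIPALS):
        print(f["app"], f["clientId"], f"{f['users_consented']} user(s)", *f["reasons"], sep="\n  ")
```

In a real run the two inputs come from `GET /oauth2PermissionGrants` and `GET /servicePrincipals`; the scoring deliberately weighs user consent, external ownership and an unverified publisher together, because any one of them alone is common for legitimate apps. Apps that come out at the top are the ones to revoke and investigate with the compromised-application playbook linked in the row above.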
active-directory | Secure Hybrid Access Integrations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access-integrations.md | There are several ways to enable SSO for IT administrators to your solution. See Microsoft Graph uses OIDC/OAuth. Customers use OIDC to sign in to your solution. Use the JSON Web Token (JWT) Azure AD issues to interact with Microsoft Graph. See, [OpenID Connect on the Microsoft identity platform](../develop/v2-protocols-oidc.md). -If your solution uses SAML for IT administrator SSO, the SAML token won't enable your solution to interact with Microsoft Graph. You can use SAML for IT administrator SSO, but your solution needs to support OIDC integration with Azure AD, so it can get a JWT from Azure AD to interact with Microsoft Graph. See, [How the Microsoft identity platform uses the SAML protocol](../develop/active-directory-saml-protocol-reference.md). +If your solution uses SAML for IT administrator SSO, the SAML token won't enable your solution to interact with Microsoft Graph. You can use SAML for IT administrator SSO, but your solution needs to support OIDC integration with Azure AD, so it can get a JWT from Azure AD to interact with Microsoft Graph. See, [How the Microsoft identity platform uses the SAML protocol](../develop/saml-protocol-reference.md). You can use one of the following SAML approaches: The following VPN solution providers connect with Azure AD to enable modern auth The following software-defined perimeter (SDP) solutions providers connect with Azure AD for authentication and authorization methods like SSO and MFA. 
* **Datawiza Access Broker**- * [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-with-azure-ad.md) + * [Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-configure-sha.md) * **Perimeter 81** * [Tutorial: Azure AD SSO integration with Perimeter 81](../saas-apps/perimeter-81-tutorial.md) * **Silverfort Authentication Platform** |
active-directory | Secure Hybrid Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access.md | The following partners offer solutions to support [Conditional Access policies p |Akamai Technologies|[Tutorial: Azure AD SSO integration with Akamai](../saas-apps/akamai-tutorial.md)| |Citrix Systems, Inc.|[Tutorial: Azure AD SSO integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication)](../saas-apps/citrix-netscaler-tutorial.md)| |Cloudflare, Inc.|[Tutorial: Configure Cloudflare with Azure AD for secure hybrid access](cloudflare-integration.md)|-|Datawiza|[Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](datawiza-with-azure-ad.md)| +|Datawiza|[Tutorial: Configure Secure Hybrid Access with Azure AD and Datawiza](./datawiza-configure-sha.md)| |F5, Inc.|[Integrate F5 BIG-IP with Azure AD](f5-integration.md)</br>[Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO](f5-passwordless-vpn.md)| |Progress Software Corporation, Progress Kemp|[Tutorial: Azure AD SSO integration with Kemp LoadMaster Azure AD integration](../saas-apps/kemp-tutorial.md)| |Perimeter 81 Ltd.|[Tutorial: Azure AD SSO integration with Perimeter 81](../saas-apps/perimeter-81-tutorial.md)| The following partners offer solutions to support [Conditional Access policies p ## Next steps Select a partner in the tables mentioned to learn how to integrate their solution with Azure AD.- |
active-directory | Silverfort Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/silverfort-integration.md | Set up Silverfort Azure AD Adapter in your Azure AD tenant: 20. Return to the Azure AD console, and navigate to **Enterprise applications**. The new Silverfort application appears. You can include this application in Conditional Access policies. -Learn more: [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json%23create-a-conditional-access-policy). +Learn more: [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json#create-a-conditional-access-policy). ## Next steps |
active-directory | Troubleshoot Password Based Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/troubleshoot-password-based-sso.md | To use password-based single sign-on (SSO) in My Apps, the browser extension mus ## My Apps browser extension not installed -Make sure the browser extension is installed. To learn more, see [Plan an Azure Active Directory My Apps deployment](my-apps-deployment-plan.md). +Make sure the browser extension is installed. To learn more, see [Plan an Azure Active Directory My Apps deployment](./myapps-overview.md). ## Single sign-on not configured The following information explains what each notification item means and provide ## Next steps - [Quickstart Series on Application Management](view-applications-portal.md)-- [Plan a My Apps deployment](my-apps-deployment-plan.md)+- [Plan a My Apps deployment](./myapps-overview.md) |
active-directory | Troubleshoot Saml Based Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/troubleshoot-saml-based-sso.md | Azure AD doesn't provide a URL to get the metadata. The metadata can only be r ## Customize SAML claims sent to an application -To learn how to customize the SAML attribute claims sent to your application, see [Claims mapping in Azure Active Directory](../develop/active-directory-claims-mapping.md) for more information. +To learn how to customize the SAML attribute claims sent to your application, see [Claims mapping in Azure Active Directory](../develop/saml-claims-customization.md) for more information. ## Next steps |
active-directory | Tutorial Manage Access Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tutorial-manage-access-security.md | Using the information in this tutorial, an administrator learns how to: [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -For the application that the administrator added to their tenant, they want to set it up so that all users in the organization can use it and not have to individually request consent to use it. To avoid the need for user consent, they can grant consent for the application on behalf of all users in the organization. For more information, see [Consent and permissions overview](consent-and-permissions-overview.md). +For the application that the administrator added to their tenant, they want to set it up so that all users in the organization can use it and not have to individually request consent to use it. To avoid the need for user consent, they can grant consent for the application on behalf of all users in the organization. For more information, see [Consent and permissions overview](./user-admin-consent-overview.md). 1. Sign in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites. 2. Search for and select **Azure Active Directory**. |
active-directory | V2 Howto App Gallery Listing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/v2-howto-app-gallery-listing.md | To publish your application in the gallery, you must first read and agree to spe - For password SSO, make sure that your application supports form authentication so that password vaulting can be used. - For federated applications (OpenID and SAML/WS-Fed), the application must support the [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/). Enterprise gallery applications must support multiple user configurations and not any specific user. - For federated applications (OpenID and SAML/WS-Fed), the application can be single **or** multitenanted- - For Open ID Connect, if the application is multitenanted the [Azure AD consent framework](../develop/consent-framework.md) must be correctly implemented. + - For Open ID Connect, if the application is multitenanted the [Azure AD consent framework](../develop/application-consent-experience.md) must be correctly implemented. - Provisioning is optional yet highly recommended. To learn more about Azure AD SCIM, see [build a SCIM endpoint and configure user provisioning with Azure AD](../app-provisioning/use-scim-to-provision-users-and-groups.md). You can sign up for a free, test Development account. It's free for 90 days and you get all of the premium Azure AD features with it. You can also extend the account if you use it for development work: [Join the Microsoft 365 Developer Program](/office/developer-program/microsoft-365-developer-program). |
active-directory | Ways Users Get Assigned To Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/ways-users-get-assigned-to-applications.md | There are several ways a user can be assigned an application. Assignment can be * A static security group created in the cloud * A [dynamic security group](../enterprise-users/groups-dynamic-membership.md) created in the cloud * A Microsoft 365 group created in the cloud- * The [All Users](../fundamentals/active-directory-groups-create-azure-portal.md) group + * The [All Users](../fundamentals/how-to-manage-groups.md) group * An administrator enables [Self-service Application Access](./manage-self-service-access.md) to allow a user to add an application using [My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) **Add App** feature **without business approval** * An administrator enables [Self-service Application Access](./manage-self-service-access.md) to allow a user to add an application using [My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) **Add App** feature, but only **with prior approval from a selected set of business approvers** * An administrator enables [Self-service Group Management](../enterprise-users/groups-self-service-management.md) to allow a user to join a group that an application is assigned to **without business approval** There are several ways a user can be assigned an application. 
Assignment can be * One of the application's roles is included in an [entitlement management access package](../governance/entitlement-management-access-package-resources.md), and a user requests or is assigned to that access package * An administrator assigns a license to a user directly, for a Microsoft service such as [Microsoft 365](https://products.office.com/) * An administrator assigns a license to a group that the user is a member of, for a Microsoft service such as [Microsoft 365](https://products.office.com/)-* A user [consents to an application](consent-and-permissions-overview.md#user-consent) on behalf of themselves. +* A user [consents to an application](./user-admin-consent-overview.md#user-consent) on behalf of themselves. ## Next steps |
active-directory | What Is Access Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/what-is-access-management.md | Azure AD's application assignment focuses on two primary assignment modes: * **Individual assignment** An IT admin with directory Global Administrator permissions can select individual user accounts and grant them access to the application. -* **Group-based assignment (requires Azure AD Premium P1 or P2)** An IT admin with directory Global Administrator permissions can assign a group to the application. Specific users' access is determined by whether they are members of the group at the time they try to access the application. In other words, an administrator can effectively create an assignment rule stating "any current member of the assigned group has access to the application". Using this assignment option, administrators can benefit from any of Azure AD group management options, including [attribute-based dynamic groups](../fundamentals/active-directory-groups-create-azure-portal.md), external system groups (for example, on-premises Active Directory or Workday), or Administrator-managed or self-service-managed groups. A single group can be easily assigned to multiple apps, making sure that applications with assignment affinity can share assignment rules, reducing the overall management complexity. +* **Group-based assignment (requires Azure AD Premium P1 or P2)** An IT admin with directory Global Administrator permissions can assign a group to the application. Specific users' access is determined by whether they are members of the group at the time they try to access the application. In other words, an administrator can effectively create an assignment rule stating "any current member of the assigned group has access to the application". 
Using this assignment option, administrators can benefit from any of Azure AD group management options, including [attribute-based dynamic groups](../fundamentals/how-to-manage-groups.md), external system groups (for example, on-premises Active Directory or Workday), or Administrator-managed or self-service-managed groups. A single group can be easily assigned to multiple apps, making sure that applications with assignment affinity can share assignment rules, reducing the overall management complexity. >[!NOTE]- >[Nested group](../fundamentals/active-directory-groups-membership-azure-portal.md) memberships aren't supported for group-based assignment to applications at this time. + >[Nested group](../fundamentals/how-to-manage-groups.md) memberships aren't supported for group-based assignment to applications at this time. Using these two assignment modes, administrators can achieve any desirable assignment management approach. Consider an application like Salesforce. In many organizations, Salesforce is pr With Azure AD, applications like Salesforce can be pre-configured for single sign-on (SSO) and automated provisioning. Once the application is configured, an Administrator can take the one-time action to create and assign the appropriate groups. In this example, an administrator could execute the following assignments: -* [Dynamic groups](../fundamentals/active-directory-groups-create-azure-portal.md) can be defined to automatically represent all members of the marketing and sales teams using attributes like department or role: +* [Dynamic groups](../fundamentals/how-to-manage-groups.md) can be defined to automatically represent all members of the marketing and sales teams using attributes like department or role: * All members of marketing groups would be assigned to the "marketing" role in Salesforce * All members of sales team groups would be assigned to the "sales" role in Salesforce. 
A further refinement could use multiple groups that represent regional sales teams assigned to different Salesforce roles. |
active-directory | What Is Application Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/what-is-application-management.md | As an administrator, you can [grant tenant-wide admin consent](grant-admin-conse ### Single sign-on -Consider implementing SSO in your application. You can manually configure most applications for SSO. The most popular options in Azure AD are [SAML-based SSO and OpenID Connect-based SSO](../develop/active-directory-v2-protocols.md). Before you start, make sure that you understand the requirements for SSO and how to [plan for deployment](plan-sso-deployment.md). For more information on how to configure SAML-based SSO for an enterprise application in your Azure AD tenant, see [Enable single sign-on for an application by using Azure Active Directory](add-application-portal-setup-sso.md). +Consider implementing SSO in your application. You can manually configure most applications for SSO. The most popular options in Azure AD are [SAML-based SSO and OpenID Connect-based SSO](../develop/v2-protocols.md). Before you start, make sure that you understand the requirements for SSO and how to [plan for deployment](plan-sso-deployment.md). For more information on how to configure SAML-based SSO for an enterprise application in your Azure AD tenant, see [Enable single sign-on for an application by using Azure Active Directory](add-application-portal-setup-sso.md). ### User, group, and owner assignment Do you have an identity provider that you want Azure AD to interact with? [Home ### User portals -Azure AD provides customizable ways to deploy applications to users in your organization. For example, the [My Apps portal or the Microsoft 365 application launcher](end-user-experiences.md). My Apps gives users a single place to start their work and find all the applications to which they have access. 
As an administrator of an application, you should [plan how the users in your organization will use My Apps](my-apps-deployment-plan.md). +Azure AD provides customizable ways to deploy applications to users in your organization. For example, the [My Apps portal or the Microsoft 365 application launcher](end-user-experiences.md). My Apps gives users a single place to start their work and find all the applications to which they have access. As an administrator of an application, you should [plan how the users in your organization will use My Apps](./myapps-overview.md). ## Configure properties Organizations can enable MFA with [Conditional Access](../conditional-access/ove Different types of security tokens are used in an authentication flow in Azure AD depending on the protocol used. For example, [SAML tokens](../develop/reference-saml-tokens.md) are used for the SAML protocol, and [ID tokens](../develop/id-tokens.md) and [access tokens](../develop/access-tokens.md) are used for the OpenID Connect protocol. Tokens are signed with the unique certificate that's generated in Azure AD and by specific standard algorithms. -You can provide more security by [encrypting the token](howto-saml-token-encryption.md). You can also manage the information in a token including the [roles that are allowed](../develop/howto-add-app-roles-in-azure-ad-apps.md) for the application. +You can provide more security by [encrypting the token](howto-saml-token-encryption.md). You can also manage the information in a token including the [roles that are allowed](../develop/howto-add-app-roles-in-apps.md) for the application. -Azure AD uses the [SHA-256 algorithm](certificate-signing-options.md) by default to sign the SAML response. Use SHA-256 unless the application requires SHA-1. Establish a process for [managing the lifetime of the certificate](manage-certificates-for-federated-single-sign-on.md). The maximum lifetime of a signing certificate is three years. 
To prevent or minimize outage due to a certificate expiring, use roles and email distribution lists to ensure that certificate-related change notifications are closely monitored. +Azure AD uses the [SHA-256 algorithm](certificate-signing-options.md) by default to sign the SAML response. Use SHA-256 unless the application requires SHA-1. Establish a process for [managing the lifetime of the certificate](./tutorial-manage-certificates-for-federated-single-sign-on.md). The maximum lifetime of a signing certificate is three years. To prevent or minimize outage due to a certificate expiring, use roles and email distribution lists to ensure that certificate-related change notifications are closely monitored. ## Govern and monitor |
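Review bot: only the certificate-management link changes in this hunk, but the surrounding sentence "Use SHA-256 unless the application requires SHA-1" still presents SHA-1 as a plain alternative. SHA-1 signatures are deprecated, so the text should say that the option is a downgrade kept for legacy service providers that cannot validate SHA-256, for example "Use SHA-256; fall back to SHA-1 only for a legacy application that cannot validate SHA-256 signatures, and track that exception".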
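Both the Plan Sso Deployment row (set up a process for certificate changes so an expiring certificate does not cause an outage) and the paragraph above (manage the certificate lifetime, maximum three years, monitor change notifications) describe a check rather than show one. The following is an added example, not code from the Microsoft Docs article, of that check run over enterprise-app `servicePrincipal` records as Microsoft Graph returns them: `keyCredentials` entries with `usage`, `type`, `startDateTime`, `endDateTime` and `customKeyIdentifier`, plus `preferredTokenSigningKeyThumbprint`. It assumes `customKeyIdentifier` is the base64-encoded thumbprint bytes (which is how Graph encodes it for certificates); the fixed clock, warning window and sample records are constructed for the demo.

```python
"""Flag SAML signing certificates on enterprise apps that expire soon and have
no successor staged, so rollover is planned instead of forced.

Added example, not part of the Microsoft Docs article. Record shapes follow
Microsoft Graph's servicePrincipal resource; customKeyIdentifier is assumed to
be base64(thumbprint bytes). Sample data and the fixed clock are constructed.
"""
import base64
from datetime import datetime, timezone

WARN_DAYS = 30
MAX_LIFETIME_DAYS = 3 * 365          # Azure AD caps SAML signing certs at three years
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)   # fixed clock for the demo


def _thumb(cki_b64):
    """customKeyIdentifier (base64 bytes) -> upper-case hex thumbprint."""
    return base64.b64decode(cki_b64).hex().upper()


def _cki(hexthumb):
    """Inverse of _thumb, used only to build the constructed sample."""
    return base64.b64encode(bytes.fromhex(hexthumb)).decode()


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


THUMB_A, THUMB_B, THUMB_C = "A1" * 20, "B2" * 20, "C3" * 20

SERVICE_PRINCIPALS = [
    {   # active cert expires in 20 days, but a successor is already staged
        "id": "sp-payroll", "displayName": "Payroll SaaS",
        "preferredTokenSigningKeyThumbprint": THUMB_A,
        "keyCredentials": [
            {"customKeyIdentifier": _cki(THUMB_A), "usage": "Sign", "type": "AsymmetricX509Cert",
             "startDateTime": "2020-06-21T00:00:00Z", "endDateTime": "2023-06-21T00:00:00Z"},
            {"customKeyIdentifier": _cki(THUMB_A), "usage": "Verify", "type": "AsymmetricX509Cert",
             "startDateTime": "2020-06-21T00:00:00Z", "endDateTime": "2023-06-21T00:00:00Z"},
            {"customKeyIdentifier": _cki(THUMB_B), "usage": "Sign", "type": "AsymmetricX509Cert",
             "startDateTime": "2023-05-01T00:00:00Z", "endDateTime": "2026-05-01T00:00:00Z"},
        ],
    },
    {   # active cert expires in 10 days and nothing is staged: the outage risk
        "id": "sp-crm", "displayName": "CRM",
        "preferredTokenSigningKeyThumbprint": THUMB_C,
        "keyCredentials": [
            {"customKeyIdentifier": _cki(THUMB_C), "usage": "Sign", "type": "AsymmetricX509Cert",
             "startDateTime": "2020-06-11T00:00:00Z", "endDateTime": "2023-06-11T00:00:00Z"},
        ],
    },
]


def signing_cert_status(sp, now=NOW, warn_days=WARN_DAYS):
    """Describe the active signing cert and whether a rollover target exists."""
    signing = [k for k in sp["keyCredentials"]
               if k["usage"] == "Sign" and k["type"] == "AsymmetricX509Cert"]
    active_thumb = sp.get("preferredTokenSigningKeyThumbprint")
    active = next((k for k in signing if _thumb(k["customKeyIdentifier"]) == active_thumb), None)
    if active is None:
        # No preferred key pinned: fall back to the longest-lived signing cert.
        active = max(signing, key=lambda k: _iso(k["endDateTime"]))
        active_thumb = _thumb(active["customKeyIdentifier"])
    end = _iso(active["endDateTime"])
    days_left = (end - now).days
    successor = [k for k in signing
                 if _thumb(k["customKeyIdentifier"]) != active_thumb
                 and _iso(k["endDateTime"]) > end]
    lifetime = (end - _iso(active["startDateTime"])).days
    return {
        "app": sp["displayName"],
        "active_thumbprint": active_thumb,
        "days_left": days_left,
        "expiring": days_left <= warn_days,
        "successor_staged": bool(successor),
        "needs_action": days_left <= warn_days and not successor,
        "lifetime_ok": lifetime <= MAX_LIFETIME_DAYS,
    }


def apps_needing_rollover(sps, now=NOW, warn_days=WARN_DAYS):
    """Apps whose active signing cert expires soon with no successor to roll to."""
    return [s for s in (signing_cert_status(sp, now, warn_days) for sp in sps)
            if s["needs_action"]]
```

Run on a schedule, `apps_needing_rollover` is the list that should go to the certificate rollover owner and the monitored distribution list named in the deployment plan; an app whose active certificate is expiring but already has a successor only needs the application side updated and `preferredTokenSigningKeyThumbprint` switched.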
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/whats-new-docs.md | The following PowerShell sample was added: - [Tutorial: Migrate Okta sync provisioning to Azure AD Connect synchronization](migrate-okta-sync-provisioning.md) - [Application management videos](app-management-videos.md)-- [Understand the stages of migrating application authentication from AD FS to Azure AD](migrate-adfs-apps-to-azure.md)-- [Plan application migration to Azure Active Directory](migrate-application-authentication-to-azure-active-directory.md)-- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning-to-azure-active-directory.md)+- [Understand the stages of migrating application authentication from AD FS to Azure AD](./migrate-adfs-apps-stages.md) +- [Plan application migration to Azure Active Directory](./migrate-adfs-apps-phases-overview.md) +- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](./migrate-okta-sync-provisioning.md) - [Tutorial: Configure F5 BIG-IP Easy Button for SSO to Oracle JDE](f5-big-ip-oracle-jde-easy-button.md) - [Tutorial: Configure F5 BIG-IP Easy Button for SSO to Oracle PeopleSoft](f5-big-ip-oracle-peoplesoft-easy-button.md)-- [Tutorial: Configure Cloudflare with Azure Active Directory for secure hybrid access](cloudflare-azure-ad-integration.md)+- [Tutorial: Configure Cloudflare with Azure Active Directory for secure hybrid access](./cloudflare-integration.md) - [Tutorial: Configure F5 BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md) - [Tutorial: Migrate Okta federation to Azure Active Directory-managed authentication](migrate-okta-federation.md) |
active-directory | How Manage User Assigned Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md | For a full list of Azure CLI identity commands, see [az identity](/cli/azure/ide For information on how to assign a user-assigned managed identity to an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using Azure CLI](qs-configure-cli-windows-vm.md#user-assigned-managed-identity). -Learn how to use [workload identity federation for managed identities](../develop/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. +Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. ::: zone-end Remove-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER AS For a full list and more details of the Azure PowerShell managed identities for Azure resources commands, see [Az.ManagedServiceIdentity](/powershell/module/az.managedserviceidentity#managed_service_identity). -Learn how to use [workload identity federation for managed identities](../develop/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. +Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. ::: zone-end To create a user-assigned managed identity, use the following template. 
Replace To assign a user-assigned managed identity to an Azure VM using a Resource Manager template, see [Configure managed identities for Azure resources on an Azure VM using a template](qs-configure-template-windows-vm.md). -Learn how to use [workload identity federation for managed identities](../develop/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. +Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. ::: zone-end For information on how to assign a user-assigned managed identity to an Azure VM - [Configure managed identities for Azure resources on an Azure VM using REST API calls](qs-configure-rest-vm.md#user-assigned-managed-identity) - [Configure managed identities for Azure resources on a virtual machine scale set using REST API calls](qs-configure-rest-vmss.md#user-assigned-managed-identity) -Learn how to use [workload identity federation for managed identities](../develop/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. +Learn how to use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets. ::: zone-end |
active-directory | How To Assign App Role Managed Identity Cli | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-cli.md | In this article, you learn how to assign a managed identity to an application ro echo "object id for server service principal is: $serverSPOID" ``` -1. Add an [app role](../develop/howto-add-app-roles-in-azure-ad-apps.md) to the application you created in step 3. You can create the role using the Azure portal or using Microsoft Graph. For example, you could add an app role like this: +1. Add an [app role](../develop/howto-add-app-roles-in-apps.md) to the application you created in step 3. You can create the role using the Azure portal or using Microsoft Graph. For example, you could add an app role like this: ```json { |
active-directory | How To Assign App Role Managed Identity Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md | In this article, you learn how to assign a managed identity to an application ro > [!NOTE] > Display names for applications are not unique, so you should verify that you obtain the correct application's service principal. -1. Add an [app role](../develop/howto-add-app-roles-in-azure-ad-apps.md) to the application you created in step 3. You can create the role using the Azure portal or by using Microsoft Graph. For example, you could add an app role by running the following query on Graph explorer: +1. Add an [app role](../develop/howto-add-app-roles-in-apps.md) to the application you created in step 3. You can create the role using the Azure portal or by using Microsoft Graph. For example, you could add an app role by running the following query on Graph explorer: ```http PATCH /applications/{id}/ |
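The two rows above (the Azure CLI and PowerShell versions of the same procedure) add an app role to the server application and then assign a managed identity to it, but each excerpt stops at the start of the JSON. The following is an added example, not code from the Microsoft Docs article, that builds the two Microsoft Graph payloads involved and enforces the checks that usually go wrong: the appRole must allow `Application` members (a managed identity is a service principal, not a user), a PATCH on `appRoles` replaces the whole collection so existing roles must be resent and an enabled role cannot simply be dropped, and the assignment's `resourceId` is the server service principal's object id, not its appId. All ids in the test data are constructed placeholders.

```python
"""Build and validate the Graph payloads for giving a managed identity an app role.

Added example, not part of the Microsoft Docs article. Payload shapes follow
Microsoft Graph's appRole and appRoleAssignment resources; ids are placeholders.
"""
import uuid


def add_app_role(existing_roles, display_name, value, description, role_id=None):
    """Return the full appRoles list to PATCH to /applications/{id}.

    Graph replaces the entire appRoles collection on PATCH, so every existing
    role is resent; an enabled role can never be removed in the same call
    (set isEnabled false first).
    """
    for r in existing_roles:
        if r["value"] == value:
            raise ValueError(f"role value {value!r} already exists with id {r['id']}")
    role = {
        "id": role_id or str(uuid.uuid4()),
        "allowedMemberTypes": ["Application"],   # required for a managed identity
        "displayName": display_name,
        "description": description,
        "value": value,                          # surfaces in the token's 'roles' claim
        "isEnabled": True,
    }
    return list(existing_roles) + [role]


def build_role_assignment(principal_object_id, server_sp_object_id, app_role_id):
    """Body to POST to /servicePrincipals/{principal_object_id}/appRoleAssignments."""
    for val in (principal_object_id, server_sp_object_id, app_role_id):
        uuid.UUID(val)   # rejects display names or appIds passed by mistake
    return {
        "principalId": principal_object_id,   # the managed identity's service principal
        "resourceId": server_sp_object_id,    # the server app's service principal, not appId
        "appRoleId": app_role_id,
    }


def assignment_for(identity_sp, server_sp, role_value):
    """Resolve a role by its value on the server SP and build the assignment."""
    role = next((r for r in server_sp["appRoles"] if r["value"] == role_value), None)
    if role is None:
        raise LookupError(f"no app role with value {role_value!r} on {server_sp['id']}")
    if not role["isEnabled"]:
        raise ValueError(f"role {role_value!r} is disabled")
    if "Application" not in role["allowedMemberTypes"]:
        raise ValueError(f"role {role_value!r} is user-only; a managed identity cannot hold it")
    return build_role_assignment(identity_sp["id"], server_sp["id"], role["id"])


if __name__ == "__main__":
    roles = add_app_role([], "Server: Read", "Server.Read", "Read data from the server")
    server_sp = {"id": str(uuid.uuid4()), "appRoles": roles}
    identity_sp = {"id": str(uuid.uuid4())}
    print(assignment_for(identity_sp, server_sp, "Server.Read"))
```

After the PATCH, the new role appears on the server application's service principal (`GET /servicePrincipals/{id}?$select=appRoles`), which is what `assignment_for` reads; the managed identity's next token for that audience carries the role value in its `roles` claim.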
active-directory | How To Managed Identity Regional Move | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-managed-identity-regional-move.md | Moving User-assigned managed identities across Azure regions isn't supported. Y 1. Copy user-assigned managed identity assigned permissions. You can list [Azure role assignments](../../role-based-access-control/role-assignments-list-powershell.md) but that may not be enough depending on how permissions were granted to the user-assigned managed identity. You should confirm that your solution doesn't depend on permissions granted using a service specific option. 1. Create a [new user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-powershell#create-a-user-assigned-managed-identity-2) at the target region.-1. Grant the managed identity the same permissions as the original identity that it's replacing, including Group membership. You can review [Assign Azure roles to a managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.md), and [Group membership](../../active-directory/fundamentals/active-directory-groups-view-azure-portal.md). +1. Grant the managed identity the same permissions as the original identity that it's replacing, including Group membership. You can review [Assign Azure roles to a managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.md), and [Group membership](../fundamentals/groups-view-azure-portal.md). 1. Specify the new identity in the properties of the resource instance that uses the newly created user assigned managed identity. ## Verify |
active-directory | How To Use Vm Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md | The following script demonstrates how to: ## Resource IDs for Azure services -See [Azure services that support Azure AD authentication](services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) for a list of resources that support Azure AD and have been tested with managed identities for Azure resources, and their respective resource IDs. +See [Azure services that support Azure AD authentication](./managed-identities-status.md) for a list of resources that support Azure AD and have been tested with managed identities for Azure resources, and their respective resource IDs. ## Error handling guidance |
active-directory | How To Use Vm Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md | This section documents the possible error responses. A "200 OK" status is a succ | | access_denied | The resource owner or authorization server denied the request. | | | | unsupported_response_type | The authorization server doesn't support obtaining an access token using this method. | | | | invalid_scope | The requested scope is invalid, unknown, or malformed. | |-| 500 Internal server error | unknown | Failed to retrieve token from the Active directory. For details see logs in *\<file path\>* | Verify that the VM has managed identities for Azure resources enabled. See [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration.<br><br>Also verify that your HTTP GET request URI is formatted correctly, particularly the resource URI specified in the query string. See the "Sample request" in the preceding REST section for an example, or [Azure services that support Azure AD authentication](./services-support-managed-identities.md) for a list of services and their respective resource IDs. +| 500 Internal server error | unknown | Failed to retrieve token from the Active directory. For details see logs in *\<file path\>* | Verify that the VM has managed identities for Azure resources enabled. See [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration.<br><br>Also verify that your HTTP GET request URI is formatted correctly, particularly the resource URI specified in the query string. See the "Sample request" in the preceding REST section for an example, or [Azure services that support Azure AD authentication](./managed-identities-status.md) for a list of services and their respective resource IDs. > [!IMPORTANT] > - IMDS is not intended to be used behind a proxy and doing so is unsupported. For examples of how to bypass proxies, refer to the [Azure Instance Metadata Samples](https://github.com/microsoft/azureimds). |
active-directory | Known Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/known-issues.md | In these rare cases the best next steps are ## Next steps -You can review our article listing the [services that support managed identities](services-support-managed-identities.md) and our [frequently asked questions](managed-identities-faq.md) +You can review our article listing the [services that support managed identities](./managed-identities-status.md) and our [frequently asked questions](managed-identities-faq.md) |
active-directory | Managed Identities Status | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identities-status.md | -Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. Using a managed identity, you can authenticate to any [service that supports Azure AD authentication](services-azure-active-directory-support.md) without managing credentials. We are integrating managed identities for Azure resources and Azure AD authentication across Azure. This page provides links to services' content that can use managed identities to access other Azure resources. Each entry in the table includes a link to service documentation discussing managed identities. +Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. Using a managed identity, you can authenticate to any [service that supports Azure AD authentication](./services-id-authentication-support.md) without managing credentials. We are integrating managed identities for Azure resources and Azure AD authentication across Azure. This page provides links to services' content that can use managed identities to access other Azure resources. Each entry in the table includes a link to service documentation discussing managed identities. >[!IMPORTANT] > New technical content is added daily. This list does not include every article that talks about managed identities. Please refer to each service's content set for details on their managed identities support. Resource provider namespace information is available in the article titled [Resource providers for Azure services](../../azure-resource-manager/management/azure-services-resource-providers.md). |
active-directory | Managed Identity Best Practice Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md | -User-assigned identities can be used by multiple resources, and their life cycles are decoupled from the resourcesΓÇÖ life cycles with which theyΓÇÖre associated. [Read which resources support managed identities](./services-support-managed-identities.md). +User-assigned identities can be used by multiple resources, and their life cycles are decoupled from the resourcesΓÇÖ life cycles with which theyΓÇÖre associated. [Read which resources support managed identities](./managed-identities-status.md). This life cycle allows you to separate your resource creation and identity administration responsibilities. User-assigned identities and their role assignments can be configured in advance of the resources that require them. Users who create the resources only require the access to assign a user-assigned identity, without the need to create new identities or role assignments. Get-AzRoleAssignment | Where-Object {$_.ObjectType -eq "Unknown"} | Remove-AzRol ## Limitation of using managed identities for authorization -Using Azure AD **groups** for granting access to services is a great way to simplify the authorization process. The idea is simple ΓÇô grant permissions to a group and add identities to the group so that they inherit the same permissions. This is a well-established pattern from various on-premises systems and works well when the identities represent users. Another option to control authorization in Azure AD is by using [App Roles](../develop/howto-add-app-roles-in-azure-ad-apps.md), which allows you to declare **roles** that are specific to an app (rather than groups, which are a global concept in the directory). You can then [assign app roles to managed identities](how-to-assign-app-role-managed-identity-powershell.md) (as well as users or groups). +Using Azure AD **groups** for granting access to services is a great way to simplify the authorization process. The idea is simple ΓÇô grant permissions to a group and add identities to the group so that they inherit the same permissions. This is a well-established pattern from various on-premises systems and works well when the identities represent users. Another option to control authorization in Azure AD is by using [App Roles](../develop/howto-add-app-roles-in-apps.md), which allows you to declare **roles** that are specific to an app (rather than groups, which are a global concept in the directory). You can then [assign app roles to managed identities](how-to-assign-app-role-managed-identity-powershell.md) (as well as users or groups). In both cases, for non-human identities such as Azure AD Applications and Managed identities, the exact mechanism of how this authorization information is presented to the application is not ideally suited today. Today's implementation with Azure AD and Azure Role Based Access Control (Azure RBAC) uses access tokens issued by Azure AD for authentication of each identity. If the identity is added to a group or role, this is expressed as claims in the access token issued by Azure AD. Azure RBAC uses these claims to further evaluate the authorization rules for allowing or denying access. |
active-directory | Overview For Developers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/overview-for-developers.md | Tokens should be treated like credentials. Don't expose them to users or other s * [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md) * [How to use managed identities with Azure Container Instances](../../container-instances/container-instances-managed-identity.md) * [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing)-* Use [workload identity federation for managed identities](../develop/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets +* Use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets |
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/overview.md | You can use managed identities by following the steps below: ## What Azure services support the feature?<a name="which-azure-services-support-managed-identity"></a> -Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of supported Azure services, see [services that support managed identities for Azure resources](./services-support-managed-identities.md). +Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of supported Azure services, see [services that support managed identities for Azure resources](./managed-identities-status.md). ## Which operations can I perform using managed identities? Operations on managed identities can be performed by using an Azure Resource Man * [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md) * [How to use managed identities with Azure Container Instances](../../container-instances/container-instances-managed-identity.md) * [Implementing managed identities for Microsoft Azure Resources](https://www.pluralsight.com/courses/microsoft-azure-resources-managed-identities-implementing)-* Use [workload identity federation for managed identities](../develop/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets +* Use [workload identity federation for managed identities](../workload-identities/workload-identity-federation.md) to access Azure Active Directory (Azure AD) protected resources without managing secrets |
active-directory | Tutorial Linux Vm Access Storage Sas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md | -This tutorial shows you how to use a system-assigned managed identity for a Linux virtual machine (VM) to obtain a storage Shared Access Signature (SAS) credential. Specifically, a [Service SAS credential](../../storage/common/storage-sas-overview.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#types-of-shared-access-signatures). +This tutorial shows you how to use a system-assigned managed identity for a Linux virtual machine (VM) to obtain a storage Shared Access Signature (SAS) credential. Specifically, a [Service SAS credential](../../storage/common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json#types-of-shared-access-signatures). > [!NOTE] > The SAS key generated in this tutorial will not be restricted/bound to the VM. |
active-directory | Tutorial Windows Vm Access Storage Sas | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-storage-sas.md | -This tutorial shows you how to use a system-assigned identity for a Windows virtual machine (VM) to obtain a storage Shared Access Signature (SAS) credential. Specifically, a [Service SAS credential](../../storage/common/storage-sas-overview.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#types-of-shared-access-signatures). +This tutorial shows you how to use a system-assigned identity for a Windows virtual machine (VM) to obtain a storage Shared Access Signature (SAS) credential. Specifically, a [Service SAS credential](../../storage/common/storage-sas-overview.md?toc=/azure/storage/blobs/toc.json#types-of-shared-access-signatures). A Service SAS provides the ability to grant limited access to objects in a storage account, for limited time and a specific service (in our case, the blob service), without exposing an account access key. You can use a SAS credential as usual when doing storage operations, for example when using the Storage SDK. For this tutorial, we demonstrate uploading and downloading a blob using Azure Storage PowerShell. You will learn how to: |
active-directory | Cross Tenant Synchronization Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md | Restoring a previously soft-deleted user in the target tenant isn't supported. **Solution** -Manually restore the soft-deleted user in the target tenant. For more information, see [Restore or remove a recently deleted user using Azure Active Directory](../fundamentals/active-directory-users-restore.md). +Manually restore the soft-deleted user in the target tenant. For more information, see [Restore or remove a recently deleted user using Azure Active Directory](../fundamentals/users-restore.md). #### Symptom - Users are skipped because SMS sign-in is enabled on the user Users are skipped from synchronization. The scoping step includes the following filter with status false: "Filter external users.alternativeSecurityIds EQUALS 'None'" |
active-directory | Cross Tenant Synchronization Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.md | What federation options are supported for users in the target tenant back to the Does cross-tenant synchronization use System for Cross-Domain Identity Management (SCIM)? -- No. Currently, Azure AD supports a SCIM client, but not a SCIM server. For more information, see [SCIM synchronization with Azure Active Directory](../fundamentals/sync-scim.md).+- No. Currently, Azure AD supports a SCIM client, but not a SCIM server. For more information, see [SCIM synchronization with Azure Active Directory](../architecture/sync-scim.md). #### Deprovisioning Does cross-tenant synchronization support deprovisioning users? -- Yes, when the below actions occur in the source tenant, the user will be [soft deleted](../fundamentals/recover-from-deletions.md#soft-deletions) in the target tenant. +- Yes, when the below actions occur in the source tenant, the user will be [soft deleted](../architecture/recover-from-deletions.md#soft-deletions) in the target tenant. - Delete the user in the source tenant - Unassign the user from the cross-tenant synchronization configuration |
active-directory | Pim Complete Roles And Resource Roles Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-complete-roles-and-resource-roles-review.md | -Privileged role administrators can review privileged access once an [access review has been started](pim-create-azure-ad-roles-and-resource-roles-review.md). Privileged Identity Management (PIM) in Azure Active Directory (Azure AD) will automatically send an email that prompts users to review their access. If a user doesn't receive an email, you can send them the instructions for [how to perform an access review](pim-perform-azure-ad-roles-and-resource-roles-review.md). +Privileged role administrators can review privileged access once an [access review has been started](./pim-create-roles-and-resource-roles-review.md). Privileged Identity Management (PIM) in Azure Active Directory (Azure AD) will automatically send an email that prompts users to review their access. If a user doesn't receive an email, you can send them the instructions for [how to perform an access review](./pim-perform-roles-and-resource-roles-review.md). Once the review has been created, follow the steps in this article to complete the review and see the results. On the **Reviewers** page, you may view and add reviewers to your existing acces ## Next steps -- [Create an access review of Azure resource and Azure AD roles in PIM](pim-create-azure-ad-roles-and-resource-roles-review.md)-- [Perform an access review of Azure resource and Azure AD roles in PIM](pim-perform-azure-ad-roles-and-resource-roles-review.md)+- [Create an access review of Azure resource and Azure AD roles in PIM](./pim-create-roles-and-resource-roles-review.md) +- [Perform an access review of Azure resource and Azure AD roles in PIM](./pim-perform-roles-and-resource-roles-review.md) |
active-directory | Pim Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-configure.md | Organizations want to minimize the number of people who have access to secure in However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure and Azure AD resources and can oversee what those users are doing with their privileged access. ## License requirements -For information about licenses for users, see [License requirements to use Privileged Identity Management](subscription-requirements.md). - ## What does it do? Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management: For more information, check out the following articles: [Activate Azure AD roles Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they'll be able to manage that particular resource group. -For more information, check out the following articles: [Approve or deny requests for Azure AD roles](azure-ad-pim-approval-workflow.md), [Approve or deny requests for Azure resource roles](pim-resource-roles-approval-workflow.md), and [Approve activation requests for PIM for Groups](groups-approval-workflow.md) +For more information, check out the following articles: [Approve or deny requests for Azure AD roles](./pim-approval-workflow.md), [Approve or deny requests for Azure resource roles](pim-resource-roles-approval-workflow.md), and [Approve activation requests for PIM for Groups](groups-approval-workflow.md) ### Extend and renew assignments When you use B2B collaboration, you can invite an external user to your organiza ## Next steps - [License requirements to use Privileged Identity Management](subscription-requirements.md)-- [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json)+- [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md?toc=/azure/active-directory/privileged-identity-management/toc.json) - [Deploy Privileged Identity Management](pim-deployment-plan.md) |
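Review bot: in the pim-configure.md hunk under `## License requirements`, the section's only sentence (`-For information about licenses for users, see [License requirements to use Privileged Identity Management](subscription-requirements.md).`) and the blank line after it are removed with no `+` line in their place, so the heading is left with no body before `## What does it do?`; either add the replacement text or include in the same change, or remove the now-empty heading as well.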
active-directory | Pim Create Roles And Resource Roles Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review.md | The need for access to privileged Azure resource and Azure AD roles by employees ## Prerequisites For more information about licenses for PIM, refer to [License requirements to use Privileged Identity Management](subscription-requirements.md). You can track the progress as the reviewers complete their reviews on the **Over :::image type="content" source="./media/pim-create-azure-ad-roles-and-resource-roles-review/access-review-overview.png" alt-text="Access reviews overview page showing the details of the access review for Azure AD roles screenshot." lightbox="./media/pim-create-azure-ad-roles-and-resource-roles-review/access-review-overview.png"::: -If this is a one-time review, then after the access review period is over or the administrator stops the access review, follow the steps in [Complete an access review of Azure resource and Azure AD roles](pim-complete-azure-ad-roles-and-resource-roles-review.md) to see and apply the results. +If this is a one-time review, then after the access review period is over or the administrator stops the access review, follow the steps in [Complete an access review of Azure resource and Azure AD roles](./pim-complete-roles-and-resource-roles-review.md) to see and apply the results. To manage a series of access reviews, navigate to the access review, and you will find upcoming occurrences in Scheduled reviews, and edit the end date or add/remove reviewers accordingly. After one or more access reviews have been started, you may want to modify or up ## Next steps -- [Perform an access review of Azure resource and Azure AD roles in PIM](pim-perform-azure-ad-roles-and-resource-roles-review.md)-- [Complete an access review of Azure resource and Azure AD roles in PIM](pim-complete-azure-ad-roles-and-resource-roles-review.md)+- [Perform an access review of Azure resource and Azure AD roles in PIM](./pim-perform-roles-and-resource-roles-review.md) +- [Complete an access review of Azure resource and Azure AD roles in PIM](./pim-complete-roles-and-resource-roles-review.md) |
active-directory | Pim Deployment Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-deployment-plan.md | In case the role expires, you can **extend** or **renew** these assignments. ## Plan the project -When technology projects fail, itΓÇÖs typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that youΓÇÖre engaging the right stakeholders](../fundamentals/deployment-plans.md) and that stakeholder roles in the project are well understood. +When technology projects fail, itΓÇÖs typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that youΓÇÖre engaging the right stakeholders](../architecture/deployment-plans.md) and that stakeholder roles in the project are well understood. ### Plan a pilot -At each stage of your deployment ensure that you are evaluating that the results are as expected. See [best practices for a pilot](../fundamentals/deployment-plans.md#best-practices-for-a-pilot). +At each stage of your deployment ensure that you are evaluating that the results are as expected. See [best practices for a pilot](../architecture/deployment-plans.md#best-practices-for-a-pilot). * Start with a small set of users (pilot group) and verify that the PIM behaves as expected. Follow these tasks to prepare PIM to manage Azure AD roles. List who has privileged roles in your organization. Review the users assigned, identify administrators who no longer need the role, and remove them from their assignments. -You can use [Azure AD roles access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) to automate the discovery, review, and approval or removal of assignments. +You can use [Azure AD roles access reviews](./pim-create-roles-and-resource-roles-review.md) to automate the discovery, review, and approval or removal of assignments. ### Determine roles to be managed by PIM Minimize Owner and User Access Administrator assignments attached to each subscr As a Global Administrator you can [elevate access to manage all Azure subscriptions](../../role-based-access-control/elevate-access-global-admin.md). You can then find each subscription owner and work with them to remove unnecessary assignments within their subscriptions. -Use [access reviews for Azure resources](./pim-create-azure-ad-roles-and-resource-roles-review.md) to audit and remove unnecessary role assignments. +Use [access reviews for Azure resources](./pim-create-roles-and-resource-roles-review.md) to audit and remove unnecessary role assignments. ### Determine roles to be managed by PIM When these important events occur in Azure resource roles, PIM sends [email noti ### Approve or deny PIM activation requests -[Approve or deny activation requests for Azure AD role](azure-ad-pim-approval-workflow.md)- A delegated approver receives an email notification when a request is pending for approval. +[Approve or deny activation requests for Azure AD role](./pim-approval-workflow.md)- A delegated approver receives an email notification when a request is pending for approval. ### View audit history for Azure Resource roles Configure PIM for Groups members and owners to require approval for activation a * If there is PIM-related issues, see [Troubleshooting a problem with PIM](pim-troubleshoot.md). -* [Deploy other identity features](../fundamentals/deployment-plans.md) -+* [Deploy other identity features](../architecture/deployment-plans.md) |
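Review bot: in the pim-deployment-plan.md hunk under `### Approve or deny PIM activation requests`, the rewritten line keeps the link glued to the dash that follows it (`](./pim-approval-workflow.md)- A delegated approver`); since the line is being touched anyway, put a space before the dash so the link and its description render as separate parts. The last hunk also drops the blank line after the `[Deploy other identity features]` bullet (the lone `-`); harmless, but confirm nothing else followed it in the file.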
active-directory | Pim Email Notifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-email-notifications.md | Privileged Identity Management sends emails to end users when the following even ## Next steps - [Configure Azure AD role settings in Privileged Identity Management](pim-how-to-change-default-settings.md)-- [Approve or deny requests for Azure AD roles in Privileged Identity Management](azure-ad-pim-approval-workflow.md)+- [Approve or deny requests for Azure AD roles in Privileged Identity Management](./pim-approval-workflow.md) |
active-directory | Pim Getting Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-getting-started.md | Use Privileged Identity Management (PIM) to manage, control, and monitor access To use Privileged Identity Management, you must have one of the following licenses: -- [!INCLUDE [active-directory-p2-governance-either-license.md](../../../includes/active-directory-p2-governance-either-license.md)]+- [!INCLUDE [entra-id-license-pim.md](../../../includes/entra-id-license-pim.md)] For more information, see [License requirements to use Privileged Identity Management](subscription-requirements.md). |
active-directory | Pim How To Change Default Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-change-default-settings.md | You can require users to enter a support ticket number when they activate the el You can require approval for activation of an eligible assignment. The approver doesn't have to have any roles. When you use this option, you must select at least one approver. We recommend that you select at least two approvers. There are no default approvers. -To learn more about approvals, see [Approve or deny requests for Azure AD roles in Privileged Identity Management](azure-ad-pim-approval-workflow.md). +To learn more about approvals, see [Approve or deny requests for Azure AD roles in Privileged Identity Management](./pim-approval-workflow.md). ### Assignment duration |
active-directory | Pim How To Configure Security Alerts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts.md | Privileged Identity Management (PIM) generates alerts when there's suspicious or ![Screenshot that shows the alerts page with a list of alerts and their severity.](./media/pim-how-to-configure-security-alerts/view-alerts.png) ## License requirements ## Security alerts Severity: **Low** | | | | **Why do I get this alert?** | Users that have been assigned privileged roles they don't need increases the chance of an attack. It's also easier for attackers to remain unnoticed in accounts that aren't actively being used. | | **How to fix?** | Review the users in the list and remove them from privileged roles that they don't need. |-| **Prevention** | Assign privileged roles only to users who have a business justification. </br>Schedule regular [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) to verify that users still need their access. | +| **Prevention** | Assign privileged roles only to users who have a business justification. </br>Schedule regular [access reviews](./pim-create-roles-and-resource-roles-review.md) to verify that users still need their access. | | **In-portal mitigation action** | Removes the account from their privileged role. | | **Trigger** | Triggered if a user goes over a specified number of days without activating a role. | | **Number of days** | This setting specifies the maximum number of days, from 0 to 100, that a user can go without activating a role.| Severity: **Low** | | Description | | | | | **Why do I get this alert?** | The current Azure AD organization doesn't have Microsoft Entra Premium P2 or Microsoft Entra ID Governance. |-| **How to fix?** | Review information about [Azure AD editions](../fundamentals/active-directory-whatis.md). Upgrade to Microsoft Entra Premium P2 or Microsoft Entra ID Governance. | +| **How to fix?** | Review information about [Azure AD editions](../fundamentals/whatis.md). Upgrade to Microsoft Entra Premium P2 or Microsoft Entra ID Governance. | ### Potential stale accounts in a privileged role Severity: **Medium** | | | | **Why do I get this alert?** | This alert is no longer triggered based on the last password change date of for an account. This alert is for accounts in a privileged role that haven't signed in during the past *n* days, where *n* is a number of days that is configurable between 1-365 days. These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers. | | **How to fix?** | Review the accounts in the list. If they no longer need access, remove them from their privileged roles. |-| **Prevention** | Ensure that accounts that are shared are rotating strong passwords when there's a change in the users that know the password. </br>Regularly review accounts with privileged roles using [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) and remove role assignments that are no longer needed. | +| **Prevention** | Ensure that accounts that are shared are rotating strong passwords when there's a change in the users that know the password. </br>Regularly review accounts with privileged roles using [access reviews](./pim-create-roles-and-resource-roles-review.md) and remove role assignments that are no longer needed. | | **In-portal mitigation action** | Removes the account from their privileged role. | | **Best practices** | Shared, service, and emergency access accounts that authenticate using a password and are assigned to highly privileged administrative roles such as Global administrator or Security administrator should have their passwords rotated for the following cases:<ul><li>After a security incident involving misuse or compromise of administrative access rights</li><li>After any user's privileges are changed so that they're no longer an administrator (for example, after an employee who was an administrator leaves IT or leaves the organization)</li><li>At regular intervals (for example, quarterly or yearly), even if there was no known breach or change to IT staffing</li></ul>Since multiple people have access to these accounts' credentials, the credentials should be rotated to ensure that people that have left their roles can no longer access the accounts. [Learn more about securing accounts](../roles/security-planning.md) | |
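Review bot: in the pim-how-to-configure-security-alerts.md hunk for the "Potential stale accounts in a privileged role" table, the unchanged context line reads `based on the last password change date of for an account`; "of for" is a leftover from an earlier edit and should be just "for" while this row is being modified. The earlier context `## License requirements ## Security alerts` also shows a heading with no body in this file, which this change does not address.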
active-directory | Pim How To Renew Extend | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-how-to-renew-extend.md | They can also renew expired role assignments from within the **Expired** roles t ## Next steps -- [Approve or deny requests for Azure AD roles in Privileged Identity Management](azure-ad-pim-approval-workflow.md)+- [Approve or deny requests for Azure AD roles in Privileged Identity Management](./pim-approval-workflow.md) - [Configure Azure AD role settings in Privileged Identity Management](pim-how-to-change-default-settings.md) |
active-directory | Pim Perform Roles And Resource Roles Review | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md | Privileged Identity Management (PIM) simplifies how enterprises manage privilege If you are assigned to an administrative role, your organization's privileged role administrator may ask you to regularly confirm that you still need that role for your job. You might get an email that includes a link, or you can go straight to the [Azure portal](https://portal.azure.com) and begin. -If you're a privileged role administrator or global administrator interested in access reviews, get more details at [How to start an access review](pim-create-azure-ad-roles-and-resource-roles-review.md). +If you're a privileged role administrator or global administrator interested in access reviews, get more details at [How to start an access review](./pim-create-roles-and-resource-roles-review.md). ## Approve or deny access Follow these steps to find and complete the access review: ## Next steps -- [Create an access review of Azure resource and Azure AD roles in PIM](pim-create-azure-ad-roles-and-resource-roles-review.md)-- [Complete an access review of Azure resource and Azure AD roles in PIM](pim-complete-azure-ad-roles-and-resource-roles-review.md)+- [Create an access review of Azure resource and Azure AD roles in PIM](./pim-create-roles-and-resource-roles-review.md) +- [Complete an access review of Azure resource and Azure AD roles in PIM](./pim-complete-roles-and-resource-roles-review.md) |
active-directory | Pim Resource Roles Approval Workflow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md | Here's some information about workflow notifications: ## Next steps - [Email notifications in Privileged Identity Management](pim-email-notifications.md)-- [Approve or deny requests for Azure AD roles in Privileged Identity Management](azure-ad-pim-approval-workflow.md)+- [Approve or deny requests for Azure AD roles in Privileged Identity Management](./pim-approval-workflow.md) |
active-directory | Pim Resource Roles Configure Role Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md | You can require users to enter a support ticket number when they activate the el You can require approval for activation of an eligible assignment. The approver doesn't have to have any roles. When you use this option, you must select at least one approver. We recommend that you select at least two approvers. There are no default approvers. -To learn more about approvals, see [Approve or deny requests for Azure AD roles in Privileged Identity Management](azure-ad-pim-approval-workflow.md). +To learn more about approvals, see [Approve or deny requests for Azure AD roles in Privileged Identity Management](./pim-approval-workflow.md). ### Assignment duration |
active-directory | Pim Resource Roles Overview Dashboards | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-resource-roles-overview-dashboards.md | Below the charts are listed the number of users and groups with new role assignm ## Next steps -- [Start an access review for Azure resource roles in Privileged Identity Management](./pim-create-azure-ad-roles-and-resource-roles-review.md)+- [Start an access review for Azure resource roles in Privileged Identity Management](./pim-create-roles-and-resource-roles-review.md) |
active-directory | Pim Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-troubleshoot.md | Assign the User Access Administrator role to the Privileged identity Management ## Next steps - [License requirements to use Privileged Identity Management](subscription-requirements.md)-- [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md?toc=%2fazure%2factive-directory%2fprivileged-identity-management%2ftoc.json)+- [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md?toc=/azure/active-directory/privileged-identity-management/toc.json) - [Deploy Privileged Identity Management](pim-deployment-plan.md) |
active-directory | Subscription Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/subscription-requirements.md | - Title: License requirements to use Privileged Identity Management -description: Describes the licensing requirements to use Azure AD Privileged Identity Management (PIM). ------- Previously updated : 07/06/2022--------# License requirements to use Privileged Identity Management --To use Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, a tenant must have a valid license. Licenses must also be assigned to the administrators and relevant users. This article describes the license requirements to use Privileged Identity Management. To use Privileged Identity Management, you must have one of the following licenses: --- [!INCLUDE [active-directory-p2-governance-either-license.md](../../../includes/active-directory-p2-governance-either-license.md)]---## Valid licenses --You will need either Microsoft Entra ID Governance licenses or Azure AD Premium P2 licenses to use PIM and all of its settings. Currently, you can scope an access review to service principals with access to Azure AD and Azure resource roles with an Microsoft Entra Premuim P2 or Microsoft Entra ID Governance edition active in your tenant. The licensing model for service principals will be finalized for general availability of this feature and additional licenses may be required. --## Licenses you must have -Ensure that your tenant has either Microsoft Entra ID Governance or Microsoft Azure AD Premium P2 licenses for all users whose identities or access is governed or who interact with an identity governance feature. ---## Example license scenarios --Here are some example license scenarios to help you determine the number of licenses you must have. 
--| Scenario | Calculation | Number of licenses | -| | | | -| Woodgrove Bank has 10 administrators for different departments and 2 Global Administrators that configure and manage PIM. They make five administrators eligible. | Five licenses for the administrators who are eligible | 5 | -| Graphic Design Institute has 25 administrators of which 14 are managed through PIM. Role activation requires approval and there are three different users in the organization who can approve activations. | 14 licenses for the eligible roles + three approvers | 17 | -| Contoso has 50 administrators of which 42 are managed through PIM. Role activation requires approval and there are five different users in the organization who can approve activations. Contoso also does monthly reviews of users assigned to administrator roles and reviewers are the usersΓÇÖ managers of which six are not in administrator roles managed by PIM. | 42 licenses for the eligible roles + five approvers + six reviewers | 53 | --## When a license expires --If a Microsoft Azure AD Premuim P2, Microsoft Entra ID Governance, or trial license expires, Privileged Identity Management features will no longer be available in your directory: --- Permanent role assignments to Azure AD roles will be unaffected.-- The Privileged Identity Management service in the Azure portal, as well as the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.-- Eligible role assignments of Azure AD roles will be removed, as users will no longer be able to activate privileged roles.-- Any ongoing access reviews of Azure AD roles will end, and Privileged Identity Management configuration settings will be removed.-- Privileged Identity Management will no longer send emails on role assignment changes.--## Next steps --- [Deploy Privileged Identity 
Management](pim-deployment-plan.md)-- [Start using Privileged Identity Management](pim-getting-started.md)-- [Roles you can't manage in Privileged Identity Management](pim-roles.md)- |
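Review bot: every line of subscription-requirements.md is removed in this hunk, yet the pim-troubleshoot row above still links to it as unchanged context (`- [License requirements to use Privileged Identity Management](subscription-requirements.md)`), so that link breaks unless a redirect entry ships with the deletion; add the redirect or update that link in the same change. If this text is being relocated rather than dropped, also carry over fixes for the misspelling `Premuim` (it appears twice) and the mojibake in `usersΓÇÖ managers`, neither of which should survive into the new location.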
active-directory | Concept All Sign Ins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-all-sign-ins.md | To access the sign-ins log for a tenant, you must have one of the following role >To see Conditional Access data in the sign-ins log, you need to be a user in one of the following roles: Company Administrator, Global Reader, Security Administrator, Security Reader, Conditional Access Administrator . -The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade. +The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade. **To access the Azure AD sign-ins log preview:** You can also access the Microsoft 365 activity logs programmatically by using th - [How to download logs in Azure Active Directory](howto-download-logs.md) -- [How to access activity logs in Azure AD](howto-access-activity-logs.md)+- [How to access activity logs in Azure AD](howto-access-activity-logs.md) |
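Review bot: the final bullet of this hunk is removed and re-added with identical text (`- [How to access activity logs in Azure AD](howto-access-activity-logs.md)`), so the only difference is whitespace, most likely an end-of-file newline; nothing to fix in the content, but confirm no stray character was introduced, since the same pattern recurs in the concept-sign-in-diagnostics-scenarios, recommendation-mfa-from-known-devices and recommendation-migrate-from-adal-to-msal rows below.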
active-directory | Concept Audit Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-audit-logs.md | To access the audit log for a tenant, you must have one of the following roles: Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure AD** and select **Audit log** from the **Monitoring** section. -The audit activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the audit log through the [Microsoft Graph API](/graph/api/resources/azure-ad-auditlog-overview). See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade. +The audit activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the audit log through the [Microsoft Graph API](/graph/api/resources/azure-ad-auditlog-overview). See [Getting started with Azure Active Directory Premium](../fundamentals/get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade. ## What do the logs show? 
You can also access the Microsoft 365 activity logs programmatically by using th - [Azure AD audit activity reference](reference-audit-activities.md) - [Azure AD logs retention reference](reference-reports-data-retention.md)-- [Azure AD log latencies reference](reference-reports-latencies.md)+- [Azure AD log latencies reference](./reference-azure-ad-sla-performance.md) - [Unknown actors in audit report](/troubleshoot/azure/active-directory/unknown-actors-in-audit-reports) |
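Review bot: the link text `Azure AD log latencies reference` no longer matches its target; `./reference-azure-ad-sla-performance.md` is, going by its name, an SLA and performance page rather than the latency table the text promises. The quickstart rows below retarget `reference-reports-latencies.md#activity-reports` to `./overview-reports.md#activity-reports`, so either point this bullet there as well for consistency or reword the text to describe the SLA page.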
active-directory | Concept Provisioning Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-provisioning-logs.md | You can use the provisioning logs to find answers to questions like: ## How do you access the provisioning logs? -To view the provisioning logs, your tenant must have an Azure AD Premium license associated with it. To upgrade your Azure AD edition, see [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md). +To view the provisioning logs, your tenant must have an Azure AD Premium license associated with it. To upgrade your Azure AD edition, see [Getting started with Azure Active Directory Premium](../fundamentals/get-started-premium.md). Application owners can view logs for their own applications. The following roles are required to view provisioning logs: |
active-directory | Concept Sign In Diagnostics Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-sign-in-diagnostics-scenarios.md | Because pass trough authentication is an integration of on premises and cloud au This diagnostic scenario identifies user specific sign-in issues when the authentication method being used is pass through authentication (PTA) and there's a PTA specific error. Errors due to other problems-even when PTA authentication is being used-will still be diagnosed correctly. -The diagnostic results show contextual information about the failure and the user signing in. The results could show other reasons why the sign-in failed, and recommended actions the admin can take to resolve the problem. For more information, see [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/tshoot-connect-pass-through-authentication.md). +The diagnostic results show contextual information about the failure and the user signing in. The results could show other reasons why the sign-in failed, and recommended actions the admin can take to resolve the problem. For more information, see [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/connect/tshoot-connect-pass-through-authentication.md). ### Seamless single sign-on Seamless single sign-on integrates Kerberos authentication with cloud authentication. Because this scenario involves two authentication protocols, it can be difficult to understand where a failure point lies when sign-in problems occur. This diagnostic is intended to make these scenarios easier to diagnose and resolve. -This diagnostic scenario examines the context of the sign-in failure and specific failure cause. The diagnostic results could include contextual information on the sign-in attempt, and suggested actions the admin can take. 
For more information, see [Troubleshoot Azure Active Directory Seamless single sign-on](../hybrid/tshoot-connect-sso.md). +This diagnostic scenario examines the context of the sign-in failure and specific failure cause. The diagnostic results could include contextual information on the sign-in attempt, and suggested actions the admin can take. For more information, see [Troubleshoot Azure Active Directory Seamless single sign-on](../hybrid/connect/tshoot-connect-sso.md). ## Next steps - [How to use the sign-in diagnostic](howto-use-sign-in-diagnostics.md)-- [How to troubleshoot sign-in errors](howto-troubleshoot-sign-in-errors.md)+- [How to troubleshoot sign-in errors](howto-troubleshoot-sign-in-errors.md) |
active-directory | Concept Sign Ins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-sign-ins.md | To access the sign-ins log for a tenant, you must have one of the following role - Global Reader - Reports Reader -The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade. +The sign-in activity report is available in [all editions of Azure AD](reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data). If you have an Azure Active Directory P1 or P2 license, you can access the sign-in activity report through the Microsoft Graph API. See [Getting started with Azure Active Directory Premium](../fundamentals/get-started-premium.md) to upgrade your Azure Active Directory edition. It will take a couple of days for the data to show up in Graph after you upgrade to a premium license with no data activities before the upgrade. **To access the Azure AD sign-ins log:** |
active-directory | Howto Access Activity Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-access-activity-logs.md | Integrating Azure AD logs with Azure Monitor logs provides a centralized locatio ### Quick steps 1. Sign in to the [Azure portal](https://portal.azure.com) using one of the required roles.-1. [Create a Log Analytics workspace](../../azure-monitor/learn/quick-create-workspace.md). +1. [Create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md). 1. Go to **Azure AD** > **Diagnostic settings**. 1. Choose the logs you want to stream, select the **Send to Log Analytics workspace** option, and complete the fields. 1. Go to **Azure AD** > **Log Analytics** and begin querying the data. Use the following basic steps to archive or download your activity logs. - [Stream logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md) - [Archive logs to a storage account](quickstart-azure-monitor-route-logs-to-storage-account.md) - [Integrate logs with Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md)- |
active-directory | Howto Manage Inactive User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md | The last sign-in date and time shown on this tile may take up to 6 hours to upda ## Next steps -* [Get data using the Azure Active Directory reporting API with certificates](tutorial-access-api-with-certificates.md) +* [Get data using the Azure Active Directory reporting API with certificates](./howto-configure-prerequisites-for-reporting-api.md) * [Audit API reference](/graph/api/resources/directoryaudit) * [Sign-in activity report API reference](/graph/api/resources/signin) |
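Review bot: the link text `Get data using the Azure Active Directory reporting API with certificates` now points at `./howto-configure-prerequisites-for-reporting-api.md`, which is the prerequisites article rather than the certificate-based tutorial the text describes; rename the link to match the target (for example `Configure the prerequisites for the reporting API`) or keep the text and point it at a surviving certificate tutorial. The overview-reports row below retargets `programmatic access` to the same page, where the wording still fits.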
active-directory | Howto Troubleshoot Sign In Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-troubleshoot-sign-in-errors.md | The following failure reasons and details are common: If you need more specifics to research, you can use the **sign-in error code** for further research. - Enter the error code into the **[Error code lookup tool](https://login.microsoftonline.com/error)** to get the error code description and remediation information.-- Search for an error code in the **[sign-ins error codes reference](../develop/reference-aadsts-error-codes.md)**. +- Search for an error code in the **[sign-ins error codes reference](../develop/reference-error-codes.md)**. The following error codes are associated with sign-in events, but this list isn't exhaustive: |
active-directory | Howto Use Azure Monitor Workbooks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md | When using workbooks, you can either start with an empty workbook, or use an exi To use Azure Workbooks for Azure AD, you need: -- An Azure AD tenant with a [Premium P1 license](../fundamentals/active-directory-get-started-premium.md)+- An Azure AD tenant with a [Premium P1 license](../fundamentals/get-started-premium.md) - A Log Analytics workspace *and* access to that workspace - The appropriate roles for Azure Monitor *and* Azure AD |
active-directory | Overview Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-monitoring.md | Routing logs to an Azure event hub allows you to integrate with third-party SIEM [Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) is a solution that consolidates monitoring data from different sources and provides a query language and analytics engine that gives you insights into the operation of your applications and resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor and alert on collected data. Learn how to [send data to Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md). -You can also install the pre-built views for Azure AD activity logs to monitor common scenarios involving sign-ins and audit events. Learn how to [install and use log analytics views for Azure AD activity logs](howto-install-use-log-analytics-views.md). +You can also install the pre-built views for Azure AD activity logs to monitor common scenarios involving sign-ins and audit events. Learn how to [install and use log analytics views for Azure AD activity logs](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md). ## Next steps |
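Review bot: retargeting alone leaves this sentence wrong: it still tells readers to `install the pre-built views for Azure AD activity logs`, while the new target `../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md` is, by its name, about converting View Designer views to workbooks, not about installing views. Rewrite the sentence to send readers to the Azure AD workbooks instead (the howto-use-azure-monitor-workbooks row above covers their prerequisites) rather than promising pre-built views the target does not provide.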
active-directory | Overview Reports | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-reports.md | The [audit logs report](concept-audit-logs.md) provides you with records of syst #### What Azure AD license do you need to access the audit logs report? -The audit logs report is available for features for which you have licenses. If you have a license for a specific feature, you also have access to the audit log information for it. A detailed feature comparison as per [different types of licenses](../fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) can be seen on the [Azure Active Directory pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). For more information, see [Azure Active Directory features and capabilities](../fundamentals/active-directory-whatis.md#which-features-work-in-azure-ad). +The audit logs report is available for features for which you have licenses. If you have a license for a specific feature, you also have access to the audit log information for it. A detailed feature comparison as per [different types of licenses](../fundamentals/whatis.md#what-are-the-azure-ad-licenses) can be seen on the [Azure Active Directory pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). For more information, see [Azure Active Directory features and capabilities](../fundamentals/whatis.md#which-features-work-in-azure-ad). ### Sign-ins report To access the sign-ins activity report, your tenant must have an Azure AD Premiu ## Programmatic access -In addition to the user interface, Azure AD also provides you with [programmatic access](concept-reporting-api.md) to the reports data, through a set of REST-based APIs. You can call these APIs from various programming languages and tools. 
+In addition to the user interface, Azure AD also provides you with [programmatic access](./howto-configure-prerequisites-for-reporting-api.md) to the reports data, through a set of REST-based APIs. You can call these APIs from various programming languages and tools. ## Next steps |
active-directory | Plan Monitoring And Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md | For detailed feature and licensing information, see the [Azure Active Directory To deploy Azure AD monitoring and reporting you'll need a user who is a Global Administrator or Security Administrator for the Azure AD tenant. * [Azure Monitor data platform](../../azure-monitor/data-platform.md)-* [Azure Monitor naming and terminology changes](../../azure-monitor/terminology.md) +* [Azure Monitor naming and terminology changes](../../azure-monitor/overview.md) * [How long does Azure AD store reporting data?](./reference-reports-data-retention.md) * An Azure storage account that you have `ListKeys` permissions for. We recommend that you use a general storage account and not a Blob storage account. For storage pricing information, see the [Azure Storage pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=storage). * An Azure Event Hubs namespace to integrate with third-party SIEM solutions. Reporting and monitoring are used to meet your business requirements, gain insig ## Stakeholders, communications, and documentation -When technology projects fail, they typically do so due to mismatched expectations on effect, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/deployment-plans.md). Also ensure that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and responsibilities. +When technology projects fail, they typically do so due to mismatched expectations on effect, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../architecture/deployment-plans.md). 
Also ensure that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and responsibilities. Stakeholders need to access Azure AD logs to gain operational insights. Likely users include security team members, internal or external auditors, and the identity and access management operations team. Learn More About [Azure AD Administrative Roles](../roles/permissions-reference. ### Engage stakeholders -Successful projects align expectations, outcomes, and responsibilities. See, [Azure Active Directory deployment plans](../fundamentals/deployment-plans.md). Document and communicate stakeholder roles that require input and accountability. +Successful projects align expectations, outcomes, and responsibilities. See, [Azure Active Directory deployment plans](../architecture/deployment-plans.md). Document and communicate stakeholder roles that require input and accountability. ### Communications plan Learn more: - Consider implementing [Azure role-based access control](../../role-based-access-control/overview.md) - [Learn more about report retention policies](./reference-reports-data-retention.md). - [Analyze Azure AD activity logs with Azure Monitor logs](./howto-analyze-activity-logs-log-analytics.md)- |
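Review bot: the bullet `Azure Monitor naming and terminology changes` now links to `../../azure-monitor/overview.md`, whose name suggests a general overview rather than a terminology-changes page; update the link text to describe the overview, or drop the bullet if the terminology article was retired, so the prerequisites list does not promise content the target does not carry.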
active-directory | Quickstart Access Log With Graph Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-access-log-with-graph-api.md | With the information in the Azure Active Directory (Azure AD) sign-in logs, you To complete the scenario in this quickstart, you need: - **Access to an Azure AD tenant**: If you don't have access to an Azure AD tenant, see [Create your Azure free account today](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -- **A test account called Isabella Simonsen**: If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users-azure-active-directory.md#add-a-new-user).+- **A test account called Isabella Simonsen**: If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users.md#add-a-new-user). - **Access to the reporting API**: If you haven't configured access yet, see [How to configure the prerequisites for the reporting API](howto-configure-prerequisites-for-reporting-api.md). The goal of this step is to create a record of a failed sign-in in the Azure AD 1. Sign in to the [Azure portal](https://portal.azure.com) as Isabella Simonsen using an incorrect password. -2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-ins log. For more information, see [Activity reports](reference-reports-latencies.md#activity-reports). +2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-ins log. For more information, see [Activity reports](./overview-reports.md#activity-reports). Review the outcome of your query. ## Clean up resources -When no longer needed, delete the test user. If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users-azure-active-directory.md#delete-a-user). +When no longer needed, delete the test user. 
If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users.md#delete-a-user). ## Next steps |
active-directory | Quickstart Analyze Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-analyze-sign-in.md | With the information in the Azure AD sign-ins log, you can figure out what happe To complete the scenario in this quickstart, you need: - **Access to an Azure AD tenant** - If you don't have access to an Azure AD tenant, see [Create your Azure free account today](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -- **A test account called Isabella Simonsen** - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users-azure-active-directory.md#add-a-new-user).+- **A test account called Isabella Simonsen** - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users.md#add-a-new-user). ## Perform a failed sign-in The goal of this step is to create a record of a failed sign-in in the Azure AD 1. Sign in to the [Azure portal](https://portal.azure.com) as Isabella Simonsen using an incorrect password. -2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-ins log. For more information, see [Activity reports](reference-reports-latencies.md#activity-reports). +2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-ins log. For more information, see [Activity reports](./overview-reports.md#activity-reports). Now, that you know how to find an entry in the sign-in log by name, you should a ## Clean up resources -When no longer needed, delete the test user. If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users-azure-active-directory.md#delete-a-user). +When no longer needed, delete the test user. If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users.md#delete-a-user). ## Next steps |
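Review bot: `Wait for 5 minutes to ensure that you can find a record of the sign-in` cites `Activity reports` to justify the wait, and the target moves from `reference-reports-latencies.md#activity-reports` to `./overview-reports.md#activity-reports`; confirm that `overview-reports.md` actually carries an `activity-reports` anchor and that the section states the latency figure the 5-minute wait depends on, otherwise the reference no longer supports the step. The same retargeting appears in the quickstart-access-log-with-graph-api row above and needs the same check.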
active-directory | Quickstart Filter Audit Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-filter-audit-log.md | This quickstart shows how to you can locate a newly created user account in your To complete the scenario in this quickstart, you need: - **Access to an Azure AD tenant** - If you don't have access to an Azure AD tenant, see [Create your Azure free account today](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). -- **A test account called Isabella Simonsen** - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users-azure-active-directory.md#add-a-new-user).+- **A test account called Isabella Simonsen** - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users.md#add-a-new-user). ## Find the new user account This section provides you with the steps to filter your audit log. ## Clean up resources -When no longer needed, delete the test user. If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users-azure-active-directory.md#delete-a-user). +When no longer needed, delete the test user. If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users.md#delete-a-user). ## Next steps |
active-directory | Recommendation Mfa From Known Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-mfa-from-known-devices.md | This recommendation improves your user's productivity and minimizes the sign-in 1. Adjust the number of days in the **remember multi-factor authentication on trusted device** section to 90 days. - ![Remember MFA on trusted devices](./media/recommendation-mfa-from-known-devices\remember-mfa-on-trusted-devices.png) + ![Remember MFA on trusted devices](./media/recommendation-mfa-from-known-devices/remember-mfa-on-trusted-devices.png) ## Next steps - [Review the Azure AD recommendations overview](overview-recommendations.md) - [Learn how to use Azure AD recommendations](howto-use-recommendations.md)-- [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation)+- [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation) |
active-directory | Recommendation Migrate Apps From Adfs To Azure Ad | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-migrate-apps-from-adfs-to-azure-ad.md | Using Azure AD gives you granular per-application access controls to secure acce ## Action plan -1. [Install Azure AD Connect Health](../hybrid/how-to-connect-install-roadmap.md) on your AD FS server. +1. [Install Azure AD Connect Health](../hybrid/connect/how-to-connect-install-roadmap.md) on your AD FS server. 1. [Review the AD FS application activity report](../manage-apps/migrate-adfs-application-activity.md) to get insights about your AD FS applications. -1. Read the solution guide for [migrating applications to Azure AD](../manage-apps/migrate-adfs-apps-to-azure.md). -1. Migrate applications to Azure AD. For more information, see the article [Migrate from federation to cloud authentication](../hybrid/migrate-from-federation-to-cloud-authentication.md). +1. Read the solution guide for [migrating applications to Azure AD](../manage-apps/migrate-adfs-apps-stages.md). +1. Migrate applications to Azure AD. For more information, see the article [Migrate from federation to cloud authentication](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md). ### Guided walkthrough |
active-directory | Recommendation Migrate From Adal To Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-migrate-from-adal-to-msal.md | The first step to migrating your apps from ADAL to MSAL is to identify all appli ### [Azure portal](#tab/Azure-portal) -There are four steps to identifying and updating your apps in the Azure portal. The following steps are covered in detail in the [List all apps using ADAL](../develop/howto-get-list-of-all-active-directory-auth-library-apps.md) article. +There are four steps to identifying and updating your apps in the Azure portal. The following steps are covered in detail in the [List all apps using ADAL](../develop/howto-get-list-of-all-auth-library-apps.md) article. 1. Send Azure AD sign-in event to Azure Monitor.-1. [Access the sign-ins workbook in Azure AD.](../develop/howto-get-list-of-all-active-directory-auth-library-apps.md) +1. [Access the sign-ins workbook in Azure AD.](../develop/howto-get-list-of-all-auth-library-apps.md) 1. Identify the apps that use ADAL. 1. Update your code. - The steps to update your code vary depending on the type of application. Yes. If an application was marked as completed - so no ADAL requests were made d - [Review the Azure AD recommendations overview](overview-recommendations.md) - [Learn how to use Azure AD recommendations](howto-use-recommendations.md)-- [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation)+- [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation) |
active-directory | Recommendation Renew Expiring Service Principal Credential | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-renew-expiring-service-principal-credential.md | When renewing service principal credentials using Microsoft Graph, you need to r - [Review the Azure AD recommendations overview](overview-recommendations.md) - [Learn how to use Azure AD recommendations](howto-use-recommendations.md) - [Explore the Microsoft Graph API properties for recommendations](/graph/api/resources/recommendation)-- [Learn about securing service principals](../fundamentals/service-accounts-principal.md)+- [Learn about securing service principals](../architecture/service-accounts-principal.md) |
active-directory | Reference Audit Activities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-audit-activities.md | With [Azure AD Identity Governance access reviews](../governance/manage-user-acc ## Account provisioning -Each time an account is provisioned in your Azure AD tenant, a log for that account is captured. Automated provisioning, such as with [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md), will be found in this log. The Account provisioning service only has one audit category in the logs. +Each time an account is provisioned in your Azure AD tenant, a log for that account is captured. Automated provisioning, such as with [Azure AD Connect cloud sync](../hybrid/cloud-sync/what-is-cloud-sync.md), will be found in this log. The Account provisioning service only has one audit category in the logs. |Audit Category|Activity| ||| The Self-service password management logs provide insight into changes made to p - [Azure AD reports overview](overview-reports.md). - [Audit logs report](concept-audit-logs.md). -- [Programmatic access to Azure AD reports](concept-reporting-api.md)+- [Programmatic access to Azure AD reports](./howto-configure-prerequisites-for-reporting-api.md) |
active-directory | Reference Azure Ad Sla Performance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md | To access your tenant-level SLA performance: ## Next steps * [Azure AD reports overview](overview-reports.md)-* [Programmatic access to Azure AD reports](concept-reporting-api.md) +* [Programmatic access to Azure AD reports](./howto-configure-prerequisites-for-reporting-api.md) * [Azure Active Directory risk detections](../identity-protection/overview-identity-protection.md) |
active-directory | Reference Basic Info Sign In Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-basic-info-sign-in-logs.md | This value shows whether continuous access evaluation (CAE) was applied to the s ## Next steps * [Learn about exporting Azure AD sign-in logs](concept-activity-logs-azure-monitor.md)-* [Explore the sign-in diagnostic in Azure AD](overview-sign-in-diagnostics.md) +* [Explore the sign-in diagnostic in Azure AD](./howto-use-sign-in-diagnostics.md) |
active-directory | Reference Powershell Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-powershell-reporting.md | The following image shows an example for this command. - [Azure AD reports overview](overview-reports.md). - [Audit logs report](concept-audit-logs.md). -- [Programmatic access to Azure AD reports](concept-reporting-api.md)+- [Programmatic access to Azure AD reports](./howto-configure-prerequisites-for-reporting-api.md) |
active-directory | Troubleshoot Audit Data Verified Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/troubleshoot-audit-data-verified-domain.md | Additionally, in most cases, there are no changes to users as their **UserPrinci ## Next Steps -[Azure AD Connect sync service shadow attributes](../hybrid/how-to-connect-syncservice-shadow-attributes.md) +[Azure AD Connect sync service shadow attributes](../hybrid/connect/how-to-connect-syncservice-shadow-attributes.md) |
active-directory | Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/best-practices.md | Access reviews enable organizations to review administrator's access regularly t - A malicious actor can compromise an account. - People move teams within a company. If there is no auditing, they can amass unnecessary access over time. -For information about access reviews for roles, see [Create an access review of Azure AD roles in PIM](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md). For information about access reviews of groups that are assigned roles, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md). +For information about access reviews for roles, see [Create an access review of Azure AD roles in PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). For information about access reviews of groups that are assigned roles, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md). ## 5. Limit the number of Global Administrators to less than 5 Avoid using on-premises synced accounts for Azure AD role assignments. If your o ## Next steps -- [Securing privileged access for hybrid and cloud deployments in Azure AD](security-planning.md)+- [Securing privileged access for hybrid and cloud deployments in Azure AD](security-planning.md) |
active-directory | Delegate App Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/delegate-app-roles.md | Azure AD has a set of built-in admin roles for granting access to manage configu For more information and to view the description for these roles, see [Azure AD built-in roles](permissions-reference.md). -Follow the instructions in the [Assign roles to users with Azure Active Directory](../fundamentals/active-directory-users-assign-role-azure-portal.md) how-to guide to assign the Application Administrator or Cloud Application Administrator roles. +Follow the instructions in the [Assign roles to users with Azure Active Directory](../fundamentals/how-subscriptions-associated-directory.md) how-to guide to assign the Application Administrator or Cloud Application Administrator roles. > [!IMPORTANT] > Application Administrators and Cloud Application Administrators can add credentials to an application and use those credentials to impersonate the application’s identity. The application may have permissions that are an elevation of privilege over the admin role's permissions. An admin in this role could potentially create or update users or other objects while impersonating the application, depending on the application's permissions. |
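Review bot: the new target for the link text "Assign roles to users with Azure Active Directory" is `../fundamentals/how-subscriptions-associated-directory.md`, whose file name says it covers associating an Azure subscription with a directory rather than assigning directory roles, so readers sent there to assign the Application Administrator or Cloud Application Administrator roles will land on the wrong article; check the redirect mapping used for this sweep and point the link at the role-assignment how-to instead.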
active-directory | Delegate By Task | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/delegate-by-task.md | You can further restrict permissions by assigning roles at smaller scopes or by > [!div class="mx-tableFixed"] > | Task | Least privileged role | Additional roles | > | - | | - |-> | [Add or delete services](../hybrid/how-to-connect-health-operations.md) | [Owner](../../role-based-access-control/built-in-roles.md#owner) | | +> | [Add or delete services](../hybrid/connect/how-to-connect-health-operations.md) | [Owner](../../role-based-access-control/built-in-roles.md#owner) | | > | Apply fixes to sync error | [Contributor](../../role-based-access-control/built-in-roles.md#contributor) | [Owner](../../role-based-access-control/built-in-roles.md#owner) | > | Configure notifications | [Contributor](../../role-based-access-control/built-in-roles.md#contributor) | [Owner](../../role-based-access-control/built-in-roles.md#owner) |-> | [Configure settings](../hybrid/how-to-connect-health-operations.md) | [Owner](../../role-based-access-control/built-in-roles.md#owner) | | +> | [Configure settings](../hybrid/connect/how-to-connect-health-operations.md) | [Owner](../../role-based-access-control/built-in-roles.md#owner) | | > | Configure sync notifications | [Contributor](../../role-based-access-control/built-in-roles.md#contributor) | [Owner](../../role-based-access-control/built-in-roles.md#owner) | > | Read ADFS security reports | [Security Reader](../../role-based-access-control/built-in-roles.md#security-reader) | [Contributor](../../role-based-access-control/built-in-roles.md#contributor)<br/>[Owner](../../role-based-access-control/built-in-roles.md#owner) > | Read all configuration | [Reader](../../role-based-access-control/built-in-roles.md#reader) | [Contributor](../../role-based-access-control/built-in-roles.md#contributor)<br/>[Owner](../../role-based-access-control/built-in-roles.md#owner) | |
active-directory | My Staff Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/my-staff-configure.md | To complete this article, you need the following resources and privileges: * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). * An Azure Active Directory tenant associated with your subscription. - * If needed, [create an Azure Active Directory tenant](../fundamentals/sign-up-organization.md) or [associate an Azure subscription with your account](../fundamentals/active-directory-how-subscriptions-associated-directory.md). + * If needed, [create an Azure Active Directory tenant](../fundamentals/sign-up-organization.md) or [associate an Azure subscription with your account](../fundamentals/how-subscriptions-associated-directory.md). * You need *Global Administrator* privileges in your Azure AD tenant to enable SMS-based authentication. * Each user who's enabled in the text message authentication method policy must be licensed, even if they don't use it. Each enabled user must have one of the following Azure AD or Microsoft 365 licenses: |
active-directory | Protected Actions Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/protected-actions-overview.md | We recommend using multi-factor authentication on all accounts, especially accou Conditional Access policies can be applied to limited set of permissions. You can use protected actions in the following areas: - Conditional Access policy management+- Cross-tenant access settings management - Custom rules that define network locations - Protected action management Here's the initial set of permissions: > | microsoft.directory/conditionalAccessPolicies/basic/update | Update basic properties for Conditional Access policies | > | microsoft.directory/conditionalAccessPolicies/create | Create Conditional Access policies | > | microsoft.directory/conditionalAccessPolicies/delete | Delete Conditional Access policies |+> | microsoft.directory/conditionalAccessPolicies/basic/update | Update basic properties for conditional access policies | +> | microsoft.directory/conditionalAccessPolicies/create | Create conditional access policies | +> | microsoft.directory/conditionalAccessPolicies/delete | Delete conditional access policies | +> | microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update | Update allowed cloud endpoints of the cross-tenant access policy| +> | microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update | Update Azure AD B2B collaboration settings of the default cross-tenant access policy | +> | microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of the default cross-tenant access policy | +> | microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of the default cross-tenant access policy. +> | microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update | Update tenant restrictions of the default cross-tenant access policy. +> | microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update | Update Azure AD B2B collaboration settings of cross-tenant access policy for partners. | +> | microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update | Update Azure AD B2B direct connect settings of cross-tenant access policy for partners. | +> | microsoft.directory/crossTenantAccessPolicy/partners/create | Create cross-tenant access policy for partners. | +> | microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update | Update cross-cloud Teams meeting settings of cross-tenant access policy for partners. | +> | microsoft.directory/crossTenantAccessPolicy/partners/delete | Delete cross-tenant access policy for partners. | +> | microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update | Update tenant restrictions of cross-tenant access policy for partners. | > | microsoft.directory/namedLocations/basic/update | Update basic properties of custom rules that define network locations | > | microsoft.directory/namedLocations/create | Create custom rules that define network locations | > | microsoft.directory/namedLocations/delete | Delete custom rules that define network locations | |
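Review bot: the first three added rows (`conditionalAccessPolicies/basic/update`, `/create` and `/delete`) repeat the three unchanged rows directly above them, differing only in the casing of "Conditional Access", so the permissions table will list each of those permissions twice; drop the added copies. The added `default/crossCloudMeetings/update` and `default/tenantRestrictions/update` rows also end without the closing ` |` that every other row carries, and `allowedCloudEndpoints/update` lacks the space before its closing pipe, so those three rows should be brought in line with the rest of the table.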
active-directory | Security Emergency Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/security-emergency-access.md | Create two or more emergency access accounts. These accounts should be cloud-onl When configuring these accounts, the following requirements must be met: - The emergency access accounts should not be associated with any individual user in the organization. Make sure that your accounts are not connected with any employee-supplied mobile phones, hardware tokens that travel with individual employees, or other employee-specific credentials. This precaution covers instances where an individual employee is unreachable when the credential is needed. It is important to ensure that any registered devices are kept in a known, secure location that has multiple means of communicating with Azure AD.-- Use strong authentication for your emergency access accounts and make sure it doesnΓÇÖt use the same authentication methods as your other administrative accounts. For example, if your normal administrator account uses the Microsoft Authenticator app for strong authentication, use a FIDO2 security key for your emergency accounts. Consider the [dependencies of various authentication methods](../fundamentals/resilience-in-credentials.md), to avoid adding external requirements into the authentication process.+- Use strong authentication for your emergency access accounts and make sure it doesnΓÇÖt use the same authentication methods as your other administrative accounts. For example, if your normal administrator account uses the Microsoft Authenticator app for strong authentication, use a FIDO2 security key for your emergency accounts. Consider the [dependencies of various authentication methods](../architecture/resilience-in-credentials.md), to avoid adding external requirements into the authentication process. - The device or credential must not expire or be in scope of automated cleanup due to lack of use. - In Azure AD Privileged Identity Management, you should make the Global Administrator role assignment permanent rather than eligible for your emergency access accounts. These steps should be performed at regular intervals and for key changes: ## Next steps - [Securing privileged access for hybrid and cloud deployments in Azure AD](security-planning.md)-- [Add users using Azure AD](../fundamentals/add-users-azure-active-directory.md) and [assign the new user to the Global Administrator role](../fundamentals/active-directory-users-assign-role-azure-portal.md)-- [Sign up for Azure AD Premium](../fundamentals/active-directory-get-started-premium.md), if you havenΓÇÖt signed up already+- [Add users using Azure AD](../fundamentals/add-users.md) and [assign the new user to the Global Administrator role](../fundamentals/how-subscriptions-associated-directory.md) +- [Sign up for Azure AD Premium](../fundamentals/get-started-premium.md), if you havenΓÇÖt signed up already - [How to require two-step verification for a user](../authentication/howto-mfa-userstates.md) - [Configure additional protections for Global Administrators in Microsoft 365](/office365/enterprise/protect-your-global-administrator-accounts), if you are using Microsoft 365-- [Start an access review of Global Administrators](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md) and [transition existing Global Administrators to more specific administrator roles](permissions-reference.md)+- [Start an access review of Global Administrators](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) and [transition existing Global Administrators to more specific administrator roles](permissions-reference.md) |
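Review bot: in the Next steps list, "assign the new user to the Global Administrator role" now links to `../fundamentals/how-subscriptions-associated-directory.md`, which by its name covers associating a subscription with a directory rather than role assignment; the other fundamentals/ links in this hunk map cleanly, so this one looks like a wrong entry in the redirect mapping and should point at the role-assignment article. Since the lines are being replaced anyway, the mojibake `ΓÇÖ` in "doesnΓÇÖt" and "havenΓÇÖt", carried unchanged into the new lines, should become a plain apostrophe.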
active-directory | Security Planning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/security-planning.md | Ensure all users have signed into their administrative accounts and changed thei Azure AD Connect synchronizes a hash of the hash of a user's password from on-premises Active Directory to a cloud-based Azure AD organization. You can use password hash synchronization as a backup if you use federation with Active Directory Federation Services (AD FS). This backup can be useful if your on-premises Active Directory or AD FS servers are temporarily unavailable. -Password hash sync enables users to sign in to a service by using the same password they use to sign in to their on-premises Active Directory instance. Password hash sync allows Identity Protection to detect compromised credentials by comparing password hashes with passwords known to be compromised. For more information, see [Implement password hash synchronization with Azure AD Connect sync](../hybrid/how-to-connect-password-hash-synchronization.md). +Password hash sync enables users to sign in to a service by using the same password they use to sign in to their on-premises Active Directory instance. Password hash sync allows Identity Protection to detect compromised credentials by comparing password hashes with passwords known to be compromised. For more information, see [Implement password hash synchronization with Azure AD Connect sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md). #### Require multi-factor authentication for users in privileged roles and exposed users Microsoft accounts from other programs, such as Xbox, Live, and Outlook, shouldn #### Monitor Azure activity -The Azure Activity Log provides a history of subscription-level events in Azure. It offers information about who created, updated, and deleted what resources, and when these events occurred. For more information, see [Audit and receive notifications about important actions in your Azure subscription](../../azure-monitor/alerts/alerts-activity-log.md). +The Azure Activity Log provides a history of subscription-level events in Azure. It offers information about who created, updated, and deleted what resources, and when these events occurred. For more information, see [Audit and receive notifications about important actions in your Azure subscription](../../azure-monitor/alerts/alerts-create-new-alert-rule.md). ### Additional steps for organizations managing access to other cloud apps via Azure AD |
active-directory | Configure Cmmc Level 1 Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-1-controls.md | The following table provides a list of practice statement and objectives, and Az | CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - |-| AC.L1-3.1.1<br><br>**Practice statement:** Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).<br><br>**Objectives:**<br>Determine if:<br>[a.] authorized users are identified;<br>[b.] processes acting on behalf of authorized users are identified;<br>[c.] devices (and other systems) authorized to connect to the system are identified;<br>[d.] system access is limited to authorized users;<br>[e.] system access is limited to processes acting on behalf of authorized users; and<br>[f.] system access is limited to authorized devices (including other systems). | You're responsible for setting up Azure AD accounts, which is accomplished from external HR systems, on-premises Active Directory, or directly in the cloud. You configure Conditional Access to only grant access from a known (Registered/Managed) device. In addition, apply the concept of least privilege when granting application permissions. Where possible, use delegated permission. <br><br>Set up users<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md) <li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<li>[Add or delete users ΓÇô Azure Active Directory](../fundamentals/add-users-azure-active-directory.md)<br><br>Set up devices<li>[What is device identity in Azure Active Directory](../devices/overview.md)<br><br>Configure applications<li>[QuickStart: Register an app in the Microsoft identity platform](../develop/quickstart-register-app.md)<li>[Microsoft identity platform scopes, permissions, & consent](../develop/v2-permissions-and-consent.md)<li>[Securing service principals in Azure Active Directory](../fundamentals/service-accounts-principal.md)<br><br>Conditional Access<li>[What is Conditional Access in Azure Active Directory](../conditional-access/overview.md)<li>[Conditional Access require managed device](../conditional-access/require-managed-devices.md) | +| AC.L1-3.1.1<br><br>**Practice statement:** Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).<br><br>**Objectives:**<br>Determine if:<br>[a.] authorized users are identified;<br>[b.] processes acting on behalf of authorized users are identified;<br>[c.] devices (and other systems) authorized to connect to the system are identified;<br>[d.] system access is limited to authorized users;<br>[e.] system access is limited to processes acting on behalf of authorized users; and<br>[f.] system access is limited to authorized devices (including other systems). | You're responsible for setting up Azure AD accounts, which is accomplished from external HR systems, on-premises Active Directory, or directly in the cloud. You configure Conditional Access to only grant access from a known (Registered/Managed) device. In addition, apply the concept of least privilege when granting application permissions. Where possible, use delegated permission. <br><br>Set up users<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md) <li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<li>[Add or delete users ΓÇô Azure Active Directory](../fundamentals/add-users.md)<br><br>Set up devices<li>[What is device identity in Azure Active Directory](../devices/overview.md)<br><br>Configure applications<li>[QuickStart: Register an app in the Microsoft identity platform](../develop/quickstart-register-app.md)<li>[Microsoft identity platform scopes, permissions, & consent](../develop/permissions-consent-overview.md)<li>[Securing service principals in Azure Active Directory](../architecture/service-accounts-principal.md)<br><br>Conditional Access<li>[What is Conditional Access in Azure Active Directory](../conditional-access/overview.md)<li>[Conditional Access require managed device](../conditional-access/concept-conditional-access-grant.md) | | AC.L1-3.1.2<br><br>**Practice statement:** Limit information system access to the types of transactions and functions that authorized users are permitted to execute.<br><br>**Objectives:**<br>Determine if:<br>[a.] the types of transactions and functions that authorized users are permitted to execute are defined; and<br>[b.] system access is limited to the defined types of transactions and functions for authorized users. | You're responsible for configuring access controls such as Role Based Access Controls (RBAC) with built-in or custom roles. Use role assignable groups to manage role assignments for multiple users requiring same access. Configure Attribute Based Access Controls (ABAC) with default or custom security attributes. The objective is to granularly control access to resources protected with Azure AD.<br><br>Set up RBAC<li>[Overview of role-based access control in Active Directory](../roles/custom-overview.md)[Azure AD built-in roles](../roles/permissions-reference.md)<li>[Create and assign a custom role in Azure Active Directory](../roles/custom-create.md)<br><br>Set up ABAC<li>[What is Azure attribute-based access control (Azure ABAC)](../../role-based-access-control/conditions-overview.md)<li>[What are custom security attributes in Azure AD?](../fundamentals/custom-security-attributes-overview.md)<br><br>Configure groups for role assignment<li>[Use Azure AD groups to manage role assignments](../roles/groups-concept.md) |-| AC.L1-3.1.20<br><br>**Practice statement:** Verify and control/limit connections to and use of external information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] connections to external systems are identified;<br>[b.] the use of external systems is identified;<br>[c.] connections to external systems are verified;<br>[d.] the use of external systems is verified;<br>[e.] connections to external systems are controlled and or limited; and<br>[f.] the use of external systems is controlled and or limited. | You're responsible for configuring Conditional Access policies using device controls and or network locations to control and or limit connections and use of external systems. Configure Terms of Use (TOU) for recorded user acknowledgment of terms and conditions for use of external systems for access.<br><br>Set up Conditional Access as required<li>[What is Conditional Access?](../conditional-access/overview.md)<li>[Require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md)<li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<li>[Conditional Access: Filter for devices](../conditional-access/concept-condition-filters-for-devices.md)<br><br>Use Conditional Access to block access<li>[Conditional Access - Block access by location](../conditional-access/howto-conditional-access-policy-location.md)<br><br>Configure terms of use<li>[Terms of use](../conditional-access/terms-of-use.md)<li>[Conditional Access require terms of use](../conditional-access/require-tou.md) | +| AC.L1-3.1.20<br><br>**Practice statement:** Verify and control/limit connections to and use of external information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] connections to external systems are identified;<br>[b.] the use of external systems is identified;<br>[c.] connections to external systems are verified;<br>[d.] the use of external systems is verified;<br>[e.] connections to external systems are controlled and or limited; and<br>[f.] the use of external systems is controlled and or limited. | You're responsible for configuring Conditional Access policies using device controls and or network locations to control and or limit connections and use of external systems. Configure Terms of Use (TOU) for recorded user acknowledgment of terms and conditions for use of external systems for access.<br><br>Set up Conditional Access as required<li>[What is Conditional Access?](../conditional-access/overview.md)<li>[Require managed devices for cloud app access with Conditional Access](../conditional-access/concept-conditional-access-grant.md)<li>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<li>[Conditional Access: Filter for devices](../conditional-access/concept-condition-filters-for-devices.md)<br><br>Use Conditional Access to block access<li>[Conditional Access - Block access by location](../conditional-access/howto-conditional-access-policy-location.md)<br><br>Configure terms of use<li>[Terms of use](../conditional-access/terms-of-use.md)<li>[Conditional Access require terms of use](../conditional-access/require-tou.md) | | AC.L1-3.1.22<br><br>**Practice statement:** Control information posted or processed on publicly accessible information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] individuals authorized to post or process information on publicly accessible systems are identified;<br>[b.] procedures to ensure FCI isn't posted or processed on publicly accessible systems are identified;<br>[c.] a review process is in place prior to posting of any content to publicly accessible systems; and<br>[d.] content on publicly accessible systems is reviewed to ensure that it doesn't include federal contract information (FCI). | You're responsible for configuring Privileged Identity Management (PIM) to manage access to systems where posted information is publicly accessible. Require approvals with justification prior to role assignment in PIM. Configure Terms of Use (TOU) for systems where posted information is publicly accessible for recorded acknowledgment of terms and conditions for posting of publicly accessible information.<br><br>Plan PIM deployment<li>[What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<li>[Plan a Privileged Identity Management deployment](../privileged-identity-management/pim-deployment-plan.md)<br><br>Configure terms of use<li>[Terms of use](../conditional-access/terms-of-use.md)<li>[Conditional Access require terms of use](../conditional-access/require-tou.md)<li>[Configure Azure AD role settings in PIM - Require Justification](../privileged-identity-management/pim-how-to-change-default-settings.md) | ## Identification and Authentication (IA) domain The following table provides a list of practice statement and objectives, and Az | CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - | | IA.L1-3.5.1<br><br>**Practice statement:** Identify information system users, processes acting on behalf of users, or devices.<br><br>**Objectives:**<br>Determine if:<br>[a.] system users are identified;<br>[b.] processes acting on behalf of users are identified; and<br>[c.] devices accessing the system are identified. | Azure AD uniquely identifies users, processes (service principal/workload identities), and devices via the ID property on the respective directory objects. You can filter log files to help with your assessment using the following links. Use the following reference to meet assessment objectives.<br><br>Filtering logs by user properties<li>[User resource type: ID Property](/graph/api/resources/user?view=graph-rest-1.0&preserve-view=true)<br><br>Filtering logs by service properties<li>[ServicePrincipal resource type: ID Property](/graph/api/resources/serviceprincipal?view=graph-rest-1.0&preserve-view=true)<br><br>Filtering logs by device properties<li>[Device resource type: ID Property](/graph/api/resources/device?view=graph-rest-1.0&preserve-view=true) |-IA.L1-3.5.2<br><br>**Practice statement:** Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] the identity of each user is authenticated or verified as a prerequisite to system access;<br>[b.] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and<br>[c.] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | Azure AD uniquely authenticates or verifies each user, process acting on behalf of user, or device as a prerequisite to system access.
Use the following reference to meet assessment objectives.<br><br>Set up user accounts<li>[What is Azure Active Directory authentication?](../authentication/overview-authentication.md)<br><br>[Configure Azure Active Directory to meet NIST authenticator assurance levels](../standards/nist-overview.md)<br><br>Set up service principal accounts<li>[Service principal authentication](../fundamentals/service-accounts-principal.md)<br><br>Set up device accounts<li>[What is a device identity?](../devices/overview.md)<li>[How it works: Device registration](../devices/device-registration-how-it-works.md)<li>[What is a Primary Refresh Token?](../devices/concept-primary-refresh-token.md)<li>What does the PRT contain | +IA.L1-3.5.2<br><br>**Practice statement:** Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] the identity of each user is authenticated or verified as a prerequisite to system access;<br>[b.] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and<br>[c.] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | Azure AD uniquely authenticates or verifies each user, process acting on behalf of user, or device as a prerequisite to system access. 
Use the following reference to meet assessment objectives.<br><br>Set up user accounts<li>[What is Azure Active Directory authentication?](../authentication/overview-authentication.md)<br><br>[Configure Azure Active Directory to meet NIST authenticator assurance levels](../standards/nist-overview.md)<br><br>Set up service principal accounts<li>[Service principal authentication](../architecture/service-accounts-principal.md)<br><br>Set up device accounts<li>[What is a device identity?](../devices/overview.md)<li>[How it works: Device registration](../devices/device-registration-how-it-works.md)<li>[What is a Primary Refresh Token?](../devices/concept-primary-refresh-token.md)<li>What does the PRT contain | ## System and Information Integrity (SI) domain The following table provides a list of practice statement and objectives, and Az * [Configure Azure Active Directory for CMMC compliance](configure-for-cmmc-compliance.md) * [Configure CMMC Level 2 Access Control (AC) controls](configure-cmmc-level-2-access-control.md) * [Configure CMMC Level 2 Identification and Authentication (IA) controls](configure-cmmc-level-2-identification-and-authentication.md)-* [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md) +* [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md) |
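Review bot: in the AC.L1-3.1.20 `+` row, the list items "Require managed devices for cloud app access with Conditional Access" and "Require device to be marked as compliant" now both link ../conditional-access/concept-conditional-access-grant.md, so the reader gets two differently titled entries that open the same page; collapse them into one entry, or keep the first pointing at a how-to page. The IA.L1-3.5.2 hunk only moves service-accounts-principal.md from ../fundamentals/ to ../architecture/, and the closing Next steps hunk removes and re-adds the "Configure CMMC Level 2 additional controls" bullet with no visible difference, so that last change looks like whitespace only and could be dropped from the commit.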
active-directory | Configure Cmmc Level 2 Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-access-control.md | The following table provides a list of practice statement and objectives, and Az | AC.L2-3.1.6<br><br>**Practice statement:** Use non-privileged accounts or roles when accessing non security functions.<br><br>**Objectives:**<br>Determine if:<br>[a.] non security functions are identified; and <br>[b.] users are required to use non-privileged accounts or roles when accessing non security functions.<br><br>AC.L2-3.1.7<br><br>**Practice statement:** Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.<br><br>**Objectives:**<br>Determine if:<br>[a.] privileged functions are defined;<br>[b.] non-privileged users are defined;<br>[c.] non-privileged users are prevented from executing privileged functions; and<br>[d.] the execution of privileged functions is captured in audit logs. |Requirements in AC.L2-3.1.6 and AC.L2-3.1.7 complement each other. Require separate accounts for privilege and non-privileged use. Configure Privileged Identity Management (PIM) to bring just-in-time(JIT) privileged access and remove standing access. Configure role based Conditional Access policies to limit access to productivity application for privileged users. For highly privileged users, secure devices as part of the privileged access story. 
All privileged actions are captured in the Azure AD Audit logs.<br>[Securing privileged access overview](/security/compass/overview)<br>[Configure Azure AD role settings in PIM](../privileged-identity-management/pim-how-to-change-default-settings.md)<br>[Users and groups in Conditional Access policy](../conditional-access/concept-conditional-access-users-groups.md)<br>[Why are privileged access devices important](/security/compass/privileged-access-devices) | | AC.L2-3.1.8<br><br>**Practice statement:** Limit unsuccessful sign-on attempts.<br><br>**Objectives:**<br>Determine if:<br>[a.] the means of limiting unsuccessful sign-on attempts is defined; and<br>[b.] the defined means of limiting unsuccessful sign-on attempts is implemented. | Enable custom smart lock-out settings. Configure lock-out threshold and lock-out duration in seconds to implement these requirements.<br>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<br>[Manage Azure AD smart lockout values](../authentication/howto-password-smart-lockout.md) | | AC.L2-3.1.9<br><br>**Practice statement:** Provide privacy and security notices consistent with applicable CUI rules.<br><br>**Objectives:**<br>Determine if:<br>[a.] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and<br>[b.] privacy and security notices are displayed. | With Azure AD, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). 
You can also customize them per application via Conditional Access policies.<br><br>**Conditional Access** <br>[What is Conditional Access in Azure AD?](../conditional-access/overview.md)<br><br>**Terms of use**<br>[Azure Active Directory terms of use](../conditional-access/terms-of-use.md)<br>[View report of who has accepted and declined](../conditional-access/terms-of-use.md) |-| AC.L2-3.1.10<br><br>**Practice statement:** Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.<br><br>**Objectives:**<br>Determine if:<br>[a.] the period of inactivity after which the system initiates a session lock is defined;<br>[b.] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and<br>[c.] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | Implement device lock by using a Conditional Access policy to restrict access to compliant or hybrid Azure AD joined devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. 
For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<br>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<br><br>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)).| +| AC.L2-3.1.10<br><br>**Practice statement:** Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.<br><br>**Objectives:**<br>Determine if:<br>[a.] the period of inactivity after which the system initiates a session lock is defined;<br>[b.] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and<br>[c.] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. | Implement device lock by using a Conditional Access policy to restrict access to compliant or hybrid Azure AD joined devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Microsoft Intune, Configuration Manager, or group policy objects can also be considered in hybrid deployments. 
For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)<br>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<br><br>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)).| | AC.L2-3.1.11<br><br>**Practice statement:** Terminate (automatically) a user session after a defined condition.<br><br>**Objectives:**<br>Determine if:<br>[a.] conditions requiring a user session to terminate are defined; and<br>[b.] a user session is automatically terminated after any of the defined conditions occur. | Enable Continuous Access Evaluation (CAE) for all supported applications. For application that don't support CAE, or for conditions not applicable to CAE, implement policies in Microsoft Defender for Cloud Apps to automatically terminate sessions when conditions occur. Additionally, configure Azure Active Directory Identity Protection to evaluate user and sign-in Risk. Use Conditional Access with Identity protection to allow user to automatically remediate risk.<br>[Continuous access evaluation in Azure AD](../conditional-access/concept-continuous-access-evaluation.md)<br>[Control cloud app usage by creating policies](/defender-cloud-apps/control-cloud-apps-with-policies)<br>[What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md) |AC.L2-3.1.12<br><br>**Practice statement:** Monitor and control remote access sessions.<br><br>**Objectives:**<br>Determine if:<br>[a.] 
remote access sessions are permitted;<br>[b.] the types of permitted remote access are identified;<br>[c.] remote access sessions are controlled; and<br>[d.] remote access sessions are monitored. | In today's world, users access cloud-based applications almost exclusively remotely from unknown or untrusted networks. It's critical to securing this pattern of access to adopt zero trust principals. To meet these controls requirements in a modern cloud world we must verify each access request explicitly, implement least privilege and assume breach.<br><br>Configure named locations to delineate internal vs external networks. Configure Conditional Access app control to route access via Microsoft Defender for Cloud Apps. Configure Defender for Cloud Apps to control and monitor all sessions.<br>[Zero Trust Deployment Guide for Microsoft Azure Active Directory](https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/)<br>[Location condition in Azure Active Directory Conditional Access](../conditional-access/location-condition.md)<br>[Deploy Cloud App Security Conditional Access App Control for Azure AD apps](/cloud-app-security/proxy-deployment-aad)<br>[What is Microsoft Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security)<br>[Monitor alerts raised in Microsoft Defender for Cloud Apps](/cloud-app-security/monitor-alerts) | | AC.L2-3.1.13<br><br>**Practice statement:** Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.<br><br>**Objectives:**<br>Determine if:<br>[a.] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and<br>[b.] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. 
| All Azure AD customer-facing web services are secured with the Transport Layer Security (TLS) protocol and are implemented using FIPS-validated cryptography.<br>[Azure Active Directory Data Security Considerations (microsoft.com)](https://azure.microsoft.com/resources/azure-active-directory-data-security-considerations/) | |
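Review bot: the AC.L2-3.1.10 `+` row re-points "Require device to be marked as compliant" from require-managed-devices.md to concept-conditional-access-grant.md, which is already the target of the very next link ("Grant controls in Conditional Access policy - Require hybrid Azure AD joined device"), so the row now carries two links to one page under different titles; merge them or retitle the first to match the page it opens. Two style points in the unchanged context, since the row is being touched anyway: AC.L2-3.1.8 likewise lists two links ("Protect user accounts from attacks with Azure Active Directory smart lockout" and "Manage Azure AD smart lockout values") to the single howto-password-smart-lockout.md page, and the AC.L2-3.1.12 guidance reads "zero trust principals" where "principles" is meant.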
active-directory | Configure Cmmc Level 2 Additional Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-additional-controls.md | The following table provides a list of practice statement and objectives, and Az | CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - | | CM.L2-3.4.2<br><br>**Practice statement:** Establish and enforce security configuration settings for information technology products employed in organizational systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and<br>[b.] security configuration settings for information technology products employed in the system are enforced. | Adopt a zero-trust security posture. Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce security configuration settings on the device with MDM solutions such as Microsoft Intune. 
Microsoft Configuration Manager or group policy objects can also be considered in hybrid deployments and combined with Conditional Access require hybrid Azure AD joined device.<br><br>**Zero-trust**<br>[Securing identity with Zero Trust](/security/zero-trust/identity)<br><br>**Conditional Access**<br>[What is Conditional Access in Azure AD?](../conditional-access/overview.md)<br>[Grant controls in Conditional Access policy](../conditional-access/concept-conditional-access-grant.md)<br><br>**Device policies**<br>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br>[What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security)<br>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<br>[Microsoft endpoint management solutions](/mem/endpoint-manager-overview) |-| CM.L2-3.4.5<br><br>**Practice statement:** Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] physical access restrictions associated with changes to the system are defined;<br>[b.] physical access restrictions associated with changes to the system are documented;<br>[c.] physical access restrictions associated with changes to the system are approved;<br>[d.] physical access restrictions associated with changes to the system are enforced;<br>[e.] logical access restrictions associated with changes to the system are defined;<br>[f.] logical access restrictions associated with changes to the system are documented;<br>[g.] logical access restrictions associated with changes to the system are approved; and<br>[h.] logical access restrictions associated with changes to the system are enforced. | Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Customers don't have physical access to the Azure AD datacenters. 
As such, each physical access restriction is satisfied by Microsoft and inherited by the customers of Azure AD. Implement Azure AD role based access controls. Eliminate standing privileged access, provide just in time access with approval workflows with Privileged Identity Management.<br>[Overview of Azure Active Directory role-based access control (RBAC)](../roles/custom-overview.md)<br>[What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br>[Approve or deny requests for Azure AD roles in PIM](../privileged-identity-management/azure-ad-pim-approval-workflow.md) | -| CM.L2-3.4.6<br><br>**Practice statement:** Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.<br><br>**Objectives:**<br>Determine if:<br>[a.] essential system capabilities are defined based on the principle of least functionality; and<br>[b.] the system is configured to provide only the defined essential capabilities. | Configure device management solutions (Such as Microsoft Intune) to implement a custom security baseline applied to organizational systems to remove non-essential applications and disable unnecessary services. Leave only the fewest capabilities necessary for the systems to operate effectively. Configure Conditional Access to restrict access to compliant or hybrid Azure AD joined devices. <br>[What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)<br>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md) | -| CM.L2-3.4.7<br><br>**Practice statement:** Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.<br><br>**Objectives:**<br>Determine if:<br>[a.]essential programs are defined;<br>[b.] 
the use of nonessential programs is defined;<br>[c.] the use of nonessential programs is restricted, disabled, or prevented as defined;<br>[d.] essential functions are defined;<br>[e.] the use of nonessential functions is defined;<br>[f.] the use of nonessential functions is restricted, disabled, or prevented as defined;<br>[g.] essential ports are defined;<br>[h.] the use of nonessential ports is defined;<br>[i.] the use of nonessential ports is restricted, disabled, or prevented as defined;<br>[j.] essential protocols are defined;<br>[k.] the use of nonessential protocols is defined;<br>[l.] the use of nonessential protocols is restricted, disabled, or prevented as defined;<br>[m.] essential services are defined;<br>[n.] the use of nonessential services is defined; and<br>[o.] the use of nonessential services is restricted, disabled, or prevented as defined. | Use Application Administrator role to delegate authorized use of essential applications. Use App Roles or group claims to manage least privilege access within application. Configure user consent to require admin approval and don't allow group owner consent. Configure Admin consent request workflows to enable users to request access to applications that require admin consent. Use Microsoft Defender for Cloud Apps to identify unsanctioned/unknown application use. Use this telemetry to then determine essential/non-essential apps.<br>[Azure AD built-in roles - Application Administrator](../roles/permissions-reference.md)<br>[Azure AD App Roles - App Roles vs. 
Groups ](../develop/howto-add-app-roles-in-azure-ad-apps.md)<br>[Configure how users consent to applications](../manage-apps/configure-user-consent.md?tabs=azure-portal.md)<br>[Configure group owner consent to apps accessing group data](../manage-apps/configure-user-consent-groups.md?tabs=azure-portal.md)<br>[Configure the admin consent workflow](../manage-apps/configure-admin-consent-workflow.md)<br>[What is Defender for Cloud Apps?](/defender-cloud-apps/what-is-defender-for-cloud-apps)<br>[Discover and manage Shadow IT tutorial](/defender-cloud-apps/tutorial-shadow-it) | +| CM.L2-3.4.5<br><br>**Practice statement:** Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.<br><br>**Objectives:**<br>Determine if:<br>[a.] physical access restrictions associated with changes to the system are defined;<br>[b.] physical access restrictions associated with changes to the system are documented;<br>[c.] physical access restrictions associated with changes to the system are approved;<br>[d.] physical access restrictions associated with changes to the system are enforced;<br>[e.] logical access restrictions associated with changes to the system are defined;<br>[f.] logical access restrictions associated with changes to the system are documented;<br>[g.] logical access restrictions associated with changes to the system are approved; and<br>[h.] logical access restrictions associated with changes to the system are enforced. | Azure Active Directory (Azure AD) is a cloud-based identity and access management service. Customers don't have physical access to the Azure AD datacenters. As such, each physical access restriction is satisfied by Microsoft and inherited by the customers of Azure AD. Implement Azure AD role based access controls. 
Eliminate standing privileged access, provide just in time access with approval workflows with Privileged Identity Management.<br>[Overview of Azure Active Directory role-based access control (RBAC)](../roles/custom-overview.md)<br>[What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br>[Approve or deny requests for Azure AD roles in PIM](../privileged-identity-management/pim-approval-workflow.md) | +| CM.L2-3.4.6<br><br>**Practice statement:** Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.<br><br>**Objectives:**<br>Determine if:<br>[a.] essential system capabilities are defined based on the principle of least functionality; and<br>[b.] the system is configured to provide only the defined essential capabilities. | Configure device management solutions (Such as Microsoft Intune) to implement a custom security baseline applied to organizational systems to remove non-essential applications and disable unnecessary services. Leave only the fewest capabilities necessary for the systems to operate effectively. Configure Conditional Access to restrict access to compliant or hybrid Azure AD joined devices. <br>[What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Grant controls in Conditional Access policy - Require hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md) | +| CM.L2-3.4.7<br><br>**Practice statement:** Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.<br><br>**Objectives:**<br>Determine if:<br>[a.]essential programs are defined;<br>[b.] the use of nonessential programs is defined;<br>[c.] the use of nonessential programs is restricted, disabled, or prevented as defined;<br>[d.] essential functions are defined;<br>[e.] 
the use of nonessential functions is defined;<br>[f.] the use of nonessential functions is restricted, disabled, or prevented as defined;<br>[g.] essential ports are defined;<br>[h.] the use of nonessential ports is defined;<br>[i.] the use of nonessential ports is restricted, disabled, or prevented as defined;<br>[j.] essential protocols are defined;<br>[k.] the use of nonessential protocols is defined;<br>[l.] the use of nonessential protocols is restricted, disabled, or prevented as defined;<br>[m.] essential services are defined;<br>[n.] the use of nonessential services is defined; and<br>[o.] the use of nonessential services is restricted, disabled, or prevented as defined. | Use Application Administrator role to delegate authorized use of essential applications. Use App Roles or group claims to manage least privilege access within application. Configure user consent to require admin approval and don't allow group owner consent. Configure Admin consent request workflows to enable users to request access to applications that require admin consent. Use Microsoft Defender for Cloud Apps to identify unsanctioned/unknown application use. Use this telemetry to then determine essential/non-essential apps.<br>[Azure AD built-in roles - Application Administrator](../roles/permissions-reference.md)<br>[Azure AD App Roles - App Roles vs. 
Groups ](../develop/howto-add-app-roles-in-apps.md)<br>[Configure how users consent to applications](../manage-apps/configure-user-consent.md?tabs=azure-portal.md)<br>[Configure group owner consent to apps accessing group data](../manage-apps/configure-user-consent-groups.md?tabs=azure-portal.md)<br>[Configure the admin consent workflow](../manage-apps/configure-admin-consent-workflow.md)<br>[What is Defender for Cloud Apps?](/defender-cloud-apps/what-is-defender-for-cloud-apps)<br>[Discover and manage Shadow IT tutorial](/defender-cloud-apps/tutorial-shadow-it) | | CM.L2-3.4.8<br><br>**Practice statement:** Apply deny-by-exception (blocklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software.<br><br>**Objectives:**<br>Determine if:<br>[a.] a policy specifying whether allowlist or blocklist is to be implemented is specified;<br>[b.] the software allowed to execute under allowlist or denied use under blocklist is specified; and<br>[c.] allowlist to allow the execution of authorized software or blocklist to prevent the use of unauthorized software is implemented as specified.<br><br>CM.L2-3.4.9<br><br>**Practice statement:** Control and monitor user-installed software.<br><br>**Objectives:**<br>Determine if:<br>[a.] a policy for controlling the installation of software by users is established;<br>[b.] installation of software by users is controlled based on the established policy; and<br>[c.] installation of software by users is monitored. | Configure MDM/configuration management policy to prevent the use of unauthorized software. 
Configure Conditional Access grant controls to require compliant or hybrid joined device to incorporate device compliance with MDM/configuration management policy into the Conditional Access authorization decision.<br>[What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)<br>[Conditional Access - Require compliant or hybrid joined devices](../conditional-access/howto-conditional-access-policy-compliant-device.md) | ## Incident Response (IR) The following table provides a list of practice statement and objectives, and Az | CMMC practice statement and objectives | Azure AD guidance and recommendations | | - | - |-| PS.L2-3.9.2<br><br>**Practice statement:** Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.<br><br>**Objectives:**<br>Determine if:<br>[a.] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;<br>[b.] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and<br>[c] the system is protected during and after personnel transfer actions. | Configure provisioning (including disablement upon termination) of accounts in Azure AD from external HR systems, on-premises Active Directory, or directly in the cloud. 
Terminate all system access by revoking existing sessions.<br><br>**Account provisioning**<br>[What is identity provisioning with Azure AD?](../cloud-sync/what-is-provisioning.md)<br>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br>[What is Azure AD Connect cloud sync?](../cloud-sync/what-is-cloud-sync.md)<br><br>**Revoke all associated authenticators**<br>[Revoke user access in an emergency in Azure Active Directory](../enterprise-users/users-revoke-access.md) | +| PS.L2-3.9.2<br><br>**Practice statement:** Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.<br><br>**Objectives:**<br>Determine if:<br>[a.] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;<br>[b.] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and<br>[c] the system is protected during and after personnel transfer actions. | Configure provisioning (including disablement upon termination) of accounts in Azure AD from external HR systems, on-premises Active Directory, or directly in the cloud. 
Terminate all system access by revoking existing sessions.<br><br>**Account provisioning**<br>[What is identity provisioning with Azure AD?](../hybrid/what-is-provisioning.md)<br>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<br>[What is Azure AD Connect cloud sync?](../hybrid/cloud-sync/what-is-cloud-sync.md)<br><br>**Revoke all associated authenticators**<br>[Revoke user access in an emergency in Azure Active Directory](../enterprise-users/users-revoke-access.md) | ## System and Communications Protection (SC) The following table provides a list of practice statement and objectives, and Az * [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md) * [Configure additional controls](configure-cmmc-level-2-additional-controls.md) * [Conditional Access require managed device - Require Hybrid Azure AD joined device](../conditional-access/concept-conditional-access-grant.md)-* [Conditional Access require managed device - Require device to be marked as compliant](../conditional-access/require-managed-devices.md) +* [Conditional Access require managed device - Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md) * [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune) * [Co-management for Windows 10 devices](/mem/configmgr/comanage/overview) |
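Review bot: in the CM.L2-3.4.7 `+` row the links "Configure how users consent to applications" and "Configure group owner consent to apps accessing group data" keep the query string ?tabs=azure-portal.md, where the .md suffix on a tab identifier reads like a typo for ?tabs=azure-portal; the row is already being rewritten to rename howto-add-app-roles-in-azure-ad-apps.md to howto-add-app-roles-in-apps.md, so fix the query strings in the same change. The CM.L2-3.4.5 and CM.L2-3.4.6 hunks also remove and re-add whole multi-line rows to change a single path each (azure-ad-pim-approval-workflow.md to pim-approval-workflow.md; require-managed-devices.md to concept-conditional-access-grant.md), and after the CM.L2-3.4.6 change both that row and the Next steps list at the end have "Require device to be marked as compliant" and "Require hybrid Azure AD joined device" resolving to concept-conditional-access-grant.md. The PS.L2-3.9.2 hunk only moves the three provisioning links under ../hybrid/ (what-is-provisioning.md, connect/how-to-connect-sync-whatis.md, cloud-sync/what-is-cloud-sync.md).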
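The rows AC.L2-3.1.10 (session lock), CM.L2-3.4.2, CM.L2-3.4.6 and CM.L2-3.4.8 all come down to one Conditional Access policy: require a compliant or hybrid Azure AD joined device, and for the session-lock case also a sign-in frequency. The following is an added example, not code from the Azure AD documentation: a small lint over a policy written in the JSON shape of the Microsoft Graph conditionalAccessPolicy resource, run against a draft policy and the corrected version. Both policies are constructed samples; the object ID in excludeUsers is a made-up placeholder for an emergency-access account, and treating that exclusion as required is the author's practice rather than something the page states.

```python
"""Lint a Conditional Access policy (Microsoft Graph conditionalAccessPolicy
JSON shape) for the device-based controls the CMMC rows above map to.
Added example; both policies below are constructed samples."""
from __future__ import annotations

# Grant controls that satisfy "compliant or hybrid Azure AD joined device".
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

# Constructed sample: a first draft. Report-only, scoped to one app and to
# browsers, requires MFA instead of a managed device, no sign-in frequency.
WEAK_POLICY = {
    "displayName": "CMMC device lock (draft)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["browser"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
    "sessionControls": None,
}

# Constructed sample: the same policy after the findings are addressed.
# The excluded ID is a made-up placeholder for an emergency-access account.
STRONG_POLICY = {
    "displayName": "CMMC device lock",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeUsers": ["00000000-0000-0000-0000-00000000beef"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["compliantDevice", "domainJoinedDevice"],
    },
    "sessionControls": {
        "signInFrequency": {"value": 12, "type": "hours", "isEnabled": True},
    },
}


def lint_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings: list[str] = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")

    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not target all users")
    if not users.get("excludeUsers"):
        findings.append("no emergency-access account is excluded")
    apps = cond.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        findings.append("policy does not cover all cloud apps")
    if cond.get("clientAppTypes") != ["all"]:
        findings.append("clientAppTypes does not cover all client types")

    grant = policy.get("grantControls") or {}
    device = set(grant.get("builtInControls") or []) & DEVICE_CONTROLS
    if not device:
        findings.append("neither compliantDevice nor domainJoinedDevice is required")
    elif len(device) == 2 and grant.get("operator") != "OR":
        # With AND a device must be hybrid joined *and* compliant, so a
        # compliant cloud-only (Azure AD joined) device would be blocked.
        findings.append(f"operator is {grant.get('operator')!r}; with both "
                        "device controls it must be 'OR'")

    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled") or sif.get("type") not in ("hours", "days"):
        findings.append("no sign-in frequency is configured")
    return findings


if __name__ == "__main__":
    for name, pol in (("draft", WEAK_POLICY), ("fixed", STRONG_POLICY)):
        print(name, lint_policy(pol) or "OK")
```

The same function can be pointed at the JSON returned by GET /identity/conditionalAccess/policies to audit the policies a tenant actually has, which is the evidence an assessor asks for under objective [b.] of each of these rows.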
active-directory | Configure Cmmc Level 2 Identification And Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-identification-and-authentication.md | The following table provides a list of practice statement and objectives, and Az | IA.L2-3.5.4<br><br>**Practice statement:** Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.<br><br>**Objectives:**<br>Determine if:<br>[a.] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. | All Azure AD Authentication methods at AAL2 and above are replay resistant.<br>[Achieve NIST authenticator assurance levels with Azure Active Directory](./nist-overview.md) | | IA.L2-3.5.5<br><br>**Practice statement:** Prevent reuse of identifiers for a defined period.<br><br>**Objectives:**<br>Determine if:<br>[a.] a period within which identifiers can't be reused is defined; and<br>[b.] reuse of identifiers is prevented within the defined period. | All user, group, device object globally unique identifiers (GUIDs) are guaranteed unique and non-reusable for the lifetime of the Azure AD tenant.<br>[user resource type - Microsoft Graph v1.0](/graph/api/resources/user?view=graph-rest-1.0&preserve-view=true)<br>[group resource type - Microsoft Graph v1.0](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true)<br>[device resource type - Microsoft Graph v1.0](/graph/api/resources/device?view=graph-rest-1.0&preserve-view=true) | | IA.L2-3.5.6<br><br>**Practice statement:** Disable identifiers after a defined period of inactivity.<br><br>**Objectives:**<br>Determine if:<br>[a.] a period of inactivity after which an identifier is disabled is defined; and<br>[b.] identifiers are disabled after the defined period of inactivity. | Implement account management automation with Microsoft Graph and Azure AD PowerShell. 
Use Microsoft Graph to monitor sign-in activity and Azure AD PowerShell to take action on accounts within the required time frame.<br><br>**Determine inactivity**<br>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<br><br>**Remove or disable accounts**<br>[Working with users in Microsoft Graph](/graph/api/resources/user)<br>[Get a user](/graph/api/user-get?tabs=http)<br>[Update user](/graph/api/user-update?tabs=http)<br>[Delete a user](/graph/api/user-delete?tabs=http)<br><br>**Work with devices in Microsoft Graph**<br>[Get device](/graph/api/device-get?tabs=http)<br>[Update device](/graph/api/device-update?tabs=http)<br>[Delete device](/graph/api/device-delete?tabs=http)<br><br>**[Use Azure AD PowerShell](/powershell/module/azuread/)**<br>[Get-AzureADUser](/powershell/module/azuread/get-azureaduser)<br>[Set-AzureADUser](/powershell/module/azuread/set-azureaduser)<br>[Get-AzureADDevice](/powershell/module/azuread/get-azureaddevice)<br>[Set-AzureADDevice](/powershell/module/azuread/set-azureaddevice) |-| IA.L2-3.5.7<br><br>**Practice statement:**<br><br>**Objectives:** Enforce a minimum password complexity and change of characters when new passwords are created.<br>Determine if:<br>[a.] password complexity requirements are defined;<br>[b.] password change of character requirements are defined;<br>[c.] minimum password complexity requirements as defined are enforced when new passwords are created; and<br>[d.] minimum password change of character requirements as defined are enforced when new passwords are created.<br><br>IA.L2-3.5.8<br><br>**Practice statement:** Prohibit password reuse for a specified number of generations.<br><br>**Objectives:**<br>Determine if:<br>[a.] the number of generations during which a password cannot be reused is specified; and<br>[b.] reuse of passwords is prohibited during the specified number of generations. 
| We **strongly encourage** passwordless strategies. This control is only applicable to password authenticators, so removing passwords as an available authenticator renders this control not applicable.<br><br>Per NIST SP 800-63 B Section 5.1.1: Maintain a list of commonly used, expected, or compromised passwords.<br><br>With Azure AD password protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.<br>For customers that require strict password character change, password reuse and complexity requirements use hybrid accounts configured with Password-Hash-Sync. This action ensures the passwords synchronized to Azure AD inherit the restrictions configured in Active Directory password policies. Further protect on-premises passwords by configuring on-premises Azure AD Password Protection for Active Directory Domain Services.<br>[NIST Special Publication 800-63 B](https://pages.nist.gov/800-63-3/sp800-63b.html)<br>[NIST Special Publication 800-53 Revision 5 (IA-5 - Control enhancement (1)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf)<br>[Eliminate bad passwords using Azure AD password protection](../authentication/concept-password-ban-bad.md)<br>[What is password hash synchronization with Azure AD?](../hybrid/whatis-phs.md) | -| IA.L2-3.5.9<br><br>**Practice statement:** Allow temporary password use for system logons with an immediate change to a permanent password.<br><br>**Objectives:**<br>Determine if:<br>[a.] an immediate change to a permanent password is required when a temporary password is used for system sign-on. 
| An Azure AD user initial password is a temporary single use password that once successfully used is immediately required to be changed to a permanent password. Microsoft strongly encourages the adoption of passwordless authentication methods. Users can bootstrap Passwordless authentication methods using Temporary Access Pass (TAP). TAP is a time and use limited passcode issued by an admin that satisfies strong authentication requirements. Use of passwordless authentication along with the time and use limited TAP completely eliminates the use of passwords (and their reuse).<br>[Add or delete users](../fundamentals/add-users-azure-active-directory.md)<br>[Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md)<br>[Passwordless authentication](../authentication/concept-authentication-passwordless.md) | +| IA.L2-3.5.7<br><br>**Practice statement:**<br><br>**Objectives:** Enforce a minimum password complexity and change of characters when new passwords are created.<br>Determine if:<br>[a.] password complexity requirements are defined;<br>[b.] password change of character requirements are defined;<br>[c.] minimum password complexity requirements as defined are enforced when new passwords are created; and<br>[d.] minimum password change of character requirements as defined are enforced when new passwords are created.<br><br>IA.L2-3.5.8<br><br>**Practice statement:** Prohibit password reuse for a specified number of generations.<br><br>**Objectives:**<br>Determine if:<br>[a.] the number of generations during which a password cannot be reused is specified; and<br>[b.] reuse of passwords is prohibited during the specified number of generations. | We **strongly encourage** passwordless strategies. 
This control is only applicable to password authenticators, so removing passwords as an available authenticator renders this control not applicable.<br><br>Per NIST SP 800-63 B Section 5.1.1: Maintain a list of commonly used, expected, or compromised passwords.<br><br>With Azure AD password protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.<br>For customers that require strict password character change, password reuse and complexity requirements use hybrid accounts configured with Password-Hash-Sync. This action ensures the passwords synchronized to Azure AD inherit the restrictions configured in Active Directory password policies. Further protect on-premises passwords by configuring on-premises Azure AD Password Protection for Active Directory Domain Services.<br>[NIST Special Publication 800-63 B](https://pages.nist.gov/800-63-3/sp800-63b.html)<br>[NIST Special Publication 800-53 Revision 5 (IA-5 - Control enhancement (1)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf)<br>[Eliminate bad passwords using Azure AD password protection](../authentication/concept-password-ban-bad.md)<br>[What is password hash synchronization with Azure AD?](../hybrid/connect/whatis-phs.md) | +| IA.L2-3.5.9<br><br>**Practice statement:** Allow temporary password use for system logons with an immediate change to a permanent password.<br><br>**Objectives:**<br>Determine if:<br>[a.] an immediate change to a permanent password is required when a temporary password is used for system sign-on. | An Azure AD user initial password is a temporary single use password that once successfully used is immediately required to be changed to a permanent password. 
Microsoft strongly encourages the adoption of passwordless authentication methods. Users can bootstrap Passwordless authentication methods using Temporary Access Pass (TAP). TAP is a time and use limited passcode issued by an admin that satisfies strong authentication requirements. Use of passwordless authentication along with the time and use limited TAP completely eliminates the use of passwords (and their reuse).<br>[Add or delete users](../fundamentals/add-users.md)<br>[Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md)<br>[Passwordless authentication](../authentication/concept-authentication-passwordless.md) | | IA.L2-3.5.10<br><br>**Practice statement:** Store and transmit only cryptographically protected passwords.<br><br>**Objectives:**<br>Determine if:<br>[a.] passwords are cryptographically protected in storage; and<br>[b.] passwords are cryptographically protected in transit. | **Secret Encryption at Rest**:<br>In addition to disk level encryption, when at rest, secrets stored in the directory are encrypted using the Distributed Key Manager(DKM). The encryption keys are stored in Azure AD core store and in turn are encrypted with a scale unit key. The key is stored in a container that is protected with directory ACLs, for highest privileged users and specific services. The symmetric key is typically rotated every six months. Access to the environment is further protected with operational controls and physical security.<br><br>**Encryption in Transit**:<br>To assure data security, Directory Data in Azure AD is signed and encrypted while in transit between data centers within a scale unit. 
The data is encrypted and unencrypted by the Azure AD core store tier, which resides inside secured server hosting areas of the associated Microsoft data centers.<br><br>Customer-facing web services are secured with the Transport Layer Security (TLS) protocol.<br>For more information, [download](https://azure.microsoft.com/resources/azure-active-directory-data-security-considerations/) *Data Protection Considerations - Data Security*. On page 15, there are more details.<br>[Demystifying Password Hash Sync (microsoft.com)](https://www.microsoft.com/security/blog/2019/05/30/demystifying-password-hash-sync/)<br>[Azure Active Directory Data Security Considerations](https://aka.ms/aaddatawhitepaper) | |IA.L2-3.5.11<br><br>**Practice statement:** Obscure feedback of authentication information.<br><br>**Objectives:**<br>Determine if:<br>[a.] authentication information is obscured during the authentication process. | By default, Azure AD obscures all authenticator feedback. | |
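Review bot: the rewritten IA.L2-3.5.7 cell in the `+` line still has the practice statement text sitting under the Objectives label with an empty practice statement, i.e. `**Practice statement:**<br><br>**Objectives:** Enforce a minimum password complexity and change of characters when new passwords are created.<br>Determine if:`; since this hunk rewrites the whole cell for the `../hybrid/connect/whatis-phs.md` path change, move that sentence up behind `**Practice statement:**` and put `<br><br>**Objectives:**<br>` in front of `Determine if:` so the cell matches the layout of the IA.L2-3.5.8 and IA.L2-3.5.9 cells in the same hunk. Two smaller items carried forward unchanged in the same `+` cell: the link text `[NIST Special Publication 800-53 Revision 5 (IA-5 - Control enhancement (1)]` is missing its closing parenthesis, and "Password-Hash-Sync" should be written as the product term "password hash sync" to match the linked page title. The two intended path changes (`whatis-phs.md` under `hybrid/connect/` and `add-users-azure-active-directory.md` to `add-users.md`) look correct and are the only substantive edits.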
active-directory | Fedramp Access Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-access-controls.md | Each row in the following table provides prescriptive guidance to help you devel | FedRAMP Control ID and description | Azure AD guidance and recommendations | | - | - |-| **AC-2 ACCOUNT MANAGEMENT**<p><p>**The Organization**<br>**(a.)** Identifies and selects the following types of information system accounts to support organizational missions/business functions: [*Assignment: organization-defined information system account types*];<p><p>**(b.)** Assigns account managers for information system accounts;<p><p>**(c.)** Establishes conditions for group and role membership;<p><p>**(d.)** Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;<p><p>**(e.)** Requires approvals by [*Assignment: organization-defined personnel or roles*] for requests to create information system accounts;<p><p>**(f.)** Creates, enables, modifies, disables, and removes information system accounts in accordance with [*Assignment: organization-defined procedures or conditions*];<p><p>**(g.)** Monitors the use of information system accounts;<p><p>**(h.)** Notifies account managers:<br>(1.) When accounts are no longer required;<br>(2.) When users are terminated or transferred; and<br>(3.) When individual information system usage or need-to-know changes;<p><p>**(i.)** Authorizes access to the information system based on:<br>(1.) A valid access authorization;<br>(2.) Intended system usage; and<br>(3.) 
Other attributes as required by the organization or associated missions/business functions;<p><p>**(j.)** Reviews accounts for compliance with account management requirements [*FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access*]; and<p><p>**(k.)** Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. 
Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md)<p>Monitor accounts<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Review accounts<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-create.md)<br><li>[Review access of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-review-access.md)<p>Resources<br><li>[Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md)<br><li>[Dynamic Groups in Azure AD](../enterprise-users/groups-create-rule.md)<p>                     <p> | -| **AC-2(1)**<br>The organization employs automated mechanisms to support the management of information system accounts.| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. 
For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md)<br><li>[What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md)<br><li>[SaaS app integration tutorials for use with Azure AD](../saas-apps/tutorial-list.md)<p>Monitor and audit<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)| +| **AC-2 ACCOUNT MANAGEMENT**<p><p>**The Organization**<br>**(a.)** Identifies and selects the following types of information system accounts to support organizational missions/business functions: [*Assignment: organization-defined information system account types*];<p><p>**(b.)** Assigns account managers for information system accounts;<p><p>**(c.)** Establishes conditions for group and role 
membership;<p><p>**(d.)** Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;<p><p>**(e.)** Requires approvals by [*Assignment: organization-defined personnel or roles*] for requests to create information system accounts;<p><p>**(f.)** Creates, enables, modifies, disables, and removes information system accounts in accordance with [*Assignment: organization-defined procedures or conditions*];<p><p>**(g.)** Monitors the use of information system accounts;<p><p>**(h.)** Notifies account managers:<br>(1.) When accounts are no longer required;<br>(2.) When users are terminated or transferred; and<br>(3.) When individual information system usage or need-to-know changes;<p><p>**(i.)** Authorizes access to the information system based on:<br>(1.) A valid access authorization;<br>(2.) Intended system usage; and<br>(3.) Other attributes as required by the organization or associated missions/business functions;<p><p>**(j.)** Reviews accounts for compliance with account management requirements [*FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access*]; and<p><p>**(k.)** Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Azure AD to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Azure AD audit logs. 
You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Azure AD entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<br><li>[Add or delete users using Azure Active Directory](../fundamentals/add-users.md)<p>Monitor accounts<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Review accounts<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-create.md)<br><li>[Review access of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-review-access.md)<p>Resources<br><li>[Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md)<br><li>[Dynamic Groups in Azure AD](../enterprise-users/groups-create-rule.md)<p>                     <p> | +| **AC-2(1)**<br>The organization employs automated mechanisms to support the management of information system accounts.| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of 
customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Azure AD to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Azure AD Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Azure Active Directory user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<br><li>[What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md)<br><li>[SaaS app integration tutorials for use with Azure AD](../saas-apps/tutorial-list.md)<p>Monitor and audit<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)| | **AC-2(2)**<br>The information system automatically [*FedRAMP Selection: disables*] temporary and emergency accounts after [*FedRAMP Assignment: 24 hours from last use*].<p><p>**AC-02(3)**<br>The information system automatically disables inactive accounts after [*FedRAMP Assignment: thirty-five (35) days for user 
accounts*].<p><p>**AC-2 (3) Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available. | **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.**<p>Implement account management automation with Microsoft Graph and Microsoft Graph PowerShell. Use Microsoft Graph to monitor sign-in activity and Microsoft Graph PowerShell to take action on accounts in the required time frame. <p>Determine inactivity<br><li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br><li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<p>Remove or disable accounts<br><li>[Working with users in Microsoft Graph](/graph/api/resources/users)<br><li>[Get a user](/graph/api/user-get?tabs=http)<br><li>[Update user](/graph/api/user-update?tabs=http)<br><li>[Delete a user](/graph/api/user-delete?tabs=http)<p>Work with devices in Microsoft Graph<br><li>[Get device](/graph/api/device-get?tabs=http)<br><li>[Update device](/graph/api/device-update?tabs=http)<br><li>[Delete device](/graph/api/device-delete?tabs=http)<p> See, [Microsoft Graph PowerShell documentation](/powershell/microsoftgraph)<br><li>[Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser)<br><li>[Update-MgUser](/powershell/module/microsoft.graph.users/update-mguser)<br><li>[Get-MgDevice](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdevice)<br><li>[Update-MgDevice](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdevice) | | **AC-2(4)**<br>The information system 
automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [*FedRAMP Assignment: organization and/or service provider system owner*]. | **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Microsoft Sentinel: Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<P>Notification<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |-| **AC-2(5)**<br>The organization requires that users log out when [*FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes*].<p><p>**AC-2 (5) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Should use a shorter timeframe than AC-12 | **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. 
For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional Access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). | -| **AC-2(7)**<p><p>**The organization:**<br>**(a.)** Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;<br>**(b)** Monitors privileged role assignments; and<br>**(c)** Takes [*FedRAMP Assignment: disables/revokes access within an organization-specified timeframe*] when privileged role assignments are no longer appropriate. | **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. 
You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) | -| **AC-2(11)**<br>The information system enforces [*Assignment: organization-defined circumstances and/or usage conditions*] for [*Assignment: organization-defined information system accounts*]. 
| **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create Conditional Access policies to enforce access control decisions across users and devices.<p>Conditional Access<br><li>[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[What is Conditional Access?](../conditional-access/overview.md) | +| **AC-2(5)**<br>The organization requires that users log out when [*FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes*].<p><p>**AC-2 (5) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Should use a shorter timeframe than AC-12 | **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional Access<br><li>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). 
| +| **AC-2(7)**<p><p>**The organization:**<br>**(a.)** Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;<br>**(b)** Monitors privileged role assignments; and<br>**(c)** Takes [*FedRAMP Assignment: disables/revokes access within an organization-specified timeframe*] when privileged role assignments are no longer appropriate. | **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Azure AD Privileged Identity Management with access reviews for privileged roles in Azure AD to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)<br><li>[View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Azure Active Directory](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Azure Active Directory logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) | +| **AC-2(11)**<br>The information system enforces 
[*Assignment: organization-defined circumstances and/or usage conditions*] for [*Assignment: organization-defined information system accounts*]. | **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create Conditional Access policies to enforce access control decisions across users and devices.<p>Conditional Access<br><li>[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[What is Conditional Access?](../conditional-access/overview.md) | | **AC-2(12)**<p><p>**The organization:**<br>**(a)** Monitors information system accounts for [*Assignment: organization-defined atypical use*]; and<br>**(b)** Reports atypical usage of information system accounts to [*FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization*].<p><p>**AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:**<br> Required for privileged accounts. | **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. 
You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Azure Active Directory Identity Protection notifications](../identity-protection/howto-identity-protection-configure-notifications.md)<p>Monitor accounts<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Audit activity reports in the Azure Active Directory portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Azure Active Directory data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |-| **AC-2(13)**<br>The organization disables accounts of users posing a significant risk in [*FedRAMP Assignment: one (1) hour*] of discovery of the risk.|**Disable customer-controlled accounts of users that pose a significant risk in one hour.**<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. 
Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<p>Conditional Access<br><li>[What is Conditional Access?](../conditional-access/overview.md)<br><li>[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json)<br><li>[Conditional Access: User risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Conditional Access: Sign-in risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Self-remediation with risk policy](../identity-protection/howto-identity-protection-remediate-unblock.md) | -| **AC-6(7)**<p><p>**The organization:**<br>**(a.)** Reviews [*FedRAMP Assignment: at a minimum, annually*] the privileges assigned to [*FedRAMP Assignment: all users with privileges*] to validate the need for such privileges; and<br>**(b.)** Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. | **Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.**<p>Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required. 
<p>Access reviews<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)<br><li>[Review access of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-review-access.md) | +| **AC-2(13)**<br>The organization disables accounts of users posing a significant risk in [*FedRAMP Assignment: one (1) hour*] of discovery of the risk.|**Disable customer-controlled accounts of users that pose a significant risk in one hour.**<p>In Azure AD Identity Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md)<p>Conditional Access<br><li>[What is Conditional Access?](../conditional-access/overview.md)<br><li>[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[Conditional Access: User risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Conditional Access: Sign-in risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Self-remediation with risk policy](../identity-protection/howto-identity-protection-remediate-unblock.md) | +| **AC-6(7)**<p><p>**The organization:**<br>**(a.)** Reviews [*FedRAMP Assignment: at a minimum, annually*] the privileges assigned to [*FedRAMP Assignment: all users with privileges*] to validate the 
need for such privileges; and<br>**(b.)** Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. | **Review and validate all users with privileged access every year. Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.**<p>Use Azure AD entitlement management with access reviews for privileged users to verify if privileged access is required. <p>Access reviews<br><li>[What is Azure AD entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)<br><li>[Review access of an access package in Azure AD entitlement management](../governance/entitlement-management-access-reviews-review-access.md) | | **AC-7 Unsuccessful Login Attempts**<p><p>**The organization:**<br>**(a.)** Enforces a limit of [*FedRAMP Assignment: not more than three (3)*] consecutive invalid logon attempts by a user during a [*FedRAMP Assignment: fifteen (15) minutes*]; and<br>**(b.)** Automatically [Selection: locks the account/node for a [*FedRAMP Assignment: minimum of three (3) hours or until unlocked by an administrator]; delays next logon prompt according to [Assignment: organization-defined delay algorithm*]] when the maximum number of unsuccessful attempts is exceeded. | **Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.**<p>Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. 
<p>Smart lockout<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<br><li>[Manage Azure AD smart lockout values](../authentication/howto-password-smart-lockout.md) | | **AC-8 System Use Notification**<p><p>**The information system:**<br>**(a.)** Displays to users [*Assignment: organization-defined system use notification message or banner (FedRAMP Assignment: see additional Requirements and Guidance)*] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:<br>(1.) Users are accessing a U.S. Government information system;<br>(2.) Information system usage may be monitored, recorded, and subject to audit;<br>(3.) Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and<br>(4.) Use of the information system indicates consent to monitoring and recording;<p><p>**(b.)** Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and<p><p>**(c.)** For publicly accessible systems:<br>(1.) Displays system use information [*Assignment: organization-defined conditions (FedRAMP Assignment: see additional Requirements and Guidance)*], before granting further access;<br>(2.) Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and<br>(3.) Includes a description of the authorized uses of the system.<p><p>**AC-8 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider shall determine elements of the cloud environment that require the System Use Notification control. 
The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB/AO.<br>**Requirement:** The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB/AO.<br>**Guidance:** If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided.<br>**Requirement:** If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB/AO. | **Display and require user acknowledgment of privacy and security notices before granting access to information systems.**<p>With Azure AD, you can deliver notification or banner messages for all apps that require and record acknowledgment before granting access. You can granularly target these terms of use policies to specific users (Member or Guest). 
You can also customize them per application via Conditional Access policies.<p>Terms of use<br><li>[Azure Active Directory terms of use](../conditional-access/terms-of-use.md)<br><li>[View report of who has accepted and declined](../conditional-access/terms-of-use.md) |-| **AC-10 Concurrent Session Control**<br>The information system limits the number of concurrent sessions for each [*Assignment: organization-defined account and/or account type*] to [*FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access*].|**Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.** <p>Currently, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session. <p>In addition, use the following compensating controls. <p>Use Conditional Access policies to restrict access to compliant devices. Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.<p> Use Privileged Identity Management to further restrict and control privileged accounts. 
<p> Configure smart account lockout for invalid sign-in attempts.<p>**Implementation guidance** <p>Zero trust<br><li> [Securing identity with Zero Trust](/security/zero-trust/identity)<br><li>[Continuous access evaluation in Azure AD](../conditional-access/concept-continuous-access-evaluation.md)<p>Conditional Access<br><li>[What is Conditional Access in Azure AD?](../conditional-access/overview.md)<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>Device policies<br><li>[Other smart card Group Policy settings and registry keys](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings)<br><li>[Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)<p>Resources<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<p>See AC-12 for more session reevaluation and risk mitigation guidance. | -| **AC-11 Session Lock**<br>**The information system:**<br>**(a)** Prevents further access to the system by initiating a session lock after [*FedRAMP Assignment: fifteen (15) minutes*] of inactivity or upon receiving a request from a user; and<br>**(b)** Retains the session lock until the user reestablishes access using established identification and authentication procedures.<p><p>**AC-11(1)**<br>The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. | **Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. 
Conceal previously visible information when a session lock is initiated.**<p> Implement device lock by using a Conditional Access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<p>Conditional Access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). | +| **AC-10 Concurrent Session Control**<br>The information system limits the number of concurrent sessions for each [*Assignment: organization-defined account and/or account type*] to [*FedRAMP Assignment: three (3) sessions for privileged access and two (2) sessions for non-privileged access*].|**Limit concurrent sessions to three sessions for privileged access and two for nonprivileged access.** <p>Currently, users connect from multiple devices, sometimes simultaneously. Limiting concurrent sessions leads to a degraded user experience and provides limited security value. A better approach to address the intent behind this control is to adopt a zero-trust security posture. Conditions are explicitly validated before a session is created and continually validated throughout the life of a session. <p>In addition, use the following compensating controls. <p>Use Conditional Access policies to restrict access to compliant devices. 
Configure policy settings on the device to enforce user sign-in restrictions at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments.<p> Use Privileged Identity Management to further restrict and control privileged accounts. <p> Configure smart account lockout for invalid sign-in attempts.<p>**Implementation guidance** <p>Zero trust<br><li> [Securing identity with Zero Trust](/security/zero-trust/identity)<br><li>[Continuous access evaluation in Azure AD](../conditional-access/concept-continuous-access-evaluation.md)<p>Conditional Access<br><li>[What is Conditional Access in Azure AD?](../conditional-access/overview.md)<br><li>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>Device policies<br><li>[Other smart card Group Policy settings and registry keys](/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings)<br><li>[Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)<p>Resources<br><li>[What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md)<p>See AC-12 for more session reevaluation and risk mitigation guidance. 
| +| **AC-11 Session Lock**<br>**The information system:**<br>**(a)** Prevents further access to the system by initiating a session lock after [*FedRAMP Assignment: fifteen (15) minutes*] of inactivity or upon receiving a request from a user; and<br>**(b)** Retains the session lock until the user reestablishes access using established identification and authentication procedures.<p><p>**AC-11(1)**<br>The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. | **Implement a session lock after a 15-minute period of inactivity or upon receiving a request from a user. Retain the session lock until the user reauthenticates. Conceal previously visible information when a session lock is initiated.**<p> Implement device lock by using a Conditional Access policy to restrict access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with MDM solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<p>Conditional Access<br><li>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). 
| | **AC-12 Session Termination**<br>The information system automatically terminates a user session after [*Assignment: organization-defined conditions or trigger events requiring session disconnect*].| **Automatically terminate user sessions when organizational defined conditions or trigger events occur.**<p>Implement automatic user session reevaluation with Azure AD features such as risk-based Conditional Access and continuous access evaluation. You can implement inactivity conditions at a device level as described in AC-11.<p>Resources<br><li>[Sign-in risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md)<br><li>[User risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md) | **AC-12(1)**<br>**The information system:**<br>**(a.)** Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and<br>**(b.)** Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.<p><p>**AC-8 Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Testing for logout functionality (OTG-SESS-006) [Testing for logout functionality](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality) | **Provide a logout capability for all sessions and display an explicit logout message.** <p>All Azure AD surfaced web interfaces provide a logout capability for user-initiated communications sessions. When SAML applications are integrated with Azure AD, implement single sign-out. <p>Logout capability<br><li>When the user selects [Sign-out everywhere](https://aka.ms/mysignins), all current issued tokens are revoked. 
<p>Display message<br>Azure AD automatically displays a message after user-initiated logout.<br><p>![Screenshot that shows an access control message.](medi) |-| **AC-20 Use of External Information Systems**<br>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:<br>**(a.)** Access the information system from external information systems; and<br>**(b.)** Process, store, or transmit organization-controlled information using external information systems.<p><p>**AC-20(1)**<br>The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:<br>**(a.)** Verifies the implementation of required security controls on the external system as specified in the organizationΓÇÖs information security policy and security plan; or<br>**(b.)** Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. | **Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.**<p>Require terms of use acceptance for authorized users who access resources from external systems. Implement Conditional Access policies to restrict access from external systems. Conditional Access policies might be integrated with Defender for Cloud Apps to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. 
You can use app management on organization-owned devices and personal devices.<P>Terms and conditions<br><li>[Terms of use: Azure Active Directory](../conditional-access/terms-of-use.md)<p>Conditional Access<br><li>[Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br><li>[Conditions in Conditional Access policy: Device state (preview)](../conditional-access/concept-conditional-access-conditions.md)<br><li>[Protect with Microsoft Defender for Cloud Apps Conditional Access App Control](/cloud-app-security/proxy-intro-aad)<br><li>[Location condition in Azure Active Directory Conditional Access](../conditional-access/location-condition.md)<p>MDM<br><li>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br><li>[What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security)<br><li>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<p>Resource<br><li>[Integrate on-premises apps with Defender for Cloud Apps](../app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security.md) | +| **AC-20 Use of External Information Systems**<br>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:<br>**(a.)** Access the information system from external information systems; and<br>**(b.)** Process, store, or transmit organization-controlled information using external information systems.<p><p>**AC-20(1)**<br>The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:<br>**(a.)** Verifies the implementation of required security controls on the external system as specified in the organizationΓÇÖs information security policy and security 
plan; or<br>**(b.)** Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. | **Establish terms and conditions that allow authorized individuals to access the customer-deployed resources from external information systems such as unmanaged devices and external networks.**<p>Require terms of use acceptance for authorized users who access resources from external systems. Implement Conditional Access policies to restrict access from external systems. Conditional Access policies might be integrated with Defender for Cloud Apps to provide controls for cloud and on-premises applications from external systems. Mobile application management in Intune can protect organization data at the application level, including custom apps and store apps, from managed devices that interact with external systems. An example would be accessing cloud services. You can use app management on organization-owned devices and personal devices.<P>Terms and conditions<br><li>[Terms of use: Azure Active Directory](../conditional-access/terms-of-use.md)<p>Conditional Access<br><li>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br><li>[Conditions in Conditional Access policy: Device state (preview)](../conditional-access/concept-conditional-access-conditions.md)<br><li>[Protect with Microsoft Defender for Cloud Apps Conditional Access App Control](/cloud-app-security/proxy-intro-aad)<br><li>[Location condition in Azure Active Directory Conditional Access](../conditional-access/location-condition.md)<p>MDM<br><li>[What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)<br><li>[What is Defender for Cloud Apps?](/cloud-app-security/what-is-cloud-app-security)<br><li>[What is app management in Microsoft Intune?](/mem/intune/apps/app-management)<p>Resource<br><li>[Integrate on-premises apps with Defender for Cloud 
Apps](../app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security.md) | ## Next steps Each row in the following table provides prescriptive guidance to help you devel - [FedRAMP compliance overview](configure-for-fedramp-high-impact.md) - [Configure identification and authentication controls to meet FedRAMP High Impact level](fedramp-identification-and-authentication-controls.md) - [Configure additional controls to meet FedRAMP High Impact level](fedramp-other-controls.md)- |
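Review bot: In the AC-2(13) row, the "Conditional Access: Sign-in risk-based Conditional Access" link targets `../conditional-access/howto-conditional-access-policy-risk-user.md`, the same file as the user-risk link immediately before it, and the `+` line carries this over unchanged while only decoding the `bc=` query string. The AC-12 row on this same page links sign-in risk to `../conditional-access/howto-conditional-access-policy-risk.md`; use that target here so the two risk-policy links point at different articles.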
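Review bot: In the AC-12(1) cell the FedRAMP guidance block is headed `**AC-8 Additional FedRAMP Requirements and Guidance:**` although it sits under AC-12(1) and cites the OWASP logout test (OTG-SESS-006), so the heading appears to have been copied from the AC-8 row above; relabel it as AC-12(1) guidance. The image reference in the same cell, `![Screenshot that shows an access control message.](medi)`, has a truncated path and will render as a broken image; confirm the media path in the source before merging.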
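Review bot: Both the removed and the added AC-20(1)(a) lines spell the possessive as `organizationΓÇÖs`, which is the UTF-8 right single quotation mark (bytes E2 80 99) displayed through code page 437; because the `+` line re-emits the mojibake, the rendered control text keeps it. Replace it with a plain apostrophe in the `+` line while this hunk is being touched, and check the file is saved as UTF-8 so the same corruption does not come back.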
active-directory | Fedramp Identification And Authentication Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-identification-and-authentication-controls.md | Each row in the following table provides prescriptive guidance to help you devel | - | - | | **IA-2 User Identification and Authentication**<br>The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | **Uniquely identify and authenticate users or processes acting for users.**<p> Azure AD uniquely identifies user and service principal objects directly. Azure AD provides multiple authentication methods, and you can configure methods that adhere to National Institute of Standards and Technology (NIST) authentication assurance level (AAL) 3.<p>Identifiers <br> <li>Users: [Working with users in Microsoft Graph: ID property](/graph/api/resources/users)<br><li>Service principals: [ServicePrincipal resource type : ID property](/graph/api/resources/serviceprincipal)<p>Authentication and multifactor authentication<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) | | **IA-2(1)**<br>The information system implements multifactor authentication for network access to privileged accounts.<br><br>**IA-2(3)**<br>The information system implements multifactor authentication for local access to privileged accounts. 
| **Multifactor authentication for all access to privileged accounts.** <p>Configure the following elements for a complete solution to ensure all access to privileged accounts requires multifactor authentication.<p>Configure Conditional Access policies to require multifactor authentication for all users.<br> Implement Azure AD Privileged Identity Management to require multifactor authentication for activation of privileged role assignment prior to use.<p>With Privileged Identity Management activation requirement, privilege account activation isn't possible without network access, so local access is never privileged.<p>Multifactor authentication and Privileged Identity Management<br> <li>[Conditional Access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Configure Azure AD role settings in Privileged Identity Management](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new) |-| **IA-2(2)**<br>The information system implements multifactor authentication for network access to non-privileged accounts.<br><br>**IA-2(4)**<br>The information system implements multifactor authentication for local access to nonprivileged accounts. | **Implement multi-factor authentication for all access to nonprivileged accounts**<p>Configure the following elements as an overall solution to ensure all access to nonprivileged accounts requires MFA.<p> Configure Conditional Access policies to require MFA for all users.<br> Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to enforce use of specific authentication methods.<br> Configure Conditional Access policies to enforce device compliance.<p>Microsoft recommends using a multi-factor cryptographic hardware authenticator (for example, FIDO2 security keys, Windows Hello for Business (with hardware TPM), or smart card) to achieve AAL3. 
If your organization is cloud-based, we recommend using FIDO2 security keys or Windows Hello for Business.<p>Windows Hello for Business hasn't been validated at the required FIPS 140 Security Level and as such federal customers would need to conduct risk assessment and evaluation before accepting it as AAL3. For more information regarding Windows Hello for Business FIPS 140 validation, see [Microsoft NIST AALs](nist-overview.md).<p>See the following guidance regarding MDM policies differ slightly based on authentication methods. <p>Smart Card / Windows Hello for Business<br> [Passwordless Strategy - Require Windows Hello for Business or smart card](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p> Hybrid Only<br> [Passwordless Strategy - Configure user accounts to disallow password authentication](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<p> Smart Card Only<br>[Create a Rule to Send an Authentication Method Claim](/windows-server/identity/ad-fs/operations/create-a-rule-to-send-an-authentication-method-claim)<br>[Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<p>FIDO2 Security Key<br> [Passwordless Strategy - Excluding the password credential provider](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/require-managed-devices.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p>Authentication Methods<br> [Azure Active Directory passwordless sign-in (preview) | FIDO2 security keys](../authentication/concept-authentication-passwordless.md)<br> 
[Passwordless security key sign-in Windows - Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-windows.md)<br> [ADFS: Certificate Authentication with Azure AD and Office 365](/archive/blogs/samueld/adfs-certauth-aad-o365)<br> [How Smart Card Sign-in Works in Windows (Windows 10)](/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows)<br> [Windows Hello for Business Overview (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-overview)<p>Additional Resources:<br> [Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-configuration-service-provider)<br>[Plan a passwordless authentication deployment with Azure AD](../authentication/howto-authentication-passwordless-deployment.md)<br> | +| **IA-2(2)**<br>The information system implements multifactor authentication for network access to non-privileged accounts.<br><br>**IA-2(4)**<br>The information system implements multifactor authentication for local access to nonprivileged accounts. | **Implement multi-factor authentication for all access to nonprivileged accounts**<p>Configure the following elements as an overall solution to ensure all access to nonprivileged accounts requires MFA.<p> Configure Conditional Access policies to require MFA for all users.<br> Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to enforce use of specific authentication methods.<br> Configure Conditional Access policies to enforce device compliance.<p>Microsoft recommends using a multi-factor cryptographic hardware authenticator (for example, FIDO2 security keys, Windows Hello for Business (with hardware TPM), or smart card) to achieve AAL3. 
If your organization is cloud-based, we recommend using FIDO2 security keys or Windows Hello for Business.<p>Windows Hello for Business hasn't been validated at the required FIPS 140 Security Level and as such federal customers would need to conduct risk assessment and evaluation before accepting it as AAL3. For more information regarding Windows Hello for Business FIPS 140 validation, see [Microsoft NIST AALs](nist-overview.md).<p>See the following guidance regarding MDM policies differ slightly based on authentication methods. <p>Smart Card / Windows Hello for Business<br> [Passwordless Strategy - Require Windows Hello for Business or smart card](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p> Hybrid Only<br> [Passwordless Strategy - Configure user accounts to disallow password authentication](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<p> Smart Card Only<br>[Create a Rule to Send an Authentication Method Claim](/windows-server/identity/ad-fs/operations/create-a-rule-to-send-an-authentication-method-claim)<br>[Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<p>FIDO2 Security Key<br> [Passwordless Strategy - Excluding the password credential provider](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p>Authentication Methods<br> [Azure Active Directory passwordless sign-in (preview) | FIDO2 security 
keys](../authentication/concept-authentication-passwordless.md)<br> [Passwordless security key sign-in Windows - Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-windows.md)<br> [ADFS: Certificate Authentication with Azure AD and Office 365](/archive/blogs/samueld/adfs-certauth-aad-o365)<br> [How Smart Card Sign-in Works in Windows (Windows 10)](/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows)<br> [Windows Hello for Business Overview (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-overview)<p>Additional Resources:<br> [Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-configuration-service-provider)<br>[Plan a passwordless authentication deployment with Azure AD](../authentication/howto-authentication-passwordless-deployment.md)<br> | | **IA-2(5)**<br>The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. | **When multiple users have access to a shared or group account password, require each user to first authenticate by using an individual authenticator.**<p>Use an individual account per user. If a shared account is required, Azure AD permits binding of multiple authenticators to an account so that each user has an individual authenticator. <p>Resources<br><li>[How it works: Azure AD multifactor authentication](../authentication/concept-mfa-howitworks.md)<br> <li>[Manage authentication methods for Azure AD multifactor authentication](../authentication/howto-mfa-userdevicesettings.md) | | **IA-2(8)**<br>The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. | **Implement replay-resistant authentication mechanisms for network access to privileged accounts.**<p>Configure Conditional Access policies to require multifactor authentication for all users. 
All Azure AD authentication methods at authentication assurance level 2 and 3 use either nonce or challenges and are resistant to replay attacks.<p>References<br> <li>[Conditional Access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) | | **IA-2(11)**<br>The information system implements multifactor authentication for remote access to privileged and nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [*FedRAMP Assignment: FIPS 140-2, NIAP* Certification, or NSA approval*].<br><br>*National Information Assurance Partnership (NIAP)<br>**Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** PIV = separate device. Refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. FIPS 140-2 means validated by the Cryptographic Module Validation Program (CMVP). | **Implement Azure AD multifactor authentication to access customer-deployed resources remotely so that one of the factors is provided by a device separate from the system gaining access where the device meets FIPS-140-2, NIAP certification, or NSA approval.**<p>See guidance for IA-02(1-4). 
Azure AD authentication methods to consider at AAL3 meeting the separate device requirements are:<p> FIDO2 security keys<br> <li>Windows Hello for Business with hardware TPM (TPM is recognized as a valid "something you have" factor by NIST 800-63B Section 5.1.7.1.)<br> <li>Smart card<p>References<br><li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<br> <li>[NIST 800-63B Section 5.1.7.1](https://pages.nist.gov/800-63-3/sp800-63b.html) |-| **IA-2(12)*<br>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.<br><br>**IA-2 (12) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Include Common Access Card (CAC), that is, the DoD technical implementation of PIV/FIPS 201/HSPD-12. | **Accept and verify personal identity verification (PIV) credentials. This control isn't applicable if the customer doesn't deploy PIV credentials.**<p>Configure federated authentication by using Active Directory Federation Services (AD FS) to accept PIV (certificate authentication) as both primary and multifactor authentication methods and issue the multifactor authentication (MultipleAuthN) claim when PIV is used. Configure the federated domain in Azure AD with setting **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` (recommended) or SupportsMfa to `$True` to direct multifactor authentication requests originating at Azure AD to AD FS. Alternatively, you can use PIV for sign-in on Windows devices and later use integrated Windows authentication along with seamless single sign-on. Windows Server and client verify certificates by default when used for authentication. 
<p>Resources<br><li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> <li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> <li>[Secure resources with Azure AD multifactor authentication and AD FS](../authentication/howto-mfa-adfs.md)<br><li>[New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration)<br> <li>[Azure AD Connect: Seamless single sign-on](../hybrid/how-to-connect-sso.md) | -| **IA-3 Device Identification and Authentication**<br>The information system uniquely identifies and authenticates [*Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network*] connection. | **Implement device identification and authentication prior to establishing a connection.**<p>Configure Azure AD to identify and authenticate Azure AD Registered, Azure AD Joined, and Azure AD Hybrid joined devices.<p> Resources<br><li>[What is a device identity?](../devices/overview.md)<br> <li>[Plan an Azure AD devices deployment](../devices/plan-device-deployment.md)<br><li>[Require managed devices for cloud app access with Conditional Access](../conditional-access/require-managed-devices.md) | +| **IA-2(12)*<br>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.<br><br>**IA-2 (12) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Include Common Access Card (CAC), that is, the DoD technical implementation of PIV/FIPS 201/HSPD-12. | **Accept and verify personal identity verification (PIV) credentials. 
This control isn't applicable if the customer doesn't deploy PIV credentials.**<p>Configure federated authentication by using Active Directory Federation Services (AD FS) to accept PIV (certificate authentication) as both primary and multifactor authentication methods and issue the multifactor authentication (MultipleAuthN) claim when PIV is used. Configure the federated domain in Azure AD with setting **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` (recommended) or SupportsMfa to `$True` to direct multifactor authentication requests originating at Azure AD to AD FS. Alternatively, you can use PIV for sign-in on Windows devices and later use integrated Windows authentication along with seamless single sign-on. Windows Server and client verify certificates by default when used for authentication. <p>Resources<br><li>[What is federation with Azure AD?](../hybrid/connect/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> <li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> <li>[Secure resources with Azure AD multifactor authentication and AD FS](../authentication/howto-mfa-adfs.md)<br><li>[New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration)<br> <li>[Azure AD Connect: Seamless single sign-on](../hybrid/connect/how-to-connect-sso.md) | +| **IA-3 Device Identification and Authentication**<br>The information system uniquely identifies and authenticates [*Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network*] connection. 
| **Implement device identification and authentication prior to establishing a connection.**<p>Configure Azure AD to identify and authenticate Azure AD Registered, Azure AD Joined, and Azure AD Hybrid joined devices.<p> Resources<br><li>[What is a device identity?](../devices/overview.md)<br> <li>[Plan an Azure AD devices deployment](../devices/plan-device-deployment.md)<br><li>[Require managed devices for cloud app access with Conditional Access](../conditional-access/concept-conditional-access-grant.md) | | **IA-04 Identifier Management**<br>The organization manages information system identifiers for users and devices by:<br>**(a.)** Receiving authorization from [*FedRAMP Assignment at a minimum, the ISSO (or similar role within the organization)*] to assign an individual, group, role, or device identifier;<br>**(b.)** Selecting an identifier that identifies an individual, group, role, or device;<br>**(c.)** Assigning the identifier to the intended individual, group, role, or device;<br>**(d.)** Preventing reuse of identifiers for [*FedRAMP Assignment: at least two (2) years*]; and<br>**(e.)** Disabling the identifier after [*FedRAMP Assignment: thirty-five (35) days (see requirements and guidance)*]<br>**IA-4e Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period of inactivity for device identifiers.<br>**Guidance:** For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP.<br><br>**IA-4(4)**<br>The organization manages individual identifiers by uniquely identifying each individual as [*FedRAMP Assignment: contractors; foreign nationals*]. | **Disable account identifiers after 35 days of inactivity and prevent their reuse for two years. 
Manage individual identifiers by uniquely identifying each individual (for example, contractors and foreign nationals).**<p>Assign and manage individual account identifiers and status in Azure AD in accordance with existing organizational policies defined in AC-02. Follow AC-02(3) to automatically disable user and device accounts after 35 days of inactivity. Ensure that organizational policy maintains all accounts that remain in the disabled state for at least two years. After this time, you can remove them. <p>Determine inactivity<br> <li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br> <li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<br> <li>[See AC-02 guidance](fedramp-access-controls.md) | | **IA-5 Authenticator Management**<br>The organization manages information system authenticators by:<br>**(a.)** Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;<br>**(b.)** Establishing initial authenticator content for authenticators defined by the organization;<br>**(c.)** Ensuring that authenticators have sufficient strength of mechanism for their intended use;<br>**(d.)** Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;<br>**(e.)** Changing default content of authenticators prior to information system installation;<br>**(f.)** Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;<br>**(g.)** Changing/refreshing authenticators [*Assignment: organization-defined time period by authenticator type*].<br>**(h.)** Protecting authenticator content from unauthorized disclosure and modification;<br>**(i.)** Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; 
and<br>**(j.)** Changing authenticators for group/role accounts when membership to those accounts changes.<br><br>**IA-5 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3 | **Configure and manage information system authenticators.**<p>Azure AD supports various authentication methods. You can use your existing organizational policies for management. See guidance for authenticator selection in IA-02(1-4). Enable users in combined registration for SSPR and Azure AD multifactor authentication and require users to register a minimum of two acceptable multifactor authentication methods to facilitate self-remediation. You can revoke user-configured authenticators at any time with the authentication methods API. <p>Authenticator strength/protecting authenticator content<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<p>Authentication methods and combined registration<br> <li>[What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md)<br> <li>[Combined registration for SSPR and Azure AD multifactor authentication](../authentication/concept-registration-mfa-sspr-combined.md)<p>Authenticator revokes<br> <li>[Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview) | | **IA-5(1)**<br>The information system, for password-based authentication:<br>**(a.)** Enforces minimum password complexity of [*Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type*];<br>**(b.)** Enforces at least the following number of changed characters when new passwords are created: [*FedRAMP Assignment: at 
least fifty percent (50%)*];<br>**(c.)** Stores and transmits only cryptographically protected passwords;<br>**(d.) Enforces password minimum and maximum lifetime restrictions of [*Assignment: organization- defined numbers for lifetime minimum, lifetime maximum*];<br>**(e.)** Prohibits password reuse for [*FedRAMP Assignment: twenty-four (24)*] generations; and<br>**(f.)** Allows the use of a temporary password for system logons with an immediate change to a permanent password.<br><br>**IA-5 (1) a and d Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** If password policies are compliant with NIST SP 800-63B Memorized Secret (Section 5.1.1) Guidance, the control may be considered compliant. | **Implement password-based authentication requirements.**<p>Per NIST SP 800-63B Section 5.1.1: Maintain a list of commonly used, expected, or compromised passwords.<p>With Azure AD password protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these banned password lists are checked to enforce the use of strong passwords.<p>We strongly encourage passwordless strategies. 
This control is only applicable to password authenticators, so removing passwords as an available authenticator renders this control not applicable.<p>NIST reference documents<br><li>[NIST Special Publication 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)<br><li>[NIST Special Publication 800-53 Revision 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - IA-5 - Control enhancement (1)<p>Resource<br><li>[Eliminate bad passwords using Azure AD password protection](../authentication/concept-password-ban-bad.md) |-| **IA-5(2)**<br>The information system, for PKI-based authentication:<br>**(a.)** Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;<br>**(b.)** Enforces authorized access to the corresponding private key;<br>**(c.)** Maps the authenticated identity to the account of the individual or group; and<br>**(d.)** Implements a local cache of revocation data to support path discovery and validation during inability to access revocation information via the network. | **Implement PKI-based authentication requirements.**<p>Federate Azure AD via AD FS to implement PKI-based authentication. By default, AD FS validates certificates, locally caches revocation data, and maps users to the authenticated identity in Active Directory. 
<p> Resources<br> <li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) | +| **IA-5(2)**<br>The information system, for PKI-based authentication:<br>**(a.)** Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;<br>**(b.)** Enforces authorized access to the corresponding private key;<br>**(c.)** Maps the authenticated identity to the account of the individual or group; and<br>**(d.)** Implements a local cache of revocation data to support path discovery and validation during inability to access revocation information via the network. | **Implement PKI-based authentication requirements.**<p>Federate Azure AD via AD FS to implement PKI-based authentication. By default, AD FS validates certificates, locally caches revocation data, and maps users to the authenticated identity in Active Directory. <p> Resources<br> <li>[What is federation with Azure AD?](../hybrid/connect/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) | | **IA-5(4)**<br>The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [*FedRAMP Assignment: complexity as identified in IA-5 (1) Control Enhancement (H) Part A*].<br><br>**IA-5(4) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** If automated mechanisms that enforce password authenticator strength at creation aren't used, automated mechanisms must be used to audit strength of created password authenticators. | **Employ automated tools to validate password strength requirements.** <p>Azure AD implements automated mechanisms that enforce password authenticator strength at creation. 
This automated mechanism can also be extended to enforce password authenticator strength for on-premises Active Directory. Revision 5 of NIST 800-53 has withdrawn IA-04(4) and incorporated the requirement into IA-5(1).<p>Resources<br> <li>[Eliminate bad passwords using Azure AD password protection](../authentication/concept-password-ban-bad.md)<br> <li>[Azure AD password protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md)<br><li>[NIST Special Publication 800-53 Revision 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - IA-5 - Control enhancement (4) | | **IA-5(6)**<br>The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access. | **Protect authenticators as defined in the FedRAMP High Impact level.**<p>For more information on how Azure AD protects authenticators, see [Azure AD data security considerations](https://aka.ms/aaddatawhitepaper). | | **IA-05(7)**<br>The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys. | **Ensure unencrypted static authenticators (for example, a password) aren't embedded in applications or access scripts or stored on function keys.**<p>Implement managed identities or service principal objects (configured with only a certificate).<p>Resources<br><li>[What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)<br><li>[Create an Azure AD app and service principal in the portal](../develop/howto-create-service-principal-portal.md) | Each row in the following table provides prescriptive guidance to help you devel | **IA-6 Authenticator Feedback**<br>The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. 
| **Obscure authentication feedback information during the authentication process.**<p>By default, Azure AD obscures all authenticator feedback.<p> | **IA-7 Cryptographic Module Authentication**<br>The information system implements mechanisms for authentication to a cryptographic module for requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. | **Implement mechanisms for authentication to a cryptographic module that meets applicable federal laws.**<p>The FedRAMP High Impact level requires the AAL3 authenticator. All authenticators supported by Azure AD at AAL3 provide mechanisms to authenticate operator access to the module as required. For example, in a Windows Hello for Business deployment with hardware TPM, configure the level of TPM owner authorization.<p> Resources<br><li>For more information, see IA-02 (2 and 4).<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) <br> <li>[TPM Group Policy settings](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings) | | **IA-8 Identification and Authentication (Non-Organizational Users)**<br>The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). 
| **The information system uniquely identifies and authenticates nonorganizational users (or processes acting for nonorganizational users).**<p>Azure AD uniquely identifies and authenticates non-organizational users homed in the organizations tenant or in external directories by using Federal Identity, Credential, and Access Management (FICAM)-approved protocols.<p>Resources<br><li>[What is B2B collaboration in Azure Active Directory?](../external-identities/what-is-b2b.md)<br> <li>[Direct federation with an identity provider for B2B](../external-identities/direct-federation.md)<br> <li>[Properties of a B2B guest user](../external-identities/user-properties.md) |-| **IA-8(1)**<br>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.<br><br>**IA-8(4)**<br>The information system conforms to FICAM-issued profiles. | **Accept and verify PIV credentials issued by other federal agencies. Conform to the profiles issued by the FICAM.**<p>Configure Azure AD to accept PIV credentials via federation (OIDC, SAML) or locally via integrated Windows authentication.<p>Resources<br> <li>[What is federation with Azure AD?](../hybrid/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br><li>[What is B2B collaboration in Azure Active Directory?](../external-identities/what-is-b2b.md)<br> <li>[Direct federation with an identity provider for B2B](../external-identities/direct-federation.md) | +| **IA-8(1)**<br>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.<br><br>**IA-8(4)**<br>The information system conforms to FICAM-issued profiles. | **Accept and verify PIV credentials issued by other federal agencies. 
Conform to the profiles issued by the FICAM.**<p>Configure Azure AD to accept PIV credentials via federation (OIDC, SAML) or locally via integrated Windows authentication.<p>Resources<br> <li>[What is federation with Azure AD?](../hybrid/connect/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br><li>[What is B2B collaboration in Azure Active Directory?](../external-identities/what-is-b2b.md)<br> <li>[Direct federation with an identity provider for B2B](../external-identities/direct-federation.md) | | **IA-8(2)**<br>The information system accepts only FICAM-approved third-party credentials. | **Accept only FICAM-approved credentials.**<p>Azure AD supports authenticators at NIST AALs 1, 2, and 3. Restrict the use of authenticators commensurate with the security category of the system being accessed. <p>Azure AD supports a wide variety of authentication methods.<p>Resources<br> <li>[What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md)<br> <li>[Azure AD authentication methods policy API overview](/graph/api/resources/authenticationmethodspolicies-overview)<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](https://azure.microsoft.com/resources/microsoft-nist/) | |
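Review bot: In the IA-2(2)/IA-2(4) hunk, the sentence "See the following guidance regarding MDM policies differ slightly based on authentication methods." is ungrammatical in both the removed and the added line; since the row is already being rewritten to repoint the two "Require device to be marked as compliant" links from `require-managed-devices.md` to `concept-conditional-access-grant.md`, suggest rewording it in the same change to "The following MDM policy guidance differs slightly depending on the authentication method." The retained link text "Require device to be marked as compliant" should also be checked against the new destination page, which by its file name is the Conditional Access grant-controls concept article rather than the managed-devices how-to.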
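Review bot: The added IA-2(12) line still carries the unbalanced bold marker `**IA-2(12)*` (opened with `**`, closed with a single `*`), which was also present in the removed line and renders the control name incorrectly in the first column; since this line is being touched to move `whatis-fed.md` and `how-to-connect-sso.md` under `../hybrid/connect/`, suggest correcting it to `**IA-2(12)**` in the same change.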
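Review bot: In the IA-3 hunk, the link text "Require managed devices for cloud app access with Conditional Access" still names the old target while the path moves from `require-managed-devices.md` to `concept-conditional-access-grant.md`; suggest updating the link text to match the destination page so readers are not sent to a concept page under a how-to title, and applying the same check to the two identical repoints in the IA-2(2) row.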
active-directory | Memo 22 09 Enterprise Wide Identity Management System | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-enterprise-wide-identity-management-system.md | Use Azure Active Directory (Azure AD) to implement recommendations from memorand ## Single sign-on requirements -The memo requires users sign in once and then access applications. With Microsoft single sign-on (SSO) users sign in once and then access cloud services and applications. See, [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md). +The memo requires users sign in once and then access applications. With Microsoft single sign-on (SSO) users sign in once and then access cloud services and applications. See, [Azure Active Directory Seamless single sign-on](../hybrid/connect/how-to-connect-sso.md). ## Integration across agencies For your application inventory, determine applications that use cloud-ready prot * LDAP * Basic authentication -Learn more [Azure AD integrations with authentication protocols](../fundamentals/auth-sync-overview.md +Learn more [Azure AD integrations with authentication protocols](../architecture/auth-sync-overview.md). #### Application and service discovery tools Microsoft offers the following tools to support application and service discover | Tool| Usage | | - | - |-|Usage Analytics for Active Directory Federation Services (AD FS)| Analyzes federated server authentication traffic. See, [Monitor AD FS using Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md)| +|Usage Analytics for Active Directory Federation Services (AD FS)| Analyzes federated server authentication traffic. See, [Monitor AD FS using Azure AD Connect Health](../hybrid/connect/how-to-connect-health-adfs.md)| | Microsoft Defender for Cloud Apps| Scans firewall logs to detect cloud apps, infrastructure as a service (IaaS) services, and platform as a service (PaaS) services. 
Integrate Defender for Cloud Apps with Defender for Endpoint to discovery data analyzed from Windows client devices. See, [Microsoft Defender for Cloud Apps overview](/defender-cloud-apps/what-is-defender-for-cloud-apps)| | Application Discovery worksheet| Document the current states of your applications. See, [Application Discovery worksheet](https://download.microsoft.com/download/2/8/3/283F995C-5169-43A0-B81D-B0ED539FB3DD/Application%20Discovery%20worksheet.xlsx)| For apps that use legacy authentication protocols: Learn more -* [Azure AD integrations with authentication protocols](../fundamentals/auth-sync-overview.md) +* [Azure AD integrations with authentication protocols](../architecture/auth-sync-overview.md) * [What is the Microsoft identity platform?](../develop/v2-overview.md) * [Secure hybrid access: Protect legacy apps with Azure AD](../manage-apps/secure-hybrid-access.md) |
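Review bot: the replacement line `+Learn more [Azure AD integrations with authentication protocols](../architecture/auth-sync-overview.md).` does more than repoint the path: the removed line had no closing parenthesis and no period, so this is also a rendering fix and the commit message should say so. While this table is open, the unchanged context sentence in the Microsoft Defender for Cloud Apps row, "Integrate Defender for Cloud Apps with Defender for Endpoint to discovery data analyzed from Windows client devices", is ungrammatical ("to discovery"); suggest "to include discovery data from Windows client devices".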
active-directory | Memo 22 09 Meet Identity Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-meet-identity-requirements.md | The pillars intersect with: Use the article series to build a plan to meet memo requirements. It assumes use of Microsoft 365 products and an Azure AD tenant. -Learn more: [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md). +Learn more: [Quickstart: Create a new tenant in Azure AD](../fundamentals/create-new-tenant.md). The article series instructions encompass agency investments in Microsoft technologies that align with the memo's identity-related actions. |
active-directory | Memo 22 09 Multi Factor Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-multi-factor-authentication.md | Federated identity providers (IdPs) such as Active Directory Federation Services Learn more: -* [Protecting Microsoft 365 from on-premises attacks](../fundamentals/protect-m365-from-on-premises-attacks.md) +* [Protecting Microsoft 365 from on-premises attacks](../architecture/protect-m365-from-on-premises-attacks.md) * [Deploying AD Federation Services in Azure](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs) * [Configuring AD FS for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) |
active-directory | Memo 22 09 Other Areas Zero Trust | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-other-areas-zero-trust.md | Document your processes for operating the Azure AD environment. Use Azure AD fea Learn more: -* [Azure AD governance operations reference guide](../fundamentals/ops-guide-govern.md) -* [Azure AD security operations guide](../fundamentals/security-operations-introduction.md) +* [Azure AD governance operations reference guide](../architecture/ops-guide-govern.md) +* [Azure AD security operations guide](../architecture/security-operations-introduction.md) * [What is Microsoft Entra Identity Governance?](../governance/identity-governance-overview.md) * [Meet authorization requirements of memorandum 22-09](memo-22-09-authorization.md). |
active-directory | Pci Dss Guidance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-dss-guidance.md | Where applications and resources use Azure AD for identity and access management Learn more -* [Introduction to delegated administration and isolated environments](../fundamentals/secure-introduction.md) +* [Introduction to delegated administration and isolated environments](../architecture/secure-introduction.md) * [How to use the Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) * [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md) * [What are access reviews?](../governance/access-reviews-overview.md) To configure Azure AD to comply with PCI-DSS, see the following articles. * [Requirement 10: Log and Monitor All Access to System Components and Cardholder Data](pci-requirement-10.md) * [Requirement 11: Test Security of Systems and Networks Regularly](pci-requirement-11.md) * [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)- |
active-directory | Pci Requirement 1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-1.md | -|**1.2.1** Configuration standards for NSC rulesets are: </br> Defined </br> Implemented </br> Maintained|Integrate access technologies such as VPN, remote desktop, and network access points with Azure AD for authentication and authorization, if the access technologies support modern authentication. Ensure NSC standards, which pertain to identity-related controls, include definition of Conditional Access policies, application assignment, access reviews, group management, credential policies, etc. [Azure AD operations reference guide](../fundamentals/ops-guide-intro.md)| +|**1.2.1** Configuration standards for NSC rulesets are: </br> Defined </br> Implemented </br> Maintained|Integrate access technologies such as VPN, remote desktop, and network access points with Azure AD for authentication and authorization, if the access technologies support modern authentication. Ensure NSC standards, which pertain to identity-related controls, include definition of Conditional Access policies, application assignment, access reviews, group management, credential policies, etc. [Azure AD operations reference guide](../architecture/ops-guide-intro.md)| |**1.2.2** All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1|Not applicable to Azure AD.| |**1.2.3** An accurate network diagram(s) is maintained that shows all connections between the cardholder data environment (CDE) and other networks, including any wireless networks.|Not applicable to Azure AD.| |**1.2.4** An accurate data-flow diagram(s) is maintained that meets the following: </br> Shows all account data flows across systems and networks. 
</br> Updated as needed upon changes to the environment.|Not applicable to Azure AD.| To configure Azure AD to comply with PCI-DSS, see the following articles. * [Requirement 10: Log and Monitor All Access to System Components and Cardholder Data](pci-requirement-10.md) * [Requirement 11: Test Security of Systems and Networks Regularly](pci-requirement-11.md) * [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)- |
active-directory | Pci Requirement 10 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-10.md | -|**10.7.2** Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: </br> Network security controls </br> IDS/IP </br> Change-detection mechanisms </br> Anti-malware solutions </br> Physical access controls </br> Logical access controls </br> Audit logging mechanisms </br> Segmentation controls (if used) </br> Audit log review mechanisms </br> Automated security testing tools (if used)|See, [Azure AD security operations guide](../fundamentals/security-operations-introduction.md) | -|**10.7.3** Failures of any critical security controls systems are responded to promptly, including but not limited to: </br> Restoring security functions. </br> Identifying and documenting the duration (date and time from start to end) of the security failure. </br> Identifying and documenting the cause(s) of failure and documenting required remediation. </br> Identifying and addressing any security issues that arose during the failure. </br> Determining whether further actions are required as a result of the security failure. </br> Implementing controls to prevent the cause of failure from reoccurring. 
</br> Resuming monitoring of security controls.|See, [Azure AD security operations guide](../fundamentals/security-operations-introduction.md)| +|**10.7.2** Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: </br> Network security controls </br> IDS/IP </br> Change-detection mechanisms </br> Anti-malware solutions </br> Physical access controls </br> Logical access controls </br> Audit logging mechanisms </br> Segmentation controls (if used) </br> Audit log review mechanisms </br> Automated security testing tools (if used)|See, [Azure AD security operations guide](../architecture/security-operations-introduction.md) | +|**10.7.3** Failures of any critical security controls systems are responded to promptly, including but not limited to: </br> Restoring security functions. </br> Identifying and documenting the duration (date and time from start to end) of the security failure. </br> Identifying and documenting the cause(s) of failure and documenting required remediation. </br> Identifying and addressing any security issues that arose during the failure. </br> Determining whether further actions are required as a result of the security failure. </br> Implementing controls to prevent the cause of failure from reoccurring. </br> Resuming monitoring of security controls.|See, [Azure AD security operations guide](../architecture/security-operations-introduction.md)| ## Next steps |
active-directory | Pci Requirement 11 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-11.md | -|**11.3.1** Internal vulnerability scans are performed as follows: </br> At least once every three months. </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are performed that confirm all high-risk and critical vulnerabilities (as noted) have been resolved. </br> Scan tool is kept up to date with latest vulnerability information. </br> Scans are performed by qualified personnel and organizational independence of the tester exists.|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Azure AD?](../hybrid/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. 
[AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../fundamentals/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| -|**11.3.1.1** All other applicable vulnerabilities (those not ranked as high-risk or critical per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: </br> Addressed based on the risk defined in the entityΓÇÖs targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. </br> Rescans are conducted as needed.|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Azure AD?](../hybrid/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. [AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../fundamentals/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| -|**11.3.1.2** Internal vulnerability scans are performed via authenticated scanning as follows: </br> Systems that are unable to accept credentials for authenticated scanning are documented. </br> Sufficient privileges are used for those systems that accept credentials for scanning. 
</br> If accounts used for authenticated scanning can be used for interactive login, they're managed in accordance with Requirement 8.2.2.|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Azure AD?](../hybrid/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. [AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../fundamentals/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| -|**11.3.1.3** Internal vulnerability scans are performed after any significant change as follows: </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are conducted as needed. </br> Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV)).|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. 
[What is federation with Azure AD?](../hybrid/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. [AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../fundamentals/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| +|**11.3.1** Internal vulnerability scans are performed as follows: </br> At least once every three months. </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are performed that confirm all high-risk and critical vulnerabilities (as noted) have been resolved. </br> Scan tool is kept up to date with latest vulnerability information. </br> Scans are performed by qualified personnel and organizational independence of the tester exists.|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Azure AD?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. 
[AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| +|**11.3.1.1** All other applicable vulnerabilities (those not ranked as high-risk or critical per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: </br> Addressed based on the risk defined in the entityΓÇÖs targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. </br> Rescans are conducted as needed.|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Azure AD?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. [AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| +|**11.3.1.2** Internal vulnerability scans are performed via authenticated scanning as follows: </br> Systems that are unable to accept credentials for authenticated scanning are documented. </br> Sufficient privileges are used for those systems that accept credentials for scanning. 
</br> If accounts used for authenticated scanning can be used for interactive login, they're managed in accordance with Requirement 8.2.2.|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Azure AD?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. [AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| +|**11.3.1.3** Internal vulnerability scans are performed after any significant change as follows: </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are conducted as needed. </br> Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV)).|Include servers that support Azure AD hybrid capabilities. For example, Azure AD Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. 
[What is federation with Azure AD?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Azure AD Identity Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Azure AD assessment tool regularly and address findings. [AzureAD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)| |**11.3.2** External vulnerability scans are performed as follows: </br> At least once every three months. </br> By a PCI SSC ASV. </br> Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met. </br> Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.|Not applicable to Azure AD.| |**11.3.2.1** External vulnerability scans are performed after any significant change as follows: </br> Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved. </br> Rescans are conducted as needed. </br> Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).|Not applicable to Azure AD.| |
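Review bot: the changed rows for 11.3.1, 11.3.1.1 and 11.3.1.3 carry the mojibake sequence `entityΓÇÖs` on both the - and + sides; if that byte sequence is in the markdown source rather than a display artifact of the diff view, replace it with a plain apostrophe (`entity's`) in the same commit, since only the link paths were meant to change. The guidance cell is also repeated verbatim across all four 11.3.1.x rows, so any wording fix has to be applied four times; in particular "Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation" uses "integrate" twice and would read better as "Send the signals to a SIEM solution to drive remediation workflows or automation".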
active-directory | Pci Requirement 2 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-2.md | -|**2.2.1** Configuration standards are developed, implemented, and maintained to: </br> Cover all system components. </br> Address all known security vulnerabilities.</br> Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. </br> Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. </br> Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.|See, [Azure AD security operations guide](../fundamentals/security-operations-introduction.md)| +|**2.2.1** Configuration standards are developed, implemented, and maintained to: </br> Cover all system components. </br> Address all known security vulnerabilities.</br> Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. </br> Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. </br> Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.|See, [Azure AD security operations guide](../architecture/security-operations-introduction.md)| |**2.2.2** Vendor default accounts are managed as follows: </br> If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6. 
</br> If the vendor default account(s) will not be used, the account is removed or disabled.|Not applicable to Azure AD.| |**2.2.3** Primary functions requiring different security levels are managed as follows: </br> Only one primary function exists on a system component, </br> OR </br> Primary functions with differing security levels that exist on the same system component are isolated from each other,</br> OR </br> Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need.|Learn about determining least-privileged roles. [Least privileged roles by task in Azure AD](../roles/delegate-by-task.md)|-|**2.2.4** Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.|Review Azure AD settings and disable unused features. [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md) </br> [Azure AD security operations guide](../fundamentals/security-operations-introduction.md)| -|**2.2.5** If any insecure services, protocols, or daemons are present: </br> Business justification is documented. </br> Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.|Review Azure AD settings and disable unused features. [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md) </br> [Azure AD security operations guide](../fundamentals/security-operations-introduction.md)| -|**2.2.6** System security parameters are configured to prevent misuse.|Review Azure AD settings and disable unused features. 
[Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md) </br> [Azure AD security operations guide](../fundamentals/security-operations-introduction.md)| +|**2.2.4** Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.|Review Azure AD settings and disable unused features. [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md) </br> [Azure AD security operations guide](../architecture/security-operations-introduction.md)| +|**2.2.5** If any insecure services, protocols, or daemons are present: </br> Business justification is documented. </br> Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.|Review Azure AD settings and disable unused features. [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md) </br> [Azure AD security operations guide](../architecture/security-operations-introduction.md)| +|**2.2.6** System security parameters are configured to prevent misuse.|Review Azure AD settings and disable unused features. [Five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md) </br> [Azure AD security operations guide](../architecture/security-operations-introduction.md)| |**2.2.7** All nonconsole administrative access is encrypted using strong cryptography.|Azure AD interfaces, such the management portal, Microsoft Graph, and PowerShell, are encrypted in transit using TLS. [Enable support for TLS 1.2 in your environment for Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor)| ## 2.3 Wireless environments are configured and managed securely. |
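Review bot: the unchanged context row for 2.2.7 reads "Azure AD interfaces, such the management portal, Microsoft Graph, and PowerShell"; since the neighbouring rows are being edited anyway, fix it to "such as the management portal". Minor: the changed 2.2.4, 2.2.5 and 2.2.6 rows repeat the identical guidance cell ("Review Azure AD settings and disable unused features." plus the same two links) three times, which is fine for a lookup table but means the path fix has to be kept in sync in all three places.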
active-directory | Pci Requirement 6 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-6.md | -|**6.5.3** Preproduction environments are separated from production environments and the separation is enforced with access controls.|Approaches to separate preproduction and production environments, based on organizational requirements. [Resource isolation in a single tenant](../fundamentals/secure-single-tenant.md) </br> [Resource isolation with multiple tenants](../fundamentals/secure-multiple-tenants.md)| +|**6.5.3** Preproduction environments are separated from production environments and the separation is enforced with access controls.|Approaches to separate preproduction and production environments, based on organizational requirements. [Resource isolation in a single tenant](../architecture/secure-single-tenant.md) </br> [Resource isolation with multiple tenants](../architecture/secure-multiple-tenants.md)| |**6.5.4** Roles and functions are separated between production and preproduction environments to provide accountability such that only reviewed and approved changes are deployed.|Learn about privileged roles and dedicated preproduction tenants. [Best practices for Azure AD roles](../roles/best-practices.md)| |**6.5.5** Live PANs aren't used in preproduction environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI-DSS requirements.|Not applicable to Azure AD.| |**6.5.6** Test data and test accounts are removed from system components before the system goes into production.|Not applicable to Azure AD.| |
active-directory | Pci Requirement 7 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-7.md | -|**7.1.2** Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.|Integrate access to CDE applications with Azure AD for authentication and authorization. </br> - Assign users roles to applications or with group membership </br> - Use Microsoft Graph to list application assignments </br> - Use Azure AD audit logs to track assignment changes. </br> [List appRoleAssignments granted to a user](/graph/api/user-list-approleassignments?view=graph-rest-1.0&tabs=http&preserve-view=true) </br> [Get-MgServicePrincipalAppRoleAssignedTo](/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignedto?view=graph-powershell-1.0&preserve-view=true) </br></br> **Privileged access** </br> Use Azure AD audit logs to track directory role assignments. Administrator roles relevant to this PCI requirement: </br> - Global </br> - Application </br> - Authentication </br> - Authentication Policy </br> - Hybrid Identity </br> To implement least privilege access, use Azure AD to create custom directory roles. </br> If you build portions of CDE in Azure, document privileged role assignments such as Owner, Contributor, user Access Administrator, etc., and subscription custom roles where CDE resources are deployed. </br> Microsoft recommends you enable Just-In-Time (JIT) access to roles using Privileged Identity Management (PIM). PIM enables JIT access to Azure AD security groups for scenarios when group membership represents privileged access to CDE applications or resources. 
[Azure AD built-in roles](../roles/permissions-reference.md) </br> [Azure AD Identity and access management operations reference guide](../fundamentals/active-directory-ops-guide-iam.md) </br> [Create and assign a custom role in Azure Active Directory](../roles/custom-create.md) </br> [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md) </br> [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md) </br> [Best practices for all isolation architectures]() </br> [PIM for Groups](../fundamentals/secure-best-practices.md)| +|**7.1.2** Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.|Integrate access to CDE applications with Azure AD for authentication and authorization. </br> - Assign users roles to applications or with group membership </br> - Use Microsoft Graph to list application assignments </br> - Use Azure AD audit logs to track assignment changes. </br> [List appRoleAssignments granted to a user](/graph/api/user-list-approleassignments?view=graph-rest-1.0&tabs=http&preserve-view=true) </br> [Get-MgServicePrincipalAppRoleAssignedTo](/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignedto?view=graph-powershell-1.0&preserve-view=true) </br></br> **Privileged access** </br> Use Azure AD audit logs to track directory role assignments. Administrator roles relevant to this PCI requirement: </br> - Global </br> - Application </br> - Authentication </br> - Authentication Policy </br> - Hybrid Identity </br> To implement least privilege access, use Azure AD to create custom directory roles. </br> If you build portions of CDE in Azure, document privileged role assignments such as Owner, Contributor, user Access Administrator, etc., and subscription custom roles where CDE resources are deployed. 
</br> Microsoft recommends you enable Just-In-Time (JIT) access to roles using Privileged Identity Management (PIM). PIM enables JIT access to Azure AD security groups for scenarios when group membership represents privileged access to CDE applications or resources. [Azure AD built-in roles](../roles/permissions-reference.md) </br> [Azure AD Identity and access management operations reference guide](../architecture/ops-guide-iam.md) </br> [Create and assign a custom role in Azure Active Directory](../roles/custom-create.md) </br> [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md) </br> [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md) </br> [Best practices for all isolation architectures]() </br> [PIM for Groups](../architecture/secure-best-practices.md)| ## 7.2 Access to system components and data is appropriately defined and assigned. -|**7.2.3** Required privileges are approved by authorized personnel.|Entitlement management supports approval workflows to grant access to resources, and periodic access reviews. [Approve or deny access requests in entitlement management](../governance/entitlement-management-request-approve.md) </br> [Review access of an access package in entitlement management](../governance/entitlement-management-access-reviews-review-access.md) </br> PIM supports approval workflows to activate Azure AD directory roles, and Azure roles, and cloud groups. [Approve or deny requests for Azure AD roles in PIM](../privileged-identity-management/azure-ad-pim-approval-workflow.md) </br> [Approve activation requests for group members and owners](../privileged-identity-management/groups-approval-workflow.md)| +|**7.2.3** Required privileges are approved by authorized personnel.|Entitlement management supports approval workflows to grant access to resources, and periodic access reviews. 
[Approve or deny access requests in entitlement management](../governance/entitlement-management-request-approve.md) </br> [Review access of an access package in entitlement management](../governance/entitlement-management-access-reviews-review-access.md) </br> PIM supports approval workflows to activate Azure AD directory roles, and Azure roles, and cloud groups. [Approve or deny requests for Azure AD roles in PIM](../privileged-identity-management/pim-approval-workflow.md) </br> [Approve activation requests for group members and owners](../privileged-identity-management/groups-approval-workflow.md)| |**7.2.4** All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: </br> At least once every six months. </br> To ensure user accounts and access remain appropriate based on job function. </br> Any inappropriate access is addressed. Management acknowledges that access remains appropriate.|If you grant access to applications using direct assignment or with group membership, configure Azure AD access reviews. If you grant access to applications using entitlement management, enable access reviews at the access package level. [Create an access review of an access package in entitlement management](../governance/entitlement-management-access-reviews-create.md) </br> Use Azure AD external identities for third-party and vendor accounts. You can perform access reviews targeting external identities, for instance third-party or vendor accounts. [Manage guest access with access reviews](../governance/manage-guest-access-with-access-reviews.md)| |**7.2.5** All application and system accounts and related access privileges are assigned and managed as follows: </br> Based on the least privileges necessary for the operability of the system or application. 
</br> Access is limited to the systems, applications, or processes that specifically require their use.|Use Azure AD to assign users to roles in applications directly or through group membership. </br> Organizations with standardized taxonomy implemented as attributes can automate access grants based on user job classification and function. Use Azure AD Groups with dynamic membership, and Azure AD entitlement management access packages with dynamic assignment policies. </br> Use entitlement management to define separation of duties to delineate least privilege. </br> PIM enables JIT access to Azure AD security groups for custom scenarios where group membership represents privileged access to CDE applications or resources. [Dynamic membership rules for groups in Azure AD](../enterprise-users/groups-dynamic-membership.md) </br> [Configure an automatic assignment policy for an access package in entitlement management](../governance/entitlement-management-access-package-auto-assignment-policy.md) </br> [Configure separation of duties for an access package in entitlement management](../governance/entitlement-management-access-package-incompatible.md) </br> [PIM for Groups](../privileged-identity-management/concept-pim-for-groups.md)|-|**7.2.5.1** All access by application and system accounts and related access privileges are reviewed as follows: </br> Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). </br> The application/system access remains appropriate for the function being performed. </br> Any inappropriate access is addressed. </br> Management acknowledges that access remains appropriate.|Best practices when reviewing service accounts permissions. 
[Governing Azure AD service accounts](../fundamentals/govern-service-accounts.md) </br> [Govern on-premises service accounts](../fundamentals/service-accounts-govern-on-premises.md)| -|**7.2.6** All user access to query repositories of stored cardholder data is restricted as follows: </br> Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. </br> Only the responsible administrator(s) can directly access or query repositories of stored card-holder data (CHD).|Modern applications enable programmatic methods that restrict access to data repositories.</br> Integrate applications with Azure AD using modern authentication protocols such as OAuth and OpenID connect (OIDC). [OAuth 2.0 and OIDC protocols on the Microsoft identity platform](../develop/active-directory-v2-protocols.md) </br> Define application-specific roles to model privileged and nonprivileged user access. Assign users or groups to roles. [Add app roles to your application and receive them in the token](../develop/howto-add-app-roles-in-azure-ad-apps.md) </br> For APIs exposed by your application, define OAuth scopes to enable user and administrator consent. [Scopes and permissions in the Microsoft identity platform](../develop/scopes-oidc.md) </br> Model privileged and non-privileged access to the repositories with the following approach and avoid direct repository access. If administrators and operators require access, grant it per the underlying platform. For instance, ARM IAM assignments in Azure, Access Control Lists (ACLs) windows, etc. </br> See architecture guidance that includes securing application platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) in Azure. 
[Azure Architecture Center](/azure/architecture/)| +|**7.2.5.1** All access by application and system accounts and related access privileges are reviewed as follows: </br> Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1). </br> The application/system access remains appropriate for the function being performed. </br> Any inappropriate access is addressed. </br> Management acknowledges that access remains appropriate.|Best practices when reviewing service accounts permissions. [Governing Azure AD service accounts](../architecture/govern-service-accounts.md) </br> [Govern on-premises service accounts](../architecture/service-accounts-govern-on-premises.md)| +|**7.2.6** All user access to query repositories of stored cardholder data is restricted as follows: </br> Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges. </br> Only the responsible administrator(s) can directly access or query repositories of stored card-holder data (CHD).|Modern applications enable programmatic methods that restrict access to data repositories.</br> Integrate applications with Azure AD using modern authentication protocols such as OAuth and OpenID connect (OIDC). [OAuth 2.0 and OIDC protocols on the Microsoft identity platform](../develop/v2-protocols.md) </br> Define application-specific roles to model privileged and nonprivileged user access. Assign users or groups to roles. [Add app roles to your application and receive them in the token](../develop/howto-add-app-roles-in-apps.md) </br> For APIs exposed by your application, define OAuth scopes to enable user and administrator consent. [Scopes and permissions in the Microsoft identity platform](../develop/scopes-oidc.md) </br> Model privileged and non-privileged access to the repositories with the following approach and avoid direct repository access. 
If administrators and operators require access, grant it per the underlying platform. For instance, ARM IAM assignments in Azure, Access Control Lists (ACLs) windows, etc. </br> See architecture guidance that includes securing application platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) in Azure. [Azure Architecture Center](/azure/architecture/)| ## 7.3 Access to system components and data is managed via an access control system(s). |
active-directory | Pci Requirement 8 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-8.md | -|**8.2.1** All users are assigned a unique ID before access to system components or cardholder data is allowed.|For CDE applications that rely on Azure AD, the unique user ID is the user principal name (UPN) attribute. [Azure AD UserPrincipalName population](../hybrid/plan-connect-userprincipalname.md)| +|**8.2.1** All users are assigned a unique ID before access to system components or cardholder data is allowed.|For CDE applications that rely on Azure AD, the unique user ID is the user principal name (UPN) attribute. [Azure AD UserPrincipalName population](../hybrid/connect/plan-connect-userprincipalname.md)| |**8.2.2** Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows: </br> Account use is prevented unless needed for an exceptional circumstance. </br> Use is limited to the time needed for the exceptional circumstance. </br> Business justification for use is documented. </br> Use is explicitly approved by management </br> Individual user identity is confirmed before access to an account is granted. </br> Every action taken is attributable to an individual user.|Ensure CDEs using Azure AD for application access have processes to prevent shared accounts. Create them as an exception that requires approval. </br> For CDE resources deployed in Azure, use Azure AD managed identities to represent the workload identity, instead of creating a shared service account. [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md) </br> If you can’t use managed identities and the resources accessed are using the OAuth protocol, use service principals to represent workload identities. Grant identities least privileged access through OAuth scopes. 
Administrators can restrict access and define approval workflows to create them. [What are workload identities?](../workload-identities/workload-identities-overview.md)|-|**8.2.3** *Additional requirement for service providers only*: Service providers with remote access to customer premises use unique authentication factors for each customer premises.|Azure AD has on-premises connectors to enable hybrid capabilities. Connectors are identifiable and use uniquely generated credentials. [Azure AD Connect sync: Understand and customize synchronization](../hybrid/how-to-connect-sync-whatis.md) </br> [Cloud sync deep dive](../cloud-sync/concept-how-it-works.md) </br> [Azure AD on-premises application provisioning architecture](../app-provisioning/on-premises-application-provisioning-architecture.md) </br> [Plan cloud HR application to Azure AD user provisioning](../app-provisioning/plan-cloud-hr-provision.md) </br> [Install the Azure AD Connect Health agents](../hybrid/how-to-connect-health-agent-install.md)| +|**8.2.3** *Additional requirement for service providers only*: Service providers with remote access to customer premises use unique authentication factors for each customer premises.|Azure AD has on-premises connectors to enable hybrid capabilities. Connectors are identifiable and use uniquely generated credentials. 
[Azure AD Connect sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md) </br> [Cloud sync deep dive](../hybrid/cloud-sync/concept-how-it-works.md) </br> [Azure AD on-premises application provisioning architecture](../app-provisioning/on-premises-application-provisioning-architecture.md) </br> [Plan cloud HR application to Azure AD user provisioning](../app-provisioning/plan-cloud-hr-provision.md) </br> [Install the Azure AD Connect Health agents](../hybrid/connect/how-to-connect-health-agent-install.md)| |**8.2.4** Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows: </br> Authorized with the appropriate approval. </br> Implemented with only the privileges specified on the documented approval.|Azure AD has automated user account provisioning from HR systems. Use this feature to create a lifecycle. [What is HR driven provisioning?](../app-provisioning/what-is-hr-driven-provisioning.md) </br> Azure AD has lifecycle workflows to enable customized logic for joiner, mover, and leaver processes. [What are Lifecycle Workflows?](../governance/what-are-lifecycle-workflows.md) </br> Azure AD has a programmatic interface to manage authentication methods with Microsoft Graph. Some authentication methods such as Windows Hello for Business and FIDO2 keys, require user intervention to register. [Get started with the Graph authentication methods API](/graph/authenticationmethods-get-started) </br> Administrators and/or automation generates the Temporary Access Pass credential using Graph API. Use this credential for passwordless onboarding. 
[Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md)| |**8.2.5** Access for terminated users is immediately revoked.|To revoke access to an account, disable on-premises accounts for hybrid accounts synchronized from Azure AD, disable accounts in Azure AD, and revoke tokens. [Revoke user access in Azure AD](../enterprise-users/users-revoke-access.md) </br> Use Continuous Access Evaluation (CAE) for compatible applications to have a two-way conversation with Azure AD. Apps can be notified of events, such as account termination and reject tokens. [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md)| |**8.2.6** Inactive user accounts are removed or disabled within 90 days of inactivity.|For hybrid accounts, administrators check activity in Active Directory and Azure AD every 90 days. For Azure AD, use Microsoft Graph to find the last sign-in date. [How to: Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)| For more information about Azure AD authentication methods that meet PCI require |PCI-DSS Defined approach requirements|Azure AD guidance and recommendations| |-|-|-|**8.6.1** If accounts used by systems or applications can be used for interactive login, they're managed as follows: </br> Interactive use is prevented unless needed for an exceptional circumstance. </br> Interactive use is limited to the time needed for the exceptional circumstance. </br> Business justification for interactive use is documented. </br> Interactive use is explicitly approved by management. </br> Individual user identity is confirmed before access to account is granted. 
</br> Every action taken is attributable to an individual user.|For CDE applications with modern authentication, and for CDE resources deployed in Azure that use modern authentication, Azure AD has two service account types for applications: Managed Identities and service principals. </br> Learn about Azure AD service account governance: planning, provisioning, lifecycle, monitoring, access reviews, etc. [Governing Azure AD service accounts](../fundamentals/govern-service-accounts.md) </br> To secure Azure AD service accounts. [Securing managed identities in Azure AD](../fundamentals/service-accounts-managed-identities.md) </br> [Securing service principals in Azure AD](../fundamentals/service-accounts-principal.md) </br> For CDEs with resources outside Azure that require access, configure workload identity federations without managing secrets or interactive sign in. [Workload identity federation](../develop/workload-identity-federation.md) </br> To enable approval and tracking processes to fulfill requirements, orchestrate workflows using IT Service Management (ITSM) and configuration management databases (CMDB) These tools use MS Graph API to interact with Azure AD and manage the service account. </br> For CDEs that require service accounts compatible with on-premises Active Directory, use Group Managed Service Accounts (GMSAs), and standalone managed service accounts (sMSA), computer accounts, or user accounts. [Securing on-premises service accounts](../fundamentals/service-accounts-on-premises.md)| +|**8.6.1** If accounts used by systems or applications can be used for interactive login, they're managed as follows: </br> Interactive use is prevented unless needed for an exceptional circumstance. </br> Interactive use is limited to the time needed for the exceptional circumstance. </br> Business justification for interactive use is documented. </br> Interactive use is explicitly approved by management. 
</br> Individual user identity is confirmed before access to account is granted. </br> Every action taken is attributable to an individual user.|For CDE applications with modern authentication, and for CDE resources deployed in Azure that use modern authentication, Azure AD has two service account types for applications: Managed Identities and service principals. </br> Learn about Azure AD service account governance: planning, provisioning, lifecycle, monitoring, access reviews, etc. [Governing Azure AD service accounts](../architecture/govern-service-accounts.md) </br> To secure Azure AD service accounts. [Securing managed identities in Azure AD](../architecture/service-accounts-managed-identities.md) </br> [Securing service principals in Azure AD](../architecture/service-accounts-principal.md) </br> For CDEs with resources outside Azure that require access, configure workload identity federations without managing secrets or interactive sign in. [Workload identity federation](../workload-identities/workload-identity-federation.md) </br> To enable approval and tracking processes to fulfill requirements, orchestrate workflows using IT Service Management (ITSM) and configuration management databases (CMDB) These tools use MS Graph API to interact with Azure AD and manage the service account. </br> For CDEs that require service accounts compatible with on-premises Active Directory, use Group Managed Service Accounts (GMSAs), and standalone managed service accounts (sMSA), computer accounts, or user accounts. [Securing on-premises service accounts](../architecture/service-accounts-on-premises.md)| |**8.6.2** Passwords/passphrases for any application and system accounts that can be used for interactive login aren't hard coded in scripts, configuration/property files, or bespoke and custom source code.|Use modern service accounts such as Azure Managed Identities and service principals that don’t require passwords. 
</br> Azure AD Managed Identities credentials are provisioned, and rotated in the cloud, which prevents using shared secrets such as passwords and passphrases. When using system-assigned managed identities, the lifecycle is tied to the underlying Azure resource lifecycle. </br> Use service principals to use certificates as credentials, which prevents use of shared secrets such as passwords and passphrases. If certificates are not feasible, use Azure Key Vault to store service principal client secrets. [Best practices for using Azure Key Vault](/azure/key-vault/general/best-practices#using-service-principals-with-key-vault) </br> For CDEs with resources outside Azure that require access, configure workload identity federations without managing secrets or interactive sign-in. [Workload identity federation](../workload-identities/workload-identity-federation.md) </br> Deploy Conditional Access for workload identities to control authorization based on location and/or risk level. [Conditional Access for workload identities](../conditional-access/workload-identity.md) </br> In addition to the previous guidance, use code analysis tools to detect hard-coded secrets in code and configuration files. [Detect exposed secrets in code](/azure/defender-for-cloud/detect-exposed-secrets) </br> [Security rules](/dotnet/fundamentals/code-analysis/quality-rules/security-warnings)| |**8.6.3** Passwords/passphrases for any application and system accounts are protected against misuse as follows: </br> Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise. 
</br> Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.|Use modern service accounts such as Azure Managed Identities and service principals that don’t require passwords. </br> For exceptions that require service principals with secrets, abstract secret lifecycle with workflows and automations that sets random passwords to service principals, rotates them regularly, and reacts to risk events. </br> Security operations teams can review and remediate reports generated by Azure AD such as Risky workload identities. [Securing workload identities with Identity Protection](../identity-protection/concept-workload-identity-risk.md) | |
active-directory | How To Create A Free Developer Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-create-a-free-developer-account.md | For your convenience, you could add your own work account as [guest](../external ## Next steps -Now that you have a developer account, try our [first tutorial](get-started-verifiable-credentials.md) to learn more about verifiable credentials. +Now that you have a developer account, try our [first tutorial](./verifiable-credentials-configure-tenant.md) to learn more about verifiable credentials. |
active-directory | How To Dnsbind | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-dnsbind.md | +- Complete the [Getting Started](./verifiable-credentials-configure-tenant.md) and subsequent [tutorial set](./verifiable-credentials-configure-tenant.md). ## Verify domain ownership and distribute did-configuration.json file |
active-directory | How To Use Quickstart Idtoken | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-use-quickstart-idtoken.md | Claims must exist in the returned identity provider so that they can successfull If the claims don't exist, there's no value in the issued verifiable credential. Most OIDC identity providers don't issue a claim in an ID token if the claim has a null value in your profile. Be sure to include the claim in the ID token definition, and ensure that you've entered a value for the claim in your user profile. -**For Azure Active Directory**: To configure the claims to include in your token, see [Provide optional claims to your app](../../active-directory/develop/active-directory-optional-claims.md). The configuration is per application, so this configuration should be for the app that has the application ID specified in the client ID in the rules definition. +**For Azure Active Directory**: To configure the claims to include in your token, see [Provide optional claims to your app](../develop/optional-claims.md). The configuration is per application, so this configuration should be for the app that has the application ID specified in the client ID in the rules definition. To match the display and rules definitions, you should make your application's optionalClaims JSON look like the following: |
active-directory | How To Use Quickstart Selfissued | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-use-quickstart-selfissued.md | The JSON attestation definition should contain the **selfIssued** name and the c During issuance, Authenticator prompts you to enter values for the specified claims. User input isn't validated. -![Screenshot of selfIssued claims input.](media/how-to-use-quickstart-selfissued\selfIssued-claims-input.png) +![Screenshot of selfIssued claims input.](./media/how-to-use-quickstart-selfissued/selfIssued-claims-input.png) ## Configure the samples to issue and verify your custom credential The easiest way to find this information for a custom credential is to go to you ## Next steps -See the [Rules and display definitions reference](rules-and-display-definitions-model.md). +See the [Rules and display definitions reference](rules-and-display-definitions-model.md). |
active-directory | How Use Vcnetwork | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-use-vcnetwork.md | +- Complete the [Getting Started](./verifiable-credentials-configure-tenant.md) and subsequent [tutorial set](./verifiable-credentials-configure-tenant.md). ## What is the Entra Verified ID Network? When you make a credential type available in the Entra Verified ID Network, only For more information, see: - [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).-- [Presentation API specification](presentation-request-api.md)+- [Presentation API specification](presentation-request-api.md) |
active-directory | Introduction To Verifiable Credentials Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/introduction-to-verifiable-credentials-architecture.md | -It’s important to plan your verifiable credential solution so that in addition to issuing and or validating credentials, you have a complete view of the architectural and business impacts of your solution. If you haven’t reviewed them already, we recommend you review [Introduction to Microsoft Entra Verified ID](decentralized-identifier-overview.md) and the [FAQs](verifiable-credentials-faq.md), and then complete the [Getting Started](get-started-verifiable-credentials.md) tutorial. +It’s important to plan your verifiable credential solution so that in addition to issuing and or validating credentials, you have a complete view of the architectural and business impacts of your solution. If you haven’t reviewed them already, we recommend you review [Introduction to Microsoft Entra Verified ID](decentralized-identifier-overview.md) and the [FAQs](verifiable-credentials-faq.md), and then complete the [Getting Started](./verifiable-credentials-configure-tenant.md) tutorial. This architectural overview introduces the capabilities and components of the Microsoft Entra Verified ID service. For more detailed information on issuance and validation, see |
active-directory | Plan Issuance Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-issuance-solution.md | These services provide supporting roles that don't necessarily need to integrate * **Additional middle-tier services** that contain business rules for lookups, validating, billing, and any other runtime checks and workflows needed to issue credentials. -For more information on setting up your web front end, see the tutorial [Configure your Azure AD to issue verifiable credentials](../verifiable-credentials/enable-your-tenant-verifiable-credentials.md). +For more information on setting up your web front end, see the tutorial [Configure your Azure AD to issue verifiable credentials](./verifiable-credentials-configure-tenant.md). ## Credential Design Considerations For more information on Key Vault implementation and operation, refer to [Best p [Plan your verification solution](plan-verification-solution.md) -[Get started with verifiable credentials](get-started-verifiable-credentials.md) +[Get started with verifiable credentials](./verifiable-credentials-configure-tenant.md) |
active-directory | Plan Verification Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-verification-solution.md | Implement Verifiable Credentials * [Introduction to Microsoft Entra Verified ID](decentralized-identifier-overview.md) - * [Get started with Verifiable Credentials](get-started-verifiable-credentials.md) + * [Get started with Verifiable Credentials](./verifiable-credentials-configure-tenant.md) [FAQs](verifiable-credentials-faq.md) |
active-directory | Workload Identities Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identities-overview.md | Simplify lifecycle management: - Access Azure AD protected resources without needing to manage secrets for workloads that run on Azure using [managed identities](../managed-identities-azure-resources/overview.md?toc=/azure/active-directory/workload-identities?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json). - Access Azure AD protected resources without needing to manage secrets using [workload identity federation](workload-identity-federation.md) for supported scenarios such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure.-- Review service principals and applications that are assigned to privileged directory roles in Azure AD using [access reviews for service principals](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json).+- Review service principals and applications that are assigned to privileged directory roles in Azure AD using [access reviews for service principals](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json). ## Next steps |
ai-services | Cognitive Services Virtual Networks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/cognitive-services-virtual-networks.md | When creating the private endpoint, you must specify the Azure AI services resou ### Connecting to private endpoints > [!NOTE]-> Azure OpenAI Service uses a different private DNS zone and public DNS zone forwarder than other Azure AI services. Refer to the [Azure services DNS zone configuration article](../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration) for the correct zone and forwader names. +> Azure OpenAI Service uses a different private DNS zone and public DNS zone forwarder than other Azure AI services. Refer to the [Azure services DNS zone configuration article](../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration) for the correct zone and forwarder names. Clients on a VNet using the private endpoint should use the same connection string for the Azure AI services resource as clients connecting to the public endpoint. The exception is the Speech Services, which require a separate endpoint. See the section on [Private endpoints with the Speech Services](#private-endpoints-with-the-speech-services). We rely upon DNS resolution to automatically route the connections from the VNet to the Azure AI services resource over a private link. |
ai-services | Concept Query Fields | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/concept-query-fields.md | Document Intelligence now supports query field extractions using Azure OpenAI ca > [!NOTE] >-> Document Intelligence Studio query field extraction is currently available with the general document model for the `2023-02-28-preview` release. +> Document Intelligence Studio query field extraction is currently available with the general document model starting with the `2023-02-28-preview` and later releases. ## Select query fields For query field extraction, specify the fields you want to extract and Document Intelligence analyzes the document accordingly. Here's an example: -* If you're processing a contract in the [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/document). Use the `2023-02-28-preview` version: +* If you're processing a contract in the [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio/document), use the `2023-07-31` version: :::image type="content" source="media/studio/query-fields.png" alt-text="Screenshot of the query fields button in Document Intelligence Studio."::: For query field extraction, specify the fields you want to extract and Document Use the query fields feature with the [general document model](concept-general-document.md), to add fields to the extraction process without having to train a custom model: ```http-POST https://*.cognitiveservices.azure.com/formrecognizer/documentModels/prebuilt-document:analyze?api-version=2023-02-28-preview&queryFields=Party1, Party2, PaymentDate HTTP/1.1 +POST https://{endpoint}/formrecognizer/documentModels/prebuilt-document:analyze?api-version=2023-07-31&queryFields=Party1, Party2, PaymentDate HTTP/1.1 Host: *.cognitiveservices.azure.com Content-Type: application/json Ocp-Apim-Subscription-Key: |
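Review bot: the `Host:` header in the updated `POST` example no longer matches its request line. The URL was changed to `https://{endpoint}/formrecognizer/documentModels/prebuilt-document:analyze?...`, but the following line still reads `Host: *.cognitiveservices.azure.com`; change it to `Host: {endpoint}` so both lines use the same placeholder. The query string `queryFields=Party1, Party2, PaymentDate` also contains literal spaces after the commas, which do not belong in an HTTP request line; drop them or URL-encode them so the example can be copied as-is.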
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/overview.md | You can use Document Intelligence to automate document processing in application | About | Development options | |-|--|-|Extract contract agreement and party details.|● [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=contract)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/AnalyzeDocument) +|Extract contract agreement and party details.|● [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=contract)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-07-31/operations/AnalyzeDocument) > [!div class="nextstepaction"] > [Return to model types](#prebuilt-models) You can use Document Intelligence to automate document processing in application | About | Development options | |-|--|-|Extract mortgage interest information and details.|● [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/AnalyzeDocument) +|Extract mortgage interest information and details.|● [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-07-31/operations/AnalyzeDocument) > [!div class="nextstepaction"] > [Return to model types](#prebuilt-models) You can use Document Intelligence to automate document processing in application | About | Development options | |-|--|-|Extract student loan information and details.|● [**Document Intelligence 
Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098E)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/AnalyzeDocument) +|Extract student loan information and details.|● [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098E)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-07-31/operations/AnalyzeDocument) > [!div class="nextstepaction"] > [Return to model types](#prebuilt-models) You can use Document Intelligence to automate document processing in application | About | Development options | |-|--|-|Extract tuition information and details.|● [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098T)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/AnalyzeDocument) +|Extract tuition information and details.|● [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.1098T)</br>● [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-07-31/operations/AnalyzeDocument) > [!div class="nextstepaction"] > [Return to model types](#prebuilt-models) |
ai-services | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/document-intelligence/whats-new.md | The v3.1 API introduces new and updated capabilities: * New option `pages` supported by all document intelligence methods (custom forms and all prebuilt models). The argument allows you to select individual or a range of pages for multi-page PDF and TIFF documents. For individual pages, enter the page number, for example, `3`. For a range of pages (like page 2 and pages 5-7) enter the page numbers and ranges separated by commas: `2, 5-7`. -* Added support for a **[ReadingOrder](/javascript/api/@azure/ai-form-recognizer/formreadingorder?view=azure-node-latest&preserve-view=true to the URL)** type to the content recognition methods. This option enables you to control the algorithm that the service uses to determine how recognized lines of text should be ordered. You can specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`. +* Added support for a [ReadingOrder](/javascript/api/@azure/ai-form-recognizer/formreadingorder?view=azure-node-latest&preserve-view=true) type to the content recognition methods. This option enables you to control the algorithm that the service uses to determine how recognized lines of text should be ordered. You can specify which reading order algorithmΓÇö`basic` or `natural`ΓÇöshould be applied to order the extraction of text elements. If not specified, the default value is `basic`. * Split **FormField** type into several different interfaces. This update shouldn't cause any API compatibility issues except in certain edge cases (undefined valueType). |
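Review bot: the replacement line still carries the mis-encoded em dash `ΓÇö` on both sides of the alternatives ("algorithmΓÇö`basic` or `natural`ΓÇöshould"). Since this line is already being rewritten to fix the broken link, replace the two `ΓÇö` sequences with commas so the rendered text reads "which reading order algorithm, `basic` or `natural`, should be applied".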
ai-services | Ga Preview Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/named-entity-recognition/concepts/ga-preview-mapping.md | Entity tags are used to further identify an entity where a detected entity is ta The changes introduce better flexibility for named entity recognition, including: * More granular entity recognition through introducing the tags list where an entity could be tagged by more than one entity tag. * Overlapping entities where entities could be recognized as more than one entity type and if so, this entity would be returned twice. If an entity was recognized to belong to two entity tags under the same entity type, both entity tags are returned in the tags list.-* Filtering entities using entity tags, you can learn more about this by navigating to [this article](../how-to-call#select-which-entities-to-be-returned-(Preview API only).md). +* Filtering entities using entity tags, you can learn more about this by navigating to [this article](../how-to-call.md#select-which-entities-to-be-returned-preview-api-only). * Metadata Objects which contain additional information about the entity but currently only act as a wrapper for the existing entity resolution feature. You can learn more about this new feature [here](entity-metadata.md). ## Generally available to preview API entity mappings |
ai-services | Network Isolation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/language-service/question-answering/how-to/network-isolation.md | After restricting access to an Azure AI services resource based on VNet, To brow - Grant access to your [local browser/machine](../../../cognitive-services-virtual-networks.md?tabs=portal#managing-ip-network-rules). - Add the **public IP address of the machine under the Firewall** section of the **Networking** tab. By default `portal.azure.com` shows the current browsing machine's public IP (select this entry) and then select **Save**. - > [!div class="mx-imgBorder"] - > [ ![Screenshot of firewall and virtual networks configuration UI]( ../../../qnamaker/media/network-isolation/firewall.png) ]( ../../../qnamaker/media/network-isolation/firewall.png#lightbox) + > [!div class="mx-imgBorder"] + > [![Screenshot of firewall and virtual networks configuration UI](../../../qnamaker/media/network-isolation/firewall.png)](../../../qnamaker/media/network-isolation/firewall.png#lightbox) |
ai-services | Use Your Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/concepts/use-your-data.md | recommendations: false Azure OpenAI on your data enables you to run supported chat models such as GPT-35-Turbo and GPT-4 on your data without needing to train or fine-tune models. Running models on your data enables you to chat on top of, and analyze your data with greater accuracy and speed. By doing so, you can unlock valuable insights that can help you make better business decisions, identify trends and patterns, and optimize your operations. One of the key benefits of Azure OpenAI on your data is its ability to tailor the content of conversational AI. -To get started, [connect your data source](../use-your-data-quickstart.md) using [Azure OpenAI Studio](https://oai.azure.com/) and start asking questions and chatting on your data. - Because the model has access to, and can reference specific sources to support its responses, answers are not only based on its pretrained knowledge but also on the latest information available in the designated data source. This grounding data also helps the model avoid generating responses based on outdated or incorrect information. -> [!NOTE] -> To get started, you need to already have been approved for [Azure OpenAI access](../overview.md#how-do-i-get-access-to-azure-openai) and have an [Azure OpenAI Service resource](../how-to/create-resource.md) with either the gpt-35-turbo or the gpt-4 models deployed. - ## What is Azure OpenAI on your data Azure OpenAI on your data works with OpenAI's powerful GPT-35-Turbo and GPT-4 language models, enabling them to provide responses based on your data. You can access Azure OpenAI on your data using a REST API or the web-based interface in the [Azure OpenAI Studio](https://oai.azure.com/) to create a solution that connects to your data to enable an enhanced chat experience. 
One of the key features of Azure OpenAI on your data is its ability to retrieve and utilize data in a way that enhances the model's output. Azure OpenAI on your data, together with Azure Cognitive Search, determines what data to retrieve from the designated data source based on the user input and provided conversation history. This data is then augmented and resubmitted as a prompt to the OpenAI model, with retrieved information being appended to the original prompt. Although retrieved data is being appended to the prompt, the resulting input is still processed by the model like any other prompt. Once the data has been retrieved and the prompt has been submitted to the model, the model uses this information to provide a completion. See the [Data, privacy, and security for Azure OpenAI Service](/legal/cognitive-services/openai/data-privacy?context=/azure/ai-services/openai/context/context) article for more information. +## Get started ++To get started, [connect your data source](../use-your-data-quickstart.md) using Azure OpenAI Studio and start asking questions and chatting on your data. ++> [!NOTE] +> To get started, you need to already have been approved for [Azure OpenAI access](../overview.md#how-do-i-get-access-to-azure-openai) and have an [Azure OpenAI Service resource](../how-to/create-resource.md) with either the gpt-35-turbo or the gpt-4 models deployed. + ## Data source options Azure OpenAI on your data uses an [Azure Cognitive Search](/azure/search/search-what-is-azure-search) index to determine what data to retrieve based on user inputs and provided conversation history. We recommend using Azure OpenAI Studio to create your index from a blob storage or local files. See the [quickstart article](../use-your-data-quickstart.md?pivots=programming-language-studio) for more information. 
## Ingesting your data into Azure Cognitive Search -For documents and datasets with long text, you should use the available [data preparation script](https://github.com/microsoft/sample-app-aoai-chatGPT/tree/main/scripts) to ingest the data into cognitive search. The script chunks the data so that your response with the service will be more accurate. This script also supports scanned PDF file and images and ingests the data using [Document Intelligence](../../../ai-services/document-intelligence/overview.md). +For documents and datasets with long text, you should use the available [data preparation script](https://go.microsoft.com/fwlink/?linkid=2244395) to ingest the data into cognitive search. The script chunks the data so that your response with the service will be more accurate. This script also supports scanned PDF file and images and ingests the data using [Document Intelligence](../../../ai-services/document-intelligence/overview.md). ## Data formats and file types When customizing the app, we recommend: - Publishing creates an Azure App Service in your subscription. It may incur costs depending on the [pricing plan](https://azure.microsoft.com/pricing/details/app-service/windows/) you select. When you're done with your app, you can delete it from the Azure portal.-- You can [customize](../concepts/use-your-data.md#using-the-web-app) the frontend and backend logic of the web app.+- You can customize the frontend and backend logic of the web app. - By default, the app will only be accessible to you. To add authentication (for example, restrict access to the app to members of your Azure tenant): 1. Go to the [Azure portal](https://portal.azure.com/#home) and search for the app name you specified during publishing. Select the web app, and go to the **Authentication** tab on the left navigation menu. Then select **Add an identity provider**. |
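Review bot: the rewritten "data preparation script" line swaps the visible GitHub repository URL for a `go.microsoft.com/fwlink` redirector, so readers who are told to run this script can no longer see which repository it comes from before following the link; consider keeping the repository path visible alongside the redirector. The same line also keeps the grammar slip "supports scanned PDF file and images", which should read "scanned PDF files and images".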
ai-services | Create Resource | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/how-to/create-resource.md | Title: 'How-to - Create a resource and deploy a model using Azure OpenAI Service' + Title: 'How-to: Create and deploy an Azure OpenAI Service resource' -description: Walkthrough on how to get started with Azure OpenAI and make your first resource and deploy your first model. +description: Learn how to get started with Azure OpenAI Service and create your first resource and deploy your first model in the Azure CLI or the Azure portal. Previously updated : 02/02/2023 Last updated : 08/14/2023 zone_pivot_groups: openai-create-resource recommendations: false -# Create a resource and deploy a model using Azure OpenAI +# Create and deploy an Azure OpenAI Service resource -Use this article to get started with Azure OpenAI with step-by-step instructions to create a resource and deploy a model. While the steps for resource creation and model deployment can be completed in a few minutes, the actual deployment process itself can take more than hour. You can create your resource, start your deployment, and then check back in on your deployment later rather than actively waiting for the deployment to complete. +This article describes how to get started with Azure OpenAI Service and provides step-by-step instructions to create a resource and deploy a model. You can create resources in Azure in several different ways: ++- The [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=microsoft_openai_tip#create/Microsoft.CognitiveServicesOpenAI) +- The REST APIs, the Azure CLI, PowerShell, or client libraries +- Azure Resource Manager (ARM) templates ++In this article, you review examples for creating and deploying resources in the Azure portal and with the Azure CLI. 
::: zone pivot="web-portal" ::: zone-end Use this article to get started with Azure OpenAI with step-by-step instructions ## Next steps -* Now that you have a resource and your first model deployed get started making API calls and generating text with our [quickstarts](../quickstart.md). -* Learn more about the [underlying models that power Azure OpenAI](../concepts/models.md). +- Make API calls and generate text with [Azure OpenAI Service quickstarts](../quickstart.md). +- Learn more about the [Azure OpenAI Service models](../concepts/models.md). |
ai-services | Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/reference.md | In the example response, `finish_reason` equals `stop`. If `finish_reason` equal Get a vector representation of a given input that can be easily consumed by machine learning models and other algorithms. > [!NOTE]-> We currently do not support batching of embeddings into a single API call. If you receive the error `InvalidRequestError: Too many inputs. The max number of inputs is 1. We hope to increase the number of inputs per request soon.`, this typically occurs when an array of embeddings is attempted to be passed as a batch rather than a single string. The string can be up to 8191 tokens in length when using the text-embedding-ada-002 (Version 2) model. +> OpenAI currently allows a larger number of array inputs with `text-embedding-ada-002`. Azure OpenAI currently supports input arrays up to 16 for `text-embedding-ada-002 (Version 2)`. Both require the max input token limit per API request to remain under 8191 for this model. **Create an embedding** POST https://{your-resource-name}.openai.azure.com/openai/deployments/{deploymen | Parameter | Type | Required? | Default | Description | |--|--|--|--|--|-| ```input```| string | Yes | N/A | Input text to get embeddings for, encoded as a string. The number of input tokens varies depending on what [model you are using](./concepts/models.md). <br> Unless you're embedding code, we suggest replacing newlines (\n) in your input with a single space, as we have observed inferior results when newlines are present.| -| ```user``` | string | No | Null | A unique identifier representing for your end-user. This will help Azure OpenAI monitor and detect abuse. **Do not pass PII identifiers instead use pseudoanonymized values such as GUIDs** | +| ```input```| string or array | Yes | N/A | Input text to get embeddings for, encoded as an array or string. 
The number of input tokens varies depending on what [model you are using](./concepts/models.md). Only `text-embedding-ada-002 (Version 2)` supports array input.| +| ```user``` | string | No | Null | A unique identifier representing your end-user. This will help Azure OpenAI monitor and detect abuse. **Do not pass PII identifiers instead use pseudoanonymized values such as GUIDs** | #### Example request curl -i -X POST YOUR_RESOURCE_NAME/openai/deployments/YOUR_DEPLOYMENT_NAME/exten -d \ ' {+ "temperature": 0, + "max_tokens": 1000, + "top_p": 1.0, "dataSources": [ { "type": "AzureCognitiveSearch", |
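Review bot: the rewritten `user` parameter row still lacks punctuation and uses a non-standard term: "**Do not pass PII identifiers instead use pseudoanonymized values such as GUIDs**" should read "Do not pass PII identifiers; instead, use pseudonymized values such as GUIDs." In the note above it, the old text said the input "can be up to 8191 tokens" while the new text says the limit must "remain under 8191"; these differ on whether 8191 itself is allowed, so pick one wording and use it in both the note and the `input` row.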
ai-services | Use Your Data Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/use-your-data-quickstart.md | In this quickstart you can use your own data with Azure OpenAI models. Using Azu Azure OpenAI requires registration and is currently only available to approved enterprise customers and partners. [See Limited access to Azure OpenAI Service](/legal/cognitive-services/openai/limited-access?context=/azure/ai-services/openai/context/context) for more information. You can apply for access to Azure OpenAI by completing the form at <a href="https://aka.ms/oai/access" target="_blank">https://aka.ms/oai/access</a>. Open an issue on this repo to contact us if you have an issue. - An Azure OpenAI resource with a chat model deployed (for example, GPT-3 or GPT-4). For more information about model deployment, see the [resource deployment guide](./how-to/create-resource.md).++ - Your chat model must use version `0301`. You can view or change your model version in [Azure OpenAI Studio](./concepts/models.md#model-updates). + - Be sure that you are assigned at least the [Cognitive Services OpenAI Contributor](/azure/role-based-access-control/built-in-roles#cognitive-services-openai-contributor) role for the Azure OpenAI resource. If you want to clean up and remove an OpenAI or Azure Cognitive Search resource, ## Next steps - Learn more about [using your data in Azure OpenAI Service](./concepts/use-your-data.md)-- [Chat app sample code on GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT/tree/main).+- [Chat app sample code on GitHub](https://go.microsoft.com/fwlink/?linkid=2244395). |
ai-services | Network Isolation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/qnamaker/How-To/network-isolation.md | Add-AzWebAppAccessRestrictionRule -ResourceGroupName "<resource group name>" -We 3. Verify the added access rule is present in the **Access Restrictions** section of the **Networking** tab: > [!div class="mx-imgBorder"]- > [ ![Screenshot of access restriction rule]( ../media/network-isolation/access-restrictions.png) ]( ../media/network-isolation/access-restrictions.png#lightbox) + > [ ![Screenshot of access restriction rule](../media/network-isolation/access-restrictions.png) ](../media/network-isolation/access-restrictions.png#lightbox) 4. To access the **Test pane** on the https://qnamaker.ai portal, add the **Public IP address of the machine** from where you want to access the portal. From the **Access Restrictions** page select **Add Rule**, and allow access to your client IP. > [!div class="mx-imgBorder"]- > [ ![Screenshot of access restriction rule with the addition of public IP address]( ../media/network-isolation/public-address.png) ]( ../media/network-isolation/public-address.png#lightbox) + > [ ![Screenshot of access restriction rule with the addition of public IP address](../media/network-isolation/public-address.png) ](../media/network-isolation/public-address.png#lightbox) ### Outbound access from App Service The App Service Environment (ASE) can be used to host the QnA Maker App Service 4. Add CORS origin "*" on the App Service to allow access to https://qnamaker.ai portal Test pane. **CORS** is located under the API header in the App Service pane. 
> [!div class="mx-imgBorder"]- > [ ![Screenshot of CORS interface within App Service UI]( ../media/network-isolation/cross-orgin-resource-sharing.png) ]( ../media/network-isolation/cross-orgin-resource-sharing.png#lightbox) + > [ ![Screenshot of CORS interface within App Service UI](../media/network-isolation/cross-orgin-resource-sharing.png) ](../media/network-isolation/cross-orgin-resource-sharing.png#lightbox) 5. Create a QnA Maker Azure AI services instance (Microsoft.CognitiveServices/accounts) using Azure Resource Manager. The QnA Maker endpoint should be set to the App Service Endpoint created above (`https:// mywebsite.myase.p.azurewebsite.net`). Here is a [sample Azure Resource Manager template you can use for reference](https://github.com/pchoudhari/QnAMakerBackupRestore/tree/master/QnAMakerASEArmTemplate). The Cognitive Search instance can be isolated via a private endpoint after the Q 2. Open the VNet resource, then under the **Subnets** tab create two subnets. One for the App Service **(appservicesubnet)** and another subnet **(searchservicesubnet)** for the Cognitive Search resource without delegation. > [!div class="mx-imgBorder"]- > [ ![Screenshot of virtual networks subnets UI interface]( ../media/network-isolation/subnets.png) ]( ../media/network-isolation/subnets.png#lightbox) + > [ ![Screenshot of virtual networks subnets UI interface](../media/network-isolation/subnets.png) ](../media/network-isolation/subnets.png#lightbox) 3. In the **Networking** tab in the Cognitive Search service instance switch endpoint connectivity data from public to private. This operation is a long running process and **can take up to 30 minutes** to complete. 
> [!div class="mx-imgBorder"]- > [ ![Screenshot of networking UI with public/private toggle button]( ../media/network-isolation/private.png) ]( ../media/network-isolation/private.png#lightbox) + > [ ![Screenshot of networking UI with public/private toggle button](../media/network-isolation/private.png) ](../media/network-isolation/private.png#lightbox) 4. Once the Search resource is switched to private, select add **private endpoint**. - **Basics tab**: make sure you are creating your endpoint in the same region as search resource. - **Resource tab**: select the required search resource of type `Microsoft.Search/searchServices`. > [!div class="mx-imgBorder"]- > [ ![Screenshot of create a private endpoint UI window]( ../media/network-isolation/private-endpoint.png) ]( ../media/network-isolation/private-endpoint.png#lightbox) + > [ ![Screenshot of create a private endpoint UI window](../media/network-isolation/private-endpoint.png) ](../media/network-isolation/private-endpoint.png#lightbox) - **Configuration tab**: use the VNet, subnet (searchservicesubnet) created in step 2. After that, in section **Private DNS integration** select the corresponding subscription and create a new private DNS zone called **privatelink.search.windows.net**. > [!div class="mx-imgBorder"]- > [ ![Screenshot of create private endpoint UI window with subnet field populated]( ../media/network-isolation/subnet.png) ]( ../media/network-isolation/subnet.png#lightbox) + > [ ![Screenshot of create private endpoint UI window with subnet field populated](../media/network-isolation/subnet.png) ](../media/network-isolation/subnet.png#lightbox) 5. Enable VNET integration for the regular App Service. You can skip this step for ASE, as that already has access to the VNET. - Go to App Service **Networking** section, and open **VNet Integration**. - Link to the dedicated App Service VNet, Subnet (appservicevnet) created in step 2. 
> [!div class="mx-imgBorder"]- > [ ![Screenshot of VNET integration UI]( ../media/network-isolation/integration.png) ]( ../media/network-isolation/integration.png#lightbox) + > [ ![Screenshot of VNET integration UI](../media/network-isolation/integration.png) ](../media/network-isolation/integration.png#lightbox) [Create Private endpoints](../reference-private-endpoint.md) to the Azure Search resource. |
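Review bot: step 4 of the App Service Environment section, which this hunk leaves unchanged while fixing the screenshot links, tells the reader to add CORS origin `*` on the App Service, although the only consumer named is the Test pane on the https://qnamaker.ai portal. While the section is open, consider documenting the portal's origin instead of the wildcard, since `*` admits every origin rather than the one the step needs. Step 5 in the same hunk also has a stray space in the example endpoint `https:// mywebsite.myase.p.azurewebsite.net`.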
ai-services | Get Started Stt Diarization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-stt-diarization.md | zone_pivot_groups: programming-languages-set-twenty-two keywords: speech to text, speech to text software -# Quickstart: Real-time diarization (preview) +# Quickstart: Real-time diarization (Preview) ::: zone pivot="programming-language-csharp" [!INCLUDE [C# include](includes/quickstarts/stt-diarization/csharp.md)] |
ai-services | Speech To Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-to-text.md | For a full list of available speech to text languages, see [Language and voice s With real-time speech to text, the audio is transcribed as speech is recognized from a microphone or file. Use real-time speech to text for applications that need to transcribe audio in real-time such as: - Transcriptions, captions, or subtitles for live meetings+- [Diarization](get-started-stt-diarization.md) +- [Pronunciation assessment](how-to-pronunciation-assessment.md) - Contact center agent assist - Dictation - Voice agents-- Pronunciation assessment Real-time speech to text is available via the [Speech SDK](speech-sdk.md) and the [Speech CLI](spx-overview.md). ## Batch transcription -Batch transcription is used to transcribe a large amount of audio in storage. You can point to audio files with a shared access signature (SAS) URI and asynchronously receive transcription results. Use batch transcription for applications that need to transcribe audio in bulk such as: +[Batch transcription](batch-transcription.md) is used to transcribe a large amount of audio in storage. You can point to audio files with a shared access signature (SAS) URI and asynchronously receive transcription results. Use batch transcription for applications that need to transcribe audio in bulk such as: - Transcriptions, captions, or subtitles for pre-recorded audio - Contact center post-call analytics - Diarization |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/document-translation/overview.md | Document Translation is a cloud-based feature of the [Azure AI Translator](../tr > [!NOTE] > When translating documents with content in multiple languages, the feature is intended for complete sentences in a single language. If sentences are composed of more than one language, the content may not all translate into the target language.-> For more information on input requirements, *see* [Document Transaltion request limits](../service-limits.md#document-translation) +> For more information on input requirements, *see* [Document Translation request limits](../service-limits.md#document-translation) ## Development options |
aks | Csi Secrets Store Driver | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-driver.md | Title: Use the Azure Key Vault Provider for Secrets Store CSI Driver for Azure Kubernetes Service secrets + Title: Use the Azure Key Vault Provider for Secrets Store CSI Driver for Azure Kubernetes Service (AKS) secrets description: Learn how to use the Azure Key Vault Provider for Secrets Store CSI Driver to integrate secrets stores with Azure Kubernetes Service (AKS). Previously updated : 02/10/2023 Last updated : 07/31/2023 -# Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster +# Use the Azure Key Vault Provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of an Azure key vault as a secret store with an Azure Kubernetes Service (AKS) cluster via a [CSI volume][kube-csi]. ## Features -* Mounts secrets, keys, and certificates to a pod by using a CSI volume -* Supports CSI inline volumes -* Supports mounting multiple secrets store objects as a single volume -* Supports pod portability with the `SecretProviderClass` CRD -* Supports Windows containers -* Syncs with Kubernetes secrets -* Supports autorotation of mounted contents and synced Kubernetes secrets +* Mounts secrets, keys, and certificates to a pod using a CSI volume. +* Supports CSI inline volumes. +* Supports mounting multiple secrets store objects as a single volume. +* Supports pod portability with the `SecretProviderClass` CRD. +* Supports Windows containers. +* Syncs with Kubernetes secrets. +* Supports autorotation of mounted contents and synced Kubernetes secrets. ## Limitations -A container using subPath volume mount won't receive secret updates when it's rotated. 
For more information, see [Secrets Store CSI Driver known limitations](https://secrets-store-csi-driver.sigs.k8s.io/known-limitations.html#secrets-not-rotated-when-using-subpath-volume-mount). +A container using *subPath volume mount* won't receive secret updates when it's rotated. For more information, see [Secrets Store CSI Driver known limitations](https://secrets-store-csi-driver.sigs.k8s.io/known-limitations.html#secrets-not-rotated-when-using-subpath-volume-mount). ## Prerequisites * If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. * Check that your version of the Azure CLI is 2.30.0 or later. If it's an earlier version, [install the latest version](/cli/azure/install-azure-cli). * If you're restricting Ingress to the cluster, make sure ports **9808** and **8095** are open.-* The minimum recommended Kubernetes version is based on the [rolling Kubernetes version support window][kubernetes-version-support]. Make sure you're running version N-2 or later. +* The minimum recommended Kubernetes version is based on the [rolling Kubernetes version support window][kubernetes-version-support]. Make sure you're running version *N-2* or later. ## Create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver support -1. Create an Azure resource group. +1. Create an Azure resource group using the [`az group create`][az-group-create] command. ```azurecli-interactive az group create -n myResourceGroup -l eastus2 ``` -2. Create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks create`][az-aks-create] command with the `azure-keyvault-secrets-provider` add-on. +2. Create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks create`][az-aks-create] command and enable the `azure-keyvault-secrets-provider` add-on. 
++ > [!NOTE] + > If you want to use Azure AD workload identity, you must also use the `--enable-oidc-issuer` and `--enable-workload-identity` parameters, such as in the following example: + > + > ```azurecli-interactive + > az aks create -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-oidc-issuer --enable-workload-identity + > ``` ```azurecli-interactive az aks create -n myAKSCluster -g myResourceGroup --enable-addons azure-keyvault-secrets-provider ``` -3. A user-assigned managed identity, named `azureKeyvaultSecretsProvider`, is created by the add-on to access Azure resources. The following example uses this identity to connect to the Azure key vault where the secrets will be stored, but you can also use other [identity access methods][identity-access-methods]. Take note of the identity's `clientId` in the output. +3. The add-on creates a user-assigned managed identity, `azureKeyvaultSecretsProvider`, to access Azure resources. The following example uses this identity to connect to the Azure key vault that stores the secrets, but you can also use other [identity access methods][identity-access-methods]. Take note of the identity's `clientId` in the output. ```json ..., A container using subPath volume mount won't receive secret updates when it's ro ## Upgrade an existing AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver support -* Upgrade an existing AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks enable-addons`][az-aks-enable-addons] command with the `azure-keyvault-secrets-provider` add-on. The add-on creates a user-assigned managed identity you can use to authenticate to your Azure key vault. +* Upgrade an existing AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability using the [`az aks enable-addons`][az-aks-enable-addons] command and enable the `azure-keyvault-secrets-provider` add-on. 
The add-on creates a user-assigned managed identity you can use to authenticate to your Azure key vault. ```azurecli-interactive az aks enable-addons --addons azure-keyvault-secrets-provider --name myAKSCluster --resource-group myResourceGroup A container using subPath volume mount won't receive secret updates when it's ro ## Verify the Azure Key Vault Provider for Secrets Store CSI Driver installation -1. Verify the installation is finished using the `kubectl get pods` command to list all pods that have the `secrets-store-csi-driver` and `secrets-store-provider-azure` labels in the kube-system namespace, and ensure that your output looks similar to the following output: +1. Verify the installation is finished using the `kubectl get pods` command, which lists all pods with the `secrets-store-csi-driver` and `secrets-store-provider-azure` labels in the kube-system namespace. ```bash kubectl get pods -n kube-system -l 'app in (secrets-store-csi-driver,secrets-store-provider-azure)' ``` + Your output should look similar to the following example output: + ```output NAME READY STATUS RESTARTS AGE aks-secrets-store-csi-driver-4vpkj 3/3 Running 2 4m25s A container using subPath volume mount won't receive secret updates when it's ro ## Create or use an existing Azure key vault -In addition to an AKS cluster, you'll need an Azure key vault resource that stores the secret content. - 1. Create an Azure key vault using the [`az keyvault create`][az-keyvault-create] command. The name of the key vault must be globally unique. 
```azurecli In addition to an AKS cluster, you'll need an Azure key vault resource that stor * The name of the secret object in the key vault * The object type (secret, key, or certificate) * The name of your Azure key vault resource- * The Azure tenant ID that the subscription belongs to + * The Azure tenant ID of the subscription ## Provide an identity to access the Azure key vault The Secrets Store CSI Driver allows for the following methods to access an Azure key vault: -* An [Azure Active Directory pod identity][aad-pod-identity] (preview) * An [Azure Active Directory workload identity][aad-workload-identity] * A user-assigned or system-assigned managed identity Follow the instructions in [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods] for your chosen method. > [!IMPORTANT]-> The rest of the examples on this page require that you've followed the instructions in [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods], chosen one of the identity methods, and configured a SecretProviderClass. Come back to this page after completing those steps. +> The rest of the examples on this page require that you followed the instructions in [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods], chose one of the identity methods, and configured a `SecretProviderClass`. Come back to this page after completing those steps. ## Validate the secrets -After the pod starts, the mounted content at the volume path that you specified in your deployment YAML is available. +After the pod starts, the mounted content at the volume path that you specified in your deployment YAML is available. Use the following commands to validate your secrets and print a test secret. -* Use the following commands to validate your secrets and print a test secret. +1. 
Show secrets held in the secrets store using the following command. -To show secrets held in the secrets store: ```bash kubectl exec busybox-secrets-store-inline -- ls /mnt/secrets-store/ ``` -To display a secret in the store, for example this command shows the test secret `ExampleSecret`: +2. Display a secret in the store using the following command. This example command shows the test secret `ExampleSecret`. -``` -kubectl exec busybox-secrets-store-inline -- cat /mnt/secrets-store/ExampleSecret -``` + ```bash + kubectl exec busybox-secrets-store-inline -- cat /mnt/secrets-store/ExampleSecret + ``` ## Obtain certificates and keys -The Azure Key Vault design makes sharp distinctions between keys, secrets, and certificates. The Key Vault serviceΓÇÖs certificates features were designed to make use of its key and secret capabilities. When a key vault certificate is created, an addressable key and secret are also created with the same name. The key allows key operations, and the secret allows the retrieval of the certificate value as a secret. +The Azure Key Vault design makes sharp distinctions between keys, secrets, and certificates. The certificate features of the Key Vault service were designed to make use of key and secret capabilities. When you create a key vault certificate, it creates an addressable key and secret with the same name. The key allows key operations, and the secret allows the retrieval of the certificate value as a secret. A key vault certificate also contains public x509 certificate metadata. The key vault stores both the public and private components of your certificate in a secret. You can obtain each individual component by specifying the `objectType` in `SecretProviderClass`. 
The following table shows which objects map to the various resources associated with your certificate: | Object | Return value | Returns entire certificate chain | ||||-|`key`|The public key, in Privacy Enhanced Mail (PEM) format|N/A| -|`cert`|The certificate, in PEM format|No| -|`secret`|The private key and certificate, in PEM format|Yes| +|`key`|The public key, in Privacy Enhanced Mail (PEM) format.|N/A| +|`cert`|The certificate, in PEM format.|No| +|`secret`|The private key and certificate, in PEM format.|Yes| ## Disable the Azure Key Vault Provider for Secrets Store CSI Driver on an existing AKS cluster > [!NOTE]-> Before you disable the add-on, ensure that no `SecretProviderClass` is in use. Trying to disable the add-on while `SecretProviderClass` exists will result in an error. +> Before you disable the add-on, ensure that *no* `SecretProviderClass` is in use. Trying to disable the add-on while a `SecretProviderClass` exists results in an error. * Disable the Azure Key Vault Provider for Secrets Store CSI Driver capability in an existing cluster using the [`az aks disable-addons`][az-aks-disable-addons] command with the `azure-keyvault-secrets-provider` add-on. A key vault certificate also contains public x509 certificate metadata. The key ``` > [!NOTE]-> If the add-on is disabled, existing workloads will have no issues and will not see any updates in the mounted secrets. If the pod restarts or a new pod is created as part of scale-up event, the pod will fail to start because the driver is no longer running. +> When you disable the add-on, existing workloads should have no issues or see any updates in the mounted secrets. If the pod restarts or a new pod is created as part of scale-up event, the pod fails to start because the driver is no longer running. 
## More configuration options ### Enable and disable autorotation > [!NOTE]-> When the Azure Key Vault Provider for Secrets Store CSI Driver is enabled, it updates the pod mount and the Kubernetes secret that's defined in the `secretObjects` field of `SecretProviderClass`. It does so by polling for changes periodically, based on the rotation poll interval you've defined. The default rotation poll interval is 2 minutes. +> When the Azure Key Vault Provider for Secrets Store CSI Driver is enabled, it updates the pod mount and the Kubernetes secret defined in the `secretObjects` field of `SecretProviderClass`. It does so by polling for changes periodically, based on the rotation poll interval you defined. The default rotation poll interval is *two minutes*. >[!NOTE]-> When a secret is updated in an external secrets store after initial pod deployment, the Kubernetes Secret and the pod mount will be periodically updated depending on how the application consumes the secret data. +> When a secret updates in an external secrets store after initial pod deployment, the Kubernetes Secret and the pod mount periodically update depending on how the application consumes the secret data. >-> **Mount the Kubernetes Secret as a volume**: Use the autorotation and Sync K8s secrets features of Secrets Store CSI Driver. The application will need to watch for changes from the mounted Kubernetes Secret volume. When the Kubernetes Secret is updated by the CSI Driver, the corresponding volume contents are automatically updated. +> **Mount the Kubernetes Secret as a volume**: Use the autorotation and Sync K8s secrets features of Secrets Store CSI Driver. The application needs to watch for changes from the mounted Kubernetes Secret volume. When the CSI Driver updates the Kubernetes Secret, the corresponding volume contents automatically update as well. >-> **Application reads the data from the containerΓÇÖs filesystem**: Use the rotation feature of Secrets Store CSI Driver. 
The application will need to watch for the file change from the volume mounted by the CSI driver. +> **Application reads the data from the containerΓÇÖs filesystem**: Use the rotation feature of Secrets Store CSI Driver. The application needs to watch for the file change from the volume mounted by the CSI driver. >-> **Use the Kubernetes Secret for an environment variable**: Restart the pod to get the latest secret as an environment variable. -> Use a tool such as [Reloader][reloader] to watch for changes on the synced Kubernetes Secret and perform rolling upgrades on pods. +> **Use the Kubernetes Secret for an environment variable**: Restart the pod to get the latest secret as an environment variable. Use a tool such as [Reloader][reloader] to watch for changes on the synced Kubernetes Secret and perform rolling upgrades on pods. #### Enable autorotation on a new AKS cluster -* Enable autorotation of secrets using the `enable-secret-rotation` parameter when you create your cluster. +* Enable autorotation of secrets on a new cluster using the [`az aks create`][az-aks-create] command and enable the `enable-secret-rotation` add-on. ```azurecli-interactive az aks create -n myAKSCluster2 -g myResourceGroup --enable-addons azure-keyvault-secrets-provider --enable-secret-rotation A key vault certificate also contains public x509 certificate metadata. The key #### Specify a custom rotation interval -* Specify a custom rotation interval using the `rotation-poll-interval` parameter. +* Specify a custom rotation interval using the [`az aks addon update`][az-aks-addon-update] command with the `rotation-poll-interval` parameter. ```azurecli-interactive az aks addon update -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider --enable-secret-rotation --rotation-poll-interval 5m A key vault certificate also contains public x509 certificate metadata. The key #### Disable autorotation -* To disable autorotation, first disable the addon. 
Then, re-enable the addon without the `enable-secret-rotation` parameter. +To disable autorotation, you first need to disable the add-on. Then, you can re-enable the add-on without the `enable-secret-rotation` parameter. -Disable the secrets provider addon: +1. Disable the secrets provider add-on using the [`az aks addon disable`][az-aks-addon-disable] command. -```azurecli-interactive -az aks addon disable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider -``` + ```azurecli-interactive + az aks addon disable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider + ``` -Re-enable the secrets provider addon, but without the `enable-secret-rotation` parameter: +2. Re-enable the secrets provider add-on without the `enable-secret-rotation` parameter using the [`az aks addon enable`][az-aks-addon-enable] command. -```bash -az aks addon enable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider -``` + ```azurecli-interactive + az aks addon enable -g myResourceGroup -n myAKSCluster2 -a azure-keyvault-secrets-provider + ``` ### Sync mounted content with a Kubernetes secret > [!NOTE]-> The YAML examples here are incomplete. You'll need to modify them to support your chosen method of access to your key vault identity. For details, see [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods]. --You might want to create a Kubernetes secret to mirror your mounted secrets content. Your secrets will sync after you start a pod to mount them. When you delete the pods that consume the secrets, your Kubernetes secret will also be deleted. --To sync mounted content with a Kubernetes secret, use the `secretObjects` field when creating a `SecretProviderClass` to define the desired state of the Kubernetes secret, as shown in the following example. 
--```yml -apiVersion: secrets-store.csi.x-k8s.io/v1 -kind: SecretProviderClass -metadata: - name: azure-sync -spec: - provider: azure - secretObjects: # [OPTIONAL] SecretObjects defines the desired state of synced Kubernetes secret objects - - data: - - key: username # data field to populate - objectName: foo1 # name of the mounted content to sync; this could be the object name or the object alias - secretName: foosecret # name of the Kubernetes secret object - type: Opaque # type of Kubernetes secret object (for example, Opaque, kubernetes.io/tls) -``` +> The YAML examples in this section are incomplete. You need to modify them to support your chosen method of access to your key vault identity. For details, see [Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver][identity-access-methods]. ++You might want to create a Kubernetes secret to mirror your mounted secrets content. Your secrets sync after you start a pod to mount them. When you delete the pods that consume the secrets, your Kubernetes secret is also deleted. ++* Sync mounted content with a Kubernetes secret using the `secretObjects` field when creating a `SecretProviderClass` to define the desired state of the Kubernetes secret, as shown in the following example YAML. ++ ```yml + apiVersion: secrets-store.csi.x-k8s.io/v1 + kind: SecretProviderClass + metadata: + name: azure-sync + spec: + provider: azure + secretObjects: # [OPTIONAL] SecretObjects defines the desired state of synced Kubernetes secret objects + - data: + - key: username # data field to populate + objectName: foo1 # name of the mounted content to sync; this could be the object name or the object alias + secretName: foosecret # name of the Kubernetes secret object + type: Opaque # type of Kubernetes secret object (for example, Opaque, kubernetes.io/tls) + ``` -> [!NOTE] -> Make sure the `objectName` in the `secretObjects` field matches the file name of the mounted content. 
If you use `objectAlias` instead, it should match the object alias. + > [!NOTE] + > Make sure the `objectName` in the `secretObjects` field matches the file name of the mounted content. If you use `objectAlias` instead, it should match the object alias. #### Set an environment variable to reference Kubernetes secrets -After creating the Kubernetes secret, you can reference it by setting an environment variable in your pod, as shown in the following example code. - > [!NOTE]-> The example YAML demonstrates access to a secret through env variables and through volume/volumeMount. This is for illustrative purposes; a typical application would use one method or the other. However, be aware that in order for a secret to be available through env variables, it first must be mounted by at least one pod. --```yml -kind: Pod -apiVersion: v1 -metadata: - name: busybox-secrets-store-inline -spec: - containers: - - name: busybox - image: registry.k8s.io/e2e-test-images/busybox:1.29-1 - command: - - "/bin/sleep" - - "10000" - volumeMounts: - - name: secrets-store01-inline - mountPath: "/mnt/secrets-store" - readOnly: true - env: - - name: SECRET_USERNAME - valueFrom: - secretKeyRef: - name: foosecret - key: username - volumes: - - name: secrets-store01-inline - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: "azure-sync" -``` +> The example YAML demonstrates access to a secret through env variables and volume/volumeMount. This is for illustrative purposes. A typical application would use one method or the other. However, be aware that in order for a secret to be available through env variables, it first must be mounted by at least one pod. ++* Reference your newly created Kubernetes secret by setting an environment variable in your pod, as shown in the following example YAML. 
++ ```yml + kind: Pod + apiVersion: v1 + metadata: + name: busybox-secrets-store-inline + spec: + containers: + - name: busybox + image: registry.k8s.io/e2e-test-images/busybox:1.29-1 + command: + - "/bin/sleep" + - "10000" + volumeMounts: + - name: secrets-store01-inline + mountPath: "/mnt/secrets-store" + readOnly: true + env: + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: foosecret + key: username + volumes: + - name: secrets-store01-inline + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "azure-sync" + ``` ## Access metrics Metrics are served via Prometheus from port 8898, but this port isn't exposed ou |Metric|Description|Tags| |-|-|-|-|keyvault_request|The distribution of how long it took to get from the key vault|`os_type=<runtime os>`, `provider=azure`, `object_name=<keyvault object name>`, `object_type=<keyvault object type>`, `error=<error if failed>`| -|grpc_request|The distribution of how long it took for the gRPC requests|`os_type=<runtime os>`, `provider=azure`, `grpc_method=<rpc full method>`, `grpc_code=<grpc status code>`, `grpc_message=<grpc status message>`| +|keyvault_request|The distribution of how long it took to get from the key vault.|`os_type=<runtime os>`, `provider=azure`, `object_name=<keyvault object name>`, `object_type=<keyvault object type>`, `error=<error if failed>`| +|grpc_request|The distribution of how long it took for the gRPC requests.|`os_type=<runtime os>`, `provider=azure`, `grpc_method=<rpc full method>`, `grpc_code=<grpc status code>`, `grpc_message=<grpc status message>`| ### The Secrets Store CSI Driver Metrics are served from port 8095, but this port isn't exposed outside the pod b |Metric|Description|Tags| |-|-|-|-|total_node_publish|The total number of successful volume mount requests|`os_type=<runtime os>`, `provider=<provider name>`| -|total_node_unpublish|The total number of successful volume unmount requests|`os_type=<runtime os>`| 
-|total_node_publish_error|The total number of errors with volume mount requests|`os_type=<runtime os>`, `provider=<provider name>`, `error_type=<error code>`| -|total_node_unpublish_error|The total number of errors with volume unmount requests|`os_type=<runtime os>`| -|total_sync_k8s_secret|The total number of Kubernetes secrets synced|`os_type=<runtime os`, `provider=<provider name>`| -|sync_k8s_secret_duration_sec|The distribution of how long it took to sync the Kubernetes secret|`os_type=<runtime os>`| -|total_rotation_reconcile|The total number of rotation reconciles|`os_type=<runtime os>`, `rotated=<true or false>`| -|total_rotation_reconcile_error|The total number of rotation reconciles with error|`os_type=<runtime os>`, `rotated=<true or false>`, `error_type=<error code>`| -|total_rotation_reconcile_error|The distribution of how long it took to rotate secrets-store content for pods|`os_type=<runtime os>`| +|total_node_publish|The total number of successful volume mount requests.|`os_type=<runtime os>`, `provider=<provider name>`| +|total_node_unpublish|The total number of successful volume unmount requests.|`os_type=<runtime os>`| +|total_node_publish_error|The total number of errors with volume mount requests.|`os_type=<runtime os>`, `provider=<provider name>`, `error_type=<error code>`| +|total_node_unpublish_error|The total number of errors with volume unmount requests.|`os_type=<runtime os>`| +|total_sync_k8s_secret|The total number of Kubernetes secrets synced.|`os_type=<runtime os`, `provider=<provider name>`| +|sync_k8s_secret_duration_sec|The distribution of how long it took to sync the Kubernetes secret.|`os_type=<runtime os>`| +|total_rotation_reconcile|The total number of rotation reconciles.|`os_type=<runtime os>`, `rotated=<true or false>`| +|total_rotation_reconcile_error|The total number of rotation reconciles with error.|`os_type=<runtime os>`, `rotated=<true or false>`, `error_type=<error code>`| +|total_rotation_reconcile_error|The 
distribution of how long it took to rotate secrets-store content for pods.|`os_type=<runtime os>`| ## Troubleshooting For generic troubleshooting steps, see [Azure Key Vault Provider for Secrets Sto ## Next steps -In this article, you learned how to use the Azure Key Vault Provider for Secrets Store CSI Driver with an AKS cluster. To learn more about the Azure Key Vault Provider for Secrets Store CSI Driver, see: +In this article, you learned how to use the Azure Key Vault Provider for Secrets Store CSI Driver with an AKS cluster. To learn more about the Azure Key Vault Provider for Secrets Store CSI Driver, see the following articles: * [Using the Azure Key Vault Provider](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/getting-started/usage/) * [Upgrading the Azure Key Vault Provider](https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/upgrading/) In this article, you learned how to use the Azure Key Vault Provider for Secrets <!-- LINKS INTERNAL --> [az-aks-create]: /cli/azure/aks#az-aks-create- [az-aks-enable-addons]: /cli/azure/aks#az-aks-enable-addons- [az-aks-disable-addons]: /cli/azure/aks#az-aks-disable-addons--[csi-storage-drivers]: ./csi-storage-drivers.md - [identity-access-methods]: ./csi-secrets-store-identity-access.md--[aad-pod-identity]: ./use-azure-ad-pod-identity.md - [aad-workload-identity]: workload-identity-overview.md- [az-keyvault-create]: /cli/azure/keyvault#az-keyvault-create.md- [az-keyvault-secret-set]: /cli/azure/keyvault#az-keyvault-secret-set.md- [az-aks-addon-update]: /cli/azure/aks#addon-update.md+[az-aks-addon-disable]: /cli/azure/aks#az-aks-addon-disable +[az-aks-addon-enable]: /cli/azure/aks#az-aks-addon-enable <!-- LINKS EXTERNAL --> [kube-csi]: https://kubernetes-csi.github.io/docs/- [reloader]: https://github.com/stakater/Reloader- [kubernetes-version-support]: ./supported-kubernetes-versions.md?tabs=azure-cli#kubernetes-version-support-policy-- |
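Review bot: In "Create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver support", the new workload-identity NOTE in step 2 is inserted between the step sentence and the base `az aks create` command, so the reader meets the `--enable-oidc-issuer --enable-workload-identity` variant before the command it is a variant of; move the NOTE after the base command's code block. In step 1 the new text links `[az-group-create]`, but no `[az-group-create]:` definition appears in the LINKS INTERNAL block at the end of this diff, while the other CLI links added in this change (`[az-aks-addon-disable]`, `[az-aks-addon-enable]`) are defined there; add `[az-group-create]: /cli/azure/group#az-group-create` if it is missing elsewhere in the file.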
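Review bot: The rewritten NOTE under "Disable the Azure Key Vault Provider for Secrets Store CSI Driver on an existing AKS cluster" changes the meaning: "existing workloads should have no issues or see any updates in the mounted secrets" reads as if workloads might still see updates, whereas the `-` line stated that they will *not* receive updates once the add-on is disabled. That is the security-relevant fact here (mounted secrets go stale and rotation stops silently), so state it plainly, for example: "existing workloads keep running but no longer receive updates to the mounted secrets; a pod that restarts or is created during a scale-up fails to start because the driver is no longer running."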
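Review bot: The first NOTE under "Enable and disable autorotation" still conditions the polling on "When the Azure Key Vault Provider for Secrets Store CSI Driver is enabled", but per the steps that follow, polling only happens once autorotation is turned on with `--enable-secret-rotation`; the condition should read "When autorotation is enabled". In "Enable autorotation on a new AKS cluster" the new wording "enable the `enable-secret-rotation` add-on" is incorrect: `--enable-secret-rotation` is a parameter of `az aks create`, and the add-on is `azure-keyvault-secrets-provider`; the `-` line ("using the `enable-secret-rotation` parameter") had this right.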
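Review bot: The "Disable autorotation" procedure now walks through `az aks addon disable` followed by `az aks addon enable` without repeating the consequences this same article states earlier: `az aks disable-addons` errors while any `SecretProviderClass` exists, and pods that restart or scale up while the add-on is off fail to start. Add a one-line warning before step 1 that points at those notes and says the toggle is disruptive, so nobody runs it against a production cluster expecting only the rotation flag to change.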
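Review bot: In the Secrets Store CSI Driver metrics table, the last two rows both carry the name `total_rotation_reconcile_error`, yet the final row's description ("The distribution of how long it took to rotate secrets-store content for pods") and its single `os_type` tag describe a duration histogram, not an error counter; the name looks copied from the row above and should be checked against the driver's metrics reference. The `total_sync_k8s_secret` row also has an unclosed tag `os_type=<runtime os` (missing `>`). Both defects were carried from the `-` lines into the `+` lines unchanged, and this wording pass over every row was the place to fix them.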
aks | Csi Secrets Store Identity Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/csi-secrets-store-identity-access.md | Title: Provide an access identity to the Azure Key Vault Provider for Secrets Store CSI Driver for Azure Kubernetes Service (AKS) secrets -description: Learn about the various methods that you can use to allow the Azure Key Vault Provider for Secrets Store CSI Driver to integrate with your Azure key vault. +description: Learn how to integrate the Azure Key Vault Provider for Secrets Store CSI Driver with your Azure key vault. Previously updated : 02/27/2023 Last updated : 07/25/2023 -# Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver +# Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver in Azure Kubernetes Service (AKS) The Secrets Store CSI Driver on Azure Kubernetes Service (AKS) provides various methods of identity-based access to your Azure key vault. This article outlines these methods and how to use them to access your key vault and its contents from your AKS cluster. For more information, see [Use the Secrets Store CSI Driver][csi-secrets-store-driver]. -Currently, the following methods of access are available: +The following access methods are available: -- Azure AD Workload identity+- Azure Active Directory (Azure AD) workload identity - User-assigned managed identity ## Access with an Azure AD workload identity -An [Azure AD workload identity][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. 
Azure Active Directory (Azure AD) then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL). +An [Azure AD workload identity][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. Azure AD then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for an Azure AD token. Your workload can exchange a service account token projected to its volume for an Azure AD token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL). > [!NOTE] > This authentication method replaces Azure AD pod-managed identity (preview). The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. ### Prerequisites -Before you begin, you must have the following prerequisites in place: +Before you begin, you must have the following prerequisites: -- An existing Key Vault.-- An active Azure Subscription.-- An existing AKS cluster with `enable-oidc-issuer` and `enable-workload-identity` enabled+- An existing key vault with Azure role-based access control (Azure RBAC) configured. For more information, see [Azure Key Vault data plane access control recommendation](../key-vault/general/rbac-access-policy.md#data-plane-access-control-recommendation). +- An active Azure subscription. 
+- An existing AKS cluster with `--enable-oidc-issuer` and `--enable-workload-identity` enabled. -Azure AD workload identity is supported on both Windows and Linux clusters. +> [!NOTE] +> Azure AD workload identity is supported on both Windows and Linux clusters. ### Configure workload identity Azure AD workload identity is supported on both Windows and Linux clusters. ```azurecli-interactive az identity create --name $UAMI --resource-group $RESOURCE_GROUP+ export USER_ASSIGNED_CLIENT_ID="$(az identity show -g $RESOURCE_GROUP --name $UAMI --query 'clientId' -o tsv)" export IDENTITY_TENANT=$(az aks show --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --query identity.tenantId -o tsv) ``` -3. You need to set an access policy that grants the workload identity permission to access the Key Vault secrets, access keys, and certificates. Assign these rights using the [`az keyvault set-policy`][az-keyvault-set-policy] command. +3. Create a role assignment that grants the workload identity permission to access the key vault secrets, access keys, and certificates using the [`az role assignment create`][az-role-assignment-create] command. ```azurecli-interactive- az keyvault set-policy -n $KEYVAULT_NAME --key-permissions get --spn $USER_ASSIGNED_CLIENT_ID - az keyvault set-policy -n $KEYVAULT_NAME --secret-permissions get --spn $USER_ASSIGNED_CLIENT_ID - az keyvault set-policy -n $KEYVAULT_NAME --certificate-permissions get --spn $USER_ASSIGNED_CLIENT_ID + export KEYVAULT_SCOPE=$(az keyvault show --name $KEYVAULT_NAME --query id -o tsv) ++ az role assignment create --role "Key Vault Administrator" --assignee $USER_ASSIGNED_CLIENT_ID --scope $KEYVAULT_SCOPE ``` 4. Get the AKS cluster OIDC Issuer URL using the [`az aks show`][az-aks-show] command. Azure AD workload identity is supported on both Windows and Linux clusters. echo $AKS_OIDC_ISSUER ``` -5. 
You need to establish a federated identity credential between the Azure AD application and the service account issuer and subject. Get the object ID of the Azure AD application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace. +5. Establish a federated identity credential between the Azure AD application and the service account issuer and subject. Get the object ID of the Azure AD application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace. ```bash export SERVICE_ACCOUNT_NAME="workload-identity-sa" # sample name; can be changed Azure AD workload identity is supported on both Windows and Linux clusters. ```bash export FEDERATED_IDENTITY_NAME="aksfederatedidentity" # can be changed as needed+ az identity federated-credential create --name $FEDERATED_IDENTITY_NAME --identity-name $UAMI --resource-group $RESOURCE_GROUP --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME} ``` Azure AD workload identity is supported on both Windows and Linux clusters. apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata:- name: azure-kvname-workload-identity # needs to be unique per namespace + name: azure-kvname-wi # needs to be unique per namespace spec: provider: azure parameters:- usePodIdentity: "false" - useVMManagedIdentity: "false" + usePodIdentity: "false" clientID: "${USER_ASSIGNED_CLIENT_ID}" # Setting this to use workload identity keyvaultName: ${KEYVAULT_NAME} # Set to the name of your key vault cloudName: "" # [OPTIONAL for Azure] if not provided, the Azure environment defaults to AzurePublicCloud Azure AD workload identity is supported on both Windows and Linux clusters. 
```bash cat <<EOF | kubectl apply -f -- # This is a sample pod definition for using SecretProviderClass and the user-assigned identity to access your key vault + # This is a sample pod definition for using SecretProviderClass and workload identity to access your key vault kind: Pod apiVersion: v1 metadata:- name: busybox-secrets-store-inline-user-msi - labels: - azure.workload.identity/use: true + name: busybox-secrets-store-inline-wi spec:- serviceAccountName: ${SERVICE_ACCOUNT_NAME} containers: - name: busybox- image: registry.k8s.io/e2e-test-images/busybox:1.29-1 + image: registry.k8s.io/e2e-test-images/busybox:1.29-4 command: - "/bin/sleep" - "10000" Azure AD workload identity is supported on both Windows and Linux clusters. driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes:- secretProviderClass: "azure-kvname-workload-identity" + secretProviderClass: "azure-kvname-wi" EOF ``` Azure AD workload identity is supported on both Windows and Linux clusters. az vm identity assign -g <resource-group> -n <agent-pool-vm> --identities <identity-resource-id> ``` -2. Grant your identity the permissions that enable it to read and view the contents of your key vault using the following [`az keyvault set-policy`][az-keyvault-set-policy] commands for each object type. +2. Create a role assignment that grants the identity permission to access the key vault secrets, access keys, and certificates using the [`az role assignment create`][az-role-assignment-create] command. 
```azurecli-interactive- # Set policy to access keys in your key vault - az keyvault set-policy -n <keyvault-name> --key-permissions get --spn <identity-client-id> -- # Set policy to access secrets in your key vault - az keyvault set-policy -n <keyvault-name> --secret-permissions get --spn <identity-client-id> + export IDENTITY_CLIENT_ID="$(az identity show -g <resource-group> --name <identity-name> --query 'clientId' -o tsv)" + export KEYVAULT_SCOPE=$(az keyvault show --name <key-vault-name> --query id -o tsv) - # Set policy to access certs in your key vault - az keyvault set-policy -n <keyvault-name> --certificate-permissions get --spn <identity-client-id> + az role assignment create --role Key Vault Administrator --assignee <identity-client-id> --scope $KEYVAULT_SCOPE ``` 3. Create a `SecretProviderClass` using the following YAML. Make sure to use your own values for `userAssignedIdentityID`, `keyvaultName`, `tenantId`, and the objects to retrieve from your key vault. Azure AD workload identity is supported on both Windows and Linux clusters. spec: containers: - name: busybox- image: registry.k8s.io/e2e-test-images/busybox:1.29-1 + image: registry.k8s.io/e2e-test-images/busybox:1.29-4 command: - "/bin/sleep" - "10000" To validate the secrets are mounted at the volume path specified in your pod's Y [workload-identity]: ./workload-identity-overview.md [az-account-set]: /cli/azure/account#az-account-set [az-identity-create]: /cli/azure/identity#az-identity-create-[az-keyvault-set-policy]: /cli/azure/keyvault#az-keyvault-set-policy +[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create |
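Review bot: the step 3 replacement widens the grant well beyond what it replaces. The removed `az keyvault set-policy` lines granted only `get` on keys, secrets and certificates, while `az role assignment create --role "Key Vault Administrator"` gives the workload identity full data-plane rights on the vault, including creating, deleting and purging secrets. A pod that only reads objects through the CSI driver should get the read-only built-in roles instead (`Key Vault Secrets User`, `Key Vault Certificate User`, and `Key Vault Crypto User` only if keys must be read), scoped to `$KEYVAULT_SCOPE` as the hunk already does.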
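Review bot: in the step 2 hunk of the user-assigned identity section, `--role Key Vault Administrator` is unquoted, so the shell splits the role name into three arguments and the command fails; quote it as the earlier hunk does (`--role "Key Vault Administrator"`). The same hunk exports `IDENTITY_CLIENT_ID` and then never uses it, passing the `<identity-client-id>` placeholder to `--assignee` instead; use `--assignee $IDENTITY_CLIENT_ID`. The least-privilege concern raised for step 3 applies here as well.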
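Review bot: as rendered, the pod hunk removes `serviceAccountName: ${SERVICE_ACCOUNT_NAME}` together with the `azure.workload.identity/use` label and adds no replacement. The Secrets Store CSI driver requests a token for the pod's service account, so the pod now runs as the namespace's `default` account, whose subject does not match the federated credential created in step 5 (`system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}`); the token exchange is rejected and the volume does not mount. Keep `serviceAccountName` in the pod spec; the label alone is not what the driver keys on.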
aks | Limit Egress Traffic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/limit-egress-traffic.md | For information on how to override Azure's default system routes or add addition This section covers three network rules and an application rule you can use to configure on your firewall. You may need to adapt these rules based on your deployment. * The first network rule allows access to port 9000 via TCP.-* The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US. +* The second network rule allows access to port 1194 and 123 via UDP. If you're deploying to Microsoft Azure operated by 21Vianet, see the [Azure operated by 21Vianet required network rules](./outbound-rules-control-egress.md#microsoft-azure-operated-by-21vianet-required-network-rules). Both these rules will only allow traffic destined to the Azure Region CIDR in this article, which is East US. * The third network rule opens port 123 to `ntp.ubuntu.com` FQDN via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, so you'll need to adapt it when using your own options. * The application rule covers all needed FQDNs accessible through TCP port 443 and port 80. |
aks | Nat Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/nat-gateway.md | This article shows you how to create an Azure Kubernetes Service (AKS) cluster w ``` > [!IMPORTANT]- > Zonal configuration for your NAT gateway resource can be done with user-assigned NAT gateway resources. See [Create an AKS cluster with a user-assigned NAT gateway](#create-an-aks-cluster-with-a-user-assigned-nat-gateway] for more details. + > Zonal configuration for your NAT gateway resource can be done with user-assigned NAT gateway resources. See [Create an AKS cluster with a user-assigned NAT gateway](#create-an-aks-cluster-with-a-user-assigned-nat-gateway) for more details. > If no value for the outbound IP address is specified, the default value is one. ### Update the number of outbound IP addresses |
app-service | Tutorial Java Tomcat Connect Managed Identity Postgresql Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-java-tomcat-connect-managed-identity-postgresql-database.md | Title: 'Tutorial: Access data with managed identity in Java' description: Secure Azure Database for PostgreSQL connectivity with managed identity from a sample Java Tomcat app, and apply it to other Azure services. ms.devlang: java Previously updated : 09/26/2022 Last updated : 08/14/2023 -[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service in Azure. It also provides a [managed identity](overview-managed-identity.md) for your app, which is a turn-key solution for securing access to [Azure Database for PostgreSQL](../postgresql/index.yml) and other Azure services. Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the environment variables. In this tutorial, you will learn how to: +[Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service in Azure. It also provides a [managed identity](overview-managed-identity.md) for your app, which is a turn-key solution for securing access to [Azure Database for PostgreSQL](../postgresql/index.yml) and other Azure services. Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the environment variables. In this tutorial, you learn how to: > [!div class="checklist"] > * Create a PostgreSQL database. cd Passwordless-Connections-for-Java-Apps/Tomcat/ ## Create an Azure Database for PostgreSQL -Follow these steps to create an Azure Database for Postgres in your subscription. The Spring Boot app will connect to this database and store its data when running, persisting the application state no matter where you run the application. 
+Follow these steps to create an Azure Database for Postgres in your subscription. The Spring Boot app connects to this database and store its data when running, persisting the application state no matter where you run the application. 1. Sign into the Azure CLI, and optionally set your subscription if you have more than one connected to your login credentials. Follow these steps to create an Azure Database for Postgres in your subscription 1. Create an Azure Resource Group, noting the resource group name. ```azurecli-interactive- RESOURCE_GROUP=<resource-group-name> - LOCATION=eastus + export RESOURCE_GROUP=<resource-group-name> + export LOCATION=eastus az group create --name $RESOURCE_GROUP --location $LOCATION ``` -1. Create an Azure Database for PostgreSQL server. The server is created with an administrator account, but it won't be used because we'll use the Azure Active Directory (Azure AD) admin account to perform administrative tasks. +1. Create an Azure Database for PostgreSQL server. The server is created with an administrator account, but it isn't used because we're going to use the Azure Active Directory (Azure AD) admin account to perform administrative tasks. ### [Flexible Server](#tab/flexible) ```azurecli-interactive- POSTGRESQL_ADMIN_USER=azureuser + export POSTGRESQL_ADMIN_USER=azureuser # PostgreSQL admin access rights won't be used because Azure AD authentication is leveraged to administer the database.- POSTGRESQL_ADMIN_PASSWORD=<admin-password> - POSTGRESQL_HOST=<postgresql-host-name> + export POSTGRESQL_ADMIN_PASSWORD=<admin-password> + export POSTGRESQL_HOST=<postgresql-host-name> # Create a PostgreSQL server. 
az postgres flexible-server create \ Follow these steps to create an Azure Database for Postgres in your subscription --admin-user $POSTGRESQL_ADMIN_USER \ --admin-password $POSTGRESQL_ADMIN_PASSWORD \ --public-access 0.0.0.0 \- --sku-name Standard_D2s_v3 + --sku-name Standard_D2s_v3 ``` ### [Single Server](#tab/single) ```azurecli-interactive- POSTGRESQL_ADMIN_USER=azureuser + export POSTGRESQL_ADMIN_USER=azureuser # PostgreSQL admin access rights won't be used because Azure AD authentication is leveraged to administer the database.- POSTGRESQL_ADMIN_PASSWORD=<admin-password> - POSTGRESQL_HOST=<postgresql-host-name> + export POSTGRESQL_ADMIN_PASSWORD=<admin-password> + export POSTGRESQL_HOST=<postgresql-host-name> # Create a PostgreSQL server. az postgres server create \ Follow these steps to create an Azure Database for Postgres in your subscription --location $LOCATION \ --admin-user $POSTGRESQL_ADMIN_USER \ --admin-password $POSTGRESQL_ADMIN_PASSWORD \- --public-network-access 0.0.0.0 \ - --sku-name B_Gen5_1 + --public-access 0.0.0.0 \ + --sku-name B_Gen5_1 ``` 1. Create a database for the application. Follow these steps to create an Azure Database for Postgres in your subscription ### [Flexible Server](#tab/flexible) ```azurecli-interactive- DATABASE_NAME=checklist + export DATABASE_NAME=checklist az postgres flexible-server db create \ --resource-group $RESOURCE_GROUP \ Follow these steps to create an Azure Database for Postgres in your subscription ### [Single Server](#tab/single) ```azurecli-interactive- DATABASE_NAME=checklist + export DATABASE_NAME=checklist az postgres db create \ --resource-group $RESOURCE_GROUP \ Follow these steps to build a WAR file and deploy to Azure App Service on Tomcat 1. Create an Azure App Service resource on Linux using Tomcat 9.0. 
```azurecli-interactive- APPSERVICE_PLAN=<app-service-plan> - APPSERVICE_NAME=<app-service-name> + export APPSERVICE_PLAN=<app-service-plan> + export APPSERVICE_NAME=<app-service-name> # Create an App Service plan az appservice plan create \ --resource-group $RESOURCE_GROUP \ Follow these steps to build a WAR file and deploy to Azure App Service on Tomcat --resource-group $RESOURCE_GROUP \ --name $APPSERVICE_NAME \ --plan $APPSERVICE_PLAN \- --runtime "TOMCAT:9.0-jre8" + --runtime "TOMCAT:10.0-java11" ``` 1. Deploy the WAR package to App Service. Then, connect your app to a Postgres database with a system-assigned managed ide ### [Flexible Server](#tab/flexible) -To do this, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres-flexible) command. +To make this connection, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres-flexible) command. ```azurecli-interactive az webapp connection create postgres-flexible \ az webapp connection create postgres-flexible \ --target-resource-group $RESOURCE_GROUP \ --server $POSTGRESQL_HOST \ --database $DATABASE_NAME \- --system-identity + --system-identity \ + --client-type java ``` ### [Single Server](#tab/single) -To do this, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres) command. +To make this connection, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-postgres) command. ```azurecli-interactive az webapp connection create postgres \ az webapp connection create postgres \ --target-resource-group $RESOURCE_GROUP \ --server $POSTGRESQL_HOST \ --database $DATABASE_NAME \- --system-identity + --system-identity \ + --client-type java ``` -This command creates a connection between your web app and your PostgreSQL server, and manages authentication through a system-assigned managed identity. 
-## View sample web app +This command creates a connection between your web app and your PostgreSQL server, and manages authentication through a system-assigned managed identity. -Run the following command to open the deployed web app in your browser. +Next, update App Settings and add plugin in connection string ```azurecli-interactive-az webapp browse \ +export AZURE_POSTGRESQL_CONNECTIONSTRING=$(\ + az webapp config appsettings list \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + | jq -c -r '.[] \ + | select ( .name == "AZURE_POSTGRESQL_CONNECTIONSTRING" ) \ + | .value') ++az webapp config appsettings set \ --resource-group $RESOURCE_GROUP \- --name MyWebapp \ - --name $APPSERVICE_NAME + --name $APPSERVICE_NAME \ + --settings 'CATALINA_OPTS=-DdbUrl="'"${AZURE_POSTGRESQL_CONNECTIONSTRING}"'&authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin"' +``` ++## Test the sample web app ++Run the following command to test the application. ++```bash +export WEBAPP_URL=$(az webapp show \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + --query defaultHostName \ + --output tsv) ++# Create a list +curl -X POST -H "Content-Type: application/json" -d '{"name": "list1","date": "2022-03-21T00:00:00","description": "Sample checklist"}' https://${WEBAPP_URL}/checklist ++# Create few items on the list 1 +curl -X POST -H "Content-Type: application/json" -d '{"description": "item 1"}' https://${WEBAPP_URL}/checklist/1/item +curl -X POST -H "Content-Type: application/json" -d '{"description": "item 2"}' https://${WEBAPP_URL}/checklist/1/item +curl -X POST -H "Content-Type: application/json" -d '{"description": "item 3"}' https://${WEBAPP_URL}/checklist/1/item ++# Get all lists +curl https://${WEBAPP_URL}/checklist ++# Get list 1 +curl https://${WEBAPP_URL}/checklist/1 ``` [!INCLUDE [cli-samples-clean-up](../../includes/cli-samples-clean-up.md)] |
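Review bot: on the Single Server tab, the rename of `--public-network-access 0.0.0.0` to `--public-access 0.0.0.0` looks wrong. `--public-access` is a parameter of `az postgres flexible-server create`; `az postgres server create` (single server) takes `--public-network-access`. Keep the original flag on this tab; the Flexible Server tab above is unaffected.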
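Review bot: the new App Settings hunk depends on `jq` to extract `AZURE_POSTGRESQL_CONNECTIONSTRING`, which the tutorial's prerequisites never mention; `az webapp config appsettings list --resource-group $RESOURCE_GROUP --name $APPSERVICE_NAME --query "[?name=='AZURE_POSTGRESQL_CONNECTIONSTRING'].value" -o tsv` does the same with the CLI alone. The appended `&authenticationPluginClassName=...` also assumes the stored connection string already carries a `?` query string; state that assumption next to the command, since a URL without one would be malformed.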
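Review bot: in the test hunk, the item-creation calls hard-code `/checklist/1/item`, which only holds on a fresh database where the first `curl -X POST` gets id `1`; capture the id from the POST response (or query `/checklist` first) so the steps are repeatable. Two wording fixes in the same patch: `# Create few items on the list 1` should read `# Create a few items on list 1`, and the rewritten intro line `The Spring Boot app connects to this database and store its data` needs `stores`.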
application-gateway | How To Backend Mtls Gateway Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/how-to-backend-mtls-gateway-api.md | RESOURCE_NAME='alb-test' RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv) FRONTEND_NAME='frontend'+az network alb frontend create -g $RESOURCE_GROUP -n $FRONTEND_NAME --alb-name $AGFC_NAME ``` 2. Create a Gateway |
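Review bot: the added `az network alb frontend create` line references `$AGFC_NAME`, which is not defined in this snippet; the surrounding lines name the resource `RESOURCE_NAME='alb-test'` and pass `--name $RESOURCE_NAME` to `az network alb show`. Use `--alb-name $RESOURCE_NAME` (or define `AGFC_NAME` with the other variables) so the command does not fail with an empty argument.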
application-gateway | Quickstart Deploy Application Gateway For Containers Alb Controller | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller.md | You need to complete the following tasks prior to deploying Application Gateway ## Install the ALB Controller -1. Create a user managed identity for ALB controller and federate the identity as Pod Identity to use in the AKS cluster. +1. Create a user managed identity for ALB controller and federate the identity as Workload Identity to use in the AKS cluster. ```azurecli-interactive RESOURCE_GROUP='<your resource group name>' |
automation | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/change-tracking/overview.md | The following table shows the tracked item limits per machine for Change Trackin |Services|250| |Daemons|250| -The average Log Analytics data usage for a machine using Change Tracking and Inventory is approximately 40 MB per month, depending on your environment. With the Usage and Estimated Costs feature of the Log Analytics workspace, you can view the data ingested by Change Tracking and Inventory in a usage chart. Use this data view to evaluate your data usage and determine how it affects your bill. See [Understand your usage and estimate costs](../../azure-monitor/logs/usage-estimated-costs.md#Understand your usage and optimize your pricing tier). +The average Log Analytics data usage for a machine using Change Tracking and Inventory is approximately 40 MB per month, depending on your environment. With the Usage and Estimated Costs feature of the Log Analytics workspace, you can view the data ingested by Change Tracking and Inventory in a usage chart. Use this data view to evaluate your data usage and determine how it affects your bill. See [Understand your usage and estimate costs](../../azure-monitor/usage-estimated-costs.md). ### Windows services data |
azure-arc | Extensions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/extensions.md | The following parameters are required when using `az k8s-extension create` to cr | `--cluster-type` | The cluster type on which the extension instance has to be created. For most scenarios, use `connectedClusters`, which corresponds to Azure Arc-enabled Kubernetes clusters. | > [!NOTE]-> When working with [AKS hybrid clusters provisioned from Azure](#aks-hybrid-clusters-provisioned-from-azure-preview, you must set `--cluster-type` to use `provisionedClusters` and also add `--cluster-resource-provider microsoft.hybridcontainerservice` to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview. +> When working with [AKS hybrid clusters provisioned from Azure](#aks-hybrid-clusters-provisioned-from-azure-preview), you must set `--cluster-type` to use `provisionedClusters` and also add `--cluster-resource-provider microsoft.hybridcontainerservice` to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview. ### Optional parameters |
azure-arc | Onboard Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-powershell.md | If you don't have an Azure subscription, create a [free account](https://azure.m - A machine with Azure PowerShell. For instructions, see [Install and configure Azure PowerShell](/powershell/azure/). -You use PowerShell to manage VM extensions on your hybrid servers managed by Azure Arc-enabled servers. Before using PowerShell, install the `Az.ConnectedMachine` module. Run the following command on your server enabled with Azure Arc: +You use PowerShell to manage VM extensions on your hybrid servers managed by Azure Arc-enabled servers. Before using PowerShell, install the `Az.ConnectedMachine` module on the server you want to Arc-enable. Run the following command on your server enabled with Azure Arc: ```powershell Install-Module -Name Az.ConnectedMachine |
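Review bot: the rewritten sentence contradicts itself: it says to install `Az.ConnectedMachine` `on the server you want to Arc-enable` and then to run the command `on your server enabled with Azure Arc`. Since the module is what performs the onboarding, the machine is not yet Arc-enabled at that point; drop the second clause or state once where the command is run.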
azure-functions | Dotnet Isolated In Process Differences | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/dotnet-isolated-in-process-differences.md | Use the following table to compare feature and functional differences between th | Dependency injection | [Supported](functions-dotnet-dependency-injection.md) | [Supported](dotnet-isolated-process-guide.md#dependency-injection) (improved model consistent with .NET ecosystem) | | Middleware | Not supported | [Supported](dotnet-isolated-process-guide.md#middleware) | | Logging | [ILogger] passed to the function<br/>[ILogger<T>] via [dependency injection](functions-dotnet-dependency-injection.md) | [ILogger<T>]/[ILogger] obtained from [FunctionContext](/dotnet/api/microsoft.azure.functions.worker.functioncontext) or via [dependency injection](dotnet-isolated-process-guide.md#dependency-injection)|-| Application Insights dependencies | [Supported](functions-monitoring.md#dependencies) | [Supported (public preview)](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.ApplicationInsights) | +| Application Insights dependencies | [Supported](functions-monitoring.md#dependencies) | [Supported](./dotnet-isolated-process-guide.md#application-insights) | | Cancellation tokens | [Supported](functions-dotnet-class-library.md#cancellation-tokens) | [Supported](dotnet-isolated-process-guide.md#cancellation-tokens) | | Cold start times<sup>2</sup> | (Baseline) | Additionally includes process launch | | ReadyToRun | [Supported](functions-dotnet-class-library.md#readytorun) | [Supported](dotnet-isolated-process-guide.md#readytorun) | |
azure-functions | Dotnet Isolated Process Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/dotnet-isolated-process-guide.md | var host = new HostBuilder() ### Application Insights -You can configure your isolated process application to emit logs directly [Application Insights](../azure-monitor/app/app-insights-overview.md?tabs=net), giving you control over how those logs are emitted. This replaces the default behavior of [relaying custom logs through the host](./configure-monitoring.md#custom-application-logs). To work with Application Insights directly, you will need to add a reference to [Microsoft.Azure.Functions.Worker.ApplicationInsights, version 1.0.0-preview5 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.ApplicationInsights/). You will also need to reference [Microsoft.ApplicationInsights.WorkerService](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService). Add these packages to your isolated process project: +You can configure your isolated process application to emit logs directly [Application Insights](../azure-monitor/app/app-insights-overview.md?tabs=net), giving you control over how those logs are emitted. This replaces the default behavior of [relaying custom logs through the host](./configure-monitoring.md#custom-application-logs). To work with Application Insights directly, you will need to add a reference to [Microsoft.Azure.Functions.Worker.ApplicationInsights, version 1.0.0 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.ApplicationInsights/). You will also need to reference [Microsoft.ApplicationInsights.WorkerService](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService). Add these packages to your isolated process project: ```dotnetcli dotnet add package Microsoft.ApplicationInsights.WorkerService |
azure-functions | Functions Bindings Event Grid Output | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-bindings-event-grid-output.md | Title: Azure Event Grid output binding for Azure Functions description: Learn to send an Event Grid event in Azure Functions. Previously updated : 03/04/2022 Last updated : 08/10/2023 ms.devlang: csharp, java, javascript, powershell, python zone_pivot_groups: programming-languages-set-functions-lang-workers When using the Connection property, the `topicEndpointUri` must be specified as ``` When deployed, use the application settings to store this information. +## Authenticating the Event Grid output binding + [!INCLUDE [functions-event-grid-connections](../../includes/functions-event-grid-connections.md)] # [Isolated process](#tab/isolated-process) |
azure-functions | Functions Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/functions-reference.md | Title: Guidance for developing Azure Functions description: Learn the Azure Functions concepts and techniques that you need to develop functions in Azure, across all programming languages and bindings. ms.assetid: d8efe41a-bef8-4167-ba97-f3e016fcd39e Previously updated : 11/11/2022 Last updated : 08/10/2023 ms.devlang: csharp The following components support identity-based connections: | Azure SQL Database | All | [Connect a function app to Azure SQL with managed identity and SQL bindings][azuresql-identity] | Azure Event Hubs triggers and bindings | All | [Azure Event Hubs extension version 5.0.0 or later][eventhubv5],<br/>[Extension bundle 3.3.0 or later][eventhubv5] | | Azure Service Bus triggers and bindings | All | [Azure Service Bus extension version 5.0.0 or later][servicebusv5],<br/>[Extension bundle 3.3.0 or later][servicebusv5] |+| Azure Event Grid output binding | All | [Azure Event Grid extension version 3.3.0 or later][eventgrid],<br/>[Extension bundle 3.3.0 or later][eventgrid] | | Azure Cosmos DB triggers and bindings | All | [Azure Cosmos DB extension version 4.0.0 or later][cosmosv4],<br/> [Extension bundle 4.0.2 or later][cosmosv4]| | Azure SignalR triggers and bindings | All | [Azure SignalR extension version 1.7.0 or later][signalr] <br/>[Extension bundle 3.6.1 or later][signalr] | | Durable Functions storage provider (Azure Storage) | All | [Durable Functions extension version 2.7.0 or later][durable-identity],<br/>[Extension bundle 3.3.0 or later][durable-identity] | The following components support identity-based connections: [queuev5]: ./functions-bindings-storage-queue.md#storage-extension-5x-and-higher [eventhubv5]: ./functions-bindings-event-hubs.md?tabs=extensionv5 [servicebusv5]: ./functions-bindings-service-bus.md+[eventgrid]: ./functions-bindings-event-grid.md?tabs=extensionv3 [cosmosv4]: 
./functions-bindings-cosmosdb-v2.md?tabs=extensionv4 [tablesv1]: ./functions-bindings-storage-table.md#table-api-extension [signalr]: ./functions-bindings-signalr-service.md#install-extension Choose a tab below to learn about permissions for each component: [!INCLUDE [functions-service-bus-permissions](../../includes/functions-service-bus-permissions.md)] +# [Event Grid extension](#tab/eventgrid) ++ # [Azure Cosmos DB extension](#tab/cosmos) [!INCLUDE [functions-cosmos-permissions](../../includes/functions-cosmos-permissions.md)] |
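Review bot: the new `# [Event Grid extension](#tab/eventgrid)` tab has an empty body, whereas every neighbouring tab carries an `[!INCLUDE [...]]` describing the permissions the identity needs; readers selecting the tab will see nothing. Add the Event Grid permissions include (or a sentence on the role required to publish to the topic) before the Cosmos DB tab. The table row added above it and its `[eventgrid]` link definition look correct.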
azure-functions | Security Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/security-concepts.md | By default, keys are stored in a Blob storage container in the account provided |||| |Second storage account | `blob` | Stores keys in Blob storage of a different storage account, based on the SAS URL in [AzureWebJobsSecretStorageSas](functions-app-settings.md#azurewebjobssecretstoragesas). | |File system | `files` | Keys are persisted on the file system, which is the default in Functions v1.x. |-|Azure Key Vault | `keyvault` | The key vault set in [AzureWebJobsSecretStorageKeyVaultUri](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) is used to store keys. To learn more, see [Use Key Vault references for Azure Functions](../app-service/app-service-key-vault-references.md?toc=/azure/azure-functions/toc.json). | +|Azure Key Vault | `keyvault` | The key vault set in [AzureWebJobsSecretStorageKeyVaultUri](functions-app-settings.md#azurewebjobssecretstoragekeyvaulturi) is used to store keys. | |Kubernetes Secrets |`kubernetes` | The resource set in [AzureWebJobsKubernetesSecretName](functions-app-settings.md#azurewebjobskubernetessecretname) is used to store keys. Supported only when running the Functions runtime in Kubernetes. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.| When using Key Vault for key storage, the app settings you need depend on the managed identity type. Functions runtime version 3.x only supports system-assigned managed identities. |
azure-functions | Storage Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/storage-considerations.md | Azure Functions requires an Azure Storage account when you create a function app ||| | [Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md) | Maintain bindings state and function keys<sup>1</sup>. <br/>Used by default for [task hubs in Durable Functions](durable/durable-functions-task-hubs.md). <br/>May be used to store function app code for [Linux Consumption remote build](functions-deployment-technologies.md#remote-build) or as part of [external package URL deployments](functions-deployment-technologies.md#external-package-url). | | [Azure Files](../storage/files/storage-files-introduction.md)<sup>2</sup> | File share used to store and run your function app code in a [Consumption Plan](consumption-plan.md) and [Premium Plan](functions-premium-plan.md). <br/> |-| [Azure Queue Storage](../storage/queues/storage-queues-introduction.md) | Used by default for [task hubs in Durable Functions](durable/durable-functions-task-hubs.md). Used for failure and retry handling in [specific Azure Functions triggers](./functions-bindings-storage-blob-trigger.md). | +| [Azure Queue Storage](../storage/queues/storage-queues-introduction.md) | Used by default for [task hubs in Durable Functions](durable/durable-functions-task-hubs.md). Used for failure and retry handling in [specific Azure Functions triggers](./functions-bindings-storage-blob-trigger.md). Used for object tracking by the [Blob Storage trigger](functions-bindings-storage-blob-trigger.md). | | [Azure Table Storage](../storage/tables/table-storage-overview.md) | Used by default for [task hubs in Durable Functions](durable/durable-functions-task-hubs.md). | <sup>1</sup> Blob storage is the default store for function keys, but you can [configure an alternate store](./security-concepts.md#secret-repositories). 
Learn more about Azure Functions hosting options. > [!div class="nextstepaction"] > [Azure Functions scale and hosting](functions-scale.md) -[listKeys operation]: /rest/api/storagerp/storage-accounts/list-keys +[listKeys operation]: /rest/api/storagerp/storage-accounts/list-keys |
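Review bot: the expanded Queue Storage row now links to `functions-bindings-storage-blob-trigger.md` twice in adjacent sentences (`specific Azure Functions triggers` and `Blob Storage trigger`); fold them into one, for example `Used by the [Blob Storage trigger](functions-bindings-storage-blob-trigger.md) for object tracking and for failure and retry handling.`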
azure-maps | Azure Maps Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/azure-maps-authentication.md | Shared access signature (SAS) tokens are authentication tokens created using the Functional key differences of SAS token from Azure AD Access tokens: -- Lifetime of a token for a max expiration of one year (365 days).+- Lifetime of a token for a max expiration of one day (24 hours). - Azure location and geography access control per token. - Rate limits per token for an approximate of 1 to 500 requests per second. - Private keys of the token are the primary and secondary keys of an Azure Maps account resource. SAS token parameters: | regions | `[ "eastus", "westus2", "westcentralus" ]` | Optional, the default value is `null`. The regions control which regions the SAS token can be used in the Azure Maps REST [data-plane] API. Omitting regions parameter allows the SAS token to be used without any constraints. When used in combination with an Azure Maps data-plane geographic endpoint like `us.atlas.microsoft.com` and `eu.atlas.microsoft.com` allows the application to control usage with-in the specified geography. This allows prevention of usage in other geographies. | | maxRatePerSecond | 500 | Required, the specified approximate maximum request per second which the SAS token is granted. Once the limit is reached, more throughput is rate limited with HTTP status code `429 (TooManyRequests)`. | | start | `2021-05-24T10:42:03.1567373Z` | Required, a UTC date that specifies the date and time the token becomes active. |-| expiry | `2021-05-24T11:42:03.1567373Z` | Required, a UTC date that specifies the date and time the token expires. The duration between start and expiry can't be more than 365 days. | +| expiry | `2021-05-24T11:42:03.1567373Z` | Required, a UTC date that specifies the date and time the token expires. The duration between start and expiry can't be more than 24 hours. 
| ### Configuring application with SAS token |
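Review bot: the lifetime reduction from 365 days to 24 hours is applied consistently in the bullet list and in the `expiry` row, but the table documents the response when `maxRatePerSecond` is exceeded (`429 (TooManyRequests)`) and says nothing about how a token request is handled when `expiry` minus `start` exceeds 24 hours; add the rejection behaviour next to the new limit, and a line on the operational consequence (callers that depended on long-lived SAS tokens now need a refresh path, which also means a shorter exposure window if a token leaks). Also check the `+` expiry row is still terminated: the `-` row ended with ` |` while the `+` row ends at "24 hours." and the closing pipe appears to have moved to the next line.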
azure-maps | Creator Onboarding Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/creator-onboarding-tool.md | + + Title: Create indoor map with onboarding tool ++description: This article describes how to create an indoor map using the onboarding tool ++ Last updated : 08/15/2023+++++++# Create indoor map with the onboarding tool ++This article demonstrates how to create an indoor map using the Azure Maps Creator onboarding tool. ++## Prerequisites ++- A basic understanding of Creator. For an overview, see [What is Azure Maps Creator?] +- A drawing package. For more information, see [Drawing package requirements]. ++> [!NOTE] +> The drawing package used in this article is the [Sample - Contoso Drawing Package]. ++## Get started ++The following steps demonstrate how to create an indoor map in your Azure Maps account using the [Azure Maps Creator onboarding tool]. The `MapConfigurationId` property is created during the onboarding process and is used to reference the map in your application. For more information, see [The Map Configuration ID]. ++1. Import the drawing package into your Azure Maps account using the [Azure Maps Creator onboarding tool]. ++ :::image type="content" source="./media/creator-indoor-maps/onboarding-tool/create-manifest.png" alt-text="Screenshot showing the process file screen of the Azure Maps Creator onboarding tool."::: ++ > [!TIP] + > If your drawing package doesn't contain a manifest, [The Drawing Package Guide] describes how to create one. ++1. Once your drawing package has been processed, select the **Create + Download** button to begin creating the indoor map. ++ :::image type="content" source="./media/creator-indoor-maps/onboarding-tool/select-review-create.png" alt-text="Screenshot showing the Review + Create screen of the Azure Maps Creator onboarding tool, with the Create + Download button highlighted."::: ++1. The first step in this process uploads the package into the Azure Maps account. 
++ :::image type="content" source="./media/creator-indoor-maps/onboarding-tool/package-upload.png" alt-text="Screenshot showing the package upload screen of the Azure Maps Creator onboarding tool."::: ++<!-- + > [!NOTE] + > If the manifest included in the drawing package is incomplete or contains errors, the onboarding tool will not go directly to the **Review + Create** tab, but instead goes to the tab where you are best able to address the issue. +--> ++1. Once the package is uploaded, the onboarding tool uses the [Conversion service] to validate the data then convert the geometry and data from the drawing package into a digital indoor map. For more information about the conversion process, see [Convert a drawing package] in the Creator concepts article. ++ :::image type="content" source="./media/creator-indoor-maps/onboarding-tool/package-conversion.png" alt-text="Screenshot showing the package conversion screen of the Azure Maps Creator onboarding tool, including the Conversion ID value."::: ++1. The next step in the process is to create the [dataset]. Datasets contain a collection of [features] within the facility. ++ :::image type="content" source="./media/creator-indoor-maps/onboarding-tool/dataset-creation.png" alt-text="Screenshot showing the dataset-creation screen of the Azure Maps Creator onboarding tool, including the dataset ID value."::: ++1. The dataset is used to create a [tileset]. Tilesets are a lightweight storage format used by Azure Maps when rendering map data. ++ :::image type="content" source="./media/creator-indoor-maps/onboarding-tool/tileset-creation.png" alt-text="Screenshot showing the tileset creation screen of the Azure Maps Creator onboarding tool, including the Map Configuration ID value."::: ++ > [!IMPORTANT] + > The `MapConfigurationId` is created as a part of the tileset creation process and is required to reference the indoor map in your applications. Make sure to make a copy of it for future reference. ++1. 
The indoor map is created and displayed as a preview. ++ :::image type="content" source="./media/creator-indoor-maps/onboarding-tool/map.png" alt-text="Screenshot showing the map screen of the Azure Maps Creator onboarding tool."::: ++Your indoor map is created and stored in your Azure Maps account and is now ready to be used in your applications. ++### The Map Configuration ID ++ The `MapConfigurationId` property created as a part of the tileset creation process in step 6. This property is required to reference the indoor map in your application code. Make sure to make a copy of it for future reference. ++## Next steps ++Integrate the indoor map into your applications using the Web SDK. ++> [!div class="nextstepaction"] +> [Use the Azure Maps Indoor Maps module] ++[Azure Maps Creator onboarding tool]: https://azure.github.io/azure-maps-creator-onboarding-tool +[Conversion service]: /rest/api/maps/v2/conversion +[Convert a drawing package]: creator-indoor-maps.md#convert-a-drawing-package +[dataset]: creator-indoor-maps.md#datasets +[Drawing package requirements]: drawing-requirements.md?pivots=drawing-package-v2 +[features]: glossary.md#feature +[Sample - Contoso Drawing Package]: https://github.com/Azure-Samples/am-creator-indoor-data-examples/blob/master/Drawing%20Package%202.0/Sample%20-%20Contoso%20Drawing%20Package.zip +[The Drawing Package Guide]: drawing-package-guide.md?pivots=drawing-package-v2#the-azure-maps-creator-onboarding-tool +[The Map Configuration ID]: #the-map-configuration-id +[tileset]: creator-indoor-maps.md#tilesets +[Use the Azure Maps Indoor Maps module]: how-to-use-indoor-module.md +[What is Azure Maps Creator?]: about-creator.md |
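Review bot: under "### The Map Configuration ID" the sentence "The `MapConfigurationId` property created as a part of the tileset creation process in step 6." has no main verb; suggest "is created as a part of". It also repeats the IMPORTANT callout after the tileset step nearly word for word, so one of the two could simply point at the other. The `<!-- > [!NOTE] ... -->` block about incomplete manifests ships as dead source; either restore it once the behaviour is confirmed or remove it. Because every list item is written as "1." and relies on auto-numbering, "step 6" is fragile; naming the step ("the tileset creation step") is more robust, even though a count confirms it is correct today.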
azure-maps | Drawing Requirements | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/drawing-requirements.md | You can see an example of the ZoneLabel layer in the [sample drawing package]. The zip folder must contain a manifest file at the root level of the directory, and the file must be named **manifest.json**. It describes the DWG files to allow the [Conversion service] to parse their content. Only the files identified by the manifest are ingested. Files that are in the zip folder, but aren't properly listed in the manifest, are ignored. -The file paths in the `buildingLevels` object of the manifest file must be relative to the root of the zip folder. The DWG file name must exactly match the name of the facility level. For example, a DWG file for the "Basement" level is "Basement.dwg." A DWG file for level 2 is named as "level_2.dwg." Use an underscore, if your level name has a space. - Although there are requirements when you use the manifest objects, not all objects are required. The following table shows the required and optional objects for version 1.1 of the [Conversion service]. >[!NOTE] |
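Review bot: the removed paragraph was the only text in this hunk stating that `buildingLevels` paths are relative to the zip root and that a DWG file name must match its level name (`Basement.dwg`, `level_2.dwg`, underscore for spaces). If those constraints still apply to the Conversion service, make sure they remain documented in the manifest object table or in the `buildingLevels` description so readers keep a documented source for the naming rule; if they were dropped with version 1.1, a one-line note saying so would help readers migrating from the older guidance.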
azure-monitor | Data Security | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/data-security.md | To ensure the security of data in transit to Azure Monitor, we strongly encourag The [PCI Security Standards Council](https://www.pcisecuritystandards.org/) has set a [deadline of June 30, 2018](https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Migrating_from_SSL_and_Early_TLS_Resource_Guide.pdf) to disable older versions of TLS/SSL and upgrade to more secure protocols. Once Azure drops legacy support, if your agents can't communicate over at least TLS 1.2 you won't be able to send data to Azure Monitor Logs. -We recommend you do NOT explicit set your agent to only use TLS 1.2 unless absolutely necessary. Allowing the agent to automatically detect, negotiate, and take advantage of future security standards is preferable. Otherwise you may miss the added security of the newer standards and possibly experience problems if TLS 1.2 is ever deprecated in favor of those newer standards. +We recommend you do NOT explicit set your agent to only use TLS 1.2 unless necessary. Allowing the agent to automatically detect, negotiate, and take advantage of future security standards is preferable. Otherwise you may miss the added security of the newer standards and possibly experience problems if TLS 1.2 is ever deprecated in favor of those newer standards. ### Platform-specific guidance After your data is ingested by Azure Monitor, the data is kept logically separat ## Data retention Indexed log search data is stored and retained according to your pricing plan. For more information, see [Log Analytics Pricing](https://azure.microsoft.com/pricing/details/log-analytics/). -As part of your [subscription agreement](https://azure.microsoft.com/support/legal/subscription-agreement/), Microsoft will retain your data per the terms of the agreement. When customer data is removed, no physical drives are destroyed. 
+As part of your [subscription agreement](https://azure.microsoft.com/support/legal/subscription-agreement/), Microsoft retains your data per the terms of the agreement. When customer data is removed, no physical drives are destroyed. The following table lists some of the available solutions and provides examples of the type of data they collect. Azure Monitor has an incident management process that all Microsoft services adh * Manage Azure security incidents: * Start an investigation upon detection of an incident * Assess the impact and severity of an incident by an on-call incident response team member. Based on evidence, the assessment may or may not result in further escalation to the security response team.- * Diagnose an incident by security response experts to conduct the technical or forensic investigation, identify containment, mitigation, and workaround strategies. If the security team believes that customer data may have become exposed to an unlawful or unauthorized individual, parallel execution of the Customer Incident Notification process begins in parallel. + * Diagnose an incident by security response experts to conduct the technical or forensic investigation, identify containment, mitigation, and work around strategies. If the security team believes that customer data may have become exposed to an unlawful or unauthorized individual, parallel execution of the Customer Incident Notification process begins in parallel. * Stabilize and recover from the incident. The incident response team creates a recovery plan to mitigate the issue. Crisis containment steps such as quarantining impacted systems may occur immediately and in parallel with diagnosis. Longer term mitigations may be planned which occur after the immediate risk has passed. * Close the incident and conduct a post-mortem. 
The incident response team creates a post-mortem that outlines the details of the incident, with the intention to revise policies, procedures, and processes to prevent a recurrence of the event. * Notify customers of security incidents: Azure Monitor has an incident management process that all Microsoft services adh * Operators working on the Microsoft Azure service have addition training obligations surrounding their access to sensitive systems hosting customer data. * Microsoft security response personnel receive specialized training for their roles -While very rare, Microsoft will notify each customer within one day if significant loss of any customer data occurs. +While rare, Microsoft notifies each customer within one day if significant loss of any customer data occurs. For more information about how Microsoft responds to security incidents, see [Microsoft Azure Security Response in the Cloud](https://gallery.technet.microsoft.com/Azure-Security-Response-in-dd18c678/file/150826/4/Microsoft%20Azure%20Security%20Response%20in%20the%20cloud.pdf). The Windows or management server agent cached data is protected by the operating As described above, data from the management server or direct-connected agents is sent over TLS to Microsoft Azure datacenters. Optionally, you can use ExpressRoute to provide extra security for the data. ExpressRoute is a way to directly connect to Azure from your existing WAN network, such as a multi-protocol label switching (MPLS) VPN, provided by a network service provider. For more information, see [ExpressRoute](https://azure.microsoft.com/services/expressroute/). ### 3. The Azure Monitor service receives and processes data-The Azure Monitor service ensures that incoming data is from a trusted source by validating certificates and the data integrity with Azure authentication. The unprocessed raw data is then stored in an Azure Event Hub in the region the data will eventually be stored at rest. 
The type of data that is stored depends on the types of solutions that were imported and used to collect data. Then, the Azure Monitor service processes the raw data and ingests it into the database. +The Azure Monitor service ensures that incoming data is from a trusted source by validating certificates and the data integrity with Azure authentication. The unprocessed raw data is then stored in an Azure Event Hubs in the region the data will eventually be stored at rest. The type of data that is stored depends on the types of solutions that were imported and used to collect data. Then, the Azure Monitor service processes the raw data and ingests it into the database. The retention period of collected data stored in the database depends on the selected pricing plan. For the *Free* tier, collected data is available for seven days. For the *Paid* tier, collected data is available for 31 days by default, but can be extended to 730 days. Data is stored encrypted at rest in Azure storage, to ensure data confidentiality, and the data is replicated within the local region using locally redundant storage (LRS), or zone-redundant storage (ZRS) in [supported regions](../logs/availability-zones.md). The last two weeks of data are also stored in SSD-based cache and this cache is encrypted. You can use these additional security features to further secure your Azure Moni - [Customer-managed (security) keys](../logs/customer-managed-keys.md) - You can use customer-managed keys to encrypt data sent to your Log Analytics workspaces. It requires use of Azure Key Vault. - [Private/customer-managed storage](./private-storage.md) - Manage your personally encrypted storage account and tell Azure Monitor to use it to store monitoring data - [Private Link networking](./private-link-security.md) - Azure Private Link allows you to securely link Azure PaaS services (including Azure Monitor) to your virtual network using private endpoints. 
-- [Azure customer Lockbox](../../security/fundamentals/customer-lockbox-overview.md#supported-services-and-scenarios-in-preview) - Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request.+- [Azure Customer Lockbox](../../security/fundamentals/customer-lockbox-overview.md#supported-services-and-scenarios) - Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request. ## Tamper-proofing and immutability |
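Review bot: in the incident-diagnosis bullet the change from "workaround strategies" to "work around strategies" introduces an error: as a noun modifying "strategies" it is one word, so keep "workaround". The same sentence still reads "parallel execution of the Customer Incident Notification process begins in parallel", which is redundant; suggest "the Customer Incident Notification process begins in parallel".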
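Review bot: the TLS paragraph keeps "explicit set your agent" in the `+` line; it should be "explicitly set". Since the wording is now "unless necessary" rather than "unless absolutely necessary", say what would make pinning necessary (for example a compliance requirement that mandates a fixed protocol version), because the rest of the paragraph argues against pinning and readers are left without a criterion.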
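Review bot: in the ingestion hunk, "stored in an Azure Event Hubs in the region" should be "stored in Azure Event Hubs in the region" (the service name is plural, so the article "an" does not fit); the rest of the replacement paragraph is otherwise identical to the removed one.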
azure-resource-manager | Extension Resource Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/extension-resource-types.md | Title: Extension resource types description: Lists the Azure resource types are used to extend the capabilities of other resource types. Previously updated : 10/20/2022 Last updated : 08/15/2023 # Resource types that extend capabilities of other resources An extension resource is a resource that adds to another resource's capabilities ## Microsoft.AlertsManagement +* alertRuleRecommendations * alerts+* investigations +* tenantActivityLogAlerts ## Microsoft.Authorization An extension resource is a resource that adds to another resource's capabilities * roleEligibilityScheduleInstances * roleEligibilityScheduleRequests * roleEligibilitySchedules+* roleManagementAlertConfigurations +* roleManagementAlertDefinitions +* roleManagementAlerts * roleManagementPolicies * roleManagementPolicyAssignments ## Microsoft.Automanage -* configurationProfileAssignmentIntents * configurationProfileAssignments +## Microsoft.AwsConnector ++* ec2Instances ++## Microsoft.AzureCIS ++* plannedQuotas ++## Microsoft.AzureStackHCI ++* virtualMachineInstances + ## Microsoft.Billing * billingPeriods An extension resource is a resource that adds to another resource's capabilities * artifactSetSnapshots * targets +## Microsoft.ConnectedVMwarevSphere ++* virtualmachineinstances + ## Microsoft.Consumption * AggregatedCost An extension resource is a resource that adds to another resource's capabilities * BenefitRecommendations * BenefitUtilizationSummaries * Budgets+* CalculateCost * Dimensions * Exports * ExternalSubscriptions * Forecast+* GenerateBenefitUtilizationSummariesReport * GenerateCostDetailsReport * GenerateDetailedCostReport * Insights+* MarkupRules * Pricesheets * Publish * Query * Reportconfigs * Reports * ScheduledActions+* SendMessage * Settings+* StartConversation * Views ## Microsoft.CustomProviders An 
extension resource is a resource that adds to another resource's capabilities * guestConfigurationAssignments +## Microsoft.Help ++* diagnostics +* discoverySolutions +* solutions +* troubleshooters + ## Microsoft.HybridConnectivity * endpoints+* solutionConfigurations ## microsoft.insights An extension resource is a resource that adds to another resource's capabilities * metricNamespaces * metrics * myWorkbooks+* tenantactiongroups * topology * transactions An extension resource is a resource that adds to another resource's capabilities ## Microsoft.Network +* cloudServiceNetworkInterfaces +* cloudServicePublicIPAddresses * cloudServiceSlots-* networkManagerConnections ## Microsoft.OperationalInsights An extension resource is a resource that adds to another resource's capabilities * policyTrackedResources * remediations +## Microsoft.Purview ++* consents +* policies + ## Microsoft.Quota * quotaRequests An extension resource is a resource that adds to another resource's capabilities ## Microsoft.Resources -* deploymentStacks * links * snapshots * tags +## Microsoft.ScVmm ++* VirtualMachineInstances + ## Microsoft.Security * adaptiveNetworkHardenings * advancedThreatProtectionSettings * antiMalwareSettings+* apiCollections * applications * assessmentMetadata * assessments * Compliances+* customRecommendations * dataCollectionAgents * dataSensitivitySettings+* defenderForStorageSettings * deviceSecurityGroups * governanceRules+* healthReports * InformationProtectionPolicies-* insights +* integrations * jitPolicies * secureScoreControls * secureScores+* securityStandards * serverVulnerabilityAssessments * sqlVulnerabilityAssessments+* standardAssignments ## Microsoft.SecurityInsights An extension resource is a resource that adds to another resource's capabilities * alertRules * alertRuleTemplates * automationRules+* billingStatistics * bookmarks * cases * contentPackages+* contentProductPackages +* contentProductTemplates * contentTemplates * dataConnectorDefinitions 
* dataConnectors+* dynamicSummaries * enrichment * entities * entityQueryTemplates+* exportConnections * fileImports+* hunts * huntsessions * incidents * metadata An extension resource is a resource that adds to another resource's capabilities * settings * sourceControls * threatIntelligence+* triggeredAnalyticsRuleRuns +* workspaceManagerAssignments +* workspaceManagerConfigurations +* workspaceManagerGroups +* workspaceManagerMembers ## Microsoft.SerialConsole An extension resource is a resource that adds to another resource's capabilities ## Microsoft.ServiceLinker +* daprConfigurations * dryruns * linkers An extension resource is a resource that adds to another resource's capabilities * supporttickets -## Microsoft.WorkloadMonitor --* monitors - ## Next steps - To get the resource ID for an extension resource in an Azure Resource Manager template, use the [extensionResourceId](../templates/template-functions-resource.md#extensionresourceid). |
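Review bot: the regenerated list now spells the same extension type three ways, `virtualmachineinstances` under Microsoft.ConnectedVMwarevSphere, `virtualMachineInstances` under Microsoft.AzureStackHCI and `VirtualMachineInstances` under Microsoft.ScVmm; if the list is produced from provider manifests that is expected, but a reader comparing entries may take the casing as significant, so either normalise it or note that resource type names are compared case-insensitively. The unchanged description line "Lists the Azure resource types are used to extend the capabilities of other resource types." is missing "that" and could be fixed in the same change.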
azure-video-indexer | Face Redaction With Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/face-redaction-with-api.md | Title: Redact faces with Azure Video Indexer API -description: This article shows how to use Azure Video Indexer face redaction feature using API. + Title: Redact faces with Azure Video Indexer API +description: This article shows how to use the Azure Video Indexer face redaction feature by using an API. Previously updated : 07/03/2023 Last updated : 08/11/2023 # Redact faces with Azure Video Indexer API Azure Video Indexer enables customers to detect and identify faces. Face redaction enables you to modify your video in order to blur faces of selected individuals. A few minutes of footage that contains multiple faces can take hours to redact manually, but with this preset the face redaction process requires just a few simple steps. -This article shows how to do the face redaction with an API. The face redaction API includes a **Face Redaction** preset that offers scalable face detection and redaction (blurring) in the cloud. +This article shows how to do the face redaction with an API. The face redaction API includes a **Face Redaction** preset that offers scalable face detection and redaction (blurring) in the cloud. The following video shows how to redact a video with Azure Video Indexer API. The following video shows how to redact a video with Azure Video Indexer API. The article demonstrates each step of how to redact faces with the API in detail. -## Compliance, privacy, and security +## Compliance, privacy, and security -As an important [reminder](limited-access-features.md), you must comply with all applicable laws in your use of analytics in Azure Video Indexer. +As an important [reminder](limited-access-features.md), you must comply with all applicable laws in your use of analytics in Azure Video Indexer. 
-Face service access is limited based on eligibility and usage criteria in order to support our Responsible AI principles. Face service is only available to Microsoft managed customers and partners. Use the [Face Recognition intake form](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUQjA5SkYzNDM4TkcwQzNEOE1NVEdKUUlRRCQlQCN0PWcu) to apply for access. For more information, see the [Face limited access page](https://learn.microsoft.com/legal/cognitive-services/computer-vision/limited-access-identity?context=%2Fazure%2Fcognitive-services%2Fcomputer-vision%2Fcontext%2Fcontext). +Face service access is limited based on eligibility and usage criteria in order to support our Responsible AI principles. Face service is only available to Microsoft managed customers and partners. Use the [Face Recognition intake form](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xUQjA5SkYzNDM4TkcwQzNEOE1NVEdKUUlRRCQlQCN0PWcu) to apply for access. For more information, see the [Face limited access page](/legal/cognitive-services/computer-vision/limited-access-identity?context=%2Fazure%2Fcognitive-services%2Fcomputer-vision%2Fcontext%2Fcontext). -## Redactor terminology and hierarchy +## Redactor terminology and hierarchy -The Face Redactor in Video Indexer relies on the output of the existing Video Indexer Face Detection results provided in our Video Standard and Advanced Analysis presets. In order to redact a video, you must first upload a video to Video Indexer and perform an analysis using the **standard** or **Advanced** video presets. This can be done using the [Azure Video Indexer website](https://www.videoindexer.ai/media/library) or [API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video). You can then use the Redactor API to reference this video using the `videoId` and we create a new video with the redacted faces. 
Both the Video Analysis and Face Redaction are separate billable jobs. See our [pricing page](https://azure.microsoft.com/pricing/details/video-indexer/) for more information. +The Face Redactor in Video Indexer relies on the output of the existing Video Indexer Face Detection results provided in our Video Standard and Advanced Analysis presets. In order to redact a video, you must first upload a video to Video Indexer and perform an analysis using the **standard** or **Advanced** video presets. Upload a video by using the [Azure Video Indexer website](https://www.videoindexer.ai/media/library) or [API](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video). You can then use the Redactor API to reference this video using the `videoId` and we create a new video with the redacted faces. Both the Video Analysis and Face Redaction are separate billable jobs. For more information, see our [pricing page](https://azure.microsoft.com/pricing/details/video-indexer/). ## Blurring kinds -The Face Redaction comes with several options, which can be provided in the request body. +The Face Redaction comes with several options, which can be provided in the request body. 
-|Blurring Kind number |Blurring Kind name |Example| -|||| -|0| MediumBlur|:::image type="content" source="./media/face-redaction-with-api/medium-blur.png" alt-text="Picture of the Azure Video Indexer medium blur kind.":::| -|1| HighBlur|:::image type="content" source="./media/face-redaction-with-api/high-blur.png" alt-text="Picture of the Azure Video Indexer high blur kind.":::| -|2| LowBlur|:::image type="content" source="./media/face-redaction-with-api/low-blur.png" alt-text="Picture of the Azure Video Indexer low blur kind.":::| -|3| BoundingBox|:::image type="content" source="./media/face-redaction-with-api/bounding-boxes.png" alt-text="Picture of the Azure Video Indexer bounding boxes kind.":::| -|4| Black|:::image type="content" source="./media/face-redaction-with-api/black-boxes.png" alt-text="Picture of the Azure Video Indexer black boxes kind.":::| +| Blurring Kind number | Blurring Kind name | Example | +|--|--|--| +| 0 | MediumBlur | :::image type="content" source="./media/face-redaction-with-api/medium-blur.png" alt-text="Picture of the Azure Video Indexer medium blur kind."::: | +| 1 | HighBlur | :::image type="content" source="./media/face-redaction-with-api/high-blur.png" alt-text="Picture of the Azure Video Indexer high blur kind."::: | +| 2 | LowBlur | :::image type="content" source="./media/face-redaction-with-api/low-blur.png" alt-text="Picture of the Azure Video Indexer low blur kind."::: | +| 3 | BoundingBox | :::image type="content" source="./media/face-redaction-with-api/bounding-boxes.png" alt-text="Picture of the Azure Video Indexer bounding boxes kind."::: | +| 4 | Black | :::image type="content" source="./media/face-redaction-with-api/black-boxes.png" alt-text="Picture of the Azure Video Indexer black boxes kind."::: | You can specify the blurring kind in the request body using the `blurringKind`. 
For example: ```json-{ - "faces": { - "blurringKind": "HighBlur" - } -} +{ + "faces": { + "blurringKind": "HighBlur" + } +} ``` -Or when using the BlurringKind number: +Or when using the BlurringKind number: ```json-{ - "faces": { - "blurringKind": 1 - } -} +{ + "faces": { + "blurringKind": 1 + } +} ``` -## Filters +## Filters -You can apply filters to instruct which face IDs should be blurred. You can specify the IDs of the faces in a comma separated array in the json body. Additionally using the scope you can instruct to exclude or include these faces for redaction. This way you have the option to achieve a behavior of “redact all faces except these IDs” or “redact only these IDs” by specifying the least number of IDs. See examples below. +You can apply filters to instruct which face IDs should be blurred. You can specify the IDs of the faces in a comma separated array in the json body. Use the scope to exclude or include these faces for redaction. This way you can achieve a behavior of "redact all faces except these IDs" or "redact only these IDs" by specifying the least number of IDs. See the following examples. ### Exclude scope Redact all faces except 1001 and 1016, use the `Exclude` scope. ```json-{ - "faces": { - "blurringKind": "HighBlur", - "filter": { - "ids": [1001, 1016], - "scope": "Exclude" - } - } -} +{ + "faces": { + "blurringKind": "HighBlur", + "filter": { + "ids": [1001, 1016], + "scope": "Exclude" + } + } +} ``` ### Include scope Redact all faces except 1001 and 1016, use the `Exclude` scope. Redact only face IDs 1001 and 1016, use the `Include` scope. ```json-{ - "faces": { - "blurringKind": "HighBlur", - "filter": { - "ids": [1001, 1016], - "scope": "Include" - } - } -} +{ + "faces": { + "blurringKind": "HighBlur", + "filter": { + "ids": [1001, 1016], + "scope": "Include" + } + } +} ``` ### Redact all faces Redact only face IDs 1001 and 1016, use the `Include` scope. To redact all faces, remove the filter entirely. 
```json-{ - "faces": { - "blurringKind": "HighBlur", - } -} +{ + "faces": { + "blurringKind": "HighBlur", + } +} ``` -To retrieve the Face ID, you can go to the indexed video and retrieve the [artifact file](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Get-Video-Artifact-Download-Url). This artifact contains a faces.json and a thumbnail zip file with all the faces. You can match the face to the ID and decide which face IDs need to be redacted. +To retrieve the Face ID, you can go to the indexed video and retrieve the [artifact file](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Get-Video-Artifact-Download-Url). This artifact contains a faces.json and a thumbnail zip file with all the faces. You can match the face to the ID and decide which face IDs need to be redacted. -## Create a redactor job +## Create a redactor job -To create a Redactor job, you can invoke the following API call: +To create a Redactor job, you can invoke the following API call: ```json POST https://api.videoindexer.ai/{location}/Accounts/{accountId}/Videos/{videoId}/redact[?name][&priority][&privacy][&externalId][&streamingPreset][&callbackUrl][&accessToken] ``` -The following values are mandatory: +The following values are mandatory: -|Name |Value |Description | -|||| -|**Accountid** |`{accountId}`| The ID of your Video Indexer account.| -|**Location** |`{location}`| The location of your Video Indexer account that is, Westus.| -|**AccessToken** |`{token}`|The token with Account Contributor rights generated through the [Azure Resource Manager](https://learn.microsoft.com/rest/api/videoindexer/stable/generate/access-token?tabs=HTTP) REST API.| -|**Videoid** |`{videoId}`|The video ID of the source video to redact. 
You can retrieve the video ID using the [List Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=List-Videos) API.| -|**Name** |`{name}`|The name of the new redacted video.| +| Name | Value | Description | +|--|--|--| +| **Accountid** | `{accountId}` | The ID of your Video Indexer account. | +| **Location** | `{location}` | The location of your Video Indexer account that is, Westus. | +| **AccessToken** | `{token}` | The token with Account Contributor rights generated through the [Azure Resource Manager](/rest/api/videoindexer/stable/generate/access-token?tabs=HTTP) REST API. | +| **Videoid** | `{videoId}` | The video ID of the source video to redact. You can retrieve the video ID using the [List Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=List-Videos) API. | +| **Name** | `{name}` | The name of the new redacted video. | -A sample request would be: +A sample request would be: ```-https://api.videoindexer.ai/westeurope/Accounts/<id>/Videos/<id>/redact?priority=Low&name=testredaction&privacy=Private&streamingPreset=Default +https://api.videoindexer.ai/westeurope/Accounts/<id>/Videos/<id>/redact?priority=Low&name=testredaction&privacy=Private&streamingPreset=Default ``` -We can specify the token as authorization header with a key value type of bearertoken:{token} or you can provide it as query param using `?token={token}` +We can specify the token as authorization header with a key value type of `bearertoken:{token}` or you can provide it as query param using `?token={token}` -Additionally we need to add a request body in json format with the redaction job options that is: +Additionally we need to add a request body in json format with the redaction job options that is: ```json-{ - "faces": { - "blurringKind": "HighBlur" - } -} +{ + "faces": { + "blurringKind": "HighBlur" + } +} ``` -When successful you receive an HTTP 202 ACCEPTED. +When successful you receive an HTTP 202 ACCEPTED. 
-## Monitor job status +## Monitor job status -In the response of the job creation request you receive an HTTP header `Location` with a URL to the job. You can perform a GET request to this url with the same token to see the status of the redaction job. An example url would be: +In the response of the job creation request, you receive an HTTP header `Location` with a URL to the job. You can perform a GET request to this URL with the same token to see the status of the redaction job. An example URL would be: ``` https://api.videoindexer.ai/westeurope/Accounts/<id>/Jobs/<id>-``` +``` -Response +Response ```json-{ - "creationTime": "2023-05-11T11:22:57.6114155Z", - "lastUpdateTime": "2023-05-11T11:23:01.7993563Z", - "progress": 20, - "jobType": "Redaction", - "state": "Processing" -} +{ + "creationTime": "2023-05-11T11:22:57.6114155Z", + "lastUpdateTime": "2023-05-11T11:23:01.7993563Z", + "progress": 20, + "jobType": "Redaction", + "state": "Processing" +} ``` -Calling the same url once the redaction job has completed you get a Storage SAS url to the redacted video again in the `Location` header. For instance: +Calling the same URL once the redaction job has completed, you get a Storage SAS URL to the redacted video again in the `Location` header. For instance: ```-https://api.videoindexer.ai/westeurope/Accounts/<id>/Videos/<id>/SourceFile/DownloadUrl +https://api.videoindexer.ai/westeurope/Accounts/<id>/Videos/<id>/SourceFile/DownloadUrl ``` -This will redirect to the mp4 stored on the Azure Storage Account. --## FAQ --|Question|Answer| -||| -|Can I upload a video and redact in one operation? |No, you need to first upload and analyze a video using the Index Video API and reference the indexed video in your redaction job.| -|Can I use the [Azure Video Indexer website](https://www.videoindexer.ai/) to redact a video? 
|No, Currently you can only use the API to create redaction jobs.| -|Can I play back the redacted video using the Video Indexer [website](https://www.videoindexer.ai/)?|Yes, the redacted video is visible in the Video Indexer like any other indexed video, however it doesn't contain any insights. | -|How do I delete a redacted video? |You can use the [Delete Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Delete-Video) API and provide the `Videoid` of the redacted video. | -|Do I need to pass Facial Identification gating to use Redactor? |Unless you're a US Police Department, no, even when you’re gated we continue to offer Face Detection. We don't offer Face Identification when gated. You can however redact all faces in a video with just the Face Detection. | -|Will the Face Redaction overwrite my original video? |No, the Redaction job will create a new video output file. | -|Not all faces are properly redacted. What can I do? |Redaction relies on the initial Face Detection and tracking output of the Analysis pipeline. While we detect all faces most of the time there can be circumstances where we haven't detected a face. This can have several reasons like face angle, number of frames the face was present and quality of the source video. See our [Face insights](face-detection.md) documentation for more information. | -|Can I redact other objects than faces? |No, currently we only have face redaction. If you have the need for other objects, provide feedback to our product in the [Azure User Voice](https://feedback.azure.com/d365community/forum/8952b9e3-e03b-ec11-8c62-00224825aadf) channel. | -|How Long is a SAS URL valid to download the redacted video? |<!--The SAS URL is valid for xxxx. -->To download the redacted video after the SAS url expired, you need to call the initial Job status URL. It's best to keep these `Jobstatus` URLs in a database in your backend for future reference. 
| --## Error codes --### Response: 404 Not Found --Account not found or video not found. --Response headers -Name -Required -Type -Description -x-ms-request-id -false -string --A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. --application/json -ErrorResponse --Name -Required -Type -Description -ErrorType -false -ErrorType -Message -false -string -*default* +This URL will redirect to the mp4 stored on the Azure Storage Account. ++## FAQ ++| Question | Answer | +|--|--| +| Can I upload a video and redact in one operation? | No, you need to first upload and analyze a video using the Index Video API and reference the indexed video in your redaction job. | +| Can I use the [Azure Video Indexer website](https://www.videoindexer.ai/) to redact a video? | No, Currently you can only use the API to create redaction jobs. | +| Can I play back the redacted video using the Video Indexer [website](https://www.videoindexer.ai/)? | Yes, the redacted video is visible in the Video Indexer like any other indexed video, however it doesn't contain any insights. | +| How do I delete a redacted video? | You can use the [Delete Video](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Delete-Video) API and provide the `Videoid` of the redacted video. | +| Do I need to pass Facial Identification gating to use Redactor? | Unless you're a US Police Department, no, even when you’re gated we continue to offer Face Detection. We don't offer Face Identification when gated. You can however redact all faces in a video with just the Face Detection. | +| Will the Face Redaction overwrite my original video? 
| No, the Redaction job creates a new video output file. | +| Not all faces are properly redacted. What can I do? | Redaction relies on the initial Face Detection and tracking output of the Analysis pipeline. While we detect all faces most of the time, there can be circumstances where we haven't detected a face. There can be several reasons like face angle, number of frames the face was present, and quality of the source video. For more information, see our [Face insights](face-detection.md) documentation. | +| Can I redact other objects than faces? | No, currently we only have face redaction. If you have the need for other objects, provide feedback to our product in the [Azure User Voice](https://feedback.azure.com/d365community/forum/8952b9e3-e03b-ec11-8c62-00224825aadf) channel. | +| How Long is a SAS URL valid to download the redacted video? | <!--The SAS URL is valid for xxxx. -->To download the redacted video after the SAS URL expired, you need to call the initial Job status URL. It's best to keep these `Jobstatus` URLs in a database in your backend for future reference. | ++## Error codes ++### Response: 404 Not Found ++Account not found or video not found. ++**Response headers** ++| Name | Required | Type | Description | +|--|--|--|--| +| x-ms-request-id | false | string | A globally unique identifier (GUID) for the request, assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request ID. A client can provide this request ID in support tickets so support engineers can find the logs linked to this particular request. The server makes sure this request ID never repeats itself. 
| ++**ErrorResponse** ++| Name | Required | Type | +|--|--|--| +| ErrorType | false | ErrorType | +| Message | false | string | +++*default* ```json-{ - "ErrorType": "GENERAL", - "Message": "string" -} +{ + "ErrorType": "GENERAL", + "Message": "string" +} ``` -### Response: 400 Bad Request +### Response: 400 Bad Request ++Invalid input or can't redact the video since its original upload failed. Please upload the video again. -Invalid input or cannot redact the video since its original upload failed. Please upload the video again. +**Response headers** -Response headers -Name -Required -Type -Description -x-ms-request-id -false -string +| Name | Required | Type | Description | +|--|--|--|--| +| x-ms-request-id | false | string | A globally unique identifier (GUID) for the request, assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request ID. A client can provide this request ID in support tickets so support engineers can find the logs linked to this particular request. The server makes sure this request ID never repeats itself. | -A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. 
+**ErrorResponse** -application/json -ErrorResponse +| Name | Required | Type | +|--|--|--| +| ErrorType | false | ErrorType | +| Message | false | string | -Name -Required -Type -Description -ErrorType -false -ErrorType -Message -false -string -*default* +*default* ```json-{ - "ErrorType": "GENERAL", - "Message": "string" -} +{ + "ErrorType": "GENERAL", + "Message": "string" +} ``` -### Response: 409 Conflict --Video is already being indexed. --Response headers -Name -Required -Type -Description -x-ms-request-id -false -string --A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. --application/json -ErrorResponse --Name -Required -Type -Description -ErrorType -false -ErrorType -Message -false -string +### Response: 409 Conflict ++Video is already being indexed. ++**Response headers** ++| Name | Required | Type | Description | +|--|--|--|--| +| x-ms-request-id | false | string | A globally unique identifier (GUID) for the request, assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request ID. A client can provide this request ID in support tickets so support engineers can find the logs linked to this particular request. The server makes sure this request ID never repeats itself. 
| ++**ErrorResponse** ++| Name | Required | Type | +|--|--|--| +| ErrorType | false | ErrorType | +| Message | false | string | + *default* ```json-{ - "ErrorType": "GENERAL", - "Message": "string" -} +{ + "ErrorType": "GENERAL", + "Message": "string" +} ``` -### Response: 401 Unauthorized +### Response: 401 Unauthorized -Response headers +**Response headers** -Name -Required -Type -Description -x-ms-request-id -false -string +| Name | Required | Type | Description | +|--|--|--|--| +| x-ms-request-id | false | string | A globally unique identifier (GUID) for the request, assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request ID. A client can provide this request ID in support tickets so support engineers can find the logs linked to this particular request. The server makes sure this request ID never repeats itself. | -A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. +**ErrorResponse** -application/json -ErrorResponse +| Name | Required | Type | +|--|--|--| +| ErrorType | false | ErrorType | +| Message | false | string | -Name -Required -Type -Description -ErrorType -false -ErrorType -Message -false -string -*default* +*default* ```json-{ - "ErrorType": "USER_NOT_ALLOWED", - "Message": "Access token is not authorized to access account 'SampleAccountId'." -} +{ + "ErrorType": "USER_NOT_ALLOWED", + "Message": "Access token is not authorized to access account 'SampleAccountId'." 
+} ``` -### Response: 500 Internal Server Error --Response headers -Name -Required -Type -Description -x-ms-request-id -false -string --A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. --application/json -ErrorResponse - -Name -Required -Type -Description -ErrorType -false -ErrorType -Message -false -string -*default* +### Response: 500 Internal Server Error ++**Response headers** ++| Name | Required | Type | Description | +|--|--|--|--| +| x-ms-request-id | false | string | A globally unique identifier (GUID) for the request, assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request ID. A client can provide this request ID in support tickets so support engineers can find the logs linked to this particular request. The server makes sure this request ID never repeats itself. | ++**ErrorResponse** ++| Name | Required | Type | +|--|--|--| +| ErrorType | false | ErrorType | +| Message | false | string | ++*default* ```json-{ - "ErrorType": "GENERAL", - "Message": "There was an error." -} +{ + "ErrorType": "GENERAL", + "Message": "There was an error." +} ``` -### Response: 429 Too many requests --Too many requests were sent, use Retry-After response header to decide when to send the next request. +### Response: 429 Too many requests -Response headers +Too many requests were sent, use Retry-After response header to decide when to send the next request. 
-Name -Required -Type -Description -Retry-After -false -integer -A non-negative decimal integer indicating the seconds to delay after the response is received -x-ms-request-id -false -string +**Response headers** -A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. +| Name | Required | Type | Description | +|--|--|--|--| +| Retry-After | false | integer | A non-negative decimal integer indicating the seconds to delay after the response is received. | +| x-ms-request-id | false | string | A globally unique identifier (GUID) for the request, assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request ID. A client can provide this request ID in support tickets so support engineers can find the logs linked to this particular request. The server makes sure this request ID never repeats itself. | -### Response: 504 Gateway Timeout +### Response: 504 Gateway Timeout -Server didn't respond to gateway within expected time. +Server didn't respond to gateway within expected time. -Response headers -Name -Required -Type -Description -x-ms-request-id -false -string +**Response headers** -A globally unique identifier (GUID) for the request which is assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request id so a client can provide this request id in support tickets so support engineers could find the logs linked to this particular request. The server makes sure this request id never repeats itself. 
+| Name | Required | Type | Description | +|--|--|--|--| +| x-ms-request-id | false | string | A globally unique identifier (GUID) for the request, assigned by the server for instrumentation purposes. The server makes sure all logs associated with handling the request can be linked to the server request ID. A client can provide this request ID in support tickets so support engineers can find the logs linked to this particular request. The server makes sure this request ID never repeats itself. | -application/json -*default* +*default* ```json-{ - "ErrorType": "SERVER_TIMEOUT", - "Message": "Server did not respond to gateway within expected time" -} +{ + "ErrorType": "SERVER_TIMEOUT", + "Message": "Server did not respond to gateway within expected time" +} ``` ## Next steps |
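Review bot: the "Redact all faces" body in the Filters region is not valid JSON: the added lines keep a trailing comma after the last property, `+ "blurringKind": "HighBlur", + }`, which a strict parser rejects and which the service would answer with the 400 Bad Request documented further down. Drop the comma so the example matches the other bodies on the page: `"blurringKind": "HighBlur"` followed directly by the closing braces.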
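Review bot: in the "Create a redactor job" region, the line "We can specify the token as authorization header with a key value type of `bearertoken:{token}` or you can provide it as query param using `?token={token}`" leaves it unclear what the header is actually called and presents the query-string form as an equal alternative. The token has Account Contributor rights (per the mandatory-values table), and a token in the query string ends up in proxy, gateway and web-server access logs and in client history. Spell out the exact header name and value format the API expects, and recommend the header form, keeping the query parameter only as a fallback for clients that cannot set headers.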
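Review bot: the FAQ row "How Long is a SAS URL valid to download the redacted video?" still ships the unfilled placeholder `<!--The SAS URL is valid for xxxx. -->` inside the table cell; either fill in the validity period or remove the comment. While here, the advice to keep the `Jobstatus` URLs in a backend database is sound, but the Storage SAS URL returned in the `Location` header is itself a bearer credential for the redacted video, so the row should say to re-request it from the job status URL rather than persist or log the SAS URL.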
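Review bot: the "Response: 504 Gateway Timeout" region is the only status block that lost the `**ErrorResponse**` schema table; 404, 400, 409, 401 and 500 all gained the `| ErrorType | false | ErrorType |` / `| Message | false | string |` rows, and the 504 `*default*` body has the same `ErrorType`/`Message` shape, so add the same table there for consistency. Also a style nit in the FAQ: "No, Currently you can only use the API" should be "No, currently you can only use the API".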
azure-video-indexer | Observed People Featured Clothing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/observed-people-featured-clothing.md | Title: Enable featured clothing of an observed person description: When indexing a video using Azure AI Video Indexer advanced video settings, you can view the featured clothing of an observed person. Previously updated : 10/10/2022 Last updated : 08/14/2023 # Enable featured clothing of an observed person (preview) -When indexing a video using Azure AI Video Indexer advanced video settings, you can view the featured clothing of an observed person. The insight provides information of key items worn by individuals within a video and the timestamp in which the clothing appears. This allows high-quality in-video contextual advertising, where relevant clothing ads are matched with the specific time within the video in which they are viewed. +When indexing a video using Azure AI Video Indexer advanced video settings, you can view the featured clothing of an observed person. The insight provides moments within the video where key people are prominently featured and clearly visible, including the coordinates of the people, timestamp, and the frame of the shot. This insight allows high-quality in-video contextual advertising, where relevant clothing ads are matched with the specific time within the video in which they're viewed. This article discusses how to view the featured clothing insight and how the featured clothing images are ranked. You can view the following short video that discusses how to view and use the fe ## Viewing featured clothing -The featured clothing insight is available when indexing your file by choosing the Advanced option -> Advanced video or Advanced video + audio preset (under Video + audio indexing). Standard indexing will not include this insight. 
+The featured clothing insight is available when indexing your file by choosing the Advanced option -> Advanced video or Advanced video + audio preset (under Video + audio indexing). Standard indexing doesn't include this insight. :::image type="content" source="./media/detected-clothing/index-video.png" alt-text="This screenshot represents an indexing video option."::: -The featured clothing images are ranked based on some of the following factors: key moments of the video, general emotions from text or audio. The `id` property indicates the ranking index. For example, `"id": 1` signifies the most important featured clothing. +The featured clothing images are ranked based on some of the following factors: key moments of the video, duration the person appears, text-based emotions, and audio events. The insights privates the highest ranking frame per scene, which enables you to produce contextual advertisements per scene throughout the video. The JSON file is ranked by the sequence of scenes in the video, with each scene having the top rated frame as the result. > [!NOTE]-> The featured clothing currently can only be viewed from the artifact file. +> The featured clothing insight can only be viewed from the artifact file, and the insight is not in the Azure AI Video Indexer website. 1. In the right-upper corner, select to download the artifact zip file: **Download** -> **Artifact (ZIP)** 1. Open `featuredclothing.zip`. The .zip file contains two objects: - `timestamp` ΓÇô corresponding to the frameIndex. - `opBoundingBox` ΓÇô bounding box of the person. - `faceBoundingBox` ΓÇô bounding box of the person's face, if detected. - - `fileName` ΓÇô where the best frame of the clothing is saved. + - `fileName` ΓÇô where the best frame of the clothing is saved. + - `sceneID` - the scene where the scene appears. - An example of the featured clothing with `"id": 1`. + An example of the featured clothing with `"sceneID": 1`. 
- ``` + ```json "instances": [ {- "confidence": 0.98, - "faceBoundingBox": { - "x": 0.50158, - "y": 0.10508, - "width": 0.13589, - "height": 0.45372 - }, - "fileName": "frame_12147.jpg", - "frameIndex": 12147, - "id": 1, - "opBoundingBox": { - "x": 0.34141, - "y": 0.16667, - "width": 0.28125, - "height": 0.82083 - }, - "timestamp": "00:08:26.6311250" - }, + "confidence": 0.07, + "faceBoundingBox": {}, + "fileName": "frame_100.jpg", + "frameIndex": 100, + "opBoundingBox": { + "x": 0.09062, + "y": 0.4, + "width": 0.11302, + "height": 0.59722 + }, + "timestamp": "0:00:04", + "personName": "Observed Person #1", + "sceneId": 1 + } ``` - `featuredclothing.frames.map` ΓÇô this folder contains images of the best frames that the featured clothing appeared in, corresponding to the `fileName` property in each instance in `featuredclothing.map.json`. The .zip file contains two objects: It's important to note the limitations of featured clothing to avoid or mitigate the effects of false detections of images with low quality or low relevancy.ΓÇ» -- Pre-condition for the featured clothing is that the person wearing the clothes can be found in the observed people insight. -- If the face of a person wearing the featured clothing wasn't detected, the results won't include the faces bounding box.+- Precondition for the featured clothing is that the person wearing the clothes can be found in the observed people insight. +- If the face of a person wearing the featured clothing isn't detected, the results don't include the faces bounding box. - If a person in a video wears more than one outfit, the algorithm selects its best outfit as a single featured clothing image. - When posed, the tracks are optimized to handle observed people who most often appear on the front. - Wrong detections may occur when people are overlapping. |
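Review bot: typo in the ranking paragraph: "The insights privates the highest ranking frame per scene" should read "The insight provides the highest ranking frame per scene". The same sentence says the JSON "is ranked by the sequence of scenes", so it is also worth stating explicitly that ordering is by scene, not by importance, since the old `id` ranking note was removed.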
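Review bot: property name mismatch between text and sample. The list item and the lead sentence use `sceneID` ("`sceneID` - the scene where the scene appears." and "with `\"sceneID\": 1`"), but the added JSON emits `"sceneId": 1`; pick the spelling the artifact actually contains and use it in all three places. The item description should also say where the person (or the featured clothing) appears rather than "where the scene appears", and the sample closes the object but not the `"instances": [` array, so add the closing `]` or mark the block as a fragment.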
azure-web-pubsub | Concept Disaster Recovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-web-pubsub/concept-disaster-recovery.md | Your service instance is a regional service and the instance is running in one r ## High available architecture for Web PubSub service There are two typical patterns using Web PubSub service:-* One is client-server pattern that [clients send events the the server](./quickstarts-event-notifications-from-clients.md] and [server pushes messages to the clients](./quickstarts-push-messages-from-server.md) -* Another is client-client pattern that [clients pub/sub messages through the Web PubSub service to other clients](./quickstarts-pubsub-among-clients.md) +* One is client-server pattern that [clients send events the the server](./quickstarts-event-notifications-from-clients.md) and [server pushes messages to the clients](./quickstarts-push-messages-from-server.md). +* Another is client-client pattern that [clients pub/sub messages through the Web PubSub service to other clients](./quickstarts-pubsub-among-clients.md). Below sections describe different ways for these two patterns to do disaster recovery |
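Review bot: the first bullet fixes the mismatched `]` but keeps the duplicated word: "clients send events the the server" should be "clients send events to the server". The unchanged closing line "Below sections describe different ways for these two patterns to do disaster recovery" is also missing its period and reads better as "The following sections describe how each pattern handles disaster recovery."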
cdn | Cdn Query String | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cdn/cdn-query-string.md | Title: Control Azure CDN caching behavior with query strings - standard tier description: Azure CDN query string caching controls how files are cached when a web request contains a query string. This article describes query string caching in Azure CDN standard products. - ms.assetid: 17410e4f-130e-489c-834e-7ca6d6f9778d - Previously updated : 06/11/2018 Last updated : 08/14/2023 - + # Control Azure CDN caching behavior with query strings - standard tier > [!div class="op_single_selector"] > * [Standard tier](cdn-query-string.md) -With Azure Content Delivery Network (CDN), you can control how files are cached for a web request that contains a query string. In a web request with a query string, the query string is that portion of the request that occurs after a question mark (?). A query string can contain one or more key-value pairs, in which the field name and its value are separated by an equals sign (=). Each key-value pair is separated by an ampersand (&). For example, http:\//www.contoso.com/content.mov?field1=value1&field2=value2. If there is more than one key-value pair in a query string of a request, their order does not matter. ++With Azure Content Delivery Network (CDN), you can control how files are cached for a web request that contains a query string. In a web request with a query string, the query string is that portion of the request that occurs after a question mark (?). A query string can contain one or more key-value pairs, in which the field name and its value are separated by an equals sign (=). Each key-value pair is separated by an ampersand (&). For example, http:\//www.contoso.com/content.mov?field1=value1&field2=value2. If there's more than one key-value pair in a query string of a request, their order doesn't matter. 
> [!IMPORTANT] > The Azure CDN standard and premium products provide the same query string caching functionality, but the user interface is different. This article describes the interface for **Azure CDN Standard from Microsoft**, **Azure CDN Standard from Akamai** and **Azure CDN Standard from Verizon**. For query string caching with **Azure CDN Premium from Verizon**, see [Control Azure CDN caching behavior with query strings - premium tier](cdn-query-string-premium.md). Three query string modes are available: - **Ignore query strings**: Default mode. In this mode, the CDN point-of-presence (POP) node passes the query strings from the requestor to the origin server on the first request and caches the asset. All subsequent requests for the asset that are served from the POP ignore the query strings until the cached asset expires. -- **Bypass caching for query strings**: In this mode, requests with query strings are not cached at the CDN POP node. The POP node retrieves the asset directly from the origin server and passes it to the requestor with each request.+- **Bypass caching for query strings**: In this mode, requests with query strings aren't cached at the CDN POP node. The POP node retrieves the asset directly from the origin server and passes it to the requestor with each request. - **Cache every unique URL**: In this mode, each request with a unique URL, including the query string, is treated as a unique asset with its own cache. For example, the response from the origin server for a request for example.ashx?q=test1 is cached at the POP node and returned for subsequent caches with the same query string. A request for example.ashx?q=test2 is cached as a separate asset with its own time-to-live setting. Three query string modes are available: > Do not use this mode when the query string contains parameters that will change with every request, such as a session ID or a user name, because it will result in a low cache-hit ratio. 
## Changing query string caching settings for standard CDN profiles+ 1. Open a CDN profile, then select the CDN endpoint you want to manage. ![CDN profile endpoints](./media/cdn-query-string/cdn-endpoints.png) -2. In the left pane under Settings, click **Caching rules**. +2. In the left pane under Settings, select **Caching rules**. ![CDN Caching rules button](./media/cdn-query-string/cdn-caching-rules-btn.png) -3. In the **Query string caching behavior** list, select a query string mode, then click **Save**. +3. In the **Query string caching behavior** list, select a query string mode, then select **Save**. ![CDN query string caching options](./media/cdn-query-string/cdn-query-string.png) Three query string modes are available: > - For **Azure CDN Standard from Akamai** profiles, propagation usually completes within one minute. > - For **Azure CDN Standard from Verizon** and **Azure CDN Premium from Verizon** profiles, propagation usually completes in 10 minutes. +## Next step -+- Learn how to [purge cached content](cdn-purge-endpoint.md) from Azure CDN endpoint. |
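Review bot: the "Ignore query strings" bullet (the default mode) describes the POP forwarding the query string only on the first request, caching the result, and ignoring the query string on every later request until expiry. That deserves the same kind of warning the page already gives under "Cache every unique URL": if the origin varies its response on a query parameter, the variant fetched for the first requester is served to every subsequent requester regardless of their parameters, so this mode is only safe for assets whose content does not depend on the query string. Suggest a short note to that effect next to the existing one.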
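Review bot: in the new "Next step" region, the bullet "Learn how to [purge cached content](cdn-purge-endpoint.md) from Azure CDN endpoint." is missing an article ("from an Azure CDN endpoint"), and the heading "## Next step" differs from the "## Next steps" heading used by the other articles in this batch; align it.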
confidential-computing | How To Leverage Virtual Tpms In Azure Confidential Vms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/how-to-leverage-virtual-tpms-in-azure-confidential-vms.md | + + Title: How to leverage virtual TPMs in Azure confidential VMs +description: Learn how to use the vTPM benefits after building trust in a confidential VM. +++m ++ Last updated : 08/02/2023+++++# How to leverage virtual TPMs in Azure confidential VMs ++**Applies to:** :heavy_check_mark: Linux VMs ++This "how to" shows you how to use some benefits provided by a virtual Trusted Platform Module (TPM) in a confidential VM. ++## Prerequisites ++To see how vTPMs work in confidential VMs, read the [concept page](virtual-tpms-in-azure-confidential-vm.md). ++Some of the steps mentioned use the tpm2-tools library that is source repository for the [Trusted Platform Module (TPM2.0)](https://github.com/tpm2-software/tpm2-tools). Follow the steps [here](https://github.com/tpm2-software/tpm2-tss/blob/master/INSTALL.md) to build and install the library. ++## How to get the direct AMD SEV-SNP hardware report ++The guest attestation feature helps you to confirm that a confidential VM runs on a hardware-based trusted execution environment (TEE) with security features enabled for isolation and integrity. When a confidential VM boots it generates a SEV-SNP hardware report containing a signed report issued by AMD SEV-SNP, platform boot settings, and platform measurements. This report is stored in a predefined nonvolatile index (NVIndex) of the vTPM, where data can be securely and persistently stored. Today our [guest attestation library](https://github.com/Azure/confidential-computing-cvm-guest-attestation) can be used to access and retrieve the SEV-SNP hardware report. 
Customers can use Microsoft Azure Attestation to verify the reports or verify the raw AMD SEV-SNP report on their own by following steps [here](https://github.com/Azure/confidential-computing-cvm-guest-attestation/blob/main/cvm-guest-attestation.md#linux). ++## How to extend a measurement to a PCR and validate it through the vTPM ++Currently confidential VMs generate a SEV-SNP report at boot that is accessible through the virtual trusted platform module (vTPM). This report also includes the vTPMΓÇÖs public attestation key (AKPub). The AKPub can be used to generate an attestation of the vTPM runtime state including the platform configuration register (PCR) state. Therefore, the AKPub can be used to link the vTPM PCR measurements that are signed by the private attestation key (AKPri), to SEV-SNP attestation. +++These steps list out which artifacts you need and how to get them: ++1. Extend a measurement to a PCR. ++ There are multiple ways to extend a measurement to a PCR using the [tpm2-tools library](https://github.com/tpm2-software/tpm2-tools). + This command shows how to hash a file using sha256 bank and then extend it to a PCR. + ```bash + sha256sum <any file> + tpm2_pcrextend <pcr_number>:sha256=<result from first command> + ``` +2. Retrieve the AMDΓÇÖs VCEK certificate. ++ The AMD Versioned Chip Endorsement Key (VCEK) is used to sign the AMD SEV-SNP report. The VCEK certificate allows you to verify that the report was signed by a genuine AMD CPU key. There are two ways retrieve the certificate: ++ a. Obtain the VCEK certificate by running the following command ΓÇô it obtains the cert from a well-known IMDS endpoint: + ```bash + curl -H Metadata:true http://169.254.169.254/metadat/certification > vcek + cat ./vcek | jq -r '.vcekCert , .certificateChain' > ./vcek.pem + ``` + b. 
To retrieve the certificate, use the [AMD VCEK Certificate tool](https://kdsintf.amd.com/vcek/) and the steps mentioned in the [specification](https://www.amd.com/system/files/TechDocs/57230.pdf). ++3. Retrieve the public attestation key (AKpub) from the attestation report. ++ AMD's SEV-SNP guest attestation report is signed using the VCEK. The report data JSON in the guest attestation report is measured and the hash is reflected in the [SEV-SNP report](https://www.amd.com/system/files/TechDocs/56860.pdf). The report data JSON includes a VM configuration section that contains attestation claims supplied to the AMD processor by the guest firmware. The claims in this section relate to the state of the Microsoft boot loader and operating system i.e whether the secure boot is enabled, whether Windows serial console is enabled etc. These claims also include the "HCLAkPub" signing key that is the attestation key (AKPub) for the TPM. ++ These steps extract the SNP report from a set NVIndex and dump the report data JSON. The guest_report.bin file is used in the following step. ++ ```bash + tpm2_nvread -C o 0x01400001 > ./snp_report.bin + dd skip=32 bs=1 count=1184 if=./snp_report.bin of=./guest_report.bin + ``` + Here's an example of how the report data JSON looks like: ++ ```JSON + "keys": [ + { + "kid": "HCLAkPub", + "key_ops": [ + "encrypt" + ], + "kty": "RSA", + "e": "AQAB", + "n": "2I-ayAABWYhQU-D81quVW4i1sH14-Offul2U2LwsgtihxykIzXY_5YzQAY4e56GMZSpm5r6telRr5rnFJa8iklzol7ecYZEX1nc1WK51a68E2kZNyomFVSIlDPJCn14NpRoxuipIfhe16zWVYZ8dpYbpelyzHZZpskdBLnUKldffUYliWSXLBpjPb89VV0FYxKPi_bSGviBXWOiRtcITRcXfpjlfD3DgZqlK4gj11RChqaEYG_GAPlxceu5h1pusgLuPEULWzvkKuGw7j8ZrxdYEUNB-uHU0nxuQvYxtksPs3zX6ELcV2GjwJupzYUUAu95OQUGI-soDWKvIXM4epw" + } + ], + "vm-configuration": { + "console-enabled": true, + "secure-boot": true, + "tpm-enabled": true, + "vmUniqueId": "A80B7FE7-5B93-4027-9971-6CCEE468C2B3" + } + ``` +4. Validate the VCEK certificate and guest attestation report. 
++ Once we have retrieved the VCEK certificate and guest attestation report, we can check that the VCEK has signed the guest attestation report. This step ensures the vTPM is properly measured by the AMD SEV-SNP hardware and that we can trust the vTPM. There are multiple ways to do verification, the following example uses the [open-source AMD SEV Tool](https://github.com/AMDESE/sev-tool). ++ ```bash + sudo ./sevtool ΓÇô-ofolder <location of vcek.pem & guest_report.bin> --validate_guest_report + ``` +5. Use vTPM tools to get PCR measurements. ++ After you have established trust in the vTPM, then you can go get a [quote](https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_quote.1/) using the AKpub and reflect PCR measurements. ++ a. Retrieve the public attestation key. 0x81000003 is the location of the AKpub. + ```bash + tpm2_readpublic -c 0x81000003 -f pem -o <outputfile.pem> + ``` + b. Generate a TPM quote using the options mentioned [here](https://tpm2-tools.readthedocs.io/en/latest/man/tpm2_quote.1/#options). This example shows how to get the quote and reflect PCRs 15, 16 and 22. The nonce is added to protect against replay attacks. The message output file records the quote message that makes up the data that is signed by the TPM. Finally the PCR values are stored in the PCR_output_file. Refer to the tpm2_quote link to learn more about the options used. + ```bash + tpm2_quote -c 0x81000003 -l sha256:15,16,22 -q <nonce> -m <message_output_file.msg> -s <signature_output_file.sig> -o <PCR_output_file.pcrs> -g sha256 + ``` + c. The following command can be used on a remote machine to verify the confidential VM generated quote in the previous step. Use the AKpub retrieved from step a as an input here. 
+ ```bash + tpm2_checkquote -u <outputfile.pem> -m <message_output_file.msg> -s <signature_output_file.sig> -f <PCR_output_file.pcrs> -g sha256 -q <nonce> + ``` ++Using the tpm2_checkquote command, a relying party can cryptographically verify the entire chain including all boot time and runtime extended PCRs. We recommend you use PCR23 to extend measurements of user mode components or runtime data. ++Using the steps mentioned in this document allows you to extend any arbitrary runtime attestation data, configuration, or application into vTPM PCRs. Therefore, you can have a chain of measurements of all components (per your choice) provided by the vTPM that is rooted to the AMD SEV-SNP report. ++## Next steps ++> [!div class="nextstepaction"] +> [Create a custom image for Azure confidential VMs](how-to-create-custom-image-confidential-vm.md) |
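Review bot: the verification command in step 4, `sudo ./sevtool ΓÇô-ofolder <location of vcek.pem & guest_report.bin> --validate_guest_report`, starts the option with an en-dash (shown mis-encoded here) rather than two hyphens, so a copied command fails option parsing; it should be `--ofolder`. In step 2a the IMDS URL `http://169.254.169.254/metadat/certification` has `metadat` where `metadata` is meant; confirm the full path against the IMDS certificate-endpoint documentation before publishing. In step 1, `sha256sum <any file>` prints the digest followed by the file name, so `tpm2_pcrextend <pcr_number>:sha256=<result from first command>` should say that only the first field is passed (for example via `cut -d' ' -f1`). The prerequisites name tpm2-tools but the install link points at the tpm2-tss repository's INSTALL.md, and `that is source repository for` is ungrammatical. The closing recommendation to extend runtime measurements into PCR23 does not match the quote example, which reads PCRs 15, 16 and 22; either align them or say why they differ. Minor: `two ways retrieve` needs `to`, and `i.e whether` should be `i.e., whether`.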
confidential-computing | Virtual Tpms In Azure Confidential Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/virtual-tpms-in-azure-confidential-vm.md | + + Title: Virtual TPMs in Azure confidential VMs +description: Learn about how we use virtual Trusted Platform Modules in our confidential VMs. +++++ Last updated : 07/20/2023++++# Virtual TPMs in Azure confidential VMs ++A [Trust Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-overview) is designed to provide hardware based security functions. These functions include secret storage for cryptographic keys, storage for measurements of the boot process and an external hardware root-of-trust. ++Azure confidential VMs each have their own dedicated virtual TPM (vTPM). The vTPM is a virtualized version of a hardware TPM, and complies with the [TPM2.0 spec](/windows/security/information-protection/tpm/tpm-recommendations#why-tpm-20). In a confidential VM, the vTPM runs inside the VM in a hardware-based protected memory region. With this architecture, each confidential VM has its own unique vTPM instance that is isolated and encrypted by AMD SEV-SNP. Thus, an Azure confidential VM's vTPM instance is isolated from the hosting environment and all other VMs on the system. +++For more information on the technology, see our blog on [confidential VMs](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/confidential-vms-on-azure/ba-p/3836282). ++Since the vTPM runs within the Confidential VM, it's measured by the AMD SEV-SNP hardware. Customers can retrieve the hardware report generated by the Platform Security Processor (PSP) to attest the identity and integrity of the vTPM that guarantees that the TPM is authentic. ++The hardware report can be used to verify that the Confidential VM is running as an isolated, secure machine with an isolated, integrity protected and measured vTPM. 
The vTPM can in-turn be used to measure and securely the boot the OS components in the confidential VM. By using usual TPM based primitives such as Measured Boot and [Secured Boot](/windows-hardware/design/device-experiences/oem-secure-boot), you can ensure and prove that your confidential VM is launched as intended. ++TPMs have platform configuration registers (PCRs) that can be used to cryptographically measure the software state to ensure that nothing has been tampered with or misused. The [PCR values](/windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices) are one-way hashes to ensure that the measurements can't be removed or altered. PCRs are used to store the measurements of various boot artifacts to help with the [measured boot process](/azure/security/fundamentals/measured-boot-host-attestation). PCRs can also be used to measure applications, disk integrity measurements and other components. Additionally, PCRs can be used to enforce security policies such as application and code integrity (CI) policies to ensure the system remains compliant with the desired policies. ++To utilize vTPMs in confidential VMs further, see [How to leverage vTPMs in confidential VMs](how-to-leverage-virtual-tpms-in-azure-confidential-vms.md). |
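Review bot: the opening sentence expands TPM as `Trust Platform Module`; the term is `Trusted Platform Module`, as the companion how-to article writes it. In the paragraph that follows, `measure and securely the boot the OS components` should read `measure and securely boot the OS components`, and `[Secured Boot]` should be `Secure Boot`, the name of the feature the link points to.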
container-registry | Manual Regional Move | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/manual-regional-move.md | Inspect the registry properties in the template JSON file you downloaded, and ma "apiVersion": "2020-11-01-preview", "name": "[parameters('myregistry_name')]", "location": "centralus",-[...] + ... + } + ] +} ``` For more information, see [Use exported template from the Azure portal](../azure-resource-manager/templates/template-tutorial-export-template.md) and the [template reference](/azure/templates/microsoft.containerregistry/registries). For more information, see [Use exported template from the Azure portal](../azure > [!IMPORTANT] > If you want to encrypt the target registry using a customer-managed key, make sure to update the template with settings for the required managed identity, key vault, and key. You can only enable the customer-managed key when you deploy the registry. > -> For more information, see [Encrypt registry using customer-managed key](./tutorial-enable-customer-managed-keys.md## Enable a customer-managed key by using a Resource Manager template). +> For more information, see [Encrypt registry using customer-managed key](./tutorial-enable-customer-managed-keys.md#enable-a-customer-managed-key-by-using-a-resource-manager-template). -### Create resource group +### Create resource group Create a resource group for the target registry using the [az group create](/cli/azure/group#az-group-create). The following example creates a resource group named *myResourceGroup* in the *eastus* location. |
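Review bot: the sentence below the IMPORTANT note, `Create a resource group for the target registry using the [az group create](/cli/azure/group#az-group-create).`, is missing a noun after the link; write `using the [az group create] command`.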
cosmos-db | Concepts Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/concepts-limits.md | Azure Cosmos DB uses HMAC for authorization. You can use either a primary key, o ## Limits for autoscale provisioned throughput -See the [Autoscale](provision-throughput-autoscale.md#autoscale-limits) article and [FAQ](autoscale-faq.yml#how-do-i-lower-the maximum-ru-s) for more detailed explanation of the throughput and storage limits with autoscale. +See the [Autoscale](./provision-throughput-autoscale.md#autoscale-limits) article and [FAQ](./autoscale-faq.yml#how-do-i-lower-the-maximum-ru-s-) for more detailed explanation of the throughput and storage limits with autoscale. | Resource | Limit | | | | |
cosmos-db | Scaling Provisioned Throughput Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/scaling-provisioned-throughput-best-practices.md | Increase your RU/s to: `10,000 * P * (2 ^ (ROUNDUP(LOG_2 (S/(10,000 * P))))`. Th For example, suppose we have five physical partitions, 50,000 RU/s and want to scale to 150,000 RU/s. We should first set: `10,000 * 5 * (2 ^ (ROUND(LOG_2(150,000/(10,000 * 5))))` = 200,000 RU/s, and then lower to 150,000 RU/s. -When we scaled up to 200,000 RU/s, the lowest manual RU/s we can now set in the future is 2000 RU/s. The [lowest autoscale max RU/s](autoscale-faq.yml#how-do-i-lower-the maximum-ru-s) we can set is 20,000 RU/s (scales between 2000 - 20,000 RU/s). Since our target RU/s is 150,000 RU/s, we are not affected by the minimum RU/s. +When we scaled up to 200,000 RU/s, the lowest manual RU/s we can now set in the future is 2000 RU/s. The [lowest autoscale max RU/s](./autoscale-faq.yml#how-do-i-lower-the-maximum-ru-s-) we can set is 20,000 RU/s (scales between 2000 - 20,000 RU/s). Since our target RU/s is 150,000 RU/s, we are not affected by the minimum RU/s. ## How to optimize RU/s for large data ingestion |
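Review bot: the formula and its worked example in this region disagree: the rule is `10,000 * P * (2 ^ (ROUNDUP(LOG_2 (S/(10,000 * P))))`, but the example computes `ROUND(LOG_2(150,000/(10,000 * 5)))`. Both give 2 for this input, but for ratios below about 1.41 `ROUND` yields 0 (for example LOG_2 of 1.4 is 0.49) and the resulting target would be below S, so the example should use `ROUNDUP` to match the rule.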
cost-management-billing | Reservation Discount Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/reservation-discount-application.md | If the virtual machines are running in different subscriptions within your enrol A reservation discount only applies to resources associated with Enterprise, Microsoft Customer Agreement, CSP, or subscriptions with pay-as-you go rates. Resources that run in a subscription with other offer types don't receive the reservation discount. +The savings that are presented as part of [reservation recommendations](reserved-instance-purchase-recommendations.md) are the savings that are calculated in addition to your negotiated, or discounted (if applicable) prices. + ## When the reservation term expires At the end of the reservation term, the billing discount expires, and the resources are billed at the pay-as-you go price. By default, the reservations are not set to renew automatically. You can choose to enable automatic renewal of a reservation by selecting the option in the renewal settings. With automatic renewal, a replacement reservation will be purchased upon expiry of the existing reservation. By default, the replacement reservation has the same attributes as the expiring reservation, optionally you change the billing frequency, term, or quantity in the renewal settings. Any user with owner access on the reservation and the subscription used for billing can set up renewal. |
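Review bot: in the added sentence, the comma in `negotiated, or discounted (if applicable) prices` splits the adjective pair and reads as a list; write `negotiated or discounted (if applicable) prices`.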
cost-management-billing | Reserved Instance Purchase Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/reserved-instance-purchase-recommendations.md | +The savings that are presented as part of reservation recommendations are the savings that are calculated in addition to your negotiated, or discounted (if applicable) prices. + The following steps define how recommendations are calculated: 1. The recommendation engine evaluates the hourly usage for your resources in the given scope over the past 7, 30, and 60 days. |
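Review bot: same wording issue as the sentence added to reservation-discount-application.md: `negotiated, or discounted (if applicable) prices` should be `negotiated or discounted (if applicable) prices`.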
defender-for-cloud | Adaptive Application Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/adaptive-application-controls.md | description: This document helps you use adaptive application control in Microso Previously updated : 06/14/2023 Last updated : 08/09/2023 # Use adaptive application controls to reduce your machines' attack surfaces To edit the rules for a group of machines: ![Add a custom rule.](./media/adaptive-application/adaptive-application-add-custom-rule.png) - 1. If you're defining a known safe path, change the **Rule type** to 'Path' and enter a single path. You can include wildcards in the path. -+ 1. If you're defining a known safe path, change the **Rule type** to 'Path' and enter a single path. You can include wildcards in the path. The following screens show some examples of how to use wildcards. + + :::image type="content" source="media/adaptive-application/wildcard-examples.png" alt-text="Screenshot that shows examples of using wildcards." lightbox="media/adaptive-application/wildcard-examples.png"::: + > [!TIP] > Some scenarios for which wildcards in a path might be useful: > > - Using a wildcard at the end of a path to allow all executables within this folder and sub-folders. > - Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (for example, personal user folders containing a known executable, automatically generated folder names, etc).- + 1. Define the allowed users and protected file types. 1. When you've finished defining the rule, select **Add**. |
defender-for-cloud | Advanced Configurations For Malware Scanning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/advanced-configurations-for-malware-scanning.md | + + Title: Microsoft Defender for Storage - advanced configurations for malware scanning +description: Learn about the advanced configurations of Microsoft Defender for Storage malware scanning Last updated : 08/08/2023++++++# Advanced configurations for malware scanning ++Malware Scanning can be configured to send scanning results to the following: ++- **Event Grid custom topic** - for near-real time automatic response based on every scanning result. +- **Log Analytics workspace** - for storing every scan result in a centralized log repository for compliance and audit. ++Learn more on how to [set up response for malware scanning](/azure/defender-for-cloud/defender-for-storage-configure-malware-scan) results. ++> [!TIP] +> We recommend you try the [Ninja training instructions](https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/main/Labs/Modules/Module%2019%20-%20Defender%20for%20Storage.md), a hands-on lab, to try out malware scanning in Defender for Storage, using detailed step-by-step instructions on how to test malware scanning end-to-end with setting up responses to scanning results. This is part of the 'labs' project that helps customers get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience with its capabilities. ++## Setting up logging for malware scanning ++For each storage account enabled with malware scanning, you can define a Log Analytics workspace destination to store every scan result in a centralized log repository that is easy to query. +++Before sending scan results to Log Analytics, [create a Log Analytics workspace](/azure/azure-monitor/logs/quick-create-workspace) or use an existing one. 
++To configure the Log Analytics destination, navigate to the relevant storage account, open the **Microsoft Defender for Cloud** tab, and select the settings to configure. ++This configuration can be performed using REST API as well: ++Request URL: ++``` +PUT +https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current/providers/Microsoft.Insights/diagnosticSettings/service?api-version=2021-05-01-preview +``` +Request Body: ++``` +{ + "properties": { + "workspaceId": "/subscriptions/{subscriptionId}/resourcegroups/{resourceGroup}/providers/microsoft.operationalinsights/workspaces/{workspaceName}", + "logs": [ + { + "category": "ScanResults", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": 180 + } + } + ] + } +} +``` ++## Setting up Event Grid for malware scanning ++For each storage account enabled with malware scanning, you can configure to send every scan result using an Event Grid event for automation purposes. ++1. To configure Event Grid for sending scan results, you'll first need to create a custom topic in advance. Refer to the Event Grid documentation on creating custom topics for guidance. Ensure that the destination Event Grid custom topic is created in the same region as the storage account from which you want to send scan results. ++1. To configure the Event Grid custom topic destination, go to the relevant storage account, open the **Microsoft Defender for Cloud** tab, and select the settings to configure. ++> [!NOTE] +> When you set an Event Grid custom topic, you should set **Override Defender for Storage subscription-level settings” to **On** to make sure it overrides the subscription-level settings. 
+++This configuration can be performed using REST API as well: ++Request URL: ++``` +PUT +https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2022-12-01-preview +``` ++Request Body: ++``` +{ + "properties": { + "isEnabled": true, + "malwareScanning": { + "onUpload": { + "isEnabled": true, + "capGBPerMonth": 5000 + }, + "scanResultsEventGridTopicResourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.EventGrid/topics/{EventGridTopicName}" + }, + "sensitiveDataDiscovery": { + "isEnabled": true + }, + "overrideSubscriptionLevelSettings": true + } +} +``` +## Override Defender for Storage subscription-level settings ++The subscription-level settings inherit Defender for Storage settings on each storage account in the subscription. Use Override Defender for Storage subscription-level settings to configure settings for individual storage accounts different from those configured on the subscription level. ++Overriding the settings of the subscriptions are usually used for the following scenarios: ++- Enable/disable the Malware Scanning or the Data sensitivity threat detection features. +- Configure custom settings for Malware Scanning. +- Disable Microsoft Defender for Storage on specific storage accounts. ++> [!NOTE] +> We recommend that you enable Defender for Storage on the entire subscription to protect all existing and future storage accounts in it. However, there are some cases where you would want to exclude specific storage accounts from Defender protection. If you've decided to exclude, follow the steps below to use the override setting and then disable the relevant storage account. If you are using Defender for Storage (classic), you can also [exclude storage accounts](defender-for-storage-classic-enable.md). 
++### Azure portal ++To configure the settings of individual storage accounts different from those configured on the subscription level using the Azure portal: ++1. Sign in to the Azure portal. ++1. Navigate to your storage account that you want to configure custom settings. ++1. In the storage account menu, in the **Security + networking** section, select **Microsoft Defender for Cloud**. ++1. Select **Settings** in Microsoft Defender for Storage. ++1. Set the status of **Override Defender for Storage subscription-level settings** (under Advanced settings) to **On**. This ensures that the settings are saved only for this storage account and will not be overrun by the subscription settings. ++1. Configure the settings you want to change: ++ 1. To enable malware scanning or sensitive data threat detection, set the status to **On**. ++ 1. To modify the settings of malware scanning: ++ 1. Switch the **On-upload malware scanning** to **On** if it’s not already enabled. ++ 1. To adjust the monthly threshold for malware scanning in your storage accounts, you can modify the parameter called **Set limit of GB scanned per month** to your desired value. This parameter determines the maximum amount of data that can be scanned for malware each month, specifically for each storage account. If you wish to allow unlimited scanning, you can uncheck this parameter. By default, the limit is set at 5,000 GB. +++1. To disable Defender for Storage on this storage account, set the status of Microsoft Defender for Storage to **Off**. ++ :::image type="content" source="media/azure-defender-storage-configure/defender-for-storage-settings.png" alt-text="Screenshot that shows where to turn off Defender for Storage in the Azure portal." lightbox="media/azure-defender-storage-configure/defender-for-storage-settings.png"::: ++ Select **Save**. 
++### REST API ++To configure the settings of individual storage accounts different from those configured on the subscription level using REST API: ++Create a PUT request with this endpoint. Replace the subscriptionId, resourceGroupName, and accountName in the endpoint URL with your own Azure subscription ID, resource group and storage account names accordingly. ++Request URL: ++``` +PUT +https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/DefenderForStorageSettings/current?api-version=2022-12-01-preview +``` ++Request Body: ++``` +{ + "properties": { + "isEnabled": true, + "malwareScanning": { + "onUpload": { + "isEnabled": true, + "capGBPerMonth": 5000 + } + }, + "sensitiveDataDiscovery": { + "isEnabled": true + }, + "overrideSubscriptionLevelSettings": true + } +} +``` ++1. To enable malware scanning or sensitive data threat detection, set the value of isEnabled to **true** under the relevant features. ++1. To modify the settings of malware scanning, edit the relevant fields under onUpload, make sure the value of isEnabled is **true**. If you want to permit unlimited scanning, assign the value -1 to the capGBPerMonth parameter. ++1. To disable Defender for Storage on this storage accounts, use the following request body: ++ ``` + { + "properties": { + "isEnabled": false, + "overrideSubscriptionLevelSettings": true + } + } + ``` ++Make sure you add the parameter `overrideSubscriptionLevelSettings` and its value is set to **true**. This ensures that the settings are saved only for this storage account and will not be overrun by the subscription settings. ++## Next steps ++Learn more about [malware scanning settings](defender-for-storage-malware-scan.md). |
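Review bot: the NOTE in "Setting up Event Grid for malware scanning" opens bold with `**Override Defender for Storage subscription-level settings”` but closes it with a typographic quote instead of `**`, so the bold runs on into the rest of the line; replace `”` with `**`. In "Override Defender for Storage subscription-level settings", `Overriding the settings of the subscriptions are usually used for` should be `Overriding the subscription-level settings is usually done for`, and in the REST API section `To disable Defender for Storage on this storage accounts` should be `this storage account`. The first Event Grid step says to `Refer to the Event Grid documentation on creating custom topics` without a link, while the Log Analytics section links its prerequisite; add the link. Style: the request URL and body blocks use untagged fences; tagging the bodies `json` would give them highlighting consistent with the rest of the docs.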
defender-for-cloud | Defender For Storage Azure Portal Enablement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-azure-portal-enablement.md | + + Title: Enable and configure the Defender for Storage plan at scale using the Azure portal +description: Learn how to enable the Defender for Storage on your Azure subscription for Microsoft Defender for Cloud using the Azure portal. +++ Last updated : 08/15/2023+++# Enable and configure with the Azure portal ++We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all current and future storage accounts in the subscription are protected. ++> [!TIP] +> You can always [configure specific storage accounts](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#override-defender-for-storage-subscription-level-settings) with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings). ++## [Enable on a subscription (recommended)](#tab/enable-subscription/) ++To enable Defender for Storage at the subscription level using the Azure portal: ++1. Sign in to the Azure portal. +1. Navigate to **Microsoft Defender for Cloud** > **Environment settings**. +1. Select the subscription for which you want to enable Defender for Storage. ++ :::image type="content" source="media/defender-for-storage-malware-scan/azure-portal-enablement-subscription.png" alt-text="Screenshot that shows where to select the subscription." lightbox="media/defender-for-storage-malware-scan/azure-portal-enablement-subscription.png"::: ++1. On the Defender plans page, locate **Storage** in the list and select **On** and **Save**. If you currently have Defender for Storage enabled with per-transaction pricing, select the **New pricing plan available** link and confirm the pricing change. 
++ :::image type="content" source="media/defender-for-storage-malware-scan/azure-portal-enablement-turn-on.png" alt-text="Screenshot that shows where to turn on Storage plan." lightbox="media/defender-for-storage-malware-scan/azure-portal-enablement-turn-on.png"::: ++Microsoft Defender for Storage is now enabled for this subscription, and is fully protected, including on-upload malware scanning and sensitive data threat detection. ++If you want to turn off the on-upload malware scanning or sensitive data threat detection, you can select **Settings** and change the status of the relevant feature to **Off** and save the changes. ++If you want to change the malware scanning size capping per storage account per month for malware, change the settings in **Edit configuration** and save the changes. ++If you want to disable the plan, turn status button to **Off** for the Storage plan on the Defender plans page and save the changes. ++## [Enable on a storage account](#tab/enable-storage-account/) ++To enable and configure Microsoft Defender for Storage for a specific account using the Azure portal: ++1. Sign in to the Azure portal. +1. Navigate to your storage account. +In the storage account menu, in the **Security + networking** section, select **Microsoft Defender for Cloud**. +1. On-upload Malware Scanning and Sensitive data threat detection are enabled by default. You can disable the features by unselecting them. +1. Select  **Enable on storage account**. Microsoft Defender for Storage is now enabled on this storage account. ++ :::image type="content" source="media/defender-for-storage-malware-scan/azure-portal-enablement-on-storage-account.png" alt-text="Screenshot that shows where to enable the storage account." lightbox="media/defender-for-storage-malware-scan/azure-portal-enablement-on-storage-account.png"::: ++ > [!TIP] + > To configure On-upload malware scanning settings, such as monthly capping, select Settings after Defender for Storage was enabled. 
++If you want to disable Defender for Storage on the storage account or disable one of the features (on-upload malware scanning or Sensitive data threat detection), select **Settings**, edit the settings, and select **Save**. ++++> [!TIP] +> Malware Scanning can be configured to send scanning results to the following: <br> **Event Grid custom topic** - for near-real time automatic response based on every scanning result. Learn more how to [configure malware scanning to send scanning events to an Event Grid custom topic](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-event-grid-for-malware-scanning). <br> **Log Analytics workspace** - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to [configure malware scanning to send scanning results to a Log Analytics workspace](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-logging-for-malware-scanning). ++## Next steps ++- Learn how to [enable and Configure the Defender for Storage plan at scale with an Azure built-in policy](defender-for-storage-policy-enablement.md). +- Learn more on how to [set up response for malware scanning](defender-for-storage-configure-malware-scan.md) results. |
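Review bot: in the "Enable on a storage account" tab, the line `In the storage account menu, in the **Security + networking** section, select **Microsoft Defender for Cloud**.` has no `1.` marker, so it renders as a paragraph between steps 2 and 3 and restarts the numbering; prefix it with `1.` (or indent it under the previous step). `Select  **Enable on storage account**` has a double space, and `turn status button to **Off**` should read `set the status toggle to **Off**`. The TIP at the end links to `/azure/storage/common/azure-defender-storage-configure?...#setting-up-event-grid-for-malware-scanning` and `#setting-up-logging-for-malware-scanning`, while this change set adds advanced-configurations-for-malware-scanning.md with those exact sections; consider pointing the links at the new article.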
defender-for-cloud | Defender For Storage Configure Malware Scan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-configure-malware-scan.md | Title: Setting up response to Malware Scanning + Title: Setting up response to Malware Scanning | Microsoft Defender for Storage description: Learn about how to configure response to malware scanning to prevent harmful files from being uploaded to Azure Storage. Previously updated : 03/16/2023 Last updated : 08/09/2023 -Set up automated responses to move or remove malicious files or to move/ingest clean files to another destination. Select the preferred response option that fits your scenario architecture. +Set up automated responses to move or remove malicious files or to move/ingest clean files to another destination. Select the preferred response option that fits your scenario architecture. -With Malware Scanning, you can build your automation response using the following scan result option: +With Malware Scanning, you can build your automation response using the following scan result options: - Defender for Cloud security alerts - Event Grid events - Blob index tags +> [!TIP] +> We recommend you try the Ninja training instructions, a hands-on lab with detailed step-by-step instructions on how to try out and test malware scanning end-to-end with setting up responses to scanning results. This is part of the 'labs' project that helps customers get ramped up with Microsoft Defender for Cloud and provide hands-on practical experience with its capabilities. + Here are some response options that you can use to automate your response: -## Delete or move a malicious blob +### Block access to unscanned or malicious files using ABAC (attribute-based access control) ++You can block access to malicious and unscanned files with Entra ID (Azure AD) Attribute-based access control (ABAC) authorization. 
It allows you to set conditional access to blobs based on the scanning results, and allow applications and users to access only scanned files that are clean. ++Follow the instructions in the following [video](https://www.microsoft.com/videoplayer/embed/RW193F2) to set it up. +++### Delete or move a malicious blob You can use code or workflow automation to delete or move malicious files to quarantine. -### Prepare your environment for delete or move. +#### Prepare your environment for delete or move - **Delete the malicious file** - Before setting up automated deletion, enabling [soft delete](../storage/blobs/soft-delete-blob-overview.md) on the storage account is recommended. It allows to ΓÇ£undeleteΓÇ¥ files if there are false positives or in cases where security professionals want to investigate the malicious files. Logic App based responses are a simple, no-code approach to setting up response. 1. Deploy the [DeleteBlobLogicApp](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fstorageantimalwareprev.blob.core.windows.net%2Fworkflows%2FDeleteBlobLogicApp-template.json) Azure Resource Manager (ARM) template using the Azure portal. -1. Add role assignment to the Logic App to allow it to delete blobs from your storage account: - 1. Go to **Identity** in the side menu and select on **Azure role assignments**. - :::image type="content" source="media/defender-for-storage-configure-malware-scan/storage-account-malware-response-1.png" alt-text="Screenshot showing how to set up a role assignment for workflow automation to respond to scan results."::: - 1. Add role assignment in the subscription level with the **Storage Blob Data Contributor** role. - :::image type="content" source="media/defender-for-storage-configure-malware-scan/storage-account-malware-response-2.png" alt-text="Screenshot showing how to set up the required role assignment for workflow automation to respond to scan results."::: +1. Select the Logic App you deployed. ++1. 
Add a role assignment to the Logic App to allow it to delete blobs from your storage account: + + 1. Go to **Identity** in the side menu and select **Azure role assignments**. + + :::image type="content" source="media/defender-for-storage-malware-scan/system-assigned-managed-identity.png" alt-text="Screenshot that shows how to set up a role assignment for workflow automation to respond to scan results." lightbox="media/defender-for-storage-malware-scan/system-assigned-managed-identity.png"::: + + 1. Add a role assignment in the subscription level with the **Storage Blob Data Contributor** role. + :::image type="content" source="media/defender-for-storage-malware-scan/role-assignment.png" alt-text="Screenshot that shows how to set up the required role assignment for workflow automation to respond to scan results." lightbox="../active-directory/privileged-identity-management/media/pim-configure/role-assignment.png"::: + 1. Create workflow automation for Microsoft Defender for Cloud alerts: 1. Go to **Microsoft Defender for Cloud** in the Azure portal. 1. Go to **Workflow automation** in the side menu.- 1. Add a new workflow. In the **Alert name contains** field, fill in **Malicious file uploaded to storage account** and choose your Logic app in the **Actions** section. + 1. Add a new workflow: In the **Alert name contains** field, fill in **Malicious file uploaded to storage account** and choose your Logic app in the **Actions** section. + 1. Select **Create**. - :::image type="content" source="media/defender-for-storage-configure-malware-scan/storage-account-malware-response-3.png" alt-text="Screenshot showing how to set up workflow automation to respond to scan results."::: + :::image type="content" source="media/defender-for-storage-malware-scan/workflow-automation.png" alt-text="Screenshot that shows how to set up workflow automation to respond to scan results." 
lightbox="media/defender-for-storage-malware-scan/workflow-automation.png"::: #### Option 2: Function App based on Event Grid events A Function App provides high performance with a low latency response time. 1. Create a [Function App](../azure-functions/functions-overview.md) in the same resource group as your protected storage account. -1. Add role assignment for the Function app identity. +1. Add a role assignment for the Function app identity. - 1. Go to **Identity** in the side menu, make sure the **System assigned** identity status is **ON**, and select on **Azure role assignments**. + 1. Go to **Identity** in the side menu, make sure the **System assigned** identity status is **On**, and select **Azure role assignments**. - 1. Add role assignment in the subscription or storage account levels with the **Storage Blob Data Contributor** role. + 1. Add a role assignment in the subscription or storage account levels with the **Storage Blob Data Contributor** role. 1. Consume Event Grid events and connect an Azure Function as the endpoint type. 1. When writing the Azure Function code, you can use our premade function sample - [MoveMaliciousBlobEventTrigger](https://storageantimalwareprev.blob.core.windows.net/samples/MoveMaliciousBlobEventTrigger.cs), or [write your own code](../storage/blobs/storage-blob-copy.md) to copy the blob elsewhere, then delete it from the source. -## Make your applications and data flows aware of Malware Scanning scan results +For each scan result, an event is sent according to the following schema. ++#### Event message structure ++The event message is a JSON object that contains key-value pairs that provide detailed information about a malware scanning result. Here's a breakdown of each key in the event message: ++- **id**: A unique identifier for the event. ++- **subject**: A string that describes the resource path of the scanned blob (file) in the storage account. 
++- **data**: A JSON object that contains additional information about the event: ++ - **correlationId**: A unique identifier that can be used to correlate multiple events related to the same scan. ++ - **blobUri**: The URI of the scanned blob (file) in the storage account. ++ - **eTag**: The ETag of the scanned blob (file). ++ - **scanFinishedTimeUtc**: The UTC timestamp when the scan was completed. ++ - **scanResultType**: The result of the scan, for example, "Malicious" or "No threats found". ++ - **scanResultDetails**: A JSON object containing details about the scan result: ++ 1. **malwareNamesFound**: An array of malware names found in the scanned file. ++ 1. **sha256**: The SHA-256 hash of the scanned file. ++- **eventType**: A string that indicates the type of event, in this case, "Microsoft.Security.MalwareScanningResult". ++- **dataVersion**: The version number of the data schema. ++- **metadataVersion**: The version number of the metadata schema. ++- **eventTime**: The UTC timestamp when the event was generated. ++- **topic**: The resource path of the Event Grid topic that the event belongs to. 
++Here's an example of an event message: ++``` +{ + "id": "52d00da0-8f1a-4c3c-aa2c-24831967356b", + "subject": "storageAccounts/<storage_account_name>/containers/app-logs-storage/blobs/EICAR - simulating malware.txt", + "data": { + "correlationId": "52d00da0-8f1a-4c3c-aa2c-24831967356b", + "blobUri": "https://<storage_account_name>.blob.core.windows.net/app-logs-storage/EICAR - simulating malware.txt", + "eTag": "0x8DB4C9327B08CBF", + "scanFinishedTimeUtc": "2023-05-04T11:31:54.0481279Z", + "scanResultType": "Malicious", + "scanResultDetails": { + "malwareNamesFound": [ + "DOS/EICAR_Test_File" + ], + "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" + } + }, + "eventType": "Microsoft.Security.MalwareScanningResult", + "dataVersion": "1.0", + "metadataVersion": "1", + "eventTime": "2023-05-04T11:31:54.048375Z", + "topic": "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.EventGrid/topics/<event_grid_topic_name>" +} +``` ++By understanding the structure of the event message, you can extract relevant information about the Malware Scanning result and process it accordingly. ++## Make your applications and data flows aware of malware scanning scan results -Malware Scanning is near real-time, and usually, there's a small time window between the time of the upload and the time of the scan. -Because storage is noncompute, there's no risk that malicious files are executed in your storage. The risk is users or applications accessing malicious files and spreading them throughout the organization. +Malware scanning is near real-time, and usually, there's a small time window between the time of the upload and the time of the scan. Because storage is noncompute, there's no risk that malicious files are executed in your storage. The risk is users or applications accessing malicious files and spreading them throughout the organization. 
-There are a few methods to make your applications and data flows aware of Malware Scanning scan results and ensure there's no way to access/process a file before it has been scanned and its result has been consumed and acted on. +There are a few methods to make your applications and data flows aware of Malware Scanning scan results and ensure there's no way to access/process a file before it has been scanned and its result has been consumed and acted upon. ### Applications ingest data based on the scan result #### Option 1: Apps checking ΓÇ£Index tagΓÇ¥ before processing -One way to get ingest data is to update all the applications that access the storage account. Each application checks the scan result for each file, and if the blob **Index tag** scan result is **no threats found**, the application reads the blob. +One way to get ingested data is to update all the applications that access the storage account. Each application checks the scan result for each file, and if the blob **Index tag** scan result is **no threats found**, the application reads the blob. #### Option 2: Connect your application to a Webhook in Event Grid events Learn more about using [Webhook event delivery and validating your endpoint](../ ### Use an intermediary storage account as a DMZ -You can set up an intermediary storage account for untrusted content (DMZ) and direct uploading traffic to the DMZ. -On the untrusted storage account, enable Malware Scanning and connect Event Grid and Function App to move only blobs scanned with the ΓÇ£no threat foundΓÇ¥ result to the destination storage account. +You can set up an intermediary storage account for untrusted content (DMZ) and direct uploading traffic to the DMZ. On the untrusted storage account, enable Malware Scanning and connect Event Grid and Function App to move only blobs scanned with the ΓÇ£no threat foundΓÇ¥ result to the destination storage account. ## Next steps |
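Review bot: the second screenshot in the Logic App role-assignment steps points its lightbox at a different article's media folder. The image `source` is `media/defender-for-storage-malware-scan/role-assignment.png` but the `lightbox` is `../active-directory/privileged-identity-management/media/pim-configure/role-assignment.png`, which is the PIM article's image; the lightbox must reference the same file as the source, otherwise the enlarged view shows the wrong screenshot (or breaks when that other article's media moves).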
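Review bot: the Logic App steps grant `Storage Blob Data Contributor` at subscription scope ("Add a role assignment in the subscription level with the **Storage Blob Data Contributor** role"), which gives the automation write and delete rights over every storage account in the subscription, while the Function App option in the same section already allows "subscription or storage account levels". Recommend the storage-account scope as the default for the delete/quarantine workflow and mention subscription scope only as the at-scale option; a compromised or misfiring workflow with subscription-wide blob delete rights is a much larger blast radius than the response needs. The same paragraph should also state that the soft-delete recommendation for the "Delete the malicious file" option is what makes an automated delete recoverable, since that is the only safety net for a false positive.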
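Review bot: the new ABAC section ("Block access to unscanned or malicious files using ABAC") only links a video and never says what the access condition is keyed on. The malware-scan article in this change set documents the blob index tag `Malware Scanning scan result` with the value `No threats found`, so state that the condition should require that tag value, which also denies blobs that have not been scanned yet because they carry no tag; readers should not need the video to write the condition. It would also help to say whether a principal that can write blob index tags could set that tag value itself before the scan runs, because if so the ABAC condition has to be paired with restricting tag writes to the scanner identity.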
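Review bot: the DeleteBlobLogicApp ARM template and the MoveMaliciousBlobEventTrigger.cs sample are both served from an anonymous blob account (`storageantimalwareprev.blob.core.windows.net`), and the portal "deploy" link has readers deploy a template from that URL directly into their subscription. The article is asking customers to deploy content that is neither versioned nor reviewable, from an account whose name suggests a preview artifact; please move both files into the docs or an official Microsoft GitHub repository, or show the template inline, so readers can inspect what they are deploying.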
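Review bot: the "Event message structure" section says `scanResultType` is "Malicious" or "No threats found" but never shows what `scanResultDetails` contains for a clean file (an empty `malwareNamesFound` array, or the object omitted?), and the blob index tag values documented in the malware-scan article include scan aborted, failed and timed-out outcomes that are not mentioned here; the Function App code in Option 2 has to branch on these, so list every result type and show the clean-file shape. Two smaller points in the same region: the `malwareNamesFound`/`sha256` sub-list uses `1.` numbering nested inside a bulleted list (should be `-` bullets), and the example message fence should be tagged `json`.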
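Review bot: Option 1 ("Apps checking Index tag before processing") has a time-of-check/time-of-use gap the text should call out. The malware-scan article in this change set says that modifying a blob is an upload and the modified content is scanned after the update, so between an overwrite and the rescan the blob can carry a stale `No threats found` tag from its previous version. The event message already carries the blob's `eTag`, so recommend that applications read the blob with a conditional request matching the ETag recorded with the scan result and treat a mismatch as unscanned, rather than trusting the tag alone. The sentence "Because storage is noncompute, there's no risk that malicious files are executed in your storage" is also stronger than the point needs; "the storage service itself doesn't execute uploaded content" keeps the meaning without the absolute claim.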
defender-for-cloud | Defender For Storage Infrastructure As Code Enablement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-infrastructure-as-code-enablement.md | + + Title: Infrastructure as Code enablement | Microsoft Defender for Storage +description: Learn how to enable and configure Microsoft Defender for Storage with IaC templates. Last updated : 08/08/2023+++++++# Enable and configure with Infrastructure as Code templates ++We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all storage accounts in the subscription will be protected, including future ones. ++> [!TIP] +> You can always [configure specific storage accounts](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#override-defender-for-storage-subscription-level-settings) with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings). 
++## [Enable on a subscription](#tab/enable-subscription/) ++### Bicep template ++To enable and configure Microsoft Defender for Storage at the subscription level using [Bicep](/azure/azure-resource-manager/bicep/overview?tabs=bicep), make sure your [target scope is set to subscription](/azure/azure-resource-manager/bicep/deploy-to-subscription?tabs=azure-cli#scope-to-subscription), and add the following to your Bicep template: ++``` +resource StorageAccounts 'Microsoft.Security/pricings@2023-01-01' = { + name: 'StorageAccounts' + properties: { + pricingTier: 'Standard' + subPlan: 'DefenderForStorageV2' + extensions: [ + { + name: 'OnUploadMalwareScanning' + isEnabled: 'True' + additionalExtensionProperties: { + CapGBPerMonthPerStorageAccount: '5000' + } + } + { + name: 'SensitiveDataDiscovery' + isEnabled: 'True' + } + ] + } +} +``` ++To modify the monthly cap for malware scanning per storage account, adjust the `CapGBPerMonthPerStorageAccount` parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB. ++If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the `isEnabled` value to **False** under Sensitive data discovery. ++To disable the entire Defender for Storage plan, set the `pricingTier` property value to **Free** and remove the subPlan and extensions properties. ++Learn more about the [Bicep template in the Microsoft security/pricings documentation](/azure/templates/microsoft.security/pricings?pivots=deployment-language-bicep&source=docs). 
++### Azure Resource Manager template ++To enable and configure Microsoft Defender for Storage at the subscription level using an ARM (Azure Resource Manager) template, add this JSON snippet to the resources section of your ARM template: ++``` +{ + "type": "Microsoft.Security/pricings", + "apiVersion": "2023-01-01", + "name": "StorageAccounts", + "properties": { + "pricingTier": "Standard", + "subPlan": "DefenderForStorageV2", + "extensions": [ + { + "name": "OnUploadMalwareScanning", + "isEnabled": "True", + "additionalExtensionProperties": { + "CapGBPerMonthPerStorageAccount": "5000" + } + }, + { + "name": "SensitiveDataDiscovery", + "isEnabled": "True" + } + ] + } +} +``` ++To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the `CapGBPerMonthPerStorageAccount` parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB. ++If you want to turn off the on-upload malware scanning or Sensitive data threat detection features, you can change the `isEnabled` value to **False** under Sensitive data discovery. ++To disable the entire Defender plan, set the `pricingTier` property value to **Free** and remove the subPlan and extensions properties. ++Learn more about the ARM template in the Microsoft.Security/Pricings documentation. ++## [Enable on a storage account](#tab/enable-storage-account/) ++### Bicep template - storage account ++To enable and configure Microsoft Defender for Storage at the storage account level using Bicep, add the following to your Bicep template: ++``` +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' ... 
++resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = { + name: 'current' + scope: storageAccount +ΓÇ» properties: { +ΓÇ» ΓÇ» isEnabled: true +ΓÇ» ΓÇ» malwareScanning: { +ΓÇ» ΓÇ» ΓÇ» onUpload: { +ΓÇ» ΓÇ» ΓÇ» ΓÇ» isEnabled: true +ΓÇ» ΓÇ» ΓÇ» ΓÇ» capGBPerMonth: 5000 +ΓÇ» ΓÇ» ΓÇ» } +ΓÇ» ΓÇ» } +ΓÇ» ΓÇ» sensitiveDataDiscovery: { +ΓÇ» ΓÇ» ΓÇ» isEnabled: true +ΓÇ» ΓÇ» } +ΓÇ» ΓÇ» overrideSubscriptionLevelSettings: true +ΓÇ» } +} +``` ++To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the capGBPerMonth parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB. ++If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the `isEnabled` value to **false** under the `malwareScanning` or `sensitiveDataDiscovery` properties sections. ++To disable the entire Defender plan for the storage account, set the `isEnabled` property value to **false** and remove the `malwareScanning` and `sensitiveDataDiscovery` sections from the properties. ++Learn more about the [Microsoft.Security/DefenderForStorageSettings API](/rest/api/defenderforcloud/defender-for-storage/create) documentation. ++> [!TIP] +> Malware Scanning can be configured to send scanning results to the following: <br> **Event Grid custom topic** - for near-real time automatic response based on every scanning result. Learn more how to [configure malware scanning to send scanning events to an Event Grid custom topic](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-event-grid-for-malware-scanning). 
<br> **Log Analytics workspace** - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to [configure malware scanning to send scanning results to a Log Analytics workspace](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-logging-for-malware-scanning). ++Learn more on how to set up response for malware scanning results. ++### ARM template - storage account ++To enable and configure Microsoft Defender for Storage at the storage account level using an ARM template, add this JSON snippet to the resources section of your ARM template: ++``` +{ + "type": "Microsoft.Security/DefenderForStorageSettings", + "apiVersion": "2022-12-01-preview", + "name": "current", + "properties": { + "isEnabled": true, + "malwareScanning": { + "onUpload": { + "isEnabled": true, + "capGBPerMonth": 5000 + } + }, + "sensitiveDataDiscovery": { + "isEnabled": true + }, + "overrideSubscriptionLevelSettings": true + }, + "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]" +} +``` ++To modify the monthly threshold for malware scanning in your storage accounts, simply adjust the capGBPerMonth parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB. ++If you want to turn off the On-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to false under the malwareScanning or sensitiveDataDiscovery properties sections. ++To disable the entire Defender plan for the storage account, set the isEnabled property value to false and remove the malwareScanning and sensitiveDataDiscovery sections from the properties. 
++++## Next steps ++Learn more about the [Microsoft.Security/DefenderForStorageSettings](/rest/api/defenderforcloud/defender-for-storage/create) API documentation. |
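Review bot: the storage-account Bicep snippet is indented with non-breaking spaces (rendered here as `ΓÇ»`) from the `properties: {` line onward rather than ordinary spaces, so copying it into a .bicep file produces a block whose whitespace differs from the rest of the template and may not compile; replace them with regular spaces. The preceding line `resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' ...` is an intentional elision but should say so (for example "existing storage account declaration"), otherwise the `...` reads like Bicep syntax. The ARM variant's `scope` references `parameters('StorageAccountName')`, which the snippet never declares; note that the reader must add that parameter to their template.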
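Review bot: two cross-references in this article are missing their links: "Learn more about the ARM template in the Microsoft.Security/Pricings documentation." under the subscription ARM template, and "Learn more on how to set up response for malware scanning results." after the storage-account Bicep TIP, are plain text while their Bicep counterparts are linked (`/azure/templates/microsoft.security/pricings?pivots=deployment-language-bicep&source=docs` and `defender-for-storage-configure-malware-scan.md`); please link both. All four template fences are also untagged; tag them `bicep` and `json` so the snippets get syntax highlighting.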
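Review bot: the disable instructions do not match the snippets. Under both subscription-level templates the text says to change `isEnabled` to False "under Sensitive data discovery" even though the sentence opens with "If you want to turn off the On-upload malware scanning or Sensitive data threat detection features"; it should say the value is set per extension (`OnUploadMalwareScanning` or `SensitiveDataDiscovery`). Note also that `isEnabled` is the string `'True'` in the `Microsoft.Security/pricings` extensions but the boolean `true` in `Microsoft.Security/DefenderForStorageSettings`; a one-line remark that the pricings extension takes a string here would save readers a deployment error. Finally, the storage-account resource uses `apiVersion` `2022-12-01-preview` while the pricings resource uses `2023-01-01`; if a non-preview version of `DefenderForStorageSettings` exists the example should use it, and if not, the text should say the resource type is in preview.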
defender-for-cloud | Defender For Storage Malware Scan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-malware-scan.md | Title: Malware Scanning in Defender for Storage + Title: Malware scanning in Microsoft Defender for Storage description: Learn about the benefits and features of malware scanning in Microsoft Defender for Storage. Previously updated : 03/16/2023 Last updated : 08/15/2023 -# Malware Scanning in Defender for Storage +# Malware scanning in Defender for Storage Malware Scanning in Defender for Storage helps protect your storage accounts from malicious content by performing a full malware scan on uploaded content in near real time, using Microsoft Defender Antivirus capabilities. It's designed to help fulfill security and compliance requirements for handling untrusted content. The Malware Scanning capability is an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and supports automating response at scale. ## Malware upload is a top threat on cloud storage Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed. -## Malware Scanning in Defender for Storage helps protect storage accounts from malicious content +## Malware scanning in Defender for Storage helps protect storage accounts from malicious content - A built-in SaaS solution that allows simple enabling at scale with zero maintenance.- - Comprehensive antimalware capabilities using Microsoft Defender Antivirus (MDAV), catching polymorphic and metamorphic malware.- - Every file type is scanned (including archives like zip files) and a result is returned for every scan. 
The file size limit is 2 GB.- - Supports response at scale – deleting or quarantining suspicious files, based on the blobs’ index tags or Event Grid events.- - When the malware scan identifies a malicious file, detailed Microsoft Defender for Cloud security alerts are generated. - Designed to help fulfill security and compliance requirements to scan untrusted content uploaded to storage, including an option to log every scan result. ## Common use-cases and scenarios -Some common use-cases and scenarios for Malware Scanning in Defender for Storage include: +Some common use-cases and scenarios for malware scanning in Defender for Storage include: -- To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)+- **Web applications:** many cloud web applications allow users to upload content to storage. This allows low maintenance and scalable storage for applications like tax apps, CV upload HR sites, and receipts upload. -- To comply with compliance standards that require on-upload malware scanning for noncompute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.+- **Content protection:** assets like videos and photos are commonly shared and distributed at scale both internally and to external parties. CDNs (Content Delivery Network) and content hubs are a classic malware distribution opportunity. -## Prerequisites +- **Compliance requirements:** resources that adhere to compliance standards like [NIST](defender-for-cloud-glossary.md#nist), SWIFT, GDPR, and others require robust security practices, which include malware scanning. It's critical for organizations operating in regulated industries or regions. 
-You can [enable and configure Malware Scanning at scale](../storage/common/azure-defender-storage-configure.md#configure-malware-scanning) for your subscriptions while maintaining granular control over configuring the feature for individual storage accounts. To set up and customize Malware Scanning in Defender for Storage, you can choose from various methods, including the Azure portal, Azure policy, ARM or Bicep templates, and REST API. +- **Third-party integration:** third-party data can come from a wide variety of sources, and not all of them may have robust security practices, such as business partners, developers, and contractors. Scanning for malware helps to ensure that this data doesn't introduce security risks to your system. -To enable and configure Malware Scanning, you must have Owner roles (such as Subscription Owner or Storage Account Owner) or specific roles with the necessary data actions. Learn more about the [required permissions](support-matrix-defender-for-storage.md). +- **Collaborative platforms:** similar to file sharing, teams use cloud storage for continuously sharing content and collaborating across teams and organizations. Scanning for malware ensures safe collaboration. -## How does Malware Scanning work? +- **Data pipelines:** data moving through ETL (Extract, Transfer, Load) processes can come from multiple sources and may include malware. Scanning for malware can help to ensure the integrity of these pipelines. -### Set up of Malware Scanning +- **Machine learning training data:** the quality and security of the training data are critical for effective machine learning models. It's important to ensure these data sets are clean and safe, especially if they include user-generated content or data from external sources. 
-When Malware Scanning is enabled, the following actions automatically take place in your environment: --- For each storage account you enable Malware Scanning on, an Event Grid System Topic resource is created in the same resource group of the storage account - used by the Malware Scanning service to listen on blob upload triggers. Removing this resource breaks the Malware Scanning functionality.+## Prerequisites -- To scan your data, the Malware Scanning service requires access to your data. During service enablement, a new Data Scanner resource called **StorageDataScanner** is created in your Azure subscription and assigned with a system-assigned managed identity. This resource is granted with the **Storage** **Blob Data Owner** role assignment permitting it to access your data for purposes of Malware Scanning and Sensitive Data Discovery.+To enable and configure Malware Scanning, you must have Owner roles (such as Subscription Owner or Storage Account Owner) or specific roles with the necessary data actions. Learn more about the [required permissions](support-matrix-defender-for-storage.md). -In case your storage account **Networking configuration** is set to **Enable Public network access from selected virtual networks and IP addressed**, the **StorageDataScanner** resource is added to the **Resource instances** section under storage account **Networking** configuration to allow access to scan your data. +You can [enable and configure Malware Scanning at scale](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription) for your subscriptions while maintaining granular control over configuring the feature for individual storage accounts. 
There are several ways to enable and configure Malware Scanning: [Azure built-in policy](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#enable-and-configure-at-scale-with-an-azure-built-in-policy) (recommended method), programmatically using Infrastructure as Code templates, including [Bicep](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#bicep-template) and [ARM template](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#arm-template), using the [Azure portal](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#azure-portal), or directly with [REST API](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#enable-and-configure-with-rest-api). -In case you're enabling Malware Scanning on the subscription level, a new Security Operator resource called **StorageAccounts/securityOperators/DefenderForStorageSecurityOperator** is created in your Azure subscription and assigned with a system-managed identity. This resource is used to enable and repair Defender for Storage and Malware Scanning configuration on existing storage accounts and check for new storage accounts created in the subscription to be enabled. This resource has role assignments that include the [specific permissions](#prerequisites) needed to enable Malware Scanning. +To enable and configure Malware Scanning, you must have Owner roles (such as Subscription Owner or Storage Account Owner) or specific roles with the necessary data actions. Learn more about the [required permissions](support-matrix-defender-for-storage.md). 
-> [!NOTE] -> Malware Scanning depends on certain resources, identities, and networking settings to function properly. If you modify or delete any of these, Malware Scanning will stop working. To restore its normal operation, you can turn it off and on again. +## How does malware scanning work? ### On-upload malware scanning #### On-upload triggers- When a blob is uploaded to a protected storage account - a malware scan is triggered. All upload methods trigger the scan. Modifying a blob is an upload operation and therefore the modified content is scanned after the update. #### Scan regions and data retention -The blob is read by the Malware Scanning service that uses Microsoft Defender Antivirus technologies. -The malware scanning is regional, the scanned content stays within the same region. The content isn't saved by the service, it's scanned "in-memory" and immediately deleted afterward. +The malware scanning service that uses Microsoft Defender Antivirus technologies reads the blob. Malware Scanning scans the content "in-memory" and deletes scanned files immediately after scanning. The content isn't retained. The scanning occurs within the same region of the storage account. In some cases, when a file is suspicious, and more data is required, Malware Scanning may share file metadata outside the scanning region, including metadata classified as customer data (for example, SHA-256 hash), with Microsoft Defender for Endpoint. #### Access customer data -The Malware Scanning service requires access to your data to scan your data for malware. During service enablement, a new Data Scanner resource called **StorageDataScanner** is created in your Azure subscription. This resource is granted with a **Storage Blob Data Owner** role assignment to access and change your data for Malware Scanning and Sensitive Data Discovery. +The Malware Scanning service requires access to your data to scan your data for malware. 
During service enablement, a new Data Scanner resource called StorageDataScanner is created in your Azure subscription. This resource is granted with a Storage Blob Data Owner role assignment to access and change your data for malware scanning and sensitive data discovery. #### Private Endpoint is supported out-of-the-box-Malware Scanning in Defender for Storage is supported in storage accounts that use private endpoints while maintaining data privacy. -[Private endpoints](../private-link/private-endpoint-overview.md) provide secure connectivity to your Azure storage services, eliminating public internet exposure, and are considered a best practice. +Malware scanning in Defender for Storage is supported in storage accounts that use private endpoints while maintaining data privacy. -## Providing scan results +[Private endpoints](/azure/storage/common/storage-private-endpoints) provide secure connectivity to your Azure storage services, eliminating public internet exposure, and are considered a best practice. -Malware Scanning scan results are available through four methods. After setup, you'll see scan results as **blob index tags** for every uploaded and scanned file in the storage account, and as **Microsoft Defender for Cloud security alerts** when a file is identified as malicious. +### Set up of malware scanning -You may choose to configure extra scan result methods, such as **Event Grid** and **Log Analytics**, which require extra configuration. In the next section, you'll learn about the different scan result methods. +When malware scanning is enabled, the following actions automatically take place in your environment: -## Scan results +- For each storage account you enable malware scanning on, an Event Grid System Topic resource is created in the same resource group of the storage account - used by the malware scanning service to listen on blob upload triggers. Removing this resource breaks the malware scanning functionality. 
-### Blob index tags +- To scan your data, the Malware Scanning service requires access to your data. During service enablement, a new Data Scanner resource called ``StorageDataScanner`` is created in your Azure subscription and assigned with a system-assigned managed identity. This resource is granted with the Storage Blob Data Owner role assignment permitting it to access your data for purposes of Malware Scanning and Sensitive Data Discovery. ++If your storage account Networking configuration is set to Enable Public network access from selected virtual networks and IP addressed, the ``StorageDataScanner`` resource is added to the Resource instances section under storage account Networking configuration to allow access to scan your data. ++If you're enabling malware scanning on the subscription level, a new Security Operator resource called ``StorageAccounts/securityOperators/DefenderForStorageSecurityOperator`` is created in your Azure subscription and assigned with a system-managed identity. This resource is used to enable and repair Defender for Storage and Malware Scanning configuration on existing storage accounts and check for new storage accounts created in the subscription to be enabled. This resource has role assignments that include the specific permissions needed to enable malware scanning. ++> [!NOTE] +> Malware scanning depends on certain resources, identities, and networking settings to function properly. If you modify or delete any of these, malware scanning will stop working. To restore its normal operation, you can turn it off and on again. ++## Providing scan results -[Blob index tags](../storage/blobs/storage-blob-index-how-to.md) are metadata fields on a blob. They categorize data in your storage account using key-value tag attributes. These tags are automatically indexed and exposed as a searchable multi-dimensional index to easily find data. 
The scan results are concise, displaying **Malware Scanning scan result** and **Malware Scanning scan time UTC** in the blob metadata. Other result types (alerts, events, logs) provide more information on the malware type and file upload operation. +Malware scanning scan results are available through four methods. After setup, you'll see scan results as **blob index tags** for every uploaded and scanned file in the storage account, and as **Microsoft Defender for Cloud security alerts** when a file is identified as malicious. -Malware Scanning Index Tags Keys added: +You may choose to configure extra scan result methods, such as **Event Grid** and **Log Analytics**; these methods require extra configuration. In the next section, you'll learn about the different scan result methods. -- Malware Scanning scan result possible values: - - `No threats found` - - `Malicious` - - `SAM259210: Scan aborted - <message> Correlation Id: <correlation-id-guid>` - - `SAM259210: Scan failed - <message> Correlation Id: <correlation-id-guid>` - - `SAM259210: Scan timed out - <message> Correlation Id: <correlation-id-guid>` - If there are issues, you can provide this `<correlation-id-guid>` to Microsoft support for troubleshooting. +## Scan results ++### Blob index tags -- Malware Scanning scan time UTC possible values:+[Blob index tags](../storage/blobs/storage-blob-index-how-to.md) are metadata fields on a blob. They categorize data in your storage account using key-value tag attributes. These tags are automatically indexed and exposed as a searchable multi-dimensional index to easily find data. The scan results are concise, displaying Malware Scanning scan result and malware scanning scan time UTC in the blob metadata. Other result types (alerts, events, logs) provide more information on the malware type and file upload operation. - - The time and date of the scan. Format: yyyy-MM-dd HH:mm:ssZ -Blob index tags can be used by applications to automate workflows. 
Read more on [setting up response](defender-for-storage-configure-malware-scan.md). +Blob index tags can be used by applications to automate workflows, but are not tamper-resistant. Read more on [setting up response](defender-for-storage-configure-malware-scan.md#setting-up-response-to-malware-scanning). ### Defender for Cloud security alerts When a malicious file is detected, Microsoft Defender for Cloud generates a [Microsoft Defender for Cloud security alert](alerts-overview.md#what-are-security-alerts). To see the alert, go to **Microsoft Defender for Cloud** security alerts. The security alert contains details and context on the file, the malware type, and recommended investigation and remediation steps. To use these alerts for remediation, you can: -1. View [security alerts](https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/7) in the Azure portal by navigating to Microsoft Defender for Cloud -> Security alerts +1. View [security alerts](https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/7) in the Azure portal by navigating to **Microsoft Defender for Cloud** > **Security alerts**. 1. [Configure automations](workflow-automation.md) based on these alerts. 1. [Export security alerts](alerts-overview.md#exporting-alerts) to a SIEM. You can continuously export security alerts Microsoft Sentinel (Microsoft’s SIEM) using [Microsoft Sentinel connector](../sentinel/connect-defender-for-cloud.md), or another SIEM of your choice. Learn more about [responding to security alerts](../event-grid/custom-event-quic Event Grid is useful for event-driven automation. It's the fastest method to get results with minimum latency in a form of events that you can use for automating response. -Events from Event Grid custom topics can be consumed by multiple endpoint types. 
-The most useful for Malware Scanning scenarios are: --- Function App (previously called Azure Function) – use a serverless function to run code for automated response like move, delete or quarantine.-- Web Hook – to connect an application.-- Event Hubs & Service Bus Queue – to notify downstream consumers.--For each scan result, an event is sent using the schema below. --__Event Message Structure__ --The event message is a JSON object that contains key-value pairs that provide detailed information about a malware scanning result. Here's a breakdown of each key in the event message: --- __id__: A unique identifier for the event.--- __subject__: A string that describes the resource path of the scanned blob (file) in the storage account.--- __data__: A JSON object that contains additional information about the event:-- - __correlationId__: A unique identifier that can be used to correlate multiple events related to the same scan. -- - __blobUri__: The URI of the scanned blob (file) in the storage account. -- - __eTag__: The ETag of the scanned blob (file). -- - __scanFinishedTimeUtc__: The UTC timestamp when the scan was completed. -- - __scanResultType__: The result of the scan, e.g., "Malicious" or "No threats found". -- - __scanResultDetails__: A JSON object containing details about the scan result: -- 1. __malwareNamesFound__: An array of malware names found in the scanned file. -- 1. __sha256__: The SHA-256 hash of the scanned file. --- __eventType__: A string that indicates the type of event, in this case, "Microsoft.Security.MalwareScanningResult".--- __dataVersion__: The version number of the data schema.--- __metadataVersion__: The version number of the metadata schema.+Events from Event Grid custom topics can be consumed by multiple endpoint types. 
The most useful for Malware Scanning scenarios are: -- __eventTime__: The UTC timestamp when the event was generated.+- **Function App** (previously called Azure Function) – use a serverless function to run code for automated response like move, delete or quarantine. +- **Webhook** – to connect an application. +- **Event Hubs & Service Bus Queue** – to notify downstream consumers. -- __topic__: The resource path of the Event Grid topic that the event belongs to.+Learn how to configure Malware Scanning so that [every scan result is sent automatically to an Event Grid topic](advanced-configurations-for-malware-scanning.md#setting-up-event-grid-for-malware-scanning) for automation purposes. -Here's an example of an event message: +### Logs analytics +You may want to log your scan results for compliance evidence or investigating scan results. By setting up a Log Analytics Workspace destination, you can store every scan result in a centralized log repository that is easy to query. You can view the results by navigating to the Log Analytics destination workspace and looking for the `StorageMalwareScanningResults` table. -```json +Learn more about [setting up Log Analytics results](../azure-monitor/logs/quick-create-workspace.md). 
-{ - "id": "52d00da0-8f1a-4c3c-aa2c-24831967356b", - "subject": "storageAccounts/<storage_account_name>/containers/app-logs-storage/blobs/EICAR - simulating malware.txt", - "data": { - "correlationId": "52d00da0-8f1a-4c3c-aa2c-24831967356b", - "blobUri": "https://<storage_account_name>.blob.core.windows.net/app-logs-storage/EICAR - simulating malware.txt", - "eTag": "0x8DB4C9327B08CBF", - "scanFinishedTimeUtc": "2023-05-04T11:31:54.0481279Z", - "scanResultType": "Malicious", - "scanResultDetails": { - "malwareNamesFound": [ - "DOS/EICAR_Test_File" - ], - "sha256": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F" - } - }, - "eventType": "Microsoft.Security.MalwareScanningResult", - "dataVersion": "1.0", - "metadataVersion": "1", - "eventTime": "2023-05-04T11:31:54.048375Z", - "topic": "/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.EventGrid/topics/<event_grid_topic_name>" -} -``` +> [!TIP] +> We recommend you try a hands-on lab to try out Malware Scanning in Defender for Storage: the [Ninja](https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/main/Labs/Modules/Module%2019%20-%20Defender%20for%20Storage.md) training instructions for detailed step-by-step instructions on how to test Malware Scanning end-to-end with setting up responses to scanning results. This is part of the 'labs' project that helps customers get ramped up with Microsoft Defender for Cloud and provide hands-on practical experience with its capabilities. -By understanding the structure of the event message, you can extract relevant information about the malware scanning result and process it accordingly. +## Cost control -Learn how to configure Malware Scanning so that [every scan result is sent automatically to an Event Grid topic](../storage/common/azure-defender-storage-configure.md#setting-up-event-grid-for-malware-scanning) for automation purposes. +Malware scanning is billed per GB scanned. 
To provide cost predictability, Malware Scanning supports setting a cap on the amount of GB scanned in a single month per storage account. -### Logs Analytics +The "capping" mechanism is designed to set a monthly scanning limit, measured in gigabytes (GB), for each storage account, serving as an effective costs control. If a predefined scanning limit is established for a storage account in a single calendar month, the scanning operation would automatically halt once this threshold is reached (with up to 20-GB deviation) and files won't be scanned for malware. -You may want to log your scan results for compliance evidence or investigating scan results. By setting up a Log Analytics Workspace destination, you can store every scan result in a centralized log repository that is easy to query. You can view the results by navigating to the Log Analytics destination workspace and looking for the `StorageMalwareScanningResults` table. +By default, a limit of 5 TB (5,000 GB) is established if no specific capping mechanism is defined. -Learn more about [setting up Log Analytics results](../azure-monitor/logs/quick-create-workspace.md). +> [!TIP] +> You can set the capping mechanism on either individual storage accounts or across an entire subscription (every storage account on the subscription will be allocated the limit defined on the subscription level). -## Cost control --Malware Scanning is billed per GB scanned. To provide cost predictability, Malware Scanning supports setting a cap on the amount of GB scanned in a single month per storage account. This setting can be set at the subscription level to apply to each storage account in the subscription, or you can set it for a specific storage account. The default value for each storage account is 5000GB per month, and after crossing this limit, blobs won't be scanned (with up to a 20-GB confidence interval). 
Learn about how to [configure scan limits](../storage/common/azure-defender-storage-configure.md#configure-malware-scanning). +Follow [these steps](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#azure-portal) to configure the capping mechanism. ## Handling possible false positives -If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for analysis through [the sample submission portal](https://aka.ms/submitfile). Select “Microsoft Defender for Storage” as the source. +If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for analysis through the [sample submission portal](/microsoft-365/security/intelligence/submission-guide). Select “Microsoft Defender for Storage” as the source. Malware Scanning doesn't block access or change permissions to the uploaded blob, even if it's malicious. Malware Scanning doesn't block access or change permissions to the uploaded blob ### Unsupported features and services -1. **Unsupported storage accounts:** Legacy v1 storage accounts aren't supported by Malware Scanning. --1. **Unsupported service:** Azure Files isn't supported by Malware Scanning. --1. **Unsupported blob types:** [Append and Page blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) aren't supported for Malware Scanning. --1. **Unsupported encryption:** Client-side encrypted blobs aren't supported as they can't be decrypted before scanning by the service. However, data encrypted at rest by Customer Managed Key (CMK) is supported. --1. **Unsupported index tag results:** Index tag scan result isn't supported in storage accounts with Hierarchical namespace enabled (Azure Data Lake Storage Gen2). +- Unsupported storage accounts: Legacy v1 storage accounts aren't supported by malware scanning. 
+- Unsupported service: Azure Files isn't supported by malware scanning. +- Unsupported blob types: [Append and Page blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs) aren't supported for Malware Scanning. +- Unsupported encryption: Client-side encrypted blobs aren't supported as they can't be decrypted before scanning by the service. However, data encrypted at rest by Customer Managed Key (CMK) is supported. +- Unsupported index tag results: Index tag scan result isn't supported in storage accounts with Hierarchical namespace enabled (Azure Data Lake Storage Gen2). ### Throughput capacity and blob size limit -1. **Scan throughput rate limit:** Malware Scanning can process up to 2GB per minute for each storage account. If the rate of file upload momentarily exceeds this threshold for a storage account, the system will attempt to scan the files in excess of the rate limit. If the rate of file upload consistently exceeds this threshold, some blobs will not be scanned. +- **Scan throughput rate limit:** Malware Scanning can process up to 2 GB per minute for each storage account. If the rate of file upload momentarily exceeds this threshold for a storage account, the system attempts to scan the files in excess of the rate limit. If the rate of file upload consistently exceeds this threshold, some blobs won't be scanned. -1. **Blob scan limit:** Malware Scanning can process up to 2,000 files per minute for each storage account. If the rate of file upload momentarily exceeds this threshold for a storage account, the system will attempt to scan the files in excess of the rate limit. If the rate of file upload consistently exceeds this threshold, some blobs will not be scanned. +- **Blob scan limit:** Malware Scanning can process up to 2,000 files per minute for each storage account. If the rate of file upload momentarily exceeds this threshold for a storage account, the system attempts to scan the files in excess of the rate limit. 
If the rate of file upload consistently exceeds this threshold, some blobs won't be scanned. -1. **Blob size limit:** The maximum size limit for a single blob to be scanned is 2 GB. Blobs that are larger than the limit will not be scanned. +- **Blob size limit:** The maximum size limit for a single blob to be scanned is 2 GB. Blobs that are larger than the limit won't be scanned. ### Blob uploads and index tag updates -Upon uploading a blob to the storage account, the Malware Scanning will initiate an additional read operation and update the index tag. In most cases, these operations do not generate significant load. +Upon uploading a blob to the storage account, the malware scanning initiates an extra read operation and updates the index tag. In most cases, these operations don't generate significant load. ### Impact on access and storage IOPS Despite the scanning process, access to uploaded data remains unaffected, and th ## Next steps -In this article, you learned about Microsoft Defender for Storage. --> [!div class="nextstepaction"] -> [Enable Defender for Storage](enable-enhanced-security.md) ------------------------------+Learn more on how to [set up response for malware scanning](defender-for-storage-configure-malware-scan.md#setting-up-response-to-malware-scanning) results. |
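Review bot: the two descriptions of the `StorageDataScanner` permission disagree: the "Access customer data" paragraph keeps "Storage Blob Data Owner role assignment to access and change your data", while the new "Set up of malware scanning" bullet says the same role is "permitting it to access your data". Storage Blob Data Owner is a write-capable role, and the "Blob uploads and index tag updates" hunk states the scanner "updates the index tag" on every scanned blob, so the setup bullet should also say "access and change" (and name the index-tag write as the reason) so readers assessing the blast radius of this identity get a consistent answer.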
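Review bot: the Event Grid hunk deletes the entire event-message schema (id, subject, data.correlationId, blobUri, eTag, scanFinishedTimeUtc, scanResultType, scanResultDetails.malwareNamesFound, scanResultDetails.sha256, eventType "Microsoft.Security.MalwareScanningResult", dataVersion, metadataVersion, eventTime, topic) together with the EICAR sample event, and replaces them with a single link to the configuration page. Function App, webhook and Event Hubs consumers parse exactly these fields to decide on move, delete or quarantine; unless the linked page now carries the schema and sample, keep them here or link to a reference page that documents them.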
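Review bot: in the blob index tags hunk, the added caveat "but are not tamper-resistant" is correct but too terse to act on; suggest spelling it out, e.g. "any principal with permission to write the blob's index tags can change or remove the scan result, so treat the Defender for Cloud alert, the Event Grid event or the Log Analytics record as the authoritative result". The same hunk also drops the enumerated tag values (`No threats found`, `Malicious`, the three `SAM259210: ...` forms with the correlation id to give support) and the `yyyy-MM-dd HH:mm:ssZ` time format; automation that reads the tag matches on these exact strings, so keep the list.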
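Review bot: the cost control hunk says scanning "would automatically halt once this threshold is reached (with up to 20-GB deviation) and files won't be scanned for malware" but no longer tells the reader what that implies. Since the page also states that Malware Scanning doesn't block access to a malicious blob, add a sentence that blobs uploaded after the cap is hit (or, per the throughput hunk, while the 2 GB/minute or 2,000 files/minute rate is consistently exceeded) get no scan result for alerts or automation to key on, so teams should size the cap from expected upload volume and monitor for the limit being reached rather than rely on the 5,000 GB default.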
defender-for-cloud | Defender For Storage Policy Enablement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-policy-enablement.md | + + Title: Enable and configure the Defender for Storage plan at scale with an Azure built-in policy +description: Learn how to enable the Microsoft Defender for Storage plan at scale with an Azure built-in policy. +++ Last updated : 08/15/2023+++# Enable and configure at scale with an Azure built-in policy ++Enabling Defender for Storage via a policy is recommended because it facilitates enablement at scale and ensures that a consistent security policy is applied across all existing and future storage accounts within the defined scope (such as entire management groups). This keeps the storage accounts protected with Defender for Storage according to the organization's defined configuration. ++> [!TIP] +> You can always [configure specific storage accounts](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#override-defender-for-storage-subscription-level-settings) with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings). ++## Azure built-in policy ++To enable and configure Defender for Storage at scale with an Azure built-in policy, follow these steps: ++1. Sign in to the Azure portal and navigate to the **Policy** dashboard. +1. In the Policy dashboard, select **Definitions** from the left-side menu. +1. In the ΓÇ£Security CenterΓÇ¥ category, search for and then select **Configure Microsoft Defender for Storage to be enabled**. This policy enables all Defender for Storage capabilities: Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. You can also get it here: [List of built-in policy definitions](/azure/governance/policy/samples/built-in-policies#security-center). 
If you want to enable a policy without the configurable features, use **Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only)**. + + :::image type="content" source="media/defender-for-storage-malware-scan/policy-definitions.png" alt-text="Screenshot that shows where to select policy definitions." lightbox="media/defender-for-storage-malware-scan/policy-definitions.png"::: ++1. Select the policy and review it. +1. Select **Assign** and edit the policy details. You can fine-tune, edit, and add custom rules to the policy. ++ :::image type="content" source="media/defender-for-storage-malware-scan/policy-assign.png" alt-text="Screenshot that shows where to assign the policy." lightbox="media/defender-for-storage-malware-scan/policy-assign.png"::: ++1. Once you have completed reviewing, select **Review + create**. +1. Select **Create** to assign the policy. ++> [!TIP] +> Malware Scanning can be configured to send scanning results to the following: <br> **Event Grid custom topic** - for near-real time automatic response based on every scanning result. Learn more how to [configure malware scanning to send scanning events to an Event Grid custom topic](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-event-grid-for-malware-scanning). <br> **Log Analytics workspace** - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to [configure malware scanning to send scanning results to a Log Analytics workspace](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-logging-for-malware-scanning). ++Learn more on how to [set up response for malware scanning](defender-for-storage-configure-malware-scan.md) results. 
++## Next steps ++Learn how to [enable and configure Microsoft Defender for Storage with IaC templates](defender-for-storage-infrastructure-as-code-enablement.md). |
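Review bot: the added step about the policy category contains mojibake: "ΓÇ£Security CenterΓÇ¥" is a UTF-8 curly-quoted “Security Center” mis-decoded through code page 437. Fix the encoding before merge so the category name renders and matches the one in the linked built-in policy list.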
defender-for-cloud | Defender For Storage Rest Api Enablement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-rest-api-enablement.md | + + Title: Enable and configure the Microsoft Defender for Storage plan at scale using REST API +description: Learn how to enable the Defender for Storage on your Azure subscription for Microsoft Defender for Cloud using REST API. +++ Last updated : 08/08/2023+++# Enable and configure with REST API ++We recommend that you enable Defender for Storage on the subscription level. Doing so ensures all storage accounts in the subscription will be protected, including future ones. ++> [!TIP] +> You can always [configure specific storage accounts](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#override-defender-for-storage-subscription-level-settings) with custom configurations that differ from the settings configured at the subscription level (override subscription-level settings). 
++## [Enable on a subscription](#tab/enable-subscription/) ++To enable and configure Microsoft Defender for Storage at the subscription level using REST API, create a PUT request with this endpoint (replace the `subscriptionId` in the endpoint URL with your own Azure subscription ID): ++**PUT** https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2023-01-01 +And add the following request body: ++``` +{ + "properties": { + "extensions": [ + { + "name": "OnUploadMalwareScanning", + "isEnabled": "True", + "additionalExtensionProperties": { + "CapGBPerMonthPerStorageAccount": "5000" + } + }, + { + "name": "SensitiveDataDiscovery", + "isEnabled": "True" + } + ], + "subPlan": "DefenderForStorageV2", + "pricingTier": "Standard" + } +} +``` +To modify the monthly threshold for malware scanning in your storage accounts, adjust the `CapGBPerMonthPerStorageAccount` parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB. ++If you want to turn off the on-upload malware scanning or Sensitive data threat detection features, you can change the isEnabled value to **False** under Sensitive data discovery. ++To disable the entire Defender plan, set the pricingTier property value to **Free** and remove the `subPlan` and extensions properties. ++Learn more about [updating Defender plans with the REST API](/rest/api/defenderforcloud/pricings/update) in HTTP, Java, Go and JavaScript. ++## [Enable on a storage account](#tab/enable-storage-account/) ++To enable and configure Microsoft Defender for Storage at the storage account level using REST API, create a PUT request with this endpoint. 
Replace the `subscriptionId`, `resourceGroupName`, and `accountName` in the endpoint URL with your own Azure subscription ID, resource group and storage account names accordingly. ++``` +PUT +https://management.azure.com/{resourceId}/providers/Microsoft.Security/defenderForStorageSettings/current?api-version=2022-12-01-preview ++``` +And add the following request body: ++``` +{ + "properties": { + "isEnabled": true, + "malwareScanning": { + "onUpload": { + "isEnabled": true, + "capGBPerMonth": 5000 + } + "scanResultsEventGridTopicResourceId": "/subscriptions/<Subscription>/resourceGroups/<resourceGroup>/providers/Microsoft.EventGrid/topics/<topicName>" + }, + "sensitiveDataDiscovery": { + "isEnabled": true + }, + "overrideSubscriptionLevelSettings": true + }, + "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]" +} +``` ++To modify the monthly threshold for malware scanning in your storage accounts, adjust the `capGBPerMonth` parameter to your preferred value. This parameter sets a cap on the maximum data that can be scanned for malware each month, per storage account. If you want to permit unlimited scanning, assign the value -1. The default limit is set at 5,000 GB. ++If you want to turn off the on-upload malware scanning or sensitive data threat detection features, you can change the `isEnabled` value to **False** under the `malwareScanning` or `sensitiveDataDiscovery` properties sections. ++To disable the entire Defender plan for the storage account, set the `isEnabled` property value to **False** and remove the `malwareScanning` and `sensitiveDataDiscovery` sections from the properties. ++Learn more about the [Microsoft.Security/DefenderForStorageSettings API](/rest/api/defenderforcloud/defender-for-storage/create) documentation. 
++++> [!TIP] +> Malware Scanning can be configured to send scanning results to the following: <br> **Event Grid custom topic** - for near-real time automatic response based on every scanning result. Learn more how to [configure malware scanning to send scanning events to an Event Grid custom topic](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-event-grid-for-malware-scanning). <br> **Log Analytics workspace** - for storing every scan result in a centralized log repository for compliance and audit. Learn more how to [configure malware scanning to send scanning results to a Log Analytics workspace](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-storage-account#setting-up-logging-for-malware-scanning). ++Learn more on how to [set up response for malware scanning](defender-for-storage-configure-malware-scan.md) results. ++## Next steps ++- Learn how to [enable and Configure the Defender for Storage plan at scale with an Azure built-in policy](defender-for-storage-policy-enablement.md). |
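Review bot: the storage-account-level request body is not valid JSON: a comma is missing after the `onUpload` object (`"capGBPerMonth": 5000 }` is followed directly by `"scanResultsEventGridTopicResourceId"`). In the same body, `"scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]"` is an ARM template expression that a raw REST PUT does not evaluate; drop it from the REST example or move it to the IaC page. The endpoint also shows `{resourceId}` while the text tells the reader to replace `subscriptionId`, `resourceGroupName` and `accountName`; write the path out as `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/defenderForStorageSettings/current` so the three placeholders actually appear.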
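Review bot: in the subscription-level hunk, the prose says to turn off "the on-upload malware scanning or Sensitive data threat detection features" by changing "the isEnabled value to **False** under Sensitive data discovery", but the body has a separate `OnUploadMalwareScanning` extension with its own `isEnabled`; say which extension to flip for each feature, as the storage-account tab already does. The subscription body also uses string values (`"isEnabled": "True"`, `"CapGBPerMonthPerStorageAccount": "5000"`) while the storage-account body uses JSON booleans and numbers (`true`, `5000`); if both are right for their respective APIs, a one-line note would prevent copy-paste mistakes between the tabs. Both request bodies sit in untagged fences; tag them as json.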
defender-for-cloud | Plan Defender For Servers Scale | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/plan-defender-for-servers-scale.md | description: Scale protection of Azure, AWS, GCP, and on-premises servers by usi Previously updated : 11/06/2022 Last updated : 08/14/2023 # Scale a Defender for Servers deployment You can get the *Azure Security Benchmark* policy definition on [GitHub](https:/ You can use a policy definition to enable Defender for Servers at scale: -- To get the built-in *Configure Defender for Servers to be enabled* policy definition, in the Azure portal for your deployment, go to **Azure Policy** > **Policy Definitions**.+- To get the built-in *Configure Azure Defender for Servers to be enabled* policy definition, in the Azure portal for your deployment, go to **Azure Policy** > **Policy Definitions**. ++ :::image type="content" source="media/plan-defender-for-servers-scale/select-policy-definition.png" alt-text="Screenshot that shows the Configure Azure Defender for Servers to be enabled policy definition." lightbox="media/plan-defender-for-servers-scale/select-policy-definition.png"::: + - Alternatively, you can use a [custom policy](https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Policy/Enable%20Defender%20for%20Servers%20plans) to enable Defender for Servers and select the plan at the same time.-- You can enable only one Defender for Servers plan on each subscription. You can't enable both Defender for Servers Plan 1 and Plan 2 at the same time.+- You can enable only one Defender for Servers plan on each subscription. You can't enable both Defender for Servers Plan 1 and Plan 2 at the same subscription. - If you want to use both plans in your environment, divide your subscriptions into two management groups. On each management group, assign a policy to enable the respective plan on each underlying subscription. ## Scale auto provisioning |
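Review bot: the rewritten bullet "You can't enable both Defender for Servers Plan 1 and Plan 2 at the same subscription" reads awkwardly; "on the same subscription" keeps the intended correction of the earlier "at the same time". The next bullet already gives the management-group workaround, so nothing else in the hunk needs to change.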
defender-for-cloud | Secret Scanning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/secret-scanning.md | Title: Manage secrets with agentless secret scanning + Title: Manage secrets with agentless secret scanning (preview) description: Learn how to scan your servers for secrets with Defender for Server's agentless secret scanning. Previously updated : 07/18/2023 Last updated : 08/15/2023 -# Manage secrets with agentless secret scanning +# Manage secrets with agentless secret scanning (preview) Attackers can move laterally across networks, find sensitive data, and exploit vulnerabilities to damage critical information systems by accessing internet-facing workloads and exploiting exposed credentials and secrets. Defender for Cloud's agentless secret scanning for Virtual Machines (VM) locates By using agentless secret scanning, you can proactively discover the following types of secrets across your environments: -- **Insecure SSH private keys** - supports RSA algorithm for PuTTy files, PKCS#8 and PKCS#1 standards-- **Plaintext Azure SQL connection strings** - supports SQL PAAS-- **Plaintext Azure storage account connection strings**-- **Plaintext Azure storage account SAS tokens**-- **Plaintext AWS access keys**-- **Plaintext AWS RDS SQL connection string** -supports SQL PAAS+- **Insecure SSH private keys (Azure, AWS, GCP)** - supports RSA algorithm for PuTTy files, PKCS#8 and PKCS#1 standards +- **Plaintext Azure SQL connection strings (Azure, AWS)** - supports SQL PAAS +- **Plaintext Azure storage account connection strings (Azure, AWS)** +- **Plaintext Azure storage account SAS tokens (Azure, AWS)** +- **Plaintext AWS access keys (Azure, AWS)** +- **Plaintext AWS RDS SQL connection string (Azure, AWS)** -supports SQL PAAS In addition to detecting SSH private keys, the agentless scanner verifies whether they can be used to move laterally in the network. 
Keys that we didn't successfully verify are categorized as **unverified** in the **Recommendation** pane. Agentless secret scanning for AWS instances supports the following attack path s - `Vulnerable EC2 instance has insecure secrets that are used to authenticate to an AWS RDS server`. +### GCP instances supported attack path scenarios ++Agentless secret scanning for GCP VM instances supports the following attack path scenarios: ++- `Exposed Vulnerable GCP VM instance has an insecure SSH private key that is used to authenticate to a GCP VM instance`. + **To investigate secrets with Attack path**: 1. Sign in to the [Azure portal](https://portal.azure.com). If a secret is found on your resource, that resource triggers an affiliated reco - **AWS resources**: `EC2 instances should have secret findings resolved` +- **GCP resources**: `VM instances should have secret findings resolved` + **To remediate secrets from the recommendations page**: 1. Sign in to the [Azure portal](https://portal.azure.com). If a secret is found on your resource, that resource triggers an affiliated reco - **Azure resources**: `Machines should have secrets findings resolved` - **AWS resources**: `EC2 instances should have secret findings resolved`+ - **GCP resources**: `VM instances should have secret findings resolved` :::image type="content" source="media/secret-scanning/recommendation-findings.png" alt-text="Screenshot that shows either of the two results under the Remediate vulnerabilities security control." lightbox="media/secret-scanning/recommendation-findings.png"::: The [cloud security explorer](concept-attack-path.md#what-is-cloud-security-expl 1. Select one of the following templates: - - **VM with plaintext secret that can authenticate to another VM** - Returns all Azure VMs or AWS EC2 instances with plaintext secret that can access other VMs or EC2s. 
- - **VM with plaintext secret that can authenticate to a storage account** - Returns all Azure VMs or AWS EC2 instances with plaintext secret that can access storage accounts. - - **VM with plaintext secret that can authenticate to a SQL database** - Returns all Azure VMs or AWS EC2 instances with plaintext secret that can access SQL databases. + - **VM with plaintext secret that can authenticate to another VM** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access other VMs or EC2s. + - **VM with plaintext secret that can authenticate to a storage account** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access storage accounts. + - **VM with plaintext secret that can authenticate to a SQL database** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access SQL databases. If you don't want to use any of the available templates, you can also [build your own query](how-to-manage-cloud-security-explorer.md) on the cloud security explorer. |
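Review bot: the three cloud security explorer template descriptions are widened so that GCP VM instances count as the source, but the first one still ends with "can access other VMs or EC2s", while the new GCP attack path added above names a GCP VM instance as the target ("...used to authenticate to a GCP VM instance"); the target list should read "other VMs, EC2 instances, or GCP VM instances" so the template text agrees with the scenario it is meant to surface. In the same change the recommendation names differ between the two lists ("Machines should have secrets findings resolved" for Azure versus "...should have secret findings resolved" for AWS and GCP); check the actual recommendation titles and use one form, since readers locate them on the recommendations page by that exact string. Smaller points in the edited lines: "PuTTy" should be "PuTTY", "SQL PAAS" should be "SQL PaaS", and the new GCP scenario string "Exposed Vulnerable GCP VM instance..." capitalizes "Vulnerable" unlike the existing AWS scenario ("Vulnerable EC2 instance has insecure secrets...").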
defender-for-cloud | Support Matrix Defender For Storage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/support-matrix-defender-for-storage.md | description: Learn about the permissions required to enable Defender for Storage Previously updated : 03/26/2023 Last updated : 08/14/2023 -# Permissions required to enable Defender for Storage and its features +# Required permissions for enabling Defender for Storage and its features This article lists the permissions required to [enable Defender for Storage](../storage/common/azure-defender-storage-configure.md) and its features. -To enable Defender for Storage and its features - Malware Scanning and Sensitive data threat detection, various permission levels are required. Below is a breakdown of the required permissions for each scenario. --## Subscription level enablement and configuration (action set 1) --* Microsoft.Security/pricings/write -* Microsoft.Security/pricings/read -* Microsoft.Security/pricings/SecurityOperators/read -* Microsoft.Security/pricings/SecurityOperators/write -* Microsoft.Authorization/roleAssignments/read -* Microsoft.Authorization/roleAssignments/write -* Microsoft.Authorization/roleAssignments/delete --## Storage account level enablement and configuration (action set 2) --* Microsoft.Storage/storageAccounts/write -* Microsoft.Storage/storageAccounts/read -* Microsoft.Security/defenderforstoragesettings/read -* Microsoft.Security/defenderforstoragesettings/write -* Microsoft.EventGrid/eventSubscriptions/read -* Microsoft.EventGrid/eventSubscriptions/write -* Microsoft.EventGrid/eventSubscriptions/delete -* Microsoft.Authorization/roleAssignments/read -* Microsoft.Authorization/roleAssignments/write -* Microsoft.Authorization/roleAssignments/delete --## Permissions for enabling scenarios --| Scenario | Activity monitoring | Malware Scanning | Sensitive data threat detection | Required Permissions<br>(role / action set) | -|--|--|--|--|--| -| Subscription 
level | Yes | No | No | Security Admin or Pricings/read, Pricings/write on the subscription | -| Subscription level | Yes | Yes | No | Subscription Owner or action set 1 | -| Subscription level | Yes | No | Yes | Subscription Owner or action set 1 | -| Subscription level | Yes | Yes | Yes | Subscription Owner or action set 1 | -| Storage account level | Yes | No | No | Security Admin or Microsoft.Security/defenderforstoragesettings/read, Microsoft.Security/defenderforstoragesettings/write | -| Storage account level | Yes | Yes | No | Storage Account Owner or action set 2 | -| Storage account level | Yes | No | Yes | Storage Account Owner or action set 2 | -| Storage account level | Yes | Yes | Yes | Storage Account Owner or action set 2 | -| Built-in Azure policy<br>(activity monitoring only) | Yes | No | No | Security Admin or action set 1 | -| Built-in Azure policy<br>(all features) | Yes | Yes | Yes | Subscription Owner or action set 1 | +Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. ++- **Activity monitoring:** Detects suspicious activities in storage accounts by analyzing data plane and control plane activities and using Microsoft Threat Intelligence, behavioral modeling, and machine-learning. ++- **Malware Scanning:** Scans all uploaded blobs in near-real time using Microsoft Defender Antivirus to protect storage accounts from malicious content. ++- **Sensitive data threat detection:** Prioritizes security alerts based on data sensitivity discovered by the Sensitive Data Discovery Engine, detects exposure events and suspicious activities, enhancing protection against data breaches. ++Depending on the scenario, you need different levels of permissions to enable Defender for Storage and its features. 
You can enable and configure Defender for Storage at the subscription level or at the storage account level. You can also use built-in Azure policies to enable Defender for Storage and enforce its enablement on a desired scope. ++The following table summarizes the permissions you need for each scenario. The permissions are either built-in Azure roles or action sets that you can assign to custom roles. ++| Capability | Subscription level | Storage account level | +|||| +| Activity monitoring | Security Admin or Pricings/read, Pricings/write | Security Admin or Microsoft.Security/defenderforstoragesettings/read, Microsoft.Security/defenderforstoragesettings/write | +| Malware scanning | Subscription Owner or action set 1 | Storage Account Owner or action set 2 | +| Sensitive data threat detection | Subscription Owner or action set 1 | Storage Account Owner or action set 2 | ++> [!NOTE] +> Activity monitoring is always enabled when you enable Defender for Storage. ++The action sets are collections of Azure resource provider operations that you can use to create custom roles. 
The action sets for enabling Defender for Storage and its features are: ++## Action set 1: Subscription level enablement and configuration ++- Microsoft.Security/pricings/write +- Microsoft.Security/pricings/read +- Microsoft.Security/pricings/SecurityOperators/read +- Microsoft.Security/pricings/SecurityOperators/write +- Microsoft.Authorization/roleAssignments/read +- Microsoft.Authorization/roleAssignments/write +- Microsoft.Authorization/roleAssignments/delete ++## Action set 2: Storage account level enablement and configuration ++- Microsoft.Storage/storageAccounts/write +- Microsoft.Storage/storageAccounts/read +- Microsoft.Security/defenderforstoragesettings/read +- Microsoft.Security/defenderforstoragesettings/write +- Microsoft.EventGrid/eventSubscriptions/read +- Microsoft.EventGrid/eventSubscriptions/write +- Microsoft.EventGrid/eventSubscriptions/delete +- Microsoft.Authorization/roleAssignments/read +- Microsoft.Authorization/roleAssignments/write +- Microsoft.Authorization/roleAssignments/delete |
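Review bot: collapsing the old ten-row matrix into a three-row capability table drops the two "Built-in Azure policy" rows (activity monitoring only: Security Admin or action set 1; all features: Subscription Owner or action set 1) even though the new prose still says "You can also use built-in Azure policies to enable Defender for Storage and enforce its enablement on a desired scope"; either restore a policy row or state the policy permissions next to that sentence. The table separator is written as `||||`; if that is what the file contains the table won't render, it needs `|--|--|--|` as the removed table had (`|--|--|--|--|--|`). One caveat a reader of "action set 1" and "action set 2" needs: both include `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete`, and a principal holding those at subscription or storage account scope can assign Owner to itself or anyone else at that scope, so a custom role built from either action set is effectively full administrative control of the scope, not a narrower alternative to Owner; the page should say so and advise assigning such a role at the smallest scope, to as few principals as possible, and removing it after enablement.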
defender-for-cloud | Tutorial Enable Storage Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tutorial-enable-storage-plan.md | Title: Protect your storage accounts with the Defender for Storage plan + Title: Protect your storage accounts with the Microsoft Defender for Storage plan description: Learn how to enable the Defender for Storage on your Azure subscription for Microsoft Defender for Cloud. Previously updated : 06/29/2023 Last updated : 08/01/2023 -# Protect your storage accounts with Defender for Storage +# Deploy Microsoft Defender for Storage -Defender for Storage in Microsoft Defender for Cloud is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks. +Microsoft Defender for Storage is an Azure-native solution offering an advanced layer of intelligence for threat detection and mitigation in storage accounts, powered by Microsoft Threat Intelligence, Microsoft Defender Antimalware technologies, and Sensitive Data Discovery. With protection for Azure Blob Storage, Azure Files, and Azure Data Lake Storage services, it provides a comprehensive alert suite, near real-time Malware Scanning (add-on), and sensitive data threat detection (no extra cost), allowing quick detection, triage, and response to potential security threats with contextual information. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. -Learn more about the [Defender for Storage plan](defender-for-storage-introduction.md). 
+With Microsoft Defender for Storage, organizations can customize their protection and enforce consistent security policies by enabling it on subscriptions and storage accounts with granular control and flexibility. -You can learn more about Defender for Storage's pricing on [the pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/). +Defender for Storage in Microsoft Defender for Cloud is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. It uses advanced threat detection capabilities and [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks. -## Prerequisites + > [!TIP] + > If you're currently using Microsoft Defender for Storage classic, consider [migrating to the new plan](defender-for-storage-classic-migrate.md), which offers several benefits over the classic plan. -- You need a Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free subscription](https://azure.microsoft.com/pricing/free-trial/).+## Availability -- You must [enable Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) on your Azure subscription.+| Aspect | Details | +||| +|Release state: | General Availability (GA) | +| Feature availability: | - Activity monitoring (security alerts) - General availability (GA)<br>- Malware Scanning - Preview, General Availability (GA) on September 1, 2023<br>- Sensitive data threat detection (Sensitive Data Discovery) ΓÇô Preview<br>- Malware Scanning(add-on) - free during public preview**<br><br> Above pricing applies to commercial clouds. Visit the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud) to learn more. 
| +|Required roles and permissions: | For Malware Scanning and sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions. To enable Activity Monitoring, you need 'Security Admin' permissions. Read more about the required permissions. | +| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Azure Commercial clouds*<br> :::image type="icon" source="./media/icons/no-icon.png"::: Azure Government (only activity monitoring support on the classic plan)<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet<br>:::image type="icon" source="./media/icons/no-icon.png"::: Connected AWS accounts | -## Enable the Storage plan +*Azure DNS Zone is not supported for Malware Scanning and sensitive data threat detection. -Defender for Storage continually analyzes the telemetry stream generated by the [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs/) and Azure Files services. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud, together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations. +## Prerequisites for Malware scanning +To enable and configure Malware Scanning, you must have Owner roles (such as Subscription Owner or Storage Account Owner) or specific roles with the necessary data actions. Learn more about the [required permissions](support-matrix-defender-for-storage.md). -**To enable Defender for Storage on your subscription**: +## Set up and configure Microsoft Defender for Storage -1. Sign in to the [Azure portal](https://portal.azure.com). 
+To enable and configure Microsoft Defender for Storage and ensure maximum protection and cost optimization, the following configuration options are available: -1. Search for and select **Microsoft Defender for Cloud**. +- Enable/disable Microsoft Defender for Storage at the subscription and storage account levels. +- Enable/disable the Malware Scanning or sensitive data threat detection configurable features. +- Set a monthly cap ("capping") on the Malware Scanning per storage account per month to control costs (default value is 5,000GB). +- Configure methods to set up response to malware scanning results. +- Configure methods for saving malware scanning results logging. -1. In the Defender for Cloud menu, select **Environment settings**. +> [!TIP] +> The Malware Scanning feature has advanced configurations to help security teams support different workflows and requirements. -1. Select the relevant subscription. +- [Override subscription-level settings to configure specific storage accounts](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#override-defender-for-storage-subscription-level-settings) with custom configurations that differ from the settings configured at the subscription level. -1. On the Defender plans page, toggle the Storage plan to **On**. 
+There are several ways to enable and configure Defender for Storage: [Azure built-in policy](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#enable-and-configure-at-scale-with-an-azure-built-in-policy) (recommended method), programmatically using Infrastructure as Code templates, including [Bicep](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#bicep-template) and [ARM template](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#arm-template), using the [Azure portal](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#azure-portal), or directly with [REST API](/azure/storage/common/azure-defender-storage-configure?toc=%2Fazure%2Fdefender-for-cloud%2Ftoc.json&tabs=enable-subscription#enable-and-configure-with-rest-api). - :::image type="content" source="media/tutorial-enable-storage-plan/enable-storage.png" alt-text="Screenshot that shows where to toggle the switch for the storage plan to on is located." lightbox="media/tutorial-enable-storage-plan/enable-storage.png"::: +Enabling Defender for Storage via a policy is recommended because it facilitates enablement at scale and ensures that a consistent security policy is applied across all existing and future storage accounts within the defined scope (such as entire management groups). This keeps the storage accounts protected with Defender for Storage according to the organization's defined configuration. -1. Select **Save**. +> [!NOTE] +> To prevent migrating back to the legacy classic plan, make sure to disable the old Defender for Storage policies. 
Look for and disable policies named ``Configure Azure Defender for Storage to be enabled``, ``Azure Defender for Storage should be enabled``, or ``Configure Microsoft Defender for Storage to be enabled (per-storage account plan)`` or deny policies that prevent the disablement of the classic plan. ## Next steps -- [Overview of Microsoft Defender for Storage](defender-for-storage-introduction.md)--- [Additional configurations for Defender for Storage](../storage/common/azure-defender-storage-configure.md?toc=/azure/defender-for-cloud/toc.json)+- Learn how to [enable and Configure the Defender for Storage plan at scale with an Azure built-in policy](defender-for-storage-policy-enablement.md). |
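Review bot: the new "Feature availability" cell has several defects: "ΓÇô" is a mis-encoded en dash that will render literally; "Malware Scanning(add-on) - free during public preview**" carries a two-asterisk marker with no matching footnote (only the single-asterisk "*Azure DNS Zone is not supported..." note exists under the table), and Malware Scanning now appears twice in the same cell with different statuses ("Preview, General Availability (GA) on September 1, 2023" and "free during public preview"); "Above pricing applies to commercial clouds" refers to pricing the cell never states. The "Required roles and permissions" cell ends with "Read more about the required permissions." with no link, while the "Prerequisites for Malware scanning" section below does link to support-matrix-defender-for-storage.md; link both or drop the sentence. The footnote should also say what "Azure DNS Zone" refers to here, presumably storage accounts using Azure DNS zone endpoints, because a reader checking support for an existing account otherwise has nothing to look for. Finally, the removed step-by-step "Enable the Storage plan" procedure (Environment settings, select subscription, toggle Storage to On, Save) is not replaced by any in-page procedure; a page whose file is still named tutorial-enable-storage-plan.md now only links out to the configuration article, so either keep a minimal portal procedure or retitle the page as an overview.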
dev-box | Quickstart Configure Dev Box Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dev-box/quickstart-configure-dev-box-service.md | To complete this quickstart, you need: - Microsoft 365 A3, Microsoft 365 A5 - Microsoft 365 Business Premium - Microsoft 365 Education Student Use Benefit-- [Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/), which allows you to use your Windows licenses on Azure with Dev Box. - If your organization routes egress traffic through a firewall, open the appropriate ports. For more information, see [Network requirements](/windows-365/enterprise/requirements-network). ## 1. Create a dev center |
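Review bot: the Azure Hybrid Benefit bullet is removed from the license list with no replacement text; if Hybrid Benefit no longer qualifies a user for Dev Box, say so in the licensing prerequisite rather than silently dropping the line, because readers who licensed on that basis will otherwise not learn from this page that their setup is unsupported.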
event-grid | Event Grid Namespace Managed Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/event-grid-namespace-managed-identity.md | + + Title: Managed identity for Event Grid namespace +description: Describes how to enable managed identity for an Event Grid namespace + Last updated : 8/14/2023+++++# Enabling managed identity for Event Grid namespace +In this article, you learn how to assign a system-assigned or a user-assigned identity to an Event Grid namespace. To learn about managed identities in general, see [What are managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). ++> [!NOTE] +> - You can assign one system-assigned identity and up to two user-assigned identities to a namespace. ++## Enable managed identity for an existing namespace +This section shows you how to enable a managed identity for an existing system topic. ++1. Go to the [Azure portal](https://portal.azure.com). +2. Search for **event grid namespace** in the search bar at the top. +3. Select the Event Grid namespace for which you want to enable the managed identity. +4. Select **Identity** under Settings on the left menu. ++### Enable system-assigned identity +1. Turn **on** the switch to enable the identity. +1. Select **Save** on the toolbar to save the setting. ++ :::image type="content" source="./media/event-grid-namespace-managed-identity/event-grid-enable-managed-identity.png" alt-text="System-assigned identity page for an Event Grid namespace."::: ++1. Select **Yes** on the confirmation message. ++1. Confirm that you see the object ID of the system-assigned managed identity and see a link to assign roles. ++ :::image type="content" source="./media/event-grid-namespace-managed-identity/event-grid-enable-managed-identity-confirmation.png" alt-text="Assigning identity to a namespace is completed."::: ++### Enable user-assigned identity ++1. 
First, create a user-assigned identity by following instructions in the [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) article. ++1. On the **Identity** page, switch to the **User assigned** tab in the right pane, and then select **+ Add** on the toolbar. ++ :::image type="content" source="./media/event-grid-namespace-managed-identity/event-grid-enable-user-assigned-managed-identity.png" alt-text="Image showing the Add button selected in the User assigned tab of the Identity page."::: ++1. In the **Add user managed identity** window, follow these steps: + 1. Select the **Azure subscription** that has the user-assigned identity. + 1. Select the **user-assigned identity**. + 1. Select **Add**. +1. Refresh the list in the **User assigned** tab to see the added user-assigned identity. ++## Enable managed identity when creating an Event Grid namespace ++1. In the Azure portal, in the search bar, search for and select **Event Grid namespace**. +1. On the **Event Grid Namespaces** page, select **Create** on the toolbar. +1. On the **Basics** page of the creation wizard, follow these steps: + 1. Select values for subscription, resource group, location as per your preference. + 1. Specify a name for the namespace. + 1. In the security tab, you can enable managed identity: + 1. To enable system-assigned identity, select **Enable system assigned identity**. + 1. To enable user assigned identity: + 1. Select **User assigned identity**, and then select **Add user identity**. + 1. In the **Add user managed identity** window, follow these steps: + 1. Select the **Azure subscription** that has the user-assigned identity. + 1. Select the **user-assigned identity**. + 1. Select **Add**. 
++ :::image type="content" source="./media/event-grid-namespace-managed-identity/event-grid-enable-managed-identity-create-flow.png" alt-text="Image showing the screenshot of namespace creation wizard with system assigned identity and user assigned identity options selected."::: ++## Next steps +See [Publish and subscribe to MQTT message using Event Grid](mqtt-publish-and-subscribe-portal.md) |
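Review bot: "This section shows you how to enable a managed identity for an existing system topic" is carried over from the system-topic article; this page is about namespaces and should read "for an existing namespace". The system-assigned steps end with "see a link to assign roles", but the page never says which role the identity needs or on which resource, so a reader cannot finish the setup from here; name the role and the target resource for the namespace scenario this article supports, or link to the article where the identity is consumed. That is also the place for a least-privilege note: give the identity only the data-plane role it needs on the specific destination resource rather than a broad role at subscription scope. The NOTE is a single "> -" bullet and can simply be a sentence, and the Next steps link ("Publish and subscribe to MQTT message using Event Grid") does not use the identity configured here.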
event-grid | Mqtt Client Authorization Use Rbac | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/mqtt-client-authorization-use-rbac.md | + + Title: RBAC authorization for clients with Azure AD identity +description: Describes RBAC roles to authorize clients with Azure AD identity to publish or subscribe MQTT messages + Last updated : 8/11/2023+++++# Authorizing access to publish or subscribe to MQTT messages in Event Grid namespace +You can use Azure role-based access control (Azure RBAC) to enable MQTT clients, with Azure Active Directory identity, to publish or subscribe access to specific topic spaces. ++## Prerequisites +- You need an Event Grid namespace with MQTT enabled. [Learn about creating Event Grid namespace](/azure/event-grid/create-view-manage-namespaces#create-a-namespace) +- Review the process to [create a custom role](/azure/role-based-access-control/custom-roles-portal) ++## Operation types +You can use following two data actions to provide publish or subscribe permissions to clients with Azure AD identities on specific topic spaces. ++**Topic spaces publish** data action +Microsoft.EventGrid/topicSpaces/publish/action ++**Topic spaces subscribe** data action +Microsoft.EventGrid/topicSpaces/subscribe/action ++> [!NOTE] +> Currently, we recommend using custom roles with the actions provided. ++## Custom roles ++You can create custom roles using the publish and subscribe actions. ++The following are sample role definitions that allow you to publish and subscribe to MQTT messages. These custom roles give permissions at topic space scope. You can also create roles to provide permissions at subscription, resource group scope. ++**EventGridMQTTPublisherRole.json**: MQTT messages publish operation. 
++```json +{ + "roleName": "Event Grid namespace MQTT publisher", + "description": "Event Grid namespace MQTT message publisher role", + "assignableScopes": [ + "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/Microsoft.EventGrid/namespaces/<namespace name>/topicSpaces/<topicspace name>" + ], + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.EventGrid/topicSpaces/publish/action" + ], + "notDataActions": [] + } + ] +} +``` ++**EventGridMQTTSubscriberRole.json**: MQTT messages subscribe operation. ++```json +{ + "roleName": "Event Grid namespace MQTT subscriber", + "description": "Event Grid namespace MQTT message subscriber role", + "assignableScopes": [ + "/subscriptions/<subscription ID>/resourceGroups/<resource group name>/Microsoft.EventGrid/namespaces/<namespace name>/topicSpaces/<topicspace name>" + ] + "permissions": [ + { + "actions": [], + "notActions": [], + "dataActions": [ + "Microsoft.EventGrid/topicSpaces/subscribe/action" + ], + "notDataActions": [] + } + ] +} +``` ++## Create custom roles in Event Grid namespace +1. Navigate to topic spaces page in Event Grid namespace +1. Select the topic space for which the custom RBAC role needs to be created +1. Navigate to the Access control (IAM) page within the topic space +1. In the Roles tab, right select any of the roles to clone a new custom role. Provide the custom role name. +1. Switch the Baseline permissions to **Start from scratch** +1. On the Permissions tab, select **Add permissions** +1. In the selection page, find and select Microsoft Event Grid + :::image type="content" source="./media/mqtt-rbac-authorization-aad-clients/event-grid-custom-role-permissions.png" lightbox="./media/mqtt-rbac-authorization-aad-clients/event-grid-custom-role-permissions.png" alt-text="Screenshot showing the Microsoft Event Grid option to find the permissions."::: +1. Navigate to Data Actions +1. 
Select **Topic spaces publish** data action and select **Add** + :::image type="content" source="./media/mqtt-rbac-authorization-aad-clients/event-grid-custom-role-permissions-data-actions.png" lightbox="./media/mqtt-rbac-authorization-aad-clients/event-grid-custom-role-permissions-data-actions.png" alt-text="Screenshot showing the data action selection."::: +1. Select Next to see the topic space in the Assignable scopes tab. You can add other assignable scopes if needed. +1. Select **Create** in Review + create tab to create the custom role. +1. Once the custom role is created, you can assign the role to an identity to provide the publish permission on the topic space. You can learn how to assign roles [here](/azure/role-based-access-control/role-assignments-portal). ++> [!NOTE] +> You can follow similar steps to create and assign a custom Event Grid MQTT subscriber permission to a topic space. ++## Next steps +See [Publish and subscribe to MQTT message using Event Grid](mqtt-publish-and-subscribe-portal.md) |
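Review bot: the second role definition (EventGridMQTTSubscriberRole.json) is not valid JSON: the `assignableScopes` array is followed directly by `"permissions"` with no comma between them, so `az role definition create --role-definition @EventGridMQTTSubscriberRole.json` will fail to parse it. Both definitions also omit the `/providers/` segment in the scope; an ARM resource ID for a topic space has the form `/subscriptions/<subscription ID>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/namespaces/<namespace name>/topicSpaces/<topicspace name>`, and the path as written matches no resource. The sentence "You can also create roles to provide permissions at subscription, resource group scope" needs a caveat: a publish or subscribe data action assigned at resource group or subscription scope applies to every topic space in every namespace under that scope, so for MQTT clients the assignment should normally be made on the individual topic space, as the samples do. In the portal steps, "right select any of the roles to clone" should be "right-click", and the note "Currently, we recommend using custom roles with the actions provided" would be more useful if it said whether any built-in role includes these two data actions.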
global-secure-access | How To Configure Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/global-secure-access/how-to-configure-connectors.md | To use Application Proxy, you need a Windows server running Windows Server 2012 - For high availability in your environment, we recommend having more than one Windows server. - The minimum .NET version required for the connector is v4.7.1+.-- For more information, see [App Proxy connectors](../active-directory/app-proxy/application-proxy-connectors.md#requirements-and-deployment).+- For more information, see [App Proxy connectors](/azure/active-directory/app-proxy/application-proxy-connectors#requirements-and-deployment). - For more information, see [Determine which .NET framework versions are installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). ### Prepare your on-premises environment |
hdinsight | Hdinsight Release Notes Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-release-notes-archive.md | For workload specific versions, see 1. **Enhanced Autoscale for HDInsight** - Azure HDInsight has made notable improvements stability and latency on Autoscale, The essential changes include improved feedback loop for scaling decisions, significant improvement on latency for scaling and support for recommissioning the decommissioned nodes, Learn [more](https://techcommunity.microsoft.com/t5/analytics-on-azure-blog/enhanced-autoscale-capabilities-in-hdinsight-clusters/ba-p/3811271) about the enhancements, how to custom configure and migrate your cluster to enhanced autoscale. The enhanced Autoscale capability is available effective 17 May, 2023 across all supported regions. + Azure HDInsight has made notable improvements stability and latency on Autoscale, The essential changes include improved feedback loop for scaling decisions, significant improvement on latency for scaling and support for recommissioning the decommissioned nodes, Learn [more](https://techcommunity.microsoft.com/t5/analytics-on-azure-blog/enhanced-autoscale-capabilities-in-hdinsight-clusters/ba-p/3811271) about the enhancements, how to custom configure and migrate your cluster to enhanced autoscale. The enhanced Autoscale capability is available effective 17 May 2023 across all supported regions. 1. **Azure HDInsight ESP for Apache Kafka 2.4.1 is now Generally Available**. For workload specific versions, see ## Release date: February 28, 2023 -This release applies to HDInsight 4.0. and 5.0, 5.1. HDInsight release is be available to all regions over several days. This release is applicable for image number **2302250400**. [How to check the image number?](./view-hindsight-cluster-image-version.md) +This release applies to HDInsight 4.0. and 5.0, 5.1. HDInsight release is available to all regions over several days. 
This release is applicable for image number **2302250400**. [How to check the image number?](./view-hindsight-cluster-image-version.md) HDInsight uses safe deployment practices, which involve gradual region deployment. it may take up to 10 business days for a new release or a new version to be available in all regions. End of support for Azure HDInsight clusters on Spark 2.4 February 10, 2024. For * Autoscale * Autoscale with improved latency and several improvements * Cluster name change limitation - * The max length of cluster name changes to 45 from 59 in Public, Mooncake and Fairfax. + * The max length of cluster name changes to 45 from 59 in Public, Mooncake and Azure Government. * Cluster permissions for secure storage * Customers can specify (during cluster creation) whether a secure channel should be used for HDInsight cluster nodes to contact the storage account. * Non-ESP ABFS clusters [Cluster Permissions for World Readable] For workload specific versions, see [here.](./hdinsight-40-component-versioning. ![Icon showing new features with text.](media/hdinsight-release-notes/new-icon-for-new-feature.png) * **Log Analytics** - Customers can enable classic monitoring to get the latest OMS version 14.19. To remove old versions, disable and enable classic monitoring.-* **Ambari** user auto UI logout due to inactivity. For more information, see [here](./ambari-web-ui-auto-logout.md) +* **Ambari** user auto UI sign out due to inactivity. For more information, see [here](./ambari-web-ui-auto-logout.md) * **Spark** - A new and optimized version of Spark 3.1.3 is included in this release. We tested Apache Spark 3.1.2(previous version) and Apache Spark 3.1.3(current version) using the TPC-DS benchmark. The test was carried out using E8 V3  SKU, for Apache Spark on 1-TB workload. Apache Spark 3.1.3 (current version) outperformed Apache Spark 3.1.2 (previous version) by over 40% in total query runtime for TPC-DS queries using the same hardware specs. 
The Microsoft Spark team added optimizations available in Azure Synapse with Azure HDInsight. For more information, please refer to [ Speed up your data workloads with performance updates to Apache Spark 3.1.2 in Azure Synapse](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/speed-up-your-data-workloads-with-performance-updates-to-apache/ba-p/2769467) ![Icon showing new regions added with text.](media/hdinsight-release-notes/new-icon-for-new-regions-added.png) HDInsight uses safe deployment practices, which involve gradual region deploymen **1. Attach external disks in HDI Hadoop/Spark clusters** -HDInsight cluster comes with pre-defined disk space based on SKU. This space may not be sufficient in large job scenarios. +HDInsight cluster comes with predefined disk space based on SKU. This space may not be sufficient in large job scenarios. This new feature allows you to add more disks in cluster, which used as node manager local directory. Add number of disks to worker nodes during HIVE and Spark cluster creation, while the selected disks are part of node manager’s local directories. Customers using older version of cluster with OMS version 13 need to install OMS **How to check your current OMS version** -1. Log in to the cluster using SSH. +1. Sign in to the cluster using SSH. 1. Run the following command in your SSH Client. ``` sudo /opt/omi/bin/ominiserver/ --version **How to upgrade your OMS version from 13 to 14** -1. Log in to the [Azure portal](https://portal.azure.com/) +1. Sign in to the [Azure portal](https://portal.azure.com/) 1. From the resource group, select the HDInsight cluster resource -1. Click **Script actions** +1. Select **Script actions** 1. From **Submit script action** panel, choose **Script type** as custom 1. Paste the following link in the Bash script URL box https://hdiconfigactions.blob.core.windows.net/log-analytics-patch/OMSUPGRADE14.1/omsagent-vulnerability-fix-1.14.12-0.sh 1. Select **Node type(s)**-1. 
Click **Create** +1. Select **Create** ![Screenshot showing how to do OMS Upgrade](media/hdinsight-release-notes/oms-upgrade.png) 1. Verify the successful installation of the patch using the following steps: - 1. Log in to the cluster using SSH. + 1. Sign in to the cluster using SSH. 1. Run the following command in your SSH Client. ``` HDInsight uses safe deployment practices, which involve gradual region deploymen **1. Attach external disks in HDI Hadoop/Spark clusters** -HDInsight cluster comes with pre-defined disk space based on SKU. This space may not be sufficient in large job scenarios. +HDInsight cluster comes with predefined disk space based on SKU. This space may not be sufficient in large job scenarios. -This new feature allows you to add more disks in cluster, which will be used as node manager local directory. Add number of disks to worker nodes during HIVE and Spark cluster creation, while the selected disks are be part of node manager’s local directories. +This new feature allows you to add more disks in cluster, which will be used as node manager local directory. Add number of disks to worker nodes during HIVE and Spark cluster creation, while the selected disks are part of node manager’s local directories. > [!NOTE] > The added disks are only configured for node manager local directories. sudo /opt/omi/bin/ominiserver/ --version **How to upgrade your OMS version from 13 to 14** -1. Log in to the [Azure portal](https://portal.azure.com/) +1. Sign in to the [Azure portal](https://portal.azure.com/) 1. From the resource group, select the HDInsight cluster resource -1. Click **Script actions** +1. Select **Script actions** 1. From **Submit script action** panel, choose **Script type** as custom 1. Paste the following link in the Bash script URL box https://hdiconfigactions.blob.core.windows.net/log-analytics-patch/OMSUPGRADE14.1/omsagent-vulnerability-fix-1.14.12-0.sh 1. Select **Node type(s)**-1. Click **Create** +1. 
Select **Create** ![Screenshot showing how to do OMS Upgrade](media/hdinsight-release-notes/oms-upgrade.png) 1. Verify the successful installation of the patch using the following steps: - 1. Log in to the cluster using SSH. + 1. Sign in to the cluster using SSH. 1. Run the following command in your SSH Client. ``` HDI Hive 3.1 version is upgraded to OSS Hive 3.1.2. This version has all fixes a | Schema tool enhancements to support mergeCatalog|[HIVE-22498](https://issues.apache.org/jira/browse/HIVE-22498)| | Hive with TEZ UNION ALL and UDTF results in data loss|[HIVE-21915](https://issues.apache.org/jira/browse/HIVE-21915)| | Split text files even if header/footer exists|[HIVE-21924](https://issues.apache.org/jira/browse/HIVE-21924)|-| MultiDelimitSerDe returns wrong results in last column when the loaded file has more columns than the onc is present in table schema|[HIVE-22360](https://issues.apache.org/jira/browse/HIVE-22360)| +| MultiDelimitSerDe returns wrong results in last column when the loaded file has more columns than the one is present in table schema|[HIVE-22360](https://issues.apache.org/jira/browse/HIVE-22360)| | LLAP external client - Need to reduce LlapBaseInputFormat#getSplits() footprint|[HIVE-22221](https://issues.apache.org/jira/browse/HIVE-22221)| | Column name with reserved keyword is unescaped when query including join on table with mask column is rewritten (Zoltan Matyus via Zoltan Haindrich)|[HIVE-22208](https://issues.apache.org/jira/browse/HIVE-22208)| |Prevent LLAP shutdown on AMReporter related RuntimeException|[HIVE-22113](https://issues.apache.org/jira/browse/HIVE-22113)| The OS versions for this release are: ### New features #### OS version upgrade-As referenced in [Ubuntu's release cycle](https://ubuntu.com/about/release-cycle), the Ubuntu 16.04 kernel reaches End of Life (EOL) in April 2021. We started rolling out the new HDInsight 4.0 cluster image running on Ubuntu 18.04 with this release. 
Newly created HDInsight 4.0 clusters runs on Ubuntu 18.04 by default once available. Existing clusters on Ubuntu 16.04 runs as is with full support. +As referenced in [Ubuntu's release cycle](https://ubuntu.com/about/release-cycle), the Ubuntu 16.04 kernel reaches End of Life (EOL) in April 2021. We started rolling out the new HDInsight 4.0 cluster image running on Ubuntu 18.04 with this release. Newly created HDInsight 4.0 clusters run on Ubuntu 18.04 by default once available. Existing clusters on Ubuntu 16.04 runs as is with full support. HDInsight 3.6 will continue to run on Ubuntu 16.04. It will change to Basic support (from Standard support) beginning 1 July 2021. For more information about dates and support options, see [Azure HDInsight versions](./hdinsight-component-versioning.md#supported-hdinsight-versions). Ubuntu 18.04 won't be supported for HDInsight 3.6. If you'd like to use Ubuntu 18.04, you'll need to migrate your clusters to HDInsight 4.0. No component version change for this release. You can find the current component ### Known issues -An issue has been fixed in the Azure portal, where users were experiencing an error when they were creating an Azure HDInsight cluster using an SSH authentication type of public key. When users clicked **Review + Create**, they would receive the error "Must not contain any three consecutive characters from SSH username." This issue has been fixed, but it may require that you refresh your browser cache by hitting CTRL + F5 to load the corrected view. The workaround to this issue was to create a cluster with an ARM template. +An issue has been fixed in the Azure portal, where users were experiencing an error when they were creating an Azure HDInsight cluster using an SSH authentication type of public key. When users clicked **Review + Create**, they would receive the error "Must not contain any three consecutive characters from SSH username." 
This issue has been fixed, but it may require that you refresh your browser cache by hitting CTRL + F5 to load the corrected view. The workaround to this issue was to create a cluster with an ARM template. ## Release date: 07/13/2020 This release applies both for HDInsight 3.6 and 4.0. HDInsight release is made a ### New features #### Support for Customer Lockbox for Microsoft Azure-Azure HDInsight now supports Azure Customer Lockbox. It provides an interface for customers to review and approve, or reject customer data access requests. It is used when Microsoft engineer needs to access customer data during a support request. For more information, see [Customer Lockbox for Microsoft Azure](../security/fundamentals/customer-lockbox-overview.md#supported-services-and-scenarios-in-preview). +Azure HDInsight now supports Azure Customer Lockbox. It provides an interface for customers to review and approve, or reject customer data access requests. It's used when Microsoft engineer needs to access customer data during a support request. For more information, see [Customer Lockbox for Microsoft Azure](../security/fundamentals/customer-lockbox-overview.md#supported-services-and-scenarios). #### Service endpoint policies for storage Customers can now use Service Endpoint Policies (SEP) on the HDInsight cluster subnet. Learn more about [Azure service endpoint policy](../virtual-network/virtual-network-service-endpoint-policies-overview.md). A minimum 4-core VM is required for Head Node to ensure the high availability an #### Cluster worker node provisioning change When 80% of the worker nodes are ready, the cluster enters **operational** stage. At this stage, customers can do all the data plane operations like running scripts and jobs. But customers can't do any control plane operation like scaling up/down. Only deletion is supported. -After the **operational** stage, the cluster waits another 60 minutes for the remaining 20% worker nodes. 
At the end of this 60 minute, the cluster moves to the **running** stage, even if all of worker nodes are still not available. Once a cluster enters the **running** stage, you can use it as normal. Both control plan operations like scaling up/down, and data plan operations like running scripts and jobs are accepted. If some of the requested worker nodes are not available, the cluster will be marked as partial success. You are charged for the nodes that were deployed successfully. +After the **operational** stage, the cluster waits another 60 minutes for the remaining 20% worker nodes. At the end of this 60 minutes, the cluster moves to the **running** stage, even if all of worker nodes are still not available. Once a cluster enters the **running** stage, you can use it as normal. Both control plan operations like scaling up/down, and data plan operations like running scripts and jobs are accepted. If some of the requested worker nodes aren't available, the cluster will be marked as partial success. You are charged for the nodes that were deployed successfully. #### Create new service principal through HDInsight Previously, with cluster creation, customers can create a new service principal to access the connected ADLS Gen 1 account in Azure portal. Starting June 15 2020, customers can't create new service principal in HDInsight creation workflow, only existing service principal is supported. See [Create Service Principal and Certificates using Azure Active Directory](../active-directory/develop/howto-create-service-principal-portal.md). #### Time out for script actions with cluster creation-HDInsight supports running script actions with cluster creation. From this release, all script actions with cluster creation must finish within **60 minutes**, or they time out. Script actions submitted to running clusters are not impacted. Learn more details [here](./hdinsight-hadoop-customize-cluster-linux.md#script-action-in-the-cluster-creation-process). 
+HDInsight supports running script actions with cluster creation. From this release, all script actions with cluster creation must finish within **60 minutes**, or they time out. Script actions submitted to running clusters aren't impacted. Learn more details [here](./hdinsight-hadoop-customize-cluster-linux.md#script-action-in-the-cluster-creation-process). ### Upcoming changes No upcoming breaking changes that you need to pay attention to. You can find the current component versions for HDInsight 4.0 ad HDInsight 3.6 i ### Known issues #### Hive Warehouse Connector issue-There's an issue for Hive Warehouse Connector in this release. The fix will be included in the next release. Existing clusters created before this release are not impacted. Avoid dropping and recreating the cluster if possible. Open support ticket if you need further help on this. +There's an issue for Hive Warehouse Connector in this release. The fix will be included in the next release. Existing clusters created before this release aren't impacted. Avoid dropping and recreating the cluster if possible. Open support ticket if you need further help on this. ## Release date: 01/09/2020 HDP 2.6.4 provided Hadoop Common 2.7.3 and the following Apache patches: - [YARN-5641](https://issues.apache.org/jira/browse/YARN-5641): Localizer leaves behind tarballs after container is complete. -- [YARN-6004](https://issues.apache.org/jira/browse/YARN-6004): Refactor TestResourceLocalizationService\#testDownloadingResourcesOnContainer so that it is fewer than 150 lines.+- [YARN-6004](https://issues.apache.org/jira/browse/YARN-6004): Refactor TestResourceLocalizationService\#testDownloadingResourcesOnContainer so that it's fewer than 150 lines. - [YARN-6078](https://issues.apache.org/jira/browse/YARN-6078): Containers stuck in Localizing state. 
This section covers all Common Vulnerabilities and Exposures (CVE) that are addr | **Vendor:** Hortonworks | | **Versions Affected:** HDP 2.4.0, HDP-2.5.0, HDP-2.6.0 | | **Users affected:** Users who use Storm in secure mode and are using blobstore to distribute topology based artifacts or using the blobstore to distribute any topology resources. |-| **Impact:** Under some situations and configurations of storm it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case, this could lead to secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security enabled. | +| **Impact:** Under some situations and configurations of storm it's theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case, this could lead to secure credentials of the other user being compromised. This vulnerability only applies to Apache Storm installations with security enabled. | | **Mitigation:** Upgrade to HDP-2.6.2.1 as there are currently no workarounds. | #### **​CVE-2016-4970** Fixed issues represent selected issues that were previously logged via Hortonwor | BUG-94928 | [HDFS-11078](https://issues.apache.org/jira/browse/HDFS-11078) | Fix NPE in LazyPersistFileScrubber | | BUG-94964 | [HIVE-18269](https://issues.apache.org/jira/browse/HIVE-18269), [HIVE-18318](https://issues.apache.org/jira/browse/HIVE-18318), [HIVE-18326](https://issues.apache.org/jira/browse/HIVE-18326) | Multiple LLAP fixes | | BUG-95669 | [HIVE-18577](https://issues.apache.org/jira/browse/HIVE-18577), [HIVE-18643](https://issues.apache.org/jira/browse/HIVE-18643) | When run update/delete query on ACID partitioned table, HS2 read all each partitions. 
|-| BUG-96390 | [HDFS-10453](https://issues.apache.org/jira/browse/HDFS-10453) | ReplicationMonitor thread could stuck for long time due to the race between replication and delete the same file in a large cluster. | +| BUG-96390 | [HDFS-10453](https://issues.apache.org/jira/browse/HDFS-10453) | ReplicationMonitor thread could be stuck for long time due to the race between replication and delete the same file in a large cluster. | | BUG-96625 | [HIVE-16110](https://issues.apache.org/jira/browse/HIVE-16110) | Revert of "Vectorization: Support 2 Value CASE WHEN instead of fallback to VectorUDFAdaptor" | | BUG-97109 | [HIVE-16757](https://issues.apache.org/jira/browse/HIVE-16757) | Use of deprecated getRows() instead of new estimateRowCount(RelMetadataQuery...) has serious performance impact | | BUG-97110 | [PHOENIX-3789](https://issues.apache.org/jira/browse/PHOENIX-3789) | Execute cross region index maintenance calls in postBatchMutateIndispensably | Fixed issues represent selected issues that were previously logged via Hortonwor |**Kafka 1.0**|**N/A**|**Changes as documented in the Apache Spark release notes** |https://kafka.apache.org/10/documentation.html#upgrade_100_notable| |**Hive/ Ranger** | |Another ranger hive policies required for INSERT OVERWRITE |**Scenario:** Another ranger hive policies required for **INSERT OVERWRITE**<br /><br />**Previous behavior:** Hive **INSERT OVERWRITE** queries succeed as usual.<br /><br />**New behavior:** Hive **INSERT OVERWRITE** queries are unexpectedly failing after upgrading to HDP-2.6.x with the error:<br /><br />Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user jdoe does not have WRITE privilege on /tmp/\*(state=42000,code=40000)<br /><br />As of HDP-2.6.0, Hive **INSERT OVERWRITE** queries require a Ranger URI policy to allow write operations, even if the user has write privilege granted through HDFS policy.<br /><br />**Workaround/Expected Customer Action:**<br /><br />1. 
Create a new policy under the Hive repository.<br />2. In the dropdown where you see Database, select URI.<br />3. Update the path (Example: /tmp/*)<br />4. Add the users and group and save.<br />5. Retry the insert query.| |**HDFS**|**N/A** |HDFS should support for multiple KMS Uris |**Previous Behavior:** dfs.encryption.key.provider.uri property was used to configure the KMS provider path.<br /><br />**New Behavior:** dfs.encryption.key.provider.uri is now deprecated in favor of hadoop.security.key.provider.path to configure the KMS provider path.|-|**Zeppelin**|[**ZEPPELIN-3271**](https://issues.apache.org/jira/browse/ZEPPELIN-3271)|Option for disabling scheduler |**Component Affected:** Zeppelin-Server<br /><br />**Previous Behavior:** In previous releases of Zeppelin, there was no option for disabling scheduler.<br /><br />**New Behavior:** By default, users will no longer see scheduler, as it is disabled by default.<br /><br />**Workaround/Expected Customer Action:** If you want to enable scheduler, you will need to add azeppelin.notebook.cron.enable with value of true under custom zeppelin site in Zeppelin settings from Ambari.| +|**Zeppelin**|[**ZEPPELIN-3271**](https://issues.apache.org/jira/browse/ZEPPELIN-3271)|Option for disabling scheduler |**Component Affected:** Zeppelin-Server<br /><br />**Previous Behavior:** In previous releases of Zeppelin, there was no option for disabling scheduler.<br /><br />**New Behavior:** By default, users will no longer see scheduler, as it's disabled by default.<br /><br />**Workaround/Expected Customer Action:** If you want to enable scheduler, you will need to add azeppelin.notebook.cron.enable with value of true under custom zeppelin site in Zeppelin settings from Ambari.| ### Known issues - **HDInsight integration with ADLS Gen 2** There are two issues on HDInsight ESP clusters using Azure Data Lake Storage Gen 2 with user directories and permissions: - 1. 
Home directories for users are not getting created on Head Node 1. As a workaround, create the directories manually and change ownership to the respective user’s UPN. + 1. Home directories for users aren't getting created on Head Node 1. As a workaround, create the directories manually and change ownership to the respective user’s UPN. 2. Permissions on /hdp directory are currently not set to 751. This needs to be set to ```bash Fixed issues represent selected issues that were previously logged via Hortonwor After removing the above line, the Ranger UI will allow you to create policies with policy condition that can contain special characters and policy evaluation will be successful for the same policy. **HDInsight Integration with ADLS Gen 2: User directories and permissions issue with ESP clusters**- 1. Home directories for users are not getting created on Head Node 1. Workaround is to create these manually and change ownership to the respective user’s UPN. + 1. Home directories for users aren't getting created on Head Node 1. Workaround is to create these manually and change ownership to the respective user’s UPN. 2. Permissions on /hdp are currently not set to 751. This needs to be set to a. chmod 751 /hdp b. chmod –R 755 /hdp/apps |
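Review bot: the version check in the OMS upgrade steps, `sudo /opt/omi/bin/ominiserver/ --version`, looks mistyped: the trailing slash turns the binary name into a directory path, and the OMI server binary is normally installed as /opt/omi/bin/omiserver. Worth verifying the exact command on a cluster, since this is the step customers use to confirm that the omsagent-vulnerability-fix script was applied, and a command that does not run leaves the patch status unverified.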
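Review bot: in the OS version upgrade hunk, the new line fixes "clusters runs" to "clusters run" in the first sentence but leaves "Existing clusters on Ubuntu 16.04 runs as is" in the next; suggest "Existing clusters on Ubuntu 16.04 run as is with full support."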
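Review bot: in the Customer Lockbox hunk, "It's used when Microsoft engineer needs to access customer data" is missing an article; suggest "when a Microsoft engineer needs to access customer data during a support request."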
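Review bot: in the worker node provisioning hunk, the rewritten line still reads "control plan operations like scaling up/down, and data plan operations"; these should be "control plane" and "data plane" operations, matching the "control plane operation" wording in the paragraph just above it.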
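Review bot: in the Zeppelin scheduler row, the property name "azeppelin.notebook.cron.enable" carries a stray leading "a" in both the old and the new line; the zeppelin-site property is `zeppelin.notebook.cron.enable`, and it should be formatted as code so the value a customer pastes into Ambari is unambiguous.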
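Review bot: in the ADLS Gen 2 permissions workaround, `chmod –R 755 /hdp/apps` uses an en dash rather than an ASCII hyphen, so the command fails when copied as-is; change it to `chmod -R 755 /hdp/apps` and put both chmod lines inside the bash fence that precedes them, so the intended 751 and 755 modes are applied exactly as written.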
iot-hub | Iot Hub Devguide Query Language | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-devguide-query-language.md | For example: Currently, the GROUP BY clause is only supported when querying device twins. -> [!IMPORTANT] +> [!CAUTION] > The term `group` is currently treated as a special keyword in queries. In case, you use `group` as your property name, consider surrounding it with double brackets to avoid errors, e.g., `SELECT * FROM devices WHERE tags.[[group]].name = 'some_value'`. The formal syntax for GROUP BY is: GROUP BY <group_by_element> **Attribute_name** refers to any property of the JSON document in the FROM collection. +### Query results pagination ++A query object is instantiated with a max page size of **less than** or **equal to** 100 records. To obtain multiple pages, call the [nextAsTwin](device-twins-node.md#create-a-service-app-that-updates-desired-properties-and-queries-twins) on Node.js SDK or [GetNextAsTwinAsync](device-twins-dotnet.md#create-a-service-app-that-updates-desired-properties-and-queries-twins) on .Net SDK method multiple times. +A query object can expose multiple Next values, depending on the deserialization option required by the query. For example, a query object can return device twin or job objects, or plain JSON when using projections. + ## Expressions and conditions At a high level, an *expression*: while (query.HasMoreResults) } ``` -The **query** object is instantiated with a page size (up to 100). Then multiple pages are retrieved by calling the **GetNextAsTwinAsync** methods multiple times. --The query object exposes multiple **Next** values, depending on the deserialization option required by the query. For example, device twin or job objects, or plain JSON when using projections. +The query object is instantiated with the parameters mentioned in the [query results pagination](#query-results-pagination) section. 
Multiple pages are retrieved by calling the **GetNextAsTwinAsync** methods multiple times. ### Node.js example var onResults = function(err, results) { query.nextAsTwin(onResults); ``` -The **query** object is instantiated with a page size (up to 100). Then multiple pages are retrieved by calling the **nextAsTwin** method multiple times. --The query object exposes multiple **Next** values, depending on the deserialization option required by the query. For example, device twin or job objects, or plain JSON when using projections. +The query object is instantiated with the parameters mentioned in the [query results pagination](#query-results-pagination) section. Multiple pages are retrieved by calling the **nextAsTwin** method multiple times. ## Next steps * Learn about routing messages based on message properties or message body with the [IoT Hub message routing query syntax](iot-hub-devguide-routing-query-syntax.md). * Get specific examples of [Queries for device and module twins](query-twins.md) or [Queries for jobs](query-jobs.md).++ |
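Review bot: in the new Query results pagination section, "call the [nextAsTwin] on Node.js SDK or [GetNextAsTwinAsync] on .Net SDK method multiple times" has "method" detached from the method names; suggest "call the [nextAsTwin] method (Node.js SDK) or the [GetNextAsTwinAsync] method (.NET SDK) multiple times", and write ".Net" as ".NET".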
iot-hub | Iot Hub Troubleshoot Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-troubleshoot-connectivity.md | Connectivity issues for IoT devices can be difficult to troubleshoot because the ## Event Grid vs. Azure Monitor -Event Grid provides a low-latency, per-device monitoring solution that you can use to track device connections for critical devices and infrastructure. Azure Monitor provides a metric, *Connected devices*, that you can use to monitor the number of devices connected to your IoT Hub and trigger an alert when that number drops below a static threshold. +Event Grid provides a low-latency, per-device monitoring solution that you can use to track device connections for critical devices and infrastructure. Azure Monitor provides a metric called *Connected devices* that you can use to monitor the number of devices connected to your IoT Hub and trigger an alert when that number drops below a static threshold. Consider the following when deciding whether to use Event Grid or Azure Monitor for a particular scenario: Consider the following when deciding whether to use Event Grid or Azure Monitor ## Event Grid: Monitor connect and disconnect events -To monitor device connect and disconnect events in production, we recommend subscribing to the [**DeviceConnected** and **DeviceDisconnected** events](iot-hub-event-grid.md#event-types) in Event Grid to trigger alerts and monitor device connection state. Event Grid provides much lower event latency than Azure Monitor, and you can monitor on a per-device basis. These factors make Event Grid the preferred method for monitoring critical devices and infrastructure. +To monitor device connect and disconnect events in production, we recommend subscribing to the [**DeviceConnected** and **DeviceDisconnected** events](iot-hub-event-grid.md#event-types) in Event Grid to trigger alerts and monitor device connection state. 
Event Grid provides lower event latency than Azure Monitor, and you can monitor on a per-device basis. These factors make Event Grid the preferred method for monitoring critical devices and infrastructure. When you use Event Grid to monitor or trigger alerts on device disconnects, make sure you build in a way of filtering out the periodic disconnects due to SAS token renewal on devices that use the Azure IoT SDKs. To learn more, see [MQTT device disconnect behavior with Azure IoT SDKs](#mqtt-device-disconnect-behavior-with-azure-iot-sdks). -Explore the following topics to learn more about monitoring device connection events with Event Grid: +Explore the following articles to learn more about monitoring device connection events with Event Grid: * For an overview of using Event Grid with IoT Hub, see [React to IoT Hub events with Event Grid](iot-hub-event-grid.md). Pay particular attention to the [Limitations for device connection state events](iot-hub-event-grid.md#limitations-for-device-connection-state-events) section. After you've created a diagnostic setting to route IoT Hub resource logs to Azur Use the following problem resolution guides for help with the most common errors: -* [400027 ConnectionForcefullyClosedOnNewConnection](troubleshoot-error-codes.md#400027-connectionforcefullyclosedonnewconnection) +* [400027 ConnectionForcefullyClosedOnNewConnection](troubleshoot-error-codes.md#400027-connection-forcefully-closed-on-new-connection) * [404104 DeviceConnectionClosedRemotely](iot-hub-troubleshoot-error-404104-deviceconnectionclosedremotely.md) AzureDiagnostics As an IoT solutions developer or operator, you need to be aware of this behavior in order to interpret connect/disconnect events and related errors in logs. If you want to change the token lifespan or renewal behavior for devices, check to see whether the device implements a device twin setting or a device method that makes this possible. 
-If you're monitoring device connections with Event Hubs, make sure you build in a way of filtering out the periodic disconnects due to SAS token renewal. For example, do not trigger actions based on disconnects as long as the disconnect event is followed by a connect event within a certain time span. +If you're monitoring device connections with Event Hubs, make sure you build in a way of filtering out the periodic disconnects due to SAS token renewal. For example, don't trigger actions based on disconnects as long as the disconnect event is followed by a connect event within a certain time span. > [!NOTE] > IoT Hub only supports one active MQTT connection per device. Any new MQTT connection on behalf of the same device ID causes IoT Hub to drop the existing connection. If the previous steps didn't help, try: * Get help from [Microsoft Q&A question page for Azure IoT Hub](/answers/topics/azure-iot-hub.html), [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-iot-hub), or [Azure support](https://azure.microsoft.com/support/options/). -To help improve the documentation for everyone, leave a comment in the feedback section below if this guide didn't help you. - ## Next steps * To learn more about resolving transient issues, see [Transient fault handling](/azure/architecture/best-practices/transient-faults). |
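Review bot: in the SAS token renewal hunk, the rewritten line still says "If you're monitoring device connections with Event Hubs"; this article's connect/disconnect monitoring guidance is built on Event Grid's DeviceConnected and DeviceDisconnected events, and the same filtering advice appears earlier under the Event Grid section, so "Event Hubs" here reads like a mistake for "Event Grid" and should be confirmed before the wording change lands.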
iot-hub | Troubleshoot Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/troubleshoot-error-codes.md | Title: Troubleshooting Azure IoT Hub error codes -description: Understand how to fix errors reported by Azure IoT Hub +description: Understand specific error codes and how to fix errors reported by Azure IoT Hub -## 400027 ConnectionForcefullyClosedOnNewConnection +## 400027 Connection forcefully closed on new connection -You may see the **40027** error if your device disconnects and reports **Communication_Error** as the **ConnectionStatusChangeReason** using .NET SDK and MQTT transport type. Or, your device-to-cloud twin operation (such as read or patch reported properties) or direct method invocation fails with the error code **400027**. +You may see the **400027 ConnectionForcefullyClosedOnNewConnection** error if your device disconnects and reports **Communication_Error** as the **ConnectionStatusChangeReason** using .NET SDK and MQTT transport type. Or, your device-to-cloud twin operation (such as read or patch reported properties) or direct method invocation fails with the error code **400027**. This error occurs when another client creates a new connection to IoT Hub using the same identity, so IoT Hub closes the previous connection. IoT Hub doesn't allow more than one client to connect using the same identity. To resolve this error, ensure that each client connects to IoT Hub using its own identity. -## 401003 IoTHubUnauthorized +## 401003 IoT Hub unauthorized In logs, you may see a pattern of devices disconnecting with **401003 IoTHubUnauthorized**, followed by **404104 DeviceConnectionClosedRemotely**, and then successfully connecting shortly after. In general, the error message presented should explain how to fix the error. 
If > > Often, performing a time sync using NTP or rebooting the device (which can automatically perform a time sync during the boot sequence) fixes the issue and allows the device to connect again. To avoid this error, configure the device to perform a periodic time sync using NTP. You can schedule the sync for daily, weekly or monthly depending on the amount of drift the device experiences. If you can't configure a periodic NTP sync on your device, then schedule a periodic reboot. -## 403002 IoTHubQuotaExceeded +## 403002 IoT Hub quota exceeded You may see requests to IoT Hub fail with the error **403002 IoTHubQuotaExceeded**. And in Azure portal, the IoT hub device list doesn't load. This error typically occurs when the daily message quota for the IoT hub is exce This error may also be returned by a bulk import job when the number of devices registered to your IoT hub approaches or exceeds the quota limit for an IoT hub. To learn more, see [Troubleshoot import jobs](iot-hub-bulk-identity-mgmt.md#import-troubleshooting). -## 403004 DeviceMaximumQueueDepthExceeded +## 403004 Device maximum queue depth exceeded When trying to send a cloud-to-device message, you may see that the request fails with the error **403004** or **DeviceMaximumQueueDepthExceeded**. Alternatively, enhance device side logic to complete, reject, or abandon queued Lastly, consider using the [Purge Queue API](/rest/api/iothub/service/cloud-to-device-messages/purge-cloud-to-device-message-queue) to periodically clean up pending messages before the limit is reached. -## 403006 DeviceMaximumActiveFileUploadLimitExceeded +## 403006 Device maximum active file upload limit exceeded -You may see that your file upload request fails with the error code **403006** and a message "Number of active file upload requests cannot exceed 10". 
+You may see that your file upload request fails with the error code **403006 DeviceMaximumActiveFileUploadLimitExceeded** and a message "Number of active file upload requests cannot exceed 10". This error occurs because each device client is limited for [concurrent file uploads](iot-hub-devguide-quotas-throttling.md#other-limits). You can easily exceed the limit if your device doesn't notify IoT Hub when file uploads are completed. This problem is commonly caused by an unreliable device side network. To resolve this error, ensure that the device can promptly [notify IoT Hub file upload completion](iot-hub-devguide-file-upload.md#device-notify-iot-hub-of-a-completed-file-upload). Then, try [reducing the SAS token TTL for file upload configuration](iot-hub-configure-file-upload.md). -## 404001 DeviceNotFound +## 404001 Device not found During a cloud-to-device (C2D) communication, such as C2D message, twin update, or direct method, you may see that the operation fails with error **404001 DeviceNotFound**. -The operation failed because the device cannot be found by IoT Hub. The device either is not registered or is disabled. +The operation failed because IoT Hub can't find the device. The device either isn't registered or is disabled. To resolve this error, register the device ID that you used, then try again. -## 404103 DeviceNotOnline +## 404103 Device not online You may see that a direct method to a device fails with the error **404103 DeviceNotOnline** even if the device is online. If you know that the device is online and still get the error, then the error li To configure your device properly for direct method callbacks, see [Handle a direct method on a device](iot-hub-devguide-direct-methods.md#handle-a-direct-method-on-a-device). 
-## 404104 DeviceConnectionClosedRemotely +## 404104 Device connection closed remotely You may see that devices disconnect at a regular interval (every 65 minutes, for example) and you see **404104 DeviceConnectionClosedRemotely** in IoT Hub resource logs. Sometimes, you also see **401003 IoTHubUnauthorized** and a successful device connection event less than a minute later. Or, devices disconnect randomly, and you see **404104 DeviceConnectionClosedRemo Or, many devices disconnect at once, you see a dip in the [Connected devices (connectedDeviceCount) metric](monitor-iot-hub-reference.md), and there are more **404104 DeviceConnectionClosedRemotely** and [500xxx Internal errors](#500xxx-internal-errors) in Azure Monitor Logs than usual. -This error can occur because the [SAS token used to connect to IoT Hub](iot-hub-dev-guide-sas.md#sas-tokens) expired, which causes IoT Hub to disconnect the device. The connection is re-established when the token is refreshed by the device. For example, [the SAS token expires every hour by default for C SDK](https://github.com/Azure/azure-iot-sdk-c/blob/master/doc/connection_and_messaging_reliability.md#connection-authentication), which can lead to regular disconnects. To learn more, see [401003 IoTHubUnauthorized](#401003-iothubunauthorized). +This error can occur because the [SAS token used to connect to IoT Hub](iot-hub-dev-guide-sas.md#sas-tokens) expired, which causes IoT Hub to disconnect the device. The connection is re-established when the token is refreshed by the device. For example, [the SAS token expires every hour by default for C SDK](https://github.com/Azure/azure-iot-sdk-c/blob/master/doc/connection_and_messaging_reliability.md#connection-authentication), which can lead to regular disconnects. To learn more, see [401003 IoTHubUnauthorized](#401003-iot-hub-unauthorized). Some other possibilities include: Or, IoT Hub might be experiencing a transient issue. 
See [IoT Hub internal serve To resolve this error: -* See the guidance for [error 401003 IoTHubUnauthorized](#401003-iothubunauthorized). +* See the guidance for [error 401003 IoTHubUnauthorized](#401003-iot-hub-unauthorized). * Make sure the device has good connectivity to IoT Hub by [testing the connection](tutorial-connectivity.md). If the network is unreliable or intermittent, we don't recommend increasing the keep-alive value because it could result in detection (via Azure Monitor alerts, for example) taking longer. * Use the latest versions of the [IoT SDKs](iot-hub-devguide-sdks.md). * See the guidance for [IoT Hub internal server errors](#500xxx-internal-errors). We recommend using Azure IoT device SDKs to manage connections reliably. To learn more, see [Manage connectivity and reliable messaging by using Azure IoT Hub device SDKs](../iot-develop/concepts-manage-device-reconnections.md) -## 409001 DeviceAlreadyExists +## 409001 Device already exists When trying to register a device in IoT Hub, you may see that the request fails with the error **409001 DeviceAlreadyExists**. This error occurs because there's already a device with the same device ID in th To resolve this error, use a different device ID and try again. -## 409002 LinkCreationConflict +## 409002 Link creation conflict You may see the error **409002 LinkCreationConflict** in logs along with device disconnection or cloud-to-device message failure. You may see the error **409002 LinkCreationConflict** in logs along with device Generally, this error happens when IoT Hub detects a client has more than one connection. In fact, when a new connection request arrives for a device with an existing connection, IoT Hub closes the existing connection with this error. -In the most common case, a separate issue (such as [404104 DeviceConnectionClosedRemotely](#404104-deviceconnectionclosedremotely)) causes the device to disconnect. 
The device tries to reestablish the connection immediately, but IoT Hub still considers the device connected. IoT Hub closes the previous connection and logs this error. +In the most common case, a separate issue (such as [404104 DeviceConnectionClosedRemotely](#404104-device-connection-closed-remotely)) causes the device to disconnect. The device tries to reestablish the connection immediately, but IoT Hub still considers the device connected. IoT Hub closes the previous connection and logs this error. Or, faulty device-side logic causes the device to establish the connection when one is already open. To resolve this error, look for other errors in the logs that you can troubleshoot because this error usually appears as a side effect of a different, transient issue. Otherwise, make sure to issue a new connection request only if the connection drops. -## 412002 DeviceMessageLockLost +## 412002 Device message lock lost When trying to send a cloud-to-device message, you may see that the request fails with the error **412002 DeviceMessageLockLost**. This error occurs because when a device receives a cloud-to-device message from If IoT Hub doesn't get the notification within the one-minute lock timeout duration, it sets the message back to *Enqueued* state. The device can attempt to receive the message again. To prevent the error from happening in the future, implement device side logic to complete the message within one minute of receiving the message. This one-minute time-out can't be changed. -## 429001 ThrottlingException +## 429001 Throttling exception You may see that your requests to IoT Hub fail with the error **429001 ThrottlingException**. Consider [scaling up your IoT Hub](iot-hub-scaling.md) if you're running into qu ## 500xxx Internal errors -You may see that your request to IoT Hub fails with an error that begins with 500 and/or some sort of "server error". 
Some possibilities are: +You may see that your request to IoT Hub fails with an error that begins with 500 and/or some sort of "server error." Some possibilities are: * **500001 ServerError**: IoT Hub ran into a server-side issue. You may see that your request to IoT Hub fails with an error that begins with 50 * **InternalServerError (no error code)**: IoT Hub encountered an internal error. -There can be a number of causes for a 500xxx error response. In all cases, the issue is most likely transient. While the IoT Hub team works hard to maintain [the SLA](https://azure.microsoft.com/support/legal/sla/iot-hub/), small subsets of IoT Hub nodes can occasionally experience transient faults. When your device tries to connect to a node that's having issues, you receive this error. +There can be many causes for a 500xxx error response. In all cases, the issue is most likely transient. While the IoT Hub team works hard to maintain [the SLA](https://azure.microsoft.com/support/legal/sla/iot-hub/), small subsets of IoT Hub nodes can occasionally experience transient faults. When your device tries to connect to a node that's having issues, you receive this error. To mitigate 500xxx errors, issue a retry from the device. To [automatically manage retries](../iot-develop/concepts-manage-device-reconnections.md#connection-and-retry), make sure you use the latest version of the [Azure IoT SDKs](iot-hub-devguide-sdks.md). For best practice on transient fault handling and retries, see [Transient fault handling](/azure/architecture/best-practices/transient-faults). If the problem persists, check [Resource Health](iot-hub-azure-service-health-in If there are no known problems and the issue continues, [contact support](https://azure.microsoft.com/support/options/) for further investigation. -## 503003 PartitionNotFound +## 503003 Partition not found You may see that requests to IoT Hub fail with the error **503003 PartitionNotFound**. 
This error is internal to IoT Hub and is likely transient. See [IoT Hub internal To resolve this error, see [IoT Hub internal server errors](#500xxx-internal-errors). -## 504101 GatewayTimeout +## 504101 Gateway timeout When trying to invoke a direct method from IoT Hub to a device, you may see that the request fails with the error **504101 GatewayTimeout**. |
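Review bot: renaming the H2 headings from the bare error identifier (`## 403002 IoTHubQuotaExceeded`) to sentence case (`## 403002 IoT Hub quota exceeded`) changes the generated anchor slugs, and only the in-file links are updated here (`#401003-iothubunauthorized` to `#401003-iot-hub-unauthorized`, `#404104-deviceconnectionclosedremotely` to `#404104-device-connection-closed-remotely`). Any other article, support KB entry or bookmark that deep-links to an old `#4xxxxx-...` fragment will silently land at the top of the page after this merges; search the repo for the old fragments, and since the error identifier is what appears in device logs and what engineers search for, either keep it in the heading text alongside the readable form or add explicit `<a name>` anchors for the old slugs.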
key-vault | Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/versions.md | Private endpoints now available in preview. Azure Private Link Service enables y - Release of the next-generation Azure Key Vault SDKs. For examples of their use, see the Azure Key Vault secret quickstarts for [Python](../secrets/quick-create-python.md), [.NET](../secrets/quick-create-net.md), [Java](../secrets/quick-create-java.md), and [Node.js](../secrets/quick-create-node.md) - New Azure policies to manage key vault certificates. See the [Azure Policy built-in definitions for Key Vault](../policy-reference.md). - Azure Key Vault Virtual Machine extension now generally available. See [Key Vault virtual machine extension for Linux](../../virtual-machines/extensions/key-vault-linux.md) and [Key Vault virtual machine extension for Windows](../../virtual-machines/extensions/key-vault-windows.md).-- Event-driven secrets management for Azure Key Vault now available in Azure Event Grid. For more information, see [the Event Grid schema for events in Azure Key Vault](../../event-grid/event-schema-key-vault.md], and learn how to [Receive and respond to key vault notifications with Azure Event Grid](event-grid-tutorial.md).+- Event-driven secrets management for Azure Key Vault now available in Azure Event Grid. For more information, see [the Event Grid schema for events in Azure Key Vault](../../event-grid/event-schema-key-vault.md), and learn how to [Receive and respond to key vault notifications with Azure Event Grid](event-grid-tutorial.md). ## 2018 |
key-vault | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/whats-new.md | Private endpoints now available in preview. Azure Private Link Service enables y - Release of the next-generation Azure Key Vault SDKs. For examples of their use, see the Azure Key Vault secret quickstarts for [Python](../secrets/quick-create-python.md), [.NET](../secrets/quick-create-net.md), [Java](../secrets/quick-create-java.md), and [Node.js](../secrets/quick-create-node.md) - New Azure policies to manage key vault certificates. See the [Azure Policy built-in definitions for Key Vault](../policy-reference.md). - Azure Key Vault Virtual Machine extension now generally available. See [Key Vault virtual machine extension for Linux](../../virtual-machines/extensions/key-vault-linux.md) and [Key Vault virtual machine extension for Windows](../../virtual-machines/extensions/key-vault-windows.md).-- Event-driven secrets management for Azure Key Vault now available in Azure Event Grid. For more information, see [the Event Grid schema for events in Azure Key Vault](../../event-grid/event-schema-key-vault.md], and learn how to [Receive and respond to key vault notifications with Azure Event Grid](event-grid-tutorial.md).+- Event-driven secrets management for Azure Key Vault now available in Azure Event Grid. For more information, see [the Event Grid schema for events in Azure Key Vault](../../event-grid/event-schema-key-vault.md), and learn how to [Receive and respond to key vault notifications with Azure Event Grid](event-grid-tutorial.md). ## 2018 |
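Review bot: the bracket fix (`event-schema-key-vault.md]` to `event-schema-key-vault.md)`) is correct, but it had to be applied identically in both `versions.md` and `whats-new.md`, whose quoted release-history text is word for word the same; move the shared list into an include or have one article link to the other so the next correction does not have to be made twice.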
logic-apps | Logic Apps Schema 2016 04 01 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-schema-2016-04-01.md | - Title: Schema updates June-1-2016 -description: Updated schema version 2016-06-01 for logic app definitions in Azure Logic Apps. --- Previously updated : 08/20/2022---# Schema updates for Azure Logic Apps - June 1, 2016 ---The [updated schema](https://schema.management.azure.com/schemas/2016-06-01/Microsoft.Logic.json) -and API version for Azure Logic Apps includes key improvements that make logic apps more reliable and easier to use: --* [Scopes](#scopes) let you group or nest actions as a collection of actions. -* [Conditions and loops](#conditions-loops) are now first-class actions. -* More precise ordering for running actions with the `runAfter` property, replacing `dependsOn` --To upgrade your logic apps from the August 1, 2015 preview schema to the June 1, 2016 schema, -[check out the upgrade section](#upgrade-your-schema). --<a name="scopes"></a> --## Scopes --This schema includes scopes, which let you group actions together, -or nest actions inside each other. For example, a condition can contain another condition. -Learn more about [scope syntax](./logic-apps-control-flow-loops.md), -or review this basic scope example: --```json -{ - "actions": { - "Scope": { - "type": "Scope", - "actions": { - "Http": { - "inputs": { - "method": "GET", - "uri": "https://www.bing.com" - }, - "runAfter": {}, - "type": "Http" - } - } - } - } -} -``` --<a name="conditions-loops"></a> --## Conditions and loops changes --In previous schema versions, conditions and loops were parameters -associated with a single action. This schema lifts this limitation, -so conditions and loops are now available as action types. 
-Learn more about [loops and scopes](./logic-apps-control-flow-loops.md), -[conditions](../logic-apps/logic-apps-control-flow-conditional-statement.md), -or review this basic example that shows a condition action: --```json -{ - "Condition - If trigger is some trigger": { - "type": "If", - "expression": "@equals(triggerBody(), '<trigger-name>')", - "runAfter": {}, - "actions": { - "Http_2": { - "inputs": { - "method": "GET", - "uri": "https://www.bing.com" - }, - "runAfter": {}, - "type": "Http" - } - }, - "else": - { - "Condition - If trigger is another trigger": {} - } - } -} -``` --<a name="run-after"></a> --## 'runAfter' property --The `runAfter` property replaces `dependsOn`, providing more -precision when you specify the run order for actions based -on the status of previous actions. The `dependsOn` property -indicated whether "the action ran and was successful", -based on whether the previous action succeeded, failed, -or as skipped - not the number of times you wanted to run the action. -The `runAfter` property provides flexibility as an object -that specifies all the action names after which the object runs. -This property also defines an array of statuses that are acceptable as triggers. -For example, if you want an action to run after action A succeeds and -also after action B succeeds or fails, set up this `runAfter` property: --```json -{ - // Other parts in action definition - "runAfter": { - "A": ["Succeeded"], - "B": ["Succeeded", "Failed"] - } -} -``` --## Upgrade your schema --To upgrade to the [most recent schema](https://schema.management.azure.com/schemas/2016-06-01/Microsoft.Logic.json), -you need only take a few steps. The upgrade process includes running the upgrade script, -saving as a new logic app, and if you want, possibly overwriting the previous logic app. --1. In the Azure portal, open your logic app. --2. Go to **Overview**. On the logic app toolbar, choose **Update Schema**. 
- - ![Choose Update Schema][1] - - The upgraded definition is returned, which you can copy - and paste into a resource definition if necessary. -- > [!IMPORTANT] - > *Make sure* you choose **Save As** - > so all the connection references remain valid - > in the upgraded logic app. --3. In the upgrade blade toolbar, choose **Save As**. --4. Enter the logic name and status. -To deploy your upgraded logic app, choose **Create**. --5. Confirm that your upgraded logic app works as expected. - - > [!NOTE] - > If you are using a manual or request trigger, - > the callback URL changes in your new logic app. - > Test the new URL to make sure the end-to-end experience works. - > To preserve previous URLs, you can clone over your existing logic app. --6. *Optional* To overwrite your previous logic app with the new schema version, -on the toolbar, choose **Clone**, next to **Update Schema**. -This step is necessary only if you want to keep the same resource ID -or request trigger URL of your logic app. --## Upgrade tool notes --### Mapping conditions --In the upgraded definition, the tool makes the best effort at -grouping true and false branch actions together as a scope. -Specifically, the designer pattern of `@equals(actions('a').status, 'Skipped')` -appears as an `else` action. However, if the tool detects unrecognizable patterns, -the tool might create separate conditions for both the true and the false branch. -You can remap actions after upgrading, if necessary. --#### 'foreach' loop with condition --In the new schema, you can use the filter action to replicate -the pattern that uses a **For each** loop with one condition per item. -However, the change automatically happens when you upgrade. -The condition becomes a filter action that appears prior to -the **For each** loop, returning only an array of items -that match the condition, and passing that array to **For each** action. -For an example, see [Loops and scopes](./logic-apps-control-flow-loops.md). 
--### Resource tags --After you upgrade, resource tags are removed, so you must reset them for the upgraded workflow. --## Other changes --### Renamed 'manual' trigger to 'request' trigger --The `manual` trigger type was deprecated and renamed to `request` with type `http`. -This change creates more consistency for the kind of pattern that the trigger is used to build. --### New 'filter' action --To filter a large array down to a smaller set of items, -the new `filter` type accepts an array and a condition, -evaluates the condition for each item, and returns an array -with items meeting the condition. --### Restrictions for 'foreach' and 'until' actions --The `foreach` and `until` loop are restricted to a single action. --### New 'trackedProperties' for actions --Actions can now have an additional property called -`trackedProperties`, which is sibling to the `runAfter` and `type` properties. -This object specifies certain action inputs or outputs that you want to include in -the Azure Diagnostic telemetry, emitted as part of a workflow. For example: --``` json -{ - "Http": { - "inputs": { - "method": "GET", - "uri": "https://www.bing.com" - }, - "runAfter": {}, - "type": "Http", - "trackedProperties": { - "responseCode": "@action().outputs.statusCode", - "uri": "@action().inputs.uri" - } - } -} -``` --## Next steps --* [Create workflow definitions for logic apps](../logic-apps/logic-apps-author-definitions.md) -* [Automate logic app deployment](logic-apps-azure-resource-manager-templates-overview.md) --<!-- Image references --> -[1]: ./media/logic-apps-schema-2016-04-01/upgradeButton.png |
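Review bot: the article is deleted wholesale, but nothing in this patch adds a redirect for `articles/logic-apps/logic-apps-schema-2016-04-01.md`; its content (scopes, conditions, `runAfter`, the upgrade steps and the tool notes) reappears in the new `update-workflow-definition-language-schema.md`, so a redirect from the old path to the new article is needed before merging to keep inbound links alive. The image `./media/logic-apps-schema-2016-04-01/upgradeButton.png` referenced by `[1]` becomes orphaned with this file; remove it too unless something else uses it.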
logic-apps | Update Consumption Workflow Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/update-consumption-workflow-schema.md | - Title: Update Consumption workflows to latest workflow schema -description: Update Consumption logic app workflows to the latest Workflow Definition Language schema in Azure Logic Apps. --- Previously updated : 08/15/2022---# Update Consumption logic app workflows to latest Workflow Definition Language schema version in Azure Logic Apps ---If you have a Consumption logic app workflow that uses an older Workflow Definition Language schema, you can update your workflow to use the newest schema. This capability applies only to Consumption logic app workflows. --## Best practices --The following list includes some best practices for updating your logic app workflows to the latest schema: --* Don't overwrite your original workflow until after you finish your testing and confirm that your updated workflow works as expected. --* Copy the updated script to a new logic app workflow. --* Test your workflow *before* you deploy to production. --* After you finish and confirm a successful migration, update your logic app workflows to use the latest [managed connectors for Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors) where possible. For example, replace older versions of the Dropbox connector with the latest version. --## Update workflow schema --When you select the option to update the schema, Azure Logic Apps automatically runs the migration steps and provides the code output for you. You can use this output to update your workflow definition. However, before you update your workflow definition using this output, make sure that you review and follow the best practices as described in the [Best practices](#best-practices) section. --1. In the [Azure portal](https://portal.azure.com), open your logic app resource. --1. 
On your logic app's navigation menu, select **Overview**. On the toolbar, select **Update Schema**. -- > [!NOTE] - > - > If the **Update Schema** command is unavailable, your workflow already uses the current schema. -- ![Screenshot showing Azure portal, Consumption logic app resource with "Overview" pane open, and "Update Schema" selected.](./media/update-consumption-workflow-schema/update-schema.png) -- The **Update Schema** pane opens to show a link to a document that describes the improvements in the new schema. --## Next steps --* [Review Workflow Definition Language schema updates - June 1, 2016](../logic-apps/logic-apps-schema-2016-04-01.md) |
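Review bot: same gap as the schema article: no redirect is added for `update-consumption-workflow-schema.md`. Its only 'Next steps' link targets `../logic-apps/logic-apps-schema-2016-04-01.md`, which this change set also deletes, and its screenshot `./media/update-consumption-workflow-schema/update-schema.png` is left unreferenced because the replacement article uses a different media path; add the redirect and clean up the old media folder in the same change.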
logic-apps | Update Workflow Definition Language Schema | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/update-workflow-definition-language-schema.md | + + Title: Update schema for Workflow Definition Language +description: Learn how to update the schema for the Workflow Definition Language in Azure Logic Apps. ++ms.suite: integration ++ Last updated : 08/15/2023+++# Update schema for Workflow Definition Language in Azure Logic Apps - June 1, 2016 +++The [latest Workflow Definition Language schema version June-01-2016](https://schema.management.azure.com/schemas/2016-06-01/Microsoft.Logic.json) and API version for Azure Logic Apps includes key improvements that make Consumption logic app workflows more reliable and easier to use: ++* [Scopes](#scopes) let you group or nest actions as a collection of actions. +* [Conditions and loops](#conditions-loops) are first-class actions. +* More precise ordering for running actions with the `runAfter` property, replacing `dependsOn` ++To upgrade older workflow definitions to the current schema, see [Upgrade your schema](#upgrade-your-schema). ++<a name="scopes"></a> ++## Scopes ++This schema includes scopes, which let you group actions together, or nest actions inside each other. For example, a condition can contain another condition. Learn more about [scope syntax](./logic-apps-control-flow-loops.md), +or review this basic scope example: ++```json +{ + "actions": { + "Scope": { + "type": "Scope", + "actions": { + "Http": { + "inputs": { + "method": "GET", + "uri": "https://www.bing.com" + }, + "runAfter": {}, + "type": "Http" + } + } + } + } +} +``` ++<a name="conditions-loops"></a> ++## Conditions and loops changes ++In previous schema versions, conditions and loops were parameters associated with a single action. This schema lifts this limitation, so conditions and loops are now available as action types. 
Learn more about [loops and scopes](./logic-apps-control-flow-loops.md), [conditions](../logic-apps/logic-apps-control-flow-conditional-statement.md), or review this basic example that shows a condition action: ++```json +{ + "Condition - If trigger is some trigger": { + "type": "If", + "expression": "@equals(triggerBody(), '<trigger-name>')", + "runAfter": {}, + "actions": { + "Http_2": { + "inputs": { + "method": "GET", + "uri": "https://www.bing.com" + }, + "runAfter": {}, + "type": "Http" + } + }, + "else": + { + "Condition - If trigger is another trigger": {} + } + } +} +``` ++<a name="run-after"></a> ++## 'runAfter' property ++The `runAfter` property replaces `dependsOn`, providing more precision when you specify the run order for actions based on the status of previous actions. The `dependsOn` property indicated whether "the action ran and was successful", based on whether the previous action succeeded, failed, or as skipped - not the number of times you wanted to run the action. The `runAfter` property provides flexibility as an object that specifies all the action names after which the object runs. This property also defines an array of statuses that are acceptable as triggers. For example, if you want an action to run after action A succeeds and also after action B succeeds or fails, set up this `runAfter` property: ++```json +{ + // Other parts in action definition + "runAfter": { + "A": ["Succeeded"], + "B": ["Succeeded", "Failed"] + } +} +``` ++## Other changes ++### Renamed 'manual' trigger to 'request' trigger ++The `manual` trigger type was deprecated and renamed to `request` with type `http`. This change creates more consistency for the kind of pattern that the trigger is used to build. ++### New 'filter' action ++To filter a large array down to a smaller set of items, the `filter` type accepts an array and a condition, evaluates the condition for each item, and returns an array with items that meet the condition. 
++### Restrictions for 'foreach' and 'until' actions ++The `foreach` and `until` loop are restricted to a single action. ++### 'trackedProperties' for actions ++Actions have an additional property called `trackedProperties`, which is a sibling to the `runAfter` and `type` properties. This object specifies certain action inputs or outputs that you want to include in the Azure Diagnostic telemetry, emitted as part of a workflow, for example: ++``` json +{ + "Http": { + "inputs": { + "method": "GET", + "uri": "https://www.bing.com" + }, + "runAfter": {}, + "type": "Http", + "trackedProperties": { + "responseCode": "@action().outputs.statusCode", + "uri": "@action().inputs.uri" + } + } +} +``` ++<a name="upgrade-your-schema"></a> ++## Upgrade your schema ++If you have a Consumption logic app workflow that uses an older Workflow Definition Language schema, you can update your workflow to use the newest schema. This capability applies only to Consumption logic app workflows. To upgrade to the [most recent schema](https://schema.management.azure.com/schemas/2016-06-01/Microsoft.Logic.json), you need only take a few steps. The upgrade process includes running the upgrade script, saving your original logic app workflow as a new Consumption logic app workflow, and if you want, possibly overwriting the original logic app workflow. ++<a name="best-practices"></a> ++### Best practices ++The following list includes some best practices for updating your logic app workflow to the latest schema: ++* Don't overwrite your original workflow until after you finish your testing and confirm that your updated workflow works as expected. ++* Copy the updated script to a new logic app workflow. ++* Test your workflow *before* you deploy to production. 
++* After you finish and confirm a successful migration, update your logic app workflows to use the latest versions for the [managed connectors in Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors) where possible. For example, replace older versions of the Dropbox connector with the latest version. ++### Update workflow schema ++When you select the option to update the schema, Azure Logic Apps automatically runs the migration steps and provides the code output for you. You can use this output to update your workflow definition. However, before you update your workflow definition using this output, make sure that you review and follow the best practices as described in the [Best practices](#best-practices) section. ++1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app resource. ++1. On your logic app resource menu, select **Overview**. On the toolbar, select **Update Schema**. ++ > [!NOTE] + > + > If the **Update Schema** command is unavailable, your workflow already uses the current schema. ++ ![Screenshot showing Azure portal, Consumption logic app resource, Overview page, and selected Update Schema command.](./media/update-workflow-definition-language-schema/update-schema.png) ++ The **Update Schema** pane opens and shows a link to a document that describes the improvements in the current schema. You can copy and paste the returned workflow definition, which you can copy and paste into your logic app resource definition if necessary. ++1. In the upgrade pane toolbar, select **Save As** so that all the connection references remain valid in the upgraded logic app workflow definition. ++1. Provide a name for your logic app workflow, and enter the status. ++1. To deploy your upgraded logic app workflow, select **Create**. Confirm that your upgraded logic app works as expected. 
++ > [!IMPORTANT] + > + > If your workflow uses a Request trigger (previously named "manual"), the callback URL changes for this trigger in your upgraded workflow. + > Test the new callback URL to make sure the end-to-end experience works. To preserve previous URLs, you can clone over your existing logic app workflow. ++1. **Optional**: To overwrite your original logic app workflow with the upgraded version, on the toolbar, next to **Update Schema**, select **Clone**. ++ This step is necessary only if you want to keep the same resource ID or Request trigger's callback URL for your logic app workflow. ++## Upgrade tool notes ++### Resource tags ++After you upgrade, resource tags are removed, so you must reset them for the upgraded workflow. ++### Mapping conditions ++In the upgraded workflow definition, the tool makes the best effort at grouping true and false branch actions together as a scope. Specifically, the designer pattern of `@equals(actions('a').status, 'Skipped')` appears as an `else` action. However, if the tool detects unrecognizable patterns, the tool might create separate conditions for both the true and the false branch. You can remap actions after upgrading, if necessary. ++### 'foreach' loop with condition ++In the upgraded schema, you can use the filter action to replicate the pattern that uses a **For each** loop with one condition per item. However, the change automatically happens when you upgrade. The condition becomes a filter action that appears prior to the **For each** loop, returning only an array of items that match the condition, and passing that array to **For each** action. For an example, see [Loops and scopes](logic-apps-control-flow-loops.md). ++## Next steps ++* [Create workflow definitions for logic apps](logic-apps-author-definitions.md) +* [Automate logic app deployment](logic-apps-azure-resource-manager-templates-overview.md) |
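Review bot: step 2 of 'Update workflow schema' carries a duplicated clause: 'You can copy and paste the returned workflow definition, which you can copy and paste into your logic app resource definition if necessary.' Keep one 'copy and paste'. Two typos are copied over from the deleted article instead of being fixed while the text is being rewritten: 'or as skipped' (should be 'or was skipped') in the `runAfter` section, and 'The `foreach` and `until` loop are restricted' (should be 'loops are'). The IMPORTANT callout is the right place for the callback-URL change, since anything that was given the old Request trigger URL stops working after the upgrade; it would help readers to state there that the old URL should be treated as retired rather than left in place.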
machine-learning | Azure Machine Learning Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/v1/azure-machine-learning-release-notes.md | __RSS feed__: Get notified when this page is updated by copying and pasting the `https://learn.microsoft.com/api/search/rss?search=%22Azure+machine+learning+release+notes%22&locale=en-us` +## 2023-08-21 ++### Azure Machine Learning SDK for Python v1.53.0 + + **azureml-automl-core** + + Support of features/regressors known at the time of forecast in AutoML forecasting TCN models. + + **azureml-automl-dnn-vision** + + Enable flags for log_training_metrics and log_validation_loss for automl object detection and instance segmentation + + **azureml-contrib-automl-dnn-forecasting** + + Support of features/regressors known at the time of forecast in AutoML forecasting TCN models. + + **azureml-core** + + Add appinsights location swap for qatarcentral to point to uaenorth + + **azureml-mlflow** + + Fix for loading models with MLflow load_model APIs when passing an AzureML URI + + **azureml-pipeline-core** + + Skip child run and log error when load child run failed (e.g. 404) using `PipelineRun.get_pipeline_runs`. + + `PipelineEndpoint.list` introduces a new int parameter `max_results`, which indicates the maximum size of the returned list. The default value of `max_results` is 100. + + **azureml-training-tabular** + + Support of features/regressors known at the time of forecast in AutoML forecasting TCN models. + ## 2023-06-26 ### Azure Machine Learning SDK for Python v1.52.0 |
network-watcher | Diagnose Network Security Rules | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/network-watcher/diagnose-network-security-rules.md | Use [az group delete](/cli/azure/group#az-group-delete) to remove the resource g ```azurecli-interactive # Delete the resource group and all the resources it contains. -az group delete --name myResourceGroup --yes --no-wait +az group delete --name 'myResourceGroup' --yes --no-wait ``` ## Next steps - To learn about other Network Watcher tools, see [Azure Network Watcher overview](network-watcher-monitoring-overview.md).-- To learn how to troubleshoot virtual machine routing problems, see [Diagnose a virtual machine network routing problem](diagnose-vm-network-routing-problem.md).+- To learn how to troubleshoot virtual machine routing problems, see [Diagnose a virtual machine network routing problem](diagnose-vm-network-routing-problem.md). |
operator-nexus | Howto Run Instance Readiness Testing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/operator-nexus/howto-run-instance-readiness-testing.md | Last updated 07/13/2023 -# Instance readiness testing +# Instance Readiness Testing Instance Readiness Testing (IRT) is a framework built to orchestrate real-world workloads for testing of the Azure Operator Nexus Platform. Instance Readiness Testing (IRT) is a framework built to orchestrate real-world * Networks to use for the test are specified in a "networks-blueprint.yml" file, see [Input Configuration](#input-configuration). - curl to download IRT package - The User Access Admin & Contributor roles for the execution subscription-- The ability to create security groups in your Active Directory tenant +- The ability to create security groups in your Active Directory tenant ## Input configuration The network information is provided in either a `networks-blueprint.yml` file, s * Two of them with MTU 1500 * One of them with MTU 9000 and shouldn't have a fabric_asn attribute * One (1) Trunked Network-* All vlans should be greater than 500 +* All VLANs should be greater than 500 ## One Time Setup -### Download IRT -IRT is distributed via tarball, download it, extract it, and navigate to the `irt` directory +### Download IRT +IRT is distributed via tarball, download it, extract it, and navigate to the `irt` directory. 1. From your Linux environment, download nexus-irt.tar.gz from aka.ms/nexus-irt `curl -Lo nexus-irt.tar.gz aka.ms/nexus-irt` 1. Extract the tarball to the local file system: `mkdir -p irt && tar xf nexus-irt.tar.gz --directory ./irt` 1. Switch to the new directory `cd irt` There are multiple dependencies expected to be available during execution. Revie * `jq` version 1.6 or greater * `yq` version 4.33 or greater * `azcopy` version 10 or greater-* `az` Azure CLI minimum version not known, stay up to date. +* `az` Azure CLI, stay up to date. 
Minimum expected version: 2.11.0(supports self upgrade) * `elinks` - for viewing html files on the command line * `tree` - for viewing directory structures-* `moreutils` - for viewing progress from the ACI container +* `moreutils` - for viewing progress from the Azure Container Instance (ACI) container The `setup.sh` script is provided to aid with installing the listed dependencies. It installs any dependencies that aren't available in PATH. It doesn't upgrade any dependencies that don't meet the minimum required versions. -> [!NOTE] +> [!NOTE] > `setup.sh` assumes a nonroot user and attempts to use `sudo` ### All in one setup -`all-in-one-setup.sh` is provided to create all of the Azure resources required to run IRT. This process includes creating a managed identity, a service principal, a security group, isolation domains, and a storage account to archive the test results. These resources can be created during the all in one script, or they can be created step by step per the instructions in this document. Each of the script, individually and via the all in one script, writes updates to your `irt-input.yml` file with the key value pairs needed to utilize the resources you created. Review the `irt-input.example.yml` file for the required inputs needed for the script(s), regardless of the methodology you pursue. All of the scripts are idempotent, and also allow you to use existing resources if desired. -+`all-in-one-setup.sh` is provided to create all of the Azure resources required to run IRT. This process includes creating a managed identity, a service principal, a security group, isolation domains, and a storage account to archive the test results. These resources can be created during the all in one script, or they can be created step by step per the instructions in this document. Each of the script, individually and via the all in one script, writes updates to your `irt-input.yml` file with the key value pairs needed to utilize the resources you created. 
Review the `irt-input.example.yml` file for the required inputs needed for one or more of the scripts, regardless of the methodology you pursue. All of the scripts are idempotent, and also allow you to use existing resources if desired. ### Step-by-Step setup > [!NOTE] > Only use this section if you're NOT using `all-in-one.sh` -If your workflow is incompatible with `all-in-one.sh`, each resource needed for IRT can be created manually with each supplemental script. Like `all-in-one.sh`, running these scripts writes key/value pairs to your `irt-input.yml` for you to use during your run. These five scripts make up the `all-in-one.sh`. +If your workflow is incompatible with `all-in-one.sh`, each resource needed for IRT can be created manually with each supplemental script. Like `all-in-one.sh`, running these scripts writes key/value pairs to your `irt-input.yml` for you to use during your run. These four scripts make up the `all-in-one.sh`. -IRT makes commands against your resources, and needs permission to do so. IRT requires a Managed Identity and a Service Principal to execute. It also requires that the service principal is a member of the Azure AD Security Group that is also provided as input. +IRT makes commands against your resources, and needs permission to do so. IRT requires a managed identity and a service principal to execute. It also requires that the service principal is a member of the Azure AD Security Group that is also provided as input. #### Create managed identity-A managed identity with the following role assignments is needed to execute tests. The supplemental script, `create-managed-identity.sh` creates a managed identity with these role assignments. 
- * `Contributor` - For creating and manipulating resources - * `Storage Blob Data Contributor` - For reading from and writing to the storage blob container - * `Log Analytics Reader` - For reading metadata about the LAW -+<details> +<summary>Expand to see how to create managed identity.</summary> -Executing `create-managed-identity.sh` requires the following environment variables to be set; - * **MI_RESOURCE_GROUP** - The resource group the Managed Identity is created in. The resource group is created in `eastus` if the resource group provided doesn't yet exist. - * **MI_NAME** - The name of the Managed Identity to be created. - * **[Optional] SUBSCRIPTION** - to set the subscription. Alternatively, the script uses az CLI context to look up the subscription. +A managed identity with the following role assignments is needed to execute tests. The supplemental script, `create-managed-identity.sh` creates a managed identity with these role assignments. +* `Contributor` - For creating and manipulating resources +* `Storage Blob Data Contributor` - For reading from and writing to the storage blob container +* `Log Analytics Reader` - For reading metadata about the LAW +* `Kubernetes Connected Cluster Role` - For read/write operations on connected cluster ++Executing `create-managed-identity.sh` requires the input yaml to have the following properties, all of them can be overridden by the corresponding environment variables: +```yml +MANAGED_IDENTITY: + RESOURCE_GROUP: "<resource-group>" # env: MANAGED_IDENTITY_RESOURCE_GROUP + NAME: "<name>" # env: MANAGED_IDENTITY_NAME + SUBSCRIPTION: "<subscription>" # env: MANAGED_IDENTITY_SUBSCRIPTION + LOCATION: "<location>" # env: MANAGED_IDENTITY_LOCATION +``` +* `MANAGED_IDENTITY.RESOURCE_GROUP` - The resource group the managed identity is created in. +* `MANAGED_IDENTITY.NAME` - The name of the managed identity to be created. +* `MANAGED_IDENTITY.SUBSCRIPTION` - The subscription where the resource group should reside. 
+* `MANAGED_IDENTITY.LOCATION` - The location to create the resource group. ```bash # Example execution of the script-MI_RESOURCE_GROUP="<your resource group>" MI_NAME="<your managed identity name>" SUBSCRIPTION="<your subscription ID>" ./create-managed-identity.sh +./create-managed-identity.sh irt-input.yml ``` -**RESULT:** This script prints a value for `MANAGED_IDENTITY_ID`. This key/value pair should be recorded in the irt-input.yml for use. See [Input Configuration](#input-configuration). +> [!NOTE] +> if `MANAGED_IDENTITY_ID` is set in the input yaml or as an environment variable the script won't create anything. +**RESULT:** This script prints a value for `MANAGED_IDENTITY_ID` and sets it to the input.yml. +See [Input Configuration](#input-configuration). ++```yml +MANAGED_IDENTITY_ID: <generated_id> +``` +</details> #### Create service principal and security group-A service principal with the following role assignments. The supplemental script, `create-service-principal.sh` creates a service principal with these role assignments, or add role assignments to an existing service principal. - * `Contributor` - For creating and manipulating resources - * `Storage Blob Data Contributor` - For reading from and writing to the storage blob container - * `Azure ARC Kubernetes Admin` - For ARC enrolling the NAKS cluster +<details> +<summary>Expand to see how to create service principal and security group.</summary> ++A service principal with the following role assignments. The supplemental script, `create-service-principal.sh` creates a service principal with these role assignments, or add role assignments to an existing service principal. 
++* `Contributor` - For creating and manipulating resources +* `Storage Blob Data Contributor` - For reading from and writing to the storage blob container +* `Azure ARC Kubernetes Admin` - For ARC enrolling the NAKS cluster Additionally, the script creates the necessary security group, and adds the service principal to the security group. If the security group exists, it adds the service principal to the existing security group. -Executing `create-service-principal.sh` requires the following environment variables to be set: - * SERVICE_PRINCIPAL_NAME - The name of the service principal, created with the `az ad sp create-for-rbac` command. - * AAD_GROUP_NAME - The name of the security group. +Executing `create-service-principal.sh` requires the input yaml to have the following properties, all of them can be overridden by the corresponding environment variables: +```yml +SERVICE_PRINCIPAL: + NAME: "<name>" # env: SERVICE_PRINCIPAL_NAME + AAD_GROUP_NAME: "<aad-group-name>" # env: SERVICE_PRINCIPAL_AAD_GROUP_NAME + SUBSCRIPTION: "<subscription>" # env: SERVICE_PRINCIPAL_SUBSCRIPTION +``` +* `SERVICE_PRINCIPAL.NAME` - The name of the service principal, created with the `az ad sp create-for-rbac` command. +* `SERVICE_PRINCIPAL.AAD_GROUP_NAME` - The name of the security group. +* `SERVICE_PRINCIPAL.SUBSCRIPTION` - The subscription of the service principal. ```bash # Example execution of the script-SERVICE_PRINCIPAL_NAME="<your service principal name>" AAD_GROUP_NAME="<your security group name>" ./create-service-principal.sh +./create-service-principal.sh irt-input.yml ``` -**RESULT:** This script prints values for `AAD_GROUP_ID`, `SP_ID`, `SP_PASSWORD`, and `SP_TENANT`. This key/value pair should be recorded in irt-input.yml for use. See [Input Configuration](#input-configuration). +> [!NOTE] +> if all `SP_ID`,`SP_PASSWORD`,`SP_TENANT_ID`,`AAD_GROUP_ID` are set in the yaml or as an environment variable the script skips creating them. 
+**RESULT:** This script prints values for `AAD_GROUP_ID`, `SP_ID`, `SP_PASSWORD`, and `SP_TENANT` and sets the values back to the input yaml. +See [Input Configuration](#input-configuration). -#### Create isolation domains -The testing framework doesn't create, destroy, or manipulate isolation domains. Therefore, existing Isolation Domains can be used. Each Isolation Domain requires at least one external network. The supplemental script, `create-l3-isolation-domains.sh`. Internal networks are created, manipulated, and destroy through the course of testing. They're created using the data provided in the networks blueprint. +```yml +SP_ID: "<generated-sp-id>" +SP_PASSWORD: "<generated-sp-password>" # If SP already exists sp password is not retreivable, please fill it in. +SP_TENANT_ID: "<generated-sp-tenant-id>" +AAD_GROUP_ID: "generated-aad-group-id" +``` +</details> ++#### Create l3 isolation domains +<details> +<summary>Expand to see how to create l3 isolation.</summary> ++The testing framework doesn't create, destroy, or manipulate isolation domains. Therefore, existing isolation domains can be used. Each isolation domain requires at least one external network. The supplemental script, `create-l3-isolation-domains.sh`. Internal networks are created, manipulated, and destroyed through the course of testing. ++Executing `create-l3-isolation-domains.sh` requires one **parameter**, a path to a file containing the networks requirements. You can choose either the standalone network-blueprint.yml or the input.yml based on your workflow, both should contain the information needed. 
++```bash +# Example of the script being invoked using networks-blueprint.yml: +./create-l3-isolation-domains.sh networks-blueprint.yml +``` -Executing `create-l3-isolation-domains.sh` requires one **parameter**, a path to your networks blueprint file: - ```bash-# Example of the script being invoked: -./create-l3-isolation-domains.sh ./networks-blueprint.yml +# Example of the script being invoked using irt-input.yml: +# the network-blueprint should exist under NETWORK_BLUEPRINT node. +./create-l3-isolation-domains.sh irt-input.yml ```+</details> #### Create archive storage-IRT creates an html test report after running a test scenario. These reports can optionally be uploaded to a blob storage container. the supplementary script `create-archive-storage.sh` to create a storage container, storage account, and resource group if they don't already exist. +<details> +<summary>Expand to see how to create archive storage.</summary> ++IRT creates an html test report after running a test scenario. These reports can optionally be uploaded to a blob storage container. The supplementary script `create-archive-storage.sh` to create a storage container, storage account, and resource group if they don't already exist. +Executing `create-archive-storage.sh` requires the input yaml to have the following properties, all of them can be overridden by the corresponding environment variables: -Executing `create-managed-identity.sh` requires the following environment variables to be set: - * **RESOURCE_GROUP** - The resource group the Managed Identity is created in. The resource group is created in `eastus` if the resource group provided doesn't yet exist. - * **STORAGE_ACCOUNT_NAME** - The name of the Azure storage account to be created. - * **STORAGE_CONTAINER_NAME** - The name of the blob storage container to be created. - * **[Optional] SUBSCRIPTION** - to set the subscription. Alternatively, the script uses the az CLI context to look up the subscription. 
+```yml +ARCHIVE_STORAGE: + RESOURCE_GROUP: "<resource-group>" # env: ARCHIVE_STORAGE_RESOURCE_GROUP + ACCOUNT_NAME: "<storage-account-name>" # env: ARCHIVE_STORAGE_ACCOUNT_NAME + CONTAINER_NAME: "<storage-container-name>" # env: ARCHIVE_STORAGE_CONTAINER_NAME + SUBSCRIPTION: "<subscription>" # env: ARCHIVE_STORAGE_SUBSCRIPTION + LOCATION: "<location>" # env: ARCHIVE_STORAGE_LOCATION +``` +* `ARCHIVE_STORAGE_RESOURCE_GROUP` - The resource group the managed identity is created in. +* `ARCHIVE_STORAGE_ACCOUNT_NAME` - The name of the Azure storage account to be created. +* `ARCHIVE_STORAGE_CONTAINER_NAME` - The name of the blob storage container to be created. +* `SUBSCRIPTION` - The subscription where the resource group is created in. +* `LOCATION` - The location where the resource group is created in. +> [!NOTE] +> if `PUBLISH_RESULTS_TO` is set in the input yaml or as an environment variable the script skips creating a new one. ```bash # Example execution of the script-RESOURCE_GROUP="<your resource group>" STORAGE_ACCOUNT_NAME="<your storage account name>" STORAGE_CONTAINER_NAME="<your container name>" ./create-archive-storage.sh +./create-archive-storage.sh irt-input.yaml ``` -**RESULT:** This script prints a value for `PUBLISH_RESULTS_TO`. This key/value pair should be recorded in irt-input.yml for use. See [Input Configuration](#input-configuration). -+**RESULT:** This script prints a value for `PUBLISH_RESULTS_TO` and sets the value in the input.yml. See [Input Configuration](#input-configuration). +```yml +PUBLISH_RESULTS_TO: <generated_id> +``` +</details> ## Execution |
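Review bot: `SP_TENANT` and `SP_TENANT_ID` name the same value in the create-service-principal section: the RESULT sentence says the script prints `SP_TENANT`, while the skip-note just above it and the yml block below it use `SP_TENANT_ID`; settle on one key so a reader who sets the value by environment variable hits the one the script reads. In that same yml block, `SP_PASSWORD` (the service principal secret) is written back into `irt-input.yml` in clear text, so the section should tell the reader to protect that file (it must not be checked into source control); `"generated-aad-group-id"` is also missing the angle brackets the other placeholders use, and "retreivable" is misspelled. In the archive-storage section, `ARCHIVE_STORAGE_RESOURCE_GROUP` is described as "The resource group the managed identity is created in" (copied from the managed-identity section; it should describe the storage account's resource group), the `SUBSCRIPTION` and `LOCATION` bullets do not match the `ARCHIVE_STORAGE_SUBSCRIPTION` and `ARCHIVE_STORAGE_LOCATION` keys in the yml above them, and the example invocation passes `irt-input.yaml` while every other script on the page is invoked with `irt-input.yml`. Finally, the all-in-one script is called `all-in-one-setup.sh` in one paragraph and `all-in-one.sh` in the next; use one name.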
reliability | Availability Zones Service Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/reliability/availability-zones-service-support.md | The following regions currently support availability zones: |||||| | Brazil South | France Central | Qatar Central | South Africa North | Australia East | | Canada Central | Italy North* | UAE North | | Central India |-| Central US | Germany West Central | | | Japan East | +| Central US | Germany West Central | Israel Central* | | Japan East | | East US | Norway East | | | Korea Central | | East US 2 | North Europe | | | Southeast Asia | | South Central US | UK South | | | East Asia | |
sap | Monitor Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/center-sap-solutions/monitor-portal.md | You can also set up or register Azure Monitor for SAP solutions to monitor SAP p 1. In the sidebar menu for the VIS, under **Monitoring**, select **Azure Monitor for SAP solutions**. -1. Select whether you want to [create a new Azure Monitor for SAP solutions instance](#create-new-Azure Monitor for SAP solutions-resource), or [register an existing Azure Monitor for SAP solutions instance](#register-existing-Azure Monitor for SAP solutions-resource). If you don't see this option, you've already configured this setting. +1. Select whether you want to [create a new Azure Monitor for SAP solutions instance](#create-new-azure-monitor-for-sap-solutions-resource), or [register an existing Azure Monitor for SAP solutions instance](#register-existing-azure-monitor-for-sap-solutions-resource). If you don't see this option, you've already configured this setting. :::image type="content" source="media/monitor-portal/monitoring-setup.png" lightbox="media/monitor-portal/monitoring-setup.png" alt-text="Screenshot of Azure Monitor for SAP solutions page inside a VIS resource in the Azure portal, showing the option to create or register a new instance."::: |
security | Customer Lockbox Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/security/fundamentals/customer-lockbox-overview.md | Most operations, support, and troubleshooting performed by Microsoft personnel a This article covers how to enable Customer Lockbox and how Lockbox requests are initiated, tracked, and stored for later reviews and audits. -<a name='supported-services-and-scenarios-in-general-availability'></a><a name='supported-services-and-scenarios-in-preview'></a> ## Supported services and scenarios ### General Availability+ The following services are generally available for Customer Lockbox: - Azure API Management You can now enable Customer Lockbox from the [Administration module](https://aka The following steps outline a typical workflow for a Customer Lockbox request. 1. Someone at an organization has an issue with their Azure workload.--2. After this person troubleshoots the issue, but can't fix it, they open a support ticket from the [Azure portal](https://portal.azure.com/signin/index/?feature.settingsportalinstance=mpac). The ticket is assigned to an Azure Customer Support Engineer. --3. An Azure Support Engineer reviews the service request and determines the next steps to resolve the issue. --4. If the support engineer can't troubleshoot the issue by using standard tools and service generated data, the next step is to request elevated permissions by using a Just-In-Time (JIT) access service. This request can be from the original support engineer or from a different engineer because the problem is escalated to the Azure DevOps team. --5. After the access request is submitted by the Azure Engineer, Just-In-Time service evaluates the request taking into account factors such as: +1. After this person troubleshoots the issue, but can't fix it, they open a support ticket from the [Azure portal](https://portal.azure.com/signin/index/?feature.settingsportalinstance=mpac). 
The ticket is assigned to an Azure Customer Support Engineer. +1. An Azure Support Engineer reviews the service request and determines the next steps to resolve the issue. +1. If the support engineer can't troubleshoot the issue by using standard tools and service generated data, the next step is to request elevated permissions by using a Just-In-Time (JIT) access service. This request can be from the original support engineer or from a different engineer because the problem is escalated to the Azure DevOps team. +1. After the access request is submitted by the Azure Engineer, Just-In-Time service evaluates the request taking into account factors such as: - The scope of the resource - Whether the requester is an isolated identity or using multi-factor authentication - Permissions levels- Based on the JIT rule, this request may also include an approval from Internal Microsoft Approvers. For example, the approver might be the Customer support lead or the DevOps Manager.--6. When the request requires direct access to customer data, a Customer Lockbox request is initiated. For example, remote desktop access to a customer's virtual machine. -+1. When the request requires direct access to customer data, a Customer Lockbox request is initiated. For example, remote desktop access to a customer's virtual machine. + The request is now in a **Customer Notified** state, waiting for the customer's approval before granting access.--7. At the customer organization, the users who have the [Owner role](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles) for the Azure subscription and/or the [Azure Active Directory Global Administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-ad-roles) receive an email from Microsoft, to notify them about the pending access request. For Customer Lockbox requests, this person is the designated approver. -+1. 
The approver(s) at the customer organization for a given Lockbox request are determined as follows: + - For Subscription scoped requests (requests to access specific resources contained within a subscription), users who have been assigned the Owner role on the associated subscription. + - For Tenant scope requests (requests to access the Azure Active Directory Tenant), users who have been assigned the Global Administrator role on the Tenant. + > [!NOTE] + > Role assignments must be in place before Lockbox starts to process a request. Any role assignments made after Lockbox starts to process a given request will not be recognized by Lockbox. Because of this, to use PIM eligible assignments for the Subscription Owner role, users are required to activate the role before the Customer Lockbox request is initiated. Refer to [Activate Azure AD roles in PIM](../../active-directory/privileged-identity-management/pim-how-to-activate-role.md) / [Activate Azure resource roles in PIM](../../active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md#activate-a-role) for more information on activating PIM eligible roles. + > + > **Role assignments scoped to management groups are not supported in Lockbox at this time.** +1. At the customer organization, designated lockbox approvers ([Azure Subscription Owner](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles)/[Azure AD Global admin](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-ad-roles) receive an email from Microsoft to notify them about the pending access request. + Example email:-+ ![Azure Customer Lockbox - email notification](./media/customer-lockbox-overview/customer-lockbox-email-notification.png)--8. The email notification provides a link to the **Customer Lockbox** blade in the Administration module. 
Using this link, the designated approver signs in to the Azure portal to view any pending requests that their organization has for Customer Lockbox: -+1. The email notification provides a link to the **Customer Lockbox** blade in the Administration module. Using this link, the designated approver signs in to the Azure portal to view any pending requests that their organization has for Customer Lockbox: ![Azure Customer Lockbox - landing page](./media/customer-lockbox-overview/customer-lockbox-landing-page.png)- The request remains in the customer queue for four days. After this time, the access request automatically expires and no access is granted to Microsoft engineers.--9. To get the details of the pending request, the designated approver can select the lockbox request from **Pending Requests**: -+1. To get the details of the pending request, the designated approver can select the lockbox request from **Pending Requests**: ![Azure Customer Lockbox - view the pending request](./media/customer-lockbox-overview/customer-lockbox-pending-requests.png)--10. The designated approver can also select the **SERVICE REQUEST ID** to view the support ticket request that was created by the original user. This information provides context for why Microsoft Support is engaged, and the history of the reported problem. For example: -+1. The designated approver can also select the **SERVICE REQUEST ID** to view the support ticket request that was created by the original user. This information provides context for why Microsoft Support is engaged, and the history of the reported problem. For example: ![Azure Customer Lockbox - view the support ticket request](./media/customer-lockbox-overview/customer-lockbox-support-ticket.png)--11. After reviewing the request, the designated approver selects **Approve** or **Deny**: -+1. 
After reviewing the request, the designated approver selects **Approve** or **Deny**: ![Azure Customer Lockbox - select Approve or Deny](./media/customer-lockbox-overview/customer-lockbox-approval.png)- As a result of the selection: - **Approve**: Access is granted to the Microsoft engineer. The access is granted for a default period of eight hours. - **Deny**: The elevated access request by the Microsoft engineer is rejected and no further action is taken.--For auditing purposes, the actions taken in this workflow are logged in [Customer Lockbox request logs](#auditing-logs). + + For auditing purposes, the actions taken in this workflow are logged in [Customer Lockbox request logs](#auditing-logs). ## Auditing logs Customer Lockbox requests are also not triggered by external legal demands for d Customer Lockbox is available for all customers who have an [Azure support plan](https://azure.microsoft.com/support/plans/) with a minimal level of **Developer**. You can enable Customer Lockbox from the [Administration module](https://aka.ms/customerlockbox/administration) in the Customer Lockbox blade. -Customer Lockbox requests are initiated by a Microsoft engineer if this action is needed to progress a support case. +Customer Lockbox requests are initiated by a Microsoft engineer if this action is needed to progress a support case. |
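Review bot: the parenthetical in the new approver-notification step, `designated lockbox approvers ([Azure Subscription Owner](...)/[Azure AD Global admin](...) receive an email from Microsoft`, opens a parenthesis that is never closed; add `)` after the second link so the sentence reads `... ([Azure Subscription Owner](...)/[Azure AD Global admin](...)) receive an email ...`.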
sentinel | Billing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/billing.md | Any other services you use could have associated costs. After you enable Microsoft Sentinel on a Log Analytics workspace consider these configuration options: - Retain all data ingested into the workspace at no charge for the first 90 days. Retention beyond 90 days is charged per the standard [Log Analytics retention prices](https://azure.microsoft.com/pricing/details/monitor/).-- Specify different retention settings for individual data types. Learn about [retention by data type](../azure-monitor/logs/data-retention-archive.md#configure-retention-and-archive-at-the-table-level. +- Specify different retention settings for individual data types. Learn about [retention by data type](../azure-monitor/logs/data-retention-archive.md#configure-retention-and-archive-at-the-table-level). - Enable long-term retention for your data and have access to historical logs by enabling archived logs. Data archive is a low-cost retention layer for archival storage. It's charged based on the volume of data stored and scanned. Learn how to [configure data retention and archive policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md). Archived logs are in public preview. The 90 day retention doesn't apply to basic logs. If you want to extend data retention for basic logs beyond eight days, store that data in archived logs for up to seven years. |
sentinel | Atlassian Confluence Audit Using Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/atlassian-confluence-audit-using-azure-functions.md | ConfluenceAudit | sort by TimeGenerated desc ``` -- ## Prerequisites To integrate with Atlassian Confluence Audit (using Azure Functions) make sure you have: To integrate with Atlassian Confluence Audit (using Azure Functions) make sure y - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/). - **REST API Credentials/permissions**: **ConfluenceAccessToken**, **ConfluenceUsername** is required for REST API. [See the documentation to learn more about API](https://developer.atlassian.com/cloud/confluence/rest/api-group-audit/). Check all [requirements and follow the instructions](https://developer.atlassian.com/cloud/confluence/rest/intro/#auth) for obtaining credentials. - ## Vendor installation instructions - > [!NOTE]- > This connector uses Azure Functions to connect to the Confluence REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. --->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. +> This connector uses Azure Functions to connect to the Confluence REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. 
+**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. **STEP 1 - Configuration steps for the Confluence API** [Follow the instructions](https://developer.atlassian.com/cloud/confluence/rest/intro/#auth) to obtain the credentials. -- **STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function** ->**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following). --+> [!IMPORTANT] +> Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following). Option 1 - Azure Resource Manager (ARM) Template Use this method for automated deployment of the Confluence Audit data connector [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-confluenceauditapi-azuredeploy) 2. Select the preferred **Subscription**, **Resource Group** and **Location**. -> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. -3. Enter the **ConfluenceAccessToken**, **ConfluenceUsername**, **ConfluenceHomeSiteName** (short site name part, as example HOMESITENAME from https://HOMESITENAME.atlassian.net) and deploy. + > [!NOTE] + > Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. +3. 
Enter the **ConfluenceAccessToken**, **ConfluenceUsername**, **ConfluenceHomeSiteName** (short site name part, as example HOMESITENAME from ``` https://HOMESITENAME.atlassian.net ```) and deploy. 4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. 5. Click **Purchase** to deploy. Option 2 - Manual Deployment of Azure Functions Use the following step-by-step instructions to deploy the Confluence Audit data connector manually with Azure Functions (Deployment via Visual Studio Code). - **1. Deploy a Function App** -> **NOTE:** You will need to [prepare VS code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development. +> [!NOTE] +> You will need to [prepare VS code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development. 1. Download the [Azure Function App](https://aka.ms/sentinel-confluenceauditapi-functionapp) file. Extract archive to your local development computer. 2. Start VS Code. Choose File in the main menu and select Open Folder. If you're already signed in, go to the next step. 6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied. 7. Go to Azure Portal for the Function App configuration. - **2. Configure the Function App** 1. In the Function App, select the Function App Name and select **Configuration**. If you're already signed in, go to the next step. WorkspaceID WorkspaceKey logAnalyticsUri (optional)-> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. + - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. 
For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. 4. Once all application settings have been entered, click **Save**. -- ## Next steps For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-atlassianconfluenceaudit?tab=Overview) in the Azure Marketplace. |
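Review bot: the rewritten step 3 wraps the sample site URL in a spaced triple-backtick span, ``` https://HOMESITENAME.atlassian.net ```, where the rest of this page uses single-backtick spans (compare `https://<CustomerId>.ods.opinsights.azure.us` in the same file); use `https://HOMESITENAME.atlassian.net` for consistency. The `[!NOTE]` block that now sits under step 2 also needs its indentation to match the list item so it renders inside the numbered list.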
sentinel | Atlassian Jira Audit Using Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/atlassian-jira-audit-using-azure-functions.md | JiraAudit | sort by TimeGenerated desc ``` -- ## Prerequisites To integrate with Atlassian Jira Audit (using Azure Functions) make sure you have: To integrate with Atlassian Jira Audit (using Azure Functions) make sure you hav - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/). - **REST API Credentials/permissions**: **JiraAccessToken**, **JiraUsername** is required for REST API. [See the documentation to learn more about API](https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-audit-records/). Check all [requirements and follow the instructions](https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#authentication) for obtaining credentials. - ## Vendor installation instructions - > [!NOTE]- > This connector uses Azure Functions to connect to the Jira REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. --->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. +> This connector uses Azure Functions to connect to the Jira REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. 
+**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. > [!NOTE]- > This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-jiraauditapi-parser) to create the Kusto functions alias, **JiraAudit** -+> This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-jiraauditapi-parser) to create the Kusto functions alias, **JiraAudit** **STEP 1 - Configuration steps for the Jira API** [Follow the instructions](https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/#authentication) to obtain the credentials. -- **STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function** ->**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following). --+> [!IMPORTANT] +> Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following). Option 1 - Azure Resource Manager (ARM) Template Use this method for automated deployment of the Jira Audit data connector using [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentineljiraauditazuredeploy) 2. Select the preferred **Subscription**, **Resource Group** and **Location**. -> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. -3. 
Enter the **JiraAccessToken**, **JiraUsername**, **JiraHomeSiteName** (short site name part, as example HOMESITENAME from https://HOMESITENAME.atlassian.net) and deploy. + > [!NOTE] + > Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. +3. Enter the **JiraAccessToken**, **JiraUsername**, **JiraHomeSiteName** (short site name part, as example HOMESITENAME from ``` https://HOMESITENAME.atlassian.net ```) and deploy. 4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. 5. Click **Purchase** to deploy. Option 2 - Manual Deployment of Azure Functions Use the following step-by-step instructions to deploy the Jira Audit data connector manually with Azure Functions (Deployment via Visual Studio Code). - **1. Deploy a Function App** -> **NOTE:** You will need to [prepare VS code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development. +> [!NOTE] +> You will need to [prepare VS code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development. 1. Download the [Azure Function App](https://aka.ms/sentinel-jiraauditapi-functionapp) file. Extract archive to your local development computer. 2. Start VS Code. Choose File in the main menu and select Open Folder. If you're already signed in, go to the next step. 6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied. 7. Go to Azure Portal for the Function App configuration. - **2. Configure the Function App** 1. In the Function App, select the Function App Name and select **Configuration**. If you're already signed in, go to the next step. WorkspaceID WorkspaceKey logAnalyticsUri (optional)-> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. 
For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. + - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. 3. Once all application settings have been entered, click **Save**. -- ## Next steps For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-atlassianjiraaudit?tab=Overview) in the Azure Marketplace. |
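Review bot: same inline-code point as the Confluence change: step 3 uses ``` https://HOMESITENAME.atlassian.net ``` where a single-backtick span `https://HOMESITENAME.atlassian.net` is the convention elsewhere in this file, and the `[!NOTE]` nested under step 2 needs list-level indentation to render inside the list.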
sentinel | Braodcom Symantec Dlp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/braodcom-symantec-dlp.md | Install the Microsoft Monitoring Agent on your Linux machine and configure the m 2. Forward Symantec DLP logs to a Syslog agent Configure Symantec DLP to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.-1. [Follow these instructions](https://help.symantec.com/cs/DLP15.7/DLP/v27591174_v133697641/Configuring-the-Log-to-a-Syslog-Server-action?locale=EN_US) to configure the Symantec DLP to forward syslog -2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address. +1. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address. -3. Validate connection +2. Validate connection Follow the instructions to validate your connectivity: |
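Review bot: deleting step 1 removes the only pointer to how Symantec DLP is configured to send syslog, while the sentence above still tells the reader to configure DLP to forward CEF messages via the Syslog agent; if the help.symantec.com link is dead, keep the step and replace the link (or describe the Log to a Syslog Server action in a sentence) rather than dropping it. Renumbering the remaining steps is fine.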
sentinel | Cisco Asa Ftd Via Ama | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/cisco-asa-ftd-via-ama.md | CommonSecurityLog | sort by TimeGenerated ``` -- ## Prerequisites To integrate with Cisco ASA/FTD via AMA (Preview) make sure you have: - ****: To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc) - ## Vendor installation instructions Enable data collection ruleΓÇï > Cisco ASA/FTD event logs are collected only from **Linux** agents. --- Run the following command to install and apply the Cisco ASA/FTD collector: -+``` sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py&&sudo python Forwarder_AMA_installer.py--+``` ## Next steps |
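Review bot: the installer one-liner in the new fence downloads a script from raw.githubusercontent.com and immediately executes it under sudo with `python`, which on current Linux distributions may resolve to Python 2 or be absent; `python3` is the safer interpreter name, a space is missing before `&&`, and the page should tell readers to inspect the downloaded script before running it as root. Separately, the prerequisite bullet has an empty bold label (`****:`) and the heading `Enable data collection ruleΓÇï` carries a mojibake zero-width space that should be removed.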
sentinel | Claroty | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/claroty.md | -The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/continuous-threat-detection/) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel. +The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel. ## Connector attributes |
sentinel | Digital Shadows Searchlight Using Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/digital-shadows-searchlight-using-azure-functions.md | DigitalShadows_CL | order by raised_t desc ``` -- ## Prerequisites To integrate with Digital Shadows Searchlight (using Azure Functions) make sure you have: To integrate with Digital Shadows Searchlight (using Azure Functions) make sure - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/). - **REST API Credentials/permissions**: **Digital Shadows account ID, secret and key** is required. See the documentation to learn more about API on the `https://portal-digitalshadows.com/learn/searchlight-api/overview/description`. - ## Vendor installation instructions - > [!NOTE]- > This connector uses Azure Functions to connect to a 'Digital Shadows Searchlight' to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. --->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. +> This connector uses Azure Functions to connect to a 'Digital Shadows Searchlight' to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. +**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. 
Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. **STEP 1 - Configuration steps for the 'Digital Shadows Searchlight' API** The provider should provide or link to detailed steps to configure the 'Digital Shadows Searchlight' API endpoint so that the Azure Function can authenticate to it successfully, get its authorization key or token, and pull the appliance's logs into Microsoft Sentinel. - **STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function** ->**IMPORTANT:** Before deploying the 'Digital Shadows Searchlight' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the 'Digital Shadows Searchlight' API authorization key(s) or Token, readily available. ---+> [!IMPORTANT] +> Before deploying the 'Digital Shadows Searchlight' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the 'Digital Shadows Searchlight' API authorization key(s) or Token, readily available. **Option 1 - Azure Resource Manager (ARM) Template** Use this method for automated deployment of the 'Digital Shadows Searchlight' co 1. Click the **Deploy to Azure** button below. [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Digitalshadows-azuredeploy)-2. Select the preferred **Subscription**, **Resource Group** and **Location**. -3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, 'and/or Other required fields'. ->Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details. -4. 
Mark the checkbox labeled **I agree to the terms and conditions stated above**. -5. Click **Purchase** to deploy. -+1. Select the preferred **Subscription**, **Resource Group** and **Location**. +1. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, 'and/or Other required fields'. + > [!NOTE] + > If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details. +1. Mark the checkbox labeled **I agree to the terms and conditions stated above**. +1. Click **Purchase** to deploy. **Option 2 - Manual Deployment of Azure Functions** Use this method for automated deployment of the 'Digital Shadows Searchlight' co 1. Create a Function App -1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp). -2. Click **+ Create** at the top. -3. In the **Basics** tab, ensure Runtime stack is set to **python 3.8**. -4. In the **Hosting** tab, ensure **Plan type** is set to **'Consumption (Serverless)'**. -5.select Storage account -6. 'Add other required configurations'. -5. 'Make other preferable configuration changes', if needed, then click **Create**. + 1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp). + 2. Click **+ Create** at the top. + 3. In the **Basics** tab, ensure Runtime stack is set to **python 3.8**. + 4. In the **Hosting** tab, ensure **Plan type** is set to **'Consumption (Serverless)'**. + 5.select Storage account + 6. 'Add other required configurations'. + 7. 'Make other preferable configuration changes', if needed, then click **Create**. 2. Import Function App Code(Zip deployment) -1. 
Install Azure CLI -2. From terminal type `az functionapp deployment source config-zip -g ResourceGroup -n FunctionApp --src Zip File` and hit enter. Set the `ResourceGroup` value to: your resource group name. Set the `FunctionApp` value to: your newly created function app name. Set the `Zip File` value to: `digitalshadowsConnector.zip`(path to your zip file). Note:- Download the zip file from the link - [Function App Code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Shadows/Data%20Connectors/Digital%20Shadows/digitalshadowsConnector.zip) + 1. Install Azure CLI + 2. From terminal type `az functionapp deployment source config-zip -g ResourceGroup -n FunctionApp --src Zip File` and hit enter. Set the `ResourceGroup` value to: your resource group name. Set the `FunctionApp` value to: your newly created function app name. Set the `Zip File` value to: `digitalshadowsConnector.zip`(path to your zip file). Note:- Download the zip file from the link - [Function App Code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Shadows/Data%20Connectors/Digital%20Shadows/digitalshadowsConnector.zip) 3. Configure the Function App -1. In the Function App screen, click the Function App name and select **Configuration**. -2. In the **Application settings** tab, select **+ New application setting**. -3. Add each of the following 'x (number of)' application settings individually, under Name, with their respective string values (case-sensitive) under Value: + 1. In the Function App screen, click the Function App name and select **Configuration**. + 2. In the **Application settings** tab, select **+ New application setting**. + 3. 
Add each of the following 'x (number of)' application settings individually, under Name, with their respective string values (case-sensitive) under Value: DigitalShadowsAccountID WorkspaceID WorkspaceKey Use this method for automated deployment of the 'Digital Shadows Searchlight' co HighVariabilityClassifications FUNCTION_NAME logAnalyticsUri (optional)-(add any other settings required by the Function App) -Set the `DigitalShadowsURL` value to: `https://api.searchlight.app/v1` -Set the `HighVariabilityClassifications` value to: `exposed-credential,marked-document` -Set the `ClassificationFilterOperation` value to: `exclude` for exclude function app or `include` for include function app ->Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Azure Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details. -4. Once all application settings have been entered, click **Save**. -+ (add any other settings required by the Function App) + - Set the `DigitalShadowsURL` value to: `https://api.searchlight.app/v1` + - Set the `HighVariabilityClassifications` value to: `exposed-credential,marked-document` + - Set the `ClassificationFilterOperation` value to: `exclude` for exclude function app or `include` for include function app + > [!NOTE] + > If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Azure Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details. + - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: ``` https://CustomerId.ods.opinsights.azure.us ```. +4. 
Once all application settings have been entered, click **Save**. ## Next steps |
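Review bot: the added logAnalyticsUri hint uses ``` https://CustomerId.ods.opinsights.azure.us ``` with the placeholder's angle brackets dropped, unlike the other connectors in this set (`https://<CustomerId>.ods.opinsights.azure.us`); restore the brackets so it is not read as a literal hostname. In the same hunk the nested list under 'Create a Function App' has `5.select Storage account` with no space after the number, and both Key Vault notes lack spaces around the `@Microsoft.KeyVault(SecretUri={Security Identifier})` code span.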
sentinel | Holm Security Asset Data Using Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/holm-security-asset-data-using-azure-functions.md | To integrate with Holm Security Asset Data (using Azure Functions) make sure you **STEP 1 - Configuration steps for the Holm Security API** - [Follow these instructions](https://support.holmsecurity.com/hc/en-us/articles/360027651591-How-do-I-set-up-an-API-token-) to create an API authentication token. + [Follow these instructions](https://www.holmsecurity.com/platform/api-scanning) to create an API authentication token. **STEP 2 - Use the below deployment option to deploy the connector and the associated Azure Function** |
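Review bot: the replacement link for "create an API authentication token" points at https://www.holmsecurity.com/platform/api-scanning, a product page rather than a how-to, while the sentence still promises instructions; either confirm the target describes token creation or reword the sentence to say where in the Holm Security platform the token is generated.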
sentinel | Morphisec Utpp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/morphisec-utpp.md | Integrate vital insights from your security products with the Morphisec Data Con | **Kusto function url** | https://aka.ms/sentinel-morphisecutpp-parser | | **Log Analytics table(s)** | CommonSecurityLog (Morphisec)<br/> | | **Data collection rules support** | [Workspace transform DCR](/azure/azure-monitor/logs/tutorial-workspace-transformations-portal) |-| **Supported by** | [Morphisec](https://support.morphisec.com/support/home) | +| **Supported by** | [Morphisec](https://support.morphisec.com/) | ## Query samples |
sentinel | Netskope Using Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/netskope-using-azure-functions.md | Netskope | top 10 by count_ ``` -- ## Prerequisites To integrate with Netskope (using Azure Functions) make sure you have: - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/).-- **Netskope API Token**: A Netskope API Token is required. [See the documentation to learn more about Netskope API](https://innovatechcloud.goskope.com/docs/Netskope_Help/en/rest-api-v1-overview.html). **Note:** A Netskope account is required-+- **Netskope API Token**: A Netskope API Token is required. + > [!NOTE] + > A Netskope account is required ## Vendor installation instructions - > [!NOTE]- > This connector uses Azure Functions to connect to Netskope to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. -+> This connector uses Azure Functions to connect to Netskope to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details. > [!NOTE]- > This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Netskope and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskope/Parsers/Netskope.txt), on the second line of the query, enter the hostname(s) of your Netskope device(s) and any other unique identifiers for the logstream. 
The function usually takes 10-15 minutes to activate after solution installation/update. --->**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. +> This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Netskope and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskope/Parsers/Netskope.txt), on the second line of the query, enter the hostname(s) of your Netskope device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update. +**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App. **STEP 1 - Configuration steps for the Netskope API** [Follow these instructions](https://docs.netskope.com/en/rest-api-v1-overview.html) provided by Netskope to obtain an API Token. **Note:** A Netskope account is required - **STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function** ->**IMPORTANT:** Before deploying the Netskope connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Netskope API Authorization Token, readily available. 
--+> [!IMPORTANT] +> Before deploying the Netskope connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Netskope API Authorization Token, readily available. Option 1 - Azure Resource Manager (ARM) Template This method provides an automated deployment of the Netskope connector using an - Use the following schema for the `uri` value: `https://<Tenant Name>.goskope.com` Replace `<Tenant Name>` with your domain. - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. - The default **Log Types** is set to pull all 6 available log types (`alert, page, application, audit, infrastructure, network`), remove any are not required. + > [!NOTE] + > If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details. 4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. 5. Click **Purchase** to deploy. 6. After successfully deploying the connector, download the Kusto Function to normalize the data fields. [Follow the steps](https://aka.ms/sentinelgithubparsersnetskope) to use the Kusto function alias, **Netskope**. Option 2 - Manual Deployment of Azure Functions This method provides the step-by-step instructions to deploy the Netskope connector manually with Azure Function. - **1. Create a Function App** 1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**. 
This method provides the step-by-step instructions to deploy the Netskope connec 3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected. 4. Make other preferrable configuration changes, if needed, then click **Create**. - **2. Import Function App Code** 1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**. This method provides the step-by-step instructions to deploy the Netskope connec 3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**. 4. Click on **Code + Test** on the left pane. 5. Copy the [Function App Code](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Netskope/Data%20Connectors/Netskope/AzureFunctionNetskope/run.ps1) and paste into the Function App `run.ps1` editor.-5. Click **Save**. -+6. Click **Save**. **3. Configure the Function App** This method provides the step-by-step instructions to deploy the Netskope connec timeInterval logTypes logAnalyticsUri (optional)-> - Enter the URI that corresponds to your region. The `uri` value must follow the following schema: `https://<Tenant Name>.goskope.com` - There is no need to add subsquent parameters to the Uri, the Function App will dynamically append the parameteres in the proper format. -> - Set the `timeInterval` (in minutes) to the default value of `5` to correspond to the default Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion. -> - Set the `logTypes` to `alert, page, application, audit, infrastructure, network` - This list represents all the avaliable log types. Select the log types based on logging requirements, seperating each by a single comma. 
-> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details. -> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. + - Enter the URI that corresponds to your region. The `uri` value must follow the following schema: `https://<Tenant Name>.goskope.com` - There is no need to add subsquent parameters to the Uri, the Function App will dynamically append the parameteres in the proper format. + - Set the `timeInterval` (in minutes) to the default value of `5` to correspond to the default Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion. + - Set the `logTypes` to `alert, page, application, audit, infrastructure, network` - This list represents all the avaliable log types. Select the log types based on logging requirements, seperating each by a single comma. + > [!NOTE] + > If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](/azure/app-service/app-service-key-vault-references) for further details. + - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://<CustomerId>.ods.opinsights.azure.us`. 4. Once all application settings have been entered, click **Save**. 5. 
After successfully deploying the connector, download the Kusto Function to normalize the data fields. [Follow the steps](https://aka.ms/sentinelgithubparsersnetskope) to use the Kusto function alias, **Netskope**. -- ## Next steps For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/netskope.netskope_mss?tab=Overview) in the Azure Marketplace. |
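Review bot: the `> [!NOTE]` line being introduced still reads `use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema` with no spaces around the inline code, and the `{Security Identifier}` placeholder suggests a SID where the value inside `SecretUri=` is the secret's Key Vault URI; since this line is being rewritten anyway, suggest `use the `@Microsoft.KeyVault(SecretUri={Secret URI})` syntax in place of the string values`. The rewritten `uri`, `timeInterval` and `logTypes` bullets also carry over `subsquent`, `parameteres`, `avaliable` and `seperating`, which can be fixed in the same pass rather than left for a later commit.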
sentinel | Nozomi Networks N2os | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/nozomi-networks-n2os.md | -The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information. +The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets/) for more information. ## Connector attributes |
sentinel | Nxlog Dns Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/nxlog-dns-logs.md | The NXLog DNS Logs data connector uses Event Tracing for Windows ([ETW](/windows | | | | **Log Analytics table(s)** | NXLog_DNS_Server_CL<br/> | | **Data collection rules support** | Not currently supported |-| **Supported by** | [NXLog](https://nxlog.co/user?destination=node/add/support-ticket) | +| **Supported by** | [NXLog](https://nxlog.co/) | ## Query samples |
sentinel | Symantec Vip | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/symantec-vip.md | SymantecVIP | top 10 by count_ ``` -- ## Prerequisites To integrate with Symantec VIP make sure you have: - **Symantec VIP**: must be configured to export logs via Syslog - ## Vendor installation instructions - > [!NOTE] > This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Symantec VIP and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec%20VIP/Parsers/SymantecVIP.txt), on the second line of the query, enter the hostname(s) of your Symantec VIP device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update. Typically, you should install the agent on a different computer from the one on > Syslog logs are collected only from **Linux** agents. - 2. Configure the logs to be collected Configure the facilities you want to collect and their severities. Configure the facilities you want to collect and their severities. 2. Select **Apply below configuration to my machines** and select the facilities and severities. 3. Click **Save**. --3. Configure and connect the Symantec VIP --[Follow these instructions](https://help.symantec.com/cs/VIP_EG_INSTALL_CONFIG/VIP/v134652108_v128483142/Configuring-syslog) to configure the Symantec VIP Enterprise Gateway to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address. 
--- ## Next steps For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-symantecvip?tab=Overview) in the Azure Marketplace. |
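Review bot: deleting `3. Configure and connect the Symantec VIP` together with its `[Follow these instructions](https://help.symantec.com/...)` line removes the only step that tells the reader to configure the VIP Enterprise Gateway to forward syslog to the Linux agent's IP address or hostname, and nothing in the hunk replaces it; the prerequisites still state that Symantec VIP `must be configured to export logs via Syslog`, so the procedure now ends before that configuration happens. If the vendor link is dead, keep the step and point it at a current location (or at the vendor's documentation index) instead of dropping it.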
sentinel | Tenable Io Vulnerability Management Using Azure Function | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/tenable-io-vulnerability-management-using-azure-function.md | Tenable_IO_Assets_CL To integrate with Tenable.io Vulnerability Management (using Azure Function) make sure you have: - **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/).-- **REST API Credentials/permissions**: Both a **TenableAccessKey** and a **TenableSecretKey** is required to access the Tenable REST API. [See the documentation to learn more about API](https://developer.tenable.com/reference#vulnerability-management). Check all [requirements and follow the instructions](https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Settings/GenerateAPIKey.htm) for obtaining credentials.+- **REST API Credentials/permissions**: Both a **TenableAccessKey** and a **TenableSecretKey** is required to access the Tenable REST API. [See the documentation to learn more about API](https://developer.tenable.com/reference#vulnerability-management). Check all [requirements and follow the instructions](https://docs.tenable.com/nessus/Content/GenerateAnAPIKey.htm) for obtaining credentials. ## Vendor installation instructions To integrate with Tenable.io Vulnerability Management (using Azure Function) mak **STEP 1 - Configuration steps for Tenable.io** - [Follow the instructions](https://docs.tenable.com/tenableio/vulnerabilitymanagement/Content/Settings/GenerateAPIKey.htm) to obtain the required API credentials. + [Follow the instructions](https://docs.tenable.com/nessus/Content/GenerateAnAPIKey.htm) to obtain the required API credentials. |
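Review bot: the replacement link in both the prerequisites bullet and `STEP 1` points at `https://docs.tenable.com/nessus/Content/GenerateAnAPIKey.htm`, which is the Nessus documentation tree, while the connector and the surrounding text are about Tenable.io Vulnerability Management API keys (`TenableAccessKey` / `TenableSecretKey`); confirm this is the intended page, or point to the Tenable.io API key page instead, because a reader following the Nessus instructions generates keys for a different product. While the bullet is being touched, `Both a **TenableAccessKey** and a **TenableSecretKey** is required` should read `are required`.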
sentinel | Zero Networks Segment Audit Function Using Azure Functions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/data-connectors/zero-networks-segment-audit-function-using-azure-functions.md | The [Zero Networks Segment](https://zeronetworks.com/product/) Audit data connec | Connector attribute | Description | | | | | **Application settings** | APIToken<br/>WorkspaceID<br/>WorkspaceKey<br/>logAnalyticsUri (optional)<br/>uri<br/>tableName |-| **Azure function app code** | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/ZeroNetworks/SegmentFunctionConnector/AzureFunction_ZeroNetworks_Segment_Audit.zip | | **Log Analytics table(s)** | ZNSegmentAudit_CL<br/> | | **Data collection rules support** | Not currently supported | | **Supported by** | [Zero Networks](https://zeronetworks.com) | Use the following step-by-step instructions to deploy the Zero Networks Segment > **NOTE:** You will need to [prepare VS code](/azure/azure-functions/functions-create-first-function-powershell#prerequisites) for Azure function development. -1. Download the [Azure Function App](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/ZeroNetworks/SegmentFunctionConnector/AzureFunction_ZeroNetworks_Segment_Audit.zip) file. Extract archive to your local development computer. +1. Download the Azure Function App file. Extract archive to your local development computer. 2. Start VS Code. Choose File in the main menu and select Open Folder. 3. Select the top level folder from extracted files. 4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button. |
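Review bot: removing the `AzureFunction_ZeroNetworks_Segment_Audit.zip` URL from both the `Azure function app code` table row and step 1 leaves `1. Download the Azure Function App file. Extract archive to your local development computer.` with no indication of where the file comes from, so steps 2 to 4 (open the extracted folder in VS Code and deploy it) cannot be followed. If the raw GitHub path is being retired, the step needs a replacement location, or the table row should say where the function code is now published, rather than a bare instruction to download an unnamed file.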
service-bus-messaging | Message Sequencing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/message-sequencing.md | The **SequenceNumber** for a scheduled message is only valid while the message i Because the feature is anchored on individual messages and messages can only be enqueued once, Service Bus doesn't support recurring schedules for messages. +> [!NOTE] +> Message enqueuing time doesn't mean that the message will be sent at the same time. It will get enqueued, but the actual sending time depends on the queue's workload and its state. + ## Next steps To learn more about Service Bus messaging, see the following topics: To learn more about Service Bus messaging, see the following topics: * [Service Bus queues, topics, and subscriptions](service-bus-queues-topics-subscriptions.md) * [Get started with Service Bus queues](service-bus-dotnet-get-started-with-queues.md) * [How to use Service Bus topics and subscriptions](service-bus-dotnet-how-to-use-topics-subscriptions.md)+ |
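Review bot: in the added `[!NOTE]`, `Message enqueuing time doesn't mean that the message will be sent at the same time` is ambiguous, because the sender has already sent the message; what the scheduled enqueue time governs is when the message becomes available to receivers. Suggest: `The scheduled enqueue time is the earliest time at which the message becomes available to receivers, not a guaranteed delivery time; actual availability depends on the entity's load and state.` The trailing `+` after the last list item adds an empty line at the end of the file and can be dropped.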
service-connector | Tutorial Java Jboss Connect Managed Identity Mysql Database | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/tutorial-java-jboss-connect-managed-identity-mysql-database.md | + + Title: 'Tutorial: Access data with managed identity in Java JBoss EAP' +description: Secure Azure Database for MySQL connectivity with managed identity from a sample Java JBoss EAP app, and apply it to other Azure services. +ms.devlang: java + Last updated : 08/14/2023+++++++# Tutorial: Connect to a MySQL Database from Java JBoss EAP App Service with passwordless connection ++[Azure App Service](../app-service/overview.md) provides a highly scalable, self-patching web hosting service in Azure. It also provides a [managed identity](../app-service/overview-managed-identity.md) for your app, which is a turn-key solution for securing access to [Azure Database for MySQL](../mysql/index.yml) and other Azure services. Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the environment variables. In this tutorial, you learn how to: ++> [!div class="checklist"] +> * Create a MySQL database. +> * Deploy a sample JBoss EAP app to Azure App Service using a WAR package. +> * Configure a Spring Boot web application to use Azure Active Directory (Azure AD) authentication with MySQL Database. +> * Connect to MySQL Database with Managed Identity using Service Connector. +++## Prerequisites ++* [Git](https://git-scm.com/) +* [Java JDK](/azure/developer/java/fundamentals/java-support-on-azure) +* [Maven](https://maven.apache.org) +* [Azure CLI](/cli/azure/install-azure-cli) version 2.46.0 or higher. +* [Azure CLI serviceconnector-passwordless extension](/cli/azure/azure-cli-extensions-list) version 0.2.2 or higher. 
+* [jq](https://jqlang.github.io/jq/) ++## Clone the sample app and prepare the repo ++Run the following commands in your terminal to clone the sample repo and set up the sample app environment. ++```bash +git clone https://github.com/Azure-Samples/Passwordless-Connections-for-Java-Apps +cd Passwordless-Connections-for-Java-Apps/JakartaEE/jboss-eap/ +``` ++## Create an Azure Database for MySQL ++Follow these steps to create an Azure Database for MySQL in your subscription. The Spring Boot app connects to this database and store its data when running, persisting the application state no matter where you run the application. ++1. Sign into the Azure CLI, and optionally set your subscription if you have more than one connected to your login credentials. ++ ```azurecli-interactive + az login + az account set --subscription <subscription-ID> + ``` ++1. Create an Azure Resource Group, noting the resource group name. ++ ```azurecli-interactive + export RESOURCE_GROUP=<resource-group-name> + export LOCATION=eastus ++ az group create --name $RESOURCE_GROUP --location $LOCATION + ``` ++1. Create an Azure Database for MySQL server. The server is created with an administrator account, but it isn't used because we're going to use the Azure AD admin account to perform administrative tasks. ++ ```azurecli-interactive + export MYSQL_ADMIN_USER=azureuser + # MySQL admin access rights won't be used because Azure AD authentication is leveraged to administer the database. + export MYSQL_ADMIN_PASSWORD=<admin-password> + export MYSQL_HOST=<mysql-host-name> ++ # Create a MySQL server. + az mysql flexible-server create \ + --name $MYSQL_HOST \ + --resource-group $RESOURCE_GROUP \ + --location $LOCATION \ + --admin-user $MYSQL_ADMIN_USER \ + --admin-password $MYSQL_ADMIN_PASSWORD \ + --public-access 0.0.0.0 \ + --tier Burstable \ + --sku-name Standard_B1ms \ + --storage-size 32 + ``` ++1. Create a database for the application. 
++ ```azurecli-interactive + export DATABASE_NAME=checklist ++ az mysql flexible-server db create \ + --resource-group $RESOURCE_GROUP \ + --server-name $MYSQL_HOST \ + --database-name $DATABASE_NAME + ``` ++## Create an App Service ++Create an Azure App Service resource on Linux. JBoss EAP requires Premium SKU. ++```azurecli-interactive +export APPSERVICE_PLAN=<app-service-plan> +export APPSERVICE_NAME=<app-service-name> +# Create an App Service plan +az appservice plan create \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_PLAN \ + --location $LOCATION \ + --sku P1V3 \ + --is-linux ++# Create an App Service resource. +az webapp create \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + --plan $APPSERVICE_PLAN \ + --runtime "JBOSSEAP:7-java8" +``` ++## Connect the MySQL database with identity connectivity ++Next, connect the database using [Service Connector](../service-connector/overview.md). ++Install the Service Connector passwordless extension for the Azure CLI: ++```azurecli +az extension add --name serviceconnector-passwordless --upgrade +``` ++Then, use the following command to create a user-assigned managed identity for Azure Active Directory authentication. For more information, see [Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/how-to-azure-ad). ++```azurecli +export USER_IDENTITY_NAME=<your-user-assigned-managed-identity-name> +export IDENTITY_RESOURCE_ID=$(az identity create \ + --name $USER_IDENTITY_NAME \ + --resource-group $RESOURCE_GROUP \ + --query id \ + --output tsv) +``` ++> [!IMPORTANT] +> After creating the user-assigned identity, ask your *Global Administrator* or *Privileged Role Administrator* to grant the following permissions for this identity: `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.ALL`. 
For more information, see the [Permissions](/azure/mysql/flexible-server/concepts-azure-ad-authentication#permissions) section of [Active Directory authentication](/azure/mysql/flexible-server/concepts-azure-ad-authentication). ++Then, connect your app to a MySQL database with a system-assigned managed identity using Service Connector. To make this connection, run the [az webapp connection create](/cli/azure/webapp/connection/create#az-webapp-connection-create-mysql-flexible) command. ++```azurecli-interactive +az webapp connection create mysql-flexible \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + --target-resource-group $RESOURCE_GROUP \ + --server $MYSQL_HOST \ + --database $DATABASE_NAME \ + --system-identity mysql-identity-id=$IDENTITY_RESOURCE_ID \ + --client-type java +``` ++This Service Connector command does the following tasks in the background: ++* Enable system-assigned managed identity for the app `$APPSERVICE_NAME` hosted by Azure App Service. +* Set the Azure Active Directory admin to the current signed-in user. +* Add a database user for the system-assigned managed identity in step 1 and grant all privileges of the database `$DATABASE_NAME` to this user. You can get the user name from the connection string in the output from the previous command. +* Add a connection string to App Settings in the app named `AZURE_MYSQL_CONNECTIONSTRING`. ++ > [!NOTE] + > If you see the error message `The subscription is not registered to use Microsoft.ServiceLinker`, run the command `az provider register --namespace Microsoft.ServiceLinker` to register the Service Connector resource provider, then run the connection command again. ++## Deploy the application ++Follow these steps to prepare data in a database and deploy the application. ++### Create Database schema ++1. Open a firewall to allow connection from your current IP address. 
++ ```azurecli + # Create a temporary firewall rule to allow connections from your current machine to the MySQL server + export MY_IP=$(curl http://whatismyip.akamai.com) + az mysql flexible-server firewall-rule create \ + --resource-group $RESOURCE_GROUP \ + --name $MYSQL_HOST \ + --rule-name AllowCurrentMachineToConnect \ + --start-ip-address ${MY_IP} \ + --end-ip-address ${MY_IP} + ``` ++1. Connect to the database and create tables. ++ ```azurecli + export DATABASE_FQDN=${MYSQL_HOST}.mysql.database.azure.com + export CURRENT_USER=$(az account show --query user.name --output tsv) + export RDBMS_ACCESS_TOKEN=$(az account get-access-token \ + --resource-type oss-rdbms \ + --output tsv \ + --query accessToken) + mysql -h "${DATABASE_FQDN}" --user "${CURRENT_USER}" --enable-cleartext-plugin --password="$RDBMS_ACCESS_TOKEN" < azure/init-db.sql + ``` ++1. Remove the temporary firewall rule. ++ ```azurecli + az mysql flexible-server firewall-rule delete \ + --resource-group $RESOURCE_GROUP \ + --name $MYSQL_HOST \ + --rule-name AllowCurrentMachineToConnect + ``` ++### Deploy the application ++1. Update the connection string in App Settings. ++ Get the connection string generated by Service Connector and add passwordless authentication plugin. This connection string is referenced in the startup script. 
++ ```azurecli-interactive + export PASSWORDLESS_URL=$(\ + az webapp config appsettings list \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + | jq -c '.[] \ + | select ( .name == "AZURE_MYSQL_CONNECTIONSTRING" ) \ + | .value' \ + | sed 's/"//g') + # Create a new environment variable with the connection string including the passwordless authentication plugin + export PASSWORDLESS_URL=${PASSWORDLESS_URL}'&defaultAuthenticationPlugin=com.azure.identity.extensions.jdbc.mysql.AzureMysqlAuthenticationPlugin&authenticationPlugins=com.azure.identity.extensions.jdbc.mysql.AzureMysqlAuthenticationPlugin' + az webapp config appsettings set \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + --settings "AZURE_MYSQL_CONNECTIONSTRING_PASSWORDLESS=${PASSWORDLESS_URL}" + ``` ++1. The sample app contains a *pom.xml* file that can generate the WAR file. Run the following command to build the app. ++ ```bash + mvn clean package -DskipTests + ``` ++1. Deploy the WAR and the startup script to the app service. ++ ```azurecli + az webapp deploy \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + --src-path target/ROOT.war \ + --type war + az webapp deploy \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + --src-path src/main/webapp/WEB-INF/createMySQLDataSource.sh \ + --type startup + ``` ++## Test sample web app ++Run the following command to test the application. 
++```bash +export WEBAPP_URL=$(az webapp show \ + --resource-group $RESOURCE_GROUP \ + --name $APPSERVICE_NAME \ + --query defaultHostName \ + --output tsv) ++# Create a list +curl -X POST -H "Content-Type: application/json" -d '{"name": "list1","date": "2022-03-21T00:00:00","description": "Sample checklist"}' https://${WEBAPP_URL}/checklist ++# Create few items on the list 1 +curl -X POST -H "Content-Type: application/json" -d '{"description": "item 1"}' https://${WEBAPP_URL}/checklist/1/item +curl -X POST -H "Content-Type: application/json" -d '{"description": "item 2"}' https://${WEBAPP_URL}/checklist/1/item +curl -X POST -H "Content-Type: application/json" -d '{"description": "item 3"}' https://${WEBAPP_URL}/checklist/1/item ++# Get all lists +curl https://${WEBAPP_URL}/checklist ++# Get list 1 +curl https://${WEBAPP_URL}/checklist/1 +``` +++## Next steps ++Learn more about running Java apps on App Service on Linux in the developer guide. ++> [!div class="nextstepaction"] +> [Java in App Service Linux dev guide](../app-service/configure-language-java.md?pivots=platform-linux) |
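Review bot: in `Create Database schema`, `export MY_IP=$(curl http://whatismyip.akamai.com)` fetches, over plain HTTP and without `-s`, the address that is then written into a firewall rule on the database server; a wrong or tampered response opens the rule to a different address, so prefer a TLS lookup (for example `curl -s https://api.ipify.org`) and keep the rule removal step that follows. In `Create an Azure Database for MySQL`, `--public-access 0.0.0.0` enables access from any resource deployed in Azure, not only from this App Service; the text should say so, because a reader may read it as "no public access" or as "open to the internet". In `Deploy the application`, the backslash continuations inside `jq -c '.[] \ | select ( ... ) \ | .value'` sit within a single-quoted string, so the shell passes them to jq literally instead of joining the lines; the same value can be read with `az webapp config appsettings list --resource-group $RESOURCE_GROUP --name $APPSERVICE_NAME --query "[?name=='AZURE_MYSQL_CONNECTIONSTRING'].value" --output tsv`, which also removes the `sed 's/"//g'` step and the `jq` prerequisite. In the `[!IMPORTANT]` block, `Application.Read.ALL` should be `Application.Read.All` for consistency with `User.Read.All` and `GroupMember.Read.All`. Finally, the checklist bullet `Configure a Spring Boot web application` and the sentence `The Spring Boot app connects to this database and store its data` refer to Spring Boot, while the tutorial deploys the JBoss EAP sample; align the wording (and `store` should be `stores`).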
service-fabric | Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/release-notes.md | For more information, see the [Service Fabric 6.5 Release Notes](https://github. | July 2, 2019 | [Azure Service Fabric 6.5 Refresh Release](https://techcommunity.microsoft.com/t5/azure-service-fabric/bg-p/Service-Fabric) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_65CU1.pdf) | | July 29, 2019 | [Azure Service Fabric 6.5 Refresh Release](https://techcommunity.microsoft.com/t5/Azure-Service-Fabric/Azure-Service-Fabric-6-5-Second-Refresh-Release/ba-p/800523) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_65CU2.pdf) | | Aug 23, 2019 | [Azure Service Fabric 6.5 Refresh Release](https://techcommunity.microsoft.com/t5/Azure-Service-Fabric/Azure-Service-Fabric-6-5-Third-Refresh-Release/ba-p/818599) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_65CU3.pdf) |-| Oct 14, 2019 | [Azure Service Fabric 6.5 Refresh Release](https://techcommunity.microsoft.com/t5/Azure-Service-Fabric/Azure-Service-Fabric-6-5-Fifth-Refresh-Release/ba-p/913296) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_65CU5.md | +| Oct 14, 2019 | [Azure Service Fabric 6.5 Refresh Release](https://techcommunity.microsoft.com/t5/Azure-Service-Fabric/Azure-Service-Fabric-6-5-Fifth-Refresh-Release/ba-p/913296) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_65CU5.md) | ### Service Fabric 6.4 releases |
spring-apps | How To Configure Enterprise Spring Cloud Gateway Filters | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-configure-enterprise-spring-cloud-gateway-filters.md | + + Title: How to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan +description: Shows you how to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan to route requests to your applications. +++ Last updated : 07/12/2023+++++# How to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan ++> [!NOTE] +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. ++**This article applies to:** ❌ Basic/Standard ✔️ Enterprise ++This article explains how to use VMware Spring Cloud Gateway route filters with the Azure Spring Apps Enterprise plan to route requests to your applications. ++[VMware Spring Cloud Gateway](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/https://docsupdatetracker.net/index.html) is a commercial VMware Tanzu component based on the open-source Spring Cloud Gateway project. Spring Cloud Gateway handles cross-cutting concerns for API development teams, such as single sign-on (SSO), access control, rate-limiting, resiliency, security, and more. You can accelerate API delivery using modern cloud native patterns, and any programming language you choose for API development. ++VMware Spring Cloud Gateway includes the following features: ++- Dynamic routing configuration, independent of individual applications that can be applied and changed without recompilation. +- Commercial API route filters for transporting authorized JSON Web Token (JWT) claim to application services. +- Client certificate authorization. +- Rate-limiting approaches. 
+- Circuit breaker configuration. +- Support for accessing application services via HTTP Basic Authentication credentials. ++To integrate with API Portal for VMware Tanzu, VMware Spring Cloud Gateway automatically generates OpenAPI version 3 documentation after any route configuration additions or changes. For more information, see [Use API Portal for VMware Tanzu](./how-to-use-enterprise-api-portal.md). ++## Prerequisites ++- An already provisioned Azure Spring Apps Enterprise plan service instance with Spring Cloud Gateway enabled. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md). ++ > [!NOTE] + > You must enable VMware Spring Cloud Gateway when you provision your Azure Spring Apps service instance. You cannot enable VMware Spring Cloud Gateway after provisioning. ++- [Azure CLI](/cli/azure/install-azure-cli) version 2.0.67 or later. ++## Use filters ++You use filters in your Spring Cloud Gateway configuration to act on the incoming request or outgoing response to a route configuration. ++For example, you can use a filter to add an HTTP header or to deny access based on an authorization token. ++## Use open source filters ++Spring Cloud Gateway OSS includes several `GatewayFilter` factories used to create filters for routes. The following sections describe these factories. ++### AddRequestHeader ++The `AddRequestHeader` factory adds a header to the downstream request's headers for all matching requests. 
++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following example configures an `AddRequestHeader` factory that adds the header `X-Request-red:blue` to the downstream request's headers for all matching requests: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddRequestHeader=X-Request-red, blue" + ] + } +] +``` ++The `AddRequestHeader` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `AddRequestHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "AddRequestHeader=X-Request-red, blue-{segment}" + ] + } +] +``` ++### AddRequestHeadersIfNotPresent ++The `AddRequestHeadersIfNotPresent` factory adds headers if they aren't present in the original request. ++This factory accepts the following configuration parameter: ++- `headers`: A comma-separated list of key-value pairs (header name, header value). ++The following example configures an `AddRequestHeadersIfNotPresent` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddRequestHeadersIfNotPresent=Content-Type:application/json,Connection:keep-alive" + ] + } +] +``` ++### AddRequestParameter ++The `AddRequestParameter` factory adds a parameter to the downstream request's query string for all matching requests. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following example configures an `AddRequestParameter` factory that adds a `red=blue` parameter to the downstream request's query string for all matching requests: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddRequestParameter=red, blue" + ] + } +] +``` ++The `AddRequestParameter` factory has access to the URI variables used to match a path or host. 
You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `AddRequestParameter` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "AddRequestParameter=foo, bar-{segment}" + ] + } +] +``` ++### AddResponseHeader ++The `AddResponseHeader` factory adds a header to the downstream response's headers for all matching requests. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following example configures an `AddResponseHeader` factory that adds a `X-Response-Red:Blue` header to the downstream response's headers for all matching requests: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AddResponseHeader=X-Response-Red, Blue" + ] + } +] +``` ++The `AddResponseHeader` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `AddResponseHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "AddResponseHeader=foo, bar-{segment}" + ] + } +] +``` ++### CircuitBreaker ++The `CircuitBreaker` factory wraps routes in a circuit breaker. ++This factory accepts the following configuration parameters: ++- `name`: The circuit breaker name. +- `fallbackUri`: The reroute URI, which can be a local route or external handler. +- `status codes` (optional): The colon-separated list of status codes to match, in number or text format. +- `failure rate` (optional): The threshold above which the circuit breaker opens. The default value is 50%. +- `duration` (optional): The time to wait before closing again. The default value is 60 seconds. 
++The following example configures a `CircuitBreaker` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "CircuitBreaker=myCircuitBreaker,forward:/inCaseOfFailureUseThis,401:NOT_FOUND:500,10,30s" + ] + } +] +``` ++### DeDupeResponseHeader ++The `DeDupeResponseHeader` factory removes duplicate values of response headers. ++This factory accepts the following configuration parameters: ++- `name`: A space-separated list of header names. +- `strategy` (optional): The accepted values are `RETAIN_FIRST`, `RETAIN_LAST`, and `RETAIN_UNIQUE`. The default value is `RETAIN_FIRST`. ++The following example configures a `DeDupeResponseHeader` factory that removes duplicate values of `Access-Control-Allow-Credentials` and `Access-Control-Allow-Origin` response headers when both values are added by the gateway CORS logic and the downstream logic: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "DeDupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin" + ] + } +] +``` ++### FallbackHeaders ++The `FallbackHeaders` factory adds any circuit breaker exception to a header. This filter requires the use of the `CircuitBreaker` filter in another route. ++There are no parameters for this factory. 
++The following example configures a `FallbackHeaders` factory with the exception type, message, and (if available) root cause exception type and message that the `FallbackHeaders` filter adds to the request: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "CircuitBreaker=myCircuitBreaker,forward:/inCaseOfFailureUseThis,401:NOT_FOUND:500,10,30s" + ] + }, + { + "predicates": [ + "Path=/inCaseOfFailureUseThis" + ], + "filters": [ + "FallbackHeaders" + ] + } +] +``` ++You can overwrite the names of the headers in the configuration by setting the values of the following parameters (mentioned with their default values): ++- `executionExceptionTypeHeaderName` ("Execution-Exception-Type") +- `executionExceptionMessageHeaderName` ("Execution-Exception-Message") +- `rootCauseExceptionTypeHeaderName` ("Root-Cause-Exception-Type") +- `rootCauseExceptionMessageHeaderName` ("Root-Cause-Exception-Message") ++### JSONToGRPC ++The `JSONToGRPCFilter` factory converts a JSON payload to a gRPC request. ++This factory accepts the following configuration parameter: ++- `protoDescriptor`: A proto descriptor file. ++You can generate this file by using `protoc` and specifying the `--descriptor_set_out` flag, as shown in the following example: ++```bash +protoc --proto_path=src/main/resources/proto/ \ + --descriptor_set_out=src/main/resources/proto/hello.pb \ + src/main/resources/proto/hello.proto +``` ++> [!NOTE] +> The `streaming` parameter isn't supported. ++The following example configures a `JSONToGRPCFilter` factory using the output from `protoc`: ++```json +[ + { + "predicates": [ + "Path=/json/**" + ], + "filters": [ + "JsonToGrpc=file:proto/hello.pb,file:proto/hello.proto,HelloService,hello" + ] + } +] +``` ++### LocalResponseCache ++The `LocalResponseCache` factory overrides the local response cache configuration for specific routes when the global cache is activated. 
++This factory accepts the following configuration parameters: ++- `size`: The maximum allowed size of the cache entries for this route before cache eviction begins (in KB, MB, and GB). +- `timeToLive`: The allowed lifespan of a cache entry before expiration. Use the duration suffix `s` for seconds, `m` for minutes, or `h` for hours. ++The following example configures a `LocalResponseCache` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "LocalResponseCache=3m,1MB" + ] + } +] +``` ++### MapRequestHeader ++The `MapRequestHeader` factory adds a header to the downstream request with updated values from the incoming HTTP request's header. ++This factory accepts the following configuration parameters: ++- `fromHeader` +- `toHeader` ++This factory creates a new named header (`toHeader`), and the value is extracted out of an existing named header (`fromHeader`) from the incoming HTTP request. If the input header doesn't exist, the filter has no effect. If the new named header already exists, its values are augmented with the new values. ++The following example configures a `MapRequestHeader` factory that adds the `X-Request-Red:<values>` header to the downstream request with updated values from the incoming HTTP request's `Blue` header: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "MapRequestHeader=Blue, X-Request-Red" + ] + } +] +``` ++### PrefixPath ++The `PrefixPath` factory adds a prefix to the path of all requests. 
++This factory accepts the following configuration parameter: ++- `prefix` ++The following example configures a `PrefixPath` factory that adds the prefix `/api` to the path of all requests, so that a request to `/catalog` is sent to `/api/catalog`: ++```json +[ + { + "predicates": [ + "Path=/catalog/**" + ], + "filters": [ + "PrefixPath=/api" + ] + } +] +``` ++### PreserveHostHeader ++The `PreserveHostHeader` factory sets a request attribute that the routing filter inspects to determine whether to send the original host header or the host header determined by the HTTP client. ++There are no parameters for this factory. ++The following example configures a `PreserveHostHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "PreserveHostHeader" + ] + } +] +``` ++### RedirectTo ++The `RedirectTo` factory adds a redirect to the original URL. ++This factory accepts the following configuration parameters: ++- `status`: A 300 series redirect HTTP code, such as `301`. +- `url`: The value of the `Location` header. Must be a valid URI. For relative redirects, you should use `uri: no://op` as the URI of your route definition. ++The following example configures a `RedirectTo` factory that sends a status `302` with a `Location:https://acme.org` header to perform a redirect: ++```json +[ + { + "uri": "https://example.org", + "filters": [ + "RedirectTo=302, https://acme.org" + ] + } +] +``` ++### RemoveJsonAttributesResponseBody ++The `RemoveJsonAttributesResponseBody` factory removes the JSON attributes and their values from JSON response bodies. ++This factory accepts the following configuration parameters: ++- `attribute names`: A comma-separated list of the names of attributes to remove from a JSON response. +- `delete recursively` (optional, boolean): A configuration that removes the attributes only at root level (`false`), or recursively (`true`). The default value is `false`. 
++The following example configures a `RemoveJsonAttributesResponseBody` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveJsonAttributesResponseBody=origin,foo,true" + ] + } +] +``` ++### RemoveRequestHeader ++The `RemoveRequestHeader` factory removes a header from the downstream request. ++This factory accepts the following configuration parameter: ++- `name`: The name of the header to be removed. ++The following listing configures a `RemoveRequestHeader` factory that removes the `X-Request-Foo` header before it's sent downstream: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveRequestHeader=X-Request-Foo" + ] + } +] +``` ++### RemoveRequestParameter ++The `RemoveRequestParameter` factory removes a parameter before it's sent downstream. ++This factory accepts the following configuration parameter: ++- `name`: The name of the query parameter to be removed. ++The following example configures a `RemoveRequestParameter` factory that removes the `red` parameter before it's sent downstream: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveRequestParameter=red" + ] + } +] +``` ++### RemoveResponseHeader ++The `RemoveResponseHeader` factory removes a header from the response before it's returned to the gateway client. ++This factory accepts the following configuration parameter: ++- `name`: The name of the header to be removed. ++The following listing configures a `RemoveResponseHeader` factory that removes the `X-Response-Foo` header from the response before it's returned to the gateway client: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RemoveResponseHeader=X-Response-Foo" + ] + } +] +``` ++### RequestHeaderSize ++The `RequestHeaderSize` factory determines the size of the request header. 
++This factory accepts the following configuration parameters: ++- `maxSize`: The maximum data size allowed by the request header, including key and value. +- `errorHeaderName`: The name of the response header containing an error message. By default, the name of the response header is `errorMessage`. ++The following listing configures a `RequestHeaderSize` factory that sends a status `431` if the size of any request header is greater than 1000 bytes: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RequestHeaderSize=1000B" + ] + } +] +``` ++### RewriteLocationResponseHeader ++The `RewriteLocationResponseHeader` factory modifies the value of the `Location` response header, usually to get rid of backend-specific details. ++This factory accepts the following configuration parameters: ++- `stripVersionMode`: This parameter has the following possible values: `NEVER_STRIP`, `AS_IN_REQUEST`, and `ALWAYS_STRIP`. The default value is `AS_IN_REQUEST`. ++ - `NEVER_STRIP`: The version isn't stripped, even if the original request path contains no version. + - `AS_IN_REQUEST`: The version is stripped only if the original request path contains no version. + - `ALWAYS_STRIP`: The version is always stripped, even if the original request path contains version. ++- `hostValue`: This parameter is used to replace the `host:port` portion of the response `Location` header when provided. If it isn't provided, the value of the `Host` request header is used. +- `protocolsRegex`: A valid regex `String`, against which the protocol name is matched. If it isn't matched, the filter doesn't work. The default value is `http|https|ftp|ftps`. 
+- `locationHeaderName` ++The following listing configures a `RewriteLocationResponseHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteLocationResponseHeader=AS_IN_REQUEST, Location, ," + ] + } +] +``` ++In this example, for a request value of `POST` `api.example.com/some/object/name`, the `Location` response header value of `object-service.prod.example.net/v2/some/object/id` is rewritten as `api.example.com/some/object/id`. ++### RewritePath ++The `RewritePath` factory uses Java regular expressions for a flexible way to rewrite the request path. ++This factory accepts the following configuration parameters: ++- `regexp` +- `replacement` ++The following listing configures a `RewritePath` factory: ++```json +[ + { + "predicates": [ + "Path=/red/**" + ], + "filters": [ + "RewritePath=/red/?(?<segment>.*), /$\\{segment}" + ] + } +] +``` ++In this example, for a request path of `/red/blue`, this configuration sets the path to `/blue` before making the downstream request. ++### RewriteResponseHeader ++The `RewriteResponseHeader` factory uses Java regular expressions for a flexible way to rewrite the response header value. ++This factory accepts the following configuration parameters: ++- `name` +- `regexp` +- `replacement` ++The following example configures a `RewriteResponseHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/red/**" + ], + "filters": [ + "RewriteResponseHeader=X-Response-Red, , password=[^&]+, password=***" + ] + } +] +``` ++In this example, for a header value of `/42?user=ford&password=omg!what&flag=true`, the configuration is set to `/42?user=ford&password=***&flag=true` after making the downstream request. ++### SetPath ++The `SetPath` factory offers a simple way to manipulate the request path by allowing templated segments of the path. This filter uses the URI templates from Spring Framework and allows multiple matching segments. 
++This factory accepts the following configuration parameter: ++- `template` ++The following example configures a `SetPath` factory: ++```json +[ + { + "predicates": [ + "Path=/red/{segment}" + ], + "filters": [ + "SetPath=/{segment}" + ] + } +] +``` ++In this example, for a request path of `/red/blue`, this configuration sets the path to `/blue` before making the downstream request. ++### SetRequestHeader ++The `SetRequestHeader` factory replaces (rather than adding) all headers with the given name. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following listing configures a `SetRequestHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "SetRequestHeader=X-Request-Red, Blue" + ] + } +] +``` ++In this example, the downstream server responded with `X-Request-Red:1234`, and it's replaced with `X-Request-Red:Blue`. ++The `SetRequestHeader` factory has access to the URI variables used to match a path or host. You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `SetRequestHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "SetRequestHeader=foo, bar-{segment}" + ] + } +] +``` ++### SetResponseHeader ++The `SetResponseHeader` factory replaces (rather than adding) all headers with the given name. ++This factory accepts the following configuration parameters: ++- `name` +- `value` ++The following listing configures a `SetResponseHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "SetResponseHeader=X-Response-Red, Blue" + ] + } +] +``` ++In this example, the downstream server responded with `X-Response-Red:1234`, and it's replaced with `X-Response-Red:Blue`. ++The `SetResponseHeader` factory has access to the URI variables used to match a path or host. 
You can use URI variables in the value, and the variables are expanded at runtime. ++The following example configures an `SetResponseHeader` factory that uses a variable: ++```json +[ + { + "predicates": [ + "Path=/api/{segment}" + ], + "filters": [ + "SetResponseHeader=foo, bar-{segment}" + ] + } +] +``` ++### SetStatus ++The `SetStatus` factory configures the response status of the server request. ++This factory accepts the following configuration parameter: ++- `status`: A valid Spring `HttpStatus` value, which can an integer value such as `404`, or the string representation of the enumeration, such as `NOT_FOUND`. ++The following listing configures a `SetStatus` factory: ++```json +[ + { + "predicates": [ + "Path=/experimental/**" + ], + "filters": [ + "SetStatus=UNAUTHORIZED" + ] + }, + { + "predicates": [ + "Path=/unknown/**" + ], + "filters": [ + "SetStatus=401" + ] + } +] +``` ++### StripPrefix ++The `StripPrefix` factory removes the prefix from the request before sending it downstream. ++This factory accepts the following configuration parameter: ++- `parts`: The number of parts in the path to strip from the request before sending it downstream. The default value is 1. ++The following example configures a `StripPrefix` factory: ++```json +[ + { + "predicates": [ + "Path=/name/**" + ], + "filters": [ + "StripPrefix=2" + ] + } +] +``` ++In this example, a request is made through the gateway to `/name/blue/red`. The request made to `nameservice` appears as `nameservice/red`. ++### Retry ++The `Retry` factory determines the number of retries attempted. ++This factory accepts the following configuration parameters: ++- `retries`: The number of retries that should be attempted. +- `statuses`: The HTTP status codes that should be retried, represented by using `org.springframework.http.HttpStatus`. +- `methods`: The HTTP methods that should be retried, represented by using `org.springframework.http.HttpMethod`. 
+- `series`: The series of status codes to be retried, represented by using `org.springframework.http.HttpStatus.Series`. +- `exceptions`: The list of thrown exceptions that should be retried. +- `backoff`: The configured exponential backoff for the retries. Retries are performed after a backoff interval of `firstBackoff * (factor ^ n)`, where `n` is the iteration. If `maxBackoff` is configured, the maximum backoff applied is limited to `maxBackoff`. If `basedOnPreviousValue` is true, the `backoff` is calculated by using `prevBackoff * factor`. ++The following defaults are configured for the `Retry` filter, when enabled: ++- `retries`: three times. +- `series`: 5XX series. +- `methods`: GET method. +- `exceptions`: `IOException` and `TimeoutException`. +- `backoff`: disabled. ++The following example configures a `Retry` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Retry=3,INTERNAL_SERVER_ERROR,GET,10ms,50ms,2,false" + ] + } +] +``` ++### RequestSize ++The `RequestSize` factory can restrict a request from reaching the downstream service when the request size is greater than the permissible limit. ++This factory accepts the following configuration parameter: ++- `maxSize`: A `DataSize` type where values are defined as a number followed by an optional `DataUnit` suffix such as `KB` or `MB`. The default suffix value is `B` for bytes. It's the permissible size limit of the request defined in bytes. ++The following example configures a `RequestSize` factory: ++```json +[ + { + "predicates": [ + "Path=/upload" + ], + "filters": [ + "RequestSize=5000000" + ] + } +] +``` ++In this example, when the request is rejected due to size, the `RequestSize` factory sets the response status to `413 Payload Too Large` with another header `errorMessage`. ++The following example shows an `errorMessage`: ++```output +errorMessage : Request size is larger than permissible limit. 
Request size is 6.0 MB where permissible limit is 5.0 MB +``` ++### TokenRelay ++The `TokenRelay` factory forwards an `OAuth2` access token to downstream resources. This filter is configured as a `boolean` value in the route definition rather than an explicit filter. ++The following example configures a `TokenRelay` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "tokenRelay": true + } +] +``` ++## Use commercial filters ++Spring Cloud Gateway for Kubernetes also provides many custom `GatewayFilter` factories. The following sections describe these factories. ++### AllowedRequestCookieCount ++The `AllowedRequestCookieCount` factory determines whether a matching request is allowed to proceed based on the number of cookies. ++This factory accepts the following configuration parameter: ++- `amount`: The number of allowed cookies. ++The following example configures a `AllowedRequestCookieCount` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AllowedRequestCookieCount=2" + ] + } +] +``` ++### AllowedRequestHeadersCount ++The `AllowedRequestHeadersCount` factory determines whether a matching request is allowed to proceed based on the number of headers. ++This factory accepts the following configuration parameter: ++- `amount`: The number of allowed headers. ++The following example configures a `AllowedRequestHeadersCount` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AllowedRequestHeadersCount=4" + ] + } +] +``` ++### AllowedRequestQueryParamsCount ++The `AllowedRequestQueryParamsCount` factory determines whether a matching request is allowed to proceed based on the number query parameters. ++This factory accepts the following configuration parameter: ++- `amount`: The number of allowed parameters. 
++The following example configures a `AllowedRequestQueryParamsCount` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "AllowedRequestQueryParamsCount=3" + ] + } +] +``` ++### BasicAuth ++The `BasicAuth` factory adds a `BasicAuth` `Authorization` header to requests. ++There are no parameters for this factory. ++The following example configures a `BasicAuth` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "BasicAuth" + ] + } +] +``` ++### ClaimHeader ++The `ClaimHeader` factory copies data from a JWT claim into an HTTP header. ++This factory accepts the following configuration parameters: ++- `Claim name`: The case sensitive name of the claim to pass. +- `Header name`: The name of the HTTP header. ++The following example configures a `ClaimHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "ClaimHeader=sub,X-Claim-Sub" + ] + } +] +``` ++### ClientCertificateHeader ++The `ClientCertificateHeader` factory validates the `X-Forwarded-Client-Cert` header certificate. ++This factory accepts the following configuration parameters: ++- `domain pattern`: The `X-Forwarded-Client-Cert` value according to Kubernetes's ability to recognize the client certificate's CA. +- `certificate fingerprint`(optional): The TLS/SSL certificate fingerprint. ++The following example configures a `ClientCertificateHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "ClientCertificateHeader=*.example.com,sha-1:aa:bb:00:99" + ] + } +] +``` ++### Cors ++The `Cors` factory activates the CORS validations on a route. 
++This factory accepts the following configuration parameters that are organized as key-value pairs for CORS options: ++- `allowedOrigins` +- `allowedMethods` +- `allowedHeaders` +- `maxAge` +- `allowCredentials` +- `allowedOriginPatterns` ++The following example configures a `Cors` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Cors=[allowedOrigins:https://origin-1,allowedMethods:GET;POST;DELETE,allowedHeaders:*,maxAge:400,allowCredentials:true,allowedOriginPatterns:https://*.test.com:8080]" + ] + } +] +``` ++### JsonToXml ++The `JsonToXml` factory transforms JSON response body into XML response body. ++This factory accepts the following configuration parameter: ++- `wrapper`: The root tag name for the XML response if another root tag is required to generate valid XML. The default value is `response`. ++The following example configures a `JsonToXml` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "JsonToXml=custom-response" + ] + } +] +``` ++### RateLimit ++The `RateLimit` factory determines whether a matching request is allowed to proceed based on request volume. ++This factory accepts the following configuration parameters: ++- `request limit`: The maximum number of requests accepted during the window. +- `window duration`: The window duration in milliseconds. Alternatively, you can use the `s`, `m` or `h` suffixes to specify the duration in seconds, minutes, or hours. +- `partition source` (optional): The location of the partition key (`claim`, `header`, or `IPs`). +- `partition key` (optional): The value used to partition request counters. 
++The following example configures a `RateLimit` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RateLimit=1,10s" + ] + } +] +``` ++The following examples show other `RateLimit` configurations: ++``` +RateLimit=1,10s +RateLimit=1,10s,{claim:client_id} +RateLimit=1,10s,{header:client_id} +RateLimit=2,10s,{IPs:2;127.0.0.1;192.168.0.1} +``` ++### RestrictRequestHeaders ++The `RestrictRequestHeaders` factory determines whether a matching request is allowed to proceed based on the headers. ++If there are any HTTP headers that aren't in the case-insensitive `headerList` configuration, then a response of `431 Forbidden error` is returned to the client. ++This factory accepts the following configuration parameter: ++- `headerList`: The case-insensitive list of names of allowed headers. ++The following example configures a `RestrictRequestHeaders` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RestrictRequestHeaders=Content-Type,x-request-temp" + ] + } +] +``` ++### RewriteAllResponseHeaders ++The `RewriteAllResponseHeaders` factory rewrites multiple response headers at once. ++This factory accepts the following configuration parameters: ++- `pattern to match`: The regular expression to match against header values. +- `replacement`: The replacement value. ++The following example configures a `RewriteAllResponseHeaders` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteAllResponseHeaders=\\d,0" + ] + } +] +``` ++### RewriteResponseBody ++The `RewriteResponseBody` factory modifies the body of a response. ++This factory accepts the following configuration parameters that are organized as a comma-separated list of key-value pairs, where each pair accepts the form `pattern to match:replacement`: ++- `pattern to match`: The regular expression to match against text in the response body. +- `replacement`: The replacement value. 
++The following example configures a `RewriteResponseBody` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteResponseBody=foo:bar,/path-one/:/path-two/" + ] + } +] +``` ++### RewriteJsonAttributesResponseBody ++The `RewriteJsonAttributesResponseBody` factory rewrites JSON attributes using `JSONPath` notation. ++This factory accepts the following configuration parameters that are organized as a comma-separated list of key-value pairs, where each pair accepts the form `jsonpath:replacement`: ++- `jsonpath`: The `JSONPath` expression to match against the response body. +- `replacement`: The replacement value. ++The following example configures a `RewriteJsonAttributesResponseBody` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "RewriteJsonAttributesResponseBody=slides[1]. Title: Welcome,date:11-11-2022" + ] + } +] +``` ++### Roles ++The `Roles` factory authorizes requests that contain one of the configured roles. ++This factory accepts the following configuration parameter: ++- `roles`: A comma-separated list of authorized roles. ++The following example configures a `Roles` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Roles=role_01,role_02" + ] + } +] +``` ++### Scopes ++The `Scopes` factory authorizes requests that contain one of the configured `OAuth` scopes. ++This factory accepts the following configuration parameter: ++- `scopes`: A comma-separated list of authorized `OAuth` scopes. ++The following example configures a `Scopes` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "Scopes=api.read,api.write,user" + ] + } +] +``` ++### StoreIpAddress ++The `StoreIPAddress` factory is used for extension development only and in the context of the application. ++This factory accepts the following configuration parameter: ++- `attribute name`: The name used to store the IP as an exchange attribute. 
++The following example configures a `StoreIPAddress` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "StoreIpAddress=ip" + ] + } +] +``` ++### SSO login ++The `SSO login` factory redirects to authenticate if there's no valid authorization token. This factory is configured as a `boolean` value in the route definition rather than an explicit filter. ++The following example configures a `SSO login` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "ssoEnabled": true + } +] +``` ++### StoreHeader ++The `StoreHeader` factory stores a header value in the context of the application. This filter is used for extension development only. ++This factory accepts the following configuration parameters: ++- `headers`: A list of headers to check. The first one found is used. +- `attribute name`: The name used to store the header value as an exchange attribute. ++The following example configures a `StoreHeader` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "StoreHeader=x-tracing-header,custom-id,x-custom-id,tracingParam" + ] + } +] +``` ++### XmlToJson ++The `XmlToJson` factory transforms XML response body into JSON response body. ++There are no parameters for this factory. ++The following example configures a `XmlToJson` factory: ++```json +[ + { + "predicates": [ + "Path=/api/**" + ], + "filters": [ + "XmlToJson" + ] + } +] +``` ++## Next steps ++- [Azure Spring Apps](index.yml) +- [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](./quickstart-deploy-apps-enterprise.md) |
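Review bot: the explanatory sentence under `SetRequestHeader` ("In this example, the downstream server responded with `X-Request-Red:1234`, and it's replaced with `X-Request-Red:Blue`") describes a response header, but this filter rewrites the request before it is sent downstream; it should read that the incoming request carried `X-Request-Red:1234` and the downstream request gets `X-Request-Red:Blue` (the parallel sentence under `SetResponseHeader` is the one that correctly talks about the downstream response). In the `RestrictRequestHeaders` section, "a response of `431 Forbidden error`" mixes two status codes: 431 is Request Header Fields Too Large, 403 is Forbidden; state the one the filter actually returns (431 is also what `RequestHeaderSize` documents, so readers will assume the two filters behave the same). Two descriptions leave a security-relevant gap: `BasicAuth` says "There are no parameters for this factory" but never says where the credentials for the `Authorization` header come from, and the `certificate fingerprint` parameter of `ClientCertificateHeader` doesn't state which hash algorithms are accepted even though the example uses `sha-1:`. Smaller fixes: "an `SetRequestHeader`" and "an `SetResponseHeader`" should be "a", "a `AllowedRequestCookieCount`", "a `AllowedRequestHeadersCount`", "a `AllowedRequestQueryParamsCount`" and "a `SSO login`" should be "an", "based on the number query parameters" is missing "of", "which can an integer value" is missing "be", the `StoreIpAddress` heading, the `StoreIPAddress` factory name in the body and the `StoreIpAddress=ip` filter string should agree on one spelling, and the `RewriteResponseHeader` sentence "the configuration is set to ... after making the downstream request" should say the header value is rewritten to `/42?user=ford&password=***&flag=true` on the way back to the client.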
spring-apps | How To Use Enterprise Spring Cloud Gateway | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-use-enterprise-spring-cloud-gateway.md | Use the following steps to create a sample application using Spring Cloud Gatewa The open-source [Spring Cloud Gateway](https://spring.io/projects/spring-cloud-gateway) project includes many built-in filters for use in Gateway routes. Spring Cloud Gateway provides many custom filters in addition to the filters included in the OSS project. -### Use filters included in Spring Cloud Gateway OSS --You can use Spring Cloud Gateway OSS filters in Spring Cloud Gateway for Kubernetes. Spring Cloud Gateway OSS includes many `GatewayFilter` factories that are used to create filters for routes. For a complete list of these factories, see the [GatewayFilter Factories](https://docs.spring.io/spring-cloud-gateway/docs/current/reference/html/#gatewayfilter-factories) section in the Spring Cloud Gateway documentation. --### Use commercial filters --For more examples of commercial filters, see [Commercial Route Filters](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-route-filters.html#filters-added-in-spring-cloud-gateway-for-kubernetes) in the VMware Spring Cloud Gateway documentation. These examples are written using Kubernetes resource definitions. --The following example shows how to use the [AddRequestHeadersIfNotPresent](https://docs.vmware.com/en/VMware-Spring-Cloud-Gateway-for-Kubernetes/1.2/scg-k8s/GUID-route-filters.html#add-request-headers-if-not-present) filter by converting the Kubernetes resource definition. 
--Start with the following resource definition in YAML: --```yml -apiVersion: "tanzu.vmware.com/v1" -kind: SpringCloudGatewayRouteConfig -metadata: - name: my-gateway-routes -spec: - service: - name: myapp - routes: - - predicates: - - Path=/api/** - filters: - - AddRequestHeadersIfNotPresent=Content-Type:application/json,Connection:keep-alive -``` --Then, convert `spec.routes` into the following JSON format: +The following example shows how to apply the `AddRequestHeadersIfNotPresent` filter to a route: ```json [ az spring gateway route-config create \ --routes-file <json-file-with-routes> ``` +For more information on available route filters, see [How to use VMware Spring Cloud Gateway Route Filters with the Azure Spring Apps Enterprise plan](./how-to-configure-enterprise-spring-cloud-gateway-filters.md). + ## Next steps - [Azure Spring Apps](index.yml) |
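Review bot: removing the "Use filters included in Spring Cloud Gateway OSS" section drops the only link to the OSS `GatewayFilter` factories reference, while the unchanged sentence "Spring Cloud Gateway provides many custom filters in addition to the filters included in the OSS project" stays in place with nothing to point readers at until the new "For more information on available route filters" link, which sits after the `az spring gateway route-config create` block. Consider moving that new cross-reference up to the paragraph that introduces filters, and keeping one sentence that the JSON example is the `routes` array only (the dropped "convert `spec.routes` into the following JSON format" text explained why the example starts with `[`).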
storage | Storage Blob Download Javascript | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-download-javascript.md | The following example downloads a blob by using a file path with the [BlobClient ```javascript async function downloadBlobToFile(containerClient, blobName, fileNameWithPath) { - const blobClient = await containerClient.getBlobClient(blobName); + const blobClient = containerClient.getBlobClient(blobName); await blobClient.downloadToFile(fileNameWithPath); console.log(`download of ${blobName} success`); The following example downloads a blob by creating a Node.js writable stream obj ```javascript async function downloadBlobAsStream(containerClient, blobName, writableStream) { - const blobClient = await containerClient.getBlobClient(blobName); + const blobClient = containerClient.getBlobClient(blobName); const downloadResponse = await blobClient.download(); The following Node.js example downloads a blob to a string with [BlobClient.down async function downloadBlobToString(containerClient, blobName) { - const blobClient = await containerClient.getBlobClient(blobName); + const blobClient = containerClient.getBlobClient(blobName); const downloadResponse = await blobClient.download(); |
storage | Customer Managed Keys Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/customer-managed-keys-overview.md | To revoke access to customer-managed keys, use [PowerShell](./customer-managed-k - [List Blobs](/rest/api/storageservices/list-blobs), when called with the `include=metadata` parameter on the request URI - [Get Blob](/rest/api/storageservices/get-blob) - [Get Blob Properties](/rest/api/storageservices/get-blob-properties)-- [Get Blob Metadata](/rest/api/storageservices/get-bl- ob-metadata)+- [Get Blob Metadata](/rest/api/storageservices/get-blob-metadata) - [Set Blob Metadata](/rest/api/storageservices/set-blob-metadata) - [Snapshot Blob](/rest/api/storageservices/snapshot-blob), when called with the `x-ms-meta-name` request header - [Copy Blob](/rest/api/storageservices/copy-blob) |
storage | Storage Explorer Support Policy Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-explorer-support-policy-lifecycle.md | This table describes the release date and the end of support date for each relea | Storage Explorer version | Release date | End of support date | |:-:|::|:-:|+| v1.31.0 | August 11, 2023 | August 11, 2024 | +| v1.30.2 | July 21, 2023 | July 21, 2024 | +| v1.30.1 | July 13, 2023 | July 13, 2024 | +| v1.30.0 | June 12, 2023 | June 12, 2024 | | v1.29.2 | May 24, 2023 | May 24, 2024 | | v1.29.1 | May 10, 2022 | May 10, 2024 | | v1.29.0 | April 28, 2023 | April 28, 2024 | | v1.28.1 | March 9, 2023 | March 9, 2024 | | v1.28.0 | February 14, 2023 | February 14, 2024 | | v1.27.2 | January 24, 2023 | January 24, 2024 |-| v1.27.1 | December 20, 2022 | December 20, 2023 | +| v1.27.1 | December 20, 2022 | December 20, 2024 | | v1.27.0 | December 2, 2022 | December 2, 2023 | | v1.26.1 | October 17, 2022 | October 17, 2023 | | v1.26.0 | October 5, 2022 | October 5, 2023 | |
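Review bot: the changed row "| v1.27.1 | December 20, 2022 | December 20, 2024 |" breaks the one-year release-to-end-of-support interval that every other row in the table follows (v1.27.0 released December 2, 2022 still ends December 2, 2023), so the original December 20, 2023 looks correct and this edit should be reverted unless support for that one patch release was deliberately extended. While touching this table, the unchanged context row "| v1.29.1 | May 10, 2022 | May 10, 2024 |" has a release date a year earlier than the surrounding v1.29.x entries and is almost certainly meant to be May 10, 2023.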
storage | Elastic San Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/elastic-san/elastic-san-create.md | description: Learn how to deploy an Azure Elastic SAN (preview) with the Azure p Previously updated : 08/02/2023 Last updated : 08/14/2023 # Deploy an Elastic SAN (preview) -This article explains how to deploy and configure an elastic storage area network (SAN). +This article explains how to deploy and configure an elastic storage area network (SAN). If you're interested in Azure Elastic SAN, or have any feedback you'd like to provide, fill out [https://aka.ms/ElasticSANPreviewSignUp](https://aka.ms/ElasticSANPreviewSignUp). ## Prerequisites This article explains how to deploy and configure an elastic storage area networ [!INCLUDE [elastic-san-regions](../../../includes/elastic-san-regions.md)] -## Register for the preview --Sign up for the preview at [https://aka.ms/ElasticSANPreviewSignUp](https://aka.ms/ElasticSANPreviewSignUp). --If your request for access to the preview is approved, register your subscription with Microsoft.ElasticSAN resource provider and the preview feature using the following command: --# [Portal](#tab/azure-portal) --Use either the Azure PowerShell module or the Azure CLI to register your subscription for the preview. --# [PowerShell](#tab/azure-powershell) --```azurepowershell -Register-AzResourceProvider -ProviderNamespace Microsoft.ElasticSan -Register-AzProviderFeature -FeatureName ElasticSanPreviewAccess -ProviderNamespace Microsoft.ElasticSan -``` --It may take a few minutes for registration to complete. 
To confirm that you've registered, use the following command: --```azurepowershell -Get-AzResourceProvider -ProviderNamespace Microsoft.ElasticSan -Get-AzProviderFeature -FeatureName "ElasticSanPreviewAccess" -ProviderNamespace "Microsoft.ElasticSan" -``` --# [Azure CLI](#tab/azure-cli) --```azurecli -az provider register --namespace Microsoft.ElasticSan -az feature register --name ElasticSanPreviewAccess --namespace Microsoft.ElasticSan -``` --It may take a few minutes for registration to complete. To confirm you've registered, use the following command: --```azurecli -az provider show --namespace Microsoft.ElasticSan -az feature show --name ElasticSanPreviewAccess --namespace Microsoft.ElasticSan -``` -- ## Create the SAN # [Portal](#tab/azure-portal) |
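Review bot: the removed "Register for the preview" section was the only place that told readers to register the `Microsoft.ElasticSan` resource provider and the `ElasticSanPreviewAccess` feature (`Register-AzResourceProvider`, `Register-AzProviderFeature`, `az provider register`, `az feature register`) and how to confirm registration; the replacement sentence only asks them to fill out the sign-up form. If provider registration is still a prerequisite for deployment, the Prerequisites section needs a line saying so (or pointing to where it is now documented); if it is no longer needed, say that explicitly so readers with older subscriptions don't go looking for the removed steps.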
storage | Storage Files Identity Ad Ds Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-files-identity-ad-ds-enable.md | The cmdlets should return the key value. Once you have the kerb1 key, create eit Setspn -S cifs/your-storage-account-name-here.file.core.windows.net <ADAccountName> ``` -2. Modify the UPN to match the SPN for the AD object (you must have AD PowerShell cmdlets installed and execute the cmdlets in PowerShell 5.1 with elevated privileges). +2. If you have a user account, modify the UPN to match the SPN for the AD object (you must have AD PowerShell cmdlets installed and execute the cmdlets in PowerShell 5.1 with elevated privileges). ```powershell- Set-ADUser -Identity $UserSamAccountName -UserPrincipalName cifs/<StorageAccountName>.file.core.windows.net@<UPN suffixes> + Set-ADUser -Identity $UserSamAccountName -UserPrincipalName cifs/<StorageAccountName>.file.core.windows.net@<DNSRoot> ``` 3. Set the AD account password to the value of the kerb1 key. |
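Review bot: step 2 now opens with "If you have a user account", but the hunk doesn't say what to do in the other case that the preceding context ("create either ...") allows, so a reader who created a computer account doesn't know whether to skip the step; add a clause such as "if you created a computer account, skip this step". The new `<DNSRoot>` placeholder is clearer than `<UPN suffixes>` for the Kerberos SPN/UPN match, but it should be defined once where it first appears (the DNS root of the AD domain), since the rest of the page uses descriptive placeholders like `<StorageAccountName>`.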
synapse-analytics | Source Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/cicd/source-control.md | The configuration pane shows the following Azure DevOps git settings: Your can also use repository link to quickly point to the git repository you want to connect with. +> [!NOTE] +> Azure Synapse doesn't support connection to Prem Azure DevOps repository. + ### Use a different Azure Active Directory tenant The Azure Repos Git repo can be in a different Azure Active Directory tenant. To specify a different Azure AD tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../../cost-management-billing/manage/add-change-subscription-administrator.md#assign-a-subscription-administrator) |
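Review bot: the added note "Azure Synapse doesn't support connection to Prem Azure DevOps repository" is missing words; it presumably means an on-premises Azure DevOps Server. Suggest: `> Azure Synapse doesn't support connecting to an on-premises Azure DevOps Server repository.`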
synapse-analytics | System Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/partner/system-integration.md | This article highlights Microsoft system integration partner companies building | :::image type="content" source="./media/system-integration/capax-global-logo.png" alt-text="The logo of Capax Global."::: |**Capax Global**<br>We improve your business by making better use of information you already have. Building custom solutions that align to your business goals, and setting you up for long-term success. We combine well-established patterns and practices with technology while using our team's wide range of industry and commercial software development experience. We share a passion for technology, innovation, and client satisfaction. Our pride for what we do drives the success of our projects and is fundamental to why people partner with us.|[Capax Global](https://www.capaxglobal.com/)<br>| | :::image type="content" source="./media/system-integration/coeo-logo.png" alt-text="The logo of Coeo."::: |**Coeo**<br>Coeo's team includes cloud consultants with deep expertise in Azure databases, and BI consultants dedicated to providing flexible and scalable analytic solutions. Coeo can help you move to a hybrid or full Azure solution.|[Coeo](https://www.coeo.com/analytics/)<br>| | :::image type="content" source="./media/system-integration/cognizant-logo.png" alt-text="The logo of Cognizant."::: |**Cognizant**<br>As a Microsoft strategic partner, Cognizant has the consulting skills and experience to help customers make the journey to the cloud. 
For each client project, Cognizant uses its strong partnership with Microsoft to maximize customer benefits from the Azure architecture.|[Cognizant](https://mbg.cognizant.com/technologies-capabilities/microsoft-azure/)<br>|-| :::image type="content" source="./media/system-integration/neal-analytics-logo.png" alt-text="The logo of Neal Analytics."::: |**Neal Analytics**<br>Neal Analytics helps companies navigate their digital transformation journey in converting data into valuable assets and a competitive advantage. With our machine learning and data engineering expertise, we use data to drive margin increases and profitable analytics projects. Comprised of consultants specializing in Data Science, Business Intelligence, Azure AI services, practical AI, Data Management, and IoT, Neal Analytics is trusted to solve unique business problems and optimize operations across industries.|[Neal Analytics](https://nealanalytics.com/)<br>| +| :::image type="content" source="./media/system-integration/neal-analytics-logo.png" alt-text="The logo of Neal Analytics."::: |**Neal Analytics**<br>Neal Analytics helps companies navigate their digital transformation journey in converting data into valuable assets and a competitive advantage. With our machine learning and data engineering expertise, we use data to drive margin increases and profitable analytics projects. Comprised of consultants specializing in Data Science, Business Intelligence, Azure AI services, practical AI, Data Management, and IoT, Neal Analytics is trusted to solve unique business problems and optimize operations across industries.|[Neal Analytics](https://fractal.ai/)<br>| | :::image type="content" source="./media/system-integration/pragmatic-works-logo.png" alt-text="The logo of Pragmatic Works."::: |**Pragmatic Works**<br>Pragmatic Works can help you capitalize on the value of your data by empowering more users and applications on the same dataset. 
We kickstart, accelerate, and maintain your cloud environment with a range of solutions that fit your business needs.|[Pragmatic Works](https://www.pragmaticworks.com/)<br>| ## Next steps |
traffic-manager | Traffic Manager Faqs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-FAQs.md | -Therefore, Traffic Manager doesnΓÇÖt provide an endpoint or IP address for clients to connect to. If you want static IP address for your service, that must be configured at the service, not in Traffic Manager. +Therefore, Traffic Manager doesnΓÇÖt provide an endpoint or IP address for clients to connect to. If you want a static IP address for your service, it must be configured in the service, not in Traffic Manager. ### What types of traffic can be routed using Traffic Manager? As explained in [How Traffic Manager Works](../traffic-manager/traffic-manager-how-it-works.md), a Traffic Manager endpoint can be any internet facing service hosted inside or outside of Azure. Hence, Traffic Manager can route traffic that originates from the public internet to a set of endpoints that are also internet facing. If you have endpoints that are inside a private network (for example, an internal version of [Azure Load Balancer](../load-balancer/components.md#frontend-ip-configurations)) or have users making DNS requests from such internal networks, then you canΓÇÖt use Traffic Manager to route this traffic. The HTTP host header sent from the client's browser is the most common source of If your client or application receives an HTTP 500 error while using Traffic Manager, this can be caused by a stale DNS query. To resolve the issue, clear the DNS cache and allow the client to issue a new DNS query. -When a service endpoint is unresponsive, clients and applications that are using that endpoint do not reset until the DNS cache is refreshed. The duration of the cache is determined by the time-to-live (TTL) of the DNS record. For more information, see [Traffic Manager and the DNS cache](traffic-manager-how-it-works.md#traffic-manager-and-the-dns-cache). 
+When a service endpoint is unresponsive, clients and applications that are using that endpoint don't reset until the DNS cache is refreshed. The duration of the cache is determined by the time-to-live (TTL) of the DNS record. For more information, see [Traffic Manager and the DNS cache](traffic-manager-how-it-works.md#traffic-manager-and-the-dns-cache). Also see the following related FAQs in this article: - [What is DNS TTL and how does it impact my users?](#what-is-dns-ttl-and-how-does-it-impact-my-users) One of the metrics provided by Traffic Manager is the number of queries responde ### When I delete a Traffic Manager profile, what is the amount of time before the name of the profile is available for reuse? -It can take up to 2 hours for the name to become available after a Traffic Manger profile is deleted. +When you delete a Traffic Manager profile, the associated domain name is reserved for a period of time. Other Traffic Manager profiles in the same tenant can immediately reuse the name. However, a different Azure tenant is not able to use the same profile name until the reservation expires. This feature enables you to maintain authority over the namespaces that you deploy, eliminating concerns that the name might be taken by another tenant. ++For example, if your Traffic Manager profile name is **label1**, then **label1.trafficmanager.net** is reserved for your tenant even if you delete the profile. Child namespaces, such as **xyz.label1** or **123.abc.label1** are also reserved. When the reservation expires, the name is made available to other tenants. The name associated with a disabled profile is reserved indefinitely. For questions about the length of time a name is reserved, contact your account representative. ## Traffic Manager Geographic traffic routing method End-user devices typically use a DNS resolver to do the DNS lookup on their beha The IP addresses to associate with an endpoint can be specified in two ways. 
First, you can use the quad dotted decimal octet notation with a start and end addresses to specify the range (for example, 1.2.3.4-5.6.7.8 or 3.4.5.6-3.4.5.6). Second, you can use the CIDR notation to specify the range (for example, 1.2.3.0/24). You can specify multiple ranges and can use both notation types in a range set. A few restrictions apply. -- You canΓÇÖt have overlap of address ranges since each IP needs to be mapped to only a single endpoint+- You canΓÇÖt overlap address ranges since each IP address needs to be mapped to only a single endpoint - The start address canΓÇÖt be more than the end address - In the case of the CIDR notation, the IP address before the '/' should be the start address of that range (for example, 1.2.3.0/24 is valid but 1.2.3.4.4/24 is NOT valid) Traffic Manager monitoring settings are at a per profile level. If you need to u ### How can I assign HTTP headers to the Traffic Manager health checks to my endpoints? -Traffic Manager allows you to specify custom headers in the HTTP(S) health checks it initiates to your endpoints. If you want to specify a custom header, you can do that at the profile level (applicable to all endpoints) or specify it at the endpoint level. If a header is defined at both levels, then the one specified at the endpoint level will override the profile level 1. +Traffic Manager allows you to specify custom headers in the HTTP(S) health checks it initiates to your endpoints. If you want to specify a custom header, you can do that at the profile level (applicable to all endpoints) or specify it at the endpoint level. If a header is defined at both levels, then the one specified at the endpoint level overrides the profile level 1. One common use case for this is specifying host headers so that Traffic Manager requests may get routed correctly to an endpoint hosted in a multi-tenant environment. 
Another use case of this is to identify Traffic Manager requests from an endpoint's HTTP(S) request logs ### What host header do endpoint health checks use? |
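Review bot: the rewritten answer to the profile-name reuse question drops the only concrete figure the old text had ("up to 2 hours") and replaces it with "a period of time" plus "contact your account representative"; readers reach this FAQ for the duration, so either state the reservation window or say explicitly that it is not a fixed value. Separately, the custom-headers rewrite keeps a stray trailing "1" in "overrides the profile level 1.", which looks like a leftover footnote marker and should be removed while the sentence is being edited.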
traffic-manager | Traffic Manager How It Works | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-how-it-works.md | Title: How Azure Traffic Manager works -description: This article will help you understand how Traffic Manager routes traffic for high performance and availability of your web applications. +description: This article helps you understand how Traffic Manager routes traffic for high performance and availability of your web applications. Previously updated : 02/27/2023 Last updated : 08/14/2023 When a client attempts to connect to a service, it must first resolve the DNS na **The most important point to understand is that Traffic Manager works at the DNS level which is at the Application layer (Layer-7).** Traffic Manager uses DNS to direct clients to specific service endpoints based on the rules of the traffic-routing method. Clients connect to the selected endpoint **directly**. Traffic Manager is not a proxy or a gateway. Traffic Manager does not see the traffic passing between the client and the service. +Traffic Manager uses profiles to control traffic to your cloud services or website endpoints. For more information about profiles, see [Manage an Azure Traffic Manager profile](traffic-manager-manage-profiles.md). + ## Traffic Manager example Contoso Corp have developed a new partner portal. The URL for this portal is `https://partners.contoso.com/login.aspx`. The application is hosted in three regions of Azure. To improve availability and maximize global performance, they use Traffic Manager to distribute client traffic to the closest available endpoint. To achieve this configuration, they complete the following steps: ![Traffic Manager DNS configuration][1] > [!NOTE]-> When using a vanity domain with Azure Traffic Manager, you must use a CNAME to point your vanity domain name to your Traffic Manager domain name. DNS standards do not allow you to create a CNAME at the 'apex' (or root) of a domain. 
Thus you cannot create a CNAME for 'contoso.com' (sometimes called a 'naked' domain). You can only create a CNAME for a domain under 'contoso.com', such as 'www.contoso.com'. To work around this limitation, we recommend hosting your DNS domain on [Azure DNS](../dns/dns-overview.md) and using [Alias records](../dns/tutorial-alias-tm.md) to point to your traffic manager profile. Alternatively you can use a simple HTTP redirect to direct requests for 'contoso.com' to an alternative name such as 'www.contoso.com'. +> When using a vanity domain with Azure Traffic Manager, you must use a CNAME to point your vanity domain name to your Traffic Manager domain name. DNS standards don't allow you to create a CNAME at the 'apex' (or root) of a domain. Thus you cannot create a CNAME for 'contoso.com' (sometimes called a 'naked' domain). You can only create a CNAME for a domain under 'contoso.com', such as 'www.contoso.com'. To work around this limitation, we recommend hosting your DNS domain on [Azure DNS](../dns/dns-overview.md) and using [Alias records](../dns/tutorial-alias-tm.md) to point to your traffic manager profile. Alternatively you can use a simple HTTP redirect to direct requests for 'contoso.com' to an alternative name such as 'www.contoso.com'. ### How clients connect using Traffic Manager |
traffic-manager | Traffic Manager Manage Profiles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-manage-profiles.md | description: This article helps you create, disable, enable, and delete an Azure -+ Previously updated : 05/10/2017 Last updated : 08/14/2023 You can create a Traffic Manager profile by using the Azure portal. After creati 1. From a browser, sign in to the [Azure portal](https://portal.azure.com). If you donΓÇÖt already have an account, you can sign up for a [free one-month trial](https://azure.microsoft.com/free/). 2. Click **Create a resource** > **Networking** > **Traffic Manager profile** > **Create**. 4. In the **Create Traffic Manager profile**, complete as follows:- 1. In **Name**, provide a name for your profile. This name needs to be unique within the trafficmanager.net zone and results in the DNS name `<name>`, trafficmanager.net, that is used to access your Traffic Manager profile. + 1. In **Name**, provide a name for your profile. The name needs to be unique within the trafficmanager.net zone and results in the DNS name: `<name>`.trafficmanager.net used to access your Traffic Manager profile. 2. In **Routing method**, select the **Priority** routing method. 3. In **Subscription**, select the subscription you want to create this profile under 4. In **Resource Group**, create a new resource group to place this profile under.- 5. In **Resource group location**, select the location of the resource group. This setting refers to the location of the resource group, and has no impact on the Traffic Manager profile that will be deployed globally. + 5. In **Resource group location**, select the location of the resource group. This setting refers to the location of the resource group, and has no impact on the Traffic Manager profile that is deployed globally. 6. Click **Create**. 7. 
When the global deployment of your Traffic Manager profile is complete, it is listed in respective resource group as one of the resources. You can disable an existing profile so that Traffic Manager does not refer user 3. Click **Overview** > **Delete**. 4. Confirm to delete the Traffic Manager profile. +> [!NOTE] +> WWhen you delete a Traffic Manager profile, the associated domain name is reserved for a period of time. Other Traffic Manager profiles in the same tenant can immediately reuse the name. However, a different Azure tenant is not able to use the same profile name until the reservation expires. This feature enables you to maintain authority over the namespaces that you deploy, eliminating concerns that the name might be taken by another tenant. For more information, see [Traffic Manager FAQs](traffic-manager-faqs.md#when-i-delete-a-traffic-manager-profile-what-is-the-amount-of-time-before-the-name-of-the-profile-is-available-for-reuse). + ## Next steps * [Add an endpoint](./traffic-manager-manage-endpoints.md) |
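Review bot: typo in the added note, "WWhen you delete a Traffic Manager profile" should read "When you delete". The note also repeats the FAQ paragraph it links to almost verbatim; a one-sentence summary plus the link would be easier to keep in sync when the FAQ answer changes.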
traffic-manager | Traffic Manager Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/traffic-manager/traffic-manager-overview.md | Traffic Manager uses DNS to direct client requests to the appropriate service en > Your end-to-end scenarios may benefit from combining these solutions as needed. > For an Azure load-balancing options comparison, see [Overview of load-balancing options in Azure](/azure/architecture/guide/technology-choices/load-balancing-overview). +For more information about Traffic Manager, see: +- [How Traffic Manager works](traffic-manager-how-it-works.md) +- [Traffic Manager FAQs](traffic-manager-FAQs.md) +- [Traffic Manager profiles](traffic-manager-manage-profiles.md) +- [Traffic Manager endpoints](traffic-manager-endpoint-types.md) + **Traffic Manager offers the following features**: ## Increase application availability |
virtual-desktop | Fslogix Profile Container Configure Azure Files Active Directory | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/fslogix-profile-container-configure-azure-files-active-directory.md | To set up a storage account: 1. Select **+ File share**. -1. Enter a **Name**, such as *Profiles*, then for the tier select **Transaction optimized**. +1. Enter a **Name**, such as *profiles*, then for the tier select **Transaction optimized**. ## Join your storage account to Active Directory To configure Profile Container on your session host VMs: 1. Open an elevated PowerShell prompt and run the following commands, replacing `\\<storage-account-name>.file.core.windows.net\<share-name>` with the UNC path to your storage account you created earlier. These commands enable Profile Container and configure the location of the share. ```powershell- $regPath = "HKLM:\SOFTWARE\FSLogix\Profiles" + $regPath = "HKLM:\SOFTWARE\FSLogix\profiles" New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value \\<storage-account-name>.file.core.windows.net\<share-name> -Force ``` |
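Review bot: renaming the file share from *Profiles* to *profiles* should not be carried into the registry path; `$regPath` names the FSLogix registry key, not the share, so the lowercase `HKLM:\SOFTWARE\FSLogix\profiles` looks like a find-and-replace side effect. Windows registry key names are case-insensitive, so the command still works, but keep the key as `HKLM:\SOFTWARE\FSLogix\Profiles` as it was so readers don't infer that the key name follows the share name.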
virtual-machines | Msv3 Mdsv3 Medium Series | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/msv3-mdsv3-medium-series.md | + +# Required metadata +# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main +# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main ++ Title: Overview of Msv3 and Mdsv3 Medium Memory Series +description: Overview of Msv3 and Mdsv3 Medium Memory virtual machines. These virtual machines provide faster performance and lower TCO. ++++# ms.prod: sizes + Last updated : 08/10/2023+++# Msv3 and Mdsv3 Medium Memory Series (Preview) ++> [!IMPORTANT] +> The Msv3 and Mdsv3 Medium Memory Series is currently in preview. Previews are made available to you on the condition that you agree to the [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some aspects of this feature may change prior to general availability (GA). +> +> Customers can [sign up for Msv3 and Mdsv3 Medium Memory Series preview today](https://forms.office.com/r/s0fKkC420i). Msv3 and Mdsv3 Medium Memory Series VMs preview is available in the West Europe, North Europe, East US 2 and East US Azure regions. ++The Msv3 and Mdsv3 Medium Memory(MM) series, powered by 4<sup>th</sup> generation Intel® Xeon® Scalable processors, are the next generation of memory-optimized VM sizes delivering faster performance, lower total cost of ownership and improved resilience to failures compared to previous generation Mv2 VMs. The Mv3 MM offers VM sizes of up to 3TB of memory and 4,000 MBps throughout to remote storage and provides up to 25% networking performance improvements over previous generations. 
++## Msv3 Medium Memory series ++[Premium Storage](premium-storage-performance.md): Supported<br> +[Premium Storage caching](premium-storage-performance.md): Supported<br> +[Live Migration](maintenance-and-updates.md): Not Supported<br> +[Memory Preserving Updates](maintenance-and-updates.md): Not Supported<br> +[VM Generation Support](generation-2.md): Generation 2<br> +[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported<br> +[Ephemeral OS Disks](ephemeral-os-disks.md): Not Supported<br> +[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not Supported <br> ++|Size|vCPU|Memory: GiB|Max data disks|Max uncached Premium SSD  throughput: IOPS/MBps|Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps|Max NICs|Max network bandwidth (Mbps)| + | -- | -- | -- | -- | -- | -- | -- | -- | +|Standard_M12s_v3|12|240|64|16,250/390|16,250/390|4|4,000| +|Standard_M24s_v3|24|480|64|32,500/780|32,500/780|8|8,000| +|Standard_M48s_1_v3|48|974|64|65,000/ 1,560|65,000/ 1,560|8|16,000| +|Standard_M96s_1_v3|96|974|64|65,000/ 1,560|65,000/ 1,560|8|16,000| +|Standard_M96s_2_v3|96|1,946|64|130,000/ 3,120|130,000/ 3,120|8|30,000| +|Standard_M176s_3_v3|176|2794|64|130,000/ 4,000|130,000/ 4,000|8|40,000| ++## Mdsv3 Medium Memory series ++These virtual machines feature local SSD storage (up to 400 GiB). 
++[Premium Storage](premium-storage-performance.md): Supported<br> +[Premium Storage caching](premium-storage-performance.md): Supported<br> +[Live Migration](maintenance-and-updates.md): Not Supported<br> +[Memory Preserving Updates](maintenance-and-updates.md): Not Supported<br> +[VM Generation Support](generation-2.md): Generation 2<br> +[Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported<br> +[Ephemeral OS Disks](ephemeral-os-disks.md): Supported<br> +[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not Supported <br> ++|Size|vCPU|Memory: GiB|Temp storage (SSD) GiB|Max data disks|Max temp storage throughput: IOPS/MBps*|Max uncached Premium SSD  throughput: IOPS/MBps|Max uncached Ultra Disk and Premium SSD V2 disk throughput: IOPS/MBps|Max NICs|Max network bandwidth (Mbps)| +| -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | +|Standard_M12ds_v3|12|240|400|64|10,000/100|16,250/390|16,250/390|4|4,000| +|Standard_M24ds_v3|24|480|400|64|20,000/200|32,500/780|32,500/780|8|8,000| +|Standard_M48ds_1_v3|48|974|400|64|40,000/400|65,000/ 1,560|65,000/ 1,560|8|16,000| +|Standard_M96ds_1_v3|96|974|400|64|40,000/400|65,000/ 1,560|65,000/ 1,560|8|16,000| +|Standard_M96ds_2_v3|96|1,946|400|64|160,000/1600|130,000/ 3,120|130,000/ 3,120|8|30,000| +|Standard_M176ds_3_v3|176|2794|400|64|160,000/1600|130,000/ 4,000|130,000/ 4,000|8|40,000| ++<sup>*</sup> Read iops is optimized for sequential reads<br> +++## Other sizes and information ++- [General purpose](sizes-general.md) +- [Memory optimized](sizes-memory.md) +- [Storage optimized](sizes-storage.md) +- [GPU optimized](sizes-gpu.md) +- [High performance compute](sizes-hpc.md) +- [Previous generations](sizes-previous-gen.md) ++Pricing Calculator: [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) ++More information on Disks Types: [Disk Types](./disks-types.md#ultra-disks) + |
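Review bot: the new page's front matter still carries the template scaffolding ("# Required metadata", the review.learn.microsoft.com help links, the commented-out "# ms.prod: sizes"); remove it before publishing. In the intro, "4,000 MBps throughout to remote storage" should be "throughput" and "Medium Memory(MM)" needs a space. The tables mix "2794" with "1,946" and "65,000/ 1,560" with "16,250/390", so pick one thousands-separator and spacing convention, and the footnote "Read iops is optimized for sequential reads" should use "IOPS" to match the column headers.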
virtual-machines | Snapshot Copy Managed Disk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/snapshot-copy-managed-disk.md | First, you'll use the [New-AzSnapshotConfig](/powershell/module/az.compute/new-a -CreateOption copy ``` - If you want to store your snapshot in zone-resilient storage, you must create the snapshot in a region that supports [availability zones](../availability-zones/az-overview.md and include the `-SkuName Standard_ZRS` parameter. For a list of regions that support availability zones, see [Azure regions with availability zones](../availability-zones/az-region.md#azure-regions-with-availability-zones). + If you want to store your snapshot in zone-resilient storage, you must create the snapshot in a region that supports [availability zones](../availability-zones/az-overview.md) and include the `-SkuName Standard_ZRS` parameter. For a list of regions that support availability zones, see [Azure regions with availability zones](../availability-zones/az-region.md#azure-regions-with-availability-zones). 1. Take the snapshot. |
virtual-network-manager | Create Virtual Network Manager Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network-manager/create-virtual-network-manager-template.md | + + Title: 'Quickstart: Create a mesh network topology with Azure Virtual Network Manager using Azure Resource Manager template - ARM template' +description: In this article, you create a mesh network topology with Azure Virtual Network Manager using Azure Resource Manager template, ARM template. +++ Last updated : 08/15/2023++++++# Quickstart: Create a mesh network topology with Azure Virtual Network Manager using Azure Resource Manager template -ARM template ++Get started with Azure Virtual Network Manager by using Azure Resource Manager templates to manage connectivity for all your virtual networks. ++In this quickstart, an Azure Resource Manager template is used to deploy Azure Virtual Network Manager with different connectivity topology and network group membership types. Use deployment parameters to specify the type of configuration to deploy. ++> [!IMPORTANT] +> Azure Virtual Network Manager is generally available for Virtual Network Manager and hub-and-spoke connectivity configurations. Mesh connectivity configurations and security admin rules remain in public preview. +> +> This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +++If your environment meets the prerequisites and you're familiar with using ARM templates, select the **Deploy to Azure** button. The template opens in the Azure portal. 
++ [![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsubscription-deployments%2Fmicrosoft.network%2Fvirtual-network-manager-connectivity%2Fazuredeploy.json) ++## Prerequisites ++- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). +- To support deploying Azure Policy for [dynamic group membership](concept-network-groups.md#dynamic-membership), the template is designed to deploy at the subscription scope. However, it's not a requirement for Azure Virtual Network Manager if using static group membership. ++## Review the template ++The template used in this quickstart is from [Azure Quickstart Templates](/samples/azure/azure-quickstart-templates/virtual-network-manager-connectivity/) +++The template defines multiple Azure resources: ++- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks) +- [**Microsoft.Resources/resourceGroups**](/azure/templates/microsoft.resources/resourcegroups) +- [**Microsoft.Resources/deployments**](/azure/templates/microsoft.resources/deployments) +- [**Microsoft.Authorization/policyDefinitions**](/azure/templates/microsoft.authorization/policydefinitions) +- [**Microsoft.Authorization/policyAssignments**](/azure/templates/microsoft.authorization/policyassignments) +- [**Microsoft.Network/networkManagers/networkGroups/staticMembers**](/azure/templates/microsoft.network/networkmanagers/networkgroups/staticmembers) +- [**Microsoft.Network/networkManagers/networkGroups**](/azure/templates/microsoft.network/networkmanagers/networkgroups) +- [**Microsoft.Network/networkManagers/connectivityConfigurations**](/azure/templates/Microsoft.Network/networkManagers/connectivityconfigurations) 
+- [**Microsoft.ManagedIdentity/userAssignedIdentities**](/azure/templates/microsoft.managedidentity/userassignedidentities) +- [**Microsoft.Authorization/roleAssignments**](/azure/templates/microsoft.authorization/roleassignments) +- [**Microsoft.Resources/deploymentScripts**](/azure/templates/microsoft.resources/deploymentscripts) ++## Deploy the template ++1. Sign in to Azure and open the Azure Resource Manager template by selecting the **Deploy to Azure** button here. The template creates the instance of Azure Virtual Network Manager, the network infrastructure, and the network manager configurations. ++ [![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fsubscription-deployments%2Fmicrosoft.network%2Fvirtual-network-manager-connectivity%2Fazuredeploy.json) ++1. In the Azure portal, select or enter the following information: ++ | Setting | Value | + ||| + | Subscription | Select the subscription to use for the deployment. | + | **Instance Details** | | + | Resource Group Name | Use the default of **rg-avnm-sample** | + | Region | Select the region to deploy the resources. | + | Location | Enter the location to deploy the resources. The location value is used in the resource naming convention</br> The location matches the **Region** you've chosen, and is written with no spaces. For example, **East US** is written as **EastUS**. | + | Connectivity Topology | Select the connectivity topology to deploy. The options include **mesh**, **hubAndSpoke**, and **meshWithHubAndSpoke**. | + | Network Group Membership Type | Select the network group membership type. The options include **static** and **dynamic**. | ++1. Select **Review + create** to review the settings and read the terms and conditions statement. +1. 
Select **Create** to deploy the template. +1. The deployment takes a few minutes to complete. After the deployment is complete, the **Deployment succeeded** message appears. ++## Validate the deployment ++1. From the **Home** page in the Azure portal, select **Resource groups** and select **rg-avnm-sample**. +1. Verify all of the components are deployed successfully. ++ :::image type="content" source="media/create-virtual-network-manager-template/template-resources.png" alt-text="Screenshot of all deployed resources in Azure portal."::: ++1. Select the **avnm-EastUS** resource. +1. In the **Network Groups** page, select **Settings>NetworkGroups>ng-EastUS-static**. + + :::image type="content" source="media/create-virtual-network-manager-template/static-network-group.png" alt-text="Screenshot of deployed network groups in Azure portal."::: ++1. On the **ng-EastUS-static** page, select **Settings>Group Members** and verify a set of virtual networks are deployed. ++ :::image type="content" source="media/create-virtual-network-manager-template/mesh-group-members.png" alt-text="Screenshot of static members in network group for a static topology deployment."::: ++> [!NOTE] +> Depending on the selections you made for the deployment, you may see different virtual networks for the group members. ++## Clean up resources ++When you no longer need the resources that you created with the private endpoint, delete the resource group. Doing so removes the private endpoint and all the related resources. ++1. To delete the resource group, open the resource group in the Azure portal and select **Delete resource group**. +1. Enter the name of the resource group, and then select **Delete**. +1. One the resource group is deleted, verify the network manager instance and all related resources are deleted. 
++## Next steps ++For more information about deploying Azure Virtual Network Manager, see: +> [!div class="nextstepaction"] +> [Quickstart: Create a mesh network topology with Azure Virtual Network Manager using Terraform](create-virtual-network-manager-terraform.md) |
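Review bot: the **Clean up resources** section in this hunk is copied from a private-endpoint article and does not describe what this quickstart deploys: it says "the resources that you created with the private endpoint" and "removes the private endpoint", while the template creates a Virtual Network Manager instance, virtual networks, a user-assigned managed identity, role assignments and a deployment script, and no private endpoint. Suggest: "When you no longer need the Virtual Network Manager instance and the network resources the template created, delete the resource group. Doing so removes the network manager and all related resources." Two smaller items in the same hunk: the last clean-up step reads "One the resource group is deleted" (should be "Once"), and the **Location** row of the settings table carries a stray `</br>` that will render literally in the cell. Because this is a subscription-level deployment (the Deploy to Azure link targets the `subscription-deployments` folder) that creates **Microsoft.Authorization/roleAssignments** for the user-assigned identity and runs **Microsoft.Resources/deploymentScripts** under it, the text should state which role the identity receives and at what scope, and that the person deploying therefore needs rights to create role assignments; the link also resolves against the `master` branch of azure-quickstart-templates, so readers should be told to review the template contents before selecting **Create** rather than trusting a mutable reference.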
virtual-network | Vnet Integration For Azure Services | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/vnet-integration-for-azure-services.md | To compare and understand the differences, see the following table. | Impacts the cost of your solution | No | Yes (see [Private link pricing](https://azure.microsoft.com/pricing/details/private-link/)) | | Impacts the [composite SLA](/azure/architecture/framework/resiliency/business-metrics#composite-slas) of your solution | No | Yes (Private link service itself has a [99.99% SLA](https://azure.microsoft.com/support/legal/sla/private-link/)) | | Setup and maintenance | Simple to set up with less management overhead | Extra effort is required |-| Limits | No limit on the total number of service endpoints in a virtual network. Azure services may enforce limits on the number of subnets used for securing the resource. (see [virtual network FAQ](virtual-networks-faq.md#are-there-any-limits-on-how-many-virtual network-service-endpoints-i-can-set-up-from-my-virtual network)) | Yes (see [Private Link limits](../azure-resource-manager/management/azure-subscription-service-limits.md#private-link-limits)) | +| Limits | No limit on the total number of service endpoints in a virtual network. Azure services may enforce limits on the number of subnets used for securing the resource. (see [virtual network FAQ](virtual-networks-faq.md#are-there-any-limits-on-how-many-vnet-service-endpoints-i-can-set-up-from-my-vnet)) | Yes (see [Private Link limits](../azure-resource-manager/management/azure-subscription-service-limits.md#private-link-limits)) | **Azure service resources secured to virtual networks aren't reachable from on-premises networks. If you want to allow traffic from on-premises, allow public (typically, NAT) IP addresses from your on-premises or ExpressRoute. These IP addresses can be added through the IP firewall configuration for the Azure service resources. 
For more information, see the [virtual network FAQ](virtual-networks-faq.md#can-an-on-premises-devices-ip-address-that-is-connected-through-azure-virtual-network-gateway-vpn-or-expressroute-gateway-access-azure-paas-service-over-vnet-service-endpoints). |
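Review bot: the anchor fix in the **Limits** row is correct (the removed fragment `#are-there-any-limits-on-how-many-virtual network-service-endpoints...` contains spaces and cannot resolve), but the on-premises note that follows it needs a caveat. Telling readers to allow the public (NAT) IP addresses of their on-premises or ExpressRoute egress in the service's IP firewall admits every host that shares that NAT address, not a specific client; since the row being edited compares service endpoints with Private Link, which reaches the resource over a private IP in the virtual network and does not require opening the resource's IP firewall, add one sentence recommending Private Link for on-premises access and noting that an allowed NAT address is not per-host. Also confirm that the bold opened by `**Azure service resources secured to virtual networks...` is closed later in the file; in this excerpt it runs to the end of the paragraph.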
vpn-gateway | Bgp Howto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/vpn-gateway/bgp-howto.md | -This article helps you enable BGP on cross-premises site-to-site (S2S) VPN connections and VNet-to-VNet connections using the Azure portal. This article helps you enable BGP on cross-premises site-to-site (S2S) VPN connections and VNet-to-VNet connections using Azure PowerShell. You can also create this configuration using the [Azure portal](bgp-howto.md) or [PowerShell](vpn-gateway-bgp-resource-manager-ps.md) steps. +This article helps you enable BGP on cross-premises site-to-site (S2S) VPN connections and VNet-to-VNet connections using the Azure portal. You can also create this configuration using the [Azure CLI](bgp-how-to-cli.md) or [PowerShell](vpn-gateway-bgp-resource-manager-ps.md) steps. BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. BGP enables the VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers. In this step, you create a new connection that has BGP enabled. If you already h #### To create a connection 1. To create a new connection, go to your virtual network gateway **Connections** page.-1. Click **+Add** to open the **Add a connection page**. +1. Select **+Add** to open the **Add a connection page**. 1. Fill in the necessary values. 1. Select **Enable BGP** to enable BGP on this connection.-1. Click **OK** to save changes. +1. Select **OK** to save changes. #### To update an existing connection 1. Go to your virtual network gateway **Connections** page.-1. Click the connection you want to modify. +1. 
Select the connection you want to modify. 1. Go to the **Configuration** page for the connection. 1. Change the **BGP** setting to **Enabled**. 1. **Save** your changes. |
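Review bot: the rewritten introduction in this hunk fixes a real defect: the removed line claimed both "using the Azure portal" and "using Azure PowerShell" in consecutive sentences and then linked to [Azure portal](bgp-howto.md), which is this article linking to itself. The replacement now points to `bgp-how-to-cli.md` for the CLI variant; confirm that file exists in the same folder, because the name pattern (`bgp-how-to-cli` versus this file's `bgp-howto`) differs. The Click→Select replacements are style-guide changes only. One content suggestion for both procedures: after "Select **Enable BGP**" and "Change the **BGP** setting to **Enabled**", the steps do not say that enabling BGP on the connection alone does not exchange routes; the gateway and the on-premises peer must have matching BGP peer settings. If the article's earlier steps configure those settings, link back to them here so a reader who only updates an existing connection does not end up with a tunnel that is up but carries no routes.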
web-application-firewall | Waf Front Door Drs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-drs.md | DRS 2.0 includes 17 rule groups, as shown in the following table. Each group con |[General](#general-20)|General group| |[METHOD-ENFORCEMENT](#drs911-20)|Lock-down methods (PUT, PATCH)| |[PROTOCOL-ENFORCEMENT](#drs920-20)|Protect against protocol and encoding issues|-|[PROTOCOL-ATTACK](#drs921-20|Protect against header injection, request smuggling, and response splitting| +|[PROTOCOL-ATTACK](#drs921-20)|Protect against header injection, request smuggling, and response splitting| |[APPLICATION-ATTACK-LFI](#drs930-20)|Protect against file and path attacks| |[APPLICATION-ATTACK-RFI](#drs931-20)|Protect against remote file inclusion (RFI) attacks| |[APPLICATION-ATTACK-RCE](#drs932-20)|Protect again remote code execution attacks| |
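Review bot: the fix restores the missing `)` in the PROTOCOL-ATTACK row; without it the link never closed and the following `|` was swallowed into the link text, so the table rendered with one column fewer for that row. Two rows down in the unchanged context, the APPLICATION-ATTACK-RCE description reads "Protect again remote code execution attacks"; that should be "against" and is worth fixing in the same change. The METHOD-ENFORCEMENT description "Lock-down methods (PUT, PATCH)" is also easy to misread as meaning only PUT and PATCH are restricted; consider rewording it to say that the group rejects request methods not in the allowed list, with PUT and PATCH as examples of methods that are commonly blocked.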