Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Force Password Reset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/force-password-reset.md | |
active-directory-b2c | Manage Custom Policies Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/manage-custom-policies-powershell.md | |
active-directory-b2c | Tenant Management Directory Quota | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-directory-quota.md | The response from the API call looks similar to the following json: { "directorySizeQuota": { "used": 211802,- "total": 300000 + "total": 50000000 } } ] If your tenant usage is higher that 80%, you can remove inactive users or reques ## Request increase directory quota size -You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) +You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) |
active-directory-domain-services | Alert Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-service-principal.md | ms.assetid: f168870c-b43a-4dd6-a13f-5cfadc5edf2c + Last updated 01/29/2023 - # Known issues: Service principal alerts in Azure Active Directory Domain Services |
active-directory-domain-services | Create Forest Trust Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-forest-trust-powershell.md | For more conceptual information about forest types in Azure AD DS, see [How do f [Install-Script]: /powershell/module/powershellget/install-script <!-- EXTERNAL LINKS -->-[powershell-gallery]: https://www.powershellgallery.com/ +[powershell-gallery]: https://www.powershellgallery.com/ |
active-directory-domain-services | Powershell Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-create-instance.md | |
active-directory-domain-services | Powershell Scoped Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-scoped-synchronization.md | |
active-directory-domain-services | Secure Your Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/secure-your-domain.md | |
active-directory-domain-services | Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/synchronization.md | ms.assetid: 57cbf436-fc1d-4bab-b991-7d25b6e987ef + Last updated 04/03/2023 - # How objects and credentials are synchronized in an Azure Active Directory Domain Services managed domain |
active-directory-domain-services | Template Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/template-create-instance.md | |
active-directory-domain-services | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot.md | ms.assetid: 4bc8c604-f57c-4f28-9dac-8b9164a0cf0b + Last updated 01/29/2023 - # Common errors and troubleshooting steps for Azure Active Directory Domain Services |
active-directory-domain-services | Tutorial Create Instance Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/tutorial-create-instance-advanced.md | To see this managed domain in action, create and join a virtual machine to the d [availability-zones]: ../reliability/availability-zones-overview.md [concepts-sku]: administration-concepts.md#azure-ad-ds-skus -<!-- EXTERNAL LINKS --> +<!-- EXTERNAL LINKS --> |
active-directory-domain-services | Tutorial Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/tutorial-create-instance.md | Before you domain-join VMs and deploy applications that use the managed domain, [concepts-sku]: administration-concepts.md#azure-ad-ds-skus <!-- EXTERNAL LINKS -->-[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix +[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix |
active-directory | Customize Application Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md | Applications and systems that support customization of the attribute list includ > Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). > [!NOTE]-> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. +> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. Provisioning multi-valued directory extension attributes is not supported. When you're editing the list of supported attributes, the following properties are provided: |
active-directory | Inbound Provisioning Api Configure App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md | If you're configuring inbound user provisioning to on-premises Active Directory, ## Create your API-driven provisioning app -1. Log in to the [Microsoft Entra portal](<https://entra.microsoft.com>). +1. Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>). 2. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 3. Click on **New application** to create a new provisioning application. [![Screenshot of Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox) |
active-directory | Inbound Provisioning Api Curl Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-curl-tutorial.md | -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-custom-attributes.md | You have configured API-driven provisioning app. You're provisioning app is succ In this step, we'll add the two attributes "HireDate" and "JobCode" that are not part of the standard SCIM schema to the provisioning app and use them in the provisioning data flow. -1. Log in to Microsoft Entra portal with application administrator role. +1. Log in to Microsoft Entra admin center with application administrator role. 1. Go to **Enterprise applications** and open your API-driven provisioning app. 1. Open the **Provisioning** blade. 1. Click on the **Edit Provisioning** button. In this step, we'll add the two attributes "HireDate" and "JobCode" that are not 1. **Save** your changes > [!NOTE]-> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra Portal to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process. +> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra admin center to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process. ## Step 2 - Map the custom attributes |
active-directory | Inbound Provisioning Api Grant Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-grant-access.md | Depending on how your API client authenticates with Azure AD, you can select bet ## Configure a service principal This configuration registers an app in Azure AD that represents the external API client and grants it permission to invoke the inbound provisioning API. The service principal client id and client secret can be used in the OAuth client credentials grant flow. -1. Log in to Microsoft Entra portal (https://entra.microsoft.com) with global administrator or application administrator login credentials. +1. Log in to Microsoft Entra admin center (https://entra.microsoft.com) with global administrator or application administrator login credentials. 1. Browse to **Azure Active Directory** -> **Applications** -> **App registrations**. 1. Click on the option **New registration**. 1. Provide an app name, select the default options, and click on **Register**. |
active-directory | Inbound Provisioning Api Graph Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-graph-explorer.md | This tutorial describes how you can quickly test [API-driven inbound provisionin ## Verify processing of bulk request payload -You can verify the processing either from the Microsoft Entra portal or using Graph Explorer. +You can verify the processing either from the Microsoft Entra admin center or using Graph Explorer. -### Verify processing from Microsoft Entra portal -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +### Verify processing from Microsoft Entra admin center +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-postman.md | In this step, you'll configure the Postman app and invoke the API using the conf If the API invocation is successful, you see the message `202 Accepted.` Under Headers, the **Location** attribute points to the provisioning logs API endpoint. ## Verify processing of bulk request payload-You can verify the processing either from the Microsoft Entra portal or using Postman. +You can verify the processing either from the Microsoft Entra admin center or using Postman. -### Verify processing from Microsoft Entra portal -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +### Verify processing from Microsoft Entra admin center +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-powershell.md | To illustrate the procedure, let's use the CSV file `Samples/csv-with-2-records. This section explains how to send the generated bulk request payload to your inbound provisioning API endpoint. -1. Log in to your Entra portal as *Application Administrator* or *Global Administrator*. +1. Log in to your Microsoft Entra admin center as *Application Administrator* or *Global Administrator*. 1. Copy the `ServicePrincipalId` associated with your provisioning app from **Provisioning App** > **Properties** > **Object ID**. :::image type="content" border="true" source="./media/inbound-provisioning-api-powershell/object-id.png" alt-text="Screenshot of the Object ID." lightbox="./media/inbound-provisioning-api-powershell/object-id.png"::: This section explains how to send the generated bulk request payload to your inb $ThumbPrint = $ClientCertificate.ThumbPrint ``` The generated certificate is stored **Current User\Personal\Certificates**. You can view it using the **Control Panel** -> **Manage user certificates** option. -1. To associate this certificate with a valid service principal, log in to your Entra portal as *Application Administrator*. +1. To associate this certificate with a valid service principal, log in to your Microsoft Entra admin center as *Application Administrator*. 1. Open [the service principal you configured](inbound-provisioning-api-grant-access.md#configure-a-service-principal) under **App Registrations**. 1. Copy the **Object ID** from the **Overview** blade. Use the value to replace the string `<AppObjectId>`. Copy the **Application (client) Id**. We will use it later and it is referenced as `<AppClientId>`. 1. Run the following command to upload your certificate to the registered service principal. PS > CSV2SCIM.ps1 -Path <path-to-csv-file> > [!NOTE] > The `AttributeMapping` and `ValidateAttributeMapping` command-line parameters refer to the mapping of CSV column attributes to the standard SCIM schema elements. -It doesn't refer to the attribute mappings that you perform in the Entra portal provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes. +It doesn't refer to the attribute mappings that you perform in the Microsoft Entra admin center provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes. | Parameter | Description | Processing remarks | |-|-|--| |
active-directory | User Provisioning Sync Attributes For Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md | |
active-directory | User Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning.md | In Azure Active Directory (Azure AD), the term *app provisioning* refers to auto Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and many more. -Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. Your application must support [SCIM](https://aka.ms/scimoverview). Or, you must build a SCIM gateway to connect to your legacy application. If so, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support these applications as well. --App provisioning lets you: +Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. The table below provides a mapping of protocols to connectors supported. ++|Protocol |Connector| +|--|--| +| SCIM | [SCIM - SaaS](use-scim-to-provision-users-and-groups.md) <br />[SCIM - On-prem / Private network](./on-premises-scim-provisioning.md) | +| LDAP | [LDAP](./on-premises-ldap-connector-configure.md)| +| SQL | [SQL](./tutorial-ecma-sql-connector.md) | +| REST | [Web Services](./on-premises-web-services-connector.md)| +| SOAP | [Web Services](./on-premises-web-services-connector.md)| +| Flat-file| [PowerShell](./on-premises-powershell-connector.md) | +| Custom | [Custom ECMA connectors](./on-premises-custom-connector.md) <br /> [Connectors and gateways built by partners](./partner-driven-integrations.md)| - **Automate provisioning**: Automatically create new accounts in the right systems for new people when they join your team or organization. - **Automate deprovisioning**: Automatically deactivate accounts in the right systems when people leave the team or organization. |
active-directory | Application Proxy Configure Cookie Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-cookie-settings.md | |
active-directory | Application Proxy Configure Custom Home Page | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md | |
active-directory | Application Proxy Ping Access Publishing Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md | Azure Active Directory (Azure AD) Application Proxy has partnered with PingAcces With PingAccess for Azure AD, you can give users access and single sign-on (SSO) to applications that use headers for authentication. Application Proxy treats these applications like any other, using Azure AD to authenticate access and then passing traffic through the connector service. PingAccess sits in front of the applications and translates the access token from Azure AD into a header. The application then receives the authentication in the format it can read. -Your users wonΓÇÖt notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so theyΓÇÖll still balance loads automatically. +Your users won't notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so they'll still balance loads automatically. ## How do I get access? For more information, see [Azure Active Directory editions](../fundamentals/what ## Publish your application in Azure -This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If youΓÇÖve already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section. +This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If you've already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section. > [!NOTE] > Since this scenario is a partnership between Azure AD and PingAccess, some of the instructions exist on the Ping Identity site. To publish your own on-premises application: > [!NOTE] > For a more detailed walkthrough of this step, see [Add an on-premises app to Azure AD](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). - 1. **Internal URL**: Normally you provide the URL that takes you to the appΓÇÖs sign-in page when youΓÇÖre on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess. + 1. **Internal URL**: Normally you provide the URL that takes you to the app's sign-in page when you're on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess. > [!WARNING] > For this type of single sign-on, the internal URL must use `https` and can't use `http`. Also, there is a constraint when configuring an application that no two apps should have the same internal URL as this allows App Proxy to maintain distinction between applications. To publish your own on-premises application: 1. **Translate URL in Headers**: Choose **No**. > [!NOTE]- > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener youΓÇÖve configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners). + > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener you've configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners). 1. Select **Add**. The overview page for the new application appears. In addition to the external URL, an authorize endpoint of Azure Active Directory Finally, set up your on-premises application so that users have read access and other applications have read/write access: -1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the APIs for Windows Azure Active Directory. +1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the permissions for Microsoft Graph. ![Shows the Request API permissions page](./media/application-proxy-configure-single-sign-on-with-ping-access/required-permissions.png) |
active-directory | Powershell Assign Group To App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-group-to-app.md | |
active-directory | Powershell Assign User To App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-user-to-app.md | |
active-directory | Powershell Display Users Group Of App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-display-users-group-of-app.md | |
active-directory | Powershell Get All App Proxy Apps Basic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-basic.md | |
active-directory | Powershell Get All App Proxy Apps By Connector Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-by-connector-group.md | |
active-directory | Powershell Get All App Proxy Apps Extended | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended.md | |
active-directory | Powershell Get All App Proxy Apps With Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-with-policy.md | |
active-directory | Powershell Get All Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-connectors.md | |
active-directory | Powershell Get All Custom Domain No Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domain-no-cert.md | |
active-directory | Powershell Get All Custom Domains And Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domains-and-certs.md | |
active-directory | Powershell Get All Default Domain Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-default-domain-apps.md | |
active-directory | Powershell Get All Wildcard Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-wildcard-apps.md | |
active-directory | Powershell Get Custom Domain Identical Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-identical-cert.md | |
active-directory | Powershell Get Custom Domain Replace Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-replace-cert.md | |
active-directory | Powershell Move All Apps To Connector Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-move-all-apps-to-connector-group.md | |
active-directory | Architecture Icons | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/architecture-icons.md | + + Title: Microsoft Entra architecture icons +description: Learn about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. +++++ Last updated : 08/15/2023++++# Customer intent: As a new or existing customer, I want to learn how I can use the official Microsoft Entra icons in architectural diagrams, training materials, or documentation. +++# Microsoft Entra architecture icons ++Helping our customers design and architect new solutions is core to the Microsoft Entra mission. Architecture diagrams can help communicate design decisions and the relationships between components of a given workload. This article provides information about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. ++## General guidelines ++### Do's ++- Use the icon to illustrate how products can work together. +- In diagrams, we recommend including the product name somewhere close to the icon. ++### Don'ts ++- Don't crop, flip, or rotate icons. +- Don't distort or change the icon shape in any way. +- Don't use Microsoft product icons to represent your product or service. +- Don't use Microsoft product icons in marketing communications. ++## Icon updates ++| Month | Change description | +|-|--| +| August 2023 | Added a downloadable package that contains the Microsoft Entra architecture icons, branding playbook (which contains guidelines about the Microsoft Security visual identity), and terms of use. | ++## Icon terms ++Microsoft permits the use of these icons in architectural diagrams, training materials, or documentation. You may copy, distribute, and display the icons only for the permitted use unless granted explicit permission by Microsoft. Microsoft reserves all other rights. ++ > [!div class="button"] + > [I agree to the above terms. Download icons.](https://download.microsoft.com/download/a/4/2/a4289cad-4eaf-4580-87fd-ce999a601516/Microsoft-Entra-architecture-icons.zip?wt.mc_id=microsoftentraicons_downloadmicrosoftentraicons_content_cnl_csasci) ++## More icon sets from Microsoft ++- [Azure architecture icons](/azure/architecture/icons) +- [Microsoft 365 architecture icons and templates](/microsoft-365/solutions/architecture-icons-templates) +- [Dynamics 365 icons](/dynamics365/get-started/icons) +- [Microsoft Power Platform icons](/power-platform/guidance/icons) |
active-directory | Govern Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/govern-service-accounts.md | |
active-directory | Multi Tenant Common Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-common-considerations.md | |
active-directory | Multi Tenant User Management Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-user-management-scenarios.md | |
active-directory | Recoverability Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/recoverability-overview.md | Create a process of predefined communications to make others aware of the issue Document the state of your tenant and its objects regularly. Then if a hard delete or misconfiguration occurs, you have a roadmap to recovery. The following tools can help you document your current state: - [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Azure AD configurations.-- [Azure AD Exporter](https://github.com/microsoft/azureadexporter) is a tool you can use to export your configuration settings.+- [Entra Exporter](https://github.com/microsoft/entraexporter) is a tool you can use to export your configuration settings. - [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) is a module of the PowerShell Desired State Configuration framework. You can use it to export configurations for reference and application of the prior state of many settings. - [Conditional Access APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) can be used to manage your Conditional Access policies as code. |
active-directory | Resilient External Processes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilient-external-processes.md | Identity experience framework (IEF) policies allow you to call an external syste - If the data that is necessary for authentication is relatively static and small, and has no other business reason to be externalized from the directory, then consider having it in the directory. -- Remove API calls from the pre-authenticated path whenever possible. If you can't, then you must place strict protections for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in front of your APIs. Attackers can load the sign-in page and try to flood your API with DoS attacks and cripple your application. For example, using CAPTCHA in your sign in, sign up flow can help.+- Remove API calls from the pre-authenticated path whenever possible. If you can't, then you must place strict protections for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in front of your APIs. Attackers can load the sign-in page and try to flood your API with DoS attacks and disable your application. For example, using CAPTCHA in your sign in, sign up flow can help. - Use [API connectors of built-in sign-up user flow](../../active-directory-b2c/api-connectors-overview.md) wherever possible to integrate with web APIs either After federating with an identity provider during sign-up or before creating the user. Since the user flows are already extensively tested, it's likely that you don't have to perform user flow-level functional, performance, or scale testing. You still need to test your applications for functionality, performance, and scale. |
active-directory | Service Accounts Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/service-accounts-managed-identities.md | |
active-directory | Service Accounts Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/service-accounts-principal.md | |
active-directory | Certificate Based Authentication Federation Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-android.md | description: Learn about the supported scenarios and the requirements for config + Last updated 09/30/2022 |
active-directory | Certificate Based Authentication Federation Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-get-started.md | description: Learn how to configure certificate-based authentication with federa + Last updated 05/04/2022 |
active-directory | Certificate Based Authentication Federation Ios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-ios.md | description: Learn about the supported scenarios and the requirements for config + Last updated 09/30/2022 |
active-directory | Concept Authentication Default Enablement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-default-enablement.md | The following table lists each setting that can be set to Microsoft managed and | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled | | [System-preferred MFA](concept-system-preferred-multifactor-authentication.md) | Enabled | | [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled | +| [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled | As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication. |
active-directory | Concept Authentication Oath Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-oath-tokens.md | OATH TOTP hardware tokens typically come with a secret key, or seed, pre-program Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow. -OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). :::image type="content" border="true" source="./media/concept-authentication-methods/oath-tokens.png" alt-text="Screenshot of OATH token management." lightbox="./media/concept-authentication-methods/oath-tokens.png"::: |
active-directory | Concept Certificate Based Authentication Certificateuserids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md | |
active-directory | Concept Mfa Regional Opt In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-regional-opt-in.md | For Voice verification, the following region codes require an opt-in. | 236 | Central African Republic | | 237 | Cameroon | | 238 | Cabo Verde |-| 239 | Sao Tome and Principe | +| 239 | São Tomé and Príncipe | | 240 | Equatorial Guinea | | 241 | Gabon | | 242 | Congo | |
active-directory | Concept Password Ban Bad Combined Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md | description: Learn about the combined password policy and check for weak passwor + Last updated 04/02/2023 |
active-directory | Concept Resilient Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-resilient-controls.md | |
active-directory | Concept Sspr Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-policy.md | |
active-directory | Concepts Azure Multi Factor Authentication Prompts Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md | description: Learn about the recommended configuration for reauthentication prom + Previously updated : 03/28/2023 Last updated : 08/15/2023 Azure Active Directory (Azure AD) has multiple settings that determine how often The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt. -It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken). +It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions by using Microsoft Graph PowerShell](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession). This article details recommended configurations and how different settings work and interact with each other. |
active-directory | How To Certificate Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-certificate-based-authentication.md | |
active-directory | How To Mfa Authenticator Lite | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-authenticator-lite.md | To disable Authenticator Lite in the Azure portal, complete the following steps: Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application. -<img width="1112" alt="Entra portal Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png"> +<img width="1112" alt="Microsoft Entra admin center Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png"> 3. On the Configure tab, for **Microsoft Authenticator on companion applications**, change Status to Disabled, and click Save. |
active-directory | How To Migrate Mfa Server To Azure Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md | description: Step-by-step guidance to migrate from MFA Server on-premises to Azu + Last updated 01/29/2023 |
active-directory | How To Migrate Mfa Server To Mfa With Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md | Title: Migrate to Azure AD MFA with federations description: Step-by-step guidance to move from MFA Server on-premises to Azure AD MFA with federation + Last updated 05/23/2023 |
active-directory | Howto Authentication Passwordless Phone | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-phone.md | description: Enable passwordless sign-in to Azure AD using Microsoft Authenticat + Last updated 05/16/2023 |
active-directory | Howto Authentication Use Email Signin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md | description: Learn how to enable users to sign in to Azure Active Directory with + Last updated 06/01/2023 -> Sign-in to Azure AD with email as an alternate login ID is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Sign-in to Azure AD with email as an alternate login ID is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). Many organizations want to let users sign in to Azure Active Directory (Azure AD) using the same credentials as their on-premises directory environment. With this approach, known as hybrid authentication, users only need to remember one set of credentials. |
active-directory | Howto Mfa Getstarted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-getstarted.md | Title: Deployment considerations for Azure AD Multi-Factor Authentication description: Learn about deployment considerations and strategy for successful implementation of Azure AD Multi-Factor Authentication + Last updated 03/06/2023 |
active-directory | Howto Mfa Mfasettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-mfasettings.md | To unblock a user, complete the following steps: Users who report an MFA prompt as suspicious are set to **High User Risk**. Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the **Fraud Alert** automatic blocking feature and don't have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in. For more information about using risk-based policies, see [Risk-based access policies](../identity-protection/concept-identity-protection-policies.md). -To enable **Report suspicious activity** from the Authentication Methods Settings: +To enable **Report suspicious activity** from the Authentication methods **Settings**: 1. In the Azure portal, click **Azure Active Directory** > **Security** > **Authentication Methods** > **Settings**. -1. Set **Report suspicious activity** to **Enabled**. +1. Set **Report suspicious activity** to **Enabled**. The feature remains disabled if you choose **Microsoft managed**. For more information about Microsoft managed values, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md). 1. Select **All users** or a specific group. +1. Select a **Reporting code**. +1. Click **Save**. ++>[!NOTE] +>If you enable **Report suspicious activity** and specify a custom voice reporting value while the tenant still has **Fraud Alert** enabled in parallel with a custom voice reporting number configured, the **Report suspicious activity** value will be used instead of **Fraud Alert**. ### View suspicious activity events OATH TOTP hardware tokens typically come with a secret key, or seed, pre-program Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow. -OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms). +OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). ![Screenshot that shows the OATH tokens section.](media/concept-authentication-methods/mfa-server-oath-tokens-azure-ad.png) The following table lists more numbers for different countries. | Sri Lanka | +94 117750440 | | Sweden | +46 701924176 | | Taiwan | +886 277515260 |-| Turkey | +90 8505404893 | +| T├╝rkiye | +90 8505404893 | | Ukraine | +380 443332393 | | United Arab Emirates | +971 44015046 | | Vietnam | +84 2039990161 | |
active-directory | Howto Mfa Nps Extension Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-errors.md | If you encounter errors with the NPS extension for Azure AD Multi-Factor Authent | **REQUEST_FORMAT_ERROR** <br> Radius Request missing mandatory Radius userName\Identifier attribute.Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension does not work when installed over such installations and errors out since it cannot read the details from the authentication request. | | **REQUEST_MISSING_CODE** | Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. **PAP** supports all the authentication methods of Azure AD MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. **CHAPV2** and **EAP** support phone call and mobile app notification. | | **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you are using cross-forest trusts, [contact support](#contact-microsoft-support) for further help. |+| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP will observe user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). | ### Alternate login ID errors |
active-directory | Howto Mfa Nps Extension Rdg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md | description: Integrate your Remote Desktop Gateway infrastructure with Azure AD + Last updated 01/29/2023 |
active-directory | Howto Mfa Nps Extension Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md | description: Integrate your VPN infrastructure with Azure AD MFA by using the Ne + Last updated 01/29/2023 |
active-directory | Howto Mfa Nps Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md | |
active-directory | Howto Mfa Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-reporting.md | |
active-directory | Howto Mfa Userstates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userstates.md | |
active-directory | Howto Password Smart Lockout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-password-smart-lockout.md | Based on your organizational requirements, you can customize the Azure AD smart To check or modify the smart lockout values for your organization, complete the following steps: -1. Sign in to the [Entra portal](https://entra.microsoft.com/#home). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home). 1. Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**. 1. Set the **Lockout threshold**, based on how many failed sign-ins are allowed on an account before its first lockout. |
active-directory | Howto Registration Mfa Sspr Combined Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md | description: Troubleshoot Azure AD Multi-Factor Authentication and self-service + Last updated 01/29/2023 |
active-directory | Howto Sspr Authenticationdata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-authenticationdata.md | |
active-directory | V1 Permissions Consent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/v1-permissions-consent.md | |
active-directory | Block Legacy Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/block-legacy-authentication.md | The following messaging protocols support legacy authentication: - Universal Outlook - Used by the Mail and Calendar app for Windows 10. - Other clients - Other protocols identified as utilizing legacy authentication. -For more information about these authentication protocols and services, see [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities). +For more information about these authentication protocols and services, see [Sign-in activity reports](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities). ### Identify legacy authentication use Before you can block legacy authentication in your directory, you need to first #### Sign-in log indicators -1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Azure Active Directory** > **Sign-in logs**. 1. Add the **Client App** column if it isn't shown by clicking on **Columns** > **Client App**. 1. Select **Add filters** > **Client App** > choose all of the legacy authentication protocols and select **Apply**. 1. If you've activated the [new sign-in activity reports preview](../reports-monitoring/concept-all-sign-ins.md), repeat the above steps also on the **User sign-ins (non-interactive)** tab. |
active-directory | Concept Condition Filters For Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-condition-filters-for-devices.md | There are multiple scenarios that organizations can now enable using filter for ## Create a Conditional Access policy -Filter for devices is an option when creating a Conditional Access policy in the Azure portal or using the Microsoft Graph API. +Filter for devices is an optional control when creating a Conditional Access policy. The following steps will help create two Conditional Access policies to support the first scenario under [Common scenarios](#common-scenarios). Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Concept Conditional Access Cloud Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md | description: What are cloud apps, actions, and authentication context in an Azur + Last updated 06/27/2023 For example, an organization may keep files in SharePoint sites like the lunch m ### Configure authentication contexts -Authentication contexts are managed in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**. +Authentication contexts are managed under **Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**. -![Manage authentication context in the Azure portal](./media/concept-conditional-access-cloud-apps/conditional-access-authentication-context-get-started.png) +![Manage authentication context](./media/concept-conditional-access-cloud-apps/conditional-access-authentication-context-get-started.png) -Create new authentication context definitions by selecting **New authentication context** in the Azure portal. Organizations are limited to a total of 25 authentication context definitions. Configure the following attributes: +Create new authentication context definitions by selecting **New authentication context**. Organizations are limited to a total of 25 authentication context definitions. Configure the following attributes: - **Display name** is the name that is used to identify the authentication context in Azure AD and across applications that consume authentication contexts. We recommend names that can be used across resources, like "trusted devices", to reduce the number of authentication contexts needed. Having a reduced set limits the number of redirects and provides a better end to end-user experience. - **Description** provides more information about the policies it's used by Azure AD administrators and those applying authentication contexts to resources. |
active-directory | Concept Conditional Access Policy Common | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-policy-common.md | Policies in this category provide new ways to protect against compromise. -Find these templates in the **[Microsoft Entra admin center](https://entra.microsoft.com)** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category. +Find these templates in the [Microsoft Entra admin center](https://entra.microsoft.com) > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category. :::image type="content" source="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png" alt-text="Screenshot that shows how to create a Conditional Access policy from a preconfigured template in the Microsoft Entra admin center." lightbox="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png"::: > [!IMPORTANT]-> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. Simply navigate to **Microsoft Entra admin center** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Policies**, select the policy to open the editor and modify the excluded users and groups to select accounts you want to exclude. +> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. You can find these policies in the [Microsoft Entra admin center](https://entra.microsoft.com) > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Policies**. Select a policy to open the editor and modify the excluded users and groups to select accounts you want to exclude. By default, each policy is created in [report-only mode](concept-conditional-access-report-only.md), we recommended organizations test and monitor usage, to ensure intended result, before turning on each policy. |
active-directory | Concept Conditional Access Session | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-session.md | For more information, see the article [Configure authentication session manageme - **Disable** only work when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy. You can choose to disable all users or specific users and groups. ## Disable resilience defaults |
active-directory | Concept Conditional Access Users Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-users-groups.md | By default the policy provides an option to exclude the current user from the po ![Warning, don't lock yourself out!](./media/concept-conditional-access-users-groups/conditional-access-users-and-groups-lockout-warning.png) -If you do find yourself locked out, see [What to do if you're locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal) +If you do find yourself locked out, see [What to do if you're locked out?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out) ### External partner access |
active-directory | Concept Continuous Access Evaluation Strict Enforcement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-strict-enforcement.md | Repeat steps 2 and 3 with expanding groups of users until Strictly Enforce Locat Administrators can investigate the Sign-in logs to find cases with **IP address (seen by resource)**. -1. Sign in to the **Azure portal** as at least a Global Reader. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). 1. Browse to **Azure Active Directory** > **Sign-ins**. 1. Find events to review by adding filters and columns to filter out unnecessary information. 1. Add the **IP address (seen by resource)** column and filter out any blank items to narrow the scope. The **IP address (seen by resource)** is blank when that IP seen by Azure AD matches the IP address seen by the resource. |
active-directory | Concept Continuous Access Evaluation Workload | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md | Last updated 07/22/2022 -+ When a clientΓÇÖs access to a resource is blocked due to CAE being triggered, th The following steps detail how an admin can verify sign in activity in the sign-in logs: -1. Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process. 1. Select an entry to see activity details. The **Continuous access evaluation** field indicates whether a CAE token was issued in a particular sign-in attempt. The following steps detail how an admin can verify sign in activity in the sign- - [Register an application with Azure AD and create a service principal](../develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) - [How to use Continuous Access Evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md) - [Sample application using continuous access evaluation](https://github.com/Azure-Samples/ms-identity-dotnetcore-daemon-graph-cae)+- [Securing workload identities with Azure AD Identity Protection](../identity-protection/concept-workload-identity-risk.md) - [What is continuous access evaluation?](../conditional-access/concept-continuous-access-evaluation.md) |
active-directory | Concept Continuous Access Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md | Customers who have configured CAE settings under Security before have to migrate :::image type="content" source="media/concept-continuous-access-evaluation/migrate-continuous-access-evaluation.png" alt-text="Portal view showing the option to migrate continuous access evaluation to a Conditional Access policy." lightbox="media/concept-continuous-access-evaluation/migrate-continuous-access-evaluation.png"::: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Continuous access evaluation**. 1. You have the option to **Migrate** your policy. This action is the only one that you have access to at this point. 1. Browse to **Conditional Access** and you find a new policy named **Conditional Access policy created from CAE settings** with your settings configured. Administrators can choose to customize this policy or create their own to replace it. Changes made to Conditional Access policies and group membership made by adminis When Conditional Access policy or group membership changes need to be applied to certain users immediately, you have two options. - Run the [revoke-mgusersign PowerShell command](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession) to revoke all refresh tokens of a specified user.-- Select "Revoke Session" on the user profile page in the Azure portal to revoke the user's session to ensure that the updated policies are applied immediately.+- Select "Revoke Session" on the user profile page to revoke the user's session to ensure that the updated policies are applied immediately. ### IP address variation and networks with IP address shared or unknown egress IPs |
active-directory | Concept Filter For Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-filter-for-applications.md | Custom security attributes are security sensitive and can only be managed by del 1. Assign the appropriate role to the users who will manage or report on these attributes at the directory scope. - For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). + For detailed steps, see [Assign Azure roles](../../role-based-access-control/role-assignments-portal.md). ## Create custom security attributes Follow the instructions in the article, [Add or deactivate custom security attri :::image type="content" source="media/concept-filter-for-applications/edit-filter-for-applications.png" alt-text="A screenshot showing a Conditional Access policy with the edit filter window showing an attribute of require MFA." lightbox="media/concept-filter-for-applications/edit-filter-for-applications.png"::: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. Set up a sample application that, demonstrates how a job or a Windows service ca When you don't have a service principal listed in your tenant, it can't be targeted. The Office 365 suite is an example of one such service principal. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Enterprise applications**. 1. Select the service principal you want to apply a custom security attribute to. 1. Under **Manage** > **Custom security attributes (preview)**, select **Add assignment**. |
active-directory | Concept Token Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-token-protection.md | Users who perform specialized roles like those described in [Privileged access s The steps that follow help create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. Monitoring Conditional Access enforcement of token protection before and after e Use Azure AD sign-in log to verify the outcome of a token protection enforcement policy in report only mode or in enabled mode. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Sign-in logs**. 1. Select a specific request to determine if the policy is applied or not. 1. Go to the **Conditional Access** or **Report-Only** pane depending on its state and select the name of your policy requiring token protection. |
active-directory | How To App Protection Policy Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md | The following policy is put in to [Report-only mode](howto-conditional-access-in The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [Preview: App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | How To Policy Mfa Admin Portals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-policy-mfa-admin-portals.md | Microsoft recommends securing access to any Microsoft admin portals like Microso ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | How To Policy Phish Resistant Admin Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-policy-phish-resistant-admin-mfa.md | Organizations can choose to include or exclude roles as they see fit. ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-apis.md | description: Using the Azure AD Conditional Access APIs and PowerShell to manage + Last updated 09/10/2020 |
active-directory | Howto Conditional Access Insights Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md | If you haven't integrated Azure AD logs with Azure Monitor logs, you need to tak To access the insights and reporting workbook: -1. Sign in to the **Azure portal**. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Insights and reporting**. ### Get started: Select parameters You can also investigate the sign-ins of a specific user by searching for sign-i To configure a Conditional Access policy in report-only mode: -1. Sign into the **Azure portal** as a Conditional Access Administrator, security administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select an existing policy or create a new policy. 1. Under **Enable policy** set the toggle to **Report-only** mode. To configure a Conditional Access policy in report-only mode: ### Why are queries failing due to a permissions error? -In order to access the workbook, you need the proper Azure AD permissions and Log Analytics workspace permissions. To test whether you have the proper workspace permissions by running a sample log analytics query: +In order to access the workbook, you need the proper permissions in Azure AD and Log Analytics. To test whether you have the proper workspace permissions by running a sample log analytics query: -1. Sign in to the **Azure portal**. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Log Analytics**. 1. Type `SigninLogs` into the query box and select **Run**. 1. If the query doesn't return any results, your workspace may not have been configured correctly. |
active-directory | Howto Conditional Access Policy Admin Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md | Organizations can choose to include or exclude roles as they see fit. The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multifactor authentication. Some organizations may be ready to move to stronger authentication methods for their administrators. These organizations may choose to implement a policy like the one described in the article [Require phishing-resistant multifactor authentication for administrators](how-to-policy-phish-resistant-admin-mfa.md). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy All Users Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md | Organizations that use [Subscription Activation](/windows/deployment/windows-10- The following steps help create a Conditional Access policy to require all users do multifactor authentication. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Authentication Strength External | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-authentication-strength-external.md | The authentication methods that external users can use to satisfy MFA requiremen Determine if one of the built-in authentication strengths will work for your scenario or if you'll need to create a custom authentication strength. -1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator. -1. Browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Authentication methods** > **Authentication strengths**. 1. Review the built-in authentication strengths to see if one of them meets your requirements. 1. If you want to enforce a different set of authentication methods, [create a custom authentication strength](https://aka.ms/b2b-auth-strengths). Determine if one of the built-in authentication strengths will work for your sce Use the following steps to create a Conditional Access policy that applies an authentication strength to external users. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Azure Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md | The following steps will help create a Conditional Access policy to require user > [!CAUTION] > Make sure you understand how Conditional Access works before setting up a policy to manage access to Microsoft Azure Management. Make sure you don't create conditions that could block your own access to the portal. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Block Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-access.md | -> Misconfiguration of a block policy can lead to organizations being locked out of the Azure portal. +> Misconfiguration of a block policy can lead to organizations being locked out. Policies like these can have unintended side effects. Proper testing and validation are vital before enabling. Administrators should utilize tools such as [Conditional Access report-only mode](concept-conditional-access-report-only.md) and [the What If tool in Conditional Access](what-if-tool.md) when making changes. The following steps will help create Conditional Access policies to block access The first policy blocks access to all apps except for Microsoft 365 applications if not on a trusted location. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Block Legacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md | Organizations can choose to deploy this policy using the steps outlined below or The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put in to [Report-only mode](howto-conditional-access-insights-reporting.md) to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch to **On** or stage the deployment by adding specific groups and excluding others. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Compliant Device Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device-admin.md | Organizations can choose to include or exclude roles as they see fit. The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Compliant Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md | Requiring a hybrid Azure AD joined device is dependent on your devices already b The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Location | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-location.md | With the location condition in Conditional Access, you can control access to you ## Define locations -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Named locations**. 1. Choose the type of location to create. 1. **Countries location** or **IP ranges location**. More information about the location condition in Conditional Access can be found ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md | Organizations can choose to deploy this policy using the steps outlined below or The following policy applies to the selected users, who attempt to register using the combined registration experience. The policy requires users to be in a trusted network location, do multifactor authentication or use Temporary Access Pass credentials. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration with TAP**. Organizations may choose to require other grant controls with or in place of **R For [guest users](../external-identities/what-is-b2b.md) who need to register for multifactor authentication in your directory you may choose to block registration from outside of [trusted network locations](concept-conditional-access-conditions.md#locations) using the following guide. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**. |
active-directory | Howto Conditional Access Policy Risk User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk-user.md | Organizations can choose to deploy this policy using the steps outlined below or ## Enable with Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Policy Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk.md | Organizations can choose to deploy this policy using the steps outlined below or ## Enable with Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Conditional Access Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md | description: Customize Azure AD authentication session configuration including u + Last updated 07/18/2023 To make sure that your policy works as expected, the recommended best practice i ### Policy 1: Sign-in frequency control -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. To make sure that your policy works as expected, the recommended best practice i ### Policy 2: Persistent browser session -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. To make sure that your policy works as expected, the recommended best practice i 1. Select **Persistent browser session**. > [!NOTE]- > Persistent Browser Session configuration in Azure AD Conditional Access overrides the ΓÇ£Stay signed in?ΓÇ¥ setting in the company branding pane in the Azure portal for the same user if you have configured both policies. + > Persistent Browser Session configuration in Azure AD Conditional Access overrides the ΓÇ£Stay signed in?ΓÇ¥ setting in the company branding pane for the same user if you have configured both policies. 1. Select a value from dropdown. 1. Save your policy. ### Policy 3: Sign-in frequency control every time risky user -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Continuous Access Evaluation Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot.md | Administrators can monitor and troubleshoot sign in events where [continuous acc Administrators can monitor user sign-ins where continuous access evaluation (CAE) is applied. This information is found in the Azure AD sign-in logs: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Sign-in logs**. 1. Apply the **Is CAE Token** filter. The continuous access evaluation insights workbook allows administrators to view Log Analytics integration must be completed before workbooks are displayed. For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Workbooks**. 1. Under **Public Templates**, search for **Continuous access evaluation insights**. Admins can view records filtered by time range and application. Admins can compa To unblock users, administrators can add specific IP addresses to a trusted named location. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations. > [!NOTE] |
active-directory | Howto Policy App Enforced Restriction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-app-enforced-restriction.md | Block or limit access to SharePoint, OneDrive, and Exchange content from unmanag ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Policy Approved App Or App Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-approved-app-or-app-protection.md | The following steps will help create a Conditional Access policy requiring an ap Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. After administrators confirm the settings using [report-only mode](howto-conditi This policy will block all Exchange ActiveSync clients using basic authentication from connecting to Exchange Online. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Policy Guest Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-guest-mfa.md | Require guest users perform multifactor authentication when accessing your organ ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Policy Persistent Browser Session | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-persistent-browser-session.md | Protect user access on unmanaged devices by preventing browser sessions from rem ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Policy Unknown Unsupported Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-unknown-unsupported-device.md | Users will be blocked from accessing company resources when the device type is u ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Location Condition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/location-condition.md | The location found using the public IP address a client provides to Azure Active ## Named locations -Locations exist in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. +Locations exist under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. > [!VIDEO https://www.youtube.com/embed/P80SffTIThY] To define a named location by IPv4/IPv6 address ranges, you need to provide: - One or more IP ranges. - Optionally **Mark as trusted location**. -![New IP locations in the Azure portal](./media/location-condition/new-trusted-location.png) +![New IP locations](./media/location-condition/new-trusted-location.png) Named locations defined by IPv4/IPv6 address ranges are subject to the following limitations: To define a named location by country/region, you need to provide: - Add one or more countries/regions. - Optionally choose to **Include unknown countries/regions**. -![Country as a location in the Azure portal](./media/location-condition/new-named-location-country-region.png) +![Country as a location](./media/location-condition/new-named-location-country-region.png) If you select **Determine location by IP address**, the system collects the IP address of the device the user is signing into. When a user signs in, Azure AD resolves the user's IPv4 or [IPv6](/troubleshoot/azure/active-directory/azure-ad-ipv6-support) address (starting April 3, 2023) to a country or region, and the mapping updates periodically. Organizations can use named locations defined by countries/regions to block traffic from countries/regions where they don't do business. |
active-directory | Migrate Approved Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/migrate-approved-client-app.md | The following steps make an existing Conditional Access policy require an approv Organizations can choose to update their policies using the following steps. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select a policy that uses the approved client app grant. 1. Under **Access controls** > **Grant**, select **Grant access**. The following steps help create a Conditional Access policy requiring an approve Organizations can choose to deploy this policy using the following steps. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/overview.md | Administrators can create policies from scratch or start from a template policy Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies in Azure AD. -Conditional Access is found in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access**. +Conditional Access is found in the [Microsoft Entra admin center](https://entra.microsoft.com) under **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. - The **Overview** page provides a summary of policy state, users, devices, and applications as well as general and security alerts with suggestions. - The **Coverage** page provides a synopsis of applications with and without Conditional Access policy coverage over the last seven days. |
active-directory | Plan Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/plan-conditional-access.md | Taking into account our learnings in the use of Conditional Access and supportin **Ensure that every app has at least one Conditional Access policy applied**. From a security perspective it's better to create a policy that encompasses **All cloud apps**, and then exclude applications that you don't want the policy to apply to. This practice ensures you don't need to update Conditional Access policies every time you onboard a new application. > [!TIP]-> Be very careful in using block and all apps in a single policy. This could lock admins out of the Azure portal, and exclusions cannot be configured for important endpoints such as Microsoft Graph. +> Be very careful in using block and all apps in a single policy. This could lock admins out, and exclusions cannot be configured for important endpoints such as Microsoft Graph. ### Minimize the number of Conditional Access policies |
active-directory | Policy Migration Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/policy-migration-mfa.md | -This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies in the Azure portal](policy-migration.md) before you start migrating your classic policies. +This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies](policy-migration.md) before you start migrating your classic policies. ![Classic policy details requiring MFA for Salesforce app](./media/policy-migration/33.png) The migration process consists of the following steps: [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Navigate to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select, **Classic policies**. The migration process consists of the following steps: 1. In the list of classic policies, select the policy you wish to migrate. Document the configuration settings so that you can re-create with a new Conditional Access policy. -For examples of common policies and their configuration in the Azure portal, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md). +For examples of common policies and their configuration, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md). ## Disable the classic policy |
active-directory | Require Tou | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/require-tou.md | In this quickstart, you'll configure a Conditional Access policy in Azure Active To complete the scenario in this quickstart, you need: - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. You can sign up for a trial in the Azure portal.+- Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. - A test account to sign-in with - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users.md#add-a-new-user). ## Sign-in without terms of use This section provides you with the steps to create a sample ToU. When you create 1. In Microsoft Word, create a new document. 1. Type **My terms of use**, and then save the document on your computer as **mytou.pdf**.-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or a Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. - :::image type="content" source="media/require-tou/terms-of-use-azure-ad-conditional-access.png" alt-text="Screenshot of terms of use shown in the Azure portal highlighting the new terms button." lightbox="media/require-tou/terms-of-use-azure-ad-conditional-access.png"::: + :::image type="content" source="media/require-tou/terms-of-use-azure-ad-conditional-access.png" alt-text="Screenshot of terms of use highlighting the new terms button." lightbox="media/require-tou/terms-of-use-azure-ad-conditional-access.png"::: 1. In the menu on the top, select **New terms**. - :::image type="content" source="media/require-tou/new-terms-of-use-creation.png" alt-text="Screenshot that shows creating a new terms of use policy in the Azure portal." lightbox="media/require-tou/new-terms-of-use-creation.png"::: + :::image type="content" source="media/require-tou/new-terms-of-use-creation.png" alt-text="Screenshot that shows creating a new terms of use policy." lightbox="media/require-tou/new-terms-of-use-creation.png"::: 1. In the **Name** textbox, type **My TOU**. 1. Upload your terms of use PDF file. |
active-directory | Resilience Defaults | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/resilience-defaults.md | You can configure Conditional Access resilience defaults from the Azure portal, ### Azure portal -1. Navigate to the **Azure portal** > **Security** > **Conditional Access** +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** 1. Create a new policy or select an existing policy 1. Open the Session control settings 1. Select Disable resilience defaults to disable the setting for this policy. Sign-ins in scope of the policy will be blocked during an Azure AD outage |
active-directory | Terms Of Use | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/terms-of-use.md | Azure AD terms of use policies use the PDF format to present content. The PDF fi Once you've completed your terms of use policy document, use the following procedure to add it. -1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. Select, **New terms**. ![New term of use pane to specify your terms of use settings](./media/terms-of-use/new-tou.png) -1. In the **Name** box, enter a name for the terms of use policy used in the Azure portal. +1. In the **Name** box, enter a name for the terms of use policy. 1. For **Terms of use document**, browse to your finalized terms of use policy PDF and select it. 1. Select the language for your terms of use policy document. The language option allows you to upload multiple terms of use policies, each with a different language. The version of the terms of use policy that an end user sees is based on their browser preferences. 1. In the **Display name** box, enter a title that users see when they sign in. Once you've completed your terms of use policy document, use the following proce The Terms of use blade shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the terms of use policy. -1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. ![Terms of use blade listing the number of user show have accepted and declined](./media/terms-of-use/view-tou.png) If you want to view more activity, Azure AD terms of use policies include audit To get started with Azure AD audit logs, use the following procedure: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. Select a terms of use policy. 1. Select **View audit logs**. Users can review and see the terms of use policies that they've accepted by usin You can edit some details of terms of use policies, but you can't modify an existing document. The following procedure describes how to edit the details. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to edit. 1. Select **Edit terms**. You can edit some details of terms of use policies, but you can't modify an exis ## Update the version or pdf of an existing terms of use -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to edit. 1. Select **Edit terms**. You can edit some details of terms of use policies, but you can't modify an exis ## View previous versions of a ToU -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy for which you want to view a version history. 1. Select **Languages and version history** You can edit some details of terms of use policies, but you can't modify an exis ## See who has accepted each version -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. To see who has currently accepted the ToU, select the number under the **Accepted** column for the ToU you want. 1. By default, the next page will show you the current state of each user's acceptance to the ToU You can edit some details of terms of use policies, but you can't modify an exis The following procedure describes how to add a ToU language. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to edit. 1. Select **Edit Terms** If a user is using browser that isn't supported, they're asked to use a differen You can delete old terms of use policies using the following procedure. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to remove. 1. Select **Delete terms**. |
active-directory | Troubleshoot Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access.md | Organizations should avoid the following configurations: **For all users, all cloud apps:** - **Block access** - This configuration blocks your entire organization.-- **Require device to be marked as compliant** - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.+- **Require device to be marked as compliant** - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back in to change the policy. - **Require Hybrid Azure AD domain joined device** - This policy block access has also the potential to block access for all users in your organization if they don't have a hybrid Azure AD joined device. - **Require app protection policy** - This policy block access has also the potential to block access for all users in your organization if you don't have an Intune policy. If you're an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure. More information can be found about the problem by clicking **More Details** in To find out which Conditional Access policy or policies applied and why do the following. -1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Global Reader. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Sign-ins**. 1. Find the event for the sign-in to review. Add or remove filters and columns to filter out unnecessary information. 1. Add filters to narrow the scope: To determine the service dependency, check the sign-ins log for the application :::image type="content" source="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png" alt-text="Screenshot that shows an example sign-in log showing an Application calling a Resource. This scenario is also known as a service dependency." lightbox="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png"::: -## What to do if you're locked out of the Azure portal? +## What to do if you're locked out? -If you're locked out of the Azure portal due to an incorrect setting in a Conditional Access policy: +If you're locked out of the due to an incorrect setting in a Conditional Access policy: -- Check is there are other administrators in your organization that aren't blocked yet. An administrator with access to the Azure portal can disable the policy that is impacting your sign-in. +- Check is there are other administrators in your organization that aren't blocked yet. An administrator with access can disable the policy that is impacting your sign-in. - If none of the administrators in your organization can update the policy, submit a support request. Microsoft support can review and upon confirmation update the Conditional Access policies that are preventing access. ## Next steps - [Use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md)-- [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md)+- [Sign-in activity reports](../reports-monitoring/concept-sign-ins.md) - [Troubleshooting Conditional Access using the What If tool](troubleshoot-conditional-access-what-if.md) |
active-directory | Troubleshoot Policy Changes Audit Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-policy-changes-audit-log.md | Find these options in the **Azure portal** > **Azure Active Directory**, **Diagn ## Use the audit log -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Audit logs**. 1. Select the **Date** range you want to query. 1. From the **Service** filter, select **Conditional Access** and select the **Apply** button. |
active-directory | What If Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/what-if-tool.md | When the evaluation has finished, the tool generates a report of the affected po ## Running the tool -You can find the **What If** tool in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**. +You can find the **What If** tool under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**. Before you can run the What If tool, you must provide the conditions you want to evaluate. Before you can run the What If tool, you must provide the conditions you want to The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions, see the article [Building a Conditional Access policy](concept-conditional-access-policies.md). ## Evaluation |
active-directory | Workload Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/workload-identity.md | -Conditional Access policies have historically applied only to users when they access apps and services like SharePoint online or the Azure portal. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. +Conditional Access policies have historically applied only to users when they access apps and services like SharePoint Online. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. A [workload identity](../workload-identities/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they: Conditional Access for workload identities enables blocking service principals f Create a location based Conditional Access policy that applies to service principals. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. Create a risk-based Conditional Access policy that applies to service principals :::image type="content" source="media/workload-identity/conditional-access-workload-identity-risk-policy.png" alt-text="Creating a Conditional Access policy with a workload identity and risk as a condition." lightbox="media/workload-identity/conditional-access-workload-identity-risk-policy.png"::: -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. If you wish to roll back this feature, you can delete or disable any created pol The sign-in logs are used to review how policy is enforced for service principals or the expected affects of policy when using report-only mode. -1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service principal sign-ins**. +1. Browse to **Microsoft Entra ID (Azure AD)** > **Monitoring & health** > **Sign-in logs** > **Service principal sign-ins**. 1. Select a log entry and choose the **Conditional Access** tab to view evaluation information. Failure reason when Service Principal is blocked by Conditional Access: ΓÇ£Access has been blocked due to Conditional Access policies.ΓÇ¥ To view results of a risk-based policy, refer to the **Report-only** tab of even You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID in Azure AD App registrations canΓÇÖt be used. This identifier is the Object ID of the app registration, not of the service principal. -1. Browse to the **Azure portal** > **Azure Active Directory** > **Enterprise Applications**, find the application you registered. +1. Browse to **Microsoft Entra ID (Azure AD)** > **Applications** > **Enterprise Applications**, find the application you registered. 1. From the **Overview** tab, copy the **Object ID** of the application. This identifier is the unique to the service principal, used by Conditional Access policy to find the calling app. ### Microsoft Graph |
active-directory | Api Find An Api How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/api-find-an-api-how-to.md | - Title: Find an API for a custom-developed app -description: How to configure the permissions you need to access a particular API in your custom developed Azure AD application -------- Previously updated : 09/27/2021-----# How to find a specific API needed for a custom-developed application --Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. --## Configuring a resource application to expose web APIs --When you expose your web API, the API be displayed in the **Select an API** list when adding permissions to an app registration. To add access scopes, follow the steps outlined in [Configure an application to expose web APIs](quickstart-configure-app-expose-web-apis.md). --## Configuring a client application to access web APIs --When you add permissions to your app registration, you can **add API access** to exposed web APIs. To access web APIs, follow the steps outlined in [Configure a client application to access web APIs](quickstart-configure-app-access-web-apis.md). --## Next steps --- [Understanding the Azure Active Directory application manifest](./reference-app-manifest.md) |
active-directory | App Objects And Service Principals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/app-objects-and-service-principals.md | |
active-directory | Authentication Flows App Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-flows-app-scenarios.md | Title: Microsoft identity platform authentication flows & app scenarios + Title: Microsoft identity platform app types and authentication flows description: Learn about application scenarios for the Microsoft identity platform, including authenticating identities, acquiring tokens, and calling protected APIs. Previously updated : 05/05/2022 Last updated : 08/11/2023 -#Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform. +# Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform. -# Authentication flows and application scenarios +# Microsoft identity platform app types and authentication flows The Microsoft identity platform supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols [OAuth 2.0 and OpenID Connect](./v2-protocols.md). By using the [authentication libraries for the Microsoft identity platform](reference-v2-libraries.md), applications authenticate identities and acquire tokens to access protected APIs. This article describes authentication flows and the application scenarios that t ## Application categories -Tokens can be acquired from several types of applications, including: +[Security tokens](./security-tokens.md) can be acquired from several types of applications, including: - Web apps - Mobile apps The following sections describe the categories of applications. Authentication scenarios involve two activities: -- **Acquiring security tokens for a protected web API**: We recommend that you use the [Microsoft Authentication Library (MSAL)](reference-v2-libraries.md), developed and supported by Microsoft.+- **Acquiring security tokens for a protected web API**: We recommend that you use the [Microsoft Authentication Library (MSAL)](msal-overview.md), developed and supported by Microsoft. - **Protecting a web API or a web app**: One challenge of protecting these resources is validating the security token. On some platforms, Microsoft offers [middleware libraries](reference-v2-libraries.md). ### With users or without users The available authentication flows differ depending on the sign-in audience. Som For more information, see [Supported account types](v2-supported-account-types.md#account-type-support-in-authentication-flows). -## Application scenarios +## Application types The Microsoft identity platform supports authentication for these app architectures: For a desktop app to call a web API that signs in users, use the interactive tok There's another possibility for Windows-hosted applications on computers joined either to a Windows domain or by Azure Active Directory (Azure AD). These applications can silently acquire a token by using [integrated Windows authentication](https://aka.ms/msal-net-iwa). -Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires that you use the [device code flow](https://aka.ms/msal-net-device-code-flow). +Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires that you use the [device code flow](v2-oauth2-device-code.md). ![Device code flow](media/scenarios/device-code-flow-app.svg) Similar to a desktop app, a mobile app calls the interactive token-acquisition m MSAL iOS and MSAL Android use the system web browser by default. However, you can direct them to use the embedded web view instead. There are specificities that depend on the mobile platform: Universal Windows Platform (UWP), iOS, or Android. -Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see [Leveraging brokers on Android and iOS](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS). +Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see [Leveraging brokers on Android and iOS](msal-net-use-brokers-with-xamarin-apps.md). For more information, see [Mobile app that calls web APIs](scenario-mobile-overview.md). |
active-directory | Authentication Protocols | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-protocols.md | - Title: Microsoft identity platform authentication protocols -description: An overview of the authentication protocols supported by the Microsoft identity platform -------- Previously updated : 09/27/2021-------# Microsoft identity platform authentication protocols --The Microsoft identity platform supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Microsoft identity platform. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section. --## Authentication protocols articles and reference --* [Important Information About Signing Key Rollover in Microsoft identity platform](./signing-key-rollover.md) ΓÇô Learn about Microsoft identity platformΓÇÖs signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios. -* [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that the Microsoft identity platform issues. -* [OAuth 2.0 in Microsoft identity platform](v2-oauth2-auth-code-flow.md) - Learn about the implementation of OAuth 2.0 in Microsoft identity platform. -* [OpenID Connect 1.0](v2-protocols-oidc.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication. -* [Service to Service Calls with Client Credentials](v2-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls. -* [Service to Service Calls with On-Behalf-Of Flow](v2-oauth2-on-behalf-of-flow.md) - Learn how to use OAuth 2.0 On-Behalf-Of flow for service to service calls. -* [SAML Protocol Reference](./saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Microsoft identity platform. --## See also --* [Microsoft identity platform overview](v2-overview.md) -* [Active Directory Code Samples](sample-v2-code.md) |
active-directory | Consent Framework Links | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/consent-framework-links.md | - Title: How application consent works -description: Learn more about how the Azure AD consent framework works to see how you can use it when developing applications on Azure AD --------- Previously updated : 09/27/2021-----# How application consent works --This article is to help you learn more about how the Azure AD consent framework works so you can develop applications more effectively. --## Recommended documents --- Get a general understanding of [how consent allows a resource owner to govern an application's access to resources](./developer-glossary.md#consent).-- Get a step-by-step overview of [how the Azure AD consent framework implements consent](./quickstart-register-app.md).-- For more depth, learn [how a multi-tenant application can use the consent framework](./howto-convert-app-to-be-multi-tenant.md) to implement "user" and "admin" consent, supporting more advanced multi-tier application patterns.-- For more depth, learn [how consent is supported at the OAuth 2.0 protocol layer during the authorization code grant flow.](v2-oauth2-auth-code-flow.md#request-an-authorization-code)--## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Custom Extension Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-extension-get-started.md | -This article describes how to configure and setup a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token. +This article describes how to configure and set up a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token. This how-to guide demonstrates the token issuance start event with a REST API running in Azure Functions and a sample OpenID Connect application. Before you start, take a look at following video, which demonstrates how to configure Azure AD custom claims provider with Function App: In this step, you configure a custom authentication extension, which will be use # [Microsoft Graph](#tab/microsoft-graph) -Create an Application Registration to authenticate your custom authentication extension to your Azure Function. +Register an application to authenticate your custom authentication extension to your Azure Function. -1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/applications` -1. Select **Request Body** and paste the following JSON: +1. Sign in to [Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. The account must have the privileges to create and manage an application registration in the tenant. +2. Run the following request. - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/applications + Content-type: application/json + {- "displayName": "authenticationeventsAPI" + "displayName": "authenticationeventsAPI" } ``` -1. Select **Run Query** to submit the request. --1. Copy the **Application ID** value (*appId*) from the response. You need this value later, which is referred to as the `{authenticationeventsAPI_AppId}`. Also get the object ID of the app (*ID*), which is referred to as `{authenticationeventsAPI_ObjectId}` from the response. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/csharp/v1/tutorial-application-basics-create-app-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/go/v1/tutorial-application-basics-create-app-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/javascript/v1/tutorial-application-basics-create-app-javascript-snippets.md)] + + # [PHP](#tab/php) + Snippet not available. + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/powershell/v1/tutorial-application-basics-create-app-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/python/v1/tutorial-application-basics-create-app-python-snippets.md)] + + -Create a service principal in the tenant for the authenticationeventsAPI app registration: +3. From the response, record the value of **id** and **appId** of the newly created app registration. These values will be referenced in this article as `{authenticationeventsAPI_ObjectId}` and `{authenticationeventsAPI_AppId}` respectively. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals` -1. Select **Request Body** and paste the following JSON: +Create a service principal in the tenant for the authenticationeventsAPI app registration. - ```json - { - "appId": "{authenticationeventsAPI_AppId}" - } - ``` +Still in Graph Explorer, run the following request. Replace `{authenticationeventsAPI_AppId}` with the value of **appId** that you recorded from the previous step. -1. Select **Run Query** to submit the request. +```http +POST https://graph.microsoft.com/v1.0/servicePrincipals +Content-type: application/json + +{ + "appId": "{authenticationeventsAPI_AppId}" +} +``` ### Set the App ID URI, access token version, and required resource access Update the newly created application to set the application ID URI value, the access token version, and the required resource access. -1. Set the HTTP method to **PATCH**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}` -1. Select **Request Body** and paste the following JSON: +In Graph Explorer, run the following request. + - Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier. + - Set the `{authenticationeventsAPI_AppId}` value with the **appId** that you recorded earlier. + - An example value is `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as you'll use it later in this article in place of `{functionApp_IdentifierUri}`. - Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier. - - Set the `{authenticationeventsAPI_AppId}` value with the App ID generated from the app registration created in the previous step. - - An example value would be `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as it is used in following steps and is referenced as `{functionApp_IdentifierUri}`. - - ```json +```http +POST https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId} +Content-type: application/json ++{ +"identifierUris": [ + "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}" +], +"api": { + "requestedAccessTokenVersion": 2, + "acceptMappedClaims": null, + "knownClientApplications": [], + "oauth2PermissionScopes": [], + "preAuthorizedApplications": [] +}, +"requiredResourceAccess": [ {- "identifierUris": [ - "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}" - ], - "api": { - "requestedAccessTokenVersion": 2, - "acceptMappedClaims": null, - "knownClientApplications": [], - "oauth2PermissionScopes": [], - "preAuthorizedApplications": [] - }, - "requiredResourceAccess": [ + "resourceAppId": "00000003-0000-0000-c000-000000000000", + "resourceAccess": [ {- "resourceAppId": "00000003-0000-0000-c000-000000000000", - "resourceAccess": [ - { - "id": "214e810f-fda8-4fd7-a475-29461495eb00", - "type": "Role" - } - ] + "id": "214e810f-fda8-4fd7-a475-29461495eb00", + "type": "Role" } ] }- ``` --1. Select **Run Query** to submit the request. +] +} +``` ### Register a custom authentication extension -Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the App Registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`. +Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the app registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/beta/identity/customAuthenticationExtensions` -1. Select **Request Body** and paste the following JSON: +1. In Graph Explorer, run the following request. Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step. + - You'll need the *CustomAuthenticationExtension.ReadWrite.All* delegated permission. - Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step. + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/beta/identity/customAuthenticationExtensions + Content-type: application/json - ```json { "@odata.type": "#microsoft.graph.onTokenIssuanceStartCustomExtension", "displayName": "onTokenIssuanceStartCustomExtension", Next, you register the custom authentication extension. You register the custom ] } ```+ # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] -1. Select **Run Query** to submit the request. + -Record the ID value of the created custom claims provider object. The ID is needed in a later step and is referred to as the `{customExtensionObjectId}`. +1. Record the **id** value of the created custom claims provider object. You'll use the value later in this tutorial in place of `{customExtensionObjectId}`. ### 2.2 Grant admin consent -After your custom authentication extension is created, you'll be taken to the **Overview** tab of the new custom authentication extension. +After your custom authentication extension is created, open the **Overview** tab of the new custom authentication extension. From the **Overview** page, select the **Grant permission** button to give admin consent to the registered app, which allows the custom authentication extension to authenticate to your API. The custom authentication extension uses `client_credentials` to authenticate to the Azure Function App using the `Receive custom authentication extension HTTP requests` permission. The following screenshot shows how to register the *My Test application*. ### 3.1 Get the application ID -In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps. +In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps. In Microsoft Graph, it's referenced by the **appId** propety. :::image type="content" border="false"source="media/custom-extension-get-started/get-the-test-application-id.png" alt-text="Screenshot that shows how to copy the application ID."::: Next, assign the attributes from the custom claims provider, which should be iss # [Microsoft Graph](#tab/microsoft-graph) -First create an event listener to trigger a custom authentication extension using the token issuance start event: --1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/beta/identity/authenticationEventListeners` -1. Select **Request Body** and paste the following JSON: +First create an event listener to trigger a custom authentication extension for the *My Test application* using the token issuance start event. - Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier. +1. Sign in to [Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. +1. Run the following request. Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier. + - You'll need the *EventListener.ReadWrite.All* delegated permission. - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/beta/identity/authenticationEventListeners + Content-type: application/json + { "@odata.type": "#microsoft.graph.onTokenIssuanceStartListener", "conditions": { First create an event listener to trigger a custom authentication extension usin } ``` -1. Select **Run Query** to submit the request. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + + -Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider: +Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/policies/claimsmappingpolicies` -1. Select **Request Body** and paste the following JSON: +1. Still in Graph Explorer, run the following request. You'll need the *Policy.ReadWrite.ApplicationConfiguration* delegated permission. +++ # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies + Content-type: application/json - ```json { "definition": [ "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"CustomClaimsProvider\",\"ID\":\"DateOfBirth\",\"JwtClaimType\":\"dob\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"CustomRoles\",\"JwtClaimType\":\"my_roles\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"CorrelationId\",\"JwtClaimType\":\"correlationId\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"ApiVersion\",\"JwtClaimType\":\"apiVersion \"},{\"Value\":\"tokenaug_V2\",\"JwtClaimType\":\"policy_version\"}]}}" Next, create the claims mapping policy, which describes which claims can be issu "isOrganizationDefault": false } ```+ # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/csharp/create-claimsmappingpolicy-from-claimsmappingpolicies-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/go/create-claimsmappingpolicy-from-claimsmappingpolicies-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/javascript/create-claimsmappingpolicy-from-claimsmappingpolicies-javascript-snippets.md)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/php/create-claimsmappingpolicy-from-claimsmappingpolicies-php-snippets.md)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/powershell/create-claimsmappingpolicy-from-claimsmappingpolicies-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/python/create-claimsmappingpolicy-from-claimsmappingpolicies-python-snippets.md)] + + -1. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`. -1. Select **Run Query** to submit the request. +2. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`. -Get the `servicePrincipal` objectId: +Get the service principal object ID: -1. Set the HTTP method to **GET**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}')/claimsMappingPolicies/$ref`. Replace `{App_to_enrich_ID}` with *My Test Application* App ID. -1. Record the `id` value, later it's referred to as `{test_App_Service_Principal_ObjectId}`. +1. Run the following request in Graph Explorer. Replace `{App_to_enrich_ID}` with the **appId** of *My Test Application*. -Assign the claims mapping policy to the `servicePrincipal` of *My Test Application*: + ```http + GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}') + ``` ++Record the value of **id**. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref` -1. Select **Request Body** and paste the following JSON: +Assign the claims mapping policy to the service principal of *My Test Application*. ++1. Run the following request in Graph Explorer. You'll need the *Policy.ReadWrite.ApplicationConfiguration* and *Application.ReadWrite.All* delegated permission. ++ # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref + Content-type: application/json - ```json { "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{claims_mapping_policy_ID}" } ``` -1. Select **Run Query** to submit the request. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/csharp/create-claimsmappingpolicy-from-serviceprincipal-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/go/create-claimsmappingpolicy-from-serviceprincipal-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/javascript/create-claimsmappingpolicy-from-serviceprincipal-javascript-snippets.md)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/php/create-claimsmappingpolicy-from-serviceprincipal-php-snippets.md)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/powershell/create-claimsmappingpolicy-from-serviceprincipal-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/python/create-claimsmappingpolicy-from-serviceprincipal-python-snippets.md)] + + |
active-directory | Delegated And App Perms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/delegated-and-app-perms.md | - Title: Differences between delegated and app permissions -description: Learn about delegated and application permissions, how they are used by clients and exposed by resources for applications you are developing with Azure AD --------- Previously updated : 11/10/2022-----# How to recognize differences between delegated and application permissions --## Recommended documents --- Learn more about how client applications use [delegated and application permission requests](developer-glossary.md#permissions) to access resources.-- Learn about [delegated and application permissions](permissions-consent-overview.md).-- See step-by-step instructions on how to [configure a client application's permission requests](quickstart-configure-app-access-web-apis.md)-- For more depth, learn how resource applications expose [scopes](developer-glossary.md#scopes) and [application roles](developer-glossary.md#roles) to client applications, which manifest as delegated and application permissions respectively in the Azure portal. --## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | How Applications Are Added | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-applications-are-added.md | |
active-directory | Howto Create Self Signed Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-self-signed-certificate.md | To customize the start and expiry date and other properties of the certificate, Use the certificate you create using this method to authenticate from an application running from your machine. For example, authenticate from Windows PowerShell. -In an elevated PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate. +In a PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate. ```powershell $certname = "{certificateName}" ## Replace {certificateName} |
active-directory | Identity Videos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/identity-videos.md | ___ <!-- IMAGES -->-[auth-fund-01-img]: ./media/identity-videos/aad-auth-fund-01.jpg -[auth-fund-02-img]: ./media/identity-videos/aad-auth-fund-02.jpg -[auth-fund-03-img]: ./media/identity-videos/aad-auth-fund-03.jpg -[auth-fund-04-img]: ./media/identity-videos/aad-auth-fund-04.jpg -[auth-fund-05-img]: ./media/identity-videos/aad-auth-fund-05.jpg -[auth-fund-06-img]: ./media/identity-videos/aad-auth-fund-06.jpg +[auth-fund-01-img]: ./media/identity-videos/auth-fund-01.jpg +[auth-fund-02-img]: ./media/identity-videos/auth-fund-02.jpg +[auth-fund-03-img]: ./media/identity-videos/auth-fund-03.jpg +[auth-fund-04-img]: ./media/identity-videos/auth-fund-04.jpg +[auth-fund-05-img]: ./media/identity-videos/auth-fund-05.jpg +[auth-fund-06-img]: ./media/identity-videos/auth-fund-06.jpg <!-- VIDEOS --> [auth-fund-01-vid]: https://www.youtube.com/watch?v=fbSVgC8nGz4&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=1 |
active-directory | Mark App As Publisher Verified | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/mark-app-as-publisher-verified.md | Title: Mark an app as publisher verified -description: Describes how to mark an app as publisher verified. When an application is marked as publisher verified, it means that the publisher (application developer) has verified the authenticity of their organization using a Microsoft Partner Network (MPN) account that has completed the verification process and has associated this MPN account with that application registration. +description: Describes how to mark an app as publisher verified. When an application is marked as publisher verified, it means that the publisher (application developer) has verified the authenticity of their organization using a Cloud Partner Program (CPP) account that has completed the verification process and has associated this CPP account with that application registration. -When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process. +When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Cloud Partner Program (CPP) account and has associated this CPP account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process. ## Quickstart-If you are already enrolled in the Microsoft Partner Network (MPN) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: +If you are already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: 1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) 1. Choose an app and click **Branding & properties**. -1. Click **Add MPN ID to verify publisher** and review the listed requirements. +1. Click **Add Partner One ID to verify publisher** and review the listed requirements. -1. Enter your MPN ID and click **Verify and save**. +1. Enter your Partner One ID and click **Verify and save**. For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md). ## Mark your app as publisher verified Make sure you meet the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified. -1. Sign in using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) to an organizational (Azure AD) account authorized to make changes to the app you want to mark as Publisher Verified and on the MPN Account in Partner Center. +1. Sign in using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) to an organizational (Azure AD) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center. - The Azure AD user must have one of the following [roles](../roles/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. - - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): MPN Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Azure AD). + - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): CPP Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Azure AD). 1. Navigate to the **App registrations** blade: Make sure you meet the [pre-requisites](publisher-verification-overview.md#requi 1. Ensure the appΓÇÖs [publisher domain](howto-configure-publisher-domain.md) is set. -1. Ensure that either the publisher domain or a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your MPN account. +1. Ensure that either the publisher domain or a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your CPP account. -1. Click **Add MPN ID to verify publisher** near the bottom of the page. +1. Click **Add Partner One ID to verify publisher** near the bottom of the page. -1. Enter the **MPN ID** for: +1. Enter the **Partner One ID** for: - - A valid Microsoft Partner Network account that has completed the verification process. + - A valid Cloud Partner Program account that has completed the verification process. - The Partner global account (PGA) for your organization. |
active-directory | Msal Client Application Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-client-application-configuration.md | The authority you specify in your code needs to be consistent with the **Support The authority can be: - An Azure AD cloud authority.-- An Azure AD B2C authority. See [B2C specifics](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics).-- An Active Directory Federation Services (AD FS) authority. See [AD FS support](https://aka.ms/msal-net-adfs-support).+- An Azure AD B2C authority. See [B2C specifics](msal-net-b2c-considerations.md). +- An Active Directory Federation Services (AD FS) authority. See [AD FS support](msal-net-adfs-support.md). Azure AD cloud authorities have two parts: You can override the redirect URI by using the `RedirectUri` property (for examp - `RedirectUriOnAndroid` = "msauth-5a434691-ccb2-4fd1-b97b-b64bcfbc03fc://com.microsoft.identity.client.sample"; - `RedirectUriOnIos` = $"msauth.{Bundle.ID}://auth"; -For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Leveraging-the-broker-on-iOS). +For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](msal-net-use-brokers-with-xamarin-apps.md). For more Android details, see [Brokered auth in Android](msal-android-single-sign-on.md). ### Redirect URI for confidential client apps |
active-directory | Permissions Consent Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/permissions-consent-overview.md | Depending on the permissions they require, some applications might require an ad Preauthorization allows a resource application owner to grant permissions without requiring users to see a consent prompt for the same set of permissions that have been preauthorized. This way, an application that has been preauthorized won't ask users to consent to permissions. Resource owners can preauthorize client apps in the Azure portal or by using PowerShell and APIs, like Microsoft Graph. -## Next steps +## See also - [Delegated access scenario](delegated-access-primer.md) - [User and admin consent overview](../manage-apps/user-admin-consent-overview.md) - [OpenID connect scopes](scopes-oidc.md)+-- [Making your application multi-tenant](./howto-convert-app-to-be-multi-tenant.md) +- [AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Perms For Given Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/perms-for-given-api.md | - Title: Select permissions for a given API -description: Learn about how permissions requests work for client and resource applications for applications you are developing --------- Previously updated : 11/10/2022-----# How to select permissions for a given API --## Recommended documents --- Learn more about how client applications use [delegated and application permission requests](./developer-glossary.md#permissions) to access resources.-- Learn about [scopes and permissions in the Microsoft identity platform](scopes-oidc.md)-- See step-by-step instructions on how to [configure a client application's permission requests](./quickstart-configure-app-access-web-apis.md)-- For more depth, learn how resource applications expose [scopes](./developer-glossary.md#scopes) and [application roles](./developer-glossary.md#roles) to client applications, which manifest as delegated and application permissions respectively in the Azure portal.--## Next steps --[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Publisher Verification Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/publisher-verification-overview.md | -When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (MCPP), formerly known as Microsoft Partner Network (MPN), account that's been [verified](/partner-center/verification-responses) and associating the verified PartnerID with an app registration. +When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (CPP), formerly known as Microsoft Partner Network (MPN), account that's been [verified](/partner-center/verification-responses) and associating the verified PartnerID with an app registration. When the publisher of an app has been verified, a blue *verified* badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and on other webpages: Publisher verification for an app has the following benefits: App developers must meet a few requirements to complete the publisher verification process. Many Microsoft partners will have already satisfied these requirements. -- The developer must have an MPN ID for a valid [Microsoft Cloud Partner Program](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process. The MPN account must be the [partner global account (PGA)](/partner-center/account-structure#the-top-level-is-the-partner-global-account-pga) for the developer's organization.+- The developer must have an Partner One ID for a valid [Microsoft Cloud Partner Program](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process. The CPP account must be the [partner global account (PGA)](/partner-center/account-structure#the-top-level-is-the-partner-global-account-pga) for the developer's organization. > [!NOTE]- > The MPN account you use for publisher verification can't be your partner location MPN ID. Currently, location MPN IDs aren't supported for the publisher verification process. + > The CPP account you use for publisher verification can't be your partner location Partner One ID. Currently, location Partner One IDs aren't supported for the publisher verification process. - The app that's to be publisher verified must be registered by using an Azure AD work or school account. Apps that are registered by using a Microsoft account can't be publisher verified. -- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the MPN PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account).+- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the CPP PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account). - The app must be registered in an Azure AD tenant and have a [publisher domain](howto-configure-publisher-domain.md) set. The feature is not supported in Azure AD B2C tenant. -- The domain of the email address that's used during MPN account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified) +- The domain of the email address that's used during CPP account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified) -- The user who initiates verification must be authorized to make changes both to the app registration in Azure AD and to the MPN account in Partner Center. The user who initiates the verification must have one of the required roles in both Azure AD and Partner Center.+- The user who initiates verification must be authorized to make changes both to the app registration in Azure AD and to the CPP account in Partner Center. The user who initiates the verification must have one of the required roles in both Azure AD and Partner Center. - In Azure AD, this user must be a member of one of the following [roles](../roles/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. - - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): MPN Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD). + - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): CPP Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD). - The user who initiates verification must sign in by using [Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md). |
active-directory | Quickstart Configure App Access Web Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-access-web-apis.md | By specifying a web API's scopes in your client app's registration, the client a [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] +Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. + In the first scenario, you grant a client app access to your own web API, both of which you should have registered as part of the prerequisites. If you don't yet have both a client app and a web API registered, complete the steps in the two [Prerequisites](#prerequisites) articles. This diagram shows how the two app registrations relate to one another. In this section, you add permissions to the client app's registration. |
active-directory | Quickstart Configure App Expose Web Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-expose-web-apis.md | In this quickstart, you'll register a web API with the Microsoft identity platfo ## Register the web API +Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. + To provide scoped access to the resources in your web API, you first need to register the API with the Microsoft identity platform. Perform the steps in the **Register an application** section of [Quickstart: Register an app with the Microsoft identity platform](quickstart-register-app.md). |
active-directory | Registration Config How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-how-to.md | - Title: Get the endpoints for an Azure AD app registration -description: How to find the authentication endpoints for a custom application you're developing or registering with Azure AD. --------- Previously updated : 11/09/2022-----# How to discover endpoints --You can find the authentication endpoints for your application in the [Azure portal](https://portal.azure.com). --1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. Select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu. -- The **Endpoints** page is displayed, showing the authentication endpoints for your tenant. - - Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application. --**National clouds** (for example Azure AD China, Germany, and US Government) have their own app registration portal and Azure AD authentication endpoints. Learn more in the [National clouds overview](authentication-national-cloud.md). --## Next steps --For more information about endpoints in the different Azure environments, see the [National clouds overview](authentication-national-cloud.md). |
active-directory | Registration Config Specific Application Property How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-specific-application-property-how-to.md | - Title: Azure portal registration fields for custom-developed apps -description: Guidance for registering a custom developed application with Azure AD --------- Previously updated : 09/27/2021-----# Azure portal registration fields for custom-developed apps --This article gives you a brief description of all the available fields in the application registration form in the [Azure portal](https://portal.azure.com). --## Register a new application --- To register a new application, sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.--- From the left navigation pane, click **Azure Active Directory.**--- Choose **App registrations** and click **Add**.--- This open up the application registration form.--## Fields in the application registration form --| Field | Description | -||| -| Name | The name of the application. It should have a minimum of four characters. | -| Supported account types| Select which accounts you would like your application to support: accounts in this organizational directory only, accounts in any organizational directory, or accounts in any organizational directory and personal Microsoft accounts. | -| Redirect URI (optional) | Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application. For web applications, provide the base URL of your app. For example, http://localhost:31544 might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as myapp://auth. To see specific examples for web applications or native applications, check out our [quickstarts](./index.yml).| --Once you have filled the above fields, the application is registered in the Azure portal, and you are redirected to the application overview page. The settings pages in the left pane under **Manage** have more fields for you to customize your application. The tables below describe all the fields. You would only see a subset of these fields, depending on whether you created a web application or a public client application. --### Overview --| Field | Description | -|--|--| -| Application ID | When you register an application, Azure AD assigns your application an Application ID. The application ID can be used to uniquely identify your application in authentication requests to Azure AD, as well as to access resources like the Graph API. | -| App ID URI | This should be a unique URI, usually of the form **https://<tenant\_name>/<application\_name>.** This is used during the authorization grant flow, as a unique identifier to specify the resource that the token should be issued for. It also becomes the 'aud' claim in the issued access token. | --### Branding --| Field | Description | -|--|--| -| Upload new logo | You can use this to upload a logo for your application. The logo must be in .bmp, .jpg or .png format, and the file size should be less than 100 KB. The dimensions for the image should be 215x215 pixels, with central image dimensions of 94x94 pixels.| -| Home page URL | This is the sign-on URL specified during application registration.| --### Authentication --| Field | Description | -|--|--| -| Front-channel logout URL | This is the single sign-out logout URL. Azure AD sends a logout request to this URL when the user clears their session with Azure AD using any other registered application.| -| Supported account types | This switch specifies whether the application can be used by multiple tenants. Typically, this means that external organizations can use your application by registering it in their tenant and granting access to their organization's data.| -| Redirect URLs | The redirect, or reply, URLs are the endpoints where Azure AD returns any tokens that your application requests. For native applications, this is where the user is sent after successful authorization. Azure AD checks that the redirect URI your application supplies in the OAuth 2.0 request matches one of the registered values in the portal.| --### Certificates and secrets --| Field | Description | -|--|--| -| Client secrets | You can create client secrets, or keys, to programmatically access web APIs secured by Azure AD without any user interaction. From the **New client secret** page, enter a key description and the expiration date and save to generate the key. Make sure to save it somewhere secure, as you won't be able to access it later. | --## Next steps --[Managing Applications with Azure Active Directory](../manage-apps/what-is-application-management.md) |
active-directory | Registration Config Sso How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-sso-how-to.md | - Title: Configure application single sign-on -description: How to configure single sign-on for a custom application you are developing and registering with Azure AD. --------- Previously updated : 07/15/2019-----# How to configure single sign-on for an application --Enabling federated single sign-on (SSO) in your app is automatically enabled when federating through Azure AD for OpenID Connect, SAML 2.0, or WS-Fed. If your end users are having to sign in despite already having an existing session with Azure AD, itΓÇÖs likely your app may be misconfigured. --* If youΓÇÖre using Microsoft Authentication Library (MSAL), make sure you have **PromptBehavior** set to **Auto** rather than **Always**. --* If youΓÇÖre building a mobile app, you may need additional configurations to enable brokered or non-brokered SSO. --For Android, see [Enabling Cross App SSO in Android](msal-android-single-sign-on.md). --For iOS, see [Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md). --## Next steps --[Azure AD SSO](../manage-apps/what-is-single-sign-on.md)<br> --[Enabling Cross App SSO in Android](msal-android-single-sign-on.md)<br> --[Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md)<br> --[Integrating Apps to AzureAD](./quickstart-register-app.md)<br> --[Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md)<br> --[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Scenario Web App Call Api Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-call-api-acquire-token.md | These advanced steps are covered in chapter 3 of the [3-WebApp-multi-APIs](https The code for ASP.NET is similar to the code shown for ASP.NET Core: -- A controller action, protected by an [Authorize] attribute, extracts the tenant ID and user ID of the `ClaimsPrincipal` member of the controller. (ASP.NET uses `HttpContext.User`.)-*Microsoft.Identity.Web* adds extension methods to the Controller that provide convenience services to call Microsoft Graph or a downstream web API, or to get an authorization header, or even a token. The methods used to call an API directly are explained in detail in [A web app that calls web APIs: Call an API](scenario-web-app-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token. +- A controller action, protected by an `[Authorize]` attribute, extracts the tenant ID and user ID of the `ClaimsPrincipal` member of the controller (ASP.NET uses `HttpContext.User`). This ensures that only authenticated users can use the app. +**Microsoft.Identity.Web** adds extension methods to the Controller that provide convenience services to call Microsoft Graph or a downstream web API, or to get an authorization header, or even a token. The methods used to call an API directly are explained in detail in [A web app that calls web APIs: Call an API](scenario-web-app-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token. -If, however, you do want to manually acquire a token or build an authorization header, the following code shows how to use *Microsoft.Identity.Web* to do so in a controller. It calls an API (Microsoft Graph) using the REST API instead of the Microsoft Graph SDK. +If, however, you do want to manually acquire a token or build an authorization header, the following code shows how to use Microsoft.Identity.Web to do so in a controller. It calls an API (Microsoft Graph) using the REST API instead of the Microsoft Graph SDK. To get an authorization header, you get an `IAuthorizationHeaderProvider` service from the controller using an extension method `GetAuthorizationHeaderProvider`. To get an authorization header to call an API on behalf of the user, use `CreateAuthorizationHeaderForUserAsync`. To get an authorization header to call a downstream API on behalf of the application itself, in a daemon scenario, use `CreateAuthorizationHeaderForAppAsync`. -The controller methods are protected by an `[Authorize]` attribute that ensures only authenticated users can use the web app. -- The following snippet shows the action of the `HomeController`, which gets an authorization header to call Microsoft Graph as a REST API: - ```csharp [Authorize] public class HomeController : Controller public class HomeController : Controller # [Java](#tab/java) -In the Java sample, the code that calls an API is in the getUsersFromGraph method in [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62). +In the Java sample, the code that calls an API is in the `getUsersFromGraph` method in [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62). The method attempts to call `getAuthResultBySilentFlow`. If the user needs to consent to more scopes, the code processes the `MsalInteractionRequiredException` object to challenge the user. public ModelAndView getUserFromGraph(HttpServletRequest httpRequest, HttpServlet # [Node.js](#tab/nodejs) -In the Node.js sample, the code that acquires a token is in the *acquireToken* method of the **AuthProvider** class. +In the Node.js sample, the code that acquires a token is in the `acquireToken` method of the `AuthProvider` class. :::code language="js" source="~/ms-identity-node/App/auth/AuthProvider.js" range="79-121"::: This access token is then used to handle requests to the `/profile` endpoint: # [Python](#tab/python) -In the Python sample, the code that calls the API is in `app.py`. +In the Python sample, the code that calls the API is in *app.py*. The code attempts to get a token from the token cache. If it can't get a token, it redirects the user to the sign-in route. Otherwise, it can proceed to call the API. Move on to the next article in this scenario, Move on to the next article in this scenario, [Call a web API](scenario-web-app-call-api-call-api.md?tabs=python). -+ |
active-directory | Setup Multi Tenant App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/setup-multi-tenant-app.md | - Title: Configure a new multi-tenant application -description: Learn how to configure an application as multi-tenant, and how multi-tenant applications work --------- Previously updated : 11/10/2022-----# How to configure a new multi-tenant application --Here is a list of recommended topics to learn more about multi-tenant applications: --- Get a general understanding of [what it means to be a multi-tenant application](./developer-glossary.md#multi-tenant-application)-- Learn about [tenancy in Azure Active Directory](single-and-multi-tenant-apps.md)-- Get a general understanding of [how to configure an application to be multi-tenant](./howto-convert-app-to-be-multi-tenant.md)-- Get a step-by-step overview of [how the Azure AD consent framework is used to implement consent](./quickstart-register-app.md), which is required for multi-tenant applications-- For more depth, learn [how a multi-tenant application is configured and coded end-to-end](./howto-convert-app-to-be-multi-tenant.md), including how to register, use the "common" endpoint, implement "user" and "admin" consent, how to implement more advanced multi-tier scenarios--## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Single Sign On Saml Protocol | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-sign-on-saml-protocol.md | Title: Azure single sign-on SAML protocol + Title: Single sign-on SAML protocol description: This article describes the single sign-on (SSO) SAML protocol in Azure Active Directory documentationcenter: .net To request a user authentication, cloud services send an `AuthnRequest` element | Parameter | Type | Description | | | | |-| ID | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. | -| Version | Required | This parameter should be set to **2.0**. | -| IssueInstant | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. | -| AssertionConsumerServiceURL | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. | -| ForceAuthn | Optional | This is a boolean value. If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Azure AD. | -| IsPassive | Optional | This is a boolean value that specifies whether Azure AD should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Azure AD will attempt to authenticate the user using the session cookie. | --All other `AuthnRequest` attributes, such as Consent, Destination, AssertionConsumerServiceIndex, AttributeConsumerServiceIndex, and ProviderName are **ignored**. +| `ID` | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. | +| `Version` | Required | This parameter should be set to `2.0`. | +| `IssueInstant` | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. | +| `AssertionConsumerServiceURL` | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. | +| `ForceAuthn` | Optional | This is a boolean value. If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Azure AD. | +| `IsPassive` | Optional | This is a boolean value that specifies whether Azure AD should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Azure AD will attempt to authenticate the user using the session cookie. | ++All other `AuthnRequest` attributes, such as `Consent`, `Destination`, `AssertionConsumerServiceIndex`, `AttributeConsumerServiceIndex`, and `ProviderName` are **ignored**. Azure AD also ignores the `Conditions` element in `AuthnRequest`. |
active-directory | Troubleshoot Publisher Verification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/troubleshoot-publisher-verification.md | If you're unable to complete the process or are experiencing unexpected behavior ## Common Issues Below are some common issues that may occur during the process. -- **I donΓÇÖt know my Microsoft Partner Network ID (MPN ID) or I donΓÇÖt know who the primary contact for the account is.** - 1. Navigate to the [MPN enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new). +- **I donΓÇÖt know my Cloud Partner Program ID (Partner One ID) or I donΓÇÖt know who the primary contact for the account is.** + 1. Navigate to the [Cloud Partner Program enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new). 2. Sign in with a user account in the org's primary Azure AD tenant. - 3. If an MPN account already exists, this is recognized and you are added to the account. - 4. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed. + 3. If an Cloud Partner Program account already exists, this is recognized and you are added to the account. + 4. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the Partner One ID and primary account contact will be listed. - **I donΓÇÖt know who my Azure AD Global Administrator (also known as company admin or tenant admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?** 1. Sign in to the [Azure portal](https://portal.azure.com) using a user account in your organization's primary tenant. Below are some common issues that may occur during the process. 3. Select the desired admin role. 4. The list of users assigned that role will be displayed. -- **I don't know who the admin(s) for my MPN account are**- Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles. +- **I don't know who the admin(s) for my CPP account are** + Go to the [CPP User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles. -- **I am getting an error saying that my MPN ID is invalid or that I do not have access to it.**+- **I am getting an error saying that my Partner One ID is invalid or that I do not have access to it.** Follow the [remediation guidance](#mpnaccountnotfoundornoaccess). - **When I sign in to the Azure portal, I do not see any apps registered. Why?** Response 204 No Content ``` > [!NOTE]-> *verifiedPublisherID* is your MPN ID. +> *verifiedPublisherID* is your Partner One ID. ### Unset Verified Publisher The following is a list of the potential error codes you may receive, either whe ### MPNAccountNotFoundOrNoAccess -The MPN ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid Partner One ID and try again. -Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Partner Center- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. Can also be caused by the tenant the app is registered in not being added to the MPN account, or an invalid MPN ID. +Most commonly caused by the signed-in user not being a member of the proper role for the CPP account in Partner Center- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. Can also be caused by the tenant the app is registered in not being added to the CPP account, or an invalid Partner One ID. **Remediation Steps** 1. Go to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) and verify that: - - The MPN ID is correct. + - The Partner One ID is correct. - There are no errors or ΓÇ£pending actionsΓÇ¥ shown, and the verification status under Legal business profile and Partner info both say ΓÇ£authorizedΓÇ¥ or ΓÇ£successΓÇ¥.-2. Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the [multi-tenant-account instructions](/partner-center/multi-tenant-account). All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account. -3. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions for [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions). +2. Go to the [CPP tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the [multi-tenant-account instructions](/partner-center/multi-tenant-account). All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account. +3. Go to the [CPP User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions for [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions). ### MPNGlobalAccountNotFound -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused when an MPN ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. +Most commonly caused when an Partner One ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab Most commonly caused when an MPN ID is provided which corresponds to a Partner L ### MPNAccountInvalid -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab Most commonly caused by the wrong MPN ID being provided. ### MPNAccountNotVetted -The MPN ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again. +The Partner One ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again. -Most commonly caused by when the MPN account hasn't completed the [verification](/partner-center/verification-responses) process. +Most commonly caused by when the CPP account hasn't completed the [verification](/partner-center/verification-responses) process. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) and verify that there are no errors or **pending actions** shown, and that the verification status under Legal business profile and Partner info both say **authorized** or **success**. Most commonly caused by when the MPN account hasn't completed the [verification] ### NoPublisherIdOnAssociatedMPNAccount -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab Most commonly caused by the wrong MPN ID being provided. ### MPNIdDoesNotMatchAssociatedMPNAccount -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab See [requirements](publisher-verification-overview.md) for a list of allowed dom You aren't authorized to set the verified publisher property on application (<`AppId`). -Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. +Most commonly caused by the signed-in user not being a member of the proper role for the CPP account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. **Remediation Steps** 1. Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant. Most commonly caused by the signed-in user not being a member of the proper role ### MPNIdWasNotProvided -The MPN ID wasn't provided in the request body or the request content type wasn't "application/json". +The Partner One ID wasn't provided in the request body or the request content type wasn't "application/json". -Most commonly caused when the verification is being performed via Graph API, and the MPN ID wasnΓÇÖt provided in the request. +Most commonly caused when the verification is being performed via Graph API, and the Partner One ID wasnΓÇÖt provided in the request. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab If you've reviewed all of the previous information and are still receiving an er - ObjectId of target application - AppId of target application - TenantId where app is registered-- MPN ID+- Partner One ID - REST request being made - Error code and message being returned |
active-directory | V2 App Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-app-types.md | -The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios). +The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-types). ## The basics |
active-directory | V2 Oauth Ropc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth-ropc.md | Title: Sign in with resource owner password credentials grant + Title: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials description: Support browser-less authentication flows using the resource owner password credential (ROPC) grant. The Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password > [!WARNING] > Microsoft recommends you do _not_ use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable. - > [!IMPORTANT] > > * The Microsoft identity platform only supports the ROPC grant within Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint. |
active-directory | V2 Oauth2 Implicit Grant Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md | Title: OAuth 2.0 implicit grant flow - The Microsoft identity platform + Title: Microsoft identity platform and OAuth 2.0 implicit grant flow description: Secure single-page apps using Microsoft identity platform implicit flow. -# Microsoft identity platform and implicit grant flow +# Microsoft identity platform and OAuth 2.0 implicit grant flow The Microsoft identity platform supports the OAuth 2.0 implicit grant flow as described in the [OAuth 2.0 Specification](https://tools.ietf.org/html/rfc6749#section-4.2). The defining characteristic of the implicit grant is that tokens (ID tokens or access tokens) are returned directly from the /authorize endpoint instead of the /token endpoint. This is often used as part of the [authorization code flow](v2-oauth2-auth-code-flow.md), in what is called the "hybrid flow" - retrieving the ID token on the /authorize request along with an authorization code. The following diagram shows what the entire implicit sign-in flow looks like and To initially sign the user into your app, you can send an [OpenID Connect](v2-protocols-oidc.md) authentication request and get an `id_token` from the Microsoft identity platform. > [!IMPORTANT]-> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned: `The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'` +> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned: +> +> `The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'` ``` // Line breaks for legibility only client_id=6731de76-14a6-49ae-97bc-6eba6914391e | | | | | `tenant` | required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](./v2-protocols.md#endpoints).Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.| | `client_id` | required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |-| `response_type` | required |Must include `id_token` for OpenID Connect sign-in. It may also include the response_type `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, user.read on Microsoft Graph). It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This id_token+code response is sometimes called the hybrid flow. | -| `redirect_uri` | recommended |The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be URL-encoded. | -| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (id_tokens), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | +| `response_type` | required | Must include `id_token` for OpenID Connect sign-in. It may also include the `response_type`, `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, `user.read` on Microsoft Graph). It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This `id_token`+`code` response is sometimes called the hybrid flow. | +| `redirect_uri` | recommended |The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except it must be URL-encoded. | +| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (`id_tokens`), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | | `response_mode` | optional |Specifies the method that should be used to send the resulting token back to your app. Defaults to query for just an access token, but fragment if the request includes an id_token. | | `state` | recommended |A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. |-| `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | -| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | +| `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting ID token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | +| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, `select_account`, and `consent`. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via SSO, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | | `login_hint` | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](./optional-claims.md) from an earlier sign-in. | | `domain_hint` | optional |If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. This parameter is commonly used for Line of Business apps that operate in a single tenant, where they'll provide a domain name within a given tenant, forwarding the user to the federation provider for that tenant. This hint prevents guests from signing into this application, and limits the use of cloud credentials like FIDO. | code=0.AgAAktYV-sfpYESnQynylW_UKZmH-C9y_G1A | | | | `code` | Included if `response_type` includes `code`. It's an authorization code suitable for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). | | `access_token` |Included if `response_type` includes `token`. The access token that the app requested. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. |-| `token_type` |Included if `response_type` includes `token`. Will always be `Bearer`. | +| `token_type` |Included if `response_type` includes `token`. This will always be `Bearer`. | | `expires_in`|Included if `response_type` includes `token`. Indicates the number of seconds the token is valid, for caching purposes. | | `scope` |Included if `response_type` includes `token`. Indicates the scope(s) for which the access_token will be valid. May not include all the requested scopes if they weren't applicable to the user. For example, Azure AD-only scopes requested when logging in using a personal account. |-| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token reference`](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested and `response_type` included `id_tokens`. | +| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about ID tokens, see the [`id_token reference`](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested and `response_type` included `id_tokens`. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | [!INCLUDE [remind-not-to-validate-access-tokens](includes/remind-not-to-validate-access-tokens.md)] For details on the query parameters in the URL, see [send the sign in request](# > [!TIP] > Try copy & pasting the request below into a browser tab! (Don't forget to replace the `login_hint` values with the correct value for your user) >->`https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=fragment&state=12345&nonce=678910&prompt=none&login_hint={your-username}` +> ``` +> https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=fragment&state=12345&nonce=678910&prompt=none&login_hint={your-username} +> ``` > > Note that this will work even in browsers without third party cookie support, since you're entering this directly into a browser bar as opposed to opening it within an iframe. access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q.. | Parameter | Description | | | | | `access_token` |Included if `response_type` includes `token`. The access token that the app requested, in this case for the Microsoft Graph. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. |-| `token_type` | Will always be `Bearer`. | +| `token_type` | This will always be `Bearer`. | | `expires_in` | Indicates the number of seconds the token is valid, for caching purposes. |-| `scope` | Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | +| `scope` | Indicates the scope(s) for which the access token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | | `id_token` | A signed JSON Web Token (JWT). Included if `response_type` includes `id_token`. The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token` reference](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | If you receive this error in the iframe request, the user must interactively sig ## Refreshing tokens -The implicit grant does not provide refresh tokens. Both `id_token`s and `access_token`s will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. If you want to receive a new `id_token`, be sure to use `id_token` in the `response_type` and `scope=openid`, as well as a `nonce` parameter. +The implicit grant does not provide refresh tokens. Both ID tokens and access tokens will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. If you want to receive a new ID token, be sure to use `id_token` in the `response_type` and `scope=openid`, as well as a `nonce` parameter. In browsers that do not support third party cookies, this will result in an error indicating that no user is signed in. |
active-directory | Assign Local Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md | When you connect a Windows device with Azure AD using an Azure AD join, Azure AD - The Azure AD joined device local administrator role - The user performing the Azure AD join -By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been *only* assigned the device administrator role to manage a device. +By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to users with the Global Administrator role, you can also enable users that have been *only* assigned the Azure AD Joined Device Local Administrator role to manage a device. -## Manage the global administrators role +## Manage the Global Administrator role -To view and update the membership of the Global Administrator role, see: +To view and update the membership of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) role, see: - [View all members of an administrator role in Azure Active Directory](../roles/manage-roles-portal.md) - [Assign a user to administrator roles in Azure Active Directory](../fundamentals/how-subscriptions-associated-directory.md) -## Manage the device administrator role +## Manage the Azure AD Joined Device Local Administrator role [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -In the Azure portal, you can manage the device administrator role from **Device settings**. +You can manage the [Azure AD Joined Device Local Administrator](/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator) role from **Device settings**. -1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). 1. Browse to **Azure Active Directory** > **Devices** > **Device settings**. 1. Select **Manage Additional local administrators on all Azure AD joined devices**. 1. Select **Add assignments** then choose the other administrators you want to add and select **Add**. -To modify the device administrator role, configure **Additional local administrators on all Azure AD joined devices**. +To modify the Azure AD Joined Device Local Administrator role, configure **Additional local administrators on all Azure AD joined devices**. > [!NOTE] > This option requires Azure AD Premium licenses. -Device administrators are assigned to all Azure AD joined devices. You canΓÇÖt scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: +Azure AD Joined Device Local Administrators are assigned to all Azure AD joined devices. You canΓÇÖt scope this role to a specific set of devices. Updating the Azure AD Joined Device Local Administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: - Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges. - User signs out and signs back in, not lock/unlock, to refresh their profile. -Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token. +Users aren't directly listed in the local administrator group, the permissions are received through the Primary Refresh Token. > [!NOTE] > The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the administrator privileges are applied immediately after their first sign-in to the device. ## Manage administrator privileges using Azure AD groups (preview) -Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices. +Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you with the granularity to configure distinct administrators for different groups of devices. Organizations can use Intune to manage these policies using [Custom OMA-URI Settings](/mem/intune/configuration/custom-settings-windows-10) or [Account protection policy](/mem/intune/protect/endpoint-security-account-protection-policy). A few considerations for using this policy: -- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID is defined by the property `securityIdentifier` in the API response.+- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID equates to the property `securityIdentifier` in the API response. - Administrator privileges using this policy are evaluated only for the following well-known groups on a Windows 10 or newer device - Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users. By default, Azure AD adds the user performing the Azure AD join to the administr - [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by [creating an Autopilot profile](/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).-- [Bulk enrollment](/intune/windows-bulk-enroll) - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined aren't added to the administrators group. +- [Bulk enrollment](/intune/windows-bulk-enroll) - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device has been joined aren't added to the administrators group. ## Manually elevate a user on a device Additionally, you can also add users using the command prompt: ## Considerations -- You can only assign role based groups to the device administrator role.-- Device administrators are assigned to all Azure AD Joined devices. They can't be scoped to a specific set of devices.+- You can only assign role based groups to the Azure AD Joined Device Local Administrator role. +- The Azure AD Joined Device Local Administrator role is assigned to all Azure AD Joined devices. This role can't be scoped to a specific set of devices. - Local administrator rights on Windows devices aren't applicable to [Azure AD B2B guest users](../external-identities/what-is-b2b.md).-- When you remove users from the device administrator role, changes aren't instant. Users still have local administrator privilege on a device as long as they're signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. This revocation, similar to the privilege elevation, could take upto 4 hours.+- When you remove users from the Azure AD Joined Device Local Administrator role, changes aren't instant. Users still have local administrator privilege on a device as long as they're signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. This revocation, similar to the privilege elevation, could take upto 4 hours. ## Next steps -- To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).+- To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md). - To learn more about device-based Conditional Access, see [Conditional Access: Require compliant or hybrid Azure AD joined device](../conditional-access/howto-conditional-access-policy-compliant-device.md). |
active-directory | Device Join Out Of Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-join-out-of-box.md | Your device may restart several times as part of the setup process. Your device :::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-device-sign-in-info.png" alt-text="Screenshot of Windows 11 out-of-box experience showing the sign-in experience."::: 1. Continue to follow the prompts to set up your device. 1. Azure AD checks if an enrollment in mobile device management is required and starts the process.- 1. Windows registers the device in the organizationΓÇÖs directory in Azure AD and enrolls it in mobile device management, if applicable. + 1. Windows registers the device in the organizationΓÇÖs directory and enrolls it in mobile device management, if applicable. 1. If you sign in with a managed user account, Windows takes you to the desktop through the automatic sign-in process. Federated users are directed to the Windows sign-in screen to enter your credentials. :::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-complete-automatic-sign-in-desktop.png" alt-text="Screenshot of Windows 11 at the desktop after first run experience Azure AD joined."::: To verify whether a device is joined to your Azure AD, review the **Access work ## Next steps -- For more information about managing devices in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).+- For more information about managing devices, see [managing devices using the Azure portal](manage-device-identities.md). - [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune) - [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) - [Passwordless authentication options for Azure Active Directory](../authentication/concept-authentication-passwordless.md) |
active-directory | Enterprise State Roaming Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-enable.md | Enterprise State Roaming provides users with a unified experience across their W [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**. 1. Select **Users may sync settings and app data across devices**. For more information, see [how to configure device settings](./manage-device-identities.md). The country/region value is set as part of the Azure AD directory creation proce Follow these steps to view a per-user device sync status report. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Azure Active Directory** > **Users** > **All users**. 1. Select the user, and then select **Devices**. 1. Select **View devices syncing settings and app data** to show sync status. |
active-directory | Enterprise State Roaming Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md | Enterprise State Roaming requires the device to be registered with Azure AD. Alt **Potential issue**: **WamDefaultSet** and **AzureAdJoined** both have ΓÇ£NOΓÇ¥ in the field value, the device was domain-joined and registered with Azure AD, and the device doesn't sync. If it's showing this, the device may need to wait for policy to be applied or the authentication for the device failed when connecting to Azure AD. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. In some cases, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. -**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure portal. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. +**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. ## Enterprise State Roaming and multifactor authentication |
active-directory | How To Hybrid Join Verify | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/how-to-hybrid-join-verify.md | description: Verify configurations for hybrid Azure AD joined devices + Last updated 02/27/2023 For downlevel devices, see the article [Troubleshooting hybrid Azure Active Dire ## Using the Azure portal -1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices). -2. Information on how to locate a device can be found in [How to manage device identities using the Azure portal](./manage-device-identities.md). -3. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle. -4. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Browse to **Azure Active Directory** > **Devices** > **All devices**. +1. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle. +1. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed. ## Using PowerShell |
active-directory | Howto Manage Local Admin Passwords | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-manage-local-admin-passwords.md | Other than the built-in Azure AD roles of Cloud Device Administrator, Intune Adm To enable Windows LAPS with Azure AD, you must take actions in Azure AD and the devices you wish to manage. We recommend organizations [manage Windows LAPS using Microsoft Intune](/mem/intune/protect/windows-laps-policy). However, if your devices are Azure AD joined but you're not using Microsoft Intune or Microsoft Intune isn't supported (like for Windows Server 2019/2022), you can still deploy Windows LAPS for Azure AD manually. For more information, see the article [Configure Windows LAPS policy settings](/windows-server/identity/laps/laps-management-policy-settings). -1. Sign in to the **Azure portal** as a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Sign in to the **Azure portal** as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). 1. Browse to **Azure Active Directory** > **Devices** > **Device settings** 1. Select **Yes** for the Enable Local Administrator Password Solution (LAPS) setting and select **Save**. You may also use the Microsoft Graph API [Update deviceRegistrationPolicy](/graph/api/deviceregistrationpolicy-update?view=graph-rest-beta&preserve-view=true). 1. Configure a client-side policy and set the **BackUpDirectory** to be Azure AD. |
active-directory | Howto Vm Sign In Azure Ad Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md | To configure role assignments for your Azure AD-enabled Linux VMs: | Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** | | Assign access to | User, group, service principal, or managed identity | - ![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) + ![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) After a few moments, the security principal is assigned the role at the selected scope. The application that appears in the Conditional Access policy is called *Azure L If the Azure Linux VM Sign-In application is missing from Conditional Access, make sure the application isn't in the tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Azure Active Directory** > **Enterprise applications**. 1. Remove the filters to see all applications, and search for **Virtual Machine**. If you don't see Microsoft Azure Linux Virtual Machine Sign-In as a result, the service principal is missing from the tenant. |
active-directory | Howto Vm Sign In Azure Ad Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md | To configure role assignments for your Azure AD-enabled Windows Server 2019 Data | Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** | | Assign access to | User, group, service principal, or managed identity | - ![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) + ![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) ### Azure Cloud Shell Exit code -2145648607 translates to `DSREG_AUTOJOIN_DISC_FAILED`. The extension - `curl https://pas.windows.net/ -D -` > [!NOTE]- > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID** in the Azure portal. + > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID**. > > Attempts to connect to `enterpriseregistration.windows.net` might return 404 Not Found, which is expected behavior. Attempts to connect to `pas.windows.net` might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable. Share your feedback about this feature or report problems with using it on the [ If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Azure Active Directory** > **Enterprise applications**. 1. Remove the filters to see all applications, and search for **VM**. If you don't see **Azure Windows VM Sign-In** as a result, the service principal is missing from the tenant. |
active-directory | Hybrid Join Manual | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-manual.md | description: Learn how to manually configure hybrid Azure Active Directory join + Last updated 07/05/2022 The following script helps you with the creation of the issuance transform rules #### Remarks * This script appends the rules to the existing rules. Don't run the script twice, because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.-* If you have multiple verified domain names (as shown in the Azure portal or via the **Get-MsolDomain** cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule: +* If you have multiple verified domain names, set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule: ``` c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] |
active-directory | Manage Device Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md | -[![Screenshot that shows the devices overview in the Azure portal.](./media/manage-device-identities/devices-azure-portal.png)](./media/manage-device-identities/devices-azure-portal.png#lightbox) +[![Screenshot that shows the devices overview.](./media/manage-device-identities/devices-azure-portal.png)](./media/manage-device-identities/devices-azure-portal.png#lightbox) You can access the devices overview by completing these steps: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). 1. Go to **Azure Active Directory** > **Devices**. In the devices overview, you can view the number of total devices, stale devices, noncompliant devices, and unmanaged devices. You'll also find links to Intune, Conditional Access, BitLocker keys, and basic monitoring. From there, you can go to **All devices** to: - Review device-related audit logs. - Download devices. -[![Screenshot that shows the All devices view in the Azure portal.](./media/manage-device-identities/all-devices-azure-portal.png)](./media/manage-device-identities/all-devices-azure-portal.png#lightbox) +[![Screenshot that shows the All devices view.](./media/manage-device-identities/all-devices-azure-portal.png)](./media/manage-device-identities/all-devices-azure-portal.png#lightbox) > [!TIP] > - Hybrid Azure AD joined Windows 10 or newer devices don't have an owner. If you're looking for a device by owner and don't find it, search by the device ID. In this preview, you have the ability to infinitely scroll, reorder columns, and To enable the preview in the **All devices** view: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). 2. Go to **Azure Active Directory** > **Devices** > **All devices**. 3. Select the **Preview features** button. 4. Turn on the toggle that says **Enhanced devices list experience**. Select **Apply**. The exported list includes these device identity attributes: If you want to manage device identities by using the Azure portal, the devices need to be either [registered or joined](overview.md) to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings. -You must be assigned one of the following roles to view device settings in the Azure portal: +You must be assigned one of the following roles to view device settings: - Global Administrator - Global Reader You must be assigned one of the following roles to view device settings in the A - Windows 365 Administrator - Directory Reviewer -You must be assigned one of the following roles to manage device settings in the Azure portal: +You must be assigned one of the following roles to manage device settings: - Global Administrator - Cloud Device Administrator |
active-directory | Manage Stale Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md | description: Learn how to remove stale devices from your database of registered + Last updated 09/27/2022 -#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data. - +#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data. # How To: Manage stale devices in Azure AD If the delta between the existing value of the activity timestamp and the curren You have two options to retrieve the value of the activity timestamp: -- The **Activity** column on the [devices page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices) in the Azure portal+- The **Activity** column on the [devices page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices). - :::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot of a page in the Azure portal listing the name, owner, and other information on devices. One column lists the activity time stamp." border="false"::: + :::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot listing the name, owner, and other information of devices. One column lists the activity time stamp." border="false"::: -- The [Get-AzureADDevice](/powershell/module/azuread/Get-AzureADDevice) cmdlet+- The [Get-AzureADDevice](/powershell/module/azuread/Get-AzureADDevice) cmdlet. :::image type="content" source="./media/manage-stale-devices/02.png" alt-text="Screenshot showing command-line output. One line is highlighted and lists a time stamp for the ApproximateLastLogonTimeStamp value." border="false"::: Any authentication where a device is being used to authenticate to Azure AD are Devices managed with Intune can be retired or wiped, for more information see the article [Remove devices by using wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe). -To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md) +To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md) |
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/overview.md | Getting devices in to Azure AD can be done in a self-service manner or a control - Learn more about [Azure AD registered devices](concept-device-registration.md) - Learn more about [Azure AD joined devices](concept-directory-join.md) - Learn more about [hybrid Azure AD joined devices](concept-hybrid-join.md)-- To get an overview of how to manage device identities in the Azure portal, see [Managing device identities using the Azure portal](manage-device-identities.md).+- To get an overview of how to manage device identities, see [Managing device identities using the Azure portal](manage-device-identities.md). - To learn more about device-based Conditional Access, see [Configure Azure Active Directory device-based Conditional Access policies](../conditional-access/concept-conditional-access-grant.md). |
active-directory | Troubleshoot Device Windows Joined | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-windows-joined.md | -1. Sign in to the **Azure portal**. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). 1. Browse to **Azure Active Directory** > **Devices** > **Diagnose and solve problems**. 1. Select **Troubleshoot** under the **Windows 10+ related issue** troubleshooter. :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane of the Azure portal." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png"::: |
active-directory | Troubleshoot Hybrid Join Windows Current | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md | Use Event Viewer to look for the log entries that are logged by the Azure AD Clo | Error code | Reason | Resolution | | | | |-| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled in the Azure portal. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. | +| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. | | **AADSTS50034: The user account `Account` does not exist in the `tenant id` directory** | Azure AD is unable to find the user account in the tenant. | <li>Ensure that the user is typing the correct UPN.<li>Ensure that the on-premises user account is being synced with Azure AD.<li>Event 1144 (Azure AD analytics logs) will contain the UPN provided. | | **AADSTS50126: Error validating credentials due to invalid username or password.** | <li>The username and password entered by the user in the Windows LoginUI are incorrect.<li>If the tenant has password hash sync enabled, the device is hybrid-joined, and the user just changed the password, it's likely that the new password hasn't synced with Azure AD. | To acquire a fresh PRT with the new credentials, wait for the Azure AD password sync to finish. | | | | |
active-directory | Troubleshoot Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-primary-refresh-token.md | You can find a full list and description of server error codes in [Azure AD auth - Azure AD can't authenticate the device to issue a PRT. -- The device might have been deleted or disabled in the Azure portal. (For more information, see [Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10/11 devices?](./faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices))+- The device might have been deleted or disabled. (For more information, see [Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10/11 devices?](./faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices)) ##### Solution -Re-register the device based on the device join type. For instructions, see [I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on the device says it's still registered. What should I do?](./faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do). +Re-register the device based on the device join type. For instructions, see [I disabled or deleted my device. But the local state on the device says it's still registered. What should I do?](./faq.yml#i-disabled-or-deleted-my-device--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do). </details> <details> |
active-directory | Directory Delete Howto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md | |
active-directory | Directory Self Service Signup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-self-service-signup.md | |
active-directory | Domains Admin Takeover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-admin-takeover.md | |
active-directory | Domains Verify Custom Subdomain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-verify-custom-subdomain.md | |
active-directory | Groups Assign Sensitivity Labels | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md | |
active-directory | Groups Change Type | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-change-type.md | |
active-directory | Groups Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-lifecycle.md | |
active-directory | Groups Naming Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-naming-policy.md | |
active-directory | Groups Restore Deleted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-restore-deleted.md | |
active-directory | Groups Self Service Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-self-service-management.md | |
active-directory | Groups Settings Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-cmdlets.md | |
active-directory | Groups Settings V2 Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-v2-cmdlets.md | |
active-directory | Licensing Group Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-group-advanced.md | |
active-directory | Licensing Ps Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-ps-examples.md | |
active-directory | Linkedin Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/linkedin-integration.md | |
active-directory | Users Bulk Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-restore.md | |
active-directory | Users Custom Security Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-custom-security-attributes.md | |
active-directory | Users Restrict Guest Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-restrict-guest-permissions.md | |
active-directory | Users Revoke Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-revoke-access.md | |
active-directory | Authentication Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/authentication-conditional-access.md | description: Learn how to enforce multi-factor authentication policies for Azure + Last updated 04/17/2023 |
active-directory | Bulk Invite Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/bulk-invite-powershell.md | Last updated 07/31/2023 ---# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user. + +# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user. # Tutorial: Use PowerShell to bulk invite Azure AD B2B collaboration users |
active-directory | Code Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/code-samples.md | Last updated 04/06/2023 -+ # Customer intent: As a tenant administrator, I want to bulk-invite external users to an organization from email addresses that I've stored in a .csv file. |
active-directory | How To Customize Languages Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-customize-languages-customers.md | The following languages are supported in the customer tenant: - Spanish (Spain) - Swedish (Sweden) - Thai (Thailand)- - Turkish (Turkey) + - Turkish (T├╝rkiye) - Ukrainian (Ukraine) 6. Customize the elements on the **Basics**, **Layout**, **Header**, **Footer**, **Sign-in form**, and **Text** tabs. For detailed instructions, see [Customize the branding and end-user experience](how-to-customize-branding-customers.md). |
active-directory | How To Facebook Federation Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-facebook-federation-customers.md | At this point, the Facebook identity provider has been set up in your customer t ## Next steps - [Add Google as an identity provider](how-to-google-federation-customers.md)-- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md)+- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md) |
active-directory | How To Google Federation Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-google-federation-customers.md | At this point, the Google identity provider has been set up in your Azure AD, bu ## Next steps - [Add Facebook as an identity provider](how-to-facebook-federation-customers.md)-- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md)+- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md) |
active-directory | How To Single Page App Vanillajs Sign In Sign Out | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-single-page-app-vanillajs-sign-in-sign-out.md | - Title: Tutorial - Add sign-in and sign-out to a Vanilla JavaScript single-page app (SPA) for a customer tenant -description: Learn how to configure a Vanilla JavaScript single-page app (SPA) to sign in and sign out users with your Azure Active Directory (AD) for customers tenant. -------- Previously updated : 05/25/2023-#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. ---# Tutorial: Add sign-in and sign-out to a vanilla JavaScript single-page app for a customer tenant --In the [previous article](how-to-single-page-app-vanillajs-configure-authentication.md), you edited the popup and redirection files that handle the sign-in page response. This tutorial demonstrates how to build a responsive user interface (UI) that contains a **Sign-In** and **Sign-Out** button and run the project to test the sign-in and sign-out functionality. --In this tutorial; --> [!div class="checklist"] -> * Add code to the *https://docsupdatetracker.net/index.html* file to create the user interface -> * Add code to the *signout.html* file to create the sign-out page -> * Sign in and sign out of the application --## Prerequisites --* Completion of the prerequisites and steps in [Create components for authentication and authorization](how-to-single-page-app-vanillajs-configure-authentication.md). --## Add code to the *https://docsupdatetracker.net/index.html* file --The main page of the SPA, *https://docsupdatetracker.net/index.html*, is the first page that is loaded when the application is started. It's also the page that is loaded when the user selects the **Sign-Out** button. --1. Open *public/https://docsupdatetracker.net/index.html* and add the following code snippet: -- ```html - <!DOCTYPE html> - <html lang="en"> - - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no"> - <title>Microsoft identity platform</title> - <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon"> - <link rel="stylesheet" href="./styles.css"> - - <!-- adding Bootstrap 5 for UI components --> - <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/css/bootstrap.min.css" rel="stylesheet" - integrity="sha384-Zenh87qX5JnK2Jl0vWa8Ck2rdkQ2Bzep5IDxbcnCeuOxjzrPF/et3URy9Bv1WTRi" crossorigin="anonymous"> - - <!-- msal.min.js can be used in the place of msal-browser.js --> - <script src="/msal-browser.min.js"></script> - </head> - - <body> - <nav class="navbar navbar-expand-sm navbar-dark bg-primary navbarStyle"> - <a class="navbar-brand" href="/">Microsoft identity platform</a> - <div class="navbar-collapse justify-content-end"> - <button type="button" id="signIn" class="btn btn-secondary" onclick="signIn()">Sign-in</button> - <button type="button" id="signOut" class="btn btn-success d-none" onclick="signOut()">Sign-out</button> - </div> - </nav> - <br> - <h5 id="title-div" class="card-header text-center">Vanilla JavaScript single-page application secured with MSAL.js - </h5> - <h5 id="welcome-div" class="card-header text-center d-none"></h5> - <br> - <div class="table-responsive-ms" id="table"> - <table id="table-div" class="table table-striped d-none"> - <thead id="table-head-div"> - <tr> - <th>Claim Type</th> - <th>Value</th> - <th>Description</th> - </tr> - </thead> - <tbody id="table-body-div"> - </tbody> - </table> - </div> - <!-- importing bootstrap.js and supporting js libraries --> - <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" - integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"> - </script> - <script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.6/dist/umd/popper.min.js" - integrity="sha384-oBqDVmMz9ATKxIep9tiCxS/Z9fNfEXiDAYTujMAeBAsjFuCZSmKbSSUnQlmh/jp3" - crossorigin="anonymous"></script> - <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/js/bootstrap.bundle.min.js" - integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3" - crossorigin="anonymous"></script> - - <!-- importing app scripts (load order is important) --> - <script type="text/javascript" src="./authConfig.js"></script> - <script type="text/javascript" src="./ui.js"></script> - <script type="text/javascript" src="./claimUtils.js"></script> - <!-- <script type="text/javascript" src="./authRedirect.js"></script> --> - <!-- uncomment the above line and comment the line below if you would like to use the redirect flow --> - <script type="text/javascript" src="./authPopup.js"></script> - </body> - - </html> - ``` --1. Save the file. --## Add code to the *signout.html* file --1. Open *public/signout.html* and add the following code snippet: -- ```html - <!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1.0"> - <title>Azure AD | Vanilla JavaScript SPA</title> - <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon"> - - <!-- adding Bootstrap 4 for UI components --> - <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous"> - </head> - <body> - <div class="jumbotron" style="margin: 10%"> - <h1>Goodbye!</h1> - <p>You have signed out and your cache has been cleared.</p> - <a class="btn btn-primary" href="/" role="button">Take me back</a> - </div> - </body> - </html> - ``` --1. Save the file. --## Add code to the *ui.js* file --When authorization has been configured, the user interface can be created to allow users to sign in and sign out when the project is run. To build the user interface (UI) for the application, [Bootstrap](https://getbootstrap.com/) is used to create a responsive UI that contains a **Sign-In** and **Sign-Out** button. --1. Open *public/ui.js* and add the following code snippet: -- ```javascript - // Select DOM elements to work with - const signInButton = document.getElementById('signIn'); - const signOutButton = document.getElementById('signOut'); - const titleDiv = document.getElementById('title-div'); - const welcomeDiv = document.getElementById('welcome-div'); - const tableDiv = document.getElementById('table-div'); - const tableBody = document.getElementById('table-body-div'); - - function welcomeUser(username) { - signInButton.classList.add('d-none'); - signOutButton.classList.remove('d-none'); - titleDiv.classList.add('d-none'); - welcomeDiv.classList.remove('d-none'); - welcomeDiv.innerHTML = `Welcome ${username}!`; - }; - - function updateTable(account) { - tableDiv.classList.remove('d-none'); - - const tokenClaims = createClaimsTable(account.idTokenClaims); - - Object.keys(tokenClaims).forEach((key) => { - let row = tableBody.insertRow(0); - let cell1 = row.insertCell(0); - let cell2 = row.insertCell(1); - let cell3 = row.insertCell(2); - cell1.innerHTML = tokenClaims[key][0]; - cell2.innerHTML = tokenClaims[key][1]; - cell3.innerHTML = tokenClaims[key][2]; - }); - }; - ``` --1. Save the file. --## Add code to the *styles.css* file --1. Open *public/styles.css* and add the following code snippet: -- ```css - .navbarStyle { - padding: .5rem 1rem !important; - } - - .table-responsive-ms { - max-height: 39rem !important; - padding-left: 10%; - padding-right: 10%; - } - ``` --1. Save the file. --## Run your project and sign in --Now that all the required code snippets have been added, the application can be called and tested in a web browser. --1. Open a new terminal and run the following command to start your express web server. - ```powershell - npm start - ``` -1. Open a new private browser, and enter the application URI into the browser, `http://localhost:3000/`. -1. Select **No account? Create one**, which starts the sign-up flow. -1. In the **Create account** window, enter the email address registered to your Azure Active Directory (AD) for customers tenant, which starts the sign-up flow as a user for your application. -1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed. -- 1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**. --1. The SPA will now display a button saying **Request Profile Information**. Select it to display profile data. -- :::image type="content" source="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png" alt-text="Screenshot of sign in into a vanilla JS SPA." lightbox="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png"::: --## Sign out of the application --1. To sign out of the application, select **Sign out** in the navigation bar. -1. A window appears asking which account to sign out of. -1. Upon successful sign out, a final window appears advising you to close all browser windows. --## Next steps --- [Enable self-service password reset](./how-to-enable-password-reset-customers.md) |
active-directory | Sample Single Page App Vanillajs Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-single-page-app-vanillajs-sign-in.md | Title: Sign in users in a sample vanilla JavaScript single-page application -description: Learn how to configure a sample JavaSCript single-page application (SPA) to sign in and sign out users. +description: Learn how to configure a sample JavaScript single-page application (SPA) to sign in and sign out users. If you choose to download the `.zip` file, extract the sample app file to a fold ``` 1. Open a web browser and navigate to `http://localhost:3000/`.-1. Select **No account? Create one**, which starts the sign-up flow. -1. In the **Create account** window, enter the email address registered to your customer tenant, which starts the sign-up flow as a user for your application. -1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed. -1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**. +1. Sign-in with an account registered to the customer tenant. +1. Once signed in the display name is shown next to the **Sign out** button as shown in the following screenshot. 1. The SPA will now display a button saying **Request Profile Information**. Select it to display profile data. :::image type="content" source="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png" alt-text="Screenshot of sign in into a vanilla JS SPA." lightbox="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png"::: |
active-directory | Samples Ciam All | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/samples-ciam-all.md | These samples and how-to guides demonstrate how to integrate a single-page appli > [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | - | -- | - |-> | JavaScript, Vanilla | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | +> | JavaScript, Vanilla | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](tutorial-single-page-app-vanillajs-prepare-tenant.md) | > | JavaScript, Angular | • [Sign in users](./sample-single-page-app-angular-sign-in.md) | | > | JavaScript, React | • [Sign in users](./sample-single-page-app-react-sign-in.md) | • [Sign in users](./tutorial-single-page-app-react-sign-in-prepare-tenant.md) | These samples and how-to guides demonstrate how to write a daemon application th > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Single-page application | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | +> | Single-page application | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](tutorial-single-page-app-vanillajs-prepare-tenant.md) | ### JavaScript, Angular |
active-directory | Tutorial Single Page App Vanillajs Configure Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-single-page-app-vanillajs-configure-authentication.md | + + Title: Tutorial - Handle authentication flows in a Vanilla JavaScript single-page app +description: Learn how to configure authentication for a Vanilla JavaScript single-page app (SPA) with your Azure Active Directory (AD) for customers tenant. +++++++++ Last updated : 08/17/2023+#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. +++# Tutorial: Handle authentication flows in a Vanilla JavaScript single-page app ++In the [previous article](./tutorial-single-page-app-vanillajs-prepare-app.md), you created a Vanilla JavaScript (JS) single-page application (SPA) and a server to host it. This tutorial demonstrates how to configure the application to authenticate and authorize users to access protected resources. ++In this tutorial; ++> [!div class="checklist"] +> * Configure the settings for the application +> * Add code to *authRedirect.js* to handle the authentication flow +> * Add code to *authPopup.js* to handle the authentication flow ++## Prerequisites ++* Completion of the prerequisites and steps in [Prepare a single-page application for authentication](tutorial-single-page-app-vanillajs-prepare-app.md). ++## Edit the authentication configuration file ++The application uses the [Implicit Grant Flow](../../develop/v2-oauth2-implicit-grant-flow.md) to authenticate users. The Implicit Grant Flow is a browser-based flow that doesn't require a back-end server. The flow redirects the user to the sign-in page, where the user signs in and consents to the permissions that are being requested by the application. The purpose of *authConfig.js* is to configure the authentication flow. ++1. Open *public/authConfig.js* and add the following code snippet: ++ ```javascript + /** + * Configuration object to be passed to MSAL instance on creation. + * For a full list of MSAL.js configuration parameters, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md + */ + const msalConfig = { + auth: { + clientId: 'Enter_the_Application_Id_Here', // This is the ONLY mandatory field that you need to supply. + authority: 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace "Enter_the_Tenant_Subdomain_Here" with your tenant subdomain + redirectUri: '/', // You must register this URI on Azure Portal/App Registration. Defaults to window.location.href e.g. http://localhost:3000/ + navigateToLoginRequestUrl: true, // If "true", will navigate back to the original request location before processing the auth code response. + }, + cache: { + cacheLocation: 'sessionStorage', // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO. + storeAuthStateInCookie: false, // set this to true if you have to support IE + }, + system: { + loggerOptions: { + loggerCallback: (level, message, containsPii) => { + if (containsPii) { + return; + } + switch (level) { + case msal.LogLevel.Error: + console.error(message); + return; + case msal.LogLevel.Info: + console.info(message); + return; + case msal.LogLevel.Verbose: + console.debug(message); + return; + case msal.LogLevel.Warning: + console.warn(message); + return; + } + }, + }, + }, + }; + + /** + * An optional silentRequest object can be used to achieve silent SSO + * between applications by providing a "login_hint" property. + */ + + // const silentRequest = { + // scopes: ["openid", "profile"], + // loginHint: "example@domain.net" + // }; + + // exporting config object for jest + if (typeof exports !== 'undefined') { + module.exports = { + msalConfig: msalConfig, + loginRequest: loginRequest, + }; + } + ``` ++1. Replace the following values with the values from the Azure portal: + - Find the `Enter_the_Application_Id_Here` value and replace it with the **Application ID (clientId)** of the app you registered in the Microsoft Entra admin center. + - In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, [learn how to read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details). +2. Save the file. ++## Adding code to the redirection file ++A redirection file is required to handle the response from the sign-in page. It is used to extract the access token from the URL fragment and use it to call the protected API. It is also used to handle errors that occur during the authentication process. ++1. Open *public/authRedirect.js* and add the following code snippet: ++ ```javascript + // Create the main myMSALObj instance + // configuration parameters are located at authConfig.js + const myMSALObj = new msal.PublicClientApplication(msalConfig); + + let username = ""; + + /** + * A promise handler needs to be registered for handling the + * response returned from redirect flow. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/initialization.md#redirect-apis + */ + myMSALObj.handleRedirectPromise() + .then(handleResponse) + .catch((error) => { + console.error(error); + }); + + function selectAccount() { + + /** + * See here for more info on account retrieval: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md + */ + + const currentAccounts = myMSALObj.getAllAccounts(); + + if (!currentAccounts) { + return; + } else if (currentAccounts.length > 1) { + // Add your account choosing logic here + console.warn("Multiple accounts detected."); + } else if (currentAccounts.length === 1) { + welcomeUser(currentAccounts[0].username); + updateTable(currentAccounts[0]); + } + } + + function handleResponse(response) { + + /** + * To see the full list of response object properties, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response + */ + + if (response !== null) { + welcomeUser(response.account.username); + updateTable(response.account); + } else { + selectAccount(); + } + } + + function signIn() { + + /** + * You can pass a custom request object below. This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + myMSALObj.loginRedirect(loginRequest); + } + + function signOut() { + + /** + * You can pass a custom request object below. This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + // Choose which account to logout from by passing a username. + const logoutRequest = { + account: myMSALObj.getAccountByUsername(username), + postLogoutRedirectUri: '/signout', // remove this line if you would like navigate to index page after logout. + + }; + + myMSALObj.logoutRedirect(logoutRequest); + } + ``` ++1. Save the file. ++## Adding code to the *authPopup.js* file ++The application uses *authPopup.js* to handle the authentication flow when the user signs in using the pop-up window. The pop-up window is used when the user is already signed in and the application needs to get an access token for a different resource. ++1. Open *public/authPopup.js* and add the following code snippet: ++ ```javascript + // Create the main myMSALObj instance + // configuration parameters are located at authConfig.js + const myMSALObj = new msal.PublicClientApplication(msalConfig); + + let username = ""; + + function selectAccount () { + + /** + * See here for more info on account retrieval: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md + */ + + const currentAccounts = myMSALObj.getAllAccounts(); + + if (!currentAccounts || currentAccounts.length < 1) { + return; + } else if (currentAccounts.length > 1) { + // Add your account choosing logic here + console.warn("Multiple accounts detected."); + } else if (currentAccounts.length === 1) { + username = currentAccounts[0].username + welcomeUser(currentAccounts[0].username); + updateTable(currentAccounts[0]); + } + } + + function handleResponse(response) { + + /** + * To see the full list of response object properties, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response + */ + + if (response !== null) { + username = response.account.username + welcomeUser(username); + updateTable(response.account); + } else { + selectAccount(); + } + } + + function signIn() { + + /** + * You can pass a custom request object below. This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + myMSALObj.loginPopup(loginRequest) + .then(handleResponse) + .catch(error => { + console.error(error); + }); + } + + function signOut() { + + /** + * You can pass a custom request object below. This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + // Choose which account to logout from by passing a username. + const logoutRequest = { + account: myMSALObj.getAccountByUsername(username), + mainWindowRedirectUri: '/signout' + }; + + myMSALObj.logoutPopup(logoutRequest); + } + + selectAccount(); + ``` ++1. Save the file. ++## Next steps ++> [!div class="nextstepaction"] +> [Sign in and sign out of the Vanilla JS SPA](./tutorial-single-page-app-vanillajs-sign-in-sign-out.md) |
active-directory | Tutorial Single Page App Vanillajs Prepare App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-single-page-app-vanillajs-prepare-app.md | + + Title: Tutorial - Prepare a Vanilla JavaScript single-page app (SPA) for authentication in a customer tenant +description: Learn how to prepare a Vanilla JavaScript single-page app (SPA) for authentication and authorization with your Azure Active Directory (AD) for customers tenant. +++++++++ Last updated : 08/17/2023+#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure AD for customers tenant. +++# Tutorial: Prepare a Vanilla JavaScript single-page app for authentication in a customer tenant ++In the [previous article](tutorial-single-page-app-vanillajs-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (AD) for customers tenant. This article shows you how to create a Vanilla JavaScript (JS) single-page app (SPA) and configure it to sign in and sign out users with your customer tenant. ++In this tutorial; ++> [!div class="checklist"] +> * Create a Vanilla JavaScript project in Visual Studio Code +> * Install required packages +> * Add code to *server.js* to create a server ++## Prerequisites ++* Completion of the prerequisites and steps in [Prepare your customer tenant to authenticate a Vanilla JavaScript single-page app](tutorial-single-page-app-vanillajs-prepare-tenant.md). +* Although any integrated development environment (IDE) that supports Vanilla JS applications can be used, **Visual Studio Code** is recommended for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page. +* [Node.js](https://nodejs.org/en/download/). ++## Create a new Vanilla JS project and install dependencies ++1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project. +1. Open a new terminal by selecting **Terminal** > **New Terminal**. +1. Run the following command to create a new Vanilla JS project: ++ ```powershell + npm init -y + ``` +1. Create additional folders and files to achieve the following project structure: ++ ``` + ΓööΓöÇΓöÇ public + ΓööΓöÇΓöÇ authConfig.js + ΓööΓöÇΓöÇ authPopup.js + ΓööΓöÇΓöÇ authRedirect.js + ΓööΓöÇΓöÇ claimUtils.js + ΓööΓöÇΓöÇ https://docsupdatetracker.net/index.html + ΓööΓöÇΓöÇ signout.html + ΓööΓöÇΓöÇ styles.css + ΓööΓöÇΓöÇ ui.js + ΓööΓöÇΓöÇ server.js + ``` + +## Install app dependencies ++1. In the **Terminal**, run the following command to install the required dependencies for the project: ++ ```powershell + npm install express morgan @azure/msal-browser + ``` ++## Edit the *server.js* file ++**Express** is a web application framework for **Node.js**. It's used to create a server that hosts the application. **Morgan** is the middleware that logs HTTP requests to the console. The server file is used to host these dependencies and contains the routes for the application. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview/). ++1. Add the following code snippet to the *server.js* file: ++ ```javascript + const express = require('express'); + const morgan = require('morgan'); + const path = require('path'); + + const DEFAULT_PORT = process.env.PORT || 3000; + + // initialize express. + const app = express(); + + // Configure morgan module to log all requests. + app.use(morgan('dev')); + + // serve public assets. + app.use(express.static('public')); + + // serve msal-browser module + app.use(express.static(path.join(__dirname, "node_modules/@azure/msal-browser/lib"))); + + // set up a route for signout.html + app.get('/signout', (req, res) => { + res.sendFile(path.join(__dirname + '/public/signout.html')); + }); + + // set up a route for redirect.html + app.get('/redirect', (req, res) => { + res.sendFile(path.join(__dirname + '/public/redirect.html')); + }); + + // set up a route for https://docsupdatetracker.net/index.html + app.get('/', (req, res) => { + res.sendFile(path.join(__dirname + '/https://docsupdatetracker.net/index.html')); + }); + + app.listen(DEFAULT_PORT, () => { + console.log(`Sample app listening on port ${DEFAULT_PORT}!`); + }); ++ ``` ++In this code, the **app** variable is initialized with the **express** module and **express** is used to serve the public assets. **Msal-browser** is served as a static asset and is used to initiate the authentication flow. ++## Next steps ++> [!div class="nextstepaction"] +> [Configure SPA for authentication](tutorial-single-page-app-vanillajs-configure-authentication.md) |
active-directory | Tutorial Single Page App Vanillajs Prepare Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-single-page-app-vanillajs-prepare-tenant.md | + + Title: Tutorial - Prepare your customer tenant to authenticate users in a Vanilla JavaScript single-page application +description: Learn how to configure your Azure Active Directory (AD) for customers tenant for authentication with a Vanilla JavaScript single-page app (SPA). +++++++++ Last updated : 08/17/2023+#Customer intent: As a developer, I want to learn how to configure a Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. +++# Tutorial: Prepare your customer tenant to authenticate a Vanilla JavaScript single-page app ++This tutorial series demonstrates how to build a Vanilla JavaScript single-page application (SPA) and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for JavaScript](/javascript/api/overview/msal-overview) library to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences. ++In this tutorial; ++> [!div class="checklist"] +> * Register a SPA in the Microsoft Entra admin center, and record its identifiers +> * Define the platform and URLs +> * Grant permissions to the SPA to access the Microsoft Graph API +> * Create a sign in and sign out user flow in the Microsoft Entra admin center +> * Associate your SPA with the user flow ++## Prerequisites ++- An Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +- This Azure account must have permissions to manage applications. Any of the following Azure AD roles include the required permissions: ++ * Application administrator + * Application developer + * Cloud application administrator ++- An Azure AD for customers tenant. If you haven't already, [create one now](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl). You can use an existing customer tenant if you have one. ++## Register the SPA and record identifiers +++## Add a platform redirect URL +++## Grant API permissions +++## Create a user flow +++## Associate the SPA with the user flow +++## Next steps ++> [!div class="nextstepaction"] +> [Prepare your Vanilla JS SPA](tutorial-single-page-app-Vanillajs-prepare-app.md) |
active-directory | Tutorial Single Page App Vanillajs Sign In Sign Out | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-single-page-app-vanillajs-sign-in-sign-out.md | + + Title: Tutorial - Add sign-in and sign-out to a Vanilla JavaScript single-page app (SPA) for a customer tenant +description: Learn how to configure a Vanilla JavaScript single-page app (SPA) to sign in and sign out users with your Azure Active Directory (AD) for customers tenant. ++++++++ Last updated : 08/02/2023+#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. +++# Tutorial: Add sign-in and sign-out to a Vanilla JavaScript single-page app for a customer tenant ++In the [previous article](tutorial-single-page-app-vanillajs-configure-authentication.md), you edited the popup and redirection files that handle the sign-in page response. This tutorial demonstrates how to build a responsive user interface (UI) that contains a **Sign-In** and **Sign-Out** button and run the project to test the sign-in and sign-out functionality. ++In this tutorial; ++> [!div class="checklist"] +> * Add code to the *https://docsupdatetracker.net/index.html* file to create the user interface +> * Add code to the *signout.html* file to create the sign-out page +> * Sign in and sign out of the application ++## Prerequisites ++* Completion of the prerequisites and steps in [Create components for authentication and authorization](tutorial-single-page-app-vanillajs-configure-authentication.md). ++## Add code to the *https://docsupdatetracker.net/index.html* file ++The main page of the SPA, *https://docsupdatetracker.net/index.html*, is the first page that is loaded when the application is started. It's also the page that is loaded when the user selects the **Sign-Out** button. ++1. Open *public/https://docsupdatetracker.net/index.html* and add the following code snippet: ++ ```html + <!DOCTYPE html> + <html lang="en"> + + <head> + <meta charset="UTF-8"> + <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no"> + <title>Microsoft identity platform</title> + <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon"> + <link rel="stylesheet" href="./styles.css"> + + <!-- adding Bootstrap 5 for UI components --> + <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/css/bootstrap.min.css" rel="stylesheet" + integrity="sha384-Zenh87qX5JnK2Jl0vWa8Ck2rdkQ2Bzep5IDxbcnCeuOxjzrPF/et3URy9Bv1WTRi" crossorigin="anonymous"> + + <!-- msal.min.js can be used in the place of msal-browser.js --> + <script src="/msal-browser.min.js"></script> + </head> + + <body> + <nav class="navbar navbar-expand-sm navbar-dark bg-primary navbarStyle"> + <a class="navbar-brand" href="/">Microsoft identity platform</a> + <div class="navbar-collapse justify-content-end"> + <button type="button" id="signIn" class="btn btn-secondary" onclick="signIn()">Sign-in</button> + <button type="button" id="signOut" class="btn btn-success d-none" onclick="signOut()">Sign-out</button> + </div> + </nav> + <br> + <h5 id="title-div" class="card-header text-center">Vanilla JavaScript single-page application secured with MSAL.js + </h5> + <h5 id="welcome-div" class="card-header text-center d-none"></h5> + <br> + <div class="table-responsive-ms" id="table"> + <table id="table-div" class="table table-striped d-none"> + <thead id="table-head-div"> + <tr> + <th>Claim Type</th> + <th>Value</th> + <th>Description</th> + </tr> + </thead> + <tbody id="table-body-div"> + </tbody> + </table> + </div> + <!-- importing bootstrap.js and supporting js libraries --> + <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" + integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"> + </script> + <script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.6/dist/umd/popper.min.js" + integrity="sha384-oBqDVmMz9ATKxIep9tiCxS/Z9fNfEXiDAYTujMAeBAsjFuCZSmKbSSUnQlmh/jp3" + crossorigin="anonymous"></script> + <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/js/bootstrap.bundle.min.js" + integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3" + crossorigin="anonymous"></script> + + <!-- importing app scripts (load order is important) --> + <script type="text/javascript" src="./authConfig.js"></script> + <script type="text/javascript" src="./ui.js"></script> + <script type="text/javascript" src="./claimUtils.js"></script> + <!-- <script type="text/javascript" src="./authRedirect.js"></script> --> + <!-- uncomment the above line and comment the line below if you would like to use the redirect flow --> + <script type="text/javascript" src="./authPopup.js"></script> + </body> + + </html> + ``` ++1. Save the file. ++## Add code to the *claimUtils.js* file ++1. Open *public/claimUtils.js* and add the following code snippet: + + ```javascript + /** + * Populate claims table with appropriate description + * @param {Object} claims ID token claims + * @returns claimsObject + */ + const createClaimsTable = (claims) => { + let claimsObj = {}; + let index = 0; + + Object.keys(claims).forEach((key) => { + if (typeof claims[key] !== 'string' && typeof claims[key] !== 'number') return; + switch (key) { + case 'aud': + populateClaim( + key, + claims[key], + "Identifies the intended recipient of the token. In ID tokens, the audience is your app's Application ID, assigned to your app in the Azure portal.", + index, + claimsObj + ); + index++; + break; + case 'iss': + populateClaim( + key, + claims[key], + 'Identifies the issuer, or authorization server that constructs and returns the token. It also identifies the Azure AD tenant for which the user was authenticated. If the token was issued by the v2.0 endpoint, the URI will end in /v2.0. The GUID that indicates that the user is a consumer user from a Microsoft account is 9188040d-6c67-4c5b-b112-36a304b66dad.', + index, + claimsObj + ); + index++; + break; + case 'iat': + populateClaim( + key, + changeDateFormat(claims[key]), + 'Issued At indicates when the authentication for this token occurred.', + index, + claimsObj + ); + index++; + break; + case 'nbf': + populateClaim( + key, + changeDateFormat(claims[key]), + 'The nbf (not before) claim identifies the time (as UNIX timestamp) before which the JWT must not be accepted for processing.', + index, + claimsObj + ); + index++; + break; + case 'exp': + populateClaim( + key, + changeDateFormat(claims[key]), + "The exp (expiration time) claim identifies the expiration time (as UNIX timestamp) on or after which the JWT must not be accepted for processing. It's important to note that in certain circumstances, a resource may reject the token before this time. For example, if a change in authentication is required or a token revocation has been detected.", + index, + claimsObj + ); + index++; + break; + case 'name': + populateClaim( + key, + claims[key], + "The principal about which the token asserts information, such as the user of an application. This value is immutable and can't be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource. By default, the subject claim is populated with the object ID of the user in the directory", + index, + claimsObj + ); + index++; + break; + case 'preferred_username': + populateClaim( + key, + claims[key], + 'The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since it is mutable, this value must not be used to make authorization decisions. It can be used for username hints, however, and in human-readable UI as a username. The profile scope is required in order to receive this claim.', + index, + claimsObj + ); + index++; + break; + case 'nonce': + populateClaim( + key, + claims[key], + 'The nonce matches the parameter included in the original /authorize request to the IDP. If it does not match, your application should reject the token.', + index, + claimsObj + ); + index++; + break; + case 'oid': + populateClaim( + key, + claims[key], + 'The oid (userΓÇÖs object id) is the only claim that should be used to uniquely identify a user in an Azure AD tenant. The token might have one or more of the following claim, that might seem like a unique identifier, but is not and should not be used as such.', + index, + claimsObj + ); + index++; + break; + case 'tid': + populateClaim( + key, + claims[key], + 'The tenant ID. You will use this claim to ensure that only users from the current Azure AD tenant can access this app.', + index, + claimsObj + ); + index++; + break; + case 'upn': + populateClaim( + key, + claims[key], + '(user principal name) ΓÇô might be unique amongst the active set of users in a tenant but tend to get reassigned to new employees as employees leave the organization and others take their place or might change to reflect a personal change like marriage.', + index, + claimsObj + ); + index++; + break; + case 'email': + populateClaim( + key, + claims[key], + 'Email might be unique amongst the active set of users in a tenant but tend to get reassigned to new employees as employees leave the organization and others take their place.', + index, + claimsObj + ); + index++; + break; + case 'acct': + populateClaim( + key, + claims[key], + 'Available as an optional claim, it lets you know what the type of user (homed, guest) is. For example, for an individualΓÇÖs access to their data you might not care for this claim, but you would use this along with tenant id (tid) to control access to say a company-wide dashboard to just employees (homed users) and not contractors (guest users).', + index, + claimsObj + ); + index++; + break; + case 'sid': + populateClaim(key, claims[key], 'Session ID, used for per-session user sign-out.', index, claimsObj); + index++; + break; + case 'sub': + populateClaim( + key, + claims[key], + 'The sub claim is a pairwise identifier - it is unique to a particular application ID. If a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim.', + index, + claimsObj + ); + index++; + break; + case 'ver': + populateClaim( + key, + claims[key], + 'Version of the token issued by the Microsoft identity platform', + index, + claimsObj + ); + index++; + break; + case 'auth_time': + populateClaim( + key, + claims[key], + 'The time at which a user last entered credentials, represented in epoch time. There is no discrimination between that authentication being a fresh sign-in, a single sign-on (SSO) session, or another sign-in type.', + index, + claimsObj + ); + index++; + break; + case 'at_hash': + populateClaim( + key, + claims[key], + 'An access token hash included in an ID token only when the token is issued together with an OAuth 2.0 access token. An access token hash can be used to validate the authenticity of an access token', + index, + claimsObj + ); + index++; + break; + case 'uti': + case 'rh': + index++; + break; + default: + populateClaim(key, claims[key], '', index, claimsObj); + index++; + } + }); + + return claimsObj; + }; + + /** + * Populates claim, description, and value into an claimsObject + * @param {string} claim + * @param {string} value + * @param {string} description + * @param {number} index + * @param {Object} claimsObject + */ + const populateClaim = (claim, value, description, index, claimsObject) => { + let claimsArray = []; + claimsArray[0] = claim; + claimsArray[1] = value; + claimsArray[2] = description; + claimsObject[index] = claimsArray; + }; + + /** + * Transforms Unix timestamp to date and returns a string value of that date + * @param {string} date Unix timestamp + * @returns + */ + const changeDateFormat = (date) => { + let dateObj = new Date(date * 1000); + return `${date} - [${dateObj.toString()}]`; + }; + ``` ++1. Save the file. ++## Add code to the *signout.html* file ++1. Open *public/signout.html* and add the following code snippet: ++ ```html + <!DOCTYPE html> + <html lang="en"> + <head> + <meta charset="UTF-8"> + <meta name="viewport" content="width=device-width, initial-scale=1.0"> + <title>Azure AD | Vanilla JavaScript SPA</title> + <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon"> + + <!-- adding Bootstrap 4 for UI components --> + <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/boot8strap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous"> + </head> + <body> + <div class="jumbotron" style="margin: 10%"> + <h1>Goodbye!</h1> + <p>You have signed out and your cache has been cleared.</p> + <a class="btn btn-primary" href="/" role="button">Take me back</a> + </div> + </body> + </html> + ``` ++1. Save the file. ++## Add code to the *ui.js* file ++When authorization has been configured, the user interface can be created to allow users to sign in and sign out when the project is run. To build the user interface (UI) for the application, [Bootstrap](https://getbootstrap.com/) is used to create a responsive UI that contains a **Sign-In** and **Sign-Out** button. ++1. Open *public/ui.js* and add the following code snippet: ++ ```javascript + // Select DOM elements to work with + const signInButton = document.getElementById('signIn'); + const signOutButton = document.getElementById('signOut'); + const titleDiv = document.getElementById('title-div'); + const welcomeDiv = document.getElementById('welcome-div'); + const tableDiv = document.getElementById('table-div'); + const tableBody = document.getElementById('table-body-div'); + + function welcomeUser(username) { + signInButton.classList.add('d-none'); + signOutButton.classList.remove('d-none'); + titleDiv.classList.add('d-none'); + welcomeDiv.classList.remove('d-none'); + welcomeDiv.innerHTML = `Welcome ${username}!`; + }; + + function updateTable(account) { + tableDiv.classList.remove('d-none'); + + const tokenClaims = createClaimsTable(account.idTokenClaims); + + Object.keys(tokenClaims).forEach((key) => { + let row = tableBody.insertRow(0); + let cell1 = row.insertCell(0); + let cell2 = row.insertCell(1); + let cell3 = row.insertCell(2); + cell1.innerHTML = tokenClaims[key][0]; + cell2.innerHTML = tokenClaims[key][1]; + cell3.innerHTML = tokenClaims[key][2]; + }); + }; + ``` ++1. Save the file. ++## Add code to the *styles.css* file ++1. Open *public/styles.css* and add the following code snippet: ++ ```css + .navbarStyle { + padding: .5rem 1rem !important; + } + + .table-responsive-ms { + max-height: 39rem !important; + padding-left: 10%; + padding-right: 10%; + } + ``` ++1. Save the file. ++## Run your project and sign in ++Now that all the required code snippets have been added, the application can be called and tested in a web browser. ++1. Open a new terminal and run the following command to start your express web server. + ```powershell + npm start + ``` +1. Open a new private browser, and enter the application URI into the browser, `http://localhost:3000/`. +1. Select **No account? Create one**, which starts the sign-up flow. +1. In the **Create account** window, enter the email address registered to your Azure Active Directory (AD) for customers tenant, which starts the sign-up flow as a user for your application. +1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed. ++ 1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**. ++1. The SPA will now display a button saying **Request Profile Information**. Select it to display profile data. ++ :::image type="content" source="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png" alt-text="Screenshot of sign in into a Vanilla JS SPA." lightbox="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png"::: ++## Sign out of the application ++1. To sign out of the application, select **Sign out** in the navigation bar. +1. A window appears asking which account to sign out of. +1. Upon successful sign out, a final window appears advising you to close all browser windows. ++## Next steps ++- [Enable self-service password reset](./how-to-enable-password-reset-customers.md) |
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/whats-new-docs.md | Title: "What's new in Azure Active Directory for customers" description: "New and updated documentation for the Azure Active Directory for customers documentation." Previously updated : 08/01/2023 Last updated : 08/17/2023 Welcome to what's new in Azure Active Directory for customers documentation. Thi - [Add user attributes to token claims](how-to-add-attributes-to-token.md) - Added attributes to token claims: fixed steps for updating the app manifest - [Tutorial: Prepare a React single-page app (SPA) for authentication in a customer tenant](./tutorial-single-page-app-react-sign-in-prepare-app.md) - JavaScript tutorial edits, code sample updates and fixed SPA aligning content styling - [Tutorial: Add sign-in and sign-out to a React single-page app (SPA) for a customer tenant](./tutorial-single-page-app-react-sign-in-sign-out.md) - JavaScript tutorial edits and fixed SPA aligning content styling-- [Tutorial: Handle authentication flows in a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-configure-authentication.md) - Fixed SPA aligning content styling-- [Tutorial: Prepare a vanilla JavaScript single-page app for authentication in a customer tenant](how-to-single-page-app-vanillajs-prepare-app.md) - Fixed SPA aligning content styling-- [Tutorial: Prepare your customer tenant to authenticate a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-prepare-tenant.md) - Fixed SPA aligning content styling-- [Tutorial: Add sign-in and sign-out to a vanilla JavaScript single-page app for a customer tenant](how-to-single-page-app-vanillajs-sign-in-sign-out.md) - Fixed SPA aligning content styling+- [Tutorial: Handle authentication flows in a Vanilla JavaScript single-page app](tutorial-single-page-app-vanillajs-configure-authentication.md) - Fixed SPA aligning content styling +- [Tutorial: Prepare a Vanilla JavaScript single-page app for authentication in a customer tenant](tutorial-single-page-app-vanillajs-prepare-app.md) - Fixed SPA aligning content styling +- [Tutorial: Prepare your customer tenant to authenticate a Vanilla JavaScript single-page app](tutorial-single-page-app-vanillajs-prepare-tenant.md) - Fixed SPA aligning content styling +- [Tutorial: Add sign-in and sign-out to a Vanilla JavaScript single-page app for a customer tenant](tutorial-single-page-app-vanillajs-sign-in-sign-out.md) - Fixed SPA aligning content styling - [Tutorial: Prepare your customer tenant to authenticate users in a React single-page app (SPA)](tutorial-single-page-app-react-sign-in-prepare-tenant.md) - Fixed SPA aligning content styling - [Tutorial: Prepare an ASP.NET web app for authentication in a customer tenant](tutorial-web-app-dotnet-sign-in-prepare-app.md) - ASP.NET web app fixes - [Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app](tutorial-web-app-dotnet-sign-in-prepare-tenant.md) - ASP.NET web app fixes |
active-directory | Customize Invitation Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customize-invitation-api.md | description: Azure Active Directory B2B collaboration supports your cross-compan + Last updated 12/02/2022 -# Customer intent: As a tenant administrator, I want to customize the invitation process with the API. +# Customer intent: As a tenant administrator, I want to customize the invitation process with the API. # Azure Active Directory B2B collaboration API and customization Check out the invitation API reference in [https://developer.microsoft.com/graph - [What is Azure AD B2B collaboration?](what-is-b2b.md) - [Add and invite guest users](add-users-administrator.md) - [The elements of the B2B collaboration invitation email](invitation-email-elements.md)- |
active-directory | Direct Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/direct-federation.md | Last updated 03/15/2023 -+ |
active-directory | External Collaboration Settings Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-collaboration-settings-configure.md | description: Learn how to enable Active Directory B2B external collaboration and + Last updated 10/24/2022 |
active-directory | Facebook Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/facebook-federation.md | Last updated 01/20/2023 -+ --# Customer intent: As a tenant administrator, I want to set up Facebook as an identity provider for guest user login. +# Customer intent: As a tenant administrator, I want to set up Facebook as an identity provider for guest user login. # Add Facebook as an identity provider for External Identities |
active-directory | Google Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/google-federation.md | Last updated 01/20/2023 -+ |
active-directory | Invite Internal Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/invite-internal-users.md | description: If you have internal user accounts for partners, distributors, supp + Last updated 07/27/2023 |
active-directory | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/troubleshoot.md | Last updated 05/23/2023 tags: active-directory -+ |
active-directory | User Properties | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/user-properties.md | Last updated 05/18/2023 -+ --# Customer intent: As a tenant administrator, I want to learn about B2B collaboration guest user properties and states before and after invitation redemption. +# Customer intent: As a tenant administrator, I want to learn about B2B collaboration guest user properties and states before and after invitation redemption. # Properties of an Azure Active Directory B2B collaboration user |
active-directory | Custom Security Attributes Add | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-add.md | |
active-directory | Custom Security Attributes Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-manage.md | |
active-directory | Data Storage Eu | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-eu.md | The following sections provide information about customer data that doesn't meet ## Services permanently excluded from the EU Data Residency and EU Data Boundary -* **Reason for customer data egress** - Some forms of communication rely on a network that is operated by global providers, such as phone calls and SMS. Device vendor-specific services such Apple Push Notifications, may be outside of Europe. +* **Reason for customer data egress** - Some forms of communication, such as phone calls or text messaging platforms like SMS, RCS, or WhatsApp, rely on a network that is operated by global providers. Device vendor-specific services, such as push notifications from Apple or Google, may be outside of Europe. * **Types of customer data being egressed** - User account data (phone number). * **Customer data location at rest** - In EU Data Boundary. * **Customer data processing** - Some processing may occur globally. |
active-directory | New Name | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/new-name.md | -To unify the [Microsoft Entra](/entra) product family, reflect the progression to modern multicloud identity security, and simplify secure access experiences for all, we're renaming Azure Active Directory (Azure AD) to Microsoft Entra ID. +To communicate the multicloud, multiplatform functionality of the products, alleviate confusion with Windows Server Active Directory, and unify the [Microsoft Entra](/entra) product family, we're renaming Azure Active Directory (Azure AD) to Microsoft Entra ID. -## No action is required from you +## No interruptions to usage or service If you're using Azure AD today or are currently deploying Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations will continue to function as they do today without any action from you. You can continue to use familiar Azure AD capabilities that you can access through the Azure portal, Microsoft 365 admin center, and the [Microsoft Entra admin center](https://entra.microsoft.com). -## Only the name is changing - All features and capabilities are still available in the product. Licensing, terms, service-level agreements, product certifications, support and pricing remain the same. +To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling. + Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô will continue to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra). :::image type="content" source="./media/new-name/azure-ad-new-name.png" alt-text="Diagram showing the new name for Azure AD and Azure AD External Identities." border="false" lightbox="./media/new-name/azure-ad-new-name-high-res.png"::: During 2023, you may see both the current Azure AD name and the new Microsoft Entra ID name in support area paths. For self-service support, look for the topic path of "Microsoft Entra" or "Azure Active Directory/Microsoft Entra ID." -## Identity developer and devops experiences aren't impacted by the rename +## Guide to Azure AD name changes and exceptions -To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling. +We encourage content creators, organizations with internal documentation for IT or identity security admins, developers of Azure AD-enabled apps, independent software vendors, or partners of Microsoft to update your experiences and use the new name by the end of 2023. We recommend changing the name in customer-facing experiences, prioritizing highly visible surfaces. -Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts. +### Product name -Naming is also not changing for: +Microsoft Entra ID is the new name for Azure AD. Please replace the product names Azure Active Directory, Azure AD, and AAD with Microsoft Entra ID. -- [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) - Use to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API.-- [Microsoft Graph](/graph) - Get programmatic access to organizations, user, and application data stored in Microsoft Entra ID.-- [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) - Acts as an API wrapper for the Microsoft Graph APIs and helps administer every Microsoft Entra ID feature that has an API in Microsoft Graph.-- [Windows Server Active Directory](/troubleshoot/windows-server/identity/active-directory-overview), commonly known as "Active Directory," and all related Windows Server identity services associated with Active Directory.-- [Active Directory Federation Services (AD FS)](/windows-server/identity/active-directory-federation-services) nor [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/active-directory-domain-services) nor the product name "Active Directory" or any corresponding features.-- [Azure Active Directory B2C](../../active-directory-b2c/index.yml) will continue to be available as an Azure service.-- [Any deprecated or retired functionality, feature, or service](what-is-deprecated.md) of Azure AD.+- Microsoft Entra is the name for the product family of identity and network access solutions. +- Microsoft Entra ID is one of the products within that family. +- Acronym usage is not encouraged, but if you must replace AAD with an acronym due to space limitations, please use ME-ID. ++### Logo/icon ++Please change the Azure AD product icon in your experiences. The Azure AD icons are now at end-of-life. ++| **Azure AD product icons** | **Microsoft Entra ID product icon** | +|:--:|:--:| +| ![Azure AD product icon](./media/new-name/azure-ad-icon-1.png) ![Alternative Azure AD product icon](./media/new-name/azure-ad-icon-2.png) | ![Microsoft Entra ID product icon](./media/new-name/microsoft-entra-id-icon.png) | ++You can download the new Microsoft Entra ID icon here: [Microsoft Entra architecture icons](../architecture/architecture-icons.md) ++### Feature names ++Capabilities or services formerly known as "Azure Active Directory <feature name>" or "Azure AD <feature name>" will be branded as Microsoft Entra product family features. This is done across our portfolio to avoid naming length and complexity, and because many features work across all the products. For example: ++- "Azure AD Conditional Access" is now "Microsoft Entra Conditional Access" +- "Azure AD single sign-on" is now "Microsoft Entra single sign-on" ++See the [Glossary of updated terminology](#glossary-of-updated-terminology) later in this article for more examples. ++### Exceptions and clarifications to the Azure AD name change ++Names aren't changing for Active Directory, developer tools, Azure AD B2C, nor deprecated or retired functionality, features, or services. ++Don't rename the following features, functionality, or services. ++#### Azure AD renaming exceptions and clarifications ++| **Correct terminology** | **Details** | +|-|-| +| Active Directory <br/><br/>• Windows Server Active Directory <br/>• Active Directory Federation Services (AD FS) <br/>• Active Directory Domain Services (AD DS) <br/>• Active Directory <br/>• Any Active Directory feature(s) | Windows Server Active Directory, commonly known as Active Directory, and related features and services associated with Active Directory aren't branded with Microsoft Entra. | +| Authentication library <br/><br/>• Azure AD Authentication Library (ADAL) <br/>• Microsoft Authentication Library (MSAL) | Azure Active Directory Authentication Library (ADAL) is deprecated. While existing apps that use ADAL will continue to work, Microsoft will no longer release security fixes on ADAL. Migrate applications to the Microsoft Authentication Library (MSAL) to avoid putting your app's security at risk. <br/><br/>[Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) - Provides security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. | +| B2C <br/><br/>• Azure Active Directory B2C <br/>• Azure AD B2C | [Azure Active Directory B2C](/azure/active-directory-b2c) isn't being renamed. Microsoft Entra External ID for customers is Microsoft's new customer identity and access management (CIAM) solution. | +| Graph <br/><br/>• Azure Active Directory Graph <br/>• Azure AD Graph <br/>• Microsoft Graph | Azure Active Directory (Azure AD) Graph is deprecated. Going forward, we will make no further investment in Azure AD Graph, and Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.<br/><br/>[Microsoft Graph](/graph) - Grants programmatic access to organization, user, and application data stored in Microsoft Entra ID. | +| PowerShell <br/><br/>• Azure Active Directory PowerShell <br/>• Azure AD PowerShell <br/>• Microsoft Graph PowerShell | Azure AD PowerShell for Graph is planned for deprecation on March 30, 2024. For more info on the deprecation plans, see the deprecation update. We encourage you to migrate to Microsoft Graph PowerShell, which is the recommended module for interacting with Azure AD. <br/><br/>[Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) - Acts as an API wrapper for the Microsoft Graph APIs and helps administer every Microsoft Entra ID feature that has an API in Microsoft Graph. | +| Accounts <br/><br/>• Microsoft account <br/>• Work or school account | For end user sign-ins and account experiences, follow guidance for work and school accounts in [Sign in with Microsoft branding guidelines](../develop/howto-add-branding-in-apps.md). | +| Microsoft identity platform | The Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts. | ++## Glossary of updated terminology ++Features of the identity and network access products are attributed to Microsoft EntraΓÇöthe product family, not the individual product name. ++You're not required to use the Microsoft Entra attribution with features. Only use if needed to clarify whether you're talking about a concept versus the feature in a specific product, or when comparing a Microsoft Entra feature with a competing feature. ++Only official product names are capitalized, plus Conditional Access and My * apps. ++| **Category** | **Old terminology** | **Correct name as of July 2023** | +|-||-| +| **Microsoft Entra product family** | Microsoft Azure Active Directory<br/> Azure Active Directory<br/> Azure Active Directory (Azure AD)<br/> Azure AD<br/> AAD | Microsoft Entra ID<br/> (Second use: Microsoft Entra ID is preferred, ID is acceptable in product/UI experiences, ME-ID if abbreviation is necessary) | +| | Azure Active Directory External Identities<br/> Azure AD External Identities | Microsoft Entra External ID<br/> (Second use: External ID) | +| | Azure Active Directory Identity Governance<br/> Azure AD Identity Governance<br/> Microsoft Entra Identity Governance | Microsoft Entra ID Governance<br/> (Second use: ID Governance) | +| | *New* | Microsoft Entra Internet Access<br/> (Second use: Internet Access) | +| | Cloud Knox | Microsoft Entra Permissions Management<br/> (Second use: Permissions Management) | +| | *New* | Microsoft Entra Private Access<br/> (Second use: Private Access) | +| | Azure Active Directory Verifiable Credentials<br/> Azure AD Verifiable Credentials | Microsoft Entra Verified ID<br/> (Second use: Verified ID) | +| | Azure Active Directory Workload Identities<br/> Azure AD Workload Identities | Microsoft Entra Workload ID<br/> (Second use: Workload ID) | +| | Azure Active Directory Domain Services<br/> Azure AD Domain Services | Microsoft Entra Domain Services<br/> (Second use: Domain Services) | +| **Microsoft Entra ID SKUs** | Azure Active Directory Premium P1 | Microsoft Entra ID P1 | +| | Azure Active Directory Premium P1 for faculty | Microsoft Entra ID P1 for faculty | +| | Azure Active Directory Premium P1 for students | Microsoft Entra ID P1 for students | +| | Azure Active Directory Premium P1 for government | Microsoft Entra ID P1 for government | +| | Azure Active Directory Premium P2 | Microsoft Entra ID P2 | +| | Azure Active Directory Premium P2 for faculty | Microsoft Entra ID P2 for faculty | +| | Azure Active Directory Premium P2 for students | Microsoft Entra ID P2 for students | +| | Azure Active Directory Premium P2 for government | Microsoft Entra ID P2 for government | +| | Azure Active Directory Premium F2 | Microsoft Entra ID F2 | +| **Microsoft Entra ID service plans** | Azure Active Directory Free | Microsoft Entra ID Free | +| | Azure Active Directory Premium P1 | Microsoft Entra ID P1 | +| | Azure Active Directory Premium P2 | Microsoft Entra ID P2 | +| | Azure Active Directory for education | Microsoft Entra ID for education | +| **Features and functionality** | Azure AD access token authentication<br/> Azure Active Directory access token authentication | Microsoft Entra access token authenticationΓÇ»| +| | Azure AD account<br/> Azure Active Directory account | Microsoft Entra account<br/><br/> This terminology is only used with IT admins and developers. End users authenticate with a work or school account. | +| | Azure AD activity logs<br/> Azure AD audit log | Microsoft Entra activity logs | +| | Azure AD admin<br/> Azure Active Directory admin | Microsoft Entra admin | +| | Azure AD admin center<br/> Azure Active Directory admin center | Replace with Microsoft Entra admin center and update link to entra.microsoft.com | +| | Azure AD application proxy<br/> Azure Active Directory application proxy | Microsoft Entra application proxy | +| | Azure AD authentication<br/> authenticate with an Azure AD identity<br/> authenticate with Azure AD<br/> authentication to Azure AD | Microsoft Entra authentication<br/> authenticate with a Microsoft Entra identity<br/> authenticate with Microsoft Entra<br/> authentication to Microsoft Entra<br/><br/> This terminology is only used with administrators. End users authenticate with a work or school account. | +| | Azure AD B2B<br/> Azure Active Directory B2B | Microsoft Entra B2B | +| | Azure AD built-in roles<br/> Azure Active Directory built-in roles | Microsoft Entra built-in roles | +| | Azure AD Conditional Access<br/> Azure Active Directory Conditional Access | Microsoft Entra Conditional Access<br/> (Second use: Conditional Access) | +| | Azure AD cloud-only identities<br/> Azure Active Directory cloud-only identities | Microsoft Entra cloud-only identities | +| | Azure AD Connect<br/> Azure Active Directory Connect | Microsoft Entra Connect | +| | Azure AD Connect Sync<br/> Azure Active Directory Connect Sync | Microsoft Entra Connect Sync | +| | Azure AD domain<br/> Azure Active Directory domain | Microsoft Entra domain | +| | Azure AD Domain Services<br/> Azure Active Directory Domain Services | Microsoft Entra Domain Services | +| | Azure AD enterprise application<br/> Azure Active Directory enterprise application | Microsoft Entra enterprise application | +| | Azure AD federation services<br/> Azure Active Directory federation services | Active Directory Federation Services | +| | Azure AD groups<br/> Azure Active Directory groups | Microsoft Entra groups | +| | Azure AD hybrid identities<br/> Azure Active Directory hybrid identities | Microsoft Entra hybrid identities | +| | Azure AD identities<br/> Azure Active Directory identities | Microsoft Entra identities | +| | Azure AD identity protection<br/> Azure Active Directory identity protection | Microsoft Entra ID Protection | +| | Azure AD integrated authentication<br/> Azure Active Directory integrated authentication | Microsoft Entra integrated authentication | +| | Azure AD join<br/> Azure AD joined<br/> Azure Active Directory join<br/> Azure Active Directory joined | Microsoft Entra join<br/> Microsoft Entra joined | +| | Azure AD login<br/> Azure Active Directory login | Microsoft Entra login | +| | Azure AD managed identities<br/> Azure Active Directory managed identities | Microsoft Entra managed identities | +| | Azure AD multifactor authentication (MFA)<br/> Azure Active Directory multifactor authentication (MFA) | Microsoft Entra multifactor authentication (MFA)<br/> (Second use: MFA) | +| | Azure AD OAuth and OpenID Connect<br/> Azure Active Directory OAuth and OpenID Connect | Microsoft Entra ID OAuth and OpenID Connect | +| | Azure AD object<br/> Azure Active Directory object | Microsoft Entra object | +| | Azure Active Directory-only authentication<br/> Azure AD-only authentication | Microsoft Entra-only authentication | +| | Azure AD pass-through authentication (PTA)<br/> Azure Active Directory pass-through authentication (PTA) | Microsoft Entra pass-through authentication | +| | Azure AD password authentication<br/> Azure Active Directory password authentication | Microsoft Entra password authentication | +| | Azure AD password hash synchronization (PHS)<br/> Azure Active Directory password hash synchronization (PHS) | Microsoft Entra password hash synchronization | +| | Azure AD password protection<br/> Azure Active Directory password protection | Microsoft Entra password protection | +| | Azure AD principal ID<br/> Azure Active Directory principal ID | Microsoft Entra principal ID | +| | Azure AD Privileged Identity Management (PIM)<br/> Azure Active Directory Privileged Identity Management (PIM) | Microsoft Entra Privileged Identity Management (PIM) | +| | Azure AD registered<br/> Azure Active Directory registered | Microsoft Entra registered | +| | Azure AD reporting and monitoring<br/> Azure Active Directory reporting and monitoring | Microsoft Entra reporting and monitoring | +| | Azure AD role<br/> Azure Active Directory role | Microsoft Entra role | +| | Azure AD schema<br/> Azure Active Directory schema | Microsoft Entra schema | +| | Azure AD Seamless single sign-on (SSO)<br/> Azure Active Directory Seamless single sign-on (SSO) | Microsoft Entra seamless single sign-on (SSO)<br/> (Second use: SSO) | +| | Azure AD self-service password reset (SSPR)<br/> Azure Active Directory self-service password reset (SSPR) | Microsoft Entra self-service password reset (SSPR) | +| | Azure AD service principal<br/> Azure Active Directory service principal | Microsoft Entra service principal | +| | Azure AD Sync<br/> Azure Active Directory Sync | Microsoft Entra Sync | +| | Azure AD tenant<br/> Azure Active Directory tenant | Microsoft Entra tenant | +| | Create a user in Azure AD<br/> Create a user in Azure Active Directory | Create a user in Microsoft Entra | +| | Federated with Azure AD<br/> Federated with Azure Active Directory | Federated with Microsoft Entra | +| | Hybrid Azure AD Join<br/> Hybrid Azure AD Joined | Microsoft Entra hybrid join<br/> Microsoft Entra hybrid joined | +| | Managed identities in Azure AD for Azure SQL | Managed identities in Microsoft Entra for Azure SQL | +| **Acronym usage** | AAD | ME-ID<br/><br/> Note that this isn't an official abbreviation for the product but may be used in code or when absolute shortest form is required. | ## Frequently asked questions ### When is the name change happening? -The name change will start appearing across Microsoft experiences after a 30-day notification period, which started July 11, 2023. Display names for SKUs and service plans will change on October 1, 2023. We expect most naming text string changes in Microsoft experiences to be completed by the end of 2023. +The name change will appear across Microsoft experiences starting August 15, 2023. Display names for SKUs and service plans will change on October 1, 2023. We expect most naming text string changes in Microsoft experiences and partner experiences to be completed by the end of 2023. ### Why is the name being changed? No, only the name Azure AD is going away. Capabilities remain the same. ### What will happen to the Azure AD capabilities and features like App Gallery or Conditional Access? +All features and capabilities remain unchanged aside from the name. Customers can continue to use all features without any interruption. + The naming of features changes to Microsoft Entra. For example: - Azure AD tenant -> Microsoft Entra tenant - Azure AD account -> Microsoft Entra account-- Azure AD joined -> Microsoft Entra joined-- Azure AD Conditional Access -> Microsoft Entra Conditional Access -All features and capabilities remain unchanged aside from the name. Customers can continue to use all features without any interruption. +See the [Glossary of updated terminology](#glossary-of-updated-terminology) for more examples. ### Are licenses changing? Are there any changes to pricing? There are no changes to the identity features and functionality available in Mic In addition to the capabilities they already have, Microsoft 365 E5 customers will also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra P2, currently known as Azure AD Premium P2. -### How and when are customers being notified? --The name changes are publicly announced as of July 11, 2023. --Banners, alerts, and message center posts will notify users of the name change. These will be displayed on the tenant overview page, portals including Azure, Microsoft 365, and Microsoft Entra admin center, and Microsoft Learn. --### What if I use the Azure AD name in my content or app? --We'd like your help spreading the word about the name change and implementing it in your own experiences. If you're a content creator, author of internal documentation for IT or identity security admins, developer of Azure ADΓÇôenabled apps, independent software vendor, or Microsoft partner, we hope you use the naming guidance outlined in the following section ([Azure AD name changes and exceptions](#azure-ad-name-changes-and-exceptions)) to make the name change in your content and product experiences by the end of 2023. --## Azure AD name changes and exceptions --We encourage content creators, organizations with internal documentation for IT or identity security admins, developers of Azure AD-enabled apps, independent software vendors, or partners of Microsoft to stay current with the new naming guidance by updating copy by the end of 2023. We recommend changing the name in customer-facing experiences, prioritizing highly visible surfaces. --### Product name --Replace the product name "Azure Active Directory" or "Azure AD" or "AAD" with Microsoft Entra ID. +### What's changing for identity developer and devops experience? -*Microsoft Entra* is the correct name for the family of identity and network access solutions, one of which is *Microsoft Entra ID.* +Identity developer and devops experiences aren't being renamed. To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling. -### Logo/icon +Many technical components either have low visibility to customers (for example, sign-in URLs), or usually aren't branded, like APIs. -Azure AD is becoming Microsoft Entra ID, and the product icon is also being updated. Work with your Microsoft partner organization to obtain the new product icon. --### Feature names +Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts. -Capabilities or services formerly known as "Azure Active Directory <feature name>" or "Azure AD <feature name>" will be branded as Microsoft Entra product family features. For example: +Naming is also not changing for: -- "Azure AD Conditional Access" is becoming "Microsoft Entra Conditional Access"-- "Azure AD single sign-on" is becoming "Microsoft Entra single sign-on"-- "Azure AD tenant" is becoming "Microsoft Entra tenant"+- [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview) ΓÇô Acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. +- [Microsoft Graph](/graph) ΓÇô Get programmatic access to organizational, user, and application data stored in Microsoft Entra ID. +- [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) ΓÇô Acts as an API wrapper for the Microsoft Graph APIs; helps administer every Microsoft Entra ID feature that has an API in Microsoft Graph. +- [Windows Server Active Directory](/troubleshoot/windows-server/identity/active-directory-overview), commonly known as ΓÇ£Active DirectoryΓÇ¥, and all related Windows Server identity services, associated with Active Directory. +- [Active Directory Federation Services (AD FS)](/windows-server/identity/active-directory-federation-services) nor [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/active-directory-domain-services) nor the product name ΓÇ£Active DirectoryΓÇ¥ or any corresponding features. +- [Azure Active Directory B2C](/azure/active-directory-b2c) will continue to be available as an Azure service. +- Any deprecated or retired functionality, feature, or service of Azure Active Directory. -### Exceptions to Azure AD name change +### How and when are customers being notified? -Products or features that are being deprecated aren't being renamed. These products or features include: +The name changes were publicly announced on July 11, 2023. -- Azure AD Authentication Library (ADAL), replaced by [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md)-- Azure AD Graph, replaced by [Microsoft Graph](/graph)-- Azure Active Directory PowerShell for Graph (Azure AD PowerShell), replaced by [Microsoft Graph PowerShell](/powershell/microsoftgraph)+Banners, alerts, and message center posts notified users of the name change. The change was also displayed on the tenant overview page in the portals including Azure, Microsoft 365, and Microsoft Entra admin center, and Microsoft Learn. -Names that don't have "Azure AD" also aren't changing. These products or features include Active Directory Federation Services (AD FS), Microsoft identity platform, and Windows Server Active Directory Domain Services (AD DS). +### What if I use the Azure AD name in my content or app? -End users shouldn't be exposed to the Azure AD or Microsoft Entra ID name. For sign-ins and account user experiences, follow guidance for work and school accounts in [Sign in with Microsoft branding guidelines](../develop/howto-add-branding-in-apps.md). +We'd like your help spreading the word about the name change and implementing it in your own experiences. If you're a content creator, author of internal documentation for IT or identity security admins, developer of Azure ADΓÇôenabled apps, independent software vendor, or Microsoft partner, we hope you use the naming guidance outlined in the ([Glossary of updated terminology](#glossary-of-updated-terminology)) to make the name change in your content and product experiences by the end of 2023. ## Next steps |
active-directory | Scenario Azure First Sap Identity Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md | This document provides advice on the **technical design and configuration** of S | [IDS](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/d6a8db70bdde459f92f2837349f95090.html) | SAP ID Service. An instance of IAS used by SAP to authenticate customers and partners to SAP-operated PaaS and SaaS services. | | [IPS](https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/2d2685d469a54a56b886105a06ccdae6.html) | SAP Cloud Identity Services - Identity Provisioning Service. IPS helps to synchronize identities between different stores / target systems. | | [XSUAA](https://blogs.sap.com/2019/01/07/uaa-xsuaa-platform-uaa-cfuaa-what-is-it-all-about/) | Extended Services for Cloud Foundry User Account and Authentication. XSUAA is a multi-tenant OAuth authorization server within the SAP BTP. |-| [CF](https://www.cloudfoundry.org/) | Cloud Foundry. Cloud Foundry is the environment on which SAP built their multi-cloud offering for BTP (AWS, Azure, GCP, Alibaba). | +| [CF](https://www.cloudfoundry.org/) | Cloud Foundry. Cloud Foundry is the environment on which SAP built their multicloud offering for BTP (AWS, Azure, GCP, Alibaba). | | [Fiori](https://www.sap.com/products/fiori.html) | The web-based user experience of SAP (as opposed to the desktop-based experience). | ## Overview Regardless of where the authorization information comes from, it can then be emi ## Next Steps - Learn more about the initial setup in [this tutorial](../saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md)-- Discover additional [SAP integration scenarios with Azure AD](../../sap/workloads/integration-get-started.md#azure-ad) and beyond+- Discover additional [SAP integration scenarios with Azure AD](../../sap/workloads/integration-get-started.md#microsoft-entra-id-formerly-azure-ad) and beyond |
active-directory | Security Defaults | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-defaults.md | description: Get protected from common identity threats using Azure AD security + Last updated 07/31/2023 |
active-directory | What Is Deprecated | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/what-is-deprecated.md | |
active-directory | Whats New Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-archive.md | For more information on how to enable this feature, see: [Cloud Sync directory e **Service category:** Audit **Product capability:** Monitoring & Reporting -This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a Windows 10+ device that is having an issue(s) and suggests remediation steps to resolve the issue(s). Admins can work with end user to collect client-side logs, and then upload them to this troubleshooter in the Entra Portal. For more information, see: [Troubleshooting Windows devices in Azure AD](../devices/troubleshoot-device-windows-joined.md). +This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a Windows 10+ device that is having an issue(s) and suggests remediation steps to resolve the issue(s). Admins can work with end user to collect client-side logs, and then upload them to this troubleshooter in the Microsoft Entra admin center. For more information, see: [Troubleshooting Windows devices in Azure AD](../devices/troubleshoot-device-windows-joined.md). The ability for users to create tenants from the Manage Tenant overview has been **Service category:** My Apps **Product capability:** End User Experiences -We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md). +We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Microsoft Entra admin centers. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md). Customers can now meet their complex audit and recertification requirements thro Currently, users can self-service leave for an organization without the visibility of their IT administrators. Some organizations may want more control over this self-service process. -With this feature, IT administrators can now allow or restrict external identities to leave an organization by Microsoft provided self-service controls via Azure Active Directory in the Microsoft Entra portal. In order to restrict users to leave an organization, customers need to include "Global privacy contact" and "Privacy statement URL" under tenant properties. +With this feature, IT administrators can now allow or restrict external identities to leave an organization by Microsoft provided self-service controls via Azure Active Directory in the Microsoft Entra admin center. In order to restrict users to leave an organization, customers need to include "Global privacy contact" and "Privacy statement URL" under tenant properties. A new policy API is available for the administrators to control tenant wide policy: [externalIdentitiesPolicy resource type](/graph/api/resources/externalidentitiespolicy?view=graph-rest-beta&preserve-view=true) |
active-directory | Whats New Sovereign Clouds | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md | In the **All Devices** settings under the Registered column, you can now select **Service category:** My Apps **Product capability:** End User Experiences -We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md). +We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Microsoft Entra admin centers. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md). |
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md | |
active-directory | Entitlement Management Access Package Approval Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-access-package-approval-policy.md | -Each access package must have one or more access package assignment policies, before a user can be assigned access. When an access package is created in the Entra portal, the Entra portal automatically creates the first access package assignment policy for that access package. The policy determines who can request access, and who if anyone must approve access. +Each access package must have one or more access package assignment policies, before a user can be assigned access. When an access package is created in the Microsoft Entra admin center, the Microsoft Entra admin center automatically creates the first access package assignment policy for that access package. The policy determines who can request access, and who if anyone must approve access. As an access package manager, you can change the approval and requestor information settings for an access package at any time by editing an existing policy or adding a new additional policy for requesting access. |
active-directory | Entitlement Management Custom Teams Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-custom-teams-extension.md | Prerequisite roles: Global administrator, Identity Governance administrator, or To create a Logic App and custom extension in a catalog, you'd follow these steps: -1. Navigate To Entra portal [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement) +1. Navigate To Microsoft Entra admin center [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement) 1. In the left menu, select **Catalogs**. |
active-directory | Entitlement Management External Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-external-users.md | - + Title: Govern access for external users in entitlement management description: Learn about the settings you can specify to govern access for external users in entitlement management. The following diagram and steps provide an overview of how external users are gr 1. If the policy settings include an expiration date, then later when the access package assignment for the external user expires, the external user's access rights from that access package are removed. -1. Depending on the lifecycle of external users settings, when the external user no longer has any access package assignments, the external user is blocked from signing in and the guest user account is removed from your directory. +1. Depending on the lifecycle of external users settings, when the external user no longer has any access package assignments, the external user will be blocked from signing in, and the external user account will be removed from your directory. ## Settings for external users To ensure people outside of your organization can request access packages and ge ### Review your Microsoft 365 group sharing settings -- If you want to include Microsoft 365 groups in your access packages for external users, make sure the **Let users add new guests to the organization** is set to **On** to allow guest access. For more information, see [Manage guest access to Microsoft 365 Groups](/microsoft-365/admin/create-groups/manage-guest-access-in-groups?view=microsoft-365-worldwide#manage-groups-guest-access).+- If you want to include Microsoft 365 groups in your access packages for external users, make sure the **Let users add new guests to the organization** is set to **On** to allow guest access. For more information, see [Manage guest access to Microsoft 365 Groups](/microsoft-365/admin/create-groups/manage-guest-access-in-groups#manage-groups-guest-access). - If you want external users to be able to access the SharePoint Online site and resources associated with a Microsoft 365 group, make sure you turn on SharePoint Online external sharing. For more information, see [Turn external sharing on or off](/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting). To ensure people outside of your organization can request access packages and ge ## Manage the lifecycle of external users -You can select what happens when an external user, who was invited to your directory through making an access package request, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they're blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory. +You can select what happens when an external user, who was invited to your directory through making an access package request, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they're blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory. You can also configure that an external user is not blocked from sign in or deleted, or that an external user is not blocked from sign in but is deleted (preview). **Prerequisite role:** Global administrator, Identity Governance administrator or User administrator You can select what happens when an external user, who was invited to your direc 1. Once an external user loses their last assignment to any access packages, if you want to block them from signing in to this directory, set the **Block external user from signing in to this directory** to **Yes**. > [!NOTE]- > If a user is blocked from signing in to this directory, then the user will be unable to re-request the access package or request additional access in this directory. Do not configure blocking them from signing in if they will subsequently need to request access to other access packages. + > Entitlement management only blocks external guest user accounts from signing in that were invited through entitlement management or that were added to entitlement management for lifecycle management. Also, note that a user will be blocked from signing in even if that user was added to resources in this directory that were not access package assignments. If a user is blocked from signing in to this directory, then the user will be unable to re-request the access package or request additional access in this directory. Do not configure blocking them from signing in if they will subsequently need to request access to this or other access packages. 1. Once an external user loses their last assignment to any access packages, if you want to remove their guest user account in this directory, set **Remove external user** to **Yes**. > [!NOTE]- > Entitlement management only removes accounts that were invited through entitlement management. Also, note that a user will be blocked from signing in and removed from this directory even if that user was added to resources in this directory that were not access package assignments. If the guest was present in this directory prior to receiving access package assignments, they will remain. However, if the guest was invited through an access package assignment, and after being invited was also assigned to a OneDrive for Business or SharePoint Online site, they will still be removed. + > Entitlement management only removes external guest user accounts that were invited through entitlement management or that were added to entitlement management for lifecycle managementh. Also, note that a user will be removed from this directory even if that user was added to resources in this directory that were not access package assignments. If the guest was present in this directory prior to receiving access package assignments, they will remain. However, if the guest was invited through an access package assignment, and after being invited was also assigned to a OneDrive for Business or SharePoint Online site, they will still be removed. -1. If you want to remove the guest user account in this directory, you can set the number of days before it's removed. If you want to remove the guest user account as soon as they lose their last assignment to any access packages, set **Number of days before removing external user from this directory** to **0**. +1. If you want to remove the guest user account in this directory, you can set the number of days before it's removed. While an external user is notified when their access package expires, there is no notification when their account is removed. If you want to remove the guest user account as soon as they lose their last assignment to any access packages, set **Number of days before removing external user from this directory** to **0**. 1. Select **Save**. |
active-directory | Entitlement Management Ticketed Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-ticketed-provisioning.md | To add a Logic App workflow to an existing catalog, you use an ARM template for Provide the Azure subscription, resource group details, along with the Logic App name and the Catalog ID to associate the Logic App with and select purchase. For more information on how to create a new catalog, please follow the steps in this document: [Create and manage a catalog of resources in entitlement management](entitlement-management-catalog-create.md). -1. Navigate To Entra portal [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement) +1. Navigate To Microsoft Entra admin center [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement) 1. In the left menu, select **Catalogs**. After registering your application, you must add a client secret by following th To authorize the created application to call the [MS Graph resume API](/graph/api/accesspackageassignmentrequest-resume) you'd do the following steps: -1. Navigate to the Entra portal [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement) +1. Navigate to the Microsoft Entra admin center [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement) 1. In the left menu, select **Catalogs**. |
active-directory | Tutorial Prepare User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/tutorial-prepare-user-accounts.md | |
active-directory | Understanding Lifecycle Workflows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/understanding-lifecycle-workflows.md | For a detailed guide on setting the execution conditions for a workflow, see: [C While newly created workflows are enabled by default, scheduling is an option that must be enabled manually. To verify whether the workflow is scheduled, you can view the **Scheduled** column. -Once scheduling is enabled, the workflow is evaluated every three hours to determine whether or not it should run based on the execution conditions. +Once scheduling is enabled, the workflow is evaluated based on the interval that is set within your workflow settings(default of three hours) to determine whether or not it should run based on the execution conditions. [![Workflow template schedule.](media/understanding-lifecycle-workflows/workflow-10.png)](media/understanding-lifecycle-workflows/workflow-10.png#lightbox) |
active-directory | Custom Attribute Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/custom-attribute-mapping.md | |
active-directory | How To Inbound Synch Ms Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md | |
active-directory | How To Install | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-install.md | To update an existing agent to use the Group Managed Service Account created dur >[!IMPORTANT] > After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md). -## Enable password writeback in Azure AD Connect cloud sync +++## Enable password writeback in cloud sync ++You can enable password writeback in SSPR directly in the portal or through PowerShell. ++### Enable password writeback in the portal +To use *password writeback* and enable the self-service password reset (SSPR) service to detect the cloud sync agent, using the portal, complete the following steps: ++ 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account. + 2. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**. + 3. Check the option for **Enable password write back for synced users** . + 4. (optional) If Azure AD Connect provisioning agents are detected, you can additionally check the option for **Write back passwords with Azure AD Connect cloud sync**. + 5. Check the option for **Allow users to unlock accounts without resetting their password** to *Yes*. + 6. When ready, select **Save**. ++### Using PowerShell To use *password writeback* and enable the self-service password reset (SSPR) service to detect the cloud sync agent, use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and the tenantΓÇÖs global administrator credentials: |
active-directory | Migrate Azure Ad Connect To Cloud Sync | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/migrate-azure-ad-connect-to-cloud-sync.md | |
active-directory | Reference Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md | |
active-directory | How To Bypassdirsyncoverrides | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-bypassdirsyncoverrides.md | |
active-directory | How To Connect Emergency Ad Fs Certificate Rotation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-emergency-ad-fs-certificate-rotation.md | |
active-directory | How To Connect Fed O365 Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-o365-certs.md | ms.assetid: 543b7dc1-ccc9-407f-85a1-a9944c0ba1be na+ Last updated 01/26/2023 |
active-directory | How To Connect Fed Saml Idp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-saml-idp.md | description: This document describes using a SAML 2.0 compliant Idp for single s -+ na |
active-directory | How To Connect Fed Single Adfs Multitenant Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-single-adfs-multitenant-federation.md | ms.assetid: na+ Last updated 01/26/2023 |
active-directory | How To Connect Install Existing Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-existing-tenant.md | description: This topic describes how to use Connect when you have an existing A + Last updated 01/26/2023 |
active-directory | How To Connect Install Multiple Domains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-multiple-domains.md | ms.assetid: 5595fb2f-2131-4304-8a31-c52559128ea4 na+ Last updated 01/26/2023 |
active-directory | How To Connect Install Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-prerequisites.md | ms.assetid: 91b88fda-bca6-49a8-898f-8d906a661f07 na+ Last updated 05/02/2023 |
active-directory | How To Connect Password Hash Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-password-hash-synchronization.md | |
active-directory | How To Connect Sync Change The Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-change-the-configuration.md | |
active-directory | How To Connect Sync Feature Preferreddatalocation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-feature-preferreddatalocation.md | description: Describes how to put your Microsoft 365 user resources close to the + Last updated 01/26/2023 |
active-directory | How To Connect Syncservice Duplicate Attribute Resiliency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-syncservice-duplicate-attribute-resiliency.md | ms.assetid: 537a92b7-7a84-4c89-88b0-9bce0eacd931 na+ Last updated 01/26/2023 |
active-directory | How To Connect Syncservice Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-syncservice-features.md | ms.assetid: 213aab20-0a61-434a-9545-c4637628da81 na+ Last updated 01/26/2023 |
active-directory | Migrate From Federation To Cloud Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/migrate-from-federation-to-cloud-authentication.md | description: This article has information about moving your hybrid identity envi + Last updated 04/04/2023 |
active-directory | Reference Connect Accounts Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-accounts-permissions.md | |
active-directory | Reference Connect Adsynctools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-adsynctools.md | |
active-directory | Reference Connect Version History Archive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history-archive.md | Last updated 01/19/2023 -+ # Azure AD Connect: Version release history archive |
active-directory | Reference Connect Version History | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history.md | To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to - We have enabled Auto Upgrade for tenants with custom synchronization rules. Note that deleted (not disabled) default rules will be re-created and enabled upon Auto Upgrade. - We have added Microsoft Azure AD Connect Agent Updater service to the install. This new service will be used for future auto upgrades. - We have removed the Synchronization Service WebService Connector Config program from the install.+ - Default sync rule ΓÇ£In from AD ΓÇô User CommonΓÇ¥ was updated to flow the employeeType attribute. ### Bug Fixes - We have made improvements to accessibility. |
active-directory | Tshoot Connect Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-connectivity.md | |
active-directory | Tshoot Connect Object Not Syncing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-object-not-syncing.md | ms.assetid: na+ Last updated 01/19/2023 |
active-directory | Tshoot Connect Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-sso.md | |
active-directory | Tshoot Connect Sync Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-sync-errors.md | |
active-directory | Verify Sync Tool Version | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/verify-sync-tool-version.md | + + Title: 'Verify your version of cloud sync or connect sync' +description: This article describes the steps to verify the version of the provisioning agent or connect sync. ++documentationcenter: '' +++editor: '' +++ na + Last updated : 08/17/2023++++++# Verify your version of the provisioning agent or connect sync +This article describes the steps to verify the installed version of the provisioning agent and connect sync. ++## Verify the provisioning agent +To see what version of the provisioning agent your using, use the following steps: +++## Verfiy connect sync +To see what version of connect sync your using, use the following steps: ++### On the local server ++To verify that the agent is running, follow these steps: ++ 1. Sign in to the server with an administrator account. + 2. Open **Services** either by navigating to it or by going to *Start/Run/Services.msc*. + 3. Under **Services**, make sure that **Microsoft Azure AD Sync** is present and the status is **Running**. +++### Verify the connect sync version ++To verify that the version of the agent running, follow these steps: ++1. Navigate to 'C:\Program Files\Microsoft Azure AD Connect' +2. Right-click on **AzureADConnect.exe** and select **properties**. +3. Click the **details** tab and the version number ID next to the Product version. ++## Next steps +- [Common scenarios](common-scenarios.md) +- [Choosing the right sync tool](https://setup.microsoft.com/azure/add-or-sync-users-to-azure-ad) +- [Steps to start](get-started.md) +- [Prerequisites](prerequisites.md) |
active-directory | Concept Workload Identity Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/concept-workload-identity-risk.md | To make use of workload identity risk, including the new **Risky workload identi - Workload Identities Premium licensing: You can view and acquire licenses on the [Workload Identities blade](https://portal.azure.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) in the Azure portal. - One of the following administrator roles assigned- - Global Administrator - Security Administrator - Security Operator - Security Reader Users assigned the Conditional Access administrator role can create policies that use risk as a condition.+ - Global Administrator ## Workload identity risk detections We detect risk on workload identities across sign-in behavior and offline indica Organizations can find workload identities that have been flagged for risk in one of two locations: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Reader](../roles/permissions-reference.md#security-reader). 1. Browse to **Azure Active Directory** > **Security** > **Risky workload identities**. 1. Or browse to **Azure Active Directory** > **Security** > **Risk detections**. 1. Select the **Workload identity detections** tab.' For improved security and resilience of your workload identities, Continuous Acc ## Investigate risky workload identities -Identity Protection provides organizations with two reports they can use to investigate workload identity risk. These reports are the risky workload identities, and risk detections for workload identities. All reports allow for downloading of events in .CSV format for further analysis outside of the Azure portal. +Identity Protection provides organizations with two reports they can use to investigate workload identity risk. These reports are the risky workload identities, and risk detections for workload identities. All reports allow for downloading of events in .CSV format for further analysis. Some of the key questions to answer during your investigation include: The [Azure Active Directory security operations guide for Applications](../archi Once you determine if the workload identity was compromised, dismiss the accountΓÇÖs risk, or confirm the account as compromised in the Risky workload identities report. You can also select ΓÇ£Disable service principalΓÇ¥ if you want to block the account from further sign-ins. ## Remediate risky workload identities |
active-directory | Howto Identity Protection Configure Mfa Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md | For more information on Azure AD multifactor authentication, see [What is Azure [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator) 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **MFA registration policy**. 1. Under **Assignments** > **Users** 1. Under **Include**, select **All users** or **Select individuals and groups** if limiting your rollout. |
active-directory | Howto Identity Protection Configure Risk Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md | Before organizations enable remediation policies, they may want to [investigate] ### User risk policy in Conditional Access -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. After confirming your settings using [report-only mode](../conditional-access/ho ### Sign-in risk policy in Conditional Access -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
active-directory | Howto Identity Protection Remediate Unblock | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md | Administrators are given two options when resetting a password for their users: If after investigation and confirming that the user account isn't at risk of being compromised, then you can choose to dismiss the risky user. -To **Dismiss user risk**, search for and select **Azure AD Risky users** in the Azure portal or the Entra portal, select the affected user, and select **Dismiss user(s) risk**. +To **Dismiss user risk**, search for and select **Azure AD Risky users** in the Azure portal or the Microsoft Entra admin center, select the affected user, and select **Dismiss user(s) risk**. When you select **Dismiss user risk**, the user is no longer at risk, and all the risky sign-ins of this user and corresponding risk detections are dismissed as well. |
active-directory | Howto Identity Protection Simulate Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-simulate-risk.md | Simulating the atypical travel condition is difficult because the algorithm uses **To simulate an atypical travel risk detection, perform the following steps**: 1. Using your standard browser, navigate to [https://myapps.microsoft.com](https://myapps.microsoft.com). -2. Enter the credentials of the account you want to generate an atypical travel risk detection for. -3. Change your user agent. You can change user agent in Microsoft Edge from Developer Tools (F12). -4. Change your IP address. You can change your IP address by using a VPN, a Tor add-on, or creating a new virtual machine in Azure in a different data center. -5. Sign-in to [https://myapps.microsoft.com](https://myapps.microsoft.com) using the same credentials as before and within a few minutes after the previous sign-in. +1. Enter the credentials of the account you want to generate an atypical travel risk detection for. +1. Change your user agent. You can change user agent in Microsoft Edge from Developer Tools (F12). +1. Change your IP address. You can change your IP address by using a VPN, a Tor add-on, or creating a new virtual machine in Azure in a different data center. +1. Sign-in to [https://myapps.microsoft.com](https://myapps.microsoft.com) using the same credentials as before and within a few minutes after the previous sign-in. The sign-in shows up in the Identity Protection dashboard within 2-4 hours. The sign-in shows up in the Identity Protection dashboard within 2-4 hours. This risk detection indicates that the application's valid credentials have been leaked. This leak can occur when someone checks in the credentials in a public code artifact on GitHub. Therefore, to simulate this detection, you need a GitHub account and can [sign up a GitHub account](https://docs.github.com/get-started/signing-up-for-github) if you don't have one already. -**To simulate Leaked Credentials in GitHub for Workload Identities, perform the following steps**: -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Browse to **Azure Active Directory** > **App registrations**. -3. Select **New registration** to register a new application or reuse an existing stale application. -4. Select **Certificates & Secrets** > **New client Secret** , add a description of your client secret and set an expiration for the secret or specify a custom lifetime and select **Add**. Record the secret's value for later use for your GitHub Commit. +### Simulate Leaked Credentials in GitHub for Workload Identities ++1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator). +1. Browse to **Azure Active Directory** > **App registrations**. +1. Select **New registration** to register a new application or reuse an existing stale application. +1. Select **Certificates & Secrets** > **New client Secret** , add a description of your client secret and set an expiration for the secret or specify a custom lifetime and select **Add**. Record the secret's value for later use for your GitHub Commit. > [!Note] > **You can not retrieve the secret again after you leave this page**. -5. Get the TenantID and Application(Client)ID in the **Overview** page. -6. Ensure you disable the application via **Azure Active Directory** > **Enterprise Application** > **Properties** > Set **Enabled for users to sign-in** to **No**. -7. Create a **public** GitHub Repository, add the following config and commit the change as a file with the .txt extension. +1. Get the TenantID and Application(Client)ID in the **Overview** page. +1. Ensure you disable the application via **Azure Active Directory** > **Enterprise Application** > **Properties** > Set **Enabled for users to sign-in** to **No**. +1. Create a **public** GitHub Repository, add the following config and commit the change as a file with the .txt extension. ```GitHub file "AadClientId": "XXXX-2dd4-4645-98c2-960cf76a4357", "AadSecret": "p3n7Q~XXXX", "AadTenantDomain": "XXXX.onmicrosoft.com", "AadTenantId": "99d4947b-XXX-XXXX-9ace-abceab54bcd4", ```-7. In about 8 hours, you'll be able to view a leaked credential detection under **Azure Active Directory** > **Security** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit. +1. In about 8 hours, you'll be able to view a leaked credential detection under **Azure Active Directory** > **Security** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit. ## Testing risk policies This section provides you with steps for testing the user and the sign-in risk p To test a user risk security policy, perform the following steps: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **Overview**. 1. Select **Configure user risk policy**. 1. Under **Assignments** To test a user risk security policy, perform the following steps: To test a sign-in risk policy, perform the following steps: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Azure portal](https://portal.azure.com) as at least a [Security Administrator](../roles/permissions-reference.md#security-administrator). 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **Overview**. 1. Select **Configure sign-in risk policy**. 1. Under **Assignments** |
active-directory | App Management Powershell Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/app-management-powershell-samples.md | |
active-directory | Assign User Or Group Access Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/assign-user-or-group-access-portal.md | |
active-directory | Configure Authentication For Federated Users Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md | |
active-directory | Configure Permission Classifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-permission-classifications.md | |
active-directory | Configure Risk Based Step Up Consent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-risk-based-step-up-consent.md | |
active-directory | Configure User Consent Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/configure-user-consent-groups.md | |
active-directory | Delete Application Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/delete-application-portal.md | Last updated 06/21/2023 zone_pivot_groups: enterprise-apps-all-+ #Customer intent: As an administrator of an Azure AD tenant, I want to delete an enterprise application. |
active-directory | Disable User Sign In Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/disable-user-sign-in-portal.md | |
active-directory | Hide Application From User Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/hide-application-from-user-portal.md | |
active-directory | Home Realm Discovery Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/home-realm-discovery-policy.md | |
active-directory | Howto Saml Token Encryption | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/howto-saml-token-encryption.md | Last updated 06/15/2023 -+ # Configure Azure Active Directory SAML token encryption |
active-directory | Manage Application Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-application-permissions.md | |
active-directory | Migrate Adfs Application Activity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-application-activity.md | -The AD FS application activity report in the [Entra portal](https://entra.microsoft.com) lets you quickly identify which of your applications are capable of being migrated to Azure AD. It assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and gives guidance on preparing individual applications for migration. With the AD FS application activity report, you can: +The AD FS application activity report in the [Microsoft Entra admin center](https://entra.microsoft.com) lets you quickly identify which of your applications are capable of being migrated to Azure AD. It assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and gives guidance on preparing individual applications for migration. With the AD FS application activity report, you can: * **Discover AD FS applications and scope your migration.** The AD FS application activity report lists all AD FS applications in your organization that have had an active user login in the last 30 days. The report indicates an apps readiness for migration to Azure AD. The report doesn't display Microsoft related relying parties in AD FS such as Office 365. For example, relying parties with name 'urn:federation:MicrosoftOnline'. The AD FS application activity data is available to users who are assigned any o ## Discover AD FS applications that can be migrated -The AD FS application activity report is available in the [Entra portal](https://entra.microsoft.com) under Azure AD **Usage & insights** reporting. The AD FS application activity report analyzes each AD FS application to determine if it can be migrated as-is, or if additional review is needed. +The AD FS application activity report is available in the [Microsoft Entra admin center](https://entra.microsoft.com) under Azure AD **Usage & insights** reporting. The AD FS application activity report analyzes each AD FS application to determine if it can be migrated as-is, or if additional review is needed. -1. Sign in to the [Entra portal](https://entra.microsoft.com) with an admin role that has access to AD FS application activity data (global administrator, reports reader, security reader, application administrator, or cloud application administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with an admin role that has access to AD FS application activity data (global administrator, reports reader, security reader, application administrator, or cloud application administrator). 2. Select **Azure Active Directory**, and then select **Enterprise applications**. |
active-directory | Migrate Adfs Apps Stages | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-apps-stages.md | Update the configuration of your production app to point to your production Azur Your line-of-business apps are those that your organization developed or those that are a standard packaged product. -Line-of-business apps that use OAuth 2.0, OpenID Connect, or WS-Federation can be integrated with Azure AD as [app registrations](../develop/quickstart-register-app.md). Integrate custom apps that use SAML 2.0 or WS-Federation as [non-gallery applications](add-application-portal.md) on the enterprise applications page in the [Entra portal](https://entra.microsoft.com/#home). +Line-of-business apps that use OAuth 2.0, OpenID Connect, or WS-Federation can be integrated with Azure AD as [app registrations](../develop/quickstart-register-app.md). Integrate custom apps that use SAML 2.0 or WS-Federation as [non-gallery applications](add-application-portal.md) on the enterprise applications page in the [Microsoft Entra admin center](https://entra.microsoft.com/#home). ## Next steps |
active-directory | Migrate Adfs Represent Security Policies | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-represent-security-policies.md | Explicit group authorization in AD FS: To map this rule to Azure AD: -1. In the [Entra portal](https://entra.microsoft.com/#home), [create a user group](../fundamentals/how-to-manage-groups.md) that corresponds to the group of users from AD FS. +1. In the [Microsoft Entra admin center](https://entra.microsoft.com/#home), [create a user group](../fundamentals/how-to-manage-groups.md) that corresponds to the group of users from AD FS. 1. Assign app permissions to the group: :::image type="content" source="media/migrate-adfs-represent-security-policies/allow-a-group-explicitly-2.png" alt-text="Screenshot shows how to add a user assignment to the app."::: Explicit user authorization in AD FS: To map this rule to Azure AD: -* In the [Entra portal](https://entra.microsoft.com/#home), add a user to the app through the Add Assignment tab of the app as shown below: +* In the [Microsoft Entra admin center](https://entra.microsoft.com/#home), add a user to the app through the Add Assignment tab of the app as shown below: :::image type="content" source="media/migrate-adfs-represent-security-policies/authorize-a-specific-user-2.png" alt-text="Screenshot shows My SaaS apps in Azure."::: The following are examples of types of MFA rules in AD FS, and how you can map t MFA rule settings in AD FS: ### Example 1: Enforce MFA based on users/groups Emit attributes as Claims rule in AD FS: To map the rule to Azure AD: -1. In the [Entra portal](https://entra.microsoft.com/#home), select **Enterprise Applications** and then **Single sign-on** to view the SAML-based sign-on configuration: +1. In the [Microsoft Entra admin center](https://entra.microsoft.com/#home), select **Enterprise Applications** and then **Single sign-on** to view the SAML-based sign-on configuration: :::image type="content" source="media/migrate-adfs-represent-security-policies/map-emit-attributes-as-claims-rule-2.png" alt-text="Screenshot shows the Single sign-on page for your Enterprise Application."::: In this table, we've listed some useful Permit and Except options and how they m | From Devices with Specific Trust Level| Set this from the **Device State** control under Assignments -> Conditions| Use the **Exclude** option under Device State Condition and Include **All devices** | | With Specific Claims in the Request| This setting can't be migrated| This setting can't be migrated | -Here's an example of how to configure the Exclude option for trusted locations in the Entra portal: +Here's an example of how to configure the Exclude option for trusted locations in the Microsoft Entra admin center: :::image type="content" source="media/migrate-adfs-represent-security-policies/map-built-in-access-control-policies-3.png" alt-text="Screenshot of mapping access control policies."::: Your existing external users can be set up in these two ways in AD FS: As you progress with your migration, you can take advantage of the benefits that [Azure AD B2B](../external-identities/what-is-b2b.md) offers by migrating these users to use their own corporate identity when such an identity is available. This streamlines the process of signing in for those users, as they're often signed in with their own corporate sign-in. Your organization's administration is easier as well, by not having to manage accounts for external users. - **Federated external Identities**ΓÇöIf you're currently federating with an external organization, you have a few approaches to take:- - [Add Azure Active Directory B2B collaboration users in the Entra portal](../external-identities/add-users-administrator.md). You can proactively send B2B collaboration invitations from the Azure AD administrative portal to the partner organization for individual members to continue using the apps and assets they're used to. + - [Add Azure Active Directory B2B collaboration users in the Microsoft Entra admin center](../external-identities/add-users-administrator.md). You can proactively send B2B collaboration invitations from the Azure AD administrative portal to the partner organization for individual members to continue using the apps and assets they're used to. - [Create a self-service B2B sign-up workflow](../external-identities/self-service-portal.md) that generates a request for individual users at your partner organization using the B2B invitation API. No matter how your existing external users are configured, they likely have permissions that are associated with their account, either in group membership or specific permissions. Evaluate whether these permissions need to be migrated or cleaned up. |
active-directory | Migrate Adfs Saml Based Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-saml-based-sso.md | Apps that you can move easily today include SAML 2.0 apps that use the standard The following require more configuration steps to migrate to Azure AD: * Custom authorization or multi-factor authentication (MFA) rules in AD FS. You configure them using the [Azure AD Conditional Access](../conditional-access/overview.md) feature.-* Apps with multiple Reply URL endpoints. You configure them in Azure AD using PowerShell or the Entra portal interface. +* Apps with multiple Reply URL endpoints. You configure them in Azure AD using PowerShell or the Microsoft Entra admin center interface. * WS-Federation apps such as SharePoint apps that require SAML version 1.1 tokens. You can configure them manually using PowerShell. You can also add a preintegrated generic template for SharePoint and SAML 1.1 applications from the gallery. We support the SAML 2.0 protocol. * Complex claims issuance transforms rules. For information about supported claims mappings, see: * [Claims mapping in Azure Active Directory](../develop/saml-claims-customization.md). Migration requires assessing how the application is configured on-premises, and The following table describes some of the most common mapping of settings between an AD FS Relying Party Trust to Azure AD Enterprise Application: * AD FSΓÇöFind the setting in the AD FS Relying Party Trust for the app. Right-click the relying party and select Properties.-* Azure ADΓÇöThe setting is configured within [Entra portal](https://entra.microsoft.com/#home) in each application's SSO properties. +* Azure ADΓÇöThe setting is configured within [Microsoft Entra admin center](https://entra.microsoft.com/#home) in each application's SSO properties. | Configuration setting| AD FS| How to configure in Azure AD| SAML Token | | - | - | - | - | The following table describes some of the most common mapping of settings betwee Configure your applications to point to Azure AD versus AD FS for SSO. Here, we're focusing on SaaS apps that use the SAML protocol. However, this concept extends to custom line-of-business apps as well. > [!NOTE]-> The configuration values for Azure AD follows the pattern where your Azure Tenant ID replaces {tenant-id} and the Application ID replaces {application-id}. You find this information in the [Entra portal](https://entra.microsoft.com/#home) under **Azure Active Directory > Properties**: +> The configuration values for Azure AD follows the pattern where your Azure Tenant ID replaces {tenant-id} and the Application ID replaces {application-id}. You find this information in the [Microsoft Entra admin center](https://entra.microsoft.com/#home) under **Azure Active Directory > Properties**: * Select Directory ID to see your Tenant ID. * Select Application ID to see your Application ID. SaaS apps need to know where to send authentication requests and how to validate | - | - | - | | **IdP Sign-on URL** <p>Sign-on URL of the IdP from the app's perspective (where the user is redirected for sign-in).| The AD FS sign-on URL is the AD FS federation service name followed by "/adfs/ls/." <p>For example: `https://fs.contoso.com/adfs/ls/`| Replace {tenant-id} with your tenant ID. <p> ΓÇÄFor apps that use the SAML-P protocol: [https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) <p>ΓÇÄFor apps that use the WS-Federation protocol: [https://login.microsoftonline.com/{tenant-id}/wsfed](https://login.microsoftonline.com/{tenant-id}/wsfed) | | **IdP sign-out URL**<p>Sign-out URL of the IdP from the app's perspective (where the user is redirected when they choose to sign out of the app).| The sign-out URL is either the same as the sign-on URL, or the same URL with "wa=wsignout1.0" appended. For example: `https://fs.contoso.com/adfs/ls/?wa=wsignout1.0`| Replace {tenant-id} with your tenant ID.<p>For apps that use the SAML-P protocol:<p>[https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) <p> ΓÇÄFor apps that use the WS-Federation protocol: [https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0](https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0) |-| **Token signing certificate**<p>The IdP uses the private key of the certificate to sign issued tokens. It verifies that the token came from the same IdP that the app is configured to trust.| Find the AD FS token signing certificate in AD FS Management under **Certificates**.| Find it in the Entra portal in the application's **Single sign-on properties** under the header **SAML Signing Certificate**. There, you can download the certificate for upload to the app. <p>ΓÇÄIf the application has more than one certificate, you can find all certificates in the federation metadata XML file. | +| **Token signing certificate**<p>The IdP uses the private key of the certificate to sign issued tokens. It verifies that the token came from the same IdP that the app is configured to trust.| Find the AD FS token signing certificate in AD FS Management under **Certificates**.| Find it in the Microsoft Entra admin center in the application's **Single sign-on properties** under the header **SAML Signing Certificate**. There, you can download the certificate for upload to the app. <p>ΓÇÄIf the application has more than one certificate, you can find all certificates in the federation metadata XML file. | | **Identifier/ "issuer"**<p>Identifier of the IdP from the app's perspective (sometimes called the "issuer ID").<p>ΓÇÄIn the SAML token, the value appears as the Issuer element.| The identifier for AD FS is usually the federation service identifier in AD FS Management under **Service > Edit Federation Service Properties**. For example: `http://fs.contoso.com/adfs/services/trust`| Replace {tenant-id} with your tenant ID.<p>https:\//sts.windows.net/{tenant-id}/ | | **IdP federation metadata**<p>Location of the IdP's publicly available federation metadata. (Some apps use federation metadata as an alternative to the administrator configuring URLs, identifier, and token signing certificate individually.)| Find the AD FS federation metadata URL in AD FS Management under **Service > Endpoints > Metadata > Type: Federation Metadata**. For example: `https://fs.contoso.com/FederationMetadat). | |
active-directory | Migrate Okta Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-federation.md | |
active-directory | Migrate Okta Sync Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sync-provisioning.md | |
active-directory | Prevent Domain Hints With Home Realm Discovery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/prevent-domain-hints-with-home-realm-discovery.md | Last updated 03/16/2023 zone_pivot_groups: home-realm-discovery--+ #customer intent: As an admin, I want to disable auto-acceleration to federated IDP during sign in using Home Realm Discovery policy # Disable auto-acceleration sign-in |
active-directory | Restore Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/restore-application.md | |
active-directory | Powershell Export Apps With Secrets Beyond Required | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/scripts/powershell-export-apps-with-secrets-beyond-required.md | |
active-directory | How To Assign App Role Managed Identity Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md | |
active-directory | Qs Configure Powershell Windows Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md | |
active-directory | Concept Pim For Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/concept-pim-for-groups.md | One group can be an eligible member of another group, even if one of those group If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation will be only for the user that requested the activation for, it does not mean that the entire Group A becomes an active member of Group B. +## Privileged Identity Management and app provisioning (Public Preview) ++If the group is configured for [app provisioning](../app-provisioning/index.yml), activation of group membership will trigger provisioning of group membership (and user account itself if it wasnΓÇÖt provisioned previously) to the application using SCIM protocol. ++In Public Preview we have a functionality that triggers provisioning right after group membership is activated in PIM. +Provisioning configuration depends on the application. Generally, we recommend having at least two groups assigned to the application. Depending on the number of roles in your application, you may choose to define additional ΓÇ£privileged groups.ΓÇ¥: +++|Group|Purpose|Members|Group membership|Role assigned in the application| +|--|--|--|--|--| +|All users group|Ensure that all users that need access to the application are constantly provisioned to the application.|All users that need to access application.|Active|None, or low-privileged role| +|Privileged group|Provide just-in-time access to privileged role in the application.|Users that need to have just-in-time access to privileged role in the application.|Eligible|Privileged role| + ## Next steps - [Bring groups into Privileged Identity Management](groups-discover-groups.md) |
active-directory | Pim Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/pim-roles.md | We support all Microsoft 365 roles in the Azure AD Roles and Administrators port > [!NOTE] > - Eligible users for the SharePoint administrator role, the Device administrator role, and any roles trying to access the Microsoft Security & Compliance Center might experience delays of up to a few hours after activating their role. We are working with those teams to fix the issues.-> - For information about delays activating the Azure AD Joined Device Local Administrator role, see [How to manage the local administrators group on Azure AD joined devices](../devices/assign-local-admin.md#manage-the-device-administrator-role). +> - For information about delays activating the Azure AD Joined Device Local Administrator role, see [How to manage the local administrators group on Azure AD joined devices](../devices/assign-local-admin.md#manage-the-azure-ad-joined-device-local-administrator-role). ## Next steps |
active-directory | Concept Diagnostic Settings Logs Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-diagnostic-settings-logs-options.md | ++ + Title: Logs available for streaming to endpoints from Azure Active Directory +description: Learn about the Azure Active Directory logs available for streaming to an endpoint for storage, analysis, or monitoring. +++++++ Last updated : 08/09/2023++++++# Learn about the identity logs you can stream to an endpoint ++Using Diagnostic settings in Azure Active Directory (Azure AD), you can route activity logs to several endpoints for long term retention and data insights. You select the logs you want to route, then select the endpoint. ++This article describes the logs that you can route to an endpoint from Azure AD Diagnostic settings. ++## Prerequisites ++Setting up an endpoint, such as an event hub or storage account, may require different roles and licenses. To create or edit a new Diagnostic setting, you need a user who's a **Security Administrator** or **Global Administrator** for the Azure AD tenant. ++To help decide which log routing option is best for you, see [How to access activity logs](howto-access-activity-logs.md). The overall process and requirements for each endpoint type are covered in the following articles. ++- [Send logs to a Log Analytics workspace to integrate with Azure Monitor logs](howto-integrate-activity-logs-with-azure-monitor-logs.md) +- [Archive logs to a storage account](howto-archive-logs-to-storage-account.md) +- [Stream logs to an event hub](howto-stream-logs-to-event-hub.md) +- [Send to a partner solution](../../partner-solutions/overview.md) ++## Activity log options ++The following logs can be sent to an endpoint. Some logs may be in public preview but still visible in the portal. ++### Audit logs ++The `AuditLogs` report capture changes to applications, groups, users, and licenses in your Azure AD tenant. Once you've routed your audit logs, you can filter or analyze by date/time, the service that logged the event, and who made the change. For more information, see [Audit logs](concept-audit-logs.md). ++### Sign-in logs ++The `SignInLogs` send the interactive sign-in logs, which are logs generated by your users signing in. Sign-in logs are generated by users providing their username and password on an Azure AD sign-in screen or passing an MFA challenge. For more information, see [Interactive user sign-ins](concept-all-sign-ins.md#interactive-user-sign-ins). ++### Non-interactive sign-in logs ++The `NonInteractiveUserSIgnInLogs` are sign-ins done on behalf of a user, such as by a client app. The device or client uses a token or code to authenticate or access a resource on behalf of a user. For more information, see [Non-interactive user sign-ins](concept-all-sign-ins.md#non-interactive-user-sign-ins). ++### Service principal sign-in logs ++If you need to review sign-in activity for apps or service principals, the `ServicePrincipalSignInLogs` may be a good option. In these scenarios, certificates or client secrets are used for authentication. For more information, see [Service principal sign-ins](concept-all-sign-ins.md#service-principal-sign-ins). ++### Managed identity sign-in logs ++The `ManagedIdentitySignInLogs` provide similar insights as the service principal sign-in logs, but for managed identities, where Azure manages the secrets. For more information, see [Managed identity sign-ins](concept-all-sign-ins.md#managed-identity-for-azure-resources-sign-ins). ++### Provisioning logs ++If your organization provisions users through a third-party application such as Workday or ServiceNow, you may want to export the `ProvisioningLogs` reports. For more information, see [Provisioning logs](concept-provisioning-logs.md). ++### AD FS sign-in logs ++Sign-in activity for Active Directory Federated Services (AD FS) applications are captured in this Usage and insight reports. You can export the `ADFSSignInLogs` report to monitor sign-in activity for AD FS applications. For more information, see [AD FS sign-in logs](concept-usage-insights-report.md#ad-fs-application-activity). ++### Risky users ++The `RiskyUsers` logs identify users who are at risk based on their sign-in activity. This report is part of Azure AD Identity Protection and uses sign-in data from Azure AD. For more information, see [What is Azure AD Identity Protection?](../identity-protection/overview-identity-protection.md). ++### User risk events ++The `UserRiskEvents` logs are part of Azure AD Identity Protection. These logs capture details about risky sign-in events. For more information, see [How to investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins). ++### Risky service principals ++The `RiskyServicePrincipals` logs provide information about service principals that Azure AD Identity Protection detected as risky. Service principal risk represents the probability that an identity or account is compromised. These risks are calculated asynchronously using data and patterns from Microsoft's internal and external threat intelligence sources. These sources may include security researchers, law enforcement professionals, and security teams at Microsoft. For more information, see [Securing workload identities](../identity-protection/concept-workload-identity-risk.md) ++### Service principal risk events ++The `ServicePrincipalRiskEvents` logs provide details around the risky sign-in events for service principals. These logs may include any identified suspicious events related to the service principal accounts. For more information, see [Securing workload identities](../identity-protection/concept-workload-identity-risk.md) ++### Enriched Microsoft 365 audit logs ++The `EnrichedOffice365AuditLogs` logs are associated with the enriched logs you can enable for Microsoft Entra Internet Access. Selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet to secure access to your Microsoft 365 traffic *and* you enabled the enriched logs. For more information, see [How to use the Global Secure Access enriched Microsoft 365 logs](../../global-secure-access/how-to-view-enriched-logs.md). ++### Microsoft Graph activity logs ++The `MicrosoftGraphActivityLogs` logs are associated with a feature that is still in preview. The logs are visible in Azure AD, but selecting these options won't add new logs to your workspace unless your organization was included in the preview. ++### Network access traffic logs ++The `NetworkAccessTrafficLogs` logs are associated with Microsoft Entra Internet Access and Microsoft Entra Private Access. The logs are visible in Azure AD, but selecting this option doesn't add new logs to your workspace unless your organization is using Microsoft Entra Internet Access and Microsoft Entra Private Access to secure access to your corporate resources. For more information, see [What is Global Secure Access?](../../global-secure-access/overview-what-is-global-secure-access.md). ++## Next steps ++- [Learn about the sign-ins logs](concept-all-sign-ins.md) +- [Explore how to access the activity logs](howto-access-activity-logs.md) |
active-directory | Concept Log Monitoring Integration Options Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-log-monitoring-integration-options-considerations.md | + + Title: Azure Active Directory activity log integration options and considerations +description: Introduction to the options and considerations for integrating Azure Active Directory activity logs with storage and analysis tools. +++++++ Last updated : 08/09/2023++++# Azure AD activity log integrations ++Using **Diagnostic settings** in Azure Active Directory (Azure AD), you can route activity logs to several endpoints for long term data retention and insights. You can archive logs for storage, route to Security Information and Event Management (SIEM) tools, and integrate logs with Azure Monitor logs. ++With these integrations, you can enable rich visualizations, monitoring, and alerting on the connected data. This article describes the recommended uses for each integration type or access method. Cost considerations for sending Azure AD activity logs to various endpoints are also covered. ++## Supported reports ++The following logs can be integrated with one of many endpoints: ++* The [**audit logs activity report**](concept-audit-logs.md) gives you access to the history of every task that's performed in your tenant. +* With the [**sign-in activity report**](concept-sign-ins.md), you can see when users attempt to sign in to your applications or troubleshoot sign-in errors. +* With the [**provisioning logs**](../app-provisioning/application-provisioning-log-analytics.md), you can monitor which users have been created, updated, and deleted in all your third-party applications. +* The [**risky users logs**](../identity-protection/howto-identity-protection-investigate-risk.md#risky-users) helps you monitor changes in user risk level and remediation activity. +* With the [**risk detections logs**](../identity-protection/howto-identity-protection-investigate-risk.md#risk-detections), you can monitor user's risk detections and analyze trends in risk activity detected in your organization. ++## Integration options ++To help choose the right method for integrating Azure AD activity logs for storage or analysis, think about the overall task you're trying to accomplish. We've grouped the options into three main categories: ++- Troubleshooting +- Long-term storage +- Analysis and monitoring ++### Troubleshooting ++If you're performing troubleshooting tasks but you don't need to retain the logs for more than 30 days, we recommend using the Azure portal or Microsoft Graph to access activity logs. You can filter the logs for your scenario and export or download them as needed. ++If you're performing troubleshooting tasks *and* you need to retain the logs for more than 30 days, take a look at the long-term storage options. ++### Long-term storage ++If you're performing troubleshooting tasks *and* you need to retain the logs for more than 30 days, you can export your logs to an Azure storage account. This option is ideal of you don't plan on querying that data often. ++If you need to query the data that you're retaining for more than 30 days, take a look at the analysis and monitoring options. ++### Analysis and monitoring ++If your scenario requires that you retain data for more than 30 days *and* you plan on querying that data regularly, you've got a few options to integrate your data with SIEM tools for analysis and monitoring. ++If you have a third party SIEM tool, we recommend setting up an Event Hubs namespace and event hub that you can stream your data through. With an event hub, you can stream logs to one of the supported SIEM tools. ++If you don't plan on using a third-party SIEM tool, we recommend sending your Azure AD activity logs to Azure Monitor logs. With this integration, you can query your activity logs with Log Analytics. In Addition to Azure Monitor logs, Microsoft Sentinel provides near real-time security detection and threat hunting. If you decide to integrate with SIEM tools later, you can stream your Azure AD activity logs along with your other Azure data through an event hub. ++## Cost considerations ++There's a cost for sending data to a Log Analytics workspace, archiving data in a storage account, or streaming logs to an event hub. The amount of data and the cost incurred can vary significantly depending on the tenant size, the number of policies in use, and even the time of day. ++Because the size and cost for sending logs to an endpoint is difficult to predict, the most accurate way to determine your expected costs is to route your logs to an endpoint for day or two. With this snapshot, you can get an accurate prediction for your expected costs. You can also get an estimate of your costs by downloading a sample of your logs and multiplying accordingly to get an estimate for one day. ++Other considerations for sending Azure AD logs to Azure Monitor logs are covered in the following Azure Monitor cost details articles: ++- [Azure Monitor logs cost calculations and options](../../azure-monitor/logs/cost-logs.md) +- [Azure Monitor cost and usage](../../azure-monitor/usage-estimated-costs.md) +- [Optimize costs in Azure Monitor](../../azure-monitor/best-practices-cost.md) ++Azure Monitor provides the option to exclude whole events, fields, or parts of fields when ingesting logs from Azure AD. Learn more about this cost saving feature in [Data collection transformation in Azure Monitor](../../azure-monitor/essentials/data-collection-transformations.md). ++## Estimate your costs ++To estimate the costs for your organization, you can estimate either the daily log size or the daily cost for integrating your logs with an endpoint. ++The following factors could affect costs for your organization: ++- Audit log events use around 2 KB of data storage +- Sign-in log events use on average 11.5 KB of data storage +- A tenant of about 100,000 users could incur about 1.5 million events per day +- Events are batched into about 5-minute intervals and sent as a single message that contains all the events within that time frame ++### Daily log size ++To estimate the daily log size, gather a sample of your logs, adjust the sample to reflect your tenant size and settings, then apply that sample to the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/). ++If you haven't downloaded logs from the Azure portal, review the [How to download logs in Azure AD](howto-download-logs.md) article. Depending on the size of your organization, you may need to choose a different sample size to start your estimation. The following sample sizes are a good place to start: ++- 1000 records +- For large tenants, 15 minutes of sign-ins +- For small to medium tenants, 1 hour of sign-ins ++You should also consider the geographic distribution and peak hours of your users when you capture your data sample. If your organization is based in one region, it's likely that sign-ins peak around the same time. Adjust your sample size and when you capture the sample accordingly. ++With the data sample captured, multiply accordingly to find out how large the file would be for one day. ++### Estimate the daily cost ++To get an idea of how much a log integration could cost for your organization, you can enable an integration for a day or two. Use this option if your budget allows for the temporary increase. ++To enable a log integration, follow the steps in the [Integrate activity logs with Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md) article. If possible, create a new resource group for the logs and endpoint you want to try out. Having a devoted resource group makes it easy to view the cost analysis and then delete it when you're done. ++With the integration enabled, navigate to **Azure portal** > **Cost Management** > **Cost analysis**. There are several ways to analyze costs. This [Cost Management quickstart](../../cost-management-billing/costs/quick-acm-cost-analysis.md) should help you get started. The figures in the following screenshot are used for example purposes and are not intended to reflect actual amounts. ++![Screenshot of a cost analysis breakdown as a pie chart.](media/concept-activity-logs-azure-monitor/cost-analysis-breakdown.png) ++Make sure you're using your new resource group as the scope. Explore the daily costs and forecasts to get an idea of how much your log integration could cost. ++## Calculate estimated costs ++From the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/) landing page, you can estimate the costs for various products. ++- [Azure Monitor](https://azure.microsoft.com/pricing/details/monitor/) +- [Azure storage](https://azure.microsoft.com/pricing/details/storage/blobs/) +- [Azure Event Hubs](https://azure.microsoft.com/pricing/details/event-hubs/) +- [Microsoft Sentinel](https://azure.microsoft.com/pricing/details/microsoft-sentinel/) ++Once you have an estimate for the GB/day that will be sent to an endpoint, enter that value in the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/). The figures in the following screenshot are used for example purposes and are not intended to reflect actual prices. ++![Screenshot of the Azure pricing calculator, with 8 GB/Day used as an example.](media/concept-activity-logs-azure-monitor/azure-pricing-calculator-values.png) ++## Next steps ++* [Create a storage account](../../storage/common/storage-account-create.md) +* [Archive activity logs to a storage account](quickstart-azure-monitor-route-logs-to-storage-account.md) +* [Route activity logs to an event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md) +* [Integrate activity logs with Azure Monitor](howto-integrate-activity-logs-with-log-analytics.md) |
active-directory | Howto Access Activity Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-access-activity-logs.md | Title: Access activity logs in Azure AD -description: Learn how to choose the right method for accessing the activity logs in Azure AD. +description: Learn how to choose the right method for accessing the activity logs in Azure Active Directory. -# How To: Access activity logs in Azure AD +# How to access activity logs in Azure AD -The data in your Azure Active Directory (Azure AD) logs enables you to assess many aspects of your Azure AD tenant. To cover a broad range of scenarios, Azure AD provides you with various options to access your activity log data. As an IT administrator, you need to understand the intended uses cases for these options, so that you can select the right access method for your scenario. +The data collected in your Azure Active Directory (Azure AD) logs enables you to assess many aspects of your Azure AD tenant. To cover a broad range of scenarios, Azure AD provides you with several options to access your activity log data. As an IT administrator, you need to understand the intended uses cases for these options, so that you can select the right access method for your scenario. You can access Azure AD activity logs and reports using the following methods: Each of these methods provides you with capabilities that may align with certain ## Prerequisites -The required roles and licenses may vary based on the report. Global Administrator can access all reports, but we recommend using a role with least privilege access to align with the [Zero Trust guidance](/security/zero-trust/zero-trust-overview). +The required roles and licenses may vary based on the report. Global Administrators can access all reports, but we recommend using a role with least privilege access to align with the [Zero Trust guidance](/security/zero-trust/zero-trust-overview). | Log / Report | Roles | Licenses | |--|--|--| The required roles and licenses may vary based on the report. Global Administrat | Usage and insights | Security Reader<br>Reports Reader<br> Security Administrator | Premium P1/P2 | | Identity Protection* | Security Administrator<br>Security Operator<br>Security Reader<br>Global Reader | Azure AD Free/Microsoft 365 Apps<br>Azure AD Premium P1/P2 | -*The level of access and capabilities for Identity Protection varies with the role and license. For more information, see the [license requirements for Identity Protection](../identity-protection/overview-identity-protection.md#license-requirements). +*The level of access and capabilities for Identity Protection vary with the role and license. For more information, see the [license requirements for Identity Protection](../identity-protection/overview-identity-protection.md#license-requirements). Audit logs are available for features that you've licensed. To access the sign-ins logs using the Microsoft Graph API, your tenant must have an Azure AD Premium license associated with it. The SIEM tools you can integrate with your event hub can provide analysis and mo ## Access logs with Microsoft Graph API -The Microsoft Graph API provides a unified programmability model that you can use to access data for your Azure AD Premium tenants. It doesn't require an administrator or developer to set up extra infrastructure to support your script or app. The Microsoft Graph API is **not** designed for pulling large amounts of activity data. Pulling large amounts of activity data using the API may lead to issues with pagination and performance. +The Microsoft Graph API provides a unified programmability model that you can use to access data for your Azure AD Premium tenants. It doesn't require an administrator or developer to set up extra infrastructure to support your script or app. ### Recommended uses We recommend manually downloading and storing your activity logs if you have bud Use the following basic steps to archive or download your activity logs. -### Archive activity logs to a storage account +#### Archive activity logs to a storage account 1. Sign in to the [Azure portal](https://portal.azure.com) using one of the required roles. 1. Create a storage account. |
active-directory | Howto Archive Logs To Storage Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-archive-logs-to-storage-account.md | + + Title: How to archive activity logs to a storage account +description: Learn how to archive Azure Active Directory logs to a storage account +++++++ Last updated : 08/09/2023++++# Customer intent: As an IT administrator, I want to learn how to archive Azure AD logs to an Azure storage account so I can retain it for longer than the default retention period. +++# How to archive Azure AD logs to an Azure storage account ++If you need to store Azure Active Directory (Azure AD) activity logs for longer than the [default retention period](reference-reports-data-retention.md), you can archive your logs to a storage account. ++## Prerequisites ++To use this feature, you need: ++* An Azure subscription with an Azure storage account. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/). +* A user who's a *Security Administrator* or *Global Administrator* for the Azure AD tenant. ++## Archive logs to an Azure storage account +++6. Under **Destination Details** select the **Archive to a storage account** check box. ++7. Select the appropriate **Subscription** and **Storage account** from the menus. ++ ![Diagnostics settings](media/howto-archive-logs-to-storage-account/diagnostic-settings-storage.png) ++8. After the categories have been selected, in the **Retention days** field, type in the number of days of retention you need of your log data. By default, this value is *0*, which means that logs are retained in the storage account indefinitely. If you set a different value, events older than the number of days selected are automatically cleaned up. ++ > [!NOTE] + > The Diagnostic settings storage retention feature is being deprecated. For details on this change, see [**Migrate from diagnostic settings storage retention to Azure Storage lifecycle management**](../../azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy.md). + +9. Select **Save** to save the setting. ++10. Close the window to return to the Diagnostic settings pane. ++## Next steps ++- [Learn about other ways to access activity logs](howto-access-activity-logs.md) +- [Manually download activity logs](howto-download-logs.md) +- [Integrate activity logs with Azure Monitor logs](howto-integrate-activity-logs-with-azure-monitor-logs.md) +- [Stream logs to an event hub](howto-stream-logs-to-event-hub.md) |
active-directory | Howto Configure Prerequisites For Reporting Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md | -The Azure Active Directory (Azure AD) [reporting APIs](/graph/api/resources/azure-ad-auditlog-overview) provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools. The reporting API uses [OAuth](../../api-management/api-management-howto-protect-backend-with-aad.md) to authorize access to the web APIs. +The Azure Active Directory (Azure AD) [reporting APIs](/graph/api/resources/azure-ad-auditlog-overview) provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools. The reporting API uses [OAuth](../../api-management/api-management-howto-protect-backend-with-aad.md) to authorize access to the web APIs. The Microsoft Graph API is **not** designed for pulling large amounts of activity data. Pulling large amounts of activity data using the API may lead to issues with pagination and performance. This article describes how to enable Microsoft Graph to access the Azure AD reporting APIs in the Azure portal and through PowerShell To get access to the reporting data through the API, you need to have one of the - Security Administrator - Global Administrator -In order to access the sign-in reports for a tenant, an Azure AD tenant must have associated Azure AD Premium P1 or P2 license. Alternatively if the directory type is Azure AD B2C, the sign-in reports are accessible through the API without any additional license requirement. +In order to access the sign-in reports for a tenant, an Azure AD tenant must have associated Azure AD Premium P1 or P2 license. If the directory type is Azure AD B2C, the sign-in reports are accessible through the API without any additional license requirement. Registration is needed even if you're accessing the reporting API using a script. The registration gives you an **Application ID**, which is required for the authorization calls and enables your code to receive tokens. To configure your directory to access the Azure AD reporting API, you must sign in to the [Azure portal](https://portal.azure.com) in one of the required roles. |
active-directory | Howto Download Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-download-logs.md | -# How to: Download logs in Azure Active Directory +# How to download logs in Azure Active Directory The Azure Active Directory (Azure AD) portal gives you access to three types of activity logs: |
active-directory | Howto Integrate Activity Logs With Arcsight | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-arcsight.md | - Title: Integrate logs with ArcSight using Azure Monitor -description: Learn how to integrate Azure Active Directory logs with ArcSight using Azure Monitor ------- Previously updated : 10/31/2022-------# Integrate Azure Active Directory logs with ArcSight using Azure Monitor --[Micro Focus ArcSight](https://software.microfocus.com/products/siem-security-information-event-management/overview) is a security information and event management (SIEM) solution that helps you detect and respond to security threats in your platform. You can now route Azure Active Directory (Azure AD) logs to ArcSight using Azure Monitor using the ArcSight connector for Azure AD. This feature allows you to monitor your tenant for security compromise using ArcSight. --In this article, you learn how to route Azure AD logs to ArcSight using Azure Monitor. --## Prerequisites --To use this feature, you need: -* An Azure event hub that contains Azure AD activity logs. Learn how to [stream your activity logs to an event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md). -* A configured instance of ArcSight Syslog NG Daemon SmartConnector (SmartConnector) or ArcSight Load Balancer. If the events are sent to ArcSight Load Balancer, they're sent to the SmartConnector by the Load Balancer. --Download and open the [configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs](https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292). This guide contains the steps you need to install and configure the ArcSight SmartConnector for Azure Monitor. --## Integrate Azure AD logs with ArcSight --1. First, complete the steps in the **Prerequisites** section of the configuration guide. This section includes the following steps: - * Set user permissions in Azure, to ensure there's a user with the **owner** role to deploy and configure the connector. - * Open ports on the server with Syslog NG Daemon SmartConnector, so it's accessible from Azure. - * The deployment runs a Windows PowerShell script, so you must enable PowerShell to run scripts on the machine where you want to deploy the connector. --2. Follow the steps in the **Deploying the Connector** section of configuration guide to deploy the connector. This section walks you through how to download and extract the connector, configure application properties and run the deployment script from the extracted folder. --3. Use the steps in the **Verifying the Deployment in Azure** to make sure the connector is set up and functions correctly. Verify the following prerequisites: - * The requisite Azure functions are created in your Azure subscription. - * The Azure AD logs are streamed to the correct destination. - * The application settings from your deployment are persisted in the Application Settings in Azure Function Apps. - * A new resource group for ArcSight is created in Azure, with an Azure AD application for the ArcSight connector and storage accounts containing the mapped files in CEF format. --4. Finally, complete the post-deployment steps in the **Post-Deployment Configurations** of the configuration guide. This section explains how to perform another configuration if you are on an App Service Plan to prevent the function apps from going idle after a timeout period, configure streaming of resource logs from the event hub, and update the SysLog NG Daemon SmartConnector keystore certificate to associate it with the newly created storage account. --5. The configuration guide also explains how to customize the connector properties in Azure, and how to upgrade and uninstall the connector. There's also a section on performance improvements, including upgrading to an [Azure Consumption plan](https://azure.microsoft.com/pricing/details/functions) and configuring an ArcSight Load Balancer if the event load is greater than what a single Syslog NG Daemon SmartConnector can handle. --## Next steps --[Configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs](https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292) |
active-directory | Howto Integrate Activity Logs With Azure Monitor Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-azure-monitor-logs.md | + + Title: Integrate Azure Active Directory logs with Azure Monitor logs +description: Learn how to integrate Azure Active Directory logs with Azure Monitor logs for querying and analysis. +++++++ Last updated : 08/08/2023+++++# Integrate Azure AD logs with Azure Monitor logs ++Using **Diagnostic settings** in Azure Active Directory (Azure AD), you can integrate logs with Azure Monitor so your sign-in activity and the audit trail of changes within your tenant can be analyzed along with other Azure data. ++This article provides the steps to integrate Azure Active Directory (Azure AD) logs with Azure Monitor. ++Use the integration of Azure AD activity logs and Azure Monitor to perform the following tasks: ++- Compare your Azure AD sign-in logs against security logs published by Microsoft Defender for Cloud. +- Troubleshoot performance bottlenecks on your applicationΓÇÖs sign-in page by correlating application performance data from Azure Application Insights. +- Analyze the Identity Protection risky users and risk detections logs to detect threats in your environment. +- Identify sign-ins from applications still using the Active Directory Authentication Library (ADAL) for authentication. [Learn about the ADAL end-of-support plan.](../develop/msal-migration.md) ++> [!NOTE] +> Integrating Azure Active Directory logs with Azure Monitor automatically enables the Azure Active Directory data connector within Microsoft Sentinel. ++## How do I access it? ++To use this feature, you need: ++* An Azure subscription. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/). +* An Azure AD Premium P1 or P2 tenant. +* **Global Administrator** or **Security Administrator** access for the Azure AD tenant. +* A **Log Analytics workspace** in your Azure subscription. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md). +* Permission to access data in a Log Analytics workspace. See [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/logs/manage-access.md) for information on the different permission options and how to configure permissions. ++## Create a Log Analytics workspace ++A Log Analytics workspace allows you to collect data based on a variety or requirements, such as geographic location of the data, subscription boundaries, or access to resources. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md). ++Looking for how to set up a Log Analytics workspace for Azure resources outside of Azure AD? Check out the [Collect and view resource logs for Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md) article. ++## Send logs to Azure Monitor ++Follow the steps below to send logs from Azure Active Directory to Azure Monitor logs. Looking for how to set up Log Analytics workspace for Azure resources outside of Azure AD? Check out the [Collect and view resource logs for Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md) article. +++6. Under **Destination Details** select the **Send to Log Analytics workspace** check box. ++7. Select the appropriate **Subscription** and **Log Analytics workspace** from the menus. ++8. Select the **Save** button. ++ ![Screenshot of the Diagnostics settings with some destination details shown.](./media/howto-integrate-activity-logs-with-azure-monitor-logs/diagnostic-settings-log-analytics-workspace.png) ++If you do not see logs appearing in the selected destination after 15 minutes, sign out and back into Azure to refresh the logs. ++## Next steps ++* [Analyze Azure AD activity logs with Azure Monitor logs](howto-analyze-activity-logs-log-analytics.md) +* [Learn about the data sources you can analyze with Azure Monitor](../../azure-monitor/data-sources.md) +* [Automate creating diagnostic settings with Azure Policy](../../azure-monitor/essentials/diagnostic-settings-policy.md) |
active-directory | Howto Integrate Activity Logs With Log Analytics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md | - Title: Integrate Azure Active Directory logs with Azure Monitor | Microsoft Docs -description: Learn how to integrate Azure Active Directory logs with Azure Monitor ------- Previously updated : 06/26/2023------# How to integrate Azure AD logs with Azure Monitor logs --Using **Diagnostic settings** in Azure Active Directory (Azure AD), you can integrate logs with Azure Monitor so sign-in activity and the audit trail of changes within your tenant can be analyzed along with other Azure data. Integrating Azure AD logs with Azure Monitor logs enables rich visualizations, monitoring, and alerting on the connected data. --This article provides the steps to integrate Azure Active Directory (Azure AD) logs with Azure Monitor Logs. --## Roles and licenses --To integrate Azure AD logs with Azure Monitor, you need the following roles and licenses: --* **An Azure subscription:** If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/). --* **An Azure AD Premium P1 or P2 tenant:** You can find the license type of your tenant on the [Overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) page in Azure AD. --* **Security Administrator access for the Azure AD tenant:** This role is required to set up the Diagnostics settings. --* **Permission to access data in a Log Analytics workspace:** See [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/logs/manage-access.md) for information on the different permission options and how to configure permissions. --## Integrate logs with Azure Monitor logs --To send Azure AD logs to Azure Monitor Logs you must first have a [Log Analytics workspace](../../azure-monitor/logs/log-analytics-overview.md). Then you can set up the Diagnostics settings in Azure AD to send your activity logs to that workspace. --### Create a Log Analytics workspace --A Log Analytics workspace allows you to collect data based on a variety or requirements, such as geographic location of the data, subscription boundaries, or access to resources. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md). --Looking for how to set up a Log Analytics workspace for Azure resources outside of Azure AD? Check out the [Collect and view resource logs for Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md) article. --### Set up Diagnostics settings --Once you have a Log Analytics workspace created, follow the steps below to send logs from Azure Active Directory to that workspace. ---Follow the steps below to send logs from Azure Active Directory to Azure Monitor. Looking for how to set up Log Analytics workspace for Azure resources outside of Azure AD? Check out the [Collect and view resource logs for Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md) article. --1. Sign in to the [Azure portal](https://portal.azure.com) as a **Security Administrator**. --1. Go to **Azure Active Directory** > **Diagnostic settings**. You can also select **Export Settings** from the Audit logs or Sign-in logs. --1. Select **+ Add diagnostic setting** to create a new integration or select **Edit setting** to change an existing integration. --1. Enter a **Diagnostic setting name**. If you're editing an existing integration, you can't change the name. --1. Any or all of the following logs can be sent to the Log Analytics workspace. Some logs may be in public preview but still visible in the portal. - * `AuditLogs` - * `SignInLogs` - * `NonInteractiveUserSignInLogs` - * `ServicePrincipalSignInLogs` - * `ManagedIdentitySignInLogs` - * `ProvisioningLogs` - * `ADFSSignInLogs` Active Directory Federation Services (ADFS) - * `RiskyServicePrincipals` - * `RiskyUsers` - * `ServicePrincipalRiskEvents` - * `UserRiskEvents` --1. The following logs are in preview but still visible in Azure AD. At this time, selecting these options will not add new logs to your workspace unless your organization was included in the preview. - * `EnrichedOffice365AuditLogs` - * `MicrosoftGraphActivityLogs` - * `NetworkAccessTrafficLogs` --1. In the **Destination details**, select **Send to Log Analytics workspace** and choose the appropriate details from the menus that appear. - * You can also send logs to any or all of the following destinations. Additional fields appear, depending on your selection. - * **Archive to a storage account:** Provide the number of days you'd like to retain the data in the **Retention days** boxes that appear next to the log categories. Select the appropriate details from the menus that appear. - * **Stream to an event hub:** Select the appropriate details from the menus that appear. - * **Send to partner solution:** Select the appropriate details from the menus that appear. --1. Select **Save** to save the setting. -- ![Screenshot of the Diagnostics settings with some destination details shown.](./media/howto-integrate-activity-logs-with-log-analytics/Configure.png) --If you do not see logs appearing in the selected destination after 15 minutes, sign out and back into Azure to refresh the logs. --> [!NOTE] -> Integrating Azure Active Directory logs with Azure Monitor will automatically enable the Azure Active Directory data connector within Microsoft Sentinel. --## Next steps --* [Analyze Azure AD activity logs with Azure Monitor logs](howto-analyze-activity-logs-log-analytics.md) -* [Learn about the data sources you can analyze with Azure Monitor](../../azure-monitor/data-sources.md) -* [Automate creating diagnostic settings with Azure Policy](../../azure-monitor/essentials/diagnostic-settings-policy.md) |
active-directory | Howto Integrate Activity Logs With Splunk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-splunk.md | - Title: Integrate Splunk using Azure Monitor -description: Learn how to integrate Azure Active Directory logs with Splunk using Azure Monitor. ------- Previously updated : 10/31/2022-------# How to: Integrate Azure Active Directory logs with Splunk using Azure Monitor --In this article, you learn how to integrate Azure Active Directory (Azure AD) logs with Splunk by using Azure Monitor. You first route the logs to an Azure event hub, and then you integrate the event hub with Splunk. --## Prerequisites --To use this feature, you need: --- An Azure event hub that contains Azure AD activity logs. Learn how to [stream your activity logs to an event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md). --- The [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/#/details). --## Integrate Azure Active Directory logs --1. Open your Splunk instance, and select **Data Summary**. -- ![The "Data Summary" button](./media/howto-integrate-activity-logs-with-splunk/DataSummary.png) --2. Select the **Sourcetypes** tab, and then select **mscs:azure:eventhub** -- ![The Data Summary Sourcetypes tab](./media/howto-integrate-activity-logs-with-splunk/source-eventhub.png) --Append **body.records.category=AuditLogs** to the search. The Azure AD activity logs are shown in the following figure: -- ![Activity logs](./media/howto-integrate-activity-logs-with-splunk/activity-logs.png) --> [!NOTE] -> If you cannot install an add-on in your Splunk instance (for example, if you're using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector. To do so, use this [Azure function](https://github.com/splunk/azure-functions-splunk), which is triggered by new messages in the event hub. -> --## Next steps --* [Interpret audit logs schema in Azure Monitor](./overview-reports.md) -* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md) |
active-directory | Howto Integrate Activity Logs With Sumologic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-sumologic.md | - Title: Stream logs to SumoLogic using Azure Monitor -description: Learn how to integrate Azure Active Directory logs with SumoLogic using Azure Monitor. ------- Previously updated : 10/31/2022-------# Integrate Azure Active Directory logs with SumoLogic using Azure Monitor --In this article, you learn how to integrate Azure Active Directory (Azure AD) logs with SumoLogic using Azure Monitor. You first route the logs to an Azure event hub, and then you integrate the event hub with SumoLogic. --## Prerequisites --To use this feature, you need: -* An Azure event hub that contains Azure AD activity logs. Learn how to [stream your activity logs to an event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md). -* A SumoLogic single sign-on enabled subscription. --## Steps to integrate Azure AD logs with SumoLogic --1. First, [stream the Azure AD logs to an Azure event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md). -2. Configure your SumoLogic instance to [collect logs for Azure Active Directory](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#collecting-logs-for-azure-active-directory). -3. [Install the Azure AD SumoLogic app](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#viewing-azure-active-directory-dashboards) to use the pre-configured dashboards that provide real-time analysis of your environment. -- ![Dashboard](./media/howto-integrate-activity-logs-with-sumologic/overview-dashboard.png) --## Next steps --* [Interpret audit logs schema in Azure Monitor](./overview-reports.md) -* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md) |
active-directory | Howto Manage Inactive User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md | |
active-directory | Howto Stream Logs To Event Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-stream-logs-to-event-hub.md | + + Title: Stream Azure Active Directory logs to an event hub +description: Learn how to stream Azure Active Directory logs to an event hub for SIEM tool integration. +++++++ Last updated : 08/08/2023++++# How to stream activity logs to an event hub ++Your Azure Active Directory (Azure AD) tenant produces large amounts of data every second. Sign-in activity and logs of changes made in your tenant add up to a lot of data that can be hard to analyze. Integrating with Security Information and Event Management (SIEM) tools can help you gain insights into your environment. ++This article shows how you can stream your logs to an event hub, to integrate with one of several SIEM tools. ++## Prerequisites ++To stream logs to a SIEM tool, you first need to create an **Azure event hub**. ++Once you have an event hub that contains Azure AD activity logs, you can set up the SIEM tool integration using the **Azure AD Diagnostics Settings**. ++## Stream logs to an event hub +++6. Select the **Stream to an event hub** check box. ++7. Select the Azure subscription, Event Hubs namespace, and optional event hub where you want to route the logs. ++The subscription and Event Hubs namespace must both be associated with the Azure AD tenant from where you're streaming the logs. ++Once you have the Azure event hub ready, navigate to the SIEM tool you want to integrate with the activity logs. You'll finish the process in the SIEM tool. ++We currently support Splunk, SumoLogic, and ArcSight. Select a tab below to get started. Refer to the tool's documentation. ++# [Splunk](#tab/splunk) ++To use this feature, you need the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/#/details). ++### Integrate Azure AD logs with Splunk ++1. Open your Splunk instance and select **Data Summary**. ++ ![The "Data Summary" button](./media/howto-stream-logs-to-event-hub/datasummary.png) ++1. Select the **Sourcetypes** tab, and then select **mscs:azure:eventhub** ++ ![The Data Summary Sourcetypes tab](./media/howto-stream-logs-to-event-hub/source-eventhub.png) ++Append **body.records.category=AuditLogs** to the search. The Azure AD activity logs are shown in the following figure: ++ ![Activity logs](./media/howto-stream-logs-to-event-hub/activity-logs.png) ++If you cannot install an add-on in your Splunk instance (for example, if you're using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector. To do so, use this [Azure function](https://github.com/splunk/azure-functions-splunk), which is triggered by new messages in the event hub. ++# [SumoLogic](#tab/SumoLogic) ++To use this feature, you need a SumoLogic single sign-on enabled subscription. ++### Integrate Azure AD logs with SumoLogic ++1. Configure your SumoLogic instance to [collect logs for Azure Active Directory](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#collecting-logs-for-azure-active-directory). ++1. [Install the Azure AD SumoLogic app](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#viewing-azure-active-directory-dashboards) to use the pre-configured dashboards that provide real-time analysis of your environment. ++ ![Dashboard](./media/howto-stream-logs-to-event-hub/overview-dashboard.png) ++# [ArcSight](#tab/ArcSight) ++To use this feature, you need a configured instance of ArcSight Syslog NG Daemon SmartConnector (SmartConnector) or ArcSight Load Balancer. If the events are sent to ArcSight Load Balancer, they're sent to the SmartConnector by the Load Balancer. ++Download and open the [configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs](https://software.microfocus.com/products/siem-security-information-event-management/overview). This guide contains the steps you need to install and configure the ArcSight SmartConnector for Azure Monitor. ++## Integrate Azure AD logs with ArcSight ++1. Complete the steps in the **Prerequisites** section of the ArcSight configuration guide. This section includes the following steps: + * Set user permissions in Azure to ensure there's a user with the **owner** role to deploy and configure the connector. + * Open ports on the server with Syslog NG Daemon SmartConnector so it's accessible from Azure. + * The deployment runs a Windows PowerShell script, so you must enable PowerShell to run scripts on the machine where you want to deploy the connector. ++1. Follow the steps in the **Deploying the Connector** section of the ArcSight configuration guide to deploy the connector. This section walks you through how to download and extract the connector, configure application properties and run the deployment script from the extracted folder. ++1. Use the steps in the **Verifying the Deployment in Azure** to make sure the connector is set up and functions correctly. Verify the following prerequisites: + * The requisite Azure functions are created in your Azure subscription. + * The Azure AD logs are streamed to the correct destination. + * The application settings from your deployment are persisted in the Application Settings in Azure Function Apps. + * A new resource group for ArcSight is created in Azure, with an Azure AD application for the ArcSight connector and storage accounts containing the mapped files in CEF format. ++1. Complete the post-deployment steps in the **Post-Deployment Configurations** of the ArcSight configuration guide. This section explains how to perform another configuration if you are on an App Service Plan to prevent the function apps from going idle after a timeout period, configure streaming of resource logs from the event hub, and update the SysLog NG Daemon SmartConnector keystore certificate to associate it with the newly created storage account. ++1. The configuration guide also explains how to customize the connector properties in Azure, and how to upgrade and uninstall the connector. There's also a section on performance improvements, including upgrading to an [Azure Consumption plan](https://azure.microsoft.com/pricing/details/functions) and configuring an ArcSight Load Balancer if the event load is greater than what a single Syslog NG Daemon SmartConnector can handle. ++++## Activity log integration options and considerations ++If your current SIEM isn't supported in Azure Monitor diagnostics yet, you can set up **custom tooling** by using the Event Hubs API. To learn more, see the [Getting started receiving messages from an event hub](../../event-hubs/event-hubs-dotnet-standard-getstarted-send.md). ++**IBM QRadar** is another option for integrating with Azure AD activity logs. The DSM and Azure Event Hubs Protocol are available for download at [IBM support](https://www.ibm.com/support). For more information about integration with Azure, go to the [IBM QRadar Security Intelligence Platform 7.3.0](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_microsoft_azure_overview.html?cp=SS42VS_7.3.0) site. ++Some sign-in categories contain large amounts of log data, depending on your tenantΓÇÖs configuration. In general, the non-interactive user sign-ins and service principal sign-ins can be 5 to 10 times larger than the interactive user sign-ins. ++## Next steps ++- [Analyze Azure AD activity logs with Azure Monitor logs](howto-analyze-activity-logs-log-analytics.md) +- [Use Microsoft Graph to access Azure AD activity logs](quickstart-access-log-with-graph-api.md) |
active-directory | Howto Use Recommendations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-recommendations.md | -# How to: Use Azure AD recommendations +# How to use Azure Active Directory Recommendations The Azure Active Directory (Azure AD) recommendations feature provides you with personalized insights with actionable guidance to: |
active-directory | Howto Use Workbooks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-workbooks.md | + + Title: Azure Monitor workbooks for Azure Active Directory +description: Learn how to use Azure Monitor workbooks for Azure Active Directory reports. +++++++ Last updated : 08/10/2023+++++# How to use Azure Active Directory Workbooks ++Workbooks are found in Azure AD and in Azure Monitor. The concepts, processes, and best practices are the same for both types of workbooks, however, workbooks for Azure Active Directory (AD) cover only those identity management scenarios that are associated with Azure AD. ++When using workbooks, you can either start with an empty workbook, or use an existing template. Workbook templates enable you to quickly get started using workbooks without needing to build from scratch. ++- **Public templates** published to a [gallery](../../azure-monitor/visualize/workbooks-overview.md#the-gallery) are a good starting point when you're just getting started with workbooks. +- **Private templates** are helpful when you start building your own workbooks and want to save one as a template to serve as the foundation for multiple workbooks in your tenant. ++## Prerequisites ++To use Azure Workbooks for Azure AD, you need: ++- An Azure AD tenant with a [Premium P1 license](../fundamentals/get-started-premium.md) +- A Log Analytics workspace *and* access to that workspace +- The appropriate roles for Azure Monitor *and* Azure AD ++### Log Analytics workspace ++You must create a [Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md) *before* you can use Azure AD Workbooks. There are a combination of factors that determine access to Log Analytics workspaces. You need the right roles for the workspace *and* the resources sending the data. ++For more information, see [Manage access to Log Analytics workspaces](../../azure-monitor/logs/manage-access.md). ++### Azure Monitor roles ++Azure Monitor provides [two built-in roles](../../azure-monitor/roles-permissions-security.md#monitoring-reader) for viewing monitoring data and editing monitoring settings. Azure role-based access control (RBAC) also provides two Log Analytics built-in roles that grant similar access. ++- **View**: + - Monitoring Reader + - Log Analytics Reader ++- **View and modify settings**: + - Monitoring Contributor + - Log Analytics Contributor ++For more information on the Azure Monitor built-in roles, see [Roles, permissions, and security in Azure Monitor](../../azure-monitor/roles-permissions-security.md#monitoring-reader). ++For more information on the Log Analytics RBAC roles, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md#log-analytics-contributor) ++### Azure AD roles ++Read only access allows you to view Azure AD log data inside a workbook, query data from Log Analytics, or read logs in the Azure AD portal. Update access adds the ability to create and edit diagnostic settings to send Azure AD data to a Log Analytics workspace. ++- **Read**: + - Reports Reader + - Security Reader + - Global Reader ++- **Update**: + - Security Administrator ++For more information on Azure AD built-in roles, see [Azure AD built-in roles](../roles/permissions-reference.md). ++## How to access Azure Workbooks for Azure AD +++1. Sign in to the [Azure portal](https://portal.azure.com). +1. Navigate to **Azure Active Directory** > **Monitoring** > **Workbooks**. + - **Workbooks**: All workbooks created in your tenant + - **Public Templates**: Prebuilt workbooks for common or high priority scenarios + - **My Templates**: Templates you've created +1. Select a report or template from the list. Workbooks may take a few moments to populate. + - Search for a template by name. + - Select the **Browse across galleries** to view templates that aren't specific to Azure AD. ++ ![Find the Azure Monitor workbooks in Azure AD](./media/howto-use-azure-monitor-workbooks/azure-monitor-workbooks-in-azure-ad.png) ++## Create a new workbook ++Workbooks can be created from scratch or from a template. When creating a new workbook, you can add elements as you go or use the **Advanced Editor** option to paste in the JSON representation of a workbook, copied from the [workbooks GitHub repository](https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json). ++**To create a new workbook from scratch**: +1. Navigate to **Azure AD** > **Monitoring** > **Workbooks**. +1. Select **+ New**. +1. Select an element from the **+ Add** menu. ++ For more information on the available elements, see [Creating an Azure Workbook](../../azure-monitor/visualize/workbooks-create-workbook.md). ++ ![Screenshot of the Azure Workbooks +Add menu options.](./media/howto-use-azure-monitor-workbooks/create-new-workbook-elements.png) ++**To create a new workbook from a template**: +1. Navigate to **Azure AD** > **Monitoring** > **Workbooks**. +1. Select a workbook template from the Gallery. +1. Select **Edit** from the top of the page. + - Each element of the workbook has its own **Edit** button. + - For more information on editing workbook elements, see [Azure Workbooks Templates](../../azure-monitor/visualize/workbooks-templates.md) ++1. Select the **Edit** button for any element. Make your changes and select **Done editing**. + ![Screenshot of a workbook in Edit mode, with the Edit and Done Editing buttons highlighted.](./media/howto-use-azure-monitor-workbooks/edit-buttons.png) +1. When you're done editing the workbook, select the **Save As** to save your workbook with a new name. +1. In the **Save As** window: + - Provide a **Title**, **Subscription**, **Resource Group** (you must have the ability to save a workbook for the selected Resource Group), and **Location**. + - Optionally choose to save your workbook content to an [Azure Storage Account](../../azure-monitor/visualize/workbooks-bring-your-own-storage.md). +1. Select the **Apply** button. ++## Next steps ++* [Create interactive reports by using Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md). +* [Create custom Azure Monitor queries using Azure PowerShell](../governance/entitlement-management-logs-and-reporting.md). |
active-directory | Overview Monitoring Health | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-monitoring-health.md | + + Title: What is Azure Active Directory monitoring and health? +description: Provides a general overview of Azure Active Directory monitoring and health. +++++++ Last updated : 08/15/2023++++++# What is Azure Active Directory monitoring and health? ++The features of Azure Active Directory (Azure AD) Monitoring and health provide a comprehensive view of identity related activity in your environment. This data enables you to: ++- Determine how your users utilize your apps and services. +- Detect potential risks affecting the health of your environment. +- Troubleshoot issues preventing your users from getting their work done. ++Sign-in and audit logs comprise the activity logs behind many Azure AD reports, which can be used to analyze, monitor, and troubleshoot activity in your tenant. Routing your activity logs to an analysis and monitoring solution provides greater insights into your tenant's health and security. ++This article describes the types of activity logs available in Azure AD, the reports that use the logs, and the monitoring services available to help you analyze the data. ++## Identity activity logs ++Activity logs help you understand the behavior of users in your organization. There are three types of activity logs in Azure AD: ++- [**Audit logs**](concept-audit-logs.md) include the history of every task performed in your tenant. ++- [**Sign-in logs**](concept-all-sign-ins.md) capture the sign-in attempts of your users and client applications. ++- [**Provisioning logs**](concept-provisioning-logs.md) provide information around users provisioned in your tenant through a third party service. ++The activity logs can be viewed in the Azure portal or using the Microsoft Graph API. Activity logs can also be routed to various endpoints for storage or analysis. To learn about all of the options for viewing the activity logs, see [How to access activity logs](howto-access-activity-logs.md). ++### Audit logs ++Audit logs provide you with records of system activities for compliance. This data enables you to address common scenarios such as: ++- Someone in my tenant got access to an admin group. Who gave them access? +- I want to know the list of users signing into a specific app because I recently onboarded the app and want to know if itΓÇÖs doing well. +- I want to know how many password resets are happening in my tenant. ++### Sign-in logs ++The sign-ins logs enable you to find answers to questions such as: ++- What is the sign-in pattern of a user? +- How many users have users signed in over a week? +- WhatΓÇÖs the status of these sign-ins? ++### Provisioning logs ++You can use the provisioning logs to find answers to questions like: ++- What groups were successfully created in ServiceNow? +- What users were successfully removed from Adobe? +- What users from Workday were successfully created in Active Directory? ++## Identity reports ++Reviewing the data in the Azure AD activity logs can provide helpful information for IT administrators. To streamline the process of reviewing data on key scenarios, we've created several reports on common scenarios that use the activity logs. ++- [Identity Protection](../identity-protection/overview-identity-protection.md) uses sign-in data to create reports on risky users and sign-in activities. +- Activity related to your applications, such as service principal and app credential activity, are used to create reports in [Usage and insights](concept-usage-insights-report.md). +- [Azure AD workbooks](overview-workbooks.md) provide a customizable way to view and analyze the activity logs. +- [Monitor the status of Azure AD recommendations to improve your tenant's security.](overview-recommendations.md) ++## Identity monitoring and tenant health ++Reviewing Azure AD activity logs is the first step in maintaining and improving the health and security of your tenant. You need to analyze the data, monitor on risky scenarios, and determine where you can make improvements. Azure AD monitoring provides the necessary tools to help you make informed decisions. ++Monitoring Azure AD activity logs requires routing the log data to a monitoring and analysis solution. Endpoints include Azure Monitor logs, Microsoft Sentinel, or a third-party solution third-party Security Information and Event Management (SIEM) tool. ++- [Stream logs to an event hub to integrate with third-party SIEM tools.](howto-stream-logs-to-event-hub.md) +- [Integrate logs with Azure Monitor logs.](howto-integrate-activity-logs-with-log-analytics.md) +- [Analyze logs with Azure Monitor logs and Log Analytics.](howto-analyze-activity-logs-log-analytics.md) +++For an overview of how to access, store, and analyze activity logs, see [How to access activity logs](howto-access-activity-logs.md). +++## Next steps ++- [Learn about the sign-ins logs](concept-all-sign-ins.md) +- [Learn about the audit logs](concept-audit-logs.md) +- [Use Microsoft Graph to access activity logs](quickstart-access-log-with-graph-api.md) +- [Integrate activity logs with SIEM tools](howto-stream-logs-to-event-hub.md) |
active-directory | Overview Monitoring | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-monitoring.md | -- Title: What is Azure Active Directory monitoring? -description: Provides a general overview of Azure Active Directory monitoring. ------- Previously updated : 11/01/2022----# Customer intent: As an Azure AD administrator, I want to understand what monitoring solutions are available for Azure AD activity data and how they can help me manage my tenant. ----# What is Azure Active Directory monitoring? --With Azure Active Directory (Azure AD) monitoring, you can now route your Azure AD activity logs to different endpoints. You can then either retain it for long-term use or integrate it with third-party Security Information and Event Management (SIEM) tools to gain insights into your environment. --Currently, you can route the logs to: --- An Azure storage account.-- An Azure event hub, so you can integrate with your Splunk and Sumologic instances.-- Azure Log Analytics workspace, wherein you can analyze the data, create dashboard and alert on specific events--**Prerequisite role**: Global Administrator --> [!VIDEO https://www.youtube.com/embed/syT-9KNfug8] ---## Licensing and prerequisites for Azure AD reporting and monitoring --You'll need an Azure AD premium license to access the Azure AD sign-in logs. --For detailed feature and licensing information in the [Azure Active Directory pricing guide](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). --To deploy Azure AD monitoring and reporting you'll need a user who is a global administrator or security administrator for the Azure AD tenant. --Depending on the final destination of your log data, you'll need one of the following: --* An Azure storage account that you have ListKeys permissions for. We recommend that you use a general storage account and not a Blob storage account. For storage pricing information, see the [Azure Storage pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=storage). --* An Azure Event Hubs namespace to integrate with third-party SIEM solutions. --* An Azure Log Analytics workspace to send logs to Azure Monitor logs. --## Diagnostic settings configuration --To configure monitoring settings for Azure AD activity logs, first sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. From here, you can access the diagnostic settings configuration page in two ways: --* Select **Diagnostic settings** from the **Monitoring** section. -- ![Diagnostics settings](./media/overview-monitoring/diagnostic-settings.png) - -* Select **Audit Logs** or **Sign-ins**, then select **Export settings**. -- ![Export settings](./media/overview-monitoring/export-settings.png) ---## Route logs to storage account --By routing logs to an Azure storage account, you can retain it for longer than the default retention period outlined in our [retention policies](reference-reports-data-retention.md). Learn how to [route data to your storage account](quickstart-azure-monitor-route-logs-to-storage-account.md). --## Stream logs to event hub --Routing logs to an Azure event hub allows you to integrate with third-party SIEM tools like Sumologic and Splunk. This integration allows you to combine Azure AD activity log data with other data managed by your SIEM, to provide richer insights into your environment. Learn how to [stream logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md). --## Send logs to Azure Monitor logs --[Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) is a solution that consolidates monitoring data from different sources and provides a query language and analytics engine that gives you insights into the operation of your applications and resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor and alert on collected data. Learn how to [send data to Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md). --You can also install the pre-built views for Azure AD activity logs to monitor common scenarios involving sign-ins and audit events. Learn how to [install and use log analytics views for Azure AD activity logs](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md). --## Next steps --* [Activity logs in Azure Monitor](concept-activity-logs-azure-monitor.md) -* [Stream logs to event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md) -* [Send logs to Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md) |
active-directory | Overview Reports | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-reports.md | -- Title: What are Azure Active Directory reports? -description: Provides a general overview of Azure Active Directory reports. ------- Previously updated : 02/03/2023----# Customer intent: As an Azure AD administrator, I want to understand what Azure AD reports are available and how I can use them to gain insights into my environment. ----# What are Azure Active Directory reports? --Azure Active Directory (Azure AD) reports provide a comprehensive view of activity in your environment. The provided data enables you to: --- Determine how your apps and services are utilized by your users-- Detect potential risks affecting the health of your environment-- Troubleshoot issues preventing your users from getting their work done --## Activity reports --Activity reports help you understand the behavior of users in your organization. There are two types of activity reports in Azure AD: --- **Audit logs** - The [audit logs activity report](concept-audit-logs.md) provides you with access to the history of every task performed in your tenant.--- **Sign-ins** - With the [sign-ins activity report](concept-sign-ins.md), you can determine, who has performed the tasks reported by the audit logs report.----> [!VIDEO https://www.youtube.com/embed/ACVpH6C_NL8] --### Audit logs report --The [audit logs report](concept-audit-logs.md) provides you with records of system activities for compliance. This data enables you to address common scenarios such as: --- Someone in my tenant got access to an admin group. Who gave them access? --- I want to know the list of users signing into a specific app since I recently onboarded the app and want to know if itΓÇÖs doing well--- I want to know how many password resets are happening in my tenant---#### What Azure AD license do you need to access the audit logs report? --The audit logs report is available for features for which you have licenses. If you have a license for a specific feature, you also have access to the audit log information for it. A detailed feature comparison as per [different types of licenses](../fundamentals/whatis.md#what-are-the-azure-ad-licenses) can be seen on the [Azure Active Directory pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). For more information, see [Azure Active Directory features and capabilities](../fundamentals/whatis.md#which-features-work-in-azure-ad). --### Sign-ins report --The [sign-ins report](concept-sign-ins.md) enables you to find answers to questions such as: --- What is the sign-in pattern of a user?-- How many users have users signed in over a week?-- WhatΓÇÖs the status of these sign-ins?--#### What Azure AD license do you need to access the sign-ins activity report? --To access the sign-ins activity report, your tenant must have an Azure AD Premium license associated with it. --## Programmatic access --In addition to the user interface, Azure AD also provides you with [programmatic access](./howto-configure-prerequisites-for-reporting-api.md) to the reports data, through a set of REST-based APIs. You can call these APIs from various programming languages and tools. --## Next steps --- [Risky sign-ins report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins)-- [Audit logs report](concept-audit-logs.md)-- [Sign-ins logs report](concept-sign-ins.md) |
active-directory | Overview Service Health Notifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-service-health-notifications.md | - Title: What are Service Health notifications in Azure Active Directory? -description: Learn how Service Health notifications provide you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. ------- Previously updated : 11/01/2022------# What are Service Health notifications in Azure Active Directory? --Azure Service Health has been updated to provide notifications to tenant admins within the Azure portal when there are Service Health events for Azure Active Directory services. Due to the criticality of these events, an alert card in the Azure AD overview page will also be provided to support the discovery of these notifications. --## How it works --When there happens to be a Service Health notification for an Azure Active Directory service, it will be posted to the Service Health page within the Azure portal. Previously these were subscription events that were posted to all the subscription owners/readers of subscriptions within the tenant that had an issue. To improve the targeting of these notifications, they'll now be available as tenant events to the tenant admins of the impacted tenant. For a transition period, these service events will be available as both tenant events and subscription events. --Now that they're available as tenant events, they appear on the Azure AD overview page as alert cards. Any Service Health notification that has been updated within the last three days will be shown in one of the cards. -- -![Screenshot of the alert cards on the Azure AD overview page.](./media/overview-service-health-notifications/service-health-overview.png) ----Each card: --- Represents a currently active event, or a resolved one that will be distinguished by the icon in the card. -- Has a link to the event. You can review the event on the Azure Service Health pages. -- -![Screenshot of the event on the Azure Service Health page.](./media/overview-service-health-notifications/service-health-issues.png) --- --For more information on the new Azure Service Health tenant events, see [Azure Service Health portal updates](../../service-health/service-health-portal-update.md) --## Who will see the notifications --Most of the built-in admin roles will have access to see these notifications. For the complete list of all authorized roles, see [Azure Service Health Tenant Admin authorized roles](../../service-health/admin-access-reference.md). Currently custom roles aren't supported. --## What you should know --Service Health events allow the addition of alerts and notifications to be applied to subscription events. This feature isn't yet supported with tenant events, but will be coming soon. --- ----## Next steps --- [Service Health overview](../../service-health/service-health-overview.md) |
active-directory | Quickstart Azure Monitor Route Logs To Storage Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md | - Title: Tutorial - Archive Azure Active Directory logs to a storage account -description: Learn how to route Azure Active Directory logs to a storage account ------- Previously updated : 07/14/2023----# Customer intent: As an IT administrator, I want to learn how to route Azure AD logs to an Azure storage account so I can retain it for longer than the default retention period. ----# Tutorial: Archive Azure AD logs to an Azure storage account --In this tutorial, you learn how to set up Azure Monitor diagnostics settings to route Azure Active Directory (Azure AD) logs to an Azure storage account. --## Prerequisites --To use this feature, you need: --* An Azure subscription with an Azure storage account. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/). -* An Azure AD tenant. -* A user who's a *Global Administrator* or *Security Administrator* for the Azure AD tenant. -* To export sign-in data, you must have an Azure AD P1 or P2 license. --## Archive logs to an Azure storage account ---1. Sign in to the [Azure portal](https://portal.azure.com). --1. Select **Azure Active Directory** > **Monitoring** > **Audit logs**. --1. Select **Export Data Settings**. --1. You can either create a new setting (up to three settings are allowed) or edit an existing setting. - - To change existing setting, select **Edit setting** next to the diagnostic setting you want to update. - - To add new settings, select **Add diagnostic setting**. -- ![Export settings](./media/quickstart-azure-monitor-route-logs-to-storage-account/ExportSettings.png) --1. Once in the **Diagnostic setting** pane if you're creating a new setting, enter a name for the setting to remind you of its purpose (for example, *Send to Azure storage account*). You can't change the name of an existing setting. --1. Under **Destination Details** select the **Archive to a storage account** check box. Text fields for the retention period appear next to each log category. --1. Select the Azure subscription and storage account for you want to route the logs. --1. Select all the relevant categories in under **Category details**: -- ![Diagnostics settings](./media/quickstart-azure-monitor-route-logs-to-storage-account/DiagnosticSettings.png) --1. In the **Retention days** field, enter the number of days of retention you need of your log data. By default, this value is *0*, which means that logs are retained in the storage account indefinitely. If you set a different value, events older than the number of days selected are automatically cleaned up. - -1. Select **Save**. --1. After the categories have been selected, in the **Retention days** field, type in the number of days of retention you need of your log data. By default, this value is *0*, which means that logs are retained in the storage account indefinitely. If you set a different value, events older than the number of days selected are automatically cleaned up. -- > [!NOTE] - > The Diagnostic settings storage retention feature is being deprecated. For details on this change, see [**Migrate from diagnostic settings storage retention to Azure Storage lifecycle management**](../../azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy.md). --1. Select **Save** to save the setting. --1. Close the window to return to the Diagnostic settings pane. --## Next steps --* [Tutorial: Configure a log analytics workspace](tutorial-log-analytics-wizard.md) -* [Interpret audit logs schema in Azure Monitor](./overview-reports.md) -* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md) |
active-directory | Recommendation Migrate From Adal To Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-migrate-from-adal-to-msal.md | Title: Azure Active Directory recommendation - Migrate from ADAL to MSAL | Microsoft Docs + Title: Migrate from ADAL to MSAL recommendation description: Learn why you should migrate from the Azure Active Directory Library to the Microsoft Authentication Libraries. -+ Previously updated : 08/10/2023 Last updated : 08/15/2023 -- # Azure AD recommendation: Migrate from the Azure Active Directory Library to the Microsoft Authentication Libraries Existing apps that use ADAL will continue to work after the end-of-support date. ## Action plan -The first step to migrating your apps from ADAL to MSAL is to identify all applications in your tenant that are currently using ADAL. You can identify your apps in the Azure portal or programmatically with the Microsoft Graph API or the Microsoft Graph PowerShell SDK. --### [Azure portal](#tab/Azure-portal) --There are four steps to identifying and updating your apps in the Azure portal. The following steps are covered in detail in the [List all apps using ADAL](../develop/howto-get-list-of-all-auth-library-apps.md) article. --1. Send Azure AD sign-in event to Azure Monitor. -1. [Access the sign-ins workbook in Azure AD.](../develop/howto-get-list-of-all-auth-library-apps.md) -1. Identify the apps that use ADAL. -1. Update your code. - - The steps to update your code vary depending on the type of application. - - For example, the steps for .NET and Python applications have separate instructions. - - For a full list of instructions for each scenario, see [How to migrate to MSAL](../develop/msal-migration.md#how-to-migrate-to-msal). +The first step to migrating your apps from ADAL to MSAL is to identify all applications in your tenant that are currently using ADAL. You can identify your apps programmatically with the Microsoft Graph API or the Microsoft Graph PowerShell SDK. The steps for the Microsoft Graph PowerShell SDK are provided in the Recommendation details in the Azure Active Directory portal. ### [Microsoft Graph API](#tab/Microsoft-Graph-API) You can use Microsoft Graph to identify apps that need to be migrated to MSAL. To get started, see [How to use Microsoft Graph with Azure AD recommendations](howto-use-recommendations.md#how-to-use-microsoft-graph-with-azure-active-directory-recommendations). -Run the following query in Microsoft Graph, replacing the `<TENANT_ID>` placeholder with your tenant ID. This query returns a list of the impacted resources in your tenant. +1. Sign in to [Graph Explorer](https://aka.ms/ge). +1. Select **GET** as the HTTP method from the dropdown. +1. Set the API version to **beta**. +1. Run the following query in Microsoft Graph, replacing the `<TENANT_ID>` placeholder with your tenant ID. This query returns a list of the impacted resources in your tenant. ```http https://graph.microsoft.com/beta/directory/recommendations/<TENANT_ID>_Microsoft.Identity.IAM.Insights.AdalToMsalMigration/impactedResources You can run the following set of commands in Windows PowerShell. These commands + ## Frequently asked questions ### Why does it take 30 days to change the status to completed? To reduce false positives, the service uses a 30 day window for ADAL requests. T ### How were ADAL applications identified before the recommendation was released? -The [Azure AD sign-ins workbook](../develop/howto-get-list-of-all-auth-library-apps.md) is an alternative method to identify these apps. The workbook is still available to you, but using the workbook requires streaming sign-in logs to Azure Monitor first. The ADAL to MSAL recommendation works out of the box. Plus, the sign-ins workbook does not capture Service Principal sign-ins, while the recommendation does. +The [Azure AD sign-ins workbook](../develop/howto-get-list-of-all-auth-library-apps.md) was an alternative method to identify these apps. The workbook is still available to you, but using the workbook requires streaming sign-in logs to Azure Monitor first. The ADAL to MSAL recommendation works out of the box. Plus, the sign-ins workbook doesn't capture Service Principal sign-ins, while the recommendation does. ### Why is the number of ADAL applications different in the workbook and the recommendation? |
active-directory | Reference Powershell Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-powershell-reporting.md | |
active-directory | Tutorial Configure Log Analytics Workspace | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/tutorial-configure-log-analytics-workspace.md | + + Title: Configure a log analytics workspace in Azure AD +description: Learn how to configure Log Analytics workspace and run KQL queries on your identity data. +++++ Last updated : 07/28/2023+++++++#Customer intent: As an IT admin, I want to set up log analytics so I can analyze the health of my environment. ++++# Tutorial: Configure a log analytics workspace +++In this tutorial, you learn how to: ++> [!div class="checklist"] +> * Configure a log analytics workspace for your audit and sign-in logs +> * Run queries using the Kusto Query Language (KQL) +> * Create an alert rule that sends alerts when a specific account is used +> * Create a custom workbook using the quickstart template +> * Add a query to an existing workbook template ++## Prerequisites ++- An Azure subscription with at least one P1 licensed admin. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/). ++- An Azure Active Directory (Azure AD) tenant. ++- A user who's a Global Administrator or Security Administrator for the Azure AD tenant. +++Familiarize yourself with these articles: ++- [Tutorial: Collect and analyze resource logs from an Azure resource](../../azure-monitor/essentials/tutorial-resource-logs.md) ++- [How to integrate activity logs with Log Analytics](./howto-integrate-activity-logs-with-log-analytics.md) ++- [Manage emergency access account in Azure AD](../roles/security-emergency-access.md) ++- [KQL quick reference](/azure/data-explorer/kql-quick-reference) ++- [Azure Monitor Workbooks](../../azure-monitor/visualize/workbooks-overview.md) ++++## Configure a workspace +++This procedure outlines how to configure a log analytics workspace for your audit and sign-in logs. +Configuring a log analytics workspace consists of two main steps: + +1. Creating a log analytics workspace +2. Setting diagnostic settings ++**To configure a workspace:** +++1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator. ++2. Search for **log analytics workspaces**. ++ ![Search resources services and docs](./media/tutorial-log-analytics-wizard/search-services.png) ++3. On the log analytics workspaces page, click **Add**. ++ ![Screenshot shows the Add button in the log analytics workspaces page.](./media/tutorial-log-analytics-wizard/add.png) ++4. On the **Create Log Analytics workspace** page, perform the following steps: ++ ![Create log analytics workspace](./media/tutorial-log-analytics-wizard/create-log-analytics-workspace.png) ++ 1. Select your subscription. ++ 2. Select a resource group. + + 3. In the **Name** textbox, type a name (e.g.: MytestWorkspace1). ++ 4. Select your region. ++5. Click **Review + Create**. ++ ![Review and create](./media/tutorial-log-analytics-wizard/review-create.png) ++6. Click **Create** and wait for the deployment to be succeeded. You may need to refresh the page to see the new workspace. ++ ![Create](./media/tutorial-log-analytics-wizard/create-workspace.png) ++7. Search for **Azure Active Directory**. ++ ![Screenshot shows Azure Active Directory in Azure search.](./media/tutorial-log-analytics-wizard/search-azure-ad.png) ++8. In **Monitoring** section, click **Diagnostic setting**. ++ ![Screenshot shows Diagnostic settings selected from Monitoring.](./media/tutorial-log-analytics-wizard/diagnostic-settings.png) ++9. On the **Diagnostic settings** page, click **Add diagnostic setting**. ++ ![Add diagnostic setting](./media/tutorial-log-analytics-wizard/add-diagnostic-setting.png) ++10. On the **Diagnostic setting** page, perform the following steps: ++ ![Select diagnostics settings](./media/tutorial-log-analytics-wizard/select-diagnostics-settings.png) ++ 1. Under **Category details**, select **AuditLogs** and **SigninLogs**. ++ 2. Under **Destination details**, select **Send to Log Analytics**, and then select your new log analytics workspace. + + 3. Click **Save**. ++## Run queries ++This procedure shows how to run queries using the **Kusto Query Language (KQL)**. +++**To run a query:** +++1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator. ++2. Search for **Azure Active Directory**. ++ ![Screenshot shows Azure Active Directory in Azure search.](./media/tutorial-log-analytics-wizard/search-azure-ad.png) ++3. In the **Monitoring** section, click **Logs**. ++4. On the **Logs** page, click **Get Started**. ++5. In the **Search* textbox, type your query. ++6. Click **Run**. +++### KQL query examples ++Take 10 random entries from the input data: ++`SigninLogs | take 10` ++Look at the sign-ins where the Conditional Access was a success ++`SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus` +++Count how many successes there have been ++`SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus | count` +++Aggregate count of successful sign-ins by user by day: ++`SigninLogs | where ConditionalAccessStatus == "success" | summarize SuccessfulSign-ins = count() by UserDisplayName, bin(TimeGenerated, 1d)` +++View how many times a user does a certain operation in specific time period: ++`AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | summarize count() by OperationName, Identity` +++Pivot the results on operation name ++`AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | project OperationName, Identity | evaluate pivot(OperationName)` +++Merge together Audit and Sign in Logs using an inner join: ++`AuditLogs |where OperationName contains "Add User" |extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName) | |project TimeGenerated, UserPrincipalName |join kind = inner (SigninLogs) on UserPrincipalName |summarize arg_min(TimeGenerated, *) by UserPrincipalName |extend SigninDate = TimeGenerated` +++View number of signs ins by client app type: ++`SigninLogs | summarize count() by ClientAppUsed` ++Count the sign ins by day: ++`SigninLogs | summarize NumberOfEntries=count() by bin(TimeGenerated, 1d)` ++Take 5 random entries and project the columns you wish to see in the results: ++`SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated ` +++Take the top 5 in descending order and project the columns you wish to see ++`SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated ` ++Create a new column by combining the values to two other columns: ++`SigninLogs | limit 10 | extend RiskUser = strcat(RiskDetail, "-", Identity) | project RiskUser, ClientAppUsed` ++## Create an alert rule ++This procedure shows how to send alerts when the breakglass account is used. ++**To create an alert rule:** ++1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator. ++2. Search for **Azure Active Directory**. ++ ![Screenshot shows Azure Active Directory in Azure search.](./media/tutorial-log-analytics-wizard/search-azure-ad.png) ++3. In the **Monitoring** section, click **Logs**. ++4. On the **Logs** page, click **Get Started**. ++5. In the **Search** textbox, type: `SigninLogs |where UserDisplayName contains "BreakGlass" | project UserDisplayName` ++6. Click **Run**. ++7. In the toolbar, click **New alert rule**. ++ ![New alert rule](./media/tutorial-log-analytics-wizard/new-alert-rule.png) ++8. On the **Create alert rule** page, verify that the scope is correct. ++9. Under **Condition**, click: **Whenever the average custom log search is greater than `logic undefined` count** ++ ![Default condition](./media/tutorial-log-analytics-wizard/default-condition.png) ++10. On the **Configure signal logic** page, in the **Alert logic** section, perform the following steps: ++ ![Alert logic](./media/tutorial-log-analytics-wizard/alert-logic.png) ++ 1. As **Based on**, select **Number of results**. ++ 2. As **Operator**, select **Greater than**. ++ 3. As **Threshold value**, select **0**. ++11. On the **Configure signal logic** page, in the **Evaluated based on** section, perform the following steps: ++ ![Evaluated based on](./media/tutorial-log-analytics-wizard/evaluated-based-on.png) ++ 1. As **Period (in minutes)**, select **5**. ++ 2. As **Frequency (in minutes)**, select **5**. ++ 3. Click **Done**. ++12. Under **Action group**, click **Select action group**. ++ ![Action group](./media/tutorial-log-analytics-wizard/action-group.png) ++13. On the **Select an action group to attach to this alert rule**, click **Create action group**. ++ ![Create action group](./media/tutorial-log-analytics-wizard/create-action-group.png) ++14. On the **Create action group** page, perform the following steps: ++ ![Instance details](./media/tutorial-log-analytics-wizard/instance-details.png) ++ 1. In the **Action group name** textbox, type **My action group**. ++ 2. In the **Display name** textbox, type **My action**. ++ 3. Click **Review + create**. ++ 4. Click **Create**. +++15. Under **Customize action**, perform the following steps: ++ ![Customize actions](./media/tutorial-log-analytics-wizard/customize-actions.png) ++ 1. Select **Email subject**. ++ 2. In the **Subject line** textbox, type: `Breakglass account has been used` ++16. Under **Alert rule details**, perform the following steps: ++ ![Alert rule details](./media/tutorial-log-analytics-wizard/alert-rule-details.png) ++ 1. In the **Alert rule name** textbox, type: `Breakglass account` ++ 2. In the **Description** textbox, type: `Your emergency access account has been used` ++17. Click **Create alert rule**. +++## Create a custom workbook ++This procedure shows how to create a new workbook using the quickstart template. +++++1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator. ++2. Search for **Azure Active Directory**. ++ ![Screenshot shows Azure Active Directory in Azure search.](./media/tutorial-log-analytics-wizard/search-azure-ad.png) ++3. In the **Monitoring** section, click **Workbooks**. ++ ![Screenshot shows Monitoring in the Azure portal menu with Workbooks selected.](./media/tutorial-log-analytics-wizard/workbooks.png) ++4. In the **Quickstart** section, click **Empty**. ++ ![Quick start](./media/tutorial-log-analytics-wizard/quick-start.png) ++5. Click **Add**. ++ ![Add workbook](./media/tutorial-log-analytics-wizard/add-workbook.png) ++6. Click **Add text**. ++ ![Add text](./media/tutorial-log-analytics-wizard/add-text.png) +++7. In the textbox, type: `# Client apps used in the past week`, and then click **Done Editing**. ++ ![Workbook text](./media/tutorial-log-analytics-wizard/workbook-text.png) ++8. In the new workbook, click **Add**, and then click **Add query**. ++ ![Add query](./media/tutorial-log-analytics-wizard/add-query.png) ++9. In the query textbox, type: `SigninLogs | where TimeGenerated > ago(7d) | project TimeGenerated, UserDisplayName, ClientAppUsed | summarize count() by ClientAppUsed` ++10. Click **Run Query**. ++ ![Screenshot shows the Run Query button.](./media/tutorial-log-analytics-wizard/run-workbook-query.png) ++11. In the toolbar, under **Visualization**, click **Pie chart**. ++ ![Pie chart](./media/tutorial-log-analytics-wizard/pie-chart.png) ++12. Click **Done Editing**. ++ ![Done editing](./media/tutorial-log-analytics-wizard/done-workbook-editing.png) ++++## Add a query to a workbook template ++This procedure shows how to add a query to an existing workbook template. The example is based on a query that shows the distribution of conditional access success to failures. +++1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator. ++2. Search for **Azure Active Directory**. ++ ![Screenshot shows Azure Active Directory in Azure search.](./media/tutorial-log-analytics-wizard/search-azure-ad.png) ++3. In the **Monitoring** section, click **Workbooks**. ++ ![Screenshot shows Monitoring in the menu with Workbooks selected.](./media/tutorial-log-analytics-wizard/workbooks.png) ++4. In the **conditional access** section, click **Conditional Access Insights and Reporting**. ++ ![Screenshot shows the Conditional Access Insights and Reporting option.](./media/tutorial-log-analytics-wizard/conditional-access-template.png) ++5. In the toolbar, click **Edit**. ++ ![Screenshot shows the Edit button.](./media/tutorial-log-analytics-wizard/edit-workbook-template.png) ++6. In the toolbar, click the three dots, then **Add**, and then **Add query**. ++ ![Add workbook query](./media/tutorial-log-analytics-wizard/add-custom-workbook-query.png) ++7. In the query textbox, type: `SigninLogs | where TimeGenerated > ago(20d) | where ConditionalAccessPolicies != "[]" | summarize dcount(UserDisplayName) by bin(TimeGenerated, 1d), ConditionalAccessStatus` ++8. Click **Run Query**. ++ ![Screenshot shows the Run Query button to run this query.](./media/tutorial-log-analytics-wizard/run-workbook-insights-query.png) ++9. Click **Time Range**, and then select **Set in query**. ++10. Click **Visualization**, and then select **Bar chart**. ++11. Click **Advanced Settings**, as chart title, type `Conditional Access status over the last 20 days`, and then click **Done Editing**. ++ ![Set chart title](./media/tutorial-log-analytics-wizard/set-chart-title.png) +++++++++## Next steps ++Advance to the next article to learn how to manage device identities by using the Azure portal. +> [!div class="nextstepaction"] +> [Monitoring](overview-monitoring.md) |
active-directory | Admin Units Assign Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-assign-roles.md | |
active-directory | Admin Units Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-manage.md | |
active-directory | Admin Units Members Dynamic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-dynamic.md | |
active-directory | Admin Units Members List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-list.md | |
active-directory | Admin Units Members Remove | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-members-remove.md | |
active-directory | Assign Roles Different Scopes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/assign-roles-different-scopes.md | |
active-directory | Concept Understand Roles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/concept-understand-roles.md | |
active-directory | Custom Assign Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-assign-powershell.md | |
active-directory | Custom Available Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-available-permissions.md | |
active-directory | Custom Consent Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-consent-permissions.md | |
active-directory | Custom Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-create.md | |
active-directory | Custom Enterprise App Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-enterprise-app-permissions.md | |
active-directory | Custom Enterprise Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-enterprise-apps.md | |
active-directory | Custom Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/custom-overview.md | |
active-directory | Groups Assign Role | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-assign-role.md | |
active-directory | Groups Create Eligible | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-create-eligible.md | |
active-directory | Groups Remove Assignment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-remove-assignment.md | |
active-directory | Groups View Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/groups-view-assignments.md | |
active-directory | Manage Roles Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/manage-roles-portal.md | |
active-directory | Prerequisites | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/prerequisites.md | |
active-directory | Protected Actions Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/protected-actions-overview.md | |
active-directory | Quickstart App Registration Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/quickstart-app-registration-limits.md | |
active-directory | Role Definitions List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/role-definitions-list.md | |
active-directory | Security Planning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/security-planning.md | |
active-directory | View Assignments | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/view-assignments.md | |
active-directory | Azure Databricks With Private Link Workspace Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/azure-databricks-with-private-link-workspace-provisioning-tutorial.md | + + Title: Azure AD on-premises app provisioning to Azure Databricks with Private Link Workspace +description: This article describes how to use the Azure AD provisioning service to provision users into Azure Databricks with Private Link Workspace. ++++++ Last updated : 08/10/2023+++++# Microsoft Entra ID Application Provisioning to Azure Databricks with Private Link Workspace ++The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Azure AD provisioning service to provision users into Azure Databricks workspaces with no public access. ++[ ![Diagram that shows SCIM architecture.](media/azure-databricks-with-private-link-workspace-provisioning-tutorial/scim-architecture.png)](media/azure-databricks-with-private-link-workspace-provisioning-tutorial/scim-architecture.png#lightbox) ++## Prerequisites +* An Azure AD tenant with Microsoft Entra ID Governance and Azure AD Premium P1 or Premium P2 (or EMS E3 or E5). To find the right license for your requirements, see [Compare generally available features of Azure AD](https://www.microsoft.com/security/business/microsoft-entra-pricing). +* Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's either a hybrid administrator or a global administrator. +* Administrator role for configuring the application in the cloud (application administrator, cloud application administrator, global administrator, or a custom role with permissions). +* A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy. ++## Download, install, and configure the Azure AD Connect Provisioning Agent Package ++If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. ++ 1. In the Azure portal, select **Azure Active Directory**. + 1. On the left, select **Azure AD Connect**. + 1. On the left, select **Cloud sync**. + [![Screenshot of new UX screen.](media/azure-databricks-with-private-link-workspace-provisioning-tutorial/azure-active-directory-connect-new-ux.png)](media/azure-databricks-with-private-link-workspace-provisioning-tutorial/azure-active-directory-connect-new-ux.png#lightbox) ++ 1. On the left, select **Agent**. + 1. Select **Download on-premises agent**, and select **Accept terms & download**. + >[!NOTE] + >Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. + 1. Open the provisioning agent installer, agree to the terms of service, and select **next**. + 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable. + 1. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you're using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. + 1. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role. + 1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. + +## Provisioning to SCIM-enabled Workspace +Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed from the Azure portal. + + 1. In the Azure portal, navigate to the Enterprise applications and add the **On-premises SCIM app** from the [gallery](../manage-apps/add-application-portal.md). + 1. From the left hand menu, navigate to the **Provisioning** option and select **Get started**. + 1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option. + 1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**. + 1. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection. + 1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is `https://localhost:8585/scim` + ![Screenshot that shows assigning an agent.](media/azure-databricks-with-private-link-workspace-provisioning-tutorial//on-premises-assign-agents.png) ++ 1. Create an Admin Token in Azure Databricks User Settings Console and enter the same in the **Secret Token** field + 1. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test fails. Use the steps [here](../app-provisioning/on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. + >[!NOTE] + > If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above. ++ 1. Configure any [attribute mappings](../app-provisioning/customize-application-attributes.md) or [scoping](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application. + 1. Add users to scope by [assigning users and groups](../manage-apps/add-application-portal-assign-users.md) to the application. + 1. Test provisioning a few users [on demand](../app-provisioning/provision-on-demand.md). + 1. Add more users into scope by assigning them to your application. + 1. Go to the **Provisioning** pane, and select **Start provisioning**. + 1. Monitor using the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md). ++The following video provides an overview of on-premises provisioning. +> [!VIDEO https://www.youtube.com/embed/QdfdpaFolys] ++## More requirements +* Ensure your [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Azure AD SCIM requirements](../app-provisioning/use-scim-to-provision-users-and-groups.md). + Azure AD offers open-source [reference code](https://github.com/AzureAD/SCIMReferenceCode/wiki) that developers can use to bootstrap their SCIM implementation. +* Support the /schemas endpoint to reduce configuration required in the Azure portal. ++## Next steps ++* [App provisioning](../app-provisioning/user-provisioning.md) +* [Generic SQL connector](../app-provisioning/on-premises-sql-connector-configure.md) +* [Tutorial: ECMA Connector Host generic SQL connector](../app-provisioning/tutorial-ecma-sql-connector.md) +* [Known issues](../app-provisioning/known-issues.md) |
active-directory | Canva Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/canva-provisioning-tutorial.md | + + Title: 'Tutorial: Configure Canva for automatic user provisioning with Azure Active Directory' +description: Learn how to automatically provision and de-provision user accounts from Azure AD to Canva. +++writer: twimmers ++ms.assetid: 9bf62920-d9e0-4ed4-a4f6-860cb9563b00 ++++ Last updated : 08/16/2023++++# Tutorial: Configure Canva for automatic user provisioning ++This tutorial describes the steps you need to perform in both Canva and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Canva](https://www.canva.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +++## Supported capabilities +> [!div class="checklist"] +> * Create users in Canva. +> * Remove users in Canva when they do not require access anymore. +> * Keep user attributes synchronized between Azure AD and Canva. +> * Provision groups and group memberships in Canva. +> * [Single sign-on](canva-tutorial.md) to Canva (recommended). ++## Prerequisites ++The scenario outlined in this tutorial assumes that you already have the following prerequisites: ++* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md). +* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* An Canva tenant. +* A user account in Canva with Admin permissions. ++## Step 1. Plan your provisioning deployment +1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). +1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +1. Determine what data to [map between Azure AD and Canva](../app-provisioning/customize-application-attributes.md). ++## Step 2. Configure Canva to support provisioning with Azure AD +Contact Canva support to configure Canva to support provisioning with Azure AD. ++## Step 3. Add Canva from the Azure AD application gallery ++Add Canva from the Azure AD application gallery to start managing provisioning to Canva. If you have previously setup Canva for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ++## Step 4. Define who will be in scope for provisioning ++The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. +++## Step 5. Configure automatic user provisioning to Canva ++This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD. ++### To configure automatic user provisioning for Canva in Azure AD: ++1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. ++ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) ++1. In the applications list, select **Canva**. ++ ![Screenshot of the Canva link in the Applications list.](common/all-applications.png) ++1. Select the **Provisioning** tab. ++ ![Screenshot of Provisioning tab.](common/provisioning.png) ++1. Set the **Provisioning Mode** to **Automatic**. ++ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) ++1. Under the **Admin Credentials** section, input your Canva Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Canva. If the connection fails, ensure your Canva account has Admin permissions and try again. ++ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) ++1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. ++ ![Screenshot of Notification Email.](common/provisioning-notification-email.png) ++1. Select **Save**. ++1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Canva**. ++1. Review the user attributes that are synchronized from Azure AD to Canva in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Canva for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Canva API supports filtering users based on that attribute. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Canva| + ||||| + |userName|String|✓|✓ + |active|Boolean|| + |externalId|String|| + |emails[type eq "work"].value|String||✓ + |name.givenName|String|| + |name.familyName|String|| + |displayName|String|| + +1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Canva**. ++1. Review the group attributes that are synchronized from Azure AD to Canva in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Canva for update operations. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Canva| + ||||| + |displayName|String|✓|✓ + |members|Reference|| + +1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++1. To enable the Azure AD provisioning service for Canva, change the **Provisioning Status** to **On** in the **Settings** section. ++ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) ++1. Define the users and/or groups that you would like to provision to Canva by choosing the desired values in **Scope** in the **Settings** section. ++ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) ++1. When you're ready to provision, click **Save**. ++ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) ++This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. ++## Step 6. Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: ++* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md). ++## More resources ++* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ++## Next steps ++* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md) |
active-directory | Cloudbees Ci Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cloudbees-ci-tutorial.md | Complete the following steps to enable Azure AD single sign-on in the Azure port | `https://cjoc.<CustomerDomain>/securityRealm/finishLogin` | | `https://<Environment>.<CustomerDomain>/securityRealm/finishLogin` | -1. Perform the following step, if you wish to configure the application in **SP** initiated mode: -- In the **Sign on URL** textbox, type the URL using one of the following patterns: + c. In the **Sign on URL** textbox, type the URL using one of the following patterns: | **Sign on URL** | || |
active-directory | Forcepoint Cloud Security Gateway Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/forcepoint-cloud-security-gateway-provisioning-tutorial.md | + + Title: 'Tutorial: Configure Forcepoint Cloud Security Gateway - User Authentication for automatic user provisioning with Azure Active Directory' +description: Learn how to automatically provision and de-provision user accounts from Azure AD to Forcepoint Cloud Security Gateway - User Authentication. +++writer: twimmers ++ms.assetid: 415b2ba3-a9a5-439a-963a-7c2c0254ced1 ++++ Last updated : 08/16/2023++++# Tutorial: Configure Forcepoint Cloud Security Gateway - User Authentication for automatic user provisioning ++This tutorial describes the steps you need to perform in both Forcepoint Cloud Security Gateway - User Authentication and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Forcepoint Cloud Security Gateway - User Authentication](https://admin.forcepoint.net) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +++## Supported capabilities +> [!div class="checklist"] +> * Create users in Forcepoint Cloud Security Gateway - User Authentication. +> * Remove users in Forcepoint Cloud Security Gateway - User Authentication when they do not require access anymore. +> * Keep user attributes synchronized between Azure AD and Forcepoint Cloud Security Gateway - User Authentication. +> * Provision groups and group memberships in Forcepoint Cloud Security Gateway - User Authentication. +> * [Single sign-on](forcepoint-cloud-security-gateway-tutorial.md) to Forcepoint Cloud Security Gateway - User Authentication (recommended). ++## Prerequisites ++The scenario outlined in this tutorial assumes that you already have the following prerequisites: ++* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md). +* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* An Forcepoint Cloud Security Gateway - User Authentication tenant. +* A user account in Forcepoint Cloud Security Gateway - User Authentication with Admin permissions. ++## Step 1. Plan your provisioning deployment +1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). +1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +1. Determine what data to [map between Azure AD and Forcepoint Cloud Security Gateway - User Authentication](../app-provisioning/customize-application-attributes.md). ++## Step 2. Configure Forcepoint Cloud Security Gateway - User Authentication to support provisioning with Azure AD +Contact Forcepoint Cloud Security Gateway - User Authentication support to configure Forcepoint Cloud Security Gateway - User Authentication to support provisioning with Azure AD. ++## Step 3. Add Forcepoint Cloud Security Gateway - User Authentication from the Azure AD application gallery ++Add Forcepoint Cloud Security Gateway - User Authentication from the Azure AD application gallery to start managing provisioning to Forcepoint Cloud Security Gateway - User Authentication. If you have previously setup Forcepoint Cloud Security Gateway - User Authentication for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ++## Step 4. Define who will be in scope for provisioning ++The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. +++## Step 5. Configure automatic user provisioning to Forcepoint Cloud Security Gateway - User Authentication ++This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD. ++### To configure automatic user provisioning for Forcepoint Cloud Security Gateway - User Authentication in Azure AD: ++1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. ++ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) ++1. In the applications list, select **Forcepoint Cloud Security Gateway - User Authentication**. ++ ![Screenshot of the Forcepoint Cloud Security Gateway - User Authentication link in the Applications list.](common/all-applications.png) ++1. Select the **Provisioning** tab. ++ ![Screenshot of Provisioning tab.](common/provisioning.png) ++1. Set the **Provisioning Mode** to **Automatic**. ++ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) ++1. Under the **Admin Credentials** section, input your Forcepoint Cloud Security Gateway - User Authentication Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Forcepoint Cloud Security Gateway - User Authentication. If the connection fails, ensure your Forcepoint Cloud Security Gateway - User Authentication account has Admin permissions and try again. ++ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) ++1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. ++ ![Screenshot of Notification Email.](common/provisioning-notification-email.png) ++1. Select **Save**. ++1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Forcepoint Cloud Security Gateway - User Authentication**. ++1. Review the user attributes that are synchronized from Azure AD to Forcepoint Cloud Security Gateway - User Authentication in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Forcepoint Cloud Security Gateway - User Authentication for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Forcepoint Cloud Security Gateway - User Authentication API supports filtering users based on that attribute. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Forcepoint Cloud Security Gateway - User Authentication| + ||||| + |userName|String|✓|✓ + |externalId|String||✓ + |displayName|String||✓ + |urn:ietf:params:scim:schemas:extension:forcepoint:2.0:User:ntlmId|String|| + +1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Forcepoint Cloud Security Gateway - User Authentication**. ++1. Review the group attributes that are synchronized from Azure AD to Forcepoint Cloud Security Gateway - User Authentication in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Forcepoint Cloud Security Gateway - User Authentication for update operations. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Forcepoint Cloud Security Gateway - User Authentication| + ||||| + |displayName|String|✓|✓ + |externalId|String|| + |members|Reference|| ++ +1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++1. To enable the Azure AD provisioning service for Forcepoint Cloud Security Gateway - User Authentication, change the **Provisioning Status** to **On** in the **Settings** section. ++ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) ++1. Define the users and/or groups that you would like to provision to Forcepoint Cloud Security Gateway - User Authentication by choosing the desired values in **Scope** in the **Settings** section. ++ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) ++1. When you're ready to provision, click **Save**. ++ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) ++This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. ++## Step 6. Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: ++* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md). ++## More resources ++* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ++## Next steps ++* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md) |
active-directory | Google Apps Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/google-apps-tutorial.md | To configure the integration of Google Cloud / G Suite Connector by Microsoft in Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) -Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true). - ## Configure and test Azure AD single sign-on for Google Cloud / G Suite Connector by Microsoft Configure and test Azure AD SSO with Google Cloud / G Suite Connector by Microsoft using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Google Cloud / G Suite Connector by Microsoft. |
active-directory | Hive Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hive-tutorial.md | In this section, you'll enable B.Simon to use Azure single sign-on by granting a 1. In a different web browser window, sign in to Hive website as an administrator. -1. Click on the **User Profile** and click **Your workspace**. +1. Click on the **User Profile** and click your workspace **Settings**. ![Screenshot shows the Hive website with Your workspace selected from the menu.](./media/hive-tutorial/profile.png) -1. Click **Auth** and perform the following steps: +1. Click **Enterprise Security** and perform the following steps: - ![Screenshot shows the Auth page where do the tasks described.](./media/hive-tutorial/authentication.png) + [![Screenshot shows the Auth page where do the tasks described.](./media/hive-tutorial/authentication.png)](./media/hive-tutorial/authentication.png#lightbox) a. Copy **Your Workspace ID** and append it to the **SignOn URL** and **Reply URL** in the **Basic SAML Configuration Section** in the Azure portal. In this section, you test your Azure AD single sign-on configuration with follow * Click on **Test this application** in Azure portal and you should be automatically signed in to the Hive for which you set up the SSO. -You can also use Microsoft My Apps to test the application in any mode. When you click the Hive tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hive for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). +You can also use Microsoft My Apps to test the application in any mode. When you click the Hive tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hive for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). ## Next steps |
active-directory | Hornbill Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hornbill-tutorial.md | Follow these steps to enable Azure AD SSO in the Azure portal. 4. On the **Basic SAML Configuration** section, perform the following steps: a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:- `https://sso.hornbill.com/<INSTANCE_NAME>/<SUBDOMAIN>` +`https://sso.hornbill.com/<INSTANCE_NAME>/live` - b. In the **Sign on URL** text box, type a URL using the following pattern: - `https://<SUBDOMAIN>.hornbill.com/<INSTANCE_NAME>/` + > [!NOTE] + > If you are deploying the Hornbill Mobile Catalog to your organization, you will need to add an additional identifier URL, as so: +`https://sso.hornbill.com/hornbill/mcatalog` + + b. In the **Reply URL (Assertion Consumer Service URL)** section, add the following: +`https://<API_SUBDOMAIN>.hornbill.com/<INSTANCE_NAME>/xmlmc/sso/saml2/authorize/user/live` ++ > [!NOTE] + > If you are deploying the Hornbill Mobile Catalog to your organization, you will need to add an additional Reply URL, as so: +`https://<API_SUBDOMAIN>.hornbill.com/hornbill/xmlmc/sso/saml2/authorize/user/mcatalog` + + c. In the **Sign on URL** text box, type a URL using the following pattern: +`https://live.hornbill.com/<INSTANCE_NAME>/` > [!NOTE]- > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Hornbill Client support team](https://www.hornbill.com/support/?request/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. + > These values are not real. Update the <INSTANCE_NAME> and <API_SUBDOMAIN> values with the actual values in the Identifier(s), Reply URL(s) and Sign on URL. These values can be retrieved from the Hornbill Solution Center in your Hornbill instance, under **_Your usage > Support_**. Contact [Hornbill Support](https://www.hornbill.com/support) for assistance in getting these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. +6. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png) |
active-directory | Hypervault Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/hypervault-provisioning-tutorial.md | + + Title: 'Tutorial: Configure Hypervault for automatic user provisioning with Azure Active Directory' +description: Learn how to automatically provision and deprovision user accounts from Azure AD to Hypervault. +++writer: twimmers ++ms.assetid: eca2ff9e-a09d-4bb4-88f6-6021a93d2c9d ++++ Last updated : 08/16/2023++++# Tutorial: Configure Hypervault for automatic user provisioning ++This tutorial describes the steps you need to perform in both Hypervault and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and deprovisions users to [Hypervault](https://hypervault.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +++## Supported capabilities +> [!div class="checklist"] +> * Create users in Hypervault. +> * Remove users in Hypervault when they do not require access anymore. +> * Keep user attributes synchronized between Azure AD and Hypervault. +> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Hypervault (recommended). ++## Prerequisites ++The scenario outlined in this tutorial assumes that you already have the following prerequisites: ++* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md) +* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* A user account in Hypervault with Admin permissions. ++## Step 1. Plan your provisioning deployment +1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). +1. Determine who is in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +1. Determine what data to [map between Azure AD and Hypervault](../app-provisioning/customize-application-attributes.md). ++## Step 2. Configure Hypervault to support provisioning with Azure AD +Contact Hypervault support to configure Hypervault to support provisioning with Azure AD. ++## Step 3. Add Hypervault from the Azure AD application gallery ++Add Hypervault from the Azure AD application gallery to start managing provisioning to Hypervault. If you have previously setup Hypervault for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ++## Step 4. Define who is in scope for provisioning ++The Azure AD provisioning service allows you to scope who is provisioned based on assignment to the application and/or based on attributes of the user. If you choose to scope who is provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who is provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. +++## Step 5. Configure automatic user provisioning to Hypervault ++This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in TestApp based on user assignments in Azure AD. ++### To configure automatic user provisioning for Hypervault in Azure AD: ++1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. ++ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) ++1. In the applications list, select **Hypervault**. ++ ![Screenshot of the Hypervault link in the Applications list.](common/all-applications.png) ++1. Select the **Provisioning** tab. ++ ![Screenshot of Provisioning tab.](common/provisioning.png) ++1. Set the **Provisioning Mode** to **Automatic**. ++ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) ++1. Under the **Admin Credentials** section, input your Hypervault Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Hypervault. If the connection fails, ensure your Hypervault account has Admin permissions and try again. ++ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) ++1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. ++ ![Screenshot of Notification Email.](common/provisioning-notification-email.png) ++1. Select **Save**. ++1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Hypervault**. ++1. Review the user attributes that are synchronized from Azure AD to Hypervault in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Hypervault for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Hypervault API supports filtering users based on that attribute. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Hypervault| + ||||| + |userName|String|✓|✓ + |active|Boolean||✓ + |displayName|String||✓ + |name.givenName|String||✓ + |name.familyName|String||✓ + |emails[type eq "work"].value|String||✓ ++1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++1. To enable the Azure AD provisioning service for Hypervault, change the **Provisioning Status** to **On** in the **Settings** section. ++ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) ++1. Define the users that you would like to provision to Hypervault by choosing the desired values in **Scope** in the **Settings** section. ++ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) ++1. When you're ready to provision, click **Save**. ++ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) ++This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. ++## Step 6. Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: ++* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md). ++## More resources ++* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ++## Next steps ++* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md) |
active-directory | Oneflow Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/oneflow-provisioning-tutorial.md | + + Title: 'Tutorial: Configure Oneflow for automatic user provisioning with Azure Active Directory' +description: Learn how to automatically provision and de-provision user accounts from Azure AD to Oneflow. +++writer: twimmers ++ms.assetid: 6af89cdd-956c-4cc2-9a61-98afe7814470 ++++ Last updated : 08/16/2023++++# Tutorial: Configure Oneflow for automatic user provisioning ++This tutorial describes the steps you need to perform in both Oneflow and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Oneflow](https://oneflow.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +++## Supported capabilities +> [!div class="checklist"] +> * Create users in Oneflow. +> * Remove users in Oneflow when they do not require access anymore. +> * Keep user attributes synchronized between Azure AD and Oneflow. +> * Provision groups and group memberships in Oneflow. +> * [Single sign-on](oneflow-tutorial.md) to Oneflow (recommended). ++## Prerequisites ++The scenario outlined in this tutorial assumes that you already have the following prerequisites: ++* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md). +* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* An Oneflow tenant. +* A user account in Oneflow with Admin permissions. ++## Step 1. Plan your provisioning deployment +1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). +1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +1. Determine what data to [map between Azure AD and Oneflow](../app-provisioning/customize-application-attributes.md). ++## Step 2. Configure Oneflow to support provisioning with Azure AD +Contact Oneflow support to configure Oneflow to support provisioning with Azure AD. ++## Step 3. Add Oneflow from the Azure AD application gallery ++Add Oneflow from the Azure AD application gallery to start managing provisioning to Oneflow. If you have previously setup Oneflow for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ++## Step 4. Define who will be in scope for provisioning ++The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. +++## Step 5. Configure automatic user provisioning to Oneflow ++This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD. ++### To configure automatic user provisioning for Oneflow in Azure AD: ++1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. ++ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) ++1. In the applications list, select **Oneflow**. ++ ![Screenshot of the Oneflow link in the Applications list.](common/all-applications.png) ++1. Select the **Provisioning** tab. ++ ![Screenshot of Provisioning tab.](common/provisioning.png) ++1. Set the **Provisioning Mode** to **Automatic**. ++ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) ++1. Under the **Admin Credentials** section, input your Oneflow Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Oneflow. If the connection fails, ensure your Oneflow account has Admin permissions and try again. ++ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) ++1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. ++ ![Screenshot of Notification Email.](common/provisioning-notification-email.png) ++1. Select **Save**. ++1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Oneflow**. ++1. Review the user attributes that are synchronized from Azure AD to Oneflow in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Oneflow for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Oneflow API supports filtering users based on that attribute. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Oneflow| + ||||| + |userName|String|✓|✓ + |active|Boolean||✓ + |externalId|String|| + |emails[type eq "work"].value|String|| + |name.givenName|String|| + |name.familyName|String|| + |phoneNumbers[type eq \"work\"].value|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String|| + |nickName|String|| + |title|String|| + |profileUrl|String|| + |displayName|String|| + |addresses[type eq \"work\"].streetAddress|String|| + |addresses[type eq \"work\"].locality|String|| + |addresses[type eq \"work\"].region|String|| + |addresses[type eq \"work\"].postalCode|String|| + |addresses[type eq \"work\"].country|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:adSourceAnchor|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute1|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute2|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute3|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute4|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute5|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:distinguishedName|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain|String|| + |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:userPrincipalName|String|| + +1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Oneflow**. ++1. Review the group attributes that are synchronized from Azure AD to Oneflow in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Oneflow for update operations. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Oneflow| + ||||| + |displayName|String|✓|✓ + |externalId|String|✓|✓ + |members|Reference|| + +1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++1. To enable the Azure AD provisioning service for Oneflow, change the **Provisioning Status** to **On** in the **Settings** section. ++ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) ++1. Define the users and/or groups that you would like to provision to Oneflow by choosing the desired values in **Scope** in the **Settings** section. ++ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) ++1. When you're ready to provision, click **Save**. ++ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) ++This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. ++## Step 6. Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: ++* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md). ++## More resources ++* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ++## Next steps ++* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md) |
active-directory | Postman Provisioning Tutorialy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/postman-provisioning-tutorialy.md | + + Title: 'Tutorial: Configure Postman for automatic user provisioning with Azure Active Directory' +description: Learn how to automatically provision and de-provision user accounts from Azure AD to Postman. +++writer: twimmers ++ms.assetid: f3687101-9bec-4f18-9884-61833f4f58c3 ++++ Last updated : 08/16/2023++++# Tutorial: Configure Postman for automatic user provisioning ++This tutorial describes the steps you need to perform in both Postman and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Postman](https://www.postman.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +++## Supported capabilities +> [!div class="checklist"] +> * Create users in Postman. +> * Remove users in Postman when they do not require access anymore. +> * Keep user attributes synchronized between Azure AD and Postman. +> * Provision groups and group memberships in Postman. +> * [Single sign-on](postman-tutorial.md) to Postman (recommended). ++## Prerequisites ++The scenario outlined in this tutorial assumes that you already have the following prerequisites: ++* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md). +* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* An Postman tenant. +* A user account in Postman with Admin permissions. ++## Step 1. Plan your provisioning deployment +1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). +1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +1. Determine what data to [map between Azure AD and Postman](../app-provisioning/customize-application-attributes.md). ++## Step 2. Configure Postman to support provisioning with Azure AD +Contact Postman support to configure Postman to support provisioning with Azure AD. ++## Step 3. Add Postman from the Azure AD application gallery ++Add Postman from the Azure AD application gallery to start managing provisioning to Postman. If you have previously setup Postman for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ++## Step 4. Define who will be in scope for provisioning ++The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. +++## Step 5. Configure automatic user provisioning to Postman ++This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD. ++### To configure automatic user provisioning for Postman in Azure AD: ++1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. ++ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) ++1. In the applications list, select **Postman**. ++ ![Screenshot of the Postman link in the Applications list.](common/all-applications.png) ++1. Select the **Provisioning** tab. ++ ![Screenshot of Provisioning tab.](common/provisioning.png) ++1. Set the **Provisioning Mode** to **Automatic**. ++ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) ++1. Under the **Admin Credentials** section, input your Postman Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Postman. If the connection fails, ensure your Postman account has Admin permissions and try again. ++ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) ++1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. ++ ![Screenshot of Notification Email.](common/provisioning-notification-email.png) ++1. Select **Save**. ++1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Postman**. ++1. Review the user attributes that are synchronized from Azure AD to Postman in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Postman for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Postman API supports filtering users based on that attribute. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Postman| + ||||| + |userName|String|✓|✓ + |active|Boolean||✓ + |externalId|String||✓ + |name.givenName|String||✓ + |name.familyName|String||✓ + +1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Postman**. ++1. Review the group attributes that are synchronized from Azure AD to Postman in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Postman for update operations. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Postman| + ||||| + |displayName|String|✓|✓ + |externalId|String||✓ + |members|Reference|| + +1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++1. To enable the Azure AD provisioning service for Postman, change the **Provisioning Status** to **On** in the **Settings** section. ++ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) ++1. Define the users and/or groups that you would like to provision to Postman by choosing the desired values in **Scope** in the **Settings** section. ++ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) ++1. When you're ready to provision, click **Save**. ++ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) ++This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. ++## Step 6. Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: ++* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md). ++## More resources ++* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ++## Next steps ++* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md) |
active-directory | Sap Cloud Platform Identity Authentication Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md | Title: 'Tutorial: Configure SAP Cloud Identity Services for automatic user provisioning with Microsoft Entra ID' -description: Learn how to configure Microsoft Entra ID to automatically provision and de-provision user accounts to SAP Cloud Identity Services. +description: Learn how to configure Microsoft Entra ID to automatically provision and deprovision user accounts to SAP Cloud Identity Services. writer: twimmers-The objective of this tutorial is to demonstrate the steps to be performed in SAP Cloud Identity Services and Microsoft Entra ID (Azure AD) to configure Microsoft Entra ID to automatically provision and de-provision users to SAP Cloud Identity Services. +This tutorial aims to demonstrate the steps for configuring Microsoft Entra ID (Azure AD) and SAP Cloud Identity Services. The goal is to set up Microsoft Entra ID to automatically provision and deprovision users to SAP Cloud Identity Services. > [!NOTE] > This tutorial describes a connector built on top of the Microsoft Entra ID User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md). Before configuring and enabling automatic user provisioning, you should decide w ## Important tips for assigning users to SAP Cloud Identity Services -* It is recommended that a single Microsoft Entra ID user is assigned to SAP Cloud Identity Services to test the automatic user provisioning configuration. Additional users may be assigned later. +* It's recommended that a single Microsoft Entra ID user is assigned to SAP Cloud Identity Services to test the automatic user provisioning configuration. More users may be assigned later. * When assigning a user to SAP Cloud Identity Services, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning. Before configuring and enabling automatic user provisioning, you should decide w ![Screenshot of the SAP Cloud Identity Services Add SCIM.](media/sap-cloud-platform-identity-authentication-provisioning-tutorial/configurationauth.png) -1. You will receive an email to activate your account and set a password for **SAP Cloud Identity Services Service**. +1. You'll get an email to activate your account and set up a password for the **SAP Cloud Identity Services Service**. -1. Copy the **User ID** and **Password**. These values will be entered in the Admin Username and Admin Password fields respectively in the Provisioning tab of your SAP Cloud Identity Services application in the Azure portal. +1. Copy the **User ID** and **Password**. These values are entered in the Admin Username and Admin Password fields respectively. +This is done in the Provisioning tab of your SAP Cloud Identity Services application in the Azure portal. ## Add SAP Cloud Identity Services from the gallery This section guides you through the steps to configure the Microsoft Entra ID pr 1. Review the user attributes that are synchronized from Microsoft Entra ID to SAP Cloud Identity Services in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in SAP Cloud Identity Services for update operations. Select the **Save** button to commit any changes. - ![Screenshot of the SAP Business Technology Platform Identity Authentication User Attributes.](media/sap-cloud-platform-identity-authentication-provisioning-tutorial/userattributes.png) + |Attribute|Type|Supported for filtering|Required by SAP Cloud Identity Services| + ||||| + |userName|String|✓|✓ + |emails[type eq "work"].value|String||✓ + |active|Boolean|| + |displayName|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|Reference|| + |addresses[type eq "work"].country|String|| + |addresses[type eq "work"].locality|String|| + |addresses[type eq "work"].postalCode|String|| + |addresses[type eq "work"].region|String|| + |addresses[type eq "work"].streetAddress|String|| + |name.givenName|String|| + |name.familyName|String|| + |name.honorificPrefix|String|| + |phoneNumbers[type eq "fax"].value|String|| + |phoneNumbers[type eq "mobile"].value|String|| + |phoneNumbers[type eq "work"].value|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String|| + |locale|String|| + |timezone|String|| + |userType|String|| + |company|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute1|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute2|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute3|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute4|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute5|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute6|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute7|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute8|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute9|String|| + |urn:sap:cloud:scim:schemas:extension:custom:2.0:User:attributes:customAttribute10|String|| + |sendMail|String|| + |mailVerified|String|| 1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). This section guides you through the steps to configure the Microsoft Entra ID pr ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) -1. When you are ready to provision, click **Save**. +1. When you're ready to provision, click **Save**. ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) For more information on how to read the Microsoft Entra ID provisioning logs, se * SAP Cloud Identity Services's SCIM endpoint requires certain attributes to be of specific format. You can know more about these attributes and their specific format [here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/b10fc6a9a37c488a82ce7489b1fab64c.html#). -## Additional resources +## More resources * [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) * [What is application access and single sign-on with Microsoft Entra ID?](../manage-apps/what-is-single-sign-on.md) |
active-directory | Sap Fiori Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sap-fiori-tutorial.md | |
active-directory | Sap Netweaver Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sap-netweaver-tutorial.md | |
active-directory | Servicely Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/servicely-provisioning-tutorial.md | + + Title: 'Tutorial: Configure Servicely for automatic user provisioning with Azure Active Directory' +description: Learn how to automatically provision and deprovision user accounts from Azure AD to Servicely. +++writer: twimmers ++ms.assetid: be3af02b-da77-4a88-bec3-e634e2af38b3 ++++ Last updated : 08/16/2023++++# Tutorial: Configure Servicely for automatic user provisioning ++This tutorial describes the steps you need to perform in both Servicely and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and deprovisions users and groups to [Servicely](https://servicely.ai/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). +++## Supported capabilities +> [!div class="checklist"] +> * Create users in Servicely. +> * Remove users in Servicely when they do not require access anymore. +> * Keep user attributes synchronized between Azure AD and Servicely. +> * Provision groups and group memberships in Servicely. ++## Prerequisites ++The scenario outlined in this tutorial assumes that you already have the following prerequisites: ++* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md). +* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). +* An Servicely tenant. +* A user account in Servicely with Admin permissions. ++## Step 1. Plan your provisioning deployment +1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md). +1. Determine who is in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). +1. Determine what data to [map between Azure AD and Servicely](../app-provisioning/customize-application-attributes.md). ++## Step 2. Configure Servicely to support provisioning with Azure AD +Contact Servicely support to configure Servicely to support provisioning with Azure AD. ++## Step 3. Add Servicely from the Azure AD application gallery ++Add Servicely from the Azure AD application gallery to start managing provisioning to Servicely. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). ++## Step 4. Define who is in scope for provisioning ++The Azure AD provisioning service allows you to scope who is provisioned based on assignment to the application and/or based on attributes of the user. If you choose to scope who is provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who is provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles. +++## Step 5. Configure automatic user provisioning to Servicely ++This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD. ++### To configure automatic user provisioning for Servicely in Azure AD: ++1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**. ++ ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png) ++1. In the applications list, select **Servicely**. ++ ![Screenshot of the Servicely link in the Applications list.](common/all-applications.png) ++1. Select the **Provisioning** tab. ++ ![Screenshot of Provisioning tab.](common/provisioning.png) ++1. Set the **Provisioning Mode** to **Automatic**. ++ ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png) ++1. Under the **Admin Credentials** section, input your Servicely Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Servicely. If the connection fails, ensure your Servicely account has Admin permissions and try again. ++ ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png) ++1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box. ++ ![Screenshot of Notification Email.](common/provisioning-notification-email.png) ++1. Select **Save**. ++1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Servicely**. ++1. Review the user attributes that are synchronized from Azure AD to Servicely in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Servicely for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Servicely API supports filtering users based on that attribute. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Servicely| + ||||| + |userName|String|✓|✓ + |active|Boolean|| + |externalId|String|| + |emails[type eq "work"].value|String|| + |name.givenName|String|| + |name.familyName|String|| + |title|String|| + |preferredLanguage|String|| + |phoneNumbers[type eq "work"].value|String|| + |phoneNumbers[type eq "mobile"].value|String|| + |timezone|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String|| + |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String|| ++1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Servicely**. ++1. Review the group attributes that are synchronized from Azure AD to Servicely in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Servicely for update operations. Select the **Save** button to commit any changes. ++ |Attribute|Type|Supported for filtering|Required by Servicely| + ||||| + |displayName|String|✓|✓ + |externalId|String|✓|✓ + |members|Reference|| + +1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). ++1. To enable the Azure AD provisioning service for Servicely, change the **Provisioning Status** to **On** in the **Settings** section. ++ ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png) ++1. Define the users and/or groups that you would like to provision to Servicely by choosing the desired values in **Scope** in the **Settings** section. ++ ![Screenshot of Provisioning Scope.](common/provisioning-scope.png) ++1. When you're ready to provision, click **Save**. ++ ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png) ++This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. ++## Step 6. Monitor your deployment +Once you've configured provisioning, use the following resources to monitor your deployment: ++* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully +* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion +* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md). ++## More resources ++* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md) +* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ++## Next steps ++* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md) |
active-directory | Sharepoint On Premises Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sharepoint-on-premises-tutorial.md | |
active-directory | Tailscale Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tailscale-provisioning-tutorial.md | The scenario outlined in this tutorial assumes that you already have the followi 1. Determine what data to [map between Azure AD and Tailscale](../app-provisioning/customize-application-attributes.md). ## Step 2. Configure Tailscale to support provisioning with Azure AD-Contact Tailscale support to configure Tailscale to support provisioning with Azure AD. ++You need to be an [Owner, Admin, or IT admin](https://tailscale.com/kb/1138/user-roles/) in Tailscale to complete these steps. See [Tailscale plans](https://tailscale.com/pricing/) +to find out which plans make user & group provisioning for Azure AD available. ++### Generate a SCIM API key in Tailscale. ++In the **[User management](https://login.tailscale.com/admin/settings/user-management/)** page of the admin console, ++1. Click **Enable Provisioning**. +1. Copy the generated key to the clipboard. ++Save the key information in a secure spot. This is the Secret Token you will need to use it when you configure provisioning in Azure AD. ## Step 3. Add Tailscale from the Azure AD application gallery The Azure AD provisioning service allows you to scope who is provisioned based o ## Step 5. Configure automatic user provisioning to Tailscale -This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in TestApp based on user assignments in Azure AD. +This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in Tailscale based on user assignments in Azure AD. ### To configure automatic user provisioning for Tailscale in Azure AD: |
active-directory | Tanium Sso Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/tanium-sso-tutorial.md | Complete the following steps to enable Azure AD single sign-on in the Azure port > [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Tanium SSO support team](mailto:integrations@tanium.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal. -1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. + > [!NOTE] + > If deploying Tanium in an on-premises configuration, your values may look different than those shown above. The values to use can be retrieved from the **Administration > SAML Configuration** menu in the Tanium console. Details can be found in the [Tanium Console User Guide: Integrating with a SAML IdP](https://docs.tanium.com/platform_user/platform_user/console_using_saml.html?cloud=false "Integrating with a SAML IdP Guide"). ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. If deploying to Tanium in an on-premises configuration, click the edit button and set the **Response Signing Option** to "Sign response and assertion". [ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate") ](common/copy-metadataurl.png#lightbox) |
active-directory | Vbrick Rev Cloud Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/vbrick-rev-cloud-provisioning-tutorial.md | The scenario outlined in this tutorial assumes that you already have the followi 1. Determine what data to [map between Azure AD and Vbrick Rev Cloud](../app-provisioning/customize-application-attributes.md). ## Step 2. Configure Vbrick Rev Cloud to support provisioning with Azure AD-Contact Vbrick Rev Cloud support to configure Vbrick Rev Cloud to support provisioning with Azure AD. ++1. Sign in to your **Rev Tenant**. Navigate to **Admin > Security Settings > User Security** in the navigation pane. ++ ![Screenshot of Vbrick Rev User Security Settings.](./media/vbrick-rev-cloud-provisioning-tutorial/app-navigations.png) ++1. Navigate to **Microsoft Azure AD SCIM** section of the page. ++ ![Screenshot of the Vbrick Rev User Security Settings with the Microsoft AD SCIM section called out.](./media/vbrick-rev-cloud-provisioning-tutorial/enable-azure-ad-scim.png) ++1. Enable **Microsoft Azure AD SCIM** and click on **Generate Token** button. + ![Screenshot of the Vbrick Rev User Security Settings with the Microsoft AD SCIM enable.](./media/vbrick-rev-cloud-provisioning-tutorial/rev-scim-manage.png) ++1. It will open a popup with the **URL** and the **JWT token**. Copy and save the **JWT token** and **URL** for next steps. ++ ![Screenshot of the Vbrick Rev User Security Settings with the Scim Token section called out.](./media/vbrick-rev-cloud-provisioning-tutorial/copy-token.png) ++1. Once you have a copy of the **JWT token** and **URL**, click **OK** to close the popup and then click on the **Save** button at the bottom of the settings page to enable SCIM for your tenant. ## Step 3. Add Vbrick Rev Cloud from the Azure AD application gallery |
active-directory | Configure Cmmc Level 2 Identification And Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-identification-and-authentication.md | |
active-directory | How To Issuer Revoke | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/how-to-issuer-revoke.md | Verifiable credential data isn't stored by Microsoft. Therefore, the issuer need ## How does revocation work? -Microsoft Entra Verified ID implements the [W3C StatusList2021](https://github.com/w3c-ccg/vc-status-list-2021/tree/343b8b59cddba4525e1ef355356ae760fc75904e). When presentation to the Request Service API happens, the API will do the revocation check for you. The revocation check happens over an anonymous API call to Identity Hub and does not contain any data who is checking if the verifiable credential is still valid or revoked. With the **statusList2021**, Microsoft Entra Verified ID just keeps a flag by the hashed value of the indexed claim to keep track of the revocation status. +Microsoft Entra Verified ID implements the [W3C StatusList2021](https://github.com/w3c/vc-status-list-2021/tree/343b8b59cddba4525e1ef355356ae760fc75904e). When presentation to the Request Service API happens, the API will do the revocation check for you. The revocation check happens over an anonymous API call to Identity Hub and does not contain any data who is checking if the verifiable credential is still valid or revoked. With the **statusList2021**, Microsoft Entra Verified ID just keeps a flag by the hashed value of the indexed claim to keep track of the revocation status. ### Verifiable credential data |
active-directory | Howto Verifiable Credentials Partner Au10tix | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/howto-verifiable-credentials-partner-au10tix.md | For incorporating identity verification into your Apps, using AU10TIX ΓÇ£Govern As a developer you can share these steps with your tenant administrator to obtain the verification request URL, and body for your application or website to request Verified IDs from your users. -1. Go to [Microsoft Entra portal -> Verified ID](https://entra.microsoft.com/#view/Microsoft_AAD_DecentralizedIdentity/ResourceOverviewBlade). +1. Go to [Microsoft Entra admin center -> Verified ID](https://entra.microsoft.com/#view/Microsoft_AAD_DecentralizedIdentity/ResourceOverviewBlade). >[!NOTE] > Make sure this is the tenant you set up for Verified ID per the pre-requisites. |
active-directory | Howto Verifiable Credentials Partner Lexisnexis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/howto-verifiable-credentials-partner-lexisnexis.md | To incorporate identity verification into your Apps using LexisNexis Verified ID As a developer you'll provide the steps below to your tenant administrator. The instructions help them obtain the verification request URL, and application body or website to request verifiable credentials from your users. -1. Go to [Microsoft Entra portal -> Verified ID](https://entra.microsoft.com/#view/Microsoft_AAD_DecentralizedIdentity/ResourceOverviewBlade). +1. Go to [Microsoft Entra admin center -> Verified ID](https://entra.microsoft.com/#view/Microsoft_AAD_DecentralizedIdentity/ResourceOverviewBlade). >[!Note] > Make sure this is the tenant you set up for Verified ID per the pre-requisites. 1. Go to [Quickstart-> Verification Request -> Start](https://entra.microsoft.com/#view/Microsoft_AAD_DecentralizedIdentity/QuickStartVerifierBlade). |
active-directory | Partner Vu | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/partner-vu.md | Follow these steps to incorporate VU Identity Card solution into your Apps. As a developer you can share these steps with your tenant administrator to obtain the verification request URL, and body for your application or website to request Verified IDs from your users. -1. Go to Microsoft Entra portal - [**Verified ID**](https://entra.microsoft.com/#view/Microsoft_AAD_DecentralizedIdentity/ResourceOverviewBlade) +1. Go to Microsoft Entra admin center - [**Verified ID**](https://entra.microsoft.com/#view/Microsoft_AAD_DecentralizedIdentity/ResourceOverviewBlade) >[!NOTE] >Verify that the tenant configured for Verified ID meets the prerequisites. |
active-directory | Whats New | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/whats-new.md | Microsoft Entra Verified ID is now generally available (GA) as the new member of ### Known issues -- Tenants that [opt-out](verifiable-credentials-faq.md?#how-do-i-reset-the-entra-verified-id-service) without issuing any Verifiable Credential gets a `Specified resource does not exist` error from the Admin API and/or the Entra portal. A fix for this issue should be available by August 20, 2022.+- Tenants that [opt-out](verifiable-credentials-faq.md?#how-do-i-reset-the-entra-verified-id-service) without issuing any Verifiable Credential gets a `Specified resource does not exist` error from the Admin API and/or the Microsoft Entra admin center. A fix for this issue should be available by August 20, 2022. ## July 2022 |
active-directory | Workload Identity Federation Create Trust | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identity-federation-create-trust.md | Use the following values from your Azure AD application registration for your Gi The following screenshot demonstrates how to copy the application ID and tenant ID. - ![Screenshot that demonstrates how to copy the application ID and tenant ID from Microsoft Entra portal.](./media/workload-identity-federation-create-trust/copy-client-id.png) + ![Screenshot that demonstrates how to copy the application ID and tenant ID from Microsoft Entra admin center.](./media/workload-identity-federation-create-trust/copy-client-id.png) - `AZURE_SUBSCRIPTION_ID` your subscription ID. To get the subscription ID, open **Subscriptions** in Azure portal and find your subscription. Then, copy the **Subscription ID**. |
ai-services | Cognitive Services Virtual Networks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/cognitive-services-virtual-networks.md | -Azure AI services provides a layered security model. This model enables you to secure your Azure AI services accounts to a specific subset of networksΓÇï. When network rules are configured, only applications requesting data over the specified set of networks can access the account. You can limit access to your resources with request filtering. Allowing only requests originating from specified IP addresses, IP ranges or from a list of subnets in [Azure Virtual Networks](../virtual-network/virtual-networks-overview.md). +Azure AI services provide a layered security model. This model enables you to secure your Azure AI services accounts to a specific subset of networksΓÇï. When network rules are configured, only applications that request data over the specified set of networks can access the account. You can limit access to your resources with *request filtering*, which allows requests that originate only from specified IP addresses, IP ranges, or from a list of subnets in [Azure Virtual Networks](../virtual-network/virtual-networks-overview.md). An application that accesses an Azure AI services resource when network rules are in effect requires authorization. Authorization is supported with [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) credentials or with a valid API key. > [!IMPORTANT]-> Turning on firewall rules for your Azure AI services account blocks incoming requests for data by default. In order to allow requests through, one of the following conditions needs to be met: +> Turning on firewall rules for your Azure AI services account blocks incoming requests for data by default. To allow requests through, one of the following conditions needs to be met: >-> * The request should originate from a service operating within an Azure Virtual Network (VNet) on the allowed subnet list of the target Azure AI services account. The endpoint in requests originated from VNet needs to be set as the [custom subdomain](cognitive-services-custom-subdomains.md) of your Azure AI services account. -> * Or the request should originate from an allowed list of IP addresses. +> - The request originates from a service that operates within an Azure Virtual Network on the allowed subnet list of the target Azure AI services account. The endpoint request that originated from the virtual network needs to be set as the [custom subdomain](cognitive-services-custom-subdomains.md) of your Azure AI services account. +> - The request originates from an allowed list of IP addresses. >-> Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on. +> Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services. [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)] ## Scenarios -To secure your Azure AI services resource, you should first configure a rule to deny access to traffic from all networks (including internet traffic) by default. Then, you should configure rules that grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also configure rules to grant access to traffic from select public internet IP address ranges, enabling connections from specific internet or on-premises clients. +To secure your Azure AI services resource, you should first configure a rule to deny access to traffic from all networks, including internet traffic, by default. Then, configure rules that grant access to traffic from specific virtual networks. This configuration enables you to build a secure network boundary for your applications. You can also configure rules to grant access to traffic from select public internet IP address ranges and enable connections from specific internet or on-premises clients. -Network rules are enforced on all network protocols to Azure AI services, including REST and WebSocket. To access data using tools such as the Azure test consoles, explicit network rules must be configured. You can apply network rules to existing Azure AI services resources, or when you create new Azure AI services resources. Once network rules are applied, they're enforced for all requests. +Network rules are enforced on all network protocols to Azure AI services, including REST and WebSocket. To access data by using tools such as the Azure test consoles, explicit network rules must be configured. You can apply network rules to existing Azure AI services resources, or when you create new Azure AI services resources. After network rules are applied, they're enforced for all requests. ## Supported regions and service offerings -Virtual networks (VNETs) are supported in [regions where Azure AI services are available](https://azure.microsoft.com/global-infrastructure/services/). Azure AI services supports service tags for network rules configuration. The services listed below are included in the **CognitiveServicesManagement** service tag. +Virtual networks are supported in [regions where Azure AI services are available](https://azure.microsoft.com/global-infrastructure/services/). Azure AI services support service tags for network rules configuration. The services listed here are included in the `CognitiveServicesManagement` service tag. > [!div class="checklist"]-> * Anomaly Detector -> * Azure OpenAI -> * Azure AI Vision -> * Content Moderator -> * Custom Vision -> * Face -> * Language Understanding (LUIS) -> * Personalizer -> * Speech service -> * Language service -> * QnA Maker -> * Translator Text -+> - Anomaly Detector +> - Azure OpenAI +> - Content Moderator +> - Custom Vision +> - Face +> - Language Understanding (LUIS) +> - Personalizer +> - Speech service +> - Language +> - QnA Maker +> - Translator > [!NOTE]-> If you're using, Azure OpenAI, LUIS, Speech Services, or Language services, the **CognitiveServicesManagement** tag only enables you use the service using the SDK or REST API. To access and use Azure OpenAI Studio, LUIS portal , Speech Studio or Language Studio from a virtual network, you will need to use the following tags: +> If you use Azure OpenAI, LUIS, Speech Services, or Language services, the `CognitiveServicesManagement` tag only enables you to use the service by using the SDK or REST API. To access and use Azure OpenAI Studio, LUIS portal, Speech Studio, or Language Studio from a virtual network, you need to use the following tags: >-> * **AzureActiveDirectory** -> * **AzureFrontDoor.Frontend** -> * **AzureResourceManager** -> * **CognitiveServicesManagement** -> * **CognitiveServicesFrontEnd** -+> - `AzureActiveDirectory` +> - `AzureFrontDoor.Frontend` +> - `AzureResourceManager` +> - `CognitiveServicesManagement` +> - `CognitiveServicesFrontEnd` ## Change the default network access rule By default, Azure AI services resources accept connections from clients on any network. To limit access to selected networks, you must first change the default action. > [!WARNING]-> Making changes to network rules can impact your applications' ability to connect to Azure AI services. Setting the default network rule to **deny** blocks all access to the data unless specific network rules that **grant** access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access. If you are allow listing IP addresses for your on-premises network, be sure to add all possible outgoing public IP addresses from your on-premises network. +> Making changes to network rules can impact your applications' ability to connect to Azure AI services. Setting the default network rule to *deny* blocks all access to the data unless specific network rules that *grant* access are also applied. +> +> Before you change the default rule to deny access, be sure to grant access to any allowed networks by using network rules. If you allow listing for the IP addresses for your on-premises network, be sure to add all possible outgoing public IP addresses from your on-premises network. -### Managing default network access rules +### Manage default network access rules You can manage default network access rules for Azure AI services resources through the Azure portal, PowerShell, or the Azure CLI. You can manage default network access rules for Azure AI services resources thro 1. Go to the Azure AI services resource you want to secure. -1. Select the **RESOURCE MANAGEMENT** menu called **Virtual network**. +1. Select **Resource Management** to expand it, then select **Networking**. - ![Virtual network option](media/vnet/virtual-network-blade.png) + :::image type="content" source="media/vnet/virtual-network-blade.png" alt-text="Screenshot shows the Networking page with Selected Networks and Private Endpoints selected." lightbox="media/vnet/virtual-network-blade.png"::: -1. To deny access by default, choose to allow access from **Selected networks**. With the **Selected networks** setting alone, unaccompanied by configured **Virtual networks** or **Address ranges** - all access is effectively denied. When all access is denied, requests attempting to consume the Azure AI services resource aren't permitted. The Azure portal, Azure PowerShell or, Azure CLI can still be used to configure the Azure AI services resource. -1. To allow traffic from all networks, choose to allow access from **All networks**. +1. To deny access by default, under **Firewalls and virtual networks**, select **Selected Networks and Private Endpoints**. - ![Virtual networks deny](media/vnet/virtual-network-deny.png) + With this setting alone, unaccompanied by configured virtual networks or address ranges, all access is effectively denied. When all access is denied, requests that attempt to consume the Azure AI services resource aren't permitted. The Azure portal, Azure PowerShell, or the Azure CLI can still be used to configure the Azure AI services resource. ++1. To allow traffic from all networks, select **All networks**. ++ :::image type="content" source="media/vnet/virtual-network-deny.png" alt-text="Screenshot shows the Networking page with All networks selected." lightbox="media/vnet/virtual-network-deny.png"::: 1. Select **Save** to apply your changes. # [PowerShell](#tab/powershell) -1. Install the [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps), or select **Try it**. +1. Install the [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps), or select **Open Cloudshell**. 1. Display the status of the default rule for the Azure AI services resource. - ```azurepowershell-interactive - $parameters = @{ - "ResourceGroupName"= "myresourcegroup" - "Name"= "myaccount" -} - (Get-AzCognitiveServicesAccountNetworkRuleSet @parameters).DefaultAction - ``` + ```azurepowershell-interactive + $parameters = @{ + "ResourceGroupName" = "myresourcegroup" + "Name" = "myaccount" + } + (Get-AzCognitiveServicesAccountNetworkRuleSet @parameters).DefaultAction + ``` -1. Set the default rule to deny network access by default. + You can get values for your resource group `myresourcegroup` and the name of your Azure services resource `myaccount` from the Azure portal. ++1. Set the default rule to deny network access. ```azurepowershell-interactive $parameters = @{- -ResourceGroupName "myresourcegroup" - -Name "myaccount" - -DefaultAction Deny + "ResourceGroupName" = "myresourcegroup" + "Name" = "myaccount" + "DefaultAction" = "Deny" } Update-AzCognitiveServicesAccountNetworkRuleSet @parameters ``` -1. Set the default rule to allow network access by default. +1. Set the default rule to allow network access. ```azurepowershell-interactive $parameters = @{- -ResourceGroupName "myresourcegroup" - -Name "myaccount" - -DefaultAction Allow + "ResourceGroupName" = "myresourcegroup" + "Name" = "myaccount" + "DefaultAction" = "Allow" } Update-AzCognitiveServicesAccountNetworkRuleSet @parameters ``` # [Azure CLI](#tab/azure-cli) -1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli), or select **Try it**. +1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli), or select **Open Cloudshell**. 1. Display the status of the default rule for the Azure AI services resource. ```azurecli-interactive az cognitiveservices account show \- -g "myresourcegroup" -n "myaccount" \ - --query networkRuleSet.defaultAction + --resource-group "myresourcegroup" --name "myaccount" \ + --query properties.networkAcls.defaultAction ``` +1. Get the resource ID for use in the later steps. ++ ```azurecli-interactive + resourceId=$(az cognitiveservices account show + --resource-group "myresourcegroup" \ + --name "myaccount" --query id --output tsv) + ``` + 1. Set the default rule to deny network access by default. ```azurecli-interactive az resource update \- --ids {resourceId} \ + --ids $resourceId \ --set properties.networkAcls="{'defaultAction':'Deny'}" ``` You can manage default network access rules for Azure AI services resources thro ```azurecli-interactive az resource update \- --ids {resourceId} \ + --ids $resourceId \ --set properties.networkAcls="{'defaultAction':'Allow'}" ``` You can manage default network access rules for Azure AI services resources thro ## Grant access from a virtual network -You can configure Azure AI services resources to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant. +You can configure Azure AI services resources to allow access from specific subnets only. The allowed subnets might belong to a virtual network in the same subscription or in a different subscription. The other subscription can belong to a different Azure AD tenant. ++Enable a *service endpoint* for Azure AI services within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure AI services service. For more information, see [Virtual Network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). -Enable a [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) for Azure AI services within the VNet. The service endpoint routes traffic from the VNet through an optimal path to the Azure AI services service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the Azure AI services resource that allow requests to be received from specific subnets in a VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the Azure AI services resource to access the data. +The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the Azure AI services resource to allow requests from specific subnets in a virtual network. Clients granted access by these network rules must continue to meet the authorization requirements of the Azure AI services resource to access the data. -Each Azure AI services resource supports up to 100 virtual network rules, which may be combined with [IP network rules](#grant-access-from-an-internet-ip-range). +Each Azure AI services resource supports up to 100 virtual network rules, which can be combined with IP network rules. For more information, see [Grant access from an internet IP range](#grant-access-from-an-internet-ip-range) later in this article. -### Required permissions +### Set required permissions -To apply a virtual network rule to an Azure AI services resource, the user must have the appropriate permissions for the subnets being added. The required permission is the default *Contributor* role, or the *Cognitive Services Contributor* role. Required permissions can also be added to custom role definitions. +To apply a virtual network rule to an Azure AI services resource, you need the appropriate permissions for the subnets to add. The required permission is the default *Contributor* role or the *Cognitive Services Contributor* role. Required permissions can also be added to custom role definitions. -Azure AI services resource and the virtual networks granted access may be in different subscriptions, including subscriptions that are a part of a different Azure AD tenant. +The Azure AI services resource and the virtual networks that are granted access might be in different subscriptions, including subscriptions that are part of a different Azure AD tenant. > [!NOTE]-> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant are currently only supported through PowerShell, CLI and REST APIs. Such rules cannot be configured through the Azure portal, though they may be viewed in the portal. +> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure AD tenant are currently supported only through PowerShell, the Azure CLI, and the REST APIs. You can view these rules in the Azure portal, but you can't configure them. -### Managing virtual network rules +### Configure virtual network rules You can manage virtual network rules for Azure AI services resources through the Azure portal, PowerShell, or the Azure CLI. # [Azure portal](#tab/portal) +To grant access to a virtual network with an existing network rule: + 1. Go to the Azure AI services resource you want to secure. -1. Select the **RESOURCE MANAGEMENT** menu called **Virtual network**. +1. Select **Resource Management** to expand it, then select **Networking**. -1. Check that you've selected to allow access from **Selected networks**. +1. Confirm that you selected **Selected Networks and Private Endpoints**. -1. To grant access to a virtual network with an existing network rule, under **Virtual networks**, select **Add existing virtual network**. +1. Under **Allow access from**, select **Add existing virtual network**. - ![Add existing vNet](media/vnet/virtual-network-add-existing.png) + :::image type="content" source="media/vnet/virtual-network-add-existing.png" alt-text="Screenshot shows the Networking page with Selected Networks and Private Endpoints selected and Add existing virtual network highlighted." lightbox="media/vnet/virtual-network-add-existing.png"::: 1. Select the **Virtual networks** and **Subnets** options, and then select **Enable**. - ![Add existing vNet details](media/vnet/virtual-network-add-existing-details.png) + :::image type="content" source="media/vnet/virtual-network-add-existing-details.png" alt-text="Screenshot shows the Add networks dialog box where you can enter a virtual network and subnet."::: -1. To create a new virtual network and grant it access, select **Add new virtual network**. + > [!NOTE] + > If a service endpoint for Azure AI services wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation. + > + > Currently, only virtual networks that belong to the same Azure AD tenant are available for selection during rule creation. To grant access to a subnet in a virtual network that belongs to another tenant, use PowerShell, the Azure CLI, or the REST APIs. - ![Add new vNet](media/vnet/virtual-network-add-new.png) +1. Select **Save** to apply your changes. ++To create a new virtual network and grant it access: ++1. On the same page as the previous procedure, select **Add new virtual network**. ++ :::image type="content" source="media/vnet/virtual-network-add-new.png" alt-text="Screenshot shows the Networking page with Selected Networks and Private Endpoints selected and Add new virtual network highlighted." lightbox="media/vnet/virtual-network-add-new.png"::: 1. Provide the information necessary to create the new virtual network, and then select **Create**. - ![Create vNet](media/vnet/virtual-network-create.png) + :::image type="content" source="media/vnet/virtual-network-create.png" alt-text="Screenshot shows the Create virtual network dialog box."::: - > [!NOTE] - > If a service endpoint for Azure AI services wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation. - > - > Presently, only virtual networks belonging to the same Azure Active Directory tenant are shown for selection during rule creation. To grant access to a subnet in a virtual network belonging to another tenant, please use PowerShell, CLI or REST APIs. +1. Select **Save** to apply your changes. -1. To remove a virtual network or subnet rule, select **...** to open the context menu for the virtual network or subnet, and select **Remove**. +To remove a virtual network or subnet rule: - ![Remove vNet](media/vnet/virtual-network-remove.png) +1. On the same page as the previous procedures, select **...(More options)** to open the context menu for the virtual network or subnet, and select **Remove**. ++ :::image type="content" source="media/vnet/virtual-network-remove.png" alt-text="Screenshot shows the option to remove a virtual network." lightbox="media/vnet/virtual-network-remove.png"::: 1. Select **Save** to apply your changes. # [PowerShell](#tab/powershell) -1. Install the [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps), or select **Try it**. +1. Install the [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps), or select **Open Cloudshell**. -1. List virtual network rules. +1. List the configured virtual network rules. ```azurepowershell-interactive- $parameters = @{ - "ResourceGroupName"= "myresourcegroup" - "Name"= "myaccount" -} + $parameters = @{ + "ResourceGroupName" = "myresourcegroup" + "Name" = "myaccount" + } (Get-AzCognitiveServicesAccountNetworkRuleSet @parameters).VirtualNetworkRules ``` -1. Enable service endpoint for Azure AI services on an existing virtual network and subnet. +1. Enable a service endpoint for Azure AI services on an existing virtual network and subnet. ```azurepowershell-interactive Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" ` -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" `- -AddressPrefix "10.0.0.0/24" ` + -AddressPrefix "CIDR" ` -ServiceEndpoint "Microsoft.CognitiveServices" | Set-AzVirtualNetwork ``` You can manage virtual network rules for Azure AI services resources through the ```azurepowershell-interactive $subParameters = @{- -ResourceGroupName "myresourcegroup" - -Name "myvnet" + "ResourceGroupName" = "myresourcegroup" + "Name" = "myvnet" } $subnet = Get-AzVirtualNetwork @subParameters | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet" You can manage virtual network rules for Azure AI services resources through the ``` > [!TIP]- > To add a network rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully-qualified **VirtualNetworkResourceId** parameter in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name". + > To add a network rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully-qualified `VirtualNetworkResourceId` parameter in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. 1. Remove a network rule for a virtual network and subnet. ```azurepowershell-interactive $subParameters = @{- -ResourceGroupName "myresourcegroup" - -Name "myvnet" + "ResourceGroupName" = "myresourcegroup" + "Name" = "myvnet" } $subnet = Get-AzVirtualNetwork @subParameters | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet" $parameters = @{- -ResourceGroupName "myresourcegroup" - -Name "myaccount" - -VirtualNetworkResourceId $subnet.Id + "ResourceGroupName" = "myresourcegroup" + "Name" = "myaccount" + "VirtualNetworkResourceId" = $subnet.Id } Remove-AzCognitiveServicesAccountNetworkRule @parameters ``` # [Azure CLI](#tab/azure-cli) -1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli), or select **Try it**. +1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli), or select **Open Cloudshell**. -1. List virtual network rules. +1. List the configured virtual network rules. ```azurecli-interactive az cognitiveservices account network-rule list \- -g "myresourcegroup" -n "myaccount" \ + --resource-group "myresourcegroup" --name "myaccount" \ --query virtualNetworkRules ``` -1. Enable service endpoint for Azure AI services on an existing virtual network and subnet. +1. Enable a service endpoint for Azure AI services on an existing virtual network and subnet. ```azurecli-interactive- az network vnet subnet update -g "myresourcegroup" -n "mysubnet" \ + az network vnet subnet update --resource-group "myresourcegroup" --name "mysubnet" \ --vnet-name "myvnet" --service-endpoints "Microsoft.CognitiveServices" ``` 1. Add a network rule for a virtual network and subnet. ```azurecli-interactive- $subnetid=(az network vnet subnet show \ - -g "myresourcegroup" -n "mysubnet" --vnet-name "myvnet" \ + subnetid=$(az network vnet subnet show \ + --resource-group "myresourcegroup" --name "mysubnet" --vnet-name "myvnet" \ --query id --output tsv) # Use the captured subnet identifier as an argument to the network rule addition az cognitiveservices account network-rule add \- -g "myresourcegroup" -n "myaccount" \ + --resource-group "myresourcegroup" --name "myaccount" \ --subnet $subnetid ``` > [!TIP]- > To add a rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully-qualified subnet ID in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name". + > To add a rule for a subnet in a virtual network that belongs to another Azure AD tenant, use a fully-qualified subnet ID in the form `/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name`. > - > You can use the **subscription** parameter to retrieve the subnet ID for a VNet belonging to another Azure AD tenant. + > You can use the `--subscription` parameter to retrieve the subnet ID for a virtual network that belongs to another Azure AD tenant. 1. Remove a network rule for a virtual network and subnet. ```azurecli-interactive $subnetid=(az network vnet subnet show \- -g "myresourcegroup" -n "mysubnet" --vnet-name "myvnet" \ + --resource-group "myresourcegroup" --name "mysubnet" --vnet-name "myvnet" \ --query id --output tsv) # Use the captured subnet identifier as an argument to the network rule removal az cognitiveservices account network-rule remove \- -g "myresourcegroup" -n "myaccount" \ + --resource-group "myresourcegroup" --name "myaccount" \ --subnet $subnetid ``` *** > [!IMPORTANT]-> Be sure to [set the default rule](#change-the-default-network-access-rule) to **deny**, or network rules have no effect. +> Be sure to [set the default rule](#change-the-default-network-access-rule) to *deny*, or network rules have no effect. ## Grant access from an internet IP range -You can configure Azure AI services resources to allow access from specific public internet IP address ranges. This configuration grants access to specific services and on-premises networks, effectively blocking general internet traffic. +You can configure Azure AI services resources to allow access from specific public internet IP address ranges. This configuration grants access to specific services and on-premises networks, which effectively block general internet traffic. -Provide allowed internet address ranges using [CIDR notation](https://tools.ietf.org/html/rfc4632) in the form `16.17.18.0/24` or as individual IP addresses like `16.17.18.19`. +You can specify the allowed internet address ranges by using [CIDR format (RFC 4632)](https://tools.ietf.org/html/rfc4632) in the form `192.168.0.0/16` or as individual IP addresses like `192.168.0.1`. > [!Tip]- > Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should be configured using individual IP address rules. + > Small address ranges that use `/31` or `/32` prefix sizes aren't supported. Configure these ranges by using individual IP address rules. ++IP network rules are only allowed for *public internet* IP addresses. IP address ranges reserved for private networks aren't allowed in IP rules. Private networks include addresses that start with `10.*`, `172.16.*` - `172.31.*`, and `192.168.*`. For more information, see [Private Address Space (RFC 1918)](https://tools.ietf.org/html/rfc1918#section-3). ++Currently, only IPv4 addresses are supported. Each Azure AI services resource supports up to 100 IP network rules, which can be combined with [virtual network rules](#grant-access-from-a-virtual-network). -IP network rules are only allowed for **public internet** IP addresses. IP address ranges reserved for private networks (as defined in [RFC 1918](https://tools.ietf.org/html/rfc1918#section-3)) aren't allowed in IP rules. Private networks include addresses that start with `10.*`, `172.16.*` - `172.31.*`, and `192.168.*`. +### Configure access from on-premises networks -Only IPV4 addresses are supported at this time. Each Azure AI services resource supports up to 100 IP network rules, which may be combined with [Virtual network rules](#grant-access-from-a-virtual-network). +To grant access from your on-premises networks to your Azure AI services resource with an IP network rule, identify the internet-facing IP addresses used by your network. Contact your network administrator for help. -### Configuring access from on-premises networks +If you use Azure ExpressRoute on-premises for public peering or Microsoft peering, you need to identify the NAT IP addresses. For more information, see [What is Azure ExpressRoute](../expressroute/expressroute-introduction.md). -To grant access from your on-premises networks to your Azure AI services resource with an IP network rule, you must identify the internet facing IP addresses used by your network. Contact your network administrator for help. +For public peering, each ExpressRoute circuit by default uses two NAT IP addresses. Each is applied to Azure service traffic when the traffic enters the Microsoft Azure network backbone. For Microsoft peering, the NAT IP addresses that are used are either customer provided or supplied by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. -If you're using [ExpressRoute](../expressroute/expressroute-introduction.md) on-premises for public peering or Microsoft peering, you need to identify the NAT IP addresses. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses. Each is applied to Azure service traffic when the traffic enters the Microsoft Azure network backbone. For Microsoft peering, the NAT IP addresses that are used are either customer provided or are provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, [open a support ticket with ExpressRoute](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) via the Azure portal. Learn more about [NAT for ExpressRoute public and Microsoft peering.](../expressroute/expressroute-nat.md#nat-requirements-for-azure-public-peering) +To find your public peering ExpressRoute circuit IP addresses, [open a support ticket with ExpressRoute](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) use the Azure portal. For more information, see [NAT requirements for Azure public peering](../expressroute/expressroute-nat.md#nat-requirements-for-azure-public-peering). ### Managing IP network rules You can manage IP network rules for Azure AI services resources through the Azur 1. Go to the Azure AI services resource you want to secure. -1. Select the **RESOURCE MANAGEMENT** menu called **Virtual network**. +1. Select **Resource Management** to expand it, then select **Networking**. -1. Check that you've selected to allow access from **Selected networks**. +1. Confirm that you selected **Selected Networks and Private Endpoints**. -1. To grant access to an internet IP range, enter the IP address or address range (in [CIDR format](https://tools.ietf.org/html/rfc4632)) under **Firewall** > **Address Range**. Only valid public IP (non-reserved) addresses are accepted. |