-> API connectors used in this step are in preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt` (public preview). For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). |

-

- ```XML

- <ValidationTechnicalProfiles>

- ....

- <ValidationTechnicalProfile ReferenceId="REST-AcquireAccessToken" />

- ....

- </ValidationTechnicalProfiles>

- ```

-

- "total": 300000

-You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md)

-[powershell-gallery]: https://www.powershellgallery.com/

-<!-- EXTERNAL LINKS -->

-[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix

-> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory.

-> API-driven inbound provisioning is currently in public preview and is governed by [Preview Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> API-driven inbound provisioning is currently in public preview and is governed by [Preview Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-1. Log in to the [Microsoft Entra portal](<https://entra.microsoft.com>).

-1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials.

-1. Log in to Microsoft Entra portal with application administrator role.

-> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra Portal to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process.

-1. Log in to Microsoft Entra portal (https://entra.microsoft.com) with global administrator or application administrator login credentials.

-You can verify the processing either from the Microsoft Entra portal or using Graph Explorer.

-### Verify processing from Microsoft Entra portal

-1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials.

-You can verify the processing either from the Microsoft Entra portal or using Postman.

-### Verify processing from Microsoft Entra portal

-1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials.

-1. Log in to your Entra portal as *Application Administrator* or *Global Administrator*.

-1. To associate this certificate with a valid service principal, log in to your Entra portal as *Application Administrator*.

-It doesn't refer to the attribute mappings that you perform in the Entra portal provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes.

-description: This document describes how to configure Azure AD to provision users into SAP ECC 7.

-# Configuring Azure AD to provision users into SAP ECC 7.0

-The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC) 7.0. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning.

-Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. Your application must support [SCIM](https://aka.ms/scimoverview). Or, you must build a SCIM gateway to connect to your legacy application. If so, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support these applications as well.

-App provisioning lets you:

-Your users wonΓÇÖt notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so theyΓÇÖll still balance loads automatically.

-This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If youΓÇÖve already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section.

- 1. **Internal URL**: Normally you provide the URL that takes you to the appΓÇÖs sign-in page when youΓÇÖre on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess.

- > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener youΓÇÖve configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners).

-1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the APIs for Windows Azure Active Directory.

-## Other access control considerations

-### Require user assignment

-The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you need:

-> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Azure AD Exporter, or with the Microsoft Graph API.

-

-In some rare instances where the relevant Google or Apple service responsible for push notifications is down, users may not receive their push notifications. In these cases users should manually navigate to the Microsoft Authenticator app (or relevant companion app like Outlook), refresh by either pulling down or hitting the refresh button, and approve the request.

-> [!NOTE]

-> If your organization has staff working in or traveling to China, the *Notification through mobile app* method on Android devices doesn't work in that country/region as Google play services(including push notifications) are blocked in the region. However iOS notification do work. For Android devices ,alternate authentication methods should be made available for those users.

-OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-Then for ContosoΓÇÖs most sensitive resource, the administrator wants to restrict the access to only passwordless authentication methods. The administrator creates a new Conditional Access policy, using the built-in **Passwordless MFA strength**.

-| 239 | Sao Tome and Principe |

-It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken).

-Without any session lifetime settings, there are no persistent cookies in the browser session. Every time a user closes and open the browser, they get a prompt for reauthentication. In Office clients, the default time period is a rolling window of 90 days. With this default Office configuration, if the user has reset their password or there has been inactivity of over 90 days, the user is required to reauthenticate with all required factors (first and second factor).

-Under each sign-in log, go to the **Authentication Details** tab and explore **Session Lifetime Policies Applied**. For more information, see [Authentication details](../reports-monitoring/concept-sign-ins.md#authentication-details).

-| Firefox | &#10060; | &#10060; | &#10060; |

- Click **Authentication details** for [details about the MFA requirements](../reports-monitoring/concept-sign-ins.md#authentication-details).

->This is an important security enhancement for users authenticating via telecom transports. On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ. If you no longer wish for this feature to be enabled, move the state from 'default' toΓÇÿdisabledΓÇÖ or set users to include and exclude groups.

-By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings). On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ

- 2. On the Enable and Target tab, click Yes and All users to enable the Authenticator policy for everyone or add selected users and groups. Set the Authentication mode for these users/groups to Any or Push.

- Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.

-<img width="1112" alt="Entra portal Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png">

-**Phase 3** requires moving all clients that authenticate to the on-premises MFA Server (VPNs, password managers, and so on) to Azure AD federation via SAML/OAUTH. If modern authentication standards arenΓÇÖt supported, you're required to stand up NPS server(s) with the Azure AD MFA extension installed. Once dependencies are migrated, users should no longer use the User portal on the MFA Server, but rather should manage their authentication methods in Azure AD ([aka.ms/mfasetup](https://aka.ms/mfasetup)). Once users begin managing their authentication data in Azure AD, those methods won't be synced back to MFA Server. If you roll back to the on-premises MFA Server after users have made changes to their Authentication Methods in Azure AD, those changes will be lost. After user migrations are complete, change the [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) domain federation setting. The change tells Azure AD to no longer perform MFA on-premises and to perform _all_ MFA requests with Azure AD MFA, regardless of group membership.

-^*When a PIN is used to provide proof-of-presence functionality, the functional equivalent is provided above. PINs that arenΓÇÖt cryptographically tied to a device don't sufficiently protect against scenarios where a device has been compromised. To protect against these scenarios, including [SIM swap attacks](https://wikipedia.org/wiki/SIM_swap_scam), move users to more secure methods according to Microsoft authentication methods [best practices](concept-authentication-methods.md).

-|**Passed Sessions tab**|All authentication method registration flows are managed by Azure AD and donΓÇÖt require configuration|

-For RADIUS deployments that canΓÇÖt be upgraded, youΓÇÖll need to deploy an NPS Server and install the [Azure AD MFA NPS extension](howto-mfa-nps-extension.md).

-For LDAP deployments that canΓÇÖt be upgraded or moved to RADIUS, [determine if Azure Active Directory Domain Services can be used](../architecture/auth-ldap.md). In most cases, LDAP was deployed to support in-line password changes for end users. Once migrated, end users can manage their passwords by using [self-service password reset in Azure AD](tutorial-enable-sspr.md).

-If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfaserver-adfs-windows-server.md#secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server) on any relying party trusts except for the Office 365 relying party trust, youΓÇÖll need to upgrade to [AD FS 3.0](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server) or federate those relying parties directly to Azure AD if they support modern authentication methods. Determine the best plan of action for each of the dependencies.

- - If the Windows API doesnΓÇÖt find the user or the SID isnΓÇÖt found in the MFA Server, then it will use the configured Active Directory attribute to find the user in the on-premises Active Directory, and then use the SID to search the MFA Server user list.

-1. You can migrate users even if they are unchanged. By default, the utility is set to **Only migrate users that have changed**. Click **Migrate all users** to re-migrate previously migrated users that are unchanged. Migrating unchanged users can be useful during testing if an administrator needs to reset a userΓÇÖs Azure MFA settings and wants to re-migrate them.

-MFA Methods will be updated based on what was migrated and the default method will be set. MFA Server will track the last migration timestamp and only migrate the user again if the userΓÇÖs MFA settings change or an admin modifies what to migrate in the **Settings** dialog.

-Ensure users know what to expect when they're moved to Azure MFA, including new authentication flows. You may also wish to instruct users to use the Azure AD Combined Registration portal ([aka.ms/mfasetup](https://aka.ms/mfasetup)) to manage their authentication methods rather than the User portal once migrations are complete. Any changes made to authentication methods in Azure AD won't propagate back to your on-premises environment. In a situation where you had to roll back to MFA Server, any changes users have made in Azure AD wonΓÇÖt be available in the MFA Server User portal.

-If you use third-party solutions that depend on Azure MFA Server for authentication (see [Authentication services](#authentication-services)), youΓÇÖll want users to continue to make changes to their MFA methods in the User portal. These changes will be synced to Azure AD automatically. Once you've migrated these third party solutions, you can move users to the Azure AD combined registration page.

-Once you've completed user migrations, and moved all of your [Authentication services](#authentication-services) off of MFA Server, itΓÇÖs time to update your domain federation settings. After the update, Azure AD no longer sends MFA request to your on-premises federation server.

-Users will no longer be redirected to your on-premises federation server for MFA, whether theyΓÇÖre targeted by the Staged Rollout tool or not. Note this can take up to 24 hours to take effect.

-> Sign-in to Azure AD with email as an alternate login ID is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-To enable **Report suspicious activity** from the Authentication Methods Settings:

-1. Set **Report suspicious activity** to **Enabled**.

-OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms).

-| Turkey | +90 8505404893 |

-1. Sign in to the [Entra portal](https://entra.microsoft.com/#home).

-## What types of identities are supported by Permissions Management?

-Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed.

-## What is the data destruction/decommission process?

-If a customer initiates a free Permissions Management 45-day trial, but does not follow up and convert to a paid license within 45 days of the free trial expiration, we will delete all collected data on or just before 45 days.

-If a customer decides to discontinue licensing the service, we will also delete all previously collected data within 45 days of license termination.

-We also have the ability to remove, export or modify specific data should the Global Administrator using the Entra Permissions Management service file an official Data Subject Request. This can be initiated by opening a ticket in the Azure portal [New support request - Microsoft Entra admin center](https://entra.microsoft.com/#blade/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical), or alternately contacting your local Microsoft representative.

- You have now completed onboarding AWS, and Permissions Management has started collecting and processing your data.

- You have now completed onboarding Azure, and Permissions Management has started collecting and processing your data.

- You've completed onboarding GCP, and Permissions Management has started collecting and processing your data.

-For more information about these authentication protocols and services, see [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities).

-1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**.

-Filter for devices is an option when creating a Conditional Access policy in the Azure portal or using the Microsoft Graph API.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-Target resources (formerly Cloud apps, actions, and authentication context) are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, actions, or authentication context.

-

-The following key applications are affected by the Office 365 cloud app:

-Other Microsoft admin portals will be added over time.

-> Microsoft Admin Poratls (preview) is not currently supported in Government clouds.

-Authentication contexts are managed in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**.

-

-Create new authentication context definitions by selecting **New authentication context** in the Azure portal. Organizations are limited to a total of 25 authentication context definitions. Configure the following attributes:

-| Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, and Android |

-Find these templates in the **[Microsoft Entra admin center](https://entra.microsoft.com)** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category.

-> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. Simply navigate to **Microsoft Entra admin center** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Policies**, select the policy to open the editor and modify the excluded users and groups to select accounts you want to exclude.

-If you do find yourself locked out, see [What to do if you're locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal)

-1. Sign in to the **Azure portal** as at least a Global Reader.

-1. Browse to **Azure Active Directory** > **Sign-ins**.

-1. Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process.

-Customers who have configured CAE settings under Security before have to migrate settings to a new Conditional Access policy. Use the steps that follow to migrate your CAE settings to a Conditional Access policy.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Continuous access evaluation**.

-1. You have the option to **Migrate** your policy. This action is the only one that you have access to at this point.

-1. Browse to **Conditional Access** and you find a new policy named **Conditional Access policy created from CAE settings** with your settings configured. Administrators can choose to customize this policy or create their own to replace it.

-> Filter for applications is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

- For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Enterprise applications**.

-> Token protection is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Sign-in logs**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **Azure portal**.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Insights and reporting**.

-1. Sign into the **Azure portal** as a Conditional Access Administrator, security administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-In order to access the workbook, you need the proper Azure AD permissions and Log Analytics workspace permissions. To test whether you have the proper workspace permissions by running a sample log analytics query:

-1. Sign in to the **Azure portal**.

-1. Browse to **Azure Active Directory** > **Log Analytics**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-> Misconfiguration of a block policy can lead to organizations being locked out of the Azure portal.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Named locations**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

- > Persistent Browser Session configuration in Azure AD Conditional Access overrides the ΓÇ£Stay signed in?ΓÇ¥ setting in the company branding pane in the Azure portal for the same user if you have configured both policies.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Sign-in logs**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Workbooks**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-Locations exist in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions.

-

-

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-description: Learn how Conditional Access is at the heart of the new identity-driven control plane.

-Microsoft is providing Conditional Access templates to organizations in report-only mode starting in January of 2023. We may add more policies as new threats emerge.

-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4MwZs]

-Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multifactor authentication to access it.

- - Users attempting to access specific applications can trigger different Conditional Access policies.

- - Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify and remediate risky users and sign-in behavior.

-Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies in Azure AD.

-Conditional Access is found in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access**.

-Risk-based policies require access to [Identity Protection](../identity-protection/overview-identity-protection.md), which is an Azure AD P2 feature.

-> Be very careful in using block and all apps in a single policy. This could lock admins out of the Azure portal, and exclusions cannot be configured for important endpoints such as Microsoft Graph.

-This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies in the Azure portal](policy-migration.md) before you start migrating your classic policies.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Navigate to **Azure Active Directory** > **Security** > **Conditional Access**.

-For examples of common policies and their configuration in the Azure portal, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) as your test user.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or a Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

- :::image type="content" source="media/require-tou/terms-of-use-azure-ad-conditional-access.png" alt-text="Screenshot of terms of use shown in the Azure portal highlighting the new terms button." lightbox="media/require-tou/terms-of-use-azure-ad-conditional-access.png":::

- :::image type="content" source="media/require-tou/new-terms-of-use-creation.png" alt-text="Screenshot that shows creating a new terms of use policy in the Azure portal." lightbox="media/require-tou/new-terms-of-use-creation.png":::

-1. Navigate to the **Azure portal** > **Security** > **Conditional Access**

-1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. In the **Name** box, enter a name for the terms of use policy used in the Azure portal.

-1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou).

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**.

-1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Global Reader.

-1. Browse to **Azure Active Directory** > **Sign-ins**.

-## What to do if you're locked out of the Azure portal?

-If you're locked out of the Azure portal due to an incorrect setting in a Conditional Access policy:

-1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-1. Browse to **Azure Active Directory** > **Audit logs**.

-You can find the **What If** tool in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**.

-Conditional Access policies have historically applied only to users when they access apps and services like SharePoint online or the Azure portal. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

-1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

-1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service principal sign-ins**.

-1. Browse to the **Azure portal** > **Azure Active Directory** > **Enterprise Applications**, find the application you registered.

-description: How to configure the permissions you need to access a particular API in your custom developed Azure AD application

-# How to find a specific API needed for a custom-developed application

-Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration.

-## Configuring a resource application to expose web APIs

-When you expose your web API, the API be displayed in the **Select an API** list when adding permissions to an app registration. To add access scopes, follow the steps outlined in [Configure an application to expose web APIs](quickstart-configure-app-expose-web-apis.md).

-## Configuring a client application to access web APIs

-When you add permissions to your app registration, you can **add API access** to exposed web APIs. To access web APIs, follow the steps outlined in [Configure a client application to access web APIs](quickstart-configure-app-access-web-apis.md).

-## Next steps

-#Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform.

-# Authentication flows and application scenarios

-Tokens can be acquired from several types of applications, including:

-## Application scenarios

-Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires that you use the [device code flow](https://aka.ms/msal-net-device-code-flow).

-Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see [Leveraging brokers on Android and iOS](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS).

-description: An overview of the authentication protocols supported by the Microsoft identity platform

-# Microsoft identity platform authentication protocols

-The Microsoft identity platform supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Microsoft identity platform. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section.

-## Authentication protocols articles and reference

-* [Important Information About Signing Key Rollover in Microsoft identity platform](./signing-key-rollover.md) ΓÇô Learn about Microsoft identity platformΓÇÖs signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios.

-* [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that the Microsoft identity platform issues.

-* [OAuth 2.0 in Microsoft identity platform](v2-oauth2-auth-code-flow.md) - Learn about the implementation of OAuth 2.0 in Microsoft identity platform.

-* [OpenID Connect 1.0](v2-protocols-oidc.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication.

-* [Service to Service Calls with Client Credentials](v2-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls.

-* [Service to Service Calls with On-Behalf-Of Flow](v2-oauth2-on-behalf-of-flow.md) - Learn how to use OAuth 2.0 On-Behalf-Of flow for service to service calls.

-* [SAML Protocol Reference](./saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Microsoft identity platform.

-## See also

-* [Microsoft identity platform overview](v2-overview.md)

-* [Active Directory Code Samples](sample-v2-code.md)

-description: Learn more about how the Azure AD consent framework works to see how you can use it when developing applications on Azure AD

-# How application consent works

-This article is to help you learn more about how the Azure AD consent framework works so you can develop applications more effectively.

-## Recommended documents

-## Next steps

-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

-This article describes how to configure and setup a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token.

-Create an Application Registration to authenticate your custom authentication extension to your Azure Function.

-1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in.

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/applications`

-1. Select **Request Body** and paste the following JSON:

- ```json

- "displayName": "authenticationeventsAPI"

-1. Select **Run Query** to submit the request.

-1. Copy the **Application ID** value (*appId*) from the response. You need this value later, which is referred to as the `{authenticationeventsAPI_AppId}`. Also get the object ID of the app (*ID*), which is referred to as `{authenticationeventsAPI_ObjectId}` from the response.

-Create a service principal in the tenant for the authenticationeventsAPI app registration:

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals`

-1. Select **Request Body** and paste the following JSON:

- ```json

- {

- "appId": "{authenticationeventsAPI_AppId}"

- }

- ```

-1. Select **Run Query** to submit the request.

-1. Set the HTTP method to **PATCH**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}`

-1. Select **Request Body** and paste the following JSON:

- Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier.

-

- Set the `{authenticationeventsAPI_AppId}` value with the App ID generated from the app registration created in the previous step.

-

- An example value would be `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as it is used in following steps and is referenced as `{functionApp_IdentifierUri}`.

-

- ```json

- "identifierUris": [

- "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}"

- ],

- "api": {

- "requestedAccessTokenVersion": 2,

- "acceptMappedClaims": null,

- "knownClientApplications": [],

- "oauth2PermissionScopes": [],

- "preAuthorizedApplications": []

- },

- "requiredResourceAccess": [

- "resourceAppId": "00000003-0000-0000-c000-000000000000",

- "resourceAccess": [

- {

- "id": "214e810f-fda8-4fd7-a475-29461495eb00",

- "type": "Role"

- }

- ]

- ```

-1. Select **Run Query** to submit the request.

-Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the App Registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`.

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/beta/identity/customAuthenticationExtensions`

-1. Select **Request Body** and paste the following JSON:

- Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step.

- ```json

-1. Select **Run Query** to submit the request.

-Record the ID value of the created custom claims provider object. The ID is needed in a later step and is referred to as the `{customExtensionObjectId}`.

-After your custom authentication extension is created, you'll be taken to the **Overview** tab of the new custom authentication extension.

-In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps.

-First create an event listener to trigger a custom authentication extension using the token issuance start event:

-1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in.

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/beta/identity/authenticationEventListeners`

-1. Select **Request Body** and paste the following JSON:

- Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier.

- ```json

-1. Select **Run Query** to submit the request.

-Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider:

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/policies/claimsmappingpolicies`

-1. Select **Request Body** and paste the following JSON:

- ```json

-1. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`.

-1. Select **Run Query** to submit the request.

-Get the `servicePrincipal` objectId:

-1. Set the HTTP method to **GET**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}')/claimsMappingPolicies/$ref`. Replace `{App_to_enrich_ID}` with *My Test Application* App ID.

-1. Record the `id` value, later it's referred to as `{test_App_Service_Principal_ObjectId}`.

-Assign the claims mapping policy to the `servicePrincipal` of *My Test Application*:

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref`

-1. Select **Request Body** and paste the following JSON:

- ```json

-1. Select **Run Query** to submit the request.

-description: Learn about delegated and application permissions, how they are used by clients and exposed by resources for applications you are developing with Azure AD

-# How to recognize differences between delegated and application permissions

-## Recommended documents

-## Next steps

-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the left pane, select **Azure Active Directory**.

-1. Select **Enterprise applications**, and then select **All applications**.

- :::image type="content" source="media/enterprise-app-role-management/record-objectid.png" alt-text="Screenshot that shows how to locate and record the object identifier for the application.":::

-1. Locate the application in the Azure portal, and then select **Single sign-on** in the left menu.

- :::image type="content" source="media/enterprise-app-role-management/attributes-summary.png" alt-text="Screenshot that shows a display of the list of attributes and claims defined for the application.":::

-1. In the Azure portal, locate the application to which the role was added.

- :::image type="content" source="media/enterprise-app-role-management/assign-role.png" alt-text="Screenshot that shows how to assign a role to a user of an application.":::

-# How to configure app instance property lock for your applications (Preview)

-In an elevated PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate.

-[auth-fund-01-img]: ./media/identity-videos/aad-auth-fund-01.jpg

-[auth-fund-02-img]: ./media/identity-videos/aad-auth-fund-02.jpg

-[auth-fund-03-img]: ./media/identity-videos/aad-auth-fund-03.jpg

-[auth-fund-04-img]: ./media/identity-videos/aad-auth-fund-04.jpg

-[auth-fund-05-img]: ./media/identity-videos/aad-auth-fund-05.jpg

-[auth-fund-06-img]: ./media/identity-videos/aad-auth-fund-06.jpg

-To view or edit the claims issued in the JWT to the application, open the application in Azure portal. Then select **Single sign-on** blade in the left-hand menu and open the **Attributes & Claims** section.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the **Attributes & Claims** section, Select **Edit** to edit the claims.

-1. Select the required claim that you want to modify.

- :::image type="content" source="./media/jwt-claims-customization/sso-saml-multiple-claims-transformation.png" alt-text="Screenshot of claims transformation.":::

-| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with "000", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.employeeid<br/>*Value*: "000"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 |

-| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with "US", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.country<br/>*Value*: "US"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 |

-Applications that receive tokens rely on claim values that are authoritatively issued by Azure AD and can't be tampered with. When you modify the token contents through claims customization, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the customization to protect themselves from customizations created by malicious actors. This can be done in one the following ways:

-For multi-tenant apps, a custom signing key should be used. Don't set `acceptMappedClaims` in the app manifest. when setting up an app in the Azure portal, you get an app registration object and a service principal in your tenant. That app is using the Azure global sign-in key, which can't be used for customizing claims in tokens. To get custom claims in tokens, create a custom sign-in key from a certificate and add it to service principal. For testing purposes, you can use a self-signed certificate. After configuring the custom signing key, your application code needs to validate the token signing key.

-The following example shows the format of the HTTP PATCH request to add a custom signing key to a service principal. The "key" value in the `keyCredentials` property is shortened for readability. The value is base-64 encoded. For the private key, the property usage is "Sign". For the public key, the property usage is "Verify".

-Use PowerShell to [instantiate an MSAL Public Client Application](msal-net-initializing-client-applications.md#initializing-a-public-client-application-from-code) and use the [Authorization Code Grant](v2-oauth2-auth-code-flow.md) flow to obtain a delegated permission access token for Microsoft Graph. Use the access token to call Microsoft Graph and configure a custom signing key for the service principal. After configuring the custom signing key, your application code needs to [validate the token signing key](#validate-token-signing-key).

-To run this script you need:

-For single tenant apps, you can set the `acceptMappedClaims` property to `true` in the [application manifest](reference-app-manifest.md). As documented on the [apiApplication resource type](/graph/api/resources/apiapplication?view=graph-rest-1.0&preserve-view=true#properties), this allows an application to use claims mapping without specifying a custom signing key.

-description: Describes how to mark an app as publisher verified. When an application is marked as publisher verified, it means that the publisher (application developer) has verified the authenticity of their organization using a Microsoft Partner Network (MPN) account that has completed the verification process and has associated this MPN account with that application registration.

-When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process.

-If you are already enrolled in the Microsoft Partner Network (MPN) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away:

-1. Click **Add MPN ID to verify publisher** and review the listed requirements.

-1. Enter your MPN ID and click **Verify and save**.

-1. Sign in using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) to an organizational (Azure AD) account authorized to make changes to the app you want to mark as Publisher Verified and on the MPN Account in Partner Center.

- - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): MPN Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Azure AD).

-1. Ensure that either the publisher domain or a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your MPN account.

-1. Click **Add MPN ID to verify publisher** near the bottom of the page.

-1. Enter the **MPN ID** for:

- - A valid Microsoft Partner Network account that has completed the verification process.

-For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Leveraging-the-broker-on-iOS).

-The methods for pop-up experience (`loginPopup`, `acquireTokenPopup`) return promises, so you can use the promise pattern (.then and .catch) to handle them as shown:

-> Public preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory** > **App registrations** > your registered app

-The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopeToConsent` builder method.

-You should use the `.WithExtraScopeToConsent` modifier which has the *extraScopesToConsent* parameter as shown in the following example:

- .WithExtraScopeToConsent(scopesForVendorApi)

-This will get you an access token for the first web API. Then, to access the second web API you can silently acquire the token from the token cache:

-AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync();

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**.

-1. Select the application you want to configure optional claims for in the list.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page.

-1. Search for and select **Azure Active Directory**.

-1. Select the application you want to configure optional claims for in the list.

- - idToken for the OIDC ID token

- - accessToken for the OAuth access token

- - Saml2Token for SAML tokens.

- The Saml2Token type applies to both SAML1.1 and SAML2.0 format tokens.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**.

-1. Find the application you want to configure optional claims for in the list and select it.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page.

-1. Search for and select **Azure Active Directory**.

-1. Find the application you want to configure optional claims for in the list and select it.

-## Next steps

-description: Learn about how permissions requests work for client and resource applications for applications you are developing

-# How to select permissions for a given API

-## Recommended documents

-## Next steps

-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

-When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (MCPP), formerly known as Microsoft Partner Network (MPN), account that's been [verified](/partner-center/verification-responses) and associating the verified PartnerID with an app registration.

- > The MPN account you use for publisher verification can't be your partner location MPN ID. Currently, location MPN IDs aren't supported for the publisher verification process.

- - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): MPN Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD).

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/JavaDaemonQuickstartPage/sourceType/docs) quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-[preview-tos]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/

-description: How to find the authentication endpoints for a custom application you're developing or registering with Azure AD.

-# How to discover endpoints

-You can find the authentication endpoints for your application in the [Azure portal](https://portal.azure.com).

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu.

- The **Endpoints** page is displayed, showing the authentication endpoints for your tenant.

-

- Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application.

-**National clouds** (for example Azure AD China, Germany, and US Government) have their own app registration portal and Azure AD authentication endpoints. Learn more in the [National clouds overview](authentication-national-cloud.md).

-## Next steps

-For more information about endpoints in the different Azure environments, see the [National clouds overview](authentication-national-cloud.md).

-description: Guidance for registering a custom developed application with Azure AD

-# Azure portal registration fields for custom-developed apps

-This article gives you a brief description of all the available fields in the application registration form in the [Azure portal](https://portal.azure.com).

-## Register a new application

-## Fields in the application registration form

-| Field | Description |

-|||

-| Name | The name of the application. It should have a minimum of four characters. |

-| Supported account types| Select which accounts you would like your application to support: accounts in this organizational directory only, accounts in any organizational directory, or accounts in any organizational directory and personal Microsoft accounts. |

-| Redirect URI (optional) | Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application. For web applications, provide the base URL of your app. For example, http://localhost:31544 might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as myapp://auth. To see specific examples for web applications or native applications, check out our [quickstarts](./index.yml).|

-Once you have filled the above fields, the application is registered in the Azure portal, and you are redirected to the application overview page. The settings pages in the left pane under **Manage** have more fields for you to customize your application. The tables below describe all the fields. You would only see a subset of these fields, depending on whether you created a web application or a public client application.

-### Overview

-| Field | Description |

-|--|--|

-| Application ID | When you register an application, Azure AD assigns your application an Application ID. The application ID can be used to uniquely identify your application in authentication requests to Azure AD, as well as to access resources like the Graph API. |

-| App ID URI | This should be a unique URI, usually of the form **https://&lt;tenant\_name&gt;/&lt;application\_name&gt;.** This is used during the authorization grant flow, as a unique identifier to specify the resource that the token should be issued for. It also becomes the 'aud' claim in the issued access token. |

-### Branding

-| Field | Description |

-|--|--|

-| Upload new logo | You can use this to upload a logo for your application. The logo must be in .bmp, .jpg or .png format, and the file size should be less than 100 KB. The dimensions for the image should be 215x215 pixels, with central image dimensions of 94x94 pixels.|

-| Home page URL | This is the sign-on URL specified during application registration.|

-### Authentication

-| Field | Description |

-|--|--|

-| Front-channel logout URL | This is the single sign-out logout URL. Azure AD sends a logout request to this URL when the user clears their session with Azure AD using any other registered application.|

-| Supported account types | This switch specifies whether the application can be used by multiple tenants. Typically, this means that external organizations can use your application by registering it in their tenant and granting access to their organization's data.|

-| Redirect URLs | The redirect, or reply, URLs are the endpoints where Azure AD returns any tokens that your application requests. For native applications, this is where the user is sent after successful authorization. Azure AD checks that the redirect URI your application supplies in the OAuth 2.0 request matches one of the registered values in the portal.|

-### Certificates and secrets

-| Field | Description |

-|--|--|

-| Client secrets | You can create client secrets, or keys, to programmatically access web APIs secured by Azure AD without any user interaction. From the **New client secret** page, enter a key description and the expiration date and save to generate the key. Make sure to save it somewhere secure, as you won't be able to access it later. |

-## Next steps

-[Managing Applications with Azure Active Directory](../manage-apps/what-is-application-management.md)

-description: How to configure single sign-on for a custom application you are developing and registering with Azure AD.

-# How to configure single sign-on for an application

-Enabling federated single sign-on (SSO) in your app is automatically enabled when federating through Azure AD for OpenID Connect, SAML 2.0, or WS-Fed. If your end users are having to sign in despite already having an existing session with Azure AD, itΓÇÖs likely your app may be misconfigured.

-* If youΓÇÖre using Microsoft Authentication Library (MSAL), make sure you have **PromptBehavior** set to **Auto** rather than **Always**.

-* If youΓÇÖre building a mobile app, you may need additional configurations to enable brokered or non-brokered SSO.

-For Android, see [Enabling Cross App SSO in Android](msal-android-single-sign-on.md).

-For iOS, see [Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md).

-## Next steps

-[Azure AD SSO](../manage-apps/what-is-single-sign-on.md)<br>

-[Enabling Cross App SSO in Android](msal-android-single-sign-on.md)<br>

-[Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md)<br>

-[Integrating Apps to AzureAD](./quickstart-register-app.md)<br>

-[Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md)<br>

-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

-The maximum number of redirect URIS can't be raised for [security reasons](#restrictions-on-wildcards-in-redirect-uris). If your scenario requires more redirect URIs than the maximum limit allowed, consider the following [state parameter approach](#use-a-state-parameter) as the solution.

-To view or edit the claims issued in the SAML token to the application, open the application in Azure portal. Then open the **Attributes & Claims** section.

- :::image type="content" source="./media/saml-claims-customization/saml-sso-manage-user-claims.png" alt-text="Screenshot of editing the nameID (name identifier) value in the Azure portal.":::

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the **User Attributes & Claims** section, select **Edit** to edit the claims.

-1. Select the required claim that you want to modify.

-1. Enter the constant value without quotes in the **Source attribute** as per your organization and select **Save**.

- :::image type="content" source="./media/saml-claims-customization/organization-attribute.png" alt-text="Screenshot of the organization Attributes & Claims section in the Azure portal.":::

-1. The constant value is displayed as shown in the following image.

- :::image type="content" source="./media/saml-claims-customization/edit-attributes-claims.png" alt-text="Screenshot of editing in the Attributes & Claims section in the Azure portal.":::

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the **User Attributes & Claims** section, select **Edit** to edit the claims.

-1. Select **Add new claim** or edit an existing claim.

- :::image type="content" source="./media/saml-claims-customization/mv-extension-1.jpg" alt-text="Screenshot of the MultiValue extension configuration section in the Azure portal.":::

- :::image type="content" source="./media/saml-claims-customization/mv-extension-2.jpg" alt-text="Screenshot of the source application selection in MultiValue extension configuration section in the Azure portal.":::

-1. In **User Attributes & Claims**, select **Add new claim** to open the **Manage user claims** page.

- :::image type="content" source="./media/saml-claims-customization/mv-extension-4.png" alt-text="Screenshot of claims transformation.":::

-*Microsoft.Identity.Web* adds extension methods to the Controller that provide convenience services to call Microsoft Graph or a downstream web API, or to get an authorization header, or even a token. The methods used to call an API directly are explained in detail in [A web app that calls web APIs: Call an API](scenario-web-app-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token.

-If, however, you do want to manually acquire a token or build an authorization header, the following code shows how to use *Microsoft.Identity.Web* to do so in a controller. It calls an API (Microsoft Graph) using the REST API instead of the Microsoft Graph SDK.

-The controller methods are protected by an `[Authorize]` attribute that ensures only authenticated users can use the web app.

-In the Java sample, the code that calls an API is in the getUsersFromGraph method in [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62).

-In the Node.js sample, the code that acquires a token is in the *acquireToken* method of the **AuthProvider** class.

-In the Python sample, the code that calls the API is in `app.py`.

-description: Learn how to configure an application as multi-tenant, and how multi-tenant applications work

-# How to configure a new multi-tenant application

-Here is a list of recommended topics to learn more about multi-tenant applications:

-## Next steps

-[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html)

-| ID | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. |

-| Version | Required | This parameter should be set to **2.0**. |

-| IssueInstant | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. |

-| AssertionConsumerServiceURL | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. |

-| ForceAuthn | Optional | This is a boolean value. If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Azure AD. |

-| IsPassive | Optional | This is a boolean value that specifies whether Azure AD should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Azure AD will attempt to authenticate the user using the session cookie. |

-All other `AuthnRequest` attributes, such as Consent, Destination, AssertionConsumerServiceIndex, AttributeConsumerServiceIndex, and ProviderName are **ignored**.

-| API permissions (`requiredResourceAccess`) | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs. | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs. | Maximum of 50 resources per application and 30 permissions per resource (for example, Microsoft Graph). Total limit of 200 per application (resources x permissions). |

-1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

-2. Go to **Users**.

-3. Click on **New guest user** and invite your work account email address.

-4. Repeat for other members of the development and/or testing team for your application.

-1. Sign in to the [Azure portal](https://portal.azure.com), then select on **Azure Active Directory**.

-2. Go to **Users**.

-3. Click **New user** and create some new test users in your directory.

-1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account.

-1. Go to **Azure Active Directory** > **Enterprise applications** > **Conditional Access**.

-1. Click on **New policy**

-1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account.

-1. Click on **Azure Active Directory**.

-1. Go to **Enterprise applications**.

-1. From your production tenant, go to **Azure Active Directory** > **Enterprise applications** > **Consent and permissions** > **User consent** settings. Copy the settings there to your test tenant.

-1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

-2. Go to **Users**.

-3. Select **New user** and create some new test users in your directory.

-1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

-2. Go to **Groups**.

-3. Click **New group**.

-4. Select either **Security** or **Microsoft 365** for group type.

-5. Name your group.

-6. Add the test users created in the previous step.

-2. Review the instructions to [mark an app as publisher verified](mark-app-as-publisher-verified.md) and ensure all steps have been performed successfully.

-3. Review the list of [common issues](#common-issues).

-4. Reproduce the request using [Graph Explorer](#making-microsoft-graph-api-calls) to gather more info and rule out any issues in the UI.

- 1. Navigate to the [MPN enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new).

- 2. Sign in with a user account in the org's primary Azure AD tenant.

- 3. If an MPN account already exists, this is recognized and you are added to the account.

- 4. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed.

- 1. Sign in to the [Azure portal](https://portal.azure.com) using a user account in your organization's primary tenant.

- 1. Browse to **Azure Active Directory** > [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators).

- 3. Select the desired admin role.

- 4. The list of users assigned that role will be displayed.

- Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles.

-> *verifiedPublisherID* is your MPN ID.

-The MPN ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid MPN ID and try again.

-Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Partner Center- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. Can also be caused by the tenant the app is registered in not being added to the MPN account, or an invalid MPN ID.

- - The MPN ID is correct.

- - There are no errors or ΓÇ£pending actionsΓÇ¥ shown, and the verification status under Legal business profile and Partner info both say ΓÇ£authorizedΓÇ¥ or ΓÇ£successΓÇ¥.

-2. Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the [multi-tenant-account instructions](/partner-center/multi-tenant-account). All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account.

-3. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions for [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions).

-The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

-Most commonly caused when an MPN ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details.

-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab

-2. Use the Partner ID with type PartnerGlobal

-The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

-Most commonly caused by the wrong MPN ID being provided.

-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab

-2. Use the Partner ID with type PartnerGlobal

-The MPN ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again.

-Most commonly caused by when the MPN account hasn't completed the [verification](/partner-center/verification-responses) process.

-2. If not, view pending action items in Partner Center and troubleshoot with [here](/partner-center/verification-responses)

-The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

-Most commonly caused by the wrong MPN ID being provided.

-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab

-2. Use the Partner ID with type PartnerGlobal

-The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again.

-Most commonly caused by the wrong MPN ID being provided.

-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab

-2. Use the Partner ID with type PartnerGlobal

-The target application (`AppId`) canΓÇÖt be found. Provide a valid application ID and try again.

-1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application)

-2. Log in to [Azure Active Directory](https://aad.portal.azure.com/) with a user account in your organization's primary tenant > Azure Active Directory > App Registrations blade

-3. Find your app's registration to view the Object ID

-1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application)

-2. Log in to [Azure Active Directory](https://aad.portal.azure.com/) with a user account in your organization's primary tenant > Azure Active Directory > App Registrations blade

-3. Find your app's registration to view the Object ID

-1. Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain

-2. The domain used to perform email verification in Partner Center is the portion after the ΓÇ£@ΓÇ¥ in the Primary ContactΓÇÖs email

-3. Log in to [Azure Active Directory](https://aad.portal.azure.com/) > Azure Active Directory > App Registrations blade > (`Your App`) > Branding and Properties

-4. Select **Update Publisher Domain** and follow the instructions to **Verify a New Domain**.

-5. Add the domain used to perform email verification in Partner Center as a New Domain

-Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information.

-1. Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant.

-2. Navigate to [Role Management](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators).

-3. Select the desired admin role and click ΓÇ£Add AssignmentΓÇ¥ if you have sufficient permissions.

-4. If you do not have sufficient permissions, contact an admin role for assistance

-The MPN ID wasn't provided in the request body or the request content type wasn't "application/json".

-Most commonly caused when the verification is being performed via Graph API, and the MPN ID wasnΓÇÖt provided in the request.

-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab

-2. Use the Partner ID with type PartnerGlobal in the request

-2. Retry Publisher Verification

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. Back in the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, under **Manage**, select **Authentication** > **Add a platform**, and then select **Mobile and desktop applications**.

-1. Under **Manage**, select **API permissions** > **Add a permission**.

-3. In the app registration portal, add the returned value in **RedirectUri** in the **Authentication** pane.

-The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios).

-# Microsoft identity platform and implicit grant flow

-> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned: `The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'`

-| `response_type` | required |Must include `id_token` for OpenID Connect sign-in. It may also include the response_type `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, user.read on Microsoft Graph). It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This id_token+code response is sometimes called the hybrid flow. |

-| `redirect_uri` | recommended |The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be URL-encoded. |

-| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (id_tokens), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. |

-| `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. |

-| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. |

-| `token_type` |Included if `response_type` includes `token`. Will always be `Bearer`. |

-| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token reference`](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested and `response_type` included `id_tokens`. |

->`https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=fragment&state=12345&nonce=678910&prompt=none&login_hint={your-username}`

-| `token_type` | Will always be `Bearer`. |

-| `scope` | Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). |

-The implicit grant does not provide refresh tokens. Both `id_token`s and `access_token`s will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. If you want to receive a new `id_token`, be sure to use `id_token` in the `response_type` and `scope=openid`, as well as a `nonce` parameter.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations > New registration**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations > New registration**.

-By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been *only* assigned the device administrator role to manage a device.

-## Manage the global administrators role

-To view and update the membership of the Global Administrator role, see:

-## Manage the device administrator role

-In the Azure portal, you can manage the device administrator role from **Device settings**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.

-1. Browse to **Azure Active Directory** > **Devices** > **Device settings**.

-To modify the device administrator role, configure **Additional local administrators on all Azure AD joined devices**.

-Device administrators are assigned to all Azure AD joined devices. You canΓÇÖt scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen:

-Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token.

-Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices.

- 1. Windows registers the device in the organizationΓÇÖs directory in Azure AD and enrolls it in mobile device management, if applicable.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Browse to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Browse to **Azure Active Directory** > **Users** > **All users**.

-**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure portal. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.

-1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices).

-2. Information on how to locate a device can be found in [How to manage device identities using the Azure portal](./manage-device-identities.md).

-3. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle.

-4. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-1. Sign in to the **Azure portal** as a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator).

-1. Browse to **Azure Active Directory** > **Devices** > **Device settings**

- 

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Browse to **Azure Active Directory** > **Enterprise applications**.

-> If a device object with the same displayMame as the hostname of a VM where an extension is installed exists, the VM fails to join Azure AD with a hostname duplication error. Avoid duplication by [modifying the hostname](../../virtual-network/virtual-networks-viewing-and-modifying-hostnames.md#modify-a-hostname).

- 

- > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID** in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Browse to **Azure Active Directory** > **Enterprise applications**.

-* If you have multiple verified domain names (as shown in the Azure portal or via the **Get-MsolDomain** cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule:

-Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. If installing the required version of Azure AD Connect isn't an option for you, see [how to manually configure device registration](hybrid-join-manual.md).

-[](./media/manage-device-identities/devices-azure-portal.png#lightbox)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-[](./media/manage-device-identities/all-devices-azure-portal.png#lightbox)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Go to **Azure Active Directory** > **Devices** > **All devices**.

-3. Select the **Preview features** button.

-4. Turn on the toggle that says **Enhanced devices list experience**. Select **Apply**.

-5. Refresh your browser.

-You must be assigned one of the following roles to view device settings in the Azure portal:

-You must be assigned one of the following roles to manage device settings in the Azure portal:

-#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data.

- :::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot of a page in the Azure portal listing the name, owner, and other information on devices. One column lists the activity time stamp." border="false":::

-To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md)

-1. Sign in to the **Azure portal**.

-1. Browse to **Azure Active Directory** > **Devices** > **Diagnose and solve problems**.

-| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled in the Azure portal. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. |

-If the device wasn't hybrid Azure AD joined, you can attempt to do hybrid Azure AD join by clicking on the "Join" button. If the attempt to do hybrid Azure AD join fails, the details about the failure will be shown.

- - If your organization uses Azure AD Seamless Single Sign-On, `https://autologon.microsoftazuread-sso.com` or `https://aadg.windows.net.nsatc.net` aren't present on the device's IE intranet settings.

-Re-register the device based on the device join type. For instructions, see [I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on the device says it's still registered. What should I do?](./faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do).

-Microsoft 365 group writeback is a public preview feature of Azure Active Directory (Azure AD) and is available with any paid Azure AD license plan. For some legal information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-Import-Module Microsoft.Graph

-# Connect to the Microsoft Graph

-Connect-MgGraph

-# Get the group to be processed

-$groupId = "48ca647b-7e4d-41e5-aa66-40cab1e19101"

-# Get the license to be removed - Office 365 E3

-$skuId = "contoso:ENTERPRISEPACK"

-# Minimum set of service plans we know are inherited by this group

-$expectedDisabledPlans = @("Exchange Online", "SharePoint Online", "Lync Online")

-# Get the users in the group

-$users = Get-MgUser -GroupObjectId $groupId

-# For each user, get the license for the specified SKU

-foreach ($user in $users) {

- $license = GetUserLicense $user $skuId

- # If the user has the license assigned directly, continue to the next user

- if (UserHasLicenseAssignedDirectly $user $skuId) {

- continue

- }

- # If the user is inheriting the license from the specified group, continue to the next user

- if (UserHasLicenseAssignedFromThisGroup $user $skuId $groupId) {

- continue

- }

- # Get the list of disabled service plans for the SKU

- $disabledPlans = GetDisabledPlansForSKU $skuId $expectedDisabledPlans

- # Get the list of unexpected enabled plans for the user

- $extraPlans = GetUnexpectedEnabledPlansForUser $user $skuId $expectedDisabledPlans

- # If there are any unexpected enabled plans, print them to the console

- if ($extraPlans.Count -gt 0) {

- Write-Warning "The user $user has the following unexpected enabled plans for the $skuId SKU: $extraPlans"

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user.

- 

-1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**.

-1. Select **Applications** > **App registrations**.

-1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**.

-1. Select **Applications** > **App registrations**.

-1. Sign in to your organization's [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. From the left menu, select **Azure Active Directory** > **Overview**.

-1. On the overview page, select **Manage tenants**

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. In the search bar, type and select **Company branding**.

-1. Under **Default sign-in** select **Edit**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1.If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.

-1. In the search bar, type and select **Company branding**.

-1. Under **Default sign-in experience**, select **Edit**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. In the search bar, type and select **Company branding**.

-1. Under **Browser language customizations**, select **Add browser language**.

- - Turkish (Turkey)

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-3. In the left menu, select **Azure Active Directory** > **External Identities**.

-4. Select **User flows**.

-1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**.

-1. Select **External Identities** > **Overview**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**.

-1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**.

-1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. In the navigation pane, select **Azure Active Directory**.

-1. Select **External Identities** > **User flows**.

- 1. Select **Protect & secure** from the sidebar under **Azure Active Directory** and then **Authentication methods** > **Policies**.

- 1. Under **Method** select **Email OTP (preview)**.

- > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as the global administrator of your customer tenant.

-1. Go to **Azure Active Directory** > **External Identities** > **All identity providers**.

-1. In your customer tenant, go to **Azure Active Directory** > **External Identities** > **User flows**.

- > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as the global administrator of your customer tenant.

-1. Go to **Azure Active Directory** > **External Identities** > **All identity providers**.

-1. In your customer tenant, go to **Azure Active Directory** > **External Identities** > **User flows**.

-1. Browse to **Azure Active Directory** > **Protect & secure** > **Security Center**.

-1. In the [Microsoft Entra admin center](https://entra.microsoft.com), browse to **Azure Active Directory** > **Protect & secure** > **Security Center**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Roles & admins** > **Roles & admins**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions.

-1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**.

-1. Under **Azure Active Directory**, select **Users** > **All users**.

-1. Make sure you're using the directory that contains your Azure AD customer tenant: Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar and find your customer tenant in the list. If it's not the current directory, select **Switch**.

-1. Browse to **Azure Active Directory** > **Protect & secure** > **Security Center**.

-1. Sign in to your customer tenant in the [Microsoft Entra admin center](https://entra.microsoft.com).

-1. Browse to **Azure Active Directory** > **Protect & secure** > **Authentication Methods**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant:

-

- 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

-

- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**.

-1. On the sidebar menu, select **Azure Active Directory**.

-1. Select **Applications**, then select **App Registrations**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant:

-

- 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

-

- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**.

-1. On the sidebar menu, select **Azure Active Directory**.

-1. Select **Applications**, then select **App Registrations**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant:

-

- 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

-

- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**.

-1. On the sidebar menu, select **Azure Active Directory**.

-1. Select **Applications**, then select **App Registrations**.

-description: Learn how to configure authentication for a vanilla JavaScript single-page app (SPA) with your Azure Active Directory (AD) for customers tenant.

-#Customer intent: As a developer, I want to learn how to configure vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant.

-# Tutorial: Handle authentication flows in a vanilla JavaScript single-page app

-In the [previous article](./how-to-single-page-app-vanillajs-prepare-app.md), you created a vanilla JavaScript (JS) single-page application (SPA) and a server to host it. This tutorial demonstrates how to configure the application to authenticate and authorize users to access protected resources.

-In this tutorial;

-> [!div class="checklist"]

-> * Configure the settings for the application

-> * Add code to *authRedirect.js* to handle the authentication flow

-> * Add code to *authPopup.js* to handle the authentication flow

-## Prerequisites

-* Completion of the prerequisites and steps in [Prepare a single-page application for authentication](how-to-single-page-app-vanillajs-prepare-app.md).

-## Edit the authentication configuration file

-The application uses the [Implicit Grant Flow](../../develop/v2-oauth2-implicit-grant-flow.md) to authenticate users. The Implicit Grant Flow is a browser-based flow that doesn't require a back-end server. The flow redirects the user to the sign-in page, where the user signs in and consents to the permissions that are being requested by the application. The purpose of *authConfig.js* is to configure the authentication flow.

-1. Open *public/authConfig.js* and add the following code snippet:

- ```javascript

- /**

- * Configuration object to be passed to MSAL instance on creation.

- * For a full list of MSAL.js configuration parameters, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md

- */

- const msalConfig = {

- auth: {

- clientId: 'Enter_the_Application_Id_Here', // This is the ONLY mandatory field that you need to supply.

- authority: 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace "Enter_the_Tenant_Subdomain_Here" with your tenant subdomain

- redirectUri: '/', // You must register this URI on Azure Portal/App Registration. Defaults to window.location.href e.g. http://localhost:3000/

- navigateToLoginRequestUrl: true, // If "true", will navigate back to the original request location before processing the auth code response.

- },

- cache: {

- cacheLocation: 'sessionStorage', // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO.

- storeAuthStateInCookie: false, // set this to true if you have to support IE

- },

- system: {

- loggerOptions: {

- loggerCallback: (level, message, containsPii) => {

- if (containsPii) {

- return;

- }

- switch (level) {

- case msal.LogLevel.Error:

- console.error(message);

- return;

- case msal.LogLevel.Info:

- console.info(message);

- return;

- case msal.LogLevel.Verbose:

- console.debug(message);

- return;

- case msal.LogLevel.Warning:

- console.warn(message);

- return;

- }

- },

- },

- },

- };

-

- /**

- * An optional silentRequest object can be used to achieve silent SSO

- * between applications by providing a "login_hint" property.

- */

-

- // const silentRequest = {

- // scopes: ["openid", "profile"],

- // loginHint: "example@domain.net"

- // };

-

- // exporting config object for jest

- if (typeof exports !== 'undefined') {

- module.exports = {

- msalConfig: msalConfig,

- loginRequest: loginRequest,

- };

- }

- ```

-1. Replace the following values with the values from the Azure portal:

- - Find the `Enter_the_Application_Id_Here` value and replace it with the **Application ID (clientId)** of the app you registered in the Microsoft Entra admin center.

- - In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, [learn how to read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

-2. Save the file.

-## Adding code to the redirection file

-A redirection file is required to handle the response from the sign-in page. It is used to extract the access token from the URL fragment and use it to call the protected API. It is also used to handle errors that occur during the authentication process.

-1. Open *public/authRedirect.js* and add the following code snippet:

- ```javascript

- // Create the main myMSALObj instance

- // configuration parameters are located at authConfig.js

- const myMSALObj = new msal.PublicClientApplication(msalConfig);

-

- let username = "";

-

- /**

- * A promise handler needs to be registered for handling the

- * response returned from redirect flow. For more information, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/initialization.md#redirect-apis

- */

- myMSALObj.handleRedirectPromise()

- .then(handleResponse)

- .catch((error) => {

- console.error(error);

- });

-

- function selectAccount() {

-

- /**

- * See here for more info on account retrieval:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md

- */

-

- const currentAccounts = myMSALObj.getAllAccounts();

-

- if (!currentAccounts) {

- return;

- } else if (currentAccounts.length > 1) {

- // Add your account choosing logic here

- console.warn("Multiple accounts detected.");

- } else if (currentAccounts.length === 1) {

- welcomeUser(currentAccounts[0].username);

- updateTable(currentAccounts[0]);

- }

- }

-

- function handleResponse(response) {

-

- /**

- * To see the full list of response object properties, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response

- */

-

- if (response !== null) {

- welcomeUser(response.account.username);

- updateTable(response.account);

- } else {

- selectAccount();

- }

- }

-

- function signIn() {

-

- /**

- * You can pass a custom request object below. This will override the initial configuration. For more information, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request

- */

-

- myMSALObj.loginRedirect(loginRequest);

- }

-

- function signOut() {

-

- /**

- * You can pass a custom request object below. This will override the initial configuration. For more information, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request

- */

-

- // Choose which account to logout from by passing a username.

- const logoutRequest = {

- account: myMSALObj.getAccountByUsername(username),

- postLogoutRedirectUri: '/signout', // remove this line if you would like navigate to index page after logout.

-

- };

-

- myMSALObj.logoutRedirect(logoutRequest);

- }

- ```

-1. Save the file.

-## Adding code to the *authPopup.js* file

-The application uses *authPopup.js* to handle the authentication flow when the user signs in using the pop-up window. The pop-up window is used when the user is already signed in and the application needs to get an access token for a different resource.

-1. Open *public/authPopup.js* and add the following code snippet:

- ```javascript

- // Create the main myMSALObj instance

- // configuration parameters are located at authConfig.js

- const myMSALObj = new msal.PublicClientApplication(msalConfig);

-

- let username = "";

-

- function selectAccount () {

-

- /**

- * See here for more info on account retrieval:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md

- */

-

- const currentAccounts = myMSALObj.getAllAccounts();

-

- if (!currentAccounts || currentAccounts.length < 1) {

- return;

- } else if (currentAccounts.length > 1) {

- // Add your account choosing logic here

- console.warn("Multiple accounts detected.");

- } else if (currentAccounts.length === 1) {

- username = currentAccounts[0].username

- welcomeUser(currentAccounts[0].username);

- updateTable(currentAccounts[0]);

- }

- }

-

- function handleResponse(response) {

-

- /**

- * To see the full list of response object properties, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response

- */

-

- if (response !== null) {

- username = response.account.username

- welcomeUser(username);

- updateTable(response.account);

- } else {

- selectAccount();

- }

- }

-

- function signIn() {

-

- /**

- * You can pass a custom request object below. This will override the initial configuration. For more information, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request

- */

-

- myMSALObj.loginPopup(loginRequest)

- .then(handleResponse)

- .catch(error => {

- console.error(error);

- });

- }

-

- function signOut() {

-

- /**

- * You can pass a custom request object below. This will override the initial configuration. For more information, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request

- */

-

- // Choose which account to logout from by passing a username.

- const logoutRequest = {

- account: myMSALObj.getAccountByUsername(username),

- mainWindowRedirectUri: '/signout'

- };

-

- myMSALObj.logoutPopup(logoutRequest);

- }

-

- selectAccount();

- ```

-1. Save the file.

-## Next steps

-> [!div class="nextstepaction"]

-> [Sign in and sign out of the vanilla JS SPA](./how-to-single-page-app-vanillajs-sign-in-sign-out.md)

-description: Learn how to prepare a vanilla JavaScript single-page app (SPA) for authentication and authorization with your Azure Active Directory (AD) for customers tenant.

-#Customer intent: As a developer, I want to learn how to configure vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure AD for customers tenant.

-# Tutorial: Prepare a vanilla JavaScript single-page app for authentication in a customer tenant

-In the [previous article](./how-to-single-page-app-vanillajs-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (AD) for customers tenant. This article shows you how to create a vanilla JavaScript (JS) single-page app (SPA) and configure it to sign in and sign out users with your customer tenant.

-In this tutorial;

-> [!div class="checklist"]

-> * Create a vanilla JavaScript project in Visual Studio Code

-> * Install required packages

-> * Add code to *server.js* to create a server

-## Prerequisites

-* Completion of the prerequisites and steps in [Prepare your customer tenant to authenticate a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-prepare-tenant.md).

-* Although any integrated development environment (IDE) that supports vanilla JS applications can be used, **Visual Studio Code** is recommended for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page.

-* [Node.js](https://nodejs.org/en/download/).

-## Create a new vanilla JS project and install dependencies

-1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project.

-1. Open a new terminal by selecting **Terminal** > **New Terminal**.

-1. Run the following command to create a new vanilla JS project:

- ```powershell

- npm init -y

- ```

-1. Create additional folders and files to achieve the following project structure:

- ```

- ΓööΓöÇΓöÇ public

- ΓööΓöÇΓöÇ authConfig.js

- ΓööΓöÇΓöÇ authPopup.js

- ΓööΓöÇΓöÇ authRedirect.js

- ΓööΓöÇΓöÇ https://docsupdatetracker.net/index.html

- ΓööΓöÇΓöÇ signout.html

- ΓööΓöÇΓöÇ styles.css

- ΓööΓöÇΓöÇ ui.js

- ΓööΓöÇΓöÇ server.js

- ```

-

-## Install app dependencies

-1. In the **Terminal**, run the following command to install the required dependencies for the project:

- ```powershell

- npm install express morgan @azure/msal-browser

- ```

-## Edit the *server.js* file

-**Express** is a web application framework for **Node.js**. It's used to create a server that hosts the application. **Morgan** is the middleware that logs HTTP requests to the console. The server file is used to host these dependencies and contains the routes for the application. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview/).

-1. Add the following code snippet to the *server.js* file:

- ```javascript

- const express = require('express');

- const morgan = require('morgan');

- const path = require('path');

-

- const DEFAULT_PORT = process.env.PORT || 3000;

-

- // initialize express.

- const app = express();

-

- // Configure morgan module to log all requests.

- app.use(morgan('dev'));

-

- // serve public assets.

- app.use(express.static('public'));

-

- // serve msal-browser module

- app.use(express.static(path.join(__dirname, "node_modules/@azure/msal-browser/lib")));

-

- // set up a route for signout.html

- app.get('/signout', (req, res) => {

- res.sendFile(path.join(__dirname + '/public/signout.html'));

- });

-

- // set up a route for redirect.html

- app.get('/redirect', (req, res) => {

- res.sendFile(path.join(__dirname + '/public/redirect.html'));

- });

-

- // set up a route for https://docsupdatetracker.net/index.html

- app.get('/', (req, res) => {

- res.sendFile(path.join(__dirname + '/https://docsupdatetracker.net/index.html'));

- });

-

- app.listen(DEFAULT_PORT, () => {

- console.log(`Sample app listening on port ${DEFAULT_PORT}!`);

- });

- ```

-In this code, the **app** variable is initialized with the **express** module and **express** is used to serve the public assets. **Msal-browser** is served as a static asset and is used to initiate the authentication flow.

-## Next steps

-> [!div class="nextstepaction"]

-> [Configure SPA for authentication](how-to-single-page-app-vanillajs-configure-authentication.md)

-description: Learn how to configure your Azure Active Directory (AD) for customers tenant for authentication with a Vanilla JavaScript single-page app (SPA).

-#Customer intent: As a developer, I want to learn how to configure a vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant.

-# Tutorial: Prepare your customer tenant to authenticate a vanilla JavaScript single-page app

-This tutorial series demonstrates how to build a vanilla JavaScript single-page application (SPA) and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for JavaScript](/javascript/api/overview/msal-overview) library to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences.

-In this tutorial;

-> [!div class="checklist"]

-> * Register a SPA in the Microsoft Entra admin center, and record its identifiers

-> * Define the platform and URLs

-> * Grant permissions to the SPA to access the Microsoft Graph API

-> * Create a sign in and sign out user flow in the Microsoft Entra admin center

-> * Associate your SPA with the user flow

-## Prerequisites

- * Application administrator

- * Application developer

- * Cloud application administrator

-## Register the SPA and record identifiers

-## Add a platform redirect URL

-## Grant API permissions

-## Create a user flow

-## Associate the SPA with the user flow

-## Next steps

-> [!div class="nextstepaction"]

-> [Prepare your Vanilla JS SPA](how-to-single-page-app-vanillajs-prepare-app.md)

-description: Learn how to configure a Vanilla JavaScript single-page app (SPA) to sign in and sign out users with your Azure Active Directory (AD) for customers tenant.

-#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant.

-# Tutorial: Add sign-in and sign-out to a vanilla JavaScript single-page app for a customer tenant

-In the [previous article](how-to-single-page-app-vanillajs-configure-authentication.md), you edited the popup and redirection files that handle the sign-in page response. This tutorial demonstrates how to build a responsive user interface (UI) that contains a **Sign-In** and **Sign-Out** button and run the project to test the sign-in and sign-out functionality.

-In this tutorial;

-> [!div class="checklist"]

-> * Add code to the *https://docsupdatetracker.net/index.html* file to create the user interface

-> * Add code to the *signout.html* file to create the sign-out page

-> * Sign in and sign out of the application

-## Prerequisites

-* Completion of the prerequisites and steps in [Create components for authentication and authorization](how-to-single-page-app-vanillajs-configure-authentication.md).

-## Add code to the *https://docsupdatetracker.net/index.html* file

-The main page of the SPA, *https://docsupdatetracker.net/index.html*, is the first page that is loaded when the application is started. It's also the page that is loaded when the user selects the **Sign-Out** button.

-1. Open *public/https://docsupdatetracker.net/index.html* and add the following code snippet:

- ```html

- <!DOCTYPE html>

- <html lang="en">

-

- <head>

- <meta charset="UTF-8">

- <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">

- <title>Microsoft identity platform</title>

- <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon">

- <link rel="stylesheet" href="./styles.css">

-

- <!-- adding Bootstrap 5 for UI components -->

- <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/css/bootstrap.min.css" rel="stylesheet"

- integrity="sha384-Zenh87qX5JnK2Jl0vWa8Ck2rdkQ2Bzep5IDxbcnCeuOxjzrPF/et3URy9Bv1WTRi" crossorigin="anonymous">

-

- <!-- msal.min.js can be used in the place of msal-browser.js -->

- <script src="/msal-browser.min.js"></script>

- </head>

-

- <body>

- <nav class="navbar navbar-expand-sm navbar-dark bg-primary navbarStyle">

- <a class="navbar-brand" href="/">Microsoft identity platform</a>

- <div class="navbar-collapse justify-content-end">

- <button type="button" id="signIn" class="btn btn-secondary" onclick="signIn()">Sign-in</button>

- <button type="button" id="signOut" class="btn btn-success d-none" onclick="signOut()">Sign-out</button>

- </div>

- </nav>

- <br>

- <h5 id="title-div" class="card-header text-center">Vanilla JavaScript single-page application secured with MSAL.js

- </h5>

- <h5 id="welcome-div" class="card-header text-center d-none"></h5>

- <br>

- <div class="table-responsive-ms" id="table">

- <table id="table-div" class="table table-striped d-none">

- <thead id="table-head-div">

- <tr>

- <th>Claim Type</th>

- <th>Value</th>

- <th>Description</th>

- </tr>

- </thead>

- <tbody id="table-body-div">

- </tbody>

- </table>

- </div>

- <!-- importing bootstrap.js and supporting js libraries -->

- <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"

- integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous">

- </script>

- <script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.6/dist/umd/popper.min.js"

- integrity="sha384-oBqDVmMz9ATKxIep9tiCxS/Z9fNfEXiDAYTujMAeBAsjFuCZSmKbSSUnQlmh/jp3"

- crossorigin="anonymous"></script>

- <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/js/bootstrap.bundle.min.js"

- integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"

- crossorigin="anonymous"></script>

-

- <!-- importing app scripts (load order is important) -->

- <script type="text/javascript" src="./authConfig.js"></script>

- <script type="text/javascript" src="./ui.js"></script>

- <script type="text/javascript" src="./claimUtils.js"></script>

- <!-- <script type="text/javascript" src="./authRedirect.js"></script> -->

- <!-- uncomment the above line and comment the line below if you would like to use the redirect flow -->

- <script type="text/javascript" src="./authPopup.js"></script>

- </body>

-

- </html>

- ```

-1. Save the file.

-## Add code to the *signout.html* file

-1. Open *public/signout.html* and add the following code snippet:

- ```html

- <!DOCTYPE html>

- <html lang="en">

- <head>

- <meta charset="UTF-8">

- <meta name="viewport" content="width=device-width, initial-scale=1.0">

- <title>Azure AD | Vanilla JavaScript SPA</title>

- <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon">

-

- <!-- adding Bootstrap 4 for UI components -->

- <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">

- </head>

- <body>

- <div class="jumbotron" style="margin: 10%">

- <h1>Goodbye!</h1>

- <p>You have signed out and your cache has been cleared.</p>

- <a class="btn btn-primary" href="/" role="button">Take me back</a>

- </div>

- </body>

- </html>

- ```

-1. Save the file.

-## Add code to the *ui.js* file

-When authorization has been configured, the user interface can be created to allow users to sign in and sign out when the project is run. To build the user interface (UI) for the application, [Bootstrap](https://getbootstrap.com/) is used to create a responsive UI that contains a **Sign-In** and **Sign-Out** button.

-1. Open *public/ui.js* and add the following code snippet:

- ```javascript

- // Select DOM elements to work with

- const signInButton = document.getElementById('signIn');

- const signOutButton = document.getElementById('signOut');

- const titleDiv = document.getElementById('title-div');

- const welcomeDiv = document.getElementById('welcome-div');

- const tableDiv = document.getElementById('table-div');

- const tableBody = document.getElementById('table-body-div');

-

- function welcomeUser(username) {

- signInButton.classList.add('d-none');

- signOutButton.classList.remove('d-none');

- titleDiv.classList.add('d-none');

- welcomeDiv.classList.remove('d-none');

- welcomeDiv.innerHTML = `Welcome ${username}!`;

- };

-

- function updateTable(account) {

- tableDiv.classList.remove('d-none');

-

- const tokenClaims = createClaimsTable(account.idTokenClaims);

-

- Object.keys(tokenClaims).forEach((key) => {

- let row = tableBody.insertRow(0);

- let cell1 = row.insertCell(0);

- let cell2 = row.insertCell(1);

- let cell3 = row.insertCell(2);

- cell1.innerHTML = tokenClaims[key][0];

- cell2.innerHTML = tokenClaims[key][1];

- cell3.innerHTML = tokenClaims[key][2];

- });

- };

- ```

-1. Save the file.

-## Add code to the *styles.css* file

-1. Open *public/styles.css* and add the following code snippet:

- ```css

- .navbarStyle {

- padding: .5rem 1rem !important;

- }

-

- .table-responsive-ms {

- max-height: 39rem !important;

- padding-left: 10%;

- padding-right: 10%;

- }

- ```

-1. Save the file.

-## Run your project and sign in

-Now that all the required code snippets have been added, the application can be called and tested in a web browser.

-1. Open a new terminal and run the following command to start your express web server.

- ```powershell

- npm start

- ```

-1. Open a new private browser, and enter the application URI into the browser, `http://localhost:3000/`.

-1. Select **No account? Create one**, which starts the sign-up flow.

-1. In the **Create account** window, enter the email address registered to your Azure Active Directory (AD) for customers tenant, which starts the sign-up flow as a user for your application.

-1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed.

- 1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**.

-1. The SPA will now display a button saying **Request Profile Information**. Select it to display profile data.

- :::image type="content" source="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png" alt-text="Screenshot of sign in into a vanilla JS SPA." lightbox="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png":::

-## Sign out of the application

-1. To sign out of the application, select **Sign out** in the navigation bar.

-1. A window appears asking which account to sign out of.

-1. Upon successful sign out, a final window appears advising you to close all browser windows.

-## Next steps

-1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory** > **External Identities** > **User flows**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant.

-1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**.

-1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**.

-1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**.

-In production, you should purchase a certificate signed by a well-known certificate authority, and use [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) to manage certificate access and lifetime for you. However, for testing purposes, you can create a self-signed certificate and configure your apps to authenticate with it.

-In this article, you learn to generate a self-signed certificate by using [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) on the Azure portal, OpenSSL or Windows PowerShell.

-1. Locate the file that contains your MSAL configuration object, such as `msalConfig` in *authConfig.js*, then update it to look similar to the following code:

- //clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app registration in Azure portal

-1. Locate the file that contains your MSAL configuration object, such as `msalConfig` in *authConfig.js*, then comment the `clientSecret` property:

- //clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app registration in Azure portal

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant:

- 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**.

-1. On the sidebar menu, select **Azure Active Directory**.

-1. Select **Applications**, then select **App Registrations**.

-1. Sign in to your organization's [Microsoft Entra admin center](https://entra.microsoft.com/).

-1. From the left menu, select **Azure Active Directory** > **Overview**.

-1. Select **Manage tenants** at the top of the page.

-1. Ensure that you're signed in to the directory that you want to delete through the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the Azure portal. Switch to the target directory if needed.

-1. From the left menu, select **Azure Active Directory** > **Overview**.

-1. Select **Manage tenants** at the top of the page.

-description: Learn how to configure a sample JavaSCript single-page application (SPA) to sign in and sign out users.

-1. Select **No account? Create one**, which starts the sign-up flow.

-1. In the **Create account** window, enter the email address registered to your customer tenant, which starts the sign-up flow as a user for your application.

-1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed.

-1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**.

-> | JavaScript, Vanilla | &#8226; [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | &#8226; [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) |

-> | Single-page application | &#8226; [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | &#8226; [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) |

-# Customer intent: As a tenant administrator, I want to customize the invitation process with the API.

-# Customer intent: As a tenant administrator, I want to set up Facebook as an identity provider for guest user login.

-> The **Tenant restrictions** settings, which are included with cross-tenant access settings, are preview features of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-| | |

-|||

- - **Select external applications**: Lets you choose the external applications you want the action under **Access status** to apply to. To select applications, choose **Add Microsoft applications** or **Add other applications**. Then search by the application name or the application ID (either the *client app ID* or the *resource app ID*) and select the app. ([See a list of IDs for commonly used Microsoft applications.](https://learn.microsoft.com/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)) If you want to add more apps, use the **Add** button. When you're done, select **Submit**.

- - In the search box, type the application name or the application ID (either the *client app ID* or the *resource app ID*). ([See a list of IDs for commonly used Microsoft applications.](https://learn.microsoft.com/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)) For our Microsoft Learn example, we enter the application ID `18fbca16-2224-45f6-85b0-f7bf2b39b3f3`.

-# Customer intent: As a tenant administrator, I want to learn about B2B collaboration guest user properties and states before and after invitation redemption.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-* **Reason for customer data egress** - Some forms of communication rely on a network that is operated by global providers, such as phone calls and SMS. Device vendor-specific services such Apple Push Notifications, may be outside of Europe.

-The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-# What is the identity secure score in Azure Active Directory?

-How secure is your Azure AD tenant? If you don't know how to answer this question, this article explains how the identity secure score helps you to monitor and improve your identity security posture.

-## What is an identity secure score?

-The identity secure score is percentage that functions as an indicator for how aligned you are with Microsoft's best practice recommendations for security. Each improvement action in identity secure score is tailored to your specific configuration.

-The score helps you to:

-The identity secure score is available in all editions of Azure AD. Organizations can access their identity secure score from the **Azure portal** > **Azure Active Directory** > **Security** > **Identity Secure Score**.

-Every 48 hours, Azure looks at your security configuration and compares your settings with the recommended best practices. Based on the outcome of this evaluation, a new score is calculated for your directory. ItΓÇÖs possible that your security configuration isnΓÇÖt fully aligned with the best practice guidance and the improvement actions are only partially met. In these scenarios, you will only be awarded a portion of the max score available for the control.

-Each recommendation is measured based on your Azure AD configuration. If you are using third-party products to enable a best practice recommendation, you can indicate this configuration in the settings of an improvement action. You also have the option to set recommendations to be ignored if they don't apply to your environment. An ignored recommendation does not contribute to the calculation of your score.

-* Global administrator

-* Security administrator

-* Exchange administrator

-* SharePoint administrator

-* Helpdesk administrator

-* User administrator

-* Service support administrator

-* Security reader

-* Security operator

-* Global reader

-Controls can be scored in two ways. Some are scored in a binary fashion - you get 100% of the score if you have the feature or setting configured based on our recommendation. Other scores are calculated as a percentage of the total configuration. For example, if the improvement recommendation states youΓÇÖll get a maximum of 10.71% if you protect all your users with MFA and you only have 5 of 100 total users protected, you would be given a partial score around 0.53% (5 protected / 100 total * 10.71% maximum = 0.53% partial score).

-Actions labeled as [Not Scored] are ones you can perform in your organization but won't be scored because they aren't hooked up in the tool (yet!). So, you can still improve your security, but you won't get credit for those actions right now.

-In addition, the recommended actions:

-* Protect all users with a user risk policy

-* Protect all users with a sign-in risk policy

-Also won't give you credits when configured using Conditional Access Policies, yet, for the same reason as above. For now, these actions give credits only when configured through Identity Protection policies.

-Head over to the [Microsoft 365 Defender portal](https://security.microsoft.com/), where youΓÇÖll find your complete Microsoft secure score. You can easily see all the changes to your secure score by reviewing the in-depth changes on the history tab.

-In short, no. The secure score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted features that can offset the risk of being breached. No service can guarantee that you will not be breached, and the secure score should not be interpreted as a guarantee in any way.

-To unify the [Microsoft Entra](/entra) product family, reflect the progression to modern multicloud identity security, and simplify secure access experiences for all, we're renaming Azure Active Directory (Azure AD) to Microsoft Entra ID.

-## No action is required from you

-## Only the name is changing

-## Identity developer and devops experiences aren't impacted by the rename

-To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling.

-Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts.

-Naming is also not changing for:

-The name change will start appearing across Microsoft experiences after a 30-day notification period, which started July 11, 2023. Display names for SKUs and service plans will change on October 1, 2023. We expect most naming text string changes in Microsoft experiences to be completed by the end of 2023.

-All features and capabilities remain unchanged aside from the name. Customers can continue to use all features without any interruption.

-### How and when are customers being notified?

-The name changes are publicly announced as of July 11, 2023.

-Banners, alerts, and message center posts will notify users of the name change. These will be displayed on the tenant overview page, portals including Azure, Microsoft 365, and Microsoft Entra admin center, and Microsoft Learn.

-### What if I use the Azure AD name in my content or app?

-We'd like your help spreading the word about the name change and implementing it in your own experiences. If you're a content creator, author of internal documentation for IT or identity security admins, developer of Azure ADΓÇôenabled apps, independent software vendor, or Microsoft partner, we hope you use the naming guidance outlined in the following section ([Azure AD name changes and exceptions](#azure-ad-name-changes-and-exceptions)) to make the name change in your content and product experiences by the end of 2023.

-## Azure AD name changes and exceptions

-We encourage content creators, organizations with internal documentation for IT or identity security admins, developers of Azure AD-enabled apps, independent software vendors, or partners of Microsoft to stay current with the new naming guidance by updating copy by the end of 2023. We recommend changing the name in customer-facing experiences, prioritizing highly visible surfaces.

-### Product name

-Replace the product name "Azure Active Directory" or "Azure AD" or "AAD" with Microsoft Entra ID.

-*Microsoft Entra* is the correct name for the family of identity and network access solutions, one of which is *Microsoft Entra ID.*

-### Logo/icon

-Azure AD is becoming Microsoft Entra ID, and the product icon is also being updated. Work with your Microsoft partner organization to obtain the new product icon.

-### Feature names

-Capabilities or services formerly known as "Azure Active Directory &lt;feature name&gt;" or "Azure AD &lt;feature name&gt;" will be branded as Microsoft Entra product family features. For example:

-### Exceptions to Azure AD name change

-Products or features that are being deprecated aren't being renamed. These products or features include:

-Names that don't have "Azure AD" also aren't changing. These products or features include Active Directory Federation Services (AD FS), Microsoft identity platform, and Windows Server Active Directory Domain Services (AD DS).

-End users shouldn't be exposed to the Azure AD or Microsoft Entra ID name. For sign-ins and account user experiences, follow guidance for work and school accounts in [Sign in with Microsoft branding guidelines](../develop/howto-add-branding-in-apps.md).

-| [CF](https://www.cloudfoundry.org/) | Cloud Foundry. Cloud Foundry is the environment on which SAP built their multi-cloud offering for BTP (AWS, Azure, GCP, Alibaba). |

-Organization | <ul><li>Read all company information<li>Read all domains<li>Read configuration of certificate-based authentication<li>Read all partner contracts</li></ul> | <ul><li>Read company display name<li>Read all domains<li>Read configuration of certificate-based authentication</li></ul> | <ul><li>Read company display name<li>Read all domains</li></ul>

-This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a Windows 10+ device that is having an issue(s) and suggests remediation steps to resolve the issue(s). Admins can work with end user to collect client-side logs, and then upload them to this troubleshooter in the Entra Portal. For more information, see: [Troubleshooting Windows devices in Azure AD](../devices/troubleshoot-device-windows-joined.md).

-We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md).

-With this feature, IT administrators can now allow or restrict external identities to leave an organization by Microsoft provided self-service controls via Azure Active Directory in the Microsoft Entra portal. In order to restrict users to leave an organization, customers need to include "Global privacy contact" and "Privacy statement URL" under tenant properties.

-[Albourne Castle](https://village.albourne.com/castle), [Adra by Trintech](../saas-apps/adra-by-trintech-tutorial.md), [workhub](../saas-apps/workhub-tutorial.md), [4DX](../saas-apps/4dx-tutorial.md), [Ecospend IAM V1](https://iamapi.sb.ecospend.com/account/login), [TigerGraph](../saas-apps/tigergraph-tutorial.md), [Sketch](../saas-apps/sketch-tutorial.md), [Lattice](../saas-apps/lattice-tutorial.md), [snapADDY Single Sign On](https://app.snapaddy.com/login), [RELAYTO Content Experience Platform](https://relayto.com/signin), [oVice](https://tour.ovice.in/login), [Arena](../saas-apps/arena-tutorial.md), [QReserve](../saas-apps/qreserve-tutorial.md), [Curator](../saas-apps/curator-tutorial.md), [NetMotion Mobility](../saas-apps/netmotion-mobility-tutorial.md), [HackNotice](../saas-apps/hacknotice-tutorial.md), [ERA_EHS_CORE](../saas-apps/era-ehs-core-tutorial.md), [AnyClip Teams Connector](https://videomanager.anyclip.com/login), [Wiz SSO](../saas-apps/wiz-sso-tutorial.md), [Tango Reserve by AgilQuest (EU Instance)](../saas-apps/tango-reserve-tutorial.md), [valid8Me](../saas-apps/valid8me-tutorial.md), [Ahrtemis](../saas-apps/ahrtemis-tutorial.md), [KPMG Leasing Tool](../saas-apps/kpmg-tool-tutorial.md) [Mist Cloud Admin SSO](../saas-apps/mist-cloud-admin-tutorial.md), [Work-Happy](https://live.work-happy.com/?azure=true), [Ediwin SaaS EDI](../saas-apps/ediwin-saas-edi-tutorial.md), [LUSID](../saas-apps/lusid-tutorial.md), [Next Gen Math](https://nextgenmath.com/), [Total ID](https://www.tokyo-shoseki.co.jp/ict/), [Cheetah For Benelux](../saas-apps/cheetah-for-benelux-tutorial.md), [Live Center Australia](https://au.livecenter.com/), [Shop Floor Insight](https://www.dmsiworks.com/apps/shop-floor-insight), [Warehouse Insight](https://www.dmsiworks.com/apps/warehouse-insight), [myAOS](../saas-apps/myaos-tutorial.md), [Hero](https://admin.linc-ed.com/), [FigBytes](../saas-apps/figbytes-tutorial.md), [VerosoftDesign](https://verosoft-design.vercel.app/), [ViewpointOne - UK](https://identity-uk.team.viewpoint.com/), [EyeRate Reviews](https://azure-login.eyeratereviews.com/), [Lytx DriveCam](../saas-apps/lytx-drivecam-tutorial.md)

-## February 2022

-

-

-### General Availability - France digital accessibility requirement

-**Type:** Plan for change

-**Service category:** Other

-**Product capability:** End User Experiences

-

-This change provides users who are signing into Azure Active Directory on iOS, Android, and Web UI flavors information about the accessibility of Microsoft's online services via a link on the sign-in page. This ensures that the France digital accessibility compliance requirements are met. The change will only be available for French language experiences.[Learn more](https://www.microsoft.com/fr-fr/accessibility/accessibilite/accessibility-statement)

-

-

-### General Availability - Downloadable access review history report

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-

-With Azure Active Directory (Azure AD) Access Reviews, you can create a downloadable review history to help your organization gain more insight. The report pulls the decisions that were taken by reviewers when a report is created. These reports can be constructed to include specific access reviews, for a specific time frame, and can be filtered to include different review types and review results.[Learn more](../governance/access-reviews-downloadable-review-history.md)

-

-

-### Public Preview of Identity Protection for Workload Identities

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-

-Azure AD Identity Protection is extending its core capabilities of detecting, investigating, and remediating identity-based risk to workload identities. This allows organizations to better protect their applications, service principals, and managed identities. We're also extending Conditional Access so you can block at-risk workload identities. [Learn more](../identity-protection/concept-workload-identity-risk.md)

-

-

-### Public Preview - Cross-tenant access settings for B2B collaboration

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** Collaboration

-

-Cross-tenant access settings enable you to control how users in your organization collaborate with members of external Azure AD organizations. Now you have granular inbound and outbound access control settings that work on a per org, user, group, and application basis. These settings also make it possible for you to trust security claims from external Azure AD organizations like multi-factor authentication (MFA), device compliance, and hybrid Azure AD joined devices. [Learn more](../external-identities/cross-tenant-access-overview.md)

-

-

-### Public preview - Create Azure AD access reviews with multiple stages of reviewers

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-

-Use multi-stage reviews to create Azure AD access reviews in sequential stages, each with its own set of reviewers and configurations. Supports multiple stages of reviewers to satisfy scenarios such as: independent groups of reviewers reaching quorum, escalations to other reviewers, and reducing burden by allowing for later stage reviewers to see a filtered-down list. For public preview, multi-stage reviews are only supported on reviews of groups and applications. [Learn more](../governance/create-access-review.md)

-

-

-### New Federated Apps available in Azure AD Application gallery - February 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** Third Party Integration

-

-In February 2022 we added the following 20 new applications in our App gallery with Federation support:

-[Embark](../saas-apps/embark-tutorial.md), [FENCE-Mobile RemoteManager SSO](../saas-apps/fence-mobile-remotemanager-sso-tutorial.md), [カオナビ](../saas-apps/kao-navi-tutorial.md), [Adobe Identity Management (OIDC)](../saas-apps/adobe-identity-management-tutorial.md), [AppRemo](../saas-apps/appremo-tutorial.md), [Live Center](https://livecenter.norkon.net/Login), [Offishall](https://app.offishall.io/), [MoveWORK Flow](https://www.movework-flow.fm/login), [Cirros SL](https://www.cirros.net/), [ePMX Procurement Software](https://azure.epmxweb.com/admin/index.php?), [Vanta O365](https://app.vanta.com/connections), [Hubble](../saas-apps/hubble-tutorial.md), [Medigold Gateway](https://gateway.medigoldcore.com), [クラウドログ](../saas-apps/crowd-log-tutorial.md),[Amazing People Schools](../saas-apps/amazing-people-schools-tutorial.md), [XplicitTrust Network Access](https://console.xplicittrust.com/#/dashboard), [Spike Email - Mail & Team Chat](https://spikenow.com/web/), [AltheaSuite](https://planmanager.altheasuite.com/), [Balsamiq Wireframes](../saas-apps/balsamiq-wireframes-tutorial.md).

-You can also find the documentation of all the applications from here: [https://aka.ms/AppsTutorial](../saas-apps/tutorial-list.md),

-For listing your application in the Azure AD app gallery, please read the details here: [https://aka.ms/AzureADAppRequest](../manage-apps/v2-howto-app-gallery-listing.md)

-

-

-### Two new MDA detections in Identity Protection

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-

-Identity Protection has added two new detections from Microsoft Defender for Cloud Apps, (formerly MCAS). The Mass Access to Sensitive Files detection detects anomalous user activity, and the Unusual Addition of Credentials to an OAuth app detects suspicious service principal activity.[Learn more](../identity-protection/concept-identity-protection-risks.md)

-

-

-### Public preview - New provisioning connectors in the Azure AD Application Gallery - February 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-

-

-### General Availability - Privileged Identity Management (PIM) role activation for SharePoint Online enhancements

-**Type:** Changed feature

-**Service category:** Privileged Identity Management

-**Product capability:** Privileged Identity Management

-

-We've improved the Privileged Identity management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change rolls out in stages, so you might not yet see these improvements in your organization. [Learn more](../privileged-identity-management/pim-how-to-activate-role.md)

-

-We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md).

-## February 2023

-### General Availability - Expanding Privileged Identity Management Role Activation across the Azure portal

-**Type:** New feature

-**Service category:** Privileged Identity Management

-**Product capability:** Privileged Identity Management

-Privileged Identity Management (PIM) role activation has been expanded to the Billing and AD extensions in the Azure portal. Shortcuts have been added to Subscriptions (billing) and Access Control (AD) to allow users to activate PIM roles directly from these settings. From the Subscriptions settings, select **View eligible subscriptions** in the horizontal command menu to check your eligible, active, and expired assignments. From there, you can activate an eligible assignment in the same pane. In Access control (IAM) for a resource, you can now select **View my access** to see your currently active and eligible role assignments and activate directly. By integrating PIM capabilities into different Azure portal blades, this new feature allows users to gain temporary access to view or edit subscriptions and resources more easily.

-For more information Microsoft cloud settings, see: [Activate my Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-activate-your-roles.md).

-### General Availability - Follow Azure AD best practices with recommendations

-**Type:** New feature

-**Service category:** Reporting

-**Product capability:** Monitoring & Reporting

-Azure AD recommendations help you improve your tenant posture by surfacing opportunities to implement best practices. On a daily basis, Azure AD analyzes the configuration of your tenant. During this analysis, Azure AD compares the data of a recommendation with the actual configuration of your tenant. If a recommendation is flagged as applicable to your tenant, the recommendation appears in the Recommendations section of the Azure AD Overview.

-This release includes our first 3 recommendations:

-For more information, see:

-### Public Preview - Azure AD PIM + Conditional Access integration

-**Type:** New feature

-**Service category:** Privileged Identity Management

-**Product capability:** Privileged Identity Management

-Now you can require users who are eligible for a role to satisfy Conditional Access policy requirements for activation: use specific authentication method enforced through Authentication Strengths, activate from Intune compliant device, comply with Terms of Use, and use 3rd party MFA and satisfy location requirements.

-For more information, see: [Configure Azure AD role settings in Privileged Identity Management](../privileged-identity-management/pim-how-to-change-default-settings.md).

-### General Availability - More information on why a sign-in was flagged as "unfamiliar"

-**Type:** Changed feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-Unfamiliar sign-in properties risk detection now provides risk reasons as to which properties are unfamiliar for customers to better investigate that risk.

-Identity Protection now surfaces the unfamiliar properties in the Azure portal on UX and in API as *Additional Info* with a user-friendly description explaining that *the following properties are unfamiliar for this sign-in of the given user*.

-There's no additional work to enable this feature, the unfamiliar properties are shown by default. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md).

-### General Availability - New Federated Apps available in Azure AD Application gallery - February 2023

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In February 2023 we've added the following 10 new applications in our App gallery with Federation support:

-[PROCAS](https://accounting.procas.com/), [Tanium Cloud SSO](../saas-apps/tanium-sso-tutorial.md), [LeanDNA](../saas-apps/leandna-tutorial.md), [CalendarAnything LWC](https://silverlinecrm.com/calendaranything/), [courses.work](../saas-apps/courseswork-tutorial.md), [Udemy Business SAML](../saas-apps/udemy-business-saml-tutorial.md), [Canva](../saas-apps/canva-tutorial.md), [Kno2fy](../saas-apps/kno2fy-tutorial.md), [IT-Conductor](../saas-apps/it-conductor-tutorial.md), [ナレッジワーク(Knowledge Work)](../saas-apps/knowledge-work-tutorial.md), [Valotalive Digital Signage Microsoft 365 integration](https://store.valotalive.com/#main), [Priority Matrix HIPAA](https://hipaa.prioritymatrix.com/), [Priority Matrix Government](https://hipaa.prioritymatrix.com/), [Beable](../saas-apps/beable-tutorial.md), [Grain](https://grain.com/app?dialog=integrations&integration=microsoft+teams), [DojoNavi](../saas-apps/dojonavi-tutorial.md), [Global Validity Access Manager](https://myaccessmanager.com/), [FieldEquip](https://app.fieldequip.com/), [Peoplevine](https://control.peoplevine.com/), [Respondent](../saas-apps/respondent-tutorial.md), [WebTMA](../saas-apps/webtma-tutorial.md), [ClearIP](https://clearip.com/login), [Pennylane](../saas-apps/pennylane-tutorial.md), [VsimpleSSO](https://app.vsimple.com/login), [Compliance Genie](../saas-apps/compliance-genie-tutorial.md), [Dataminr Corporate](https://dmcorp.okta.com/), [Talon](../saas-apps/talon-tutorial.md).

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

-### Public Preview - New provisioning connectors in the Azure AD Application Gallery - February 2023

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, under **Access Reviews** select **Review history**.

-| AccessReviewSeriesId | Object ID of the review series, if the review is an instance of a recurring review. If the review is one time, the value is am empty GUID. |

-| [SAP ECC 7.0](../../active-directory/app-provisioning/on-premises-sap-connector-configure.md) | ΓùÅ | |

-| SAP R/3 | ΓùÅ | |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** and then select **Identity Governance**.

-1. On the left menu, select **Lifecycle Workflows**.

-1. On the Lifecycle Workflows overview page, select **Workflows**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Type in **Identity Governance** on the search bar near the top of the page and select it.

-1. In the left menu, select **Lifecycle workflows**.

-1. Sign in to the [Azure portal](https://portal.azure.com) and open the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/).

-

-1. In the left menu, select **Access reviews**.

-1. Sign in to the [Azure portal](https://portal.azure.com) and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.

-2. On the left menu, select **Access reviews**.

-3. Select **New access review** to create a new access review.

-4. In the **Select what to review** box, select **Teams + Groups**.

-5. Select **Teams + Groups** and then select **Select Teams + groups** under **Review Scope**. A list of groups to choose from appears on the right.

-1. Sign in to the [Azure portal](https://portal.azure.com) and open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.

-2. On the left menu, select **Access reviews**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator, User Admin or Identity Governance Admin.

-

-1. Open the [Identity Governance](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) page.

-1. On the left menu, select **Access reviews**.

-1. Sign in to the [Azure portal](https://portal.azure.com) and open the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/).

-1. On the menu on the left, under **Access reviews**, select **Settings**.

-You can create and customize workflows for common scenarios by using templates, or you can build a workflow from scratch without using a template. Currently, if you use the Azure portal, any workflow that you create must be based on a template. If you want to create a workflow without using a template, use Microsoft Graph.

-## Create a lifecycle workflow by using a template in the Azure portal

-If you're using the Azure portal to create a workflow, you can customize existing templates to meet your organization's needs. These templates include one for pre-hire common scenarios.

-To create a workflow based on a template:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Lifecycle Workflows**.

-1. Select **Workflows**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. On the search bar near the top of the page, enter **Identity Governance** and select the result.

-1. On the left menu, select **Lifecycle workflows**.

-1. On the left menu, select **Workflows**.

-1. Select **Tasks**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. On the search bar near the top of the page, enter **Identity Governance** and select the result.

-1. On the left menu, select **Lifecycle workflows**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. On the search bar near the top of the page, enter **Identity Governance**. Then select **Identity Governance** in the results.

-1. On the left menu, select **Lifecycle Workflows**.

-1. Select **Workflows**.

-Each access package must have one or more access package assignment policies, before a user can be assigned access. When an access package is created in the Entra portal, the Entra portal automatically creates the first access package assignment policy for that access package. The policy determines who can request access, and who if anyone must approve access.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-In order to make sure users are getting access to the right access packages, you can require requestors to answer custom text field or Multiple Choice questions at the time of request. There's a limit of 20 questions per policy and a limit of 25 answers for Multiple Choice questions. The questions will then be shown to approvers to help them make a decision.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-You can perform this query in PowerShell with the `Get-MgEntitlementManagementAccessPackageAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. This script illustrates using the Graph `beta` profile and Microsoft Graph PowerShell cmdlets module version 1.x.x. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet.

-Select-MgProfile -Name "beta"

-$accesspackage = Get-MgEntitlementManagementAccessPackage -DisplayNameEq "Marketing Campaign"

-$assignments = Get-MgEntitlementManagementAccessPackageAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop

-$assignments | ft Id,AssignmentState,TargetId,{$_.Target.DisplayName}

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package in which you want to add a user.

-You can assign a user to an access package in PowerShell with the `New-MgEntitlementManagementAccessPackageAssignmentRequest` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. This script illustrates using the Graph `beta` profile and Microsoft Graph PowerShell cmdlets module version 1.x.x. This cmdlet takes as parameters

-* the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet,

-* the access package assignment policy ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackageAssignmentPolicy`cmdlet,

-* the object ID of the target user, if the user is already present in your directory.

-Select-MgProfile -Name "beta"

-$accesspackage = Get-MgEntitlementManagementAccessPackage -DisplayNameEq "Marketing Campaign" -ExpandProperty "accessPackageAssignmentPolicies"

-$policy = $accesspackage.AccessPackageAssignmentPolicies[0]

-$req = New-MgEntitlementManagementAccessPackageAssignmentRequest -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -TargetId "a43ee6df-3cc5-491a-ad9d-ea964ef8e464"

-You can also assign multiple users that are in your directory to an access package using PowerShell with the `New-MgEntitlementManagementAccessPackageAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.6.1 or later. This cmdlet takes as parameters

-Select-MgProfile -Name "beta"

-$members = Get-MgGroupMember -GroupId "a34abd69-6bf8-4abd-ab6b-78218b77dc15"

-$accesspackage = Get-MgEntitlementManagementAccessPackage -DisplayNameEq "Marketing Campaign" -ExpandProperty "accessPackageAssignmentPolicies"

-$policy = $accesspackage.AccessPackageAssignmentPolicies[0]

-$req = New-MgEntitlementManagementAccessPackageAssignment -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -RequiredGroupMember $members

-If you wish to add an assignment for a user who is not yet in your directory, you can use the `New-MgEntitlementManagementAccessPackageAssignmentRequest` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. This script illustrates using the Graph `beta` profile and Microsoft Graph PowerShell cmdlets module version 1.x.x. This cmdlet takes as parameters

-Select-MgProfile -Name "beta"

-$accesspackage = Get-MgEntitlementManagementAccessPackage -DisplayNameEq "Marketing Campaign" -ExpandProperty "accessPackageAssignmentPolicies"

-$policy = $accesspackage.AccessPackageAssignmentPolicies[0]

-$req = New-MgEntitlementManagementAccessPackageAssignmentRequest -AccessPackageId $accesspackage.Id -AssignmentPolicyId $policy.Id -TargetEmail "sample@example.com"

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-You can remove a user's assignment in PowerShell with the `New-MgEntitlementManagementAccessPackageAssignmentRequest` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. This script illustrates using the Graph `beta` profile and Microsoft Graph PowerShell cmdlets module version 1.x.x.

-Select-MgProfile -Name "beta"

-$assignments = Get-MgEntitlementManagementAccessPackageAssignment -Filter "accessPackageId eq '9f573551-f8e2-48f4-bf48-06efbb37c7b8' and assignmentState eq 'Delivered'" -All -ErrorAction Stop

-$toRemove = $assignments | Where-Object {$_.targetId -eq '76fd6e6a-c390-42f0-879e-93ca093321e7'}

-$req = New-MgEntitlementManagementAccessPackageAssignmentRequest -AccessPackageAssignmentId $toRemove.Id -RequestType "AdminRemove"

-To create a policy for an access package, you need to start from the access package's policy tab. Follow these steps to create a new policy for an access package.

-1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.

-1. In the left menu, click **Access packages** and then open the access package.

-1. Click **Policies** and then **Add auto-assignment policy** to create a new policy.

-1. In the first tab, you'll specify the rule. Click **Edit**.

- > The rule builder might not be able to display some rules constructed in the text box, and validating a rule currently requires the you to be in the Global administrator role. For more information, see [rule builder in the Azure portal](../enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).

-1. Click **Save** to close the dynamic membership rule editor, then click **Next** to open the **Custom Extensions** tab.

-1. Click **Create** to save the policy.

-description: Learn how to create an access package of resources that you want to share in Azure Active Directory entitlement management.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, and then select **Identity Governance**.

-1. On the left menu, select **Access packages**.

- 

-You can also create an access package in PowerShell by using the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. This script illustrates using the Graph `beta` profile and Microsoft Graph PowerShell cmdlets module version 1.x.x.

-First, retrieve the ID of the catalog (and of the resources and their roles in that catalog) that you want to include in the access package. Use a script similar to the following example:

-Select-MgProfile -Name "beta"

-$catalog = Get-MgEntitlementManagementAccessPackageCatalog -Filter "displayName eq 'Marketing'"

-$rsc = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResource -AccessPackageCatalogId $catalog.Id -Filter "resourceType eq 'Application'" -ExpandProperty "accessPackageResourceScopes"

-$filt = "(originSystem eq 'AadApplication' and accessPackageResource/id eq '" + $rsc[0].Id + "')"

-$rr = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResourceRole -AccessPackageCatalogId $catalog.Id -Filter $filt -ExpandProperty "accessPackageResource"

-$ap = New-MgEntitlementManagementAccessPackage -BodyParameter $params

-After you create the access package, assign the resource roles to it. For example, if you want to include the second resource role of the first resource returned earlier as a resource role of the new access package, you can use a script similar to this one:

- Id = $rsc[0].Id

- ResourceType = $rsc[0].ResourceType

- OriginId = $rsc[0].OriginId

- OriginSystem = $rsc[0].OriginSystem

- OriginId = $rsc[0].OriginId

- OriginSystem = $rsc[0].OriginSystem

-New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $ap.Id -BodyParameter $rparams

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-description: Step-by-step tutorial for how to create your first access package using the Azure portal in entitlement management.

-For a step-by-step demonstration of the process of deploying Azure Active Directory entitlement management, including creating your first access package, view the following video:

-This rest of this article uses the Azure portal to configure and demonstrate entitlement management.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global administrator or User administrator.

-1. In the left navigation, select **Azure Active Directory**.

-1. In the Azure portal, in the left navigation, select **Azure Active Directory**.

-1. In the left menu, select **Identity Governance**

-1. In the left menu, select **Access packages**. If you see **Access denied**, ensure that a Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance license is present in your directory.

-1. Sign out of the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com) as **Admin1**.

-1. Select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left navigation, select **Azure Active Directory**.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In Azure Active Directory, delete any users you created such as **Requestor1** and **Admin1**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package which users will request.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package where you've configured another access package as incompatible.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package where you'll be configuring incompatible assignments.

-1. In the **Status** field, ensure that **Delivered** status is selected.

-1. Select the **Download** button and save the resulting CSV file as the first file with a list of assignments.

-1. In the navigation bar, select **Identity Governance**.

-1. In the **Status** field, ensure that the **Delivered** status is selected.

-1. Select the **Download** button and save the resulting CSV file as the second file with a list of assignments.

-1. Use a spreadsheet program such as Excel to open the two files.

-1. Users who are listed in both files will have already-existing incompatible assignments.

-1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.

-1. In the left menu, click **Access packages** and then open the access package.

-1. Click **Policies** and then click the policy that has the lifecycle settings you want to edit.

-1. Click **Edit** to edit the policy.

-1. Click the **Lifecycle** tab to open the lifecycle settings.

-> When a guest user is set as **Governed**, based on ELM tenant settings their account will be deleted or disabled in specified days after their last access package assignment expires. Learn more about ELM settings here: [Manage external access with Azure Active Directory entitlement management](../architecture/6-secure-access-entitlement-managment.md).

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.

-1. In the left menu, click **Access packages** and then open the access package.

-1. Click **Policies** and then **Add policy**.

-1. Click **Next** to open the **Requests** tab.

-1. Select one of the following options:

- | **All configured connected organizations** | Choose this option if all users from all your configured connected organizations can request this access package. Only users from configured connected organizations can request access packages that are shown to users from all configured organizations. |

- A connected organization is an external Azure AD directory or domain that you have a relationship with.

-1. If you want to require approval, use the steps in [Change approval settings for an access package in entitlement management](entitlement-management-access-package-approval-policy.md) to configure approval settings.

-1. In the **Users who can request access** section, click **None (administrator direct assignments only**.

-1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.

-1. In the left menu, click **Access packages** and then open the access package.

-1. Click **Policies** and then click the policy you want to edit.

-1. Click **Edit** to edit the policy.

-1. Click the **Requests** tab to open the request settings.

-1. Click **Next**.

-1. If you are editing a policy click **Update**. If you are adding a new policy, click **Create**.

-You can also create an access package in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. This script illustrates using the Graph `beta` profile and Microsoft Graph PowerShell cmdlets module version 1.x.x.

-This script below illustrates using the `beta` profile, to create a policy for direct assignment to an access package. In this policy, only the administrator can assign access, and there are no access reviews. See [Create an automatic assignment policy](entitlement-management-access-package-auto-assignment-policy.md#create-an-access-package-assignment-policy-through-powershell) for an example of how to create an automatic assignment policy, and [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for more examples.

-Select-MgProfile -Name "beta"

-$pparams = @{

- AccessPackageId = $apid

- DisplayName = "direct"

- Description = "direct assignments by administrator"

- AccessReviewSettings = $null

- RequestorSettings = @{

- ScopeType = "NoSubjects"

- AcceptRequests = $true

- AllowedRequestors = @(

- )

- }

- RequestApprovalSettings = @{

- IsApprovalRequired = $false

- IsApprovalRequiredForExtension = $false

- IsRequestorJustificationRequired = $false

- ApprovalMode = "NoApproval"

- ApprovalStages = @(

- )

- }

-New-MgEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter $pparams

-1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.

-1. In the left menu, click **Access packages** and then open the access package.

-1. Click **Requests**.

-1. Click a specific request to see additional details.

-1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.

-1. In the left menu, click **Access packages** and then open the access package.

-1. Click **Requests**.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-You can also create an access package in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. This script illustrates using the Graph `beta` profile and Microsoft Graph PowerShell cmdlets module version 1.x.x.

-First, you would retrieve the ID of the catalog, and of the resources and their roles in that catalog that you wish to include in the access package, using a script similar to the following.

-Select-MgProfile -Name "beta"

-$catalog = Get-MgEntitlementManagementAccessPackageCatalog -Filter "displayName eq 'Marketing'"

-$rsc = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResource -AccessPackageCatalogId $catalog.Id -Filter "resourceType eq 'Application'" -ExpandProperty "accessPackageResourceScopes"

-$filt = "(originSystem eq 'AadApplication' and accessPackageResource/id eq '" + $rsc[0].Id + "')"

-$rr = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResourceRole -AccessPackageCatalogId $catalog.Id -Filter $filt -ExpandProperty "accessPackageResource"

-Then, assign the resource roles to the access package. For example, if you wished to include the second resource role of the first resource returned earlier as a resource role of an access package, you would use a script similar to the following.

- Id = $rsc[0].Id

- ResourceType = $rsc[0].ResourceType

- OriginId = $rsc[0].OriginId

- OriginSystem = $rsc[0].OriginSystem

- OriginId = $rsc[0].OriginId

- OriginSystem = $rsc[0].OriginSystem

-New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $apid -BodyParameter $rparams

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. To create a new access policy, in the left menu, select **Access packages**, then select **New access** package.

-1. In the Azure portal, select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Catalogs**.

- 

-1. In the Azure portal, select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Catalogs** and then open the catalog you want to add resources to.

-You can also add a resource to a catalog in PowerShell with the `New-MgEntitlementManagementAccessPackageResourceRequest` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.6.0 or a later 1.x.x module version, or Microsoft Graph PowerShell cmdlets beta module version 2.1.x or later beta module version. The following example shows how to add a group to a catalog as a resource using Microsoft Graph beta and Microsoft Graph PowerShell cmdlets module version 1.x.x.

-Select-MgProfile -Name "beta"

-Import-Module Microsoft.Graph.Identity.Governance

-$catalog = Get-MgEntitlementManagementAccessPackageCatalog -Filter "displayName eq 'Marketing'"

-$nr = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageResource

-$nr.OriginId = $g.Id

-$nr.OriginSystem = "AadGroup"

-$rr = New-MgEntitlementManagementAccessPackageResourceRequest -CatalogId $catalog.Id -AccessPackageResource $nr

-$ar = Get-MgEntitlementManagementAccessPackageCatalog -AccessPackageCatalogId $catalog.Id -ExpandProperty accessPackageResources

-$ar.AccessPackageResources

-1. In the Azure portal, select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Catalogs** and then open the catalog you want to remove resources from.

-1. In the Azure portal, select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Catalogs** and then open the catalog you want to add administrators to.

-1. In the Azure portal, select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Catalogs** and then open the catalog you want to edit.

-1. In the Azure portal, select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Catalogs** and then open the catalog you want to delete.

-1. Navigate To Entra portal [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement)

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, in the **Entitlement management** section, select **Settings**.

-## Allow delegated roles to access the Azure portal

-To allow delegated roles, such as catalog creators and access package managers, to access the Azure portal to manage access packages, you should check the administration portal setting.

-**Prerequisite role:** Global administrator or User administrator

-1. In the Azure portal, select **Azure Active Directory** and then select **Users**.

-1. In the left menu, select **User settings**.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Catalogs** and then open the catalog you want to add administrators to.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Catalogs** and then open the catalog you want to add administrators to.

-* An access package with that policy will allow users in scope to be able to request access, including users not already in your directory. If their request is approved, or does not require approval, then the user will be automatically be added to your directory.

-You can view the list of catalogs currently enabled for external users in the Azure portal.

-1. In the Azure portal, select **Azure Active Directory** > **Identity Governance**.

-1. On the left menu, select **Catalogs**.

-1. Depending on the lifecycle of external users settings, when the external user no longer has any access package assignments, the external user is blocked from signing in and the guest user account is removed from your directory.

- If you're an administrator or catalog owner, you can view the list of catalogs currently enabled for external users in the Azure portal list of catalogs, by changing the filter setting for **Enabled for external users** to **Yes**. If any of those catalogs shown in that filtered view have a non-zero number of access packages, those access packages may have a policy [for users not in your directory](entitlement-management-access-package-request-policy.md#for-users-not-in-your-directory) that allow external users to request.

-> The Entitlement Management app includes the entitlement management side of MyAccess, the Entitlement Management side of Azure portal and the Entitlement Management part of MS graph. The latter two require additional permissions for access, hence won't be accessed by guests unless explicit permission is provided.

-You can select what happens when an external user, who was invited to your directory through making an access package request, no longer has any access package assignments. This can happen if the user relinquishes all their access package assignments, or their last access package assignment expires. By default, when an external user no longer has any access package assignments, they're blocked from signing in to your directory. After 30 days, their guest user account is removed from your directory.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, in the **Entitlement management** section, select **Settings**.

- > If a user is blocked from signing in to this directory, then the user will be unable to re-request the access package or request additional access in this directory. Do not configure blocking them from signing in if they will subsequently need to request access to other access packages.

- > Entitlement management only removes accounts that were invited through entitlement management. Also, note that a user will be blocked from signing in and removed from this directory even if that user was added to resources in this directory that were not access package assignments. If the guest was present in this directory prior to receiving access package assignments, they will remain. However, if the guest was invited through an access package assignment, and after being invited was also assigned to a OneDrive for Business or SharePoint Online site, they will still be removed.

-1. If you want to remove the guest user account in this directory, you can set the number of days before it's removed. If you want to remove the guest user account as soon as they lose their last assignment to any access packages, set **Number of days before removing external user from this directory** to **0**.

-1. In the Azure portal, on the left pane, select **Azure Active Directory**.

-2. Under **Manage**, select **Identity Governance**.

-3. Under **Entitlement Management**, select **Access packages**.

-4. Select **New access package**.

-5. On the **Basics** tab, in the **Name** box, enter **Office Licenses**. In the **Description** box, enter **Access to licenses for Office applications**.

-6. You can leave **General** in the **Catalog** list.

-2. On this tab, you select the resources and the resource role to include in the access package. In this scenario, select **Groups and Teams** and search for your group that has assigned [Office licenses](../enterprise-users/licensing-groups-assign.md).

-3. In the **Role** list, select **Member**.

-3. In the **Users who can request access** section, select **For users in your directory** and then select **All members (excluding guests)**. These settings make it so that only members of your directory can request Office licenses.

-4. Ensure that **Require approval** is set to **Yes**.

-5. Leave **Require requestor justification** set to **Yes**.

-6. Leave **How many stages** set to **1**.

-7. Under **Approver**, select **Manager as approver**. This option allows the requestor's manager to approve the request. You can select a different person to be the fallback approver if the system can't find the manager.

-8. Leave **Decision must be made in how many days?** set to **14**.

-9. Leave **Require approver justification** set to **Yes**.

-10. Under **Enable new requests and assignments**, select **Yes** to enable employees to request the access package as soon as it's created.

-2. On this tab, you can ask questions to collect more information from the requestor. The questions are shown on the request form and can be either required or optional. In this scenario, you haven't been asked to include requestor information for the access package, so you can leave these boxes empty.

-2. In the **Expiration** section, for **Access package assignments expire**, select **Number of days**.

-3. In **Assignments expire after**, enter **365**. This box specifies when members who have access to the access package needs to renew their access.

-4. You can also configure access reviews, which allow periodic checks of whether the employee still needs access to the access package. A review can be a self-review performed by the employee. Or you can set the employee's manager or another person as the reviewer. For more information, see [Access reviews](entitlement-management-access-reviews-create.md).

- 2. You can leave **Starting on** set to the current date. This date is when the access review starts. After you create an access review, you can't update its start date.

- 3. Under **Review frequency**, select **Annually**, because the review occurs once per year. The **Review frequency** box is where you determine how often the access review runs.

- 4. Specify a **Duration (in days)**. The duration box is where you indicate how many days each occurrence of the access review series runs.

- 5. Under **Reviewers**, select **Manager**.

-3. When you're happy with your configuration, select **Create**. After a moment, you should see a notification stating that the access package is created.

-4. After the access package is created, you'll see the **Overview** page for the package. You'll find the **My Access portal link** here. Copy the link and share it with your team so your team members can request the access package to be assigned licenses for Office.

-1. In the Azure portal, on the left pane, select **Azure Active Directory**.

-2. Under **Manage**, select **Identity Governance**.

-3. Under **Entitlement Management**, select **Access packages**.

-4. Open the **Office Licenses** access package.

-5. Select **Resource Roles**.

-6. Select the group you added to the access package. On the details pane, select **Remove resource role**. In the message box that appears, select **Yes**.

-7. Open the list of access packages.

-8. For **Office Licenses**, select the ellipsis button (...) and then select **Delete**. In the message box that appears, select **Yes**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Catalogs**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a user who is a Global Administrator. Make sure you have access to the resource group containing the Azure Monitor workspace.

-1. Select **Azure Active Directory** then select **Diagnostic settings** under Monitoring in the left navigation menu. Check if there's already a setting to send the audit logs to that workspace.

- 1. Select **Azure Active Directory** then select **Workbooks**.

-1. In the Azure portal, select **Azure Active Directory** then select **Workbooks**. If you only have one subscription, move on to step 3.

-## Create custom Azure Monitor queries using the Azure portal

-1. In Azure Active Directory of the Azure portal, select **Logs** under the Monitoring section in the left navigation menu to create a new query page.

-1. In the Azure portal, in the left navigation, select **Azure Active Directory**.

-2. In the left menu, select **Identity Governance**.

-3. In the left menu, select **Access packages**. If you see Access denied, ensure that a Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance license is present in your directory.

-1. In the **Azure portal**, in the left navigation, select **Azure Active Directory**.

-2. In the left menu, select **Identity Governance**.

-3. In the left menu, select **Access Packages**.

-With entitlement management, you can collaborate with people outside your organization. If you frequently collaborate with users in an external Azure AD directory or domain, you can add them as a connected organization. This article describes how to add a connected organization so that you can allow users outside your organization to request resources in your directory.

-* users with a Microsoft Account, such as from the domain *live.com*, if you have a business need for collaboration with users which have no common organization.

-In this case, you can configure one access package, with one policy, and two connected organizations. You create one connected organization for Graphic Design Institute and one for Contoso. If you then specify the two connected organizations in a policy for **users not yet in your directory**, users from each organization, with a user principal name that matches one of the connected organizations, can request the access package. Users with a user principal name that has a domain of contoso.com would match the Contoso-connected organization and would also be allowed to request the package. Users with a user principal name that has a domain of *graphicdesigninstitute.com* and are using an organizational account would match the Graphic Design Institute-connected organization and be allowed to submit requests. And, because Graphic Design Institute uses Azure AD, any users with a principal name that matches another [verified domain](../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) that's added to the Graphic Design Institute tenant, such as *graphicdesigninstitute.example*, would also be able to request access packages by using the same policy. If you have [email one-time passcode (OTP) authentication](../external-identities/one-time-passcode.md) turned on, that includes users from those domains that aren't yet part of Azure AD directories who'll authenticate using email OTP when accessing your resources.

-1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left pane, select **Connected organizations**.

-1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left pane, select **Connected organizations**, and then select **Add connected organization**.

-1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left pane, select **Connected organizations**, and then select the connected organization to open it.

-1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left pane, select **Connected organizations**, and then select the connected organization to open it.

-1. Select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package of interest.

-1. Select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Reports**.

-1. Select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Reports**.

-1. Select **Azure Active Directory** and then select **Audit logs**.

-1. In the Azure portal, select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left pane, select **Connected organizations**, and then select **Download**.

-1. In the Azure portal, select **Azure Active Directory** then select **Workbooks**. If you only have one subscription, move on to step 3.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package with the user assignment you want to reprocess.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Click **Azure Active Directory**, and then click **Identity Governance**.

-1. In the left menu, click **Access packages** and then open the access package.

-1. Underneath **Manage** on the left side, click **Requests**.

-1. Click **Reprocess**.

-description: Learn how to use the My Access portal to request access to an access package in Azure Active Directory entitlement management.

-description: Learn how to use the My Access portal to approve or deny requests to an access package in Azure Active Directory entitlement management.

-description: Learn the high-level steps you should follow for common scenarios in Azure Active Directory entitlement management.

-1. Navigate To Entra portal [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select Azure Active Directory.

-1. Navigate to the Entra portal [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement)

- 1. Enter the Client Name, ID, Client Secret, Authorization URL, Token URL that were generated when you registered the Azure Active Directory application in the Azure portal.

- The Azure portal may also show service principals for services that can't be selected as applications. In particular, **Exchange Online** and **SharePoint Online** are services, not applications that have resource roles in the directory, so they can't be included in an access package. Instead, use group-based licensing to establish an appropriate license for a user who needs access to those services.

-* If a user is blocked from signing in to the resource directory, they won't be able to request access in the My Access portal. Before the user can request access, you must remove the sign-in block from the user's profile. To remove the sign-in block, in the Azure portal, select **Azure Active Directory**, select **Users**, select the user, and then select **Profile**. Edit the **Settings** section and change **Block sign in** to **No**. For more information, see [Add or update a user's profile information using Azure Active Directory](../fundamentals/how-to-manage-user-profile-info.md). You can also check if the user was blocked due to an [Identity Protection policy](../identity-protection/howto-identity-protection-remediate-unblock.md).

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then open the access package.

-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Access packages** and then select **+ New access package**.

-If done via the Azure portal, the new version is created automatically. If done using Microsoft Graph, you must manually create a new version of the workflow. For more information, see [Edit the properties of a workflow using Microsoft Graph](#edit-the-properties-of-a-workflow-using-microsoft-graph).

-## Edit the properties of a workflow using the Azure portal

-To edit the properties of a workflow using the Azure portal, you do the following steps:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Type in **Identity Governance** on the search bar near the top of the page and select it.

-1. On the left menu, select **Lifecycle workflows**.

-1. On the left menu, select **Workflows**.

-Changing a workflow's tasks or execution conditions requires the creation of a new version of that workflow. Tasks within workflows can be added, reordered, and removed at will. Updating a workflow's tasks or execution conditions within the Azure portal will trigger the creation of a new version of the workflow automatically. Making these updates in Microsoft Graph will require the new workflow version to be created manually.

-## Edit the tasks of a workflow using the Azure portal

-Tasks within workflows can be added, edited, reordered, and removed at will. To edit the tasks of a workflow using the Azure portal, you complete the following steps:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Type in **Identity Governance** on the search bar near the top of the page and select it.

-1. In the left menu, select **Lifecycle workflows**.

-1. In the left menu, select **workflows**.

-1. On the left side of the screen, select **Tasks**.

-## Edit the execution conditions of a workflow using the Azure portal

-To edit the execution conditions of a workflow using the Azure portal, you do the following steps:

-## See versions of a workflow using the Azure portal

-## Run a workflow on-demand in the Azure portal

-Use the following steps to run a workflow on-demand.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Type in **Identity Governance** on the search bar near the top of the page and select it.

-1. On the left menu, select **Lifecycle workflows**.

-1. select **Workflows**

-> The next stage of the review won't become active until the duration specified during the access review setup has passed. If the administrator believes a stage is done but the review duration for this stage has not expired yet, they can use the **Stop current stage** button in the overview of the access review in the Azure portal. This action will close the active stage and start the next stage.

-Customers who have yet to transition from applications such as SAP ERP Central Component (SAP ECC) to SAP S/4HANA can still rely on the Azure AD provisioning service to provision user accounts. Within SAP ECC, you expose the necessary Business Application Programming Interfaces (BAPIs) for creating, updating, and deleting users. Within Azure AD, you have two options:

-* Use the lightweight Azure AD provisioning agent and [web services connector](/azure/active-directory/app-provisioning/on-premises-web-services-connector) to [provision users into apps such as SAP ECC](/azure/active-directory/app-provisioning/on-premises-sap-connector-configure?branch=pr-en-us-243167).

-## Create a custom task extension using the Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** and then select **Identity Governance**.

-1. In the left menu, select **Lifecycle Workflows**.

-description: Learn how to remove users from an organization in real time on their last day of work by using lifecycle workflows in the Azure portal.

-This tutorial provides a step-by-step guide on how to execute a real-time employee termination by using lifecycle workflows in the Azure portal.

-Use the following steps to create a leaver on-demand workflow that will execute a real-time employee termination by using lifecycle workflows in the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. On the right, select **Azure Active Directory**.

-3. Select **Identity Governance**.

-4. Select **Lifecycle workflows**.

-5. On the **Overview** tab, select **New workflow**.

-6. From the collection of templates, choose **Select** under **Real-time employee termination**.

-7. Configure basic information about the workflow, and then select **Next: Review tasks**.

-8. Inspect the tasks if you want, but no additional configuration is needed. Select **Next: Select users** when you're finished.

-9. Choose the **Select users to run now** option. It allows you to select users for which the workflow will be executed immediately after creation. Regardless of the selection, you can run the workflow on demand later at any time, as needed.

-10. Select **Add users** to designate the users for this workflow.

-11. A panel with the list of available users appears on the right side of the window. Choose **Select** when you're done with your selection.

-12. Select **Next: Review and create** when you're satisfied with your selection of users.

-13. Verify that the information is correct, and then select **Create**.

-To run a workflow on demand for users by using the Azure portal:

-description: Tutorial for onboarding users to an organization using Lifecycle workflows with Azure portal.

-# Automate employee onboarding tasks before their first day of work with Azure portal

-This tutorial provides a step-by-step guide on how to automate prehire tasks with Lifecycle workflows using the Azure portal.

- - **Prerequisite:** Editing the attributes required for this scenario in the portal

-Use the following steps to create a pre-hire workflow that generates a TAP and send it via email to the user's manager using the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. On the right, select **Azure Active Directory**.

-3. Select **Identity Governance**.

-4. Select **Lifecycle workflows**.

-5. On the **Overview** page, select **New workflow**.

-6. From the templates, select **select** under **Onboard pre-hire employee**.

-7. Next, you configure the basic information about the workflow. This information includes when the workflow triggers, known as **Days from event**. So in this case, the workflow triggers two days before the employee's hire date. On the onboard pre-hire employee screen, add the following settings and then select **Next: Configure Scope**.

-8. Next, you configure the scope. The scope determines which users this workflow runs against. In this case, it is on all users in the Sales department. On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**. For a full list of supported user properties, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta&preserve-view=true#supported-user-properties-and-query-parameters).

-9. On the following page, you may inspect the task if desired but no additional configuration is needed. Select **Next: Review + Create** when you're finished.

-10. On the review blade, verify the information is correct and select **Create**.

-To run a workflow on-demand, for users using the Azure portal, do the following steps: