-The GitHub Action for deploying Azure AD B2C custom policies uses the secret to acquire an access token that is used to interact with the Microsoft Graph API. For more information, see [Creating encrypted secrets for a repository](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository).

-The workflow you created is triggered by the [push](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push) event. If you prefer, you can choose another event to trigger the workflow, for example a [pull request](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request).

-You can also schedule a workflow to run at specific UTC times using [POSIX cron syntax](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). The schedule event allows you to trigger a workflow at a scheduled time. For more information, see [Scheduled events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#scheduled-events).

-| client-id | client-id |N/A |

-| redirect-uri | redirect-uri | N/A|

-| response-type | response-type | N/A|

-| client-secret | client-secret |N/A |

-| client-id | client-id | N/A|

-| redirect-uri | redirect-uri |N/A |

-| response-type |response-type |N/A |

-1. In the Azure portal, search for and select **Network security groups**.

-1. In the Azure portal, search for and select **Network security groups**.

-1. In the Azure portal, search for and select **Network security groups**.

-1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.

-1. Select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.

-1. In the Azure portal, search for and select **Subscriptions**.

-This article shows you how to change the SKU for an existing Azure AD DS managed domain using the Azure portal.

-To change the SKU for a managed domain using the Azure portal, complete the following steps:

-1. At the top of the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain from the list, such as *aaddscontoso.com*.

- 

- 

-description: Learn how to check the health of an Azure Active Directory Domain Services (Azure AD DS) managed domain and understand status messages using the Azure portal.

-Azure Active Directory Domain Services (Azure AD DS) runs some background tasks to keep the managed domain healthy and up-to-date. These tasks include taking backups, applying security updates, and synchronizing data from Azure AD. If there are issues with the Azure AD DS managed domain, these tasks may not successfully complete. To review and resolve any issues, you can check the health status of a managed domain using the Azure portal.

-The health status for a managed domain is viewed using the Azure portal. Information on the last backup time and synchronization with Azure AD can be seen, along with any alerts that indicate a problem with the managed domain's health. To view the health status for a managed domain, complete the following steps:

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

- 

-* **Azure Active Directory (Azure AD)** - Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Microsoft 365, the Azure portal, or SaaS applications.

-> [To get started, create an Azure AD DS managed domain using the Azure portal][tutorial-create]

-To get started with using Azure AD DS, [create an Azure AD DS managed domain using the Azure portal][tutorial-create].

-A managed domain forest supports up to five one-way outbound forest trusts to on-premises forests. The outbound forest trust for Azure AD Domain Services is created in the Azure portal. You don't manually create the trust with the managed domain itself. The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory.

-## Sign in to the Azure portal

-In this article, you create and configure the outbound forest trust from a managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com* and wait for the status to report as **Running**.

-The on-premises AD DS domain needs an incoming forest trust for the managed domain. This trust must be manually created in the on-premises AD DS domain, it can't be created from the Azure portal.

-1. Choose to create the trust for **This domain only**. In the next step, you create the trust in the Azure portal for the managed domain.

-1. Choose to use **Forest-wide authentication**, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section.

-1. Sign in to your management VM. For steps on how to connect using the Azure portal, see [Connect to a Windows Server VM][connect-windows-server-vm].

-To get started, [enroll in the Azure CSP program](/partner-center/enrolling-in-the-csp-program). You can then enable Azure AD Domain Services using the [Azure portal](tutorial-create-instance.md) or [Azure PowerShell](powershell-create-instance.md).

-description: Learn how to disable, or delete, an Azure Active Directory Domain Services managed domain using the Azure portal

-# Delete an Azure Active Directory Domain Services managed domain using the Azure portal

-This article shows you how to use the Azure portal to delete a managed domain.

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

-1. Sign in to the [Azure portal](https://portal.azure.com) with a user account that has *Enterprise administrator* permissions in Azure AD.

-1. Search for and select **Azure Active Directory** at the top of the portal, then choose **Enterprise applications**.

-With a VM ready to be used as the Azure AD Application Proxy connector, now copy and run the setup file downloaded from the Azure portal.

-1. On the Application proxy page in the Azure portal, the new connector is listed with a status of *Active*, as shown in the following example:

- 

-1. Sign in to the [Azure portal](https://portal.azure.com/) in the User Administrator role for the organization.

-1. Search for and select *Azure Active Directory* from any page.

-1. Select **Users**, and then select **New user**.

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-1. Select the *Hostname/DNS* tab, then enter the IP address(es) of the managed domain into the text box *Name Server 1*. These IP addresses are shown on the *Properties* window in the Azure portal for your managed domain, such as *10.0.2.4* and *10.0.2.5*.

-1. Configure Network Time Protocol (NTP) time synchronization for your managed domain by selecting *NTP Configuration*. Enter the IP addresses of the managed domain. These IP addresses are shown on the *Properties* window in the Azure portal for your managed domain, such as *10.0.2.4* and *10.0.2.5*.

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-## Sign in to the Azure portal

-In this tutorial, you create a Windows Server VM to join to your managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. From the Azure portal menu or from the **Home** page, select **Create a resource**.

- 

- RDP should only be enabled when required, and limited to a set of authorized IP ranges. This configuration helps improve the security of the VM and reduces the area for potential attack. Or, create and use an Azure Bastion host that allows access only through the Azure portal over TLS. In the next step of this tutorial, you use an Azure Bastion host to securely connect to the VM.

- 

- 

- 

-It takes a few minutes to create the VM. The Azure portal shows the status of the deployment. Once the VM is ready, select **Go to resource**.

-

-To securely connect to your VMs, use an Azure Bastion host. With Azure Bastion, a managed host is deployed into your virtual network and provides web-based RDP or SSH connections to VMs. No public IP addresses are required for the VMs, and you don't need to open network security group rules for external remote traffic. You connect to VMs using the Azure portal from your web browser. If needed, [create an Azure Bastion host][azure-bastion].

- 

- 

-1. Sign in to your management VM. For steps on how to connect using the Azure portal, see [Connect to a Windows Server VM][connect-windows-server-vm].

-1. Sign in to your management VM. For steps on how to connect using the Azure portal, see [Connect to a Windows Server VM][connect-windows-server-vm].

-For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md).

-Note that the **CorpNetSaw** service tag isn't available by using Azure portal, and the network security group rule for **CorpNetSaw** has to be added by using [PowerShell](powershell-create-instance.md#create-a-network-security-group).

-The health of an Azure Active Directory Domain Services (Azure AD DS) managed domain is monitored by the Azure platform. The health status page in the Azure portal shows any alerts for the managed domain. To make sure issues are responded to in a timely manner, email notifications can be configured to report on health alerts as soon as they're detected in the Azure AD DS managed domain.

-To alert you of issues with a managed domain, you can configure email notifications. These email notifications specify the managed domain that the alert is present on, as well as giving the time of detection and a link to the health page in the Azure portal. You can then follow the provided troubleshooting advice to resolve the issues.

-Azure AD DS sends email notifications for important updates about the managed domain. These notifications are only for urgent issues that impact the service and should be addressed immediately. Each email notification is triggered by an alert on the managed domain. The alerts also appear in the Azure portal and can be viewed on the [Azure AD DS health page][check-health].

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

-### I received an email notification for an alert but when I logged on to the Azure portal there was no alert. What happened?

-If an alert is resolved, the alert is cleared from the Azure portal. The most likely reason is that someone else who receives email notifications resolved the alert on the managed domain, or it was autoresolved by Azure platform.

-If you're unable to access the notification settings page in the Azure portal, you don't have the permissions to edit the managed domain. Contact a global administrator to either get permissions to edit Azure AD DS resource or be removed from the recipient list.

-> [To get started, create an Azure AD DS managed domain using the Azure portal][tutorial-create]

-* **Simplified deployment experience:** Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.

-To get started, [create a managed domain using the Azure portal][tutorial-create].

-The name of each built-in policy definition links to the policy definition in the Azure portal. Use

-It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and can take up to an hour to complete the deployment. In the Azure portal, the **Overview** page for your managed domain shows the current status throughout this deployment stage.

-When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

-It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and can take up to an hour to complete the deployment. In the Azure portal, the **Overview** page for your managed domain shows the current status throughout this deployment stage.

-When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

-This article shows you how to create a managed domain that uses scoped synchronization and then change or disable the set of scoped users using Azure AD PowerShell. You can also [complete these steps using the Azure portal][scoped-sync].

-description: Learn how to use the Azure portal to configure scoped synchronization from Azure AD to an Azure Active Directory Domain Services managed domain

-# Configure scoped synchronization from Azure AD to Azure Active Directory Domain Services using the Azure portal

-This article shows you how to configure scoped synchronization and then change or disable the set of scoped users using the Azure portal. You can also [complete these steps using PowerShell][scoped-sync-powershell].

-To enable scoped synchronization in the Azure portal, complete the following steps:

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-You can archive events into Azure storage and stream events into security information and event management (SIEM) software (or equivalent) using Azure Event Hubs, or do your own analysis and using Azure Log Analytics workspaces from the Azure portal.

-> You need to create the target resource before you enable Azure AD DS security audits. You can create these resources using the Azure portal, Azure PowerShell, or the Azure CLI.

-|Azure Event Hubs| This target should be used when your primary need is to share security audit events with additional software such as data analysis software or security information & event management (SIEM) software.<br /><br />Before you enable Azure AD DS security audit events, [Create an event hub using Azure portal](../event-hubs/event-hubs-create.md)|

-|Azure Log Analytics Workspace| This target should be used when your primary need is to analyze and review secure audits from the Azure portal directly.<br /><br />Before you enable Azure AD DS security audit events, [Create a Log Analytics workspace in the Azure portal.](../azure-monitor/logs/quick-create-workspace.md)|

-## Enable security audit events using the Azure portal

-To enable Azure AD DS security audit events using the Azure portal, complete the following steps.

-1. Sign in to the Azure portal.

-1. At the top of the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-You see an [alert][resolve-alerts] on the Azure AD DS Health page in the Azure portal that notes the domain is suspended. The state of the domain also shows *Suspended*.

-1. In the Azure portal, search for and select **Domain services**.

-This template can be deployed using your preferred deployment method, such as the [Azure portal][portal-deploy], [Azure PowerShell][powershell-deploy], or a CI/CD pipeline. The following example uses the [New-AzResourceGroupDeployment][New-AzResourceGroupDeployment] cmdlet. Specify your own resource group name and template filename:

-It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and can take up to an hour to complete the deployment. In the Azure portal, the **Overview** page for your managed domain shows the current status throughout this deployment stage.

-When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

-1. To update the virtual network IP address range, search for and select *Virtual network* in the Azure portal. Select the virtual network for Azure AD DS that incorrectly has a public IP address range set.

-1. In the Azure portal, search for and select **Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-1. Read about [Azure role-based access control and how to grant access to applications in the Azure portal](../role-based-access-control/role-assignments-portal.md).

-1. To update the virtual network IP address range, search for and select *Virtual network* in the Azure portal. Select the virtual network for the managed domain that has the small IP address range.

-1. For each of the managed domain's network components in your resource group, such as virtual network, network interface, or public IP address, check the operation logs in the Azure portal. These operation logs should indicate why an operation is failing and where a resource lock is applied.

-1. For each of the managed domain's network components in your resource group, such as virtual network, NIC, or public IP address, check the operation logs in the Azure portal. These operation logs should indicate why an operation is failing and where a restrictive policy is applied.

-1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.

-1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.

-1. Select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.

-## Sign in to the Azure portal

-In this tutorial, you configure secure LDAP for the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the [Azure portal](https://portal.azure.com), enter *domain services* in the **Search resources** box. Select **Azure AD Domain Services** from the search result.

- 

-1. To apply the replacement certificate to Azure AD DS, in the left menu for Azure AD DS in the Azure portal, select **Secure LDAP**, and then select **Change Certificate**.

-1. In the Azure portal, select *Resource groups* on the left-hand side navigation.

-

-description: In this tutorial, you learn how to create and configure an Azure virtual network subnet or network peering for an Azure Active Directory Domain Services managed domain using the Azure portal.

-## Sign in to the Azure portal

-In this tutorial, you create and configure the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, select the resource group of your managed domain, such as *myResourceGroup*. From the list of resources, choose the default virtual network, such as *aadds-vnet*.

- 

- 

- 

- 

-1. In the Azure portal, select the resource group of the peered virtual network, such as *myResourceGroup*. From the list of resources, choose the peered virtual network, such as *myVnet*.

-description: Learn how to create a one-way outbound forest to an on-premises AD DS domain in the Azure portal for Azure AD Domain Services

-## Sign in to the Azure portal

-In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com). You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to modify an Azure AD DS instance.

-The on-premises AD DS domain needs an incoming forest trust for the managed domain. This trust must be manually created in the on-premises AD DS domain, it can't be created from the Azure portal.

-1. Choose to create the trust for **This domain only**. In the next step, you create the trust in the Azure portal for the managed domain.

-1. Choose to use **Forest-wide authentication**, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section.

-To create the outbound trust for the managed domain in the Azure portal, complete the following steps:

-1. In the Azure portal, search for and select **Azure AD Domain Services**, then select your managed domain, such as *aaddscontoso.com*.

- 

-1. In the Azure portal, search for and select **Azure AD Domain Services**, then select your managed domain, such as *aaddscontoso.com*.

-description: In this tutorial, you learn how to create and configure a customized Azure Active Directory Domain Services managed domain and specify advanced configuration options using the Azure portal.

-You can [create a managed domain using default configuration options][tutorial-create-instance] for networking and synchronization, or manually define these settings. This tutorial shows you how to define those advanced configuration options to create and configure an Azure AD DS managed domain using the Azure portal.

-## Sign in to the Azure portal

-In this tutorial, you create and configure the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

-Complete the fields in the *Basics* window of the Azure portal to create a managed domain:

- 

-> If you selected an existing virtual network in the previous steps, any VMs connected to the network only get the new DNS settings after a restart. You can restart VMs using the Azure portal, Azure PowerShell, or the Azure CLI.

-A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. These user accounts aren't synchronized from an on-premises directory.

-description: In this tutorial, you learn how to create and configure an Azure Active Directory Domain Services managed domain using the Azure portal.

-You can create a managed domain using default configuration options for networking and synchronization, or [manually define these settings][tutorial-create-instance-advanced]. This tutorial shows you how to use default options to create and configure an Azure AD DS managed domain using the Azure portal.

-## Sign in to the Azure portal

-In this tutorial, you create and configure the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

-Complete the fields in the *Basics* window of the Azure portal to create a managed domain:

- 

-> If you selected an existing virtual network in the previous steps, any VMs connected to the network only get the new DNS settings after a restart. You can restart VMs using the Azure portal, Azure PowerShell, or the Azure CLI.

-A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. These user accounts aren't synchronized from an on-premises directory.

-## Sign in to the Azure portal

-In this tutorial, you create and configure a management VM using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, select **Resource groups** on the left-hand side. Choose the resource group where your VM was created, such as *myResourceGroup*, then select the VM, such as *myVM*.

- 

- 

-description: Learn how to create and use replica sets in the Azure portal for service resiliency with Azure AD Domain Services

-## Sign in to the Azure portal

-In this tutorial, you create and manage replica sets using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-> When you create a replica set in the Azure portal, the network peerings between virtual networks is created for you.

-> If needed, you can create a virtual network and subnet when you add a replica set in the Azure portal. Or, you can choose existing virtual network resources in the destination region for a replica set and let the peerings be created automatically if they don't already exist.

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

- 

- 

-

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

- 

-1. In the Azure portal, select **Azure Active Directory**.

-2. Select **Enterprise applications** and then select your application.

-3. Select **Provisioning** and then on the provisioning page select **Edit provisioning**.

-2. Select **Cross-tenant synchronization** > **Configurations** and then select your configuration.

-3. Select **Provisioning**.

-4. Under **Settings**, select the **Prevent accidental deletions** check box and specify a deletion

-5. Ensure the **Notification Email** address is completed.

-6. Select **Save** to save the changes.

-You can access the provisioning logs in the Azure portal by selecting **Azure Active Directory** &gt; **Enterprise Apps** &gt; **Provisioning logs (preview)** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).

-If you set the **Provisioning Status** to be **On** in the **Azure Active Directory &gt; Enterprise Apps &gt; \[Application Name\] &gt;Provisioning** section of the Azure portal. However no other status details are shown on that page after subsequent reloads, it is likely that the service is running but has not completed an initial cycle yet. Check the **Provisioning logs (preview)** described above to determine what operations the service is performing, and if there are any errors.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the **Azure Active Directory > Enterprise Applications** section of the Azure portal, locate and select your existing SCIM application.

-3. In the **Properties** section of your existing SCIM app, copy the **Object ID**.

-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.

-5. In the Graph Explorer, run the command below to locate the ID of your provisioning job. Replace "[object-id]" with the service principal ID (object ID) copied from the third step.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the **Azure Active Directory > Enterprise Applications > Create application** section of the Azure portal, create a new **Non-gallery** application.

-3. In the **Properties** section of your new custom app, copy the **Object ID**.

-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.

-5. In the Graph Explorer, run the command below to initialize the provisioning configuration for your app.

-Configuring [automatic user provisioning](user-provisioning.md) for an app (where supported), requires that specific instructions be followed to prepare the application for automatic provisioning. Then you can use the Azure portal to configure the provisioning service to synchronize user accounts to the application.

-If you set the **Provisioning Status** to be **On** in the **Azure Active Directory &gt; Enterprise Apps &gt; \[Application Name\] &gt;Provisioning** section of the Azure portal. However no other status details are shown on that page after subsequent reloads. It is likely that the service is running but has not completed an initial cycle yet. Check the **Provisioning logs** described above to determine what operations the service is performing, and if there are any errors.

-The Azure portal is a convenient way to configure provisioning for individual apps one at a time. But if you're creating severalΓÇöor even hundredsΓÇöof instances of an application, it can be easier to automate app creation and configuration with the Microsoft Graph APIs. This article outlines how to automate provisioning configuration through APIs. This method is commonly used for applications like [Amazon Web Services](../saas-apps/amazon-web-service-tutorial.md#configure-azure-ad-sso).

-Test the connection with the third-party application. The following example is for an application that requires a client secret and secret token. Each application has its own requirements. Applications often use a base address in place of a client secret. To determine what credentials your app requires, go to the provisioning configuration page for your application, and in developer mode, click **test connection**. The network traffic will show the parameters used for credentials. For a full list of credentials, see [synchronizationJob: validateCredentials](/graph/api/synchronization-synchronizationjob-validatecredentials?tabs=http&view=graph-rest-beta&preserve-view=true). Most applications, such as Azure Databricks, rely on a BaseAddress and SecretToken. The BaseAddress is referred to as a tenant URL in the Azure portal.

-In all the above scenarios, the integration is greatly simplified as Azure AD provisioning service takes over the responsibility of performing identity profile comparison, restricting the data sync to scoping logic configured by the IT admin and executing rule-based attribute flow and transformation managed in the Microsoft Entra admin portal.

-To complete the steps in this tutorial, you need access to Microsoft Entra admin portal with the following roles:

-* Global administrator OR

-* Application administrator (if you're configuring inbound user provisioning to Azure AD) OR

-* Application administrator + Hybrid identity administrator (if you're configuring inbound user provisioning to on-premises Active Directory)

-2. Browse to **Azure Active Directory -> Applications -> Enterprise applications**.

-1. Open the provisioning application's **Provisioning** -> **Overview** page.

-1. Download [Postman](https://www.getpostman.com/downloads/) and start the application.

-|Username and password (not recommended or supported by Azure AD)|Easy to implement|Insecure - [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984)|Not supported for new gallery or non-gallery apps.|

-> * Create or update your marketing pages/website (e.g. integration page, partner page, pricing page, etc.) to include the availability of the joint integration. [Example: Pingboard integration Page](https://pingboard.com/org-chart-for), [Smartsheet integration page](https://www.smartsheet.com/marketplace/apps/microsoft-azure-ad), [Monday.com pricing page](https://monday.com/pricing/)

-> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure AD integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/)

-Azure AD features preintegrated support for many popular SaaS apps and human resources systems, and generic support for apps that implement specific parts of the [SCIM 2.0 standard](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/Provisioning-with-SCIM-getting-started/ba-p/880010).

-1. On the Application proxy page in the Azure portal, the new connector is listed with a status of *Active*, as shown in the following example:

- 

-1. After successful installation, go back to the Azure portal.

-description: Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. This tutorial shows you how to prepare your environment for use with Application Proxy. Then, it uses the Azure portal to add an on-premises application to your Azure AD tenant.

-You can use the Azure portal or your Windows server to confirm that a new connector installed correctly.

-### Verify the installation through Azure portal

- | **Name** | The name of the application that appears on My Apps and in the Azure portal. |

-This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure WAF on Application Gateway. In this guide we'll be using the Azure portal. The reference architecture for this deployment is represented below.

-Some steps of the Application Gateway configuration will be omitted in this article. For a detailed guide on how to create and configure an Application Gateway, see [Quickstart: Direct web traffic with Azure Application Gateway - Azure portal][appgw_quick].

-This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure Front Door. In this guide we'll be using the Azure portal. The reference architecture for this deployment is represented below.

- 

-For details on configuring Connectors, see [Enable Application Proxy in the Azure portal](application-proxy-add-on-premises-application.md).

-

-description: How to troubleshoot issues creating Application Proxy applications in the Azure portal

-[Enable Application Proxy in the Azure portal](application-proxy-add-on-premises-application.md)

-To configure SSO, first make sure that your application is configured for Pre-Authentication through Azure Active Directory. To do this configuration, go to **Azure Active Directory** -&gt; **Enterprise Applications** -&gt; **All Applications** -&gt; Your application **-&gt; Application Proxy**. On this page, you see the ΓÇ£Pre AuthenticationΓÇ¥ field, and make sure that is set to ΓÇ£Azure Active Directory.

- 

-## Set the cookie settings - Azure portal

-To set the cookie settings using the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Navigate to **Azure Active Directory**ΓÇ»>ΓÇ»**Enterprise applications**ΓÇ»>ΓÇ»**All applications**.

-3. Select the application for which you want to enable a cookie setting.

-4. Click **Application Proxy**.

-1. In Azure Active Directory, select **Custom domain names** in the left navigation, and then select **Add custom domain**.

-For more detailed instructions, see [Add your custom domain name using the Azure portal](../fundamentals/add-custom-domain.md).

-1. For a new app, in Azure Active Directory, select **Enterprise applications** in the left navigation. Select **New application**. In the **On-premises applications** section, select **Add an on-premises application**.

-10. Follow the instructions at [Manage DNS records and record sets by using the Azure portal](../../dns/dns-operations-recordsets-portal.md) to add a DNS record that redirects the new external URL to the *msappproxy.net* domain in Azure DNS. If a different DNS provider is used, please contact the vendor for the instructions.

-You can set the home page URL either through the Azure portal or by using PowerShell.

-## Change the home page in the Azure portal

-To change the home page URL of your app through the Azure portal, follow these steps:

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-1. Select **Azure Active Directory**, and then **App registrations**. The list of registered apps appears.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-2. Go to **Azure Active Directory** > **Enterprise applications** > **All applications** > select the app you want to manage > **Application proxy**.

-3. Turn **Translate URLs in application body** to **Yes**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Browse to **Azure Active Directory** > **App registrations**. The list of all app registrations appears.

- 

-The required info in the sample code can be found in the Azure portal, as follows:

-| Info required | How to find it in the Azure portal |

-1. In the Azure portal, select **Azure Active Directory > Enterprise applications** and select **New application**.

-1. With the application still open in the Azure portal, select **Application Proxy**. Provide the **Internal URL** for the application. If you're using a custom domain, you also need to upload the TLS/SSL certificate for your application.

-1. With the application still open in the Azure portal, select **Single sign-on**.

-description: Turn on single sign-on for your published on-premises applications with Azure Active Directory Application Proxy in the Azure portal.

-Azure Active Directory Application Proxy helps you improve productivity by publishing on-premises applications so that remote employees can securely access them, too. In the Azure portal, you can also set up single sign-on (SSO) to these apps. Your users only need to authenticate with Azure AD, and they can access your enterprise application without having to sign in again.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-1. Select **Azure Active Directory** > **Enterprise applications** > **All applications**.

-1. The Admin customizes the attribute mappings required by the application in the Azure portal.

- 

- 

- 

-Each Application Proxy connector is assigned to a connector group. All the connectors that belong to the same connector group act as a separate unit for high-availability and load balancing. All connectors belong to a connector group. If you don't create groups, then all your connectors are in a default group. Your admin can create new groups and assign connectors to them in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Enterprise applications** > **Application proxy**.

-You can monitor your connectors from the machine they are running on, using either the event log and performance counters. Or you can view their status from the Application Proxy page of the Azure portal:

- * Before using custom domains in Application Proxy you must create a CNAME record in public DNS, allowing clients to resolve the custom defined external URL to the pre-defined Application Proxy address. Failing to create a CNAME record for an application that uses a custom domain will prevent remote users from connecting to the application. Steps required to add CNAME records can vary from DNS provider to provider, so learn how to [manage DNS records and record sets by using the Azure portal](../../dns/dns-operations-recordsets-portal.md).

-1. Navigate to **Azure Active Directory** > **Enterprise applications** > **All applications** and choose the app you want to manage.

-Azure AD provides additional insights into your organizationΓÇÖs application usage and operational health through [audit logs and reports](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). Application Proxy also makes it very easy to monitor connectors from the Azure portal and Windows Event Logs.

-These logs provide detailed information about logins to applications configured with Application Proxy and the device and the user accessing the application. [Audit logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are located in the Azure portal and in [Audit API](/graph/api/resources/directoryaudit) for export. Additionally, [usage and insights reports](../reports-monitoring/concept-usage-insights-report.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are also available for your application.

-The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Azure portal. For more information about connector maintenance see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).

-1. From the Azure portal, open **Azure Active Directory**

-2. Select the **App Registrations** menu item from the navigation pane

- 

-3. From the *App Registrations* window, select the **All applications** tab option

-4. Navigate to the application with a matching name to your deployed App Proxy application. For example, if you deployed *Sample App 1* as an Enterprise Application, click the **Sample App 1** registration item

-5. From the *Sample App 1* detail page, take note of the *Application (client) ID* and *Directory (tenant) ID* fields. These will be used later.

-6. Select the **API permissions** menu item from the navigation pane

-7. From the *API permissions* page:

-8. Select the **Certificates & secrets** menu item from the navigation pane

-9. From the *Certificates & secrets* page:

-1. Go to **Azure Active Directory** and then **App Registrations**.

-4. Select **Azure Active Directory**, and then **App Registrations**. Choose your app from the list.

-To publish Tableau, you need to publish an application in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator.

-2. Select **Azure Active Directory > Enterprise applications**.

-3. Select **Add** at the top of the blade.

-Your application is now ready to test. Access the external URL you used to publish Tableau, and login as a user assigned to both applications.

-If you already have your apps published but don't remember their external URLs, look them up in the [Azure portal](https://portal.azure.com). Sign in, then navigate to **Azure Active Directory** > **Enterprise applications** > **All applications** > select your app > **Application proxy**.

-Once one member of a team adds the tab, it shows up for everyone in the channel. Any users who have access to the app get single sign-on access with the credentials they use for Microsoft Teams. Any users who don't have access to the app can see the tab in Teams, but are blocked until you give them permissions to the on-premises app and the Azure portal published version of the app.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.

-1. In left navigation panel, select **Azure Active Directory**.

-1. Under **Manage**, select **Application proxy**.

-1. Next, under **Advanced Settings** and select the drop down under Optimize for a specific region and select the region closest to the connectors.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

-1. Browse to **Azure Active Directory** > **Application proxy** > **Download connector service**. The **Application Proxy Connector Download** page appears.

-There are two actions you need to take in the Azure portal. First, you need to publish your application with Application Proxy. Then, you need to collect some information about the application that you can use during the PingAccess steps.

-1. If you didn't in the previous section, sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

-1. From the **Azure portal**, browse to **Azure Active Directory** > **App registrations**. A list of applications appears.

-1. Select your application.

-1. From the **Azure portal**, browse to **Azure Active Directory** > **App registrations**. A list of applications appears.

-1. Select your application. The **App registrations** page for your application appears.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

-1. Browse to **Azure Active Directory** > **App registrations**. A list of applications appears.

-1. Select your application.

-Those steps help you install PingAccess and set up a PingAccess account (if you don't already have one). Then, to create an Azure AD OpenID Connect (OIDC) connection, you set up a token provider with the **Directory (tenant) ID** value that you copied from the Azure portal. Next, to create a web session on PingAccess, you use the **Application (client) ID** and `PingAccess key` values. After that, you can set up identity mapping and create a virtual host, site, and application.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.

-2. Select **Azure Active Directory** > **Enterprise applications**.

-3. Select **Add** at the top of the blade.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, then select **Enterprise applications**.

-1. On the Azure Active Directory **Overview** page, select **App registrations**, and at the top of the **App registrations** pane, select **New registration**.

-1. On the Azure Active Directory **Overview** > **App Registrations** page, select the **AppProxyNativeAppSample** app.

-1. Open the application in the portal by going to **Azure Active Directory**, clicking on **Enterprise Applications**, then **All Applications.** Open the application, then select **Application Proxy** from the left menu.

-|Forbidden: This corporate app can't be accessed OR The user could not be authorized. Make sure the user is defined in your on-premises AD and that the user has access to the app in your on-premises AD. | This could be a problem with access to authorization information, see [Some applications and APIs require access to authorization information on account objects]( https://support.microsoft.com/help/331951/some-applications-and-apis-require-access-to-authorization-information). In a nutshell, add the app proxy connector machine account to the "Windows Authorization Access Group" builtin domain group to resolve. |

-| Blue | Applications explicitly published and visible in the Azure portal. |

-Application Proxy is an Azure AD service you configure in the Azure portal. It enables you to publish an external public HTTP/HTTPS URL endpoint in the Azure Cloud, which connects to an internal application server URL in your organization. These on-premises web apps can be integrated with Azure AD to support single sign-on. Users can then access on-premises web apps in the same way they access Microsoft 365 and other SaaS apps.

-2. The admin signs into the Azure portal and runs an executable to install the connector on an on-premises Windows server.

-Each Application Proxy connector is assigned to a [connector group](./application-proxy-connector-groups.md). Connectors in the same connector group act as a single unit for high availability and load balancing. You can create new groups, assign connectors to them in the Azure portal, then assign specific connectors to serve specific applications. It's recommended to have at least two connectors in each connector group for high availability.

-

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-3. Select **New policy**.

-4. Enter a policy a name.

-5. Under **Assignments**, select **Users or workload identities**.

-6. Under **Include**, select **All guests and external users**.

-7. Under **Exclude**, select **Users and groups**.

-8. Select emergency access accounts.

-9. Select **Done**.

-10. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

-11. Under **Exclude**, select applications you want to exclude.

-12. Under **Access controls** > **Grant**, select **Block access**.

-13. Select **Select**.

-14. Select **Enable policy** to **Report-only**.

-15. Select **Create**.

-> You can confirm settings in **report only** mode. See, Configure a Conditional Access policy in repory-only mode, in [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-3. Select **New policy**.

-4. Enter a policy name.

-5. Under **Assignments**, select **Users or workload identities**.

-6. Under **Include**, select **All guests and external users**.

-7. Under **Exclude**, select **Users and groups**

-8. Select emergency access accounts.

-9. Select the external users security group.

-10. Select **Done**.

-11. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

-12. Under **Exclude**, select applications you want to exclude.

-13. Under **Access controls** > **Grant**, select **Block access**.

-14. Select **Select**.

-15. Select **Create**.

-> You can confirm settings in **report only** mode. See, Configure a Conditional Access policy in repory-only mode, in [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).

-* [Configure password based SSO for cloud applications ](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md)

-| [RADIUS authentication]( auth-radius.md)| | | |  |

-The [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items by using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?tabs=http).

-The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing and which applications in your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.

-* [How provisioning works in Azure AD ](../app-provisioning/how-provisioning-works.md)

-* [Managing user account provisioning for enterprise apps in the Azure portal ](../app-provisioning/configure-automatic-user-provisioning-portal.md)

-* [Build a SCIM endpoint and configure user provisioning with Azure AD ](../app-provisioning/use-scim-to-provision-users-and-groups.md)

-No changes in configurations are required in Microsoft Authenticator or the Azure portal to enable FIPS 140 compliance. Beginning with Microsoft Authenticator for iOS version 6.6.8, Azure AD authentications will be FIPS 140 compliant by default.

-To manage the Authentication methods policy in the Azure AD portal, click **Security** > **Authentication methods** > **Policies**.

->Hardware OATH tokens and security questions can only be enabled today by using these legacy policies. In the future, these methods will be available in the Authentication methods policy. If you use hardware OATH tokens, which are currently in preview, you should hold off on migrating OATH tokens and don't complete the migration process. If you're using security questions, and don't want to disable them, make sure to keep them enabled in the legacy SSPR policy until the new control is available in the future.

-Tenants are set to either Pre-migration or Migration in Progress by default, depending on their tenant's current state. At any time, you can change to another option. If you move to Migration Complete, and then choose to roll back to an earlier state, we'll ask why so we can evaluate performance of the product.

-All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).

-Administrators can view user authentication methods in the Azure portal. Usable methods are listed first, followed by non-usable methods.

-Once properly formatted as a CSV file, a Global Administrator can then sign in to the Azure portal, navigate to **Azure Active Directory** > **Security** > **Multifactor authentication** > **OATH tokens**, and upload the resulting CSV file.

-You can check the status of this feature in your own tenant by navigating to the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade), then in the left pane, click **Security** > **MFA** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**.

- * Have an Azure AD administrator unblock the user in the Azure portal.

-

-1. In the Azure portal, browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths**.

-If a user from a federated domain has multifactor authentication settings in scope for Staged Rollout, the user can complete multifactor authentication in the cloud and satisfy any of the **Federated single-factor + something you have** combinations. For more information about staged rollout, see [Enable Staged Rollout using Azure portal](how-to-mfa-server-migration-utility.md#enable-staged-rollout-using-azure-portal).

-## Update certificate user IDs in the Azure portal

-Tenant admins can use the following steps Azure portal to update certificate user IDs for a user account:

-1. In the Azure portal, click **All users (preview)**.

-1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

-1. Search for and select **Azure Active Directory**.

-1. From the left menu, select **Azure AD Connect**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Security** > **Multifactor authentication** > **Additional cloud-based multifactor authentication settings**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as the test user by using CBA. The authentication policy is set where Issuer subject rule satisfies single-factor authentication.

-1. After sign-in was succeeds, click **Azure Active Directory** > **Sign-in logs**.

-1. Sign in to the [Azure portal](https://portal.azure.com) using CBA. Since the policy was set to satisfy multifactor authentication, the user sign-in is successful without a second factor.

-1. Click **Azure Active Directory** > **Sign-ins**.

-Authentication providers can be found in the **Azure portal** > **Azure Active Directory** > **Security** > **MFA** > **Providers**. Click on listed providers to see details and configurations associated with that provider.

-Azure MFA Servers linked to providers will need to be reactivated using credentials generated under **Azure portal** > **Azure Active Directory** > **Security** > **MFA** > **Server settings**. Before reactivating, the following files must be deleted from the `\Program Files\Multi-Factor Authentication Server\Data\` directory on Azure MFA Servers in your environment:

-

-After you confirm that all settings are migrated, you can browse to the **Azure portal** > **Azure Active Directory** > **Security** > **MFA** > **Providers** and select the ellipses **...** and select **Delete**.

-Organizational data is tenant-level information that can expose configuration or environment setup. Tenant settings from the following Azure portal multifactor authentication pages might store organizational data such as lockout thresholds or caller ID information for incoming phone authentication requests:

-For MFA Server, the following Azure portal pages might contain organizational data:

-A user has not set up all required security info and goes to the Azure portal. After the user enters the user name and password, the user is prompted to set up security info. The user then follows the steps shown in the wizard to set up the required security info. If your settings allow it, the user can choose to set up methods other than those shown by default. After users complete the wizard, they review the methods they set up and their default method for multifactor authentication. To complete the setup process, the user confirms the info and continues to the Azure portal.

-To switch the directory in the Azure portal, click the user account name in the upper right corner and click **Switch directory**.

-To unlock admin access to your tenant, you should create emergency access accounts. These emergency access accounts, also known as *break glass* accounts, allow access to manage Azure AD configuration when normal privileged account access procedures arenΓÇÖt available. At least two emergency access accounts should be created following the [emergency access account recommendations]( ../users-groups-roles/directory-emergency-access.md).

-* Azure portal

-![Registration options for SSPR in the Azure portal][Registration]

-![Authentication methods selection in the Azure portal][Authentication]

-Azure AD checks your current hybrid connectivity and provides one of the following messages in the Azure portal:

-You can enable password writeback using the Azure portal. You can also temporarily disable password writeback without having to reconfigure Azure AD Connect.

-* **Supports password writeback when an admin resets them from the Azure portal**: When an admin resets a user's password in the [Azure portal](https://portal.azure.com), if that user is federated or password hash synchronized, the password is written back to on-premises. This functionality is currently not supported in the Office admin portal.

- * Any administrator-initiated end-user password reset from the [Azure portal](https://portal.azure.com).

-## Enable system-preferred MFA in the Azure portal

-1. In the Azure portal, click **Security** > **Authentication methods** > **Settings**.

-1. In the Azure portal, search for and select *Azure Active Directory*.

-1. Select **Company Branding**, then for each locale, choose **Show option to remain signed in**.

-1. In the Azure portal, search for and select *Azure Active Directory*.

-1. Select **Security**, then **MFA**.

-1. In the Azure portal, search for and select *Azure Active Directory*.

-1. Select **Security**, then **Conditional Access**.

-| Verification code from mobile app or hardware token | Third party software OATH tokens<br>Hardware OATH tokens (not yet available)<br>Microsoft Authenticator |

-The Authentication methods policy has granular control with separate controls for each type of OATH token. Use of OTP from Microsoft Authenticator is controlled by the **Allow use of Microsoft Authenticator OTP** control in the **Microsoft Authenticator** section of the policy. Third-party apps are controlled by the **Third party software OATH tokens** section of the policy.

-Another control for **Hardware OATH tokens** is coming soon. If you're using hardware OATH tokens, now in public preview, you should hold off on migrating OATH tokens and don't complete the migration process.

-Email notifications and Azure portal Service Health notifications (portal toasts) were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. If you've already completed the following steps, no action is necessary.

-||[Staged Rollout](#enable-staged-rollout-using-azure-portal) |

-The script will instruct you to grant admin consent to the newly created application. Navigate to the URL provided, or within the Azure portal, click **Application Registrations**, find and select the **MFA Server Migration Utility** app, click on **API permissions** and then granting the appropriate permissions.

-Once you've successfully migrated user data, you can validate the end-user experience using Staged Rollout before making the global tenant change. The following process will allow you to target specific Azure AD group(s) for Staged Rollout for MFA. Staged Rollout tells Azure AD to perform MFA by using Azure AD MFA for users in the targeted groups, rather than sending them on-premises to perform MFA. You can validate and testΓÇöwe recommend using the Azure portal, but if you prefer, you can also use Microsoft Graph.

-#### Enable Staged Rollout using Azure portal

-1. Navigate to the following url: [Enable staged rollout features - Microsoft Azure](https://portal.azure.com/?mfaUIEnabled=true%2F#view/Microsoft_AAD_IAM/StagedRolloutEnablementBladeV2).

-You can remove keys in the Azure portal by navigating to the **Security info** page and removing the FIDO2 security key.

-* SMS-based authentication has reached general availability, and we're working to remove the **(Preview)** label in the Azure portal.

- * This phone number can be assigned in the Azure portal (which is shown in this article), and in *My Staff* or *My Account*.

-Users are now enabled for SMS-based authentication, but their phone number must be associated with the user profile in Azure AD before they can sign-in. The user can [set this phone number themselves](https://support.microsoft.com/account-billing/set-up-sms-sign-in-as-a-phone-verification-method-0aa5b3b3-a716-4ff2-b0d6-31d2bcfbac42) in *My Account*, or you can assign the phone number using the Azure portal. Phone numbers can be set by *global admins*, *authentication admins*, or *privileged authentication admins*.

- Enter the user's phone number, including the country code, such as *+1 xxxxxxxxx*. The Azure portal validates the phone number is in the correct format.

- :::image type="content" source="media/howto-authentication-sms-signin/set-user-phone-number.png" alt-text="Set a phone number for a user in the Azure portal to use with SMS-based authentication":::

-If you receive an error when you try to set a phone number for a user account in the Azure portal, review the following troubleshooting steps:

-1. Make sure you set the phone number with the proper formatting, as validated in the Azure portal (such as *+1 4251234567*).

-This article shows you how to enable and use a Temporary Access Pass in Azure AD using the the [Microsoft Entra admin center](https://entra.microsoft.com).

-1. Enter the Temporary Access Pass that was displayed in the Azure portal.

-1. In the Azure portal, browse to **Users**, select a user, such as *Tap User*, then choose **Authentication methods**.

-In the Azure portal, you configure Conditional Access policies under **Azure Active Directory** > **Security** > **Conditional Access**.

-To learn more about creating Conditional Access policies, see [Conditional Access policy to prompt for Azure AD Multi-Factor Authentication when a user signs in to the Azure portal](tutorial-enable-azure-mfa.md). This helps you to:

-

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-1. Go to **Azure Active Directory** > **Security** > **Multifactor authentication** > **Account lockout**.

- 

-1. In the Azure portal, click **Azure Active Directory** > **Security** > **Authentication Methods** > **Settings**.

-An administrator can sign in to the Azure portal, go to **Azure Active Directory** > **Security** > **Multifactor authentication** > **OATH tokens**, and upload the CSV file.

-Settings for app passwords, trusted IPs, verification options, and remembering multi-factor authentication on trusted devices are available in the service settings. This is a legacy portal. It isn't part of the regular Azure portal.

-You can access service settings from the Azure portal by going to **Azure Active Directory** > **Security** > **Multifactor authentication** > **Getting started** > **Configure** > **Additional cloud-based MFA settings**. A window or tab opens with additional service settings options.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then go to **Security** > **Conditional Access** > **Named locations**.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then go to **Security** > **Conditional Access** > **Named locations**.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then select **Users**.

-1. Select **Per-user MFA**.

-1. Under **multi-factor authentication** at the top of the page, select **service settings**.

-1. On the **service settings** page, under **Trusted IPs**, choose one or both of the following options:

-1. In the Azure portal, search for and select **Azure Active Directory**, and then select **Users**.

-1. Under **multi-factor authentication** at the top of the page, select **service settings**.

-1. On the **service settings** page, under **verification options**, select or clear the appropriate checkboxes.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then select **Users**.

-1. Under **multi-factor authentication** at the top of the page, select **service settings**.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Export.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Account Close to delete all MFA cloud service information collected for this user.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Export.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Account Close to delete all MFA cloud service information collected for this user.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Export.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Account Close to delete all MFA cloud service information collected for this user.

-This article shows you how to view the Azure AD sign-ins report in the Azure portal, and then the MSOnline V1 PowerShell module.

-To view the sign-in activity report in the [Azure portal](https://portal.azure.com), complete the following steps. You can also query data using the [reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**, then choose **Users** from the menu on the left-hand side.

- [](media/howto-mfa-reporting/sign-in-report.png#lightbox)

-description: Describes how to get started with Azure MFA and AD FS 2.0.

-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

-4. In the Edit LDAP Configuration dialog box, populate the fields with the information required to connect to the AD domain controller. Descriptions of the fields are included in the Azure Multi-Factor Authentication Server help file.

-4. Open the registry editor and go to HKEY_LOCAL_MACHINE/SOFTWARE/Wow6432Node/Positive Networks/PhoneFactor on a 64-bit server. If on a 32-bit server, take the "Wow6432Node" out of the path. Create a DWORD registry key called "UsernameCxz_stripPrefixDomain" and set the value to 1. Azure Multi-Factor Authentication is now securing the AD FS proxy.

-Ensure that users have been imported from Active Directory into the Server. See the Trusted IPs section if you would like to allow internal IP addresses so that two-step verification isn't required when signing in to the website from those locations.

-description: Step-by-step get started with Azure MFA Server on-premises

-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

-Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Azure MFA Server. When you install your first Azure MFA Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.

-When a master Azure MFA Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.

-¹If Azure MFA Server fails to activate on an Azure VM that runs Windows Server 2019 or later, try using an earlier version of Windows Server.

-### Azure MFA Server Components

-There are three web components that make up Azure MFA Server:

-* Web Service SDK - Enables communication with the other components and is installed on the Azure MFA application server

-All three components can be installed on the same server if the server is internet-facing. If breaking up the components, the Web Service SDK is installed on the Azure MFA application server and the User portal and Mobile App Web Service are installed on an internet-facing server.

-Follow these steps to download the Azure AD Multi-Factor Authentication Server from the Azure portal:

-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-2. Search for and select *Azure Active Directory*. Select **Security** > **MFA**.

-3. Under **Manager MFA Server**, select **Server settings**.

- 

-5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Azure MFA Server in the boxes provided and click **Activate**.

-> Only global administrators are able to generate activation credentials in the Azure portal.

-1. In the Azure MFA Server, on the left, select **Users**.

-1. In the Azure MFA Server, on the left, select **Directory Integration**.

-When you use the Multi-Factor Authentication (MFA) Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Azure MFA cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the Multi-Factor Authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are:

-## Back up and restore Azure MFA Server

-To back up Azure MFA Server, ensure that you have a copy of the **C:\Program Files\Multi-Factor Authentication Server\Data** folder including the **PhoneFactor.pfdata** file.

-1. Reinstall Azure MFA Server on a new server.

-2. Activate the new Azure MFA Server.

-Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, Azure Active Directory (Azure AD) Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list.

->In addition, other endpoints are required for Azure portal authentication. For more information, see [Azure portal URLs for proxy bypass](/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-urls-for-proxy-bypass).

- > To make this change, search for and select **Azure Active Directory** in the Azure portal, then select **Devices > Device Settings**. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.

- > To make this change, search for and select **Azure Active Directory** in the Azure portal, then select **Devices > Device Settings**. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.

-To enable on-prem Azure AD Password Protection from the Azure portal or configure custom banned passwords, see [Enable on-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-operations.md).

-Now that you've installed the services that you need for Azure AD Password Protection on your on-premises servers, [enable on-prem Azure AD Password Protection in the Azure portal](howto-password-ban-bad-on-premises-operations.md) to complete your deployment.

-To protect your on-premises Active Directory Domain Services (AD DS) environment, you can install and configure Azure AD Password Protection to work with your on-prem DC. This article shows you how to enable Azure AD Password Protection for your on-premises environment.

-1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Password protection**.

- [](media/howto-password-ban-bad-on-premises-operations/enable-configure-custom-banned-passwords.png#lightbox)

-To monitor on-prem events, see [Monitoring on-prem Azure AD Password Protection](howto-password-ban-bad-on-premises-monitor.md).

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

-1. Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**.

-

-1. In the **Azure portal**, browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-On the **Authentication methods** page for an Azure AD user in the Azure portal, a Global Administrator can manually set the authentication contact information. You can review existing methods under the *Usable authentication methods* section, or **+Add authentication methods**, as shown in the following example screenshot:

-To make things look more user-friendly, you can change organization name in the portal and in the automated communications. To change the directory name attribute in the Azure portal, browse to **Azure Active Directory** > **Properties**. This friendly organization name option is the most visible in automated emails, as in the following examples:

-While SSPR does not typically create user issues, it is important to prepare support staff to deal with issues that may arise. While an administrator can reset the password for end users through the Azure portal, it is better to help resolve the issue via a self-service support process.

-To enable your support team's success, you can create a FAQ based on questions you receive from your users. Here are a few examples:

-You can use pre-built reports on Azure portal to measure the SSPR performance. If you're appropriately licensed, you can also create custom queries. For more information, see [Reporting options for Azure AD password management](./howto-sspr-reporting.md)

-> You must be [a global administrator](../roles/permissions-reference.md), and you must opt-in for this data to be gathered for your organization. To opt in, you must visit the Reporting tab or the audit logs on the Azure portal at least once. Until then, the data doesn't collect for your organization.

-The following questions can be answered by the reports that exist in the [Azure portal](https://portal.azure.com):

-> You must be [a global administrator](../roles/permissions-reference.md), and you must opt-in for this data to be gathered on behalf of your organization. To opt in, you must visit the **Reporting** tab or the audit logs at least once. Until then, data is not collected for your organization.

-## How to view password management reports in the Azure portal

-In the Azure portal experience, we have improved the way that you can view password reset and password reset registration activity. Use the following the steps to find the password reset and password reset registration events:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Select **All services** in the left pane.

-3. Search for **Azure Active Directory** in the list of services and select it.

-4. Select **Users** from the Manage section.

-## Description of the report columns in the Azure portal

-The following list explains each of the report columns in the Azure portal in detail:

-## Description of the report values in the Azure portal

-The following table describes the different values that are you can set for each column in the Azure portal:

-* [Reset password (by admin)](#activity-type-reset-password-by-admin): Indicates that an administrator performed a password reset on behalf of a user from the Azure portal.

-* [Reset password (self-service)](#activity-type-reset-password-self-service): Indicates that a user successfully reset their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com).

-* [Unlock user account (self-service)](#activity-type-unlock-a-user-account-self-service)): Indicates that a user successfully unlocked their Active Directory account without resetting their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com) by using the Active Directory feature of account unlock without reset.

-* **Activity description**: Indicates that an administrator performed a password reset on behalf of a user from the Azure portal.

-* **Activity description**: Indicates that a user successfully reset their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com).

- See the following table for [all the permissible reset activity status reasons](#description-of-the-report-columns-in-the-azure-portal).

-* **Activity description**: Indicates that a user successfully unlocked their Active Directory account without resetting their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com) by using the Active Directory feature of account unlock without reset.

-## Windows 11 and 10 password reset

-To configure a Windows 11 or 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.

-### Windows 11 and 10 prerequisites

-### Enable for Windows 11 and 10 using Microsoft Intune

-### Enable for Windows 11 and 10 using the Registry

-### Troubleshooting Windows 11 and 10 password reset

-## SSPR configuration in the Azure portal

-If you have problems seeing or configuring SSPR options in the Azure portal, review the following troubleshooting steps:

-### I don't see the **Password reset** section under Azure AD in the Azure portal.

-You won't see if **Password reset** menu option if you don't have an Azure AD license assigned to the administrator performing the operation.

-If you have problems with SSPR reporting in the Azure portal, review the following troubleshooting steps:

-You can enable SSPR for all users, no users, or for selected groups of users. Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned.

-In the Azure portal, change the **Self-service password reset enabled** configuration to *Selected* or *All* and then select **Save**.

-Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. Review the previous troubleshooting step to enable SSPR as required.

-Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you retry the SSPR registration process, [contact Microsoft support](#contact-microsoft-support) for additional assistance.

-| The directory isn't enabled for password reset. | In the Azure portal, change the **Self-service password reset enabled** configuration to *Selected* or *All* and then select **Save**. |

-| There's an error processing the request. | Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you re-try the SSPR registration process, [contact Microsoft support](#contact-microsoft-support) for additional assistance. |

-| TenantSSPRFlagDisabled = 9 | We're sorry, you can't reset your password at this time because your administrator has disabled password reset for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to enable this feature.<br /><br />To learn more, see [Help, I forgot my Azure AD password](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e#common-problems-and-their-solutions). | SSPR_0009: We've detected that password reset has not been enabled by your administrator. Please contact your admin and ask them to enable password reset for your organization. |

-| WritebackNotEnabled = 10 |We're sorry, you can't reset your password at this time because your administrator has not enabled a necessary service for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your organization's configuration.<br /><br />To learn more about this necessary service, see [Configuring password writeback](./tutorial-enable-sspr-writeback.md). | SSPR_0010: We've detected that password writeback has not been enabled. Please contact your admin and ask them to enable password writeback. |

-| SsprNotEnabledInUserPolicy = 11 | We're sorry, you can't reset your password at this time because your administrator has not configured password reset for your organization. There is no further action you can take to resolve this situation. Contact your admin and ask them to configure password reset.<br /><br />To learn more about password reset configuration, see [Quickstart: Azure AD self-service password reset](./tutorial-enable-sspr.md). | SSPR_0011: Your organization has not defined a password reset policy. Please contact your admin and ask them to define a password reset policy. |

-| UserNotLicensed = 12 | We're sorry, you can't reset your password at this time because required licenses are missing from your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your license assignment.<br /><br />To learn more about licensing, see [Licensing requirements for Azure AD self-service password reset](./concept-sspr-licensing.md). | SSPR_0012: Your organization does not have the required licenses necessary to perform password reset. Please contact your admin and ask them to review the license assignments. |

-| UserNotMemberOfScopedAccessGroup = 13 | We're sorry, you can't reset your password at this time because your administrator has not configured your account to use password reset. There is no further action you can take to resolve this situation. Please contact your admin and ask them to configure your account for password reset.<br /><br />To learn more about account configuration for password reset, see [Roll out password reset for users](./howto-sspr-deployment.md). | SSPR_0013: You are not a member of a group enabled for password reset. Contact your admin and request to be added to the group. |

-| UserNotProperlyConfigured = 14 | We're sorry, you can't reset your password at this time because necessary information is missing from your account. There is no further action you can take to resolve this situation. Please contact you admin and ask them to reset your password for you. After you have access to your account again, you need to register the necessary information.<br /><br />To register information, follow the steps in the [Register for self-service password reset](https://support.microsoft.com/account-billing/register-the-password-reset-verification-method-for-a-work-or-school-account-47a55d4a-05b0-4f67-9a63-f39a43dbe20a) article. | SSPR_0014: Additional security info is needed to reset your password. To proceed, contact your admin and ask them to reset your password. After you have access to your account, you can register additional security info at https://aka.ms/ssprsetup. Your admin can add additional security info to your account by following the steps in [Set and read authentication data for password reset](howto-sspr-authenticationdata.md). |

-| OnPremisesAdminActionRequired = 29 | We're sorry, we can't reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this situation. Please contact your admin and ask them to investigate. <br /><br />Or<br /><br />We cannot reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this issue. Please contact your admin and ask them to investigate.<br /><br />To learn more about the potential problem, see [Troubleshoot password writeback](troubleshoot-sspr-writeback.md). | SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate. |

-| OnPremisesConnectivityError = 30 | We're sorry, we can't reset your password at this time because of connectivity issues to your organization. There is no action to take right now, but the problem might be resolved if you try again later. If the problem persists, please contact your admin and ask them to investigate.<br /><br />To learn more about connectivity issues, see [Troubleshoot password writeback connectivity](troubleshoot-sspr-writeback.md). | SSPR_0030: We can't reset your password due to a poor connection with your on-premises environment. Contact your admin and ask them to investigate.|

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

-1. Under the **Manage** menu header, select **Authentication methods**, then **Password protection**.

- [  ](media/tutorial-configure-custom-password-protection/enable-configure-custom-banned-passwords.png#lightbox)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

-1. Under the **Manage** menu header, select **Authentication methods**, then **Password protection**.

-In this tutorial, we create a basic Conditional Access policy to prompt for MFA when a user signs in to the Azure portal. In a later tutorial in this series, we configure Azure AD Multi-Factor Authentication by using a risk-based Conditional Access policy.

-1. Sign in to the [Azure portal](https://portal.azure.com) by using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**. Then select **Security** from the menu on the left-hand side.

-1. Select **Conditional Access**, select **+ New policy**, and then select **Create new policy**.

-For this tutorial, configure the Conditional Access policy to require multi-factor authentication when a user signs in to the Azure portal.

-1. Browse the list of available sign-in events that can be used. For this tutorial, select **Microsoft Azure Management** so that the policy applies to sign-in events to the Azure portal. Then choose **Select**.

-In this tutorial, configure the access controls to require multi-factor authentication during a sign-in event to the Azure portal.

-You configured the Conditional Access policy to require additional authentication for the Azure portal. Because of that configuration, you're prompted to use Azure AD Multi-Factor Authentication or to configure a method if you haven't yet done so. Test this new requirement by signing in to the Azure portal:

-1. Open a new browser window in InPrivate or incognito mode and sign in to the [Azure portal](https://portal.azure.com).

-1. Close the browser window, and sign in to the [Azure portal](https://portal.azure.com) again to test the authentication method that you configured. For example, if you configured a mobile app for authentication, you should see a prompt like the following.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, and then select **Security** from the menu on the left-hand side.

-1. Select **Conditional Access**, and then select the policy that you created, such as **MFA Pilot**.

-You can enable Azure AD connect cloud sync provisioning directly in Azure portal or through PowerShell.

-#### Enable password writeback in Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account.

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Check the option for **Enable password write back for synced users** .

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-| End users | Any end-user self-service voluntary change password operation.<br>Any end-user self-service force change password operation, for example, password expiration.<br>Any end-user self-service password reset that originates from the password reset portal. |

-| Administrators | Any administrator self-service voluntary change password operation.<br>Any administrator self-service force change password operation, for example, password expiration.<br>Any administrator self-service password reset that originates from the password reset portal.<br> Any administrator-initiated end-user password reset from the Azure portal.<br>Any administrator-initiated end-user password reset from the Microsoft Graph API. |

-| Admin reset user password | Have two users disconnected domains and forests reset their password from the Azure Admin Portal or Frontline worker portal. You could also have Azure AD Connect and cloud sync side by side and have one user in the scope of cloud sync config and another in scope of Azure AD Connect |

-With password writeback enabled in Azure AD Connect, now configure Azure AD SSPR for writeback. SSPR can be configured to writeback through Azure AD Connect sync agents and Azure AD Connect provisioning agents (cloud sync). When you enable SSPR to use password writeback, users who change or reset their password have that updated password synchronized back to the on-premises AD DS environment as well.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Hybrid Identity Administrator account.

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-> Currently, you can only enable one Azure AD group for SSPR using the Azure portal. As part of a wider deployment of SSPR, Azure AD supports nested groups.

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* or *authentication policy administrator* permissions.

-1. Search for and select **Azure Active Directory**, then select **Password reset** from the menu on the left side.

- [](media/tutorial-enable-sspr/enable-sspr-for-group.png#lightbox)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, then select **Password reset** from the menu on the left side.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a global administrator account.

-1. Search for and select **Azure Active Directory**, select **Security**, then under the *Protect* menu heading choose **Identity Protection**.

-1. Select the **MFA registration policy** from the menu on the left-hand side.

- 

- 

- 

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

-1. From the Azure Active Directory tile, select **Go to Azure Active Directory**.

-1. Sign in to the Microsoft [Entra admin center](https://entra.microsoft.com/#home).

-1. From the Azure Active Directory tile, select **Go to Azure Active Directory**.

-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

-Ensure you're a *Global Administrator*. Learn more about [Permissions Management roles and permissions](product-roles-permissions.md).

- 

-You can associate the certificate credential with the client application in the Microsoft identity platform through the Azure portal using any of the following methods:

-You can manage [application objects](app-objects-and-service-principals.md#application-object) in the Azure portal through the [App registrations](https://aka.ms/appregistrations) experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings. The application object will only exist in its home directory, even if it's a multi-tenant application supporting service principals in other directories. The application object may include (but not limited to) any of the following:

-You can manage [service principals](app-objects-and-service-principals.md#service-principal-object) in the Azure portal through the [Enterprise Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/) experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory), and one or more service principal objects representing instances of the application in every directory in which it acts.

- 1. In the Azure portal, go to the [User settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings) section under **App registrations**

-You define app roles by using the [Azure portal](https://portal.azure.com) during the [app registration process](quickstart-register-app.md). App roles are defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a `roles` claim for each role that the user or service principal has been granted. This can be used to implement [claim-based authorization](./claims-validation.md). App roles can be assigned [to a user or a group of users](../manage-apps/add-application-portal-assign-users.md). App roles can also be assigned to the service principal for another application, or [to the service principal for a managed identity](../managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md).

-App roles are declared using App roles UI in the Azure portal:

-To create an app role by using the Azure portal's user interface:

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**, and then select the application you want to define app roles in.

-1. Select **App roles**, and then select **Create app role**.

-To assign users and groups to roles by using the Azure portal:

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. In **Azure Active Directory**, select **Enterprise applications** in the left-hand navigation menu.

-Once you've added app roles in your application, you can assign an app role to a client app by using the Azure portal or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments).

-To assign app roles to an application by using the Azure portal:

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. In **Azure Active Directory**, select **App registrations** in the left-hand navigation menu.

-## Set a publisher domain in the Azure portal

-To set a publisher domain for your app by using the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In Azure Active Directory, go to [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908). Search for and select the app you want to configure.

-To delete an application, be listed as an owner of the application or have admin privileges.

-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which the app is registered.

-1. Search and select the **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** and select the application that you want to configure. Once you've selected the app, you see the application's **Overview** page.

-You can view your deleted applications, restore a deleted application, or permanently delete an application using the **App registrations** experience under Azure Active Directory (Azure AD) in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

-1. Search and select **Azure Active Directory**, select **App registrations**, and then select the **Deleted applications** tab.

-To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be assigned one of **Global administrator**, **Application administrator**, or **Cloud application administrator** directory roles.

-1. Sign in to the [Azure portal](https://portal.azure.com)

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch the tenant in which you want to register an application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **Enterprise Applications** then select **All applications**.

-The redirect URI should be in this format: `msauth.<app.bundle.id>://auth`. Replace `<app.bundle.id>` with your application's bundle ID. Specify the redirect URI in the [Azure portal](https://aka.ms/MobileAppReg).

-For iOS only, to support cert-based authentication, an additional redirect URI needs to be registered in your application and the Azure portal in the following format: `msauth://code/<broker-redirect-uri-in-url-encoded-form>`. For example, `msauth://code/msauth.com.microsoft.mybundleId%3A%2F%2Fauth`

-If you'd like to continue using your existing app registration for your applications, use the Azure portal to update the registration's redirect URIs to the SPA platform. Doing so enables the authorization code flow with PKCE and CORS support for apps that use the registration (you still need to update your application's code to MSAL.js v2.x).

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a> and select your **Azure Active Directory** tenant.

-1. In **App registrations**, select your application, and then **Authentication**.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of these fields.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of the various fields.

-Set the `redirect_uri` property on config to a simple page, that does not require authentication. You have to make sure that it matches with the `redirect_uri` registered in Azure portal. This will not affect user's login experience as MSAL saves the start page when user begins the login process and redirects back to the exact location after login is completed.

-Before initializing an application, you first need to [register it with the Azure portal](scenario-spa-app-registration.md), establishing a trust relationship between your application and the Microsoft identity platform.

-After registering your app, you'll need some or all of the following values that can be found in the Azure portal.

-Initialize the MSAL.js authentication context by instantiating a [PublicClientApplication][msal-js-publicclientapplication] with a [Configuration][msal-js-configuration] object. The minimum required configuration property is the `clientID` of the application, shown as **Application (client) ID** on the **Overview** page of the app registration in the Azure portal.

-Initialize the MSAL 1.x authentication context by instantiating a UserAgentApplication with a configuration object. The minimum required configuration property is the `clientID` of your application, shown as **Application (client) ID** on the **Overview** page of the app registration in the Azure portal.

-If you have a Xamarin Android app currently using the Azure Active Directory Authentication Library for .NET (ADAL.NET) and an [authentication broker](msal-android-single-sign-on.md), it's time to migrate to the [Microsoft Authentication Library for .NET ](msal-overview.md) (MSAL.NET).

-For more information about Android-specific considerations when using MSAL.NET with Xamarin, see [Configuration requirements and troubleshooting tips for Xamarin Android with MSAL.NET](msal-net-xamarin-android-considerations.md).

-When accessing the Microsoft Graph, the managed identity needs to have proper permissions for the operation it wants to perform. Currently, there's no option to assign such permissions through the Azure portal. The following script will add the requested Microsoft Graph API permissions to the managed identity service principal object.

-After executing the script, you can verify in the [Azure portal](https://portal.azure.com) that the requested API permissions are assigned to the managed identity.

-Go to **Azure Active Directory**, and then select **Enterprise applications**. This pane displays all the service principals in your tenant. In **Managed Identities**, select the service principal for the managed identity.

-In the [Azure portal](https://portal.azure.com) menu, select **Azure Active Directory** or search for and select **Azure Active Directory** from any page.

-*AzureAd* specifies the configuration for the Microsoft.Identity.Web library. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** from the portal menu and then select **App registrations**. Select the app registration created when you enabled the App Service authentication/authorization module. (The app registration should have the same name as your web app.) You can find the tenant ID and client ID in the app registration overview page. The domain name can be found in the Azure AD overview page for your tenant.

- "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",

- "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",

- "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory** > **App registrations**, and then select your client application (*not* your web API).

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory** > **App registrations**, and then select your client application.

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory** > **App registrations**, and then select your client application.

-1. Go to the [Azure portal page for app registration](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/DotNetCoreDaemonQuickstartPage/sourceType/docs).

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. In *appsettings.json*, replace the values of `Tenant`, `ClientId`, and `ClientSecret`. The value for the application (client) ID and the directory (tenant) ID, can be found in the app's **Overview** page on the Azure portal.

-For a global tenant administrator, go to **Enterprise applications** in the Azure portal. Select the app registration, and select **Permissions** from the **Security** section of the left pane. Then select the large button labeled **Grant admin consent for {Tenant Name}** (where **{Tenant Name}** is the name of the directory).

- | `ClientSecret` | The client secret created for the application in the Azure portal. |

- | `ClientId` | The application (client) ID for the application registered in the Azure portal. This value can be found on the app's **Overview** page in the Azure portal. |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-> To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal. To generate a new key, go to **Certificates & secrets** page.

-If you're a global tenant administrator, go to **API Permissions** page in **App registrations** in the Azure portal and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).

-| `config["secret"]` | Is the client secret created for the application in Azure portal. |

-| `config["client_id"]` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |

-| `config["scope"]` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations** in the Azure portal.|

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/UwpQuickstartPage/sourceType/docs) quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

- You can find the **Application (client) ID** on the app's **Overview** pane in the Azure portal (**Azure Active Directory** > **App registrations** > *{Your app registration}*).

-The value of `ClientId` is the **Application (client) ID** of the app you registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/WinDesktopQuickstartPage/sourceType/docs)quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

- To find the value of **Application (client) ID**, go to the app's **Overview** page in the Azure portal.

- To find the values of **Directory (tenant) ID** and **Supported account types**, go to the app's **Overview** page in the Azure portal.

-| `ClientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |

-See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of these fields.

-See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of the various fields.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of these fields.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of the various fields.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. In *appsettings.json*, replace the values of `ClientId`, and `TenantId`. The value for the application (client) ID and the directory (tenant) ID, can be found in the app's **Overview** page on the Azure portal.

-| `ClientId` | Application (client) ID of the application registered in the Azure portal. |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.

-1. Find and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. Go to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

- - `Enter_the_Application_Id_here` is the application (client) ID of the app registration that you created earlier. Find the application (client) ID on the app's **Overview** page in **App registrations** in the Azure portal.

- - If your application supports **My organization only**, replace this value with the directory (tenant) ID or tenant name (for example, `contoso.onmicrosoft.com`). Find the directory (tenant) ID on the app's **Overview** page in **App registrations** in the Azure portal.

- - `redirectUri` is the **Redirect URI** you entered earlier in **App registrations** in the Azure portal.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**.

-1. Select **New registration**.

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Under **Manage**, select **App registrations** > **New registration**.

-Follow these steps to register your application in the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.

-1. Navigate to the portal's [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page, and select **New registration**.

-The Microsoft identity platform uses the cloud service's **Metadata URI** to retrieve the signing key and the logout URI. This way the Microsoft identity platform can send the response to the correct URL. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>;

-# [.NET (low level) ](#tab/dotnet)

-Specify the redirect URI for your app by [configuring the platform settings](quickstart-register-app.md#add-a-redirect-uri) for the app in **App registrations** in the Azure portal.

- 1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, select your app in **App registrations**, and then select **Authentication**.

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. In the Azure portal, select the app registration you created earlier in [Create the app registration](#create-the-app-registration).

-1. In the Azure portal, select the app registration you created earlier in [Create the app registration](#create-the-app-registration).

-When all your production single-page applications represented by an app registration are using MSAL.js 2.0 and the authorization code flow, uncheck the implicit grant settings on the app registration's **Authentication** pane in the Azure portal. Applications using MSAL.js 1.x and the implicit flow can continue to function, however, if you leave the implicit flow enabled (checked).

-To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register a single-page application (SPA) in a tenant on the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations > New registration**.

-1. Replace the following values with the values from the Azure portal.

-1. Replace the following values with the values from the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

-1. Go to **Users**.

-ROPC is a public client flow, so you need to enable your app for public client flows. From your app registration in the [Azure portal](https://portal.azure.com), go to **Authentication** > **Advanced settings** > **Allow public client flows**. Set the toggle to **Yes**.

-From your app registration in the [Azure portal](https://portal.azure.com), go to **API Permissions** > **Add a permission**. Add the permissions you need to call the APIs you'll be using. A test example further in this article uses the `https://graph.microsoft.com/User.Read` and `https://graph.microsoft.com/User.ReadBasic.All` permissions.

-If you plan on testing your app in the same tenant you registered it in and you are an administrator in that tenant, you can consent to the permissions from the [Azure portal](https://portal.azure.com). In your app registration in the Azure portal, go to **API Permissions** and select the **Grant admin consent for <your_tenant_name>** button next to the **Add a permission** button and then **Yes** to confirm.

-If you do not plan on testing your app in the same tenant you registered it in, or you are not an administrator in your tenant, you cannot consent to the permissions from the [Azure portal](https://portal.azure.com). You can still consent to some permissions, however, by triggering a sign-in prompt in a web browser.

-In your app registration in the [Azure portal](https://portal.azure.com), go to **Authentication** > **Platform configurations** > **Add a platform** > **Web**. Add the redirect URI "https://localhost" and select **Configure**.

-1. Sign in to the [Azure portal](https://portal.azure.com) to access your tenant. Select **Azure Active Directory**. Select **Security** in the left navigation pane and then select **Conditional Access**.

-Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain.

-The Microsoft Graph API requires the *user.read* scope to read a user's profile. By default, this scope is automatically added in every application that's registered in the Azure portal. Other APIs for Microsoft Graph, as well as custom APIs for your back-end server, might require additional scopes. For example, the Microsoft Graph API requires the *Mail.Read* scope in order to list the user's email.

-> * Register the application in the Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to **Azure Active Directory**.

-1. On the left panel, under **Manage**, select **App registrations**. Then, on the top menu bar, select **New registration**.

-To customize the information returned by the identity platform during authentication and authorization, use [claims mapping]( active-directory-claims-mapping.md) and [optional claims]( active-directory-optional-claims.md) to modify security token configuration.

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-| `client_id` | Required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-To use app roles (application permissions) with your own API (as opposed to Microsoft Graph), you must first [expose the app roles](./howto-add-app-roles-in-apps.md) in the API's app registration in the Azure portal. Then, [configure the required app roles](./howto-add-app-roles-in-apps.md#assign-app-roles-to-applications) by selecting those permissions in your client application's app registration. If you haven't exposed any app roles in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned:

-| `client_id` | required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | Required | The application (client) ID that [the Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page has assigned to your app. |

-| `client_secret` | Required | The client secret that you generated for your app in the Azure portal - App registrations page. The Basic auth pattern of instead providing credentials in the Authorization header, per [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) is also supported. |

-| `client_id` | Required | The application (client) ID that [the Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page has assigned to your app. |

-| client_id |required | The app ID assigned to the calling service during registration with Azure AD. To find the app ID in the Azure portal, select **Active Directory**, choose the directory, and then select the application name. |

-1. Sign in to the [Azure portal](https://portal.azure.com) and select **Azure Active Directory** > **App registrations** > *\<your application\>* > **Authentication**.

-To find the OIDC configuration document in the Azure portal, sign in to the [Azure portal](https://portal.azure.com) and then:

-1. Select **Azure Active Directory** > **App registrations** > *\<your application\>* > **Endpoints**.

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-Knowing about OAuth or OpenID Connect (OIDC) at the protocol level isn't required to use the Microsoft identity platform. However, you'll encounter protocol terms and concepts as you use the identity platform to add authentication to your apps. As you work with the Azure portal, our documentation, and authentication libraries, knowing some fundamentals can assist your integration and overall experience.

-To find the endpoints for an application you've registered, in the [Azure portal](https://portal.azure.com) navigate to:

-1. Sign in to the [app registration page of the portal](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) (Please note that we are using the v2.0 endpoints for Graph API and hence need to register the application in Azure portal. Otherwise we could have used the registrations in Azure AD).

-1. Sign in to the [Azure portal](https://portal.azure.com) with an account that has Global Administrator, Intune Administrator, or User Administrator role permissions.

-1. Select **Azure Active Directory** > **Groups**, and then select **New group**.

-[Customize your sign-in branding](../fundamentals/add-custom-domain.md)

-7. Complete one of the following set of steps:

- - *If the guest user isn't currently in the directory:*

-

- a. On the **Add members** page, type the user's full email address in the search box, type a **Personal message** (optional), and then choose **Invite** to send an invitation.

-

- b. Choose **Select**.

-

- c. Now add the user to the group: On the **Members** page, choose **Add members**. Type the user's name or email address in the search box, choose the user in the results, and then choose **Select**.

-8. Complete one of the following set of steps:

- - *If the guest user isn't currently in the directory:*

-

- a. On the **Users** page, type the user's full email address in the search box, type a **Personal message** (optional), and then choose **Invite**.

-

- b. Choose **Select**.

-

- c. Now add the invited user to the application: On the **Add Assignment** page, choose the link under **Users**. Type the invited user's name or email address in the search box, choose the user in the results, and then choose **Select**.

-

- d. On the **Add Assignment** page, choose **Assign**.

-### To select the layout of the attribute collection page (optional)

-You can choose the order in which the attributes are displayed on the sign-up page.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).

-1. Browse to **Identity** > **External Identities** > **User flows**.

-1. From the list, select your user flow.

-1. Under **Customize**, select **Page layouts**.

- The attributes you chose to collect are listed. You can change the attribute label, type, and whether itΓÇÖs required. You can also change the order of display by selecting an attribute, and then select **Move up**, **Move down**, **Move to the top**, or **Move to the bottom**.

- :::image type="content" source="media/how-to-user-flow-sign-up-sign-in-customers/page-layouts.png" alt-text="Screenshot of page layout options for a user flow.":::

-1. Select **Save**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

-2. Under **Azure services**, select **Azure Active Directory**.

-3. In the left menu, select **External Identities**.

-4. Select **User flows**.

-3. Select the user flow that you want to enable for translations.

-4. Select **Languages**.

-5. On the **Languages** page for the user flow, select the language that you want to customize.

-6. Expand **Attribute collection page**.

-7. Select **Download defaults** (or **Download overrides** if you've previously edited this language).

- 

-To communicate the multicloud, multiplatform functionality of the products, alleviate confusion with Windows Server Active Directory, and unify the [Microsoft Entra](/entra) product family, we're renaming Azure Active Directory (Azure AD) to Microsoft Entra ID.

-If you're using Azure AD today or are currently deploying Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations will continue to function as they do today without any action from you.

-Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô will continue to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra).

-## Guide to Azure AD name changes and exceptions

-We encourage content creators, organizations with internal documentation for IT or identity security admins, developers of Azure AD-enabled apps, independent software vendors, or partners of Microsoft to update your experiences and use the new name by the end of 2023. We recommend changing the name in customer-facing experiences, prioritizing highly visible surfaces.

-Microsoft Entra ID is the new name for Azure AD. Please replace the product names Azure Active Directory, Azure AD, and AAD with Microsoft Entra ID.

-Please change the Azure AD product icon in your experiences. The Azure AD icons are now at end-of-life.

-You can download the new Microsoft Entra ID icon here: [Microsoft Entra architecture icons](../architecture/architecture-icons.md)

-Capabilities or services formerly known as "Azure Active Directory &lt;feature name&gt;" or "Azure AD &lt;feature name&gt;" will be branded as Microsoft Entra product family features. This is done across our portfolio to avoid naming length and complexity, and because many features work across all the products. For example:

-See the [Glossary of updated terminology](#glossary-of-updated-terminology) later in this article for more examples.

-### Exceptions and clarifications to the Azure AD name change

-Names aren't changing for Active Directory, developer tools, Azure AD B2C, nor deprecated or retired functionality, features, or services.

-Don't rename the following features, functionality, or services.

-#### Azure AD renaming exceptions and clarifications

-| Authentication library <br/><br/>&#8226; Azure AD Authentication Library (ADAL) <br/>&#8226; Microsoft Authentication Library (MSAL) | Azure Active Directory Authentication Library (ADAL) is deprecated. While existing apps that use ADAL will continue to work, Microsoft will no longer release security fixes on ADAL. Migrate applications to the Microsoft Authentication Library (MSAL) to avoid putting your app's security at risk. <br/><br/>[Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) - Provides security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. |

-| B2C <br/><br/>&#8226; Azure Active Directory B2C <br/>&#8226; Azure AD B2C | [Azure Active Directory B2C](/azure/active-directory-b2c) isn't being renamed. Microsoft Entra External ID for customers is Microsoft's new customer identity and access management (CIAM) solution. |

-| Graph <br/><br/>&#8226; Azure Active Directory Graph <br/>&#8226; Azure AD Graph <br/>&#8226; Microsoft Graph | Azure Active Directory (Azure AD) Graph is deprecated. Going forward, we will make no further investment in Azure AD Graph, and Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.<br/><br/>[Microsoft Graph](/graph) - Grants programmatic access to organization, user, and application data stored in Microsoft Entra ID. |

-| Microsoft identity platform | The Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts. |

-## Glossary of updated terminology

-Features of the identity and network access products are attributed to Microsoft EntraΓÇöthe product family, not the individual product name.

-You're not required to use the Microsoft Entra attribution with features. Only use if needed to clarify whether you're talking about a concept versus the feature in a specific product, or when comparing a Microsoft Entra feature with a competing feature.

-Only official product names are capitalized, plus Conditional Access and My * apps.

-| **Category** | **Old terminology** | **Correct name as of July 2023** |

-|-||-|

-| **Microsoft Entra product family** | Microsoft Azure Active Directory<br/> Azure Active Directory<br/> Azure Active Directory (Azure AD)<br/> Azure AD<br/> AAD | Microsoft Entra ID<br/> (Second use: Microsoft Entra ID is preferred, ID is acceptable in product/UI experiences, ME-ID if abbreviation is necessary) |

-| | Azure Active Directory External Identities<br/> Azure AD External Identities | Microsoft Entra External ID<br/> (Second use: External ID) |

-| | Azure Active Directory Identity Governance<br/> Azure AD Identity Governance<br/> Microsoft Entra Identity Governance | Microsoft Entra ID Governance<br/> (Second use: ID Governance) |

-| | *New* | Microsoft Entra Internet Access<br/> (Second use: Internet Access) |

-| | Cloud Knox | Microsoft Entra Permissions Management<br/> (Second use: Permissions Management) |

-| | *New* | Microsoft Entra Private Access<br/> (Second use: Private Access) |

-| | Azure Active Directory Verifiable Credentials<br/> Azure AD Verifiable Credentials | Microsoft Entra Verified ID<br/> (Second use: Verified ID) |

-| | Azure Active Directory Workload Identities<br/> Azure AD Workload Identities | Microsoft Entra Workload ID<br/> (Second use: Workload ID) |

-| | Azure Active Directory Domain Services<br/> Azure AD Domain Services | Microsoft Entra Domain Services<br/> (Second use: Domain Services) |

-| **Microsoft Entra ID SKUs** | Azure Active Directory Premium P1 | Microsoft Entra ID P1 |

-| | Azure Active Directory Premium P1 for faculty | Microsoft Entra ID P1 for faculty |

-| | Azure Active Directory Premium P1 for students | Microsoft Entra ID P1 for students |

-| | Azure Active Directory Premium P1 for government | Microsoft Entra ID P1 for government |

-| | Azure Active Directory Premium P2 | Microsoft Entra ID P2 |

-| | Azure Active Directory Premium P2 for faculty | Microsoft Entra ID P2 for faculty |

-| | Azure Active Directory Premium P2 for students | Microsoft Entra ID P2 for students |

-| | Azure Active Directory Premium P2 for government | Microsoft Entra ID P2 for government |

-| | Azure Active Directory Premium F2 | Microsoft Entra ID F2 |

-| **Microsoft Entra ID service plans** | Azure Active Directory Free | Microsoft Entra ID Free |

-| | Azure Active Directory Premium P1 | Microsoft Entra ID P1 |

-| | Azure Active Directory Premium P2 | Microsoft Entra ID P2 |

-| | Azure Active Directory for education | Microsoft Entra ID for education |

-| **Features and functionality** | Azure AD access token authentication<br/> Azure Active Directory access token authentication | Microsoft Entra access token authenticationΓÇ»|

-| | Azure AD account<br/> Azure Active Directory account | Microsoft Entra account<br/><br/> This terminology is only used with IT admins and developers. End users authenticate with a work or school account. |

-| | Azure AD activity logs | Microsoft Entra activity logs |

-| | Azure AD admin<br/> Azure Active Directory admin | Microsoft Entra admin |

-| | Azure AD admin center<br/> Azure Active Directory admin center | Replace with Microsoft Entra admin center and update link to entra.microsoft.com |

-| | Azure AD application proxy<br/> Azure Active Directory application proxy | Microsoft Entra application proxy |

-| | Azure AD audit log | Microsoft Entra audit log |

-| | Azure AD authentication<br/> authenticate with an Azure AD identity<br/> authenticate with Azure AD<br/> authentication to Azure AD | Microsoft Entra authentication<br/> authenticate with a Microsoft Entra identity<br/> authenticate with Microsoft Entra<br/> authentication to Microsoft Entra<br/><br/> This terminology is only used with administrators. End users authenticate with a work or school account. |

-| | Azure AD B2B<br/> Azure Active Directory B2B | Microsoft Entra B2B |

-| | Azure AD built-in roles<br/> Azure Active Directory built-in roles | Microsoft Entra built-in roles |

-| | Azure AD Conditional Access<br/> Azure Active Directory Conditional Access | Microsoft Entra Conditional Access<br/> (Second use: Conditional Access) |

-| | Azure AD cloud-only identities<br/> Azure Active Directory cloud-only identities | Microsoft Entra cloud-only identities |

-| | Azure AD Connect<br/> Azure Active Directory Connect | Microsoft Entra Connect |

-| | Azure AD Connect Sync<br/> Azure Active Directory Connect Sync | Microsoft Entra Connect Sync |

-| | Azure AD domain<br/> Azure Active Directory domain | Microsoft Entra domain |

-| | Azure AD Domain Services<br/> Azure Active Directory Domain Services | Microsoft Entra Domain Services |

-| | Azure AD enterprise application<br/> Azure Active Directory enterprise application | Microsoft Entra enterprise application |

-| | Azure AD federation services<br/> Azure Active Directory federation services | Active Directory Federation Services |

-| | Azure AD groups<br/> Azure Active Directory groups | Microsoft Entra groups |

-| | Azure AD hybrid identities<br/> Azure Active Directory hybrid identities | Microsoft Entra hybrid identities |

-| | Azure AD identities<br/> Azure Active Directory identities | Microsoft Entra identities |

-| | Azure AD identity protection<br/> Azure Active Directory identity protection | Microsoft Entra ID Protection |

-| | Azure AD integrated authentication<br/> Azure Active Directory integrated authentication | Microsoft Entra integrated authentication |

-| | Azure AD join<br/> Azure AD joined<br/> Azure Active Directory join<br/> Azure Active Directory joined | Microsoft Entra join<br/> Microsoft Entra joined |

-| | Azure AD login<br/> Azure Active Directory login | Microsoft Entra login |

-| | Azure AD managed identities<br/> Azure Active Directory managed identities | Microsoft Entra managed identities |

-| | Azure AD multifactor authentication (MFA)<br/> Azure Active Directory multifactor authentication (MFA) | Microsoft Entra multifactor authentication (MFA)<br/> (Second use: MFA) |

-| | Azure AD OAuth and OpenID Connect<br/> Azure Active Directory OAuth and OpenID Connect | Microsoft Entra ID OAuth and OpenID Connect |

-| | Azure AD object<br/> Azure Active Directory object | Microsoft Entra object |

-| | Azure Active Directory-only authentication<br/> Azure AD-only authentication | Microsoft Entra-only authentication |

-| | Azure AD pass-through authentication (PTA)<br/> Azure Active Directory pass-through authentication (PTA) | Microsoft Entra pass-through authentication |

-| | Azure AD password authentication<br/> Azure Active Directory password authentication | Microsoft Entra password authentication |

-| | Azure AD password hash synchronization (PHS)<br/> Azure Active Directory password hash synchronization (PHS) | Microsoft Entra password hash synchronization |

-| | Azure AD password protection<br/> Azure Active Directory password protection | Microsoft Entra password protection |

-| | Azure AD principal ID<br/> Azure Active Directory principal ID | Microsoft Entra principal ID |

-| | Azure AD Privileged Identity Management (PIM)<br/> Azure Active Directory Privileged Identity Management (PIM) | Microsoft Entra Privileged Identity Management (PIM) |

-| | Azure AD registered<br/> Azure Active Directory registered | Microsoft Entra registered |

-| | Azure AD reporting and monitoring<br/> Azure Active Directory reporting and monitoring | Microsoft Entra reporting and monitoring |

-| | Azure AD role<br/> Azure Active Directory role | Microsoft Entra role |

-| | Azure AD schema<br/> Azure Active Directory schema | Microsoft Entra schema |

-| | Azure AD Seamless single sign-on (SSO)<br/> Azure Active Directory Seamless single sign-on (SSO) | Microsoft Entra seamless single sign-on (SSO)<br/> (Second use: SSO) |

-| | Azure AD self-service password reset (SSPR)<br/> Azure Active Directory self-service password reset (SSPR) | Microsoft Entra self-service password reset (SSPR) |

-| | Azure AD service principal<br/> Azure Active Directory service principal | Microsoft Entra service principal |

-| | Azure AD tenant<br/> Azure Active Directory tenant | Microsoft Entra tenant |

-| | Create a user in Azure AD<br/> Create a user in Azure Active Directory | Create a user in Microsoft Entra |

-| | Federated with Azure AD<br/> Federated with Azure Active Directory | Federated with Microsoft Entra |

-| | Hybrid Azure AD Join<br/> Hybrid Azure AD Joined | Microsoft Entra hybrid join<br/> Microsoft Entra hybrid joined |

-| | Managed identities in Azure AD for Azure SQL | Managed identities in Microsoft Entra for Azure SQL |

-| **Acronym usage** | AAD | ME-ID<br/><br/> Note that this isn't an official abbreviation for the product but may be used in code or when absolute shortest form is required. |

-See the [Glossary of updated terminology](#glossary-of-updated-terminology) for more examples.

-Customers currently using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription will continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>.

-Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô will continue to be available within Microsoft 365 enterprise and business premium offers. Office 365 was renamed Microsoft 365 in 2022. Unique capabilities in the Azure AD for Office 365 apps (such as company branding and self-service sign-in activity search) will now be available to all Microsoft customers in Microsoft Entra ID Free.

-In addition to the capabilities they already have, Microsoft 365 E5 customers will also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra P2, currently known as Azure AD Premium P2.

-Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts.

-We'd like your help spreading the word about the name change and implementing it in your own experiences. If you're a content creator, author of internal documentation for IT or identity security admins, developer of Azure ADΓÇôenabled apps, independent software vendor, or Microsoft partner, we hope you use the naming guidance outlined in the ([Glossary of updated terminology](#glossary-of-updated-terminology)) to make the name change in your content and product experiences by the end of 2023.

-| August 29, 2023 | <br/>&#8226; In the [glossary](#glossary-of-updated-terminology), corrected the entry for "Azure AD activity logs" to separate "Azure AD audit log", which is a distinct type of activity log. <br/>&#8226; Added Azure AD Sync and DirSync to the [Azure AD renaming exceptions and clarifications](#azure-ad-renaming-exceptions-and-clarifications) section. |

-

-## April 2022

-### General Availability - Entitlement management separation of duties checks for incompatible access packages

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Identity Governance

-In Azure AD entitlement management, an administrator can now configure the incompatible access packages and groups of an access package in the Azure portal. This prevents a user who already has one of those incompatible access rights from being able to request further access. For more information, see: [Configure separation of duties checks for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-incompatible.md).

-### General Availability - Microsoft Defender for Endpoint Signal in Identity Protection

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-

-Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that will protect against PRT theft detection. To learn more, see: [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md).

-

-### General Availability - Entitlement management 3 stages of approval

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Entitlement Management

-

-This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This is able to be configured via the Azure portal or Microsoft Graph. For more information, see: [Change approval and requestor information settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md).

-

-### General Availability - Improvements to Azure AD Smart Lockout

-**Type:** Changed feature

-**Service category:** Identity Protection

-**Product capability:** User Management

-

-With a recent improvement, Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: [Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md).

-

-### Public Preview - Integration of Microsoft 365 App Certification details into Azure Active Directory UX and Consent Experiences

-**Type:** New feature

-**Service category:** User Access Management

-**Product capability:** AuthZ/Access Delegation

-Microsoft 365 Certification status for an app is now available in Azure AD consent UX, and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps. For more information, see: [Understanding Azure AD application consent experiences](../develop/application-consent-experience.md).

-### Public preview - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: [Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews (preview)](../governance/create-access-review.md#include-b2b-direct-connect-users-and-teams-accessing-teams-shared-channels-in-access-reviews).

-### Public Preview - New MS Graph APIs to configure federated settings when federated with Azure AD

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Identity Security & Protection

-We're announcing the public preview of following MS Graph APIs and PowerShell cmdlets for configuring federated settings when federated with Azure AD:

-|Action |MS Graph API |PowerShell cmdlet |

-||||

-|Get federation settings for a federated domain | [Get internalDomainFederation](/graph/api/internaldomainfederation-get?view=graph-rest-beta&preserve-view=true) | [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-|Create federation settings for a federated domain | [Create internalDomainFederation](/graph/api/domain-post-federationconfiguration?view=graph-rest-beta&preserve-view=true) | [New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-|Remove federation settings for a federated domain | [Delete internalDomainFederation](/graph/api/internaldomainfederation-delete?view=graph-rest-beta&preserve-view=true) | [Remove-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/remove-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-|Update federation settings for a federated domain | [Update internalDomainFederation](/graph/api/internaldomainfederation-update?view=graph-rest-beta&preserve-view=true) | [Update-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-For more information, see [internalDomainFederation resource type - Microsoft Graph beta](/graph/api/resources/internaldomainfederation?view=graph-rest-beta&preserve-view=true).

-### Public Preview ΓÇô Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

-**Type:** New feature

-**Service category:** RBAC role

-**Product capability:** AuthZ/Access Delegation

-Added functionality to session controls allowing admins to reauthenticate a user on every sign-in if a user or particular sign-in event is deemed risky, or when enrolling a device in Intune. For more information, see [Configure authentication session management with conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).

-### Public Preview ΓÇô Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Identity Security & Protection

-We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true).

-We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).

-### New Federated Apps available in Azure AD Application gallery - April 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** Third Party Integration

-In April 2022 we added the following 24 new applications in our App gallery with Federation support:

-[X-1FBO](https://www.x1fbo.com/), [select Armor](https://app.clickarmor.c)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-### General Availability - Customer data storage for Japan customers in Japanese data centers

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** GoLocal

-From April 15, 2022, Microsoft began storing Azure ADΓÇÖs Customer Data for new tenants with a Japan billing address within the Japanese data centers. For more information, see: [Customer data storage for Japan customers in Azure Active Directory](./data-storage-japan.md).

-### Public Preview - New provisioning connectors in the Azure AD Application Gallery - April 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Third Party Integration

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md)

-Recently we [announced](../fundamentals/whats-new.md#modernizing-terms-of-use-experiences) the modernization of terms of use end-user experiences as part of ongoing service improvements. As previously communicated the end user experiences will be updated with a new PDF viewer and are moving from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com.

-## March 2023

-### Public Preview - New provisioning connectors in the Azure AD Application Gallery - March 2023

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-### General Availability - Workload identity Federation for Managed Identities

-**Type:** New feature

-**Service category:** Managed identities for Azure resources

-**Product capability:** Developer Experience

-Workload Identity Federation enables developers to use managed identities for their software workloads running anywhere and access Azure resources without needing secrets. Key scenarios include:

-For more information, see:

-### Public Preview - New My Groups Experience

-**Type:** Changed feature

-**Service category:** Group Management

-**Product capability:** End User Experiences

-A new and improved My Groups experience is now available at `https://www.myaccount.microsoft.com/groups`. My Groups enables end users to easily manage groups, such as finding groups to join, managing groups they own, and managing existing group memberships. Based on customer feedback, the new My Groups support sorting and filtering on lists of groups and group members, a full list of group members in large groups, and an actionable overview page for membership requests.

-This experience replaces the existing My Groups experience at `https://www.mygroups.microsoft.com` in May.

-For more information, see: [Update your Groups info in the My Apps portal](https://support.microsoft.com/account-billing/update-your-groups-info-in-the-my-apps-portal-bc0ca998-6d3a-42ac-acb8-e900fb1174a4).

-### Public preview - Customize tokens with Custom Claims Providers

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** Extensibility

-A custom claims provider lets you call an API and map custom claims into the token during the authentication flow. The API call is made after the user has completed all their authentication challenges, and a token is about to be issued to the app. For more information, see: [Custom authentication extensions (preview)](../develop/custom-claims-provider-overview.md).

-### General Availability - Converged Authentication Methods

-**Type:** New feature

-**Service category:** MFA

-**Product capability:** User Authentication

-The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in your tenant. For more information, see: [Manage authentication methods](../authentication/concept-authentication-methods-manage.md).

-### General Availability - Provisioning Insights Workbook

-**Type:** New feature

-**Service category:** Provisioning

-**Product capability:** Monitoring & Reporting

-This new workbook makes it easier to investigate and gain insights into your provisioning workflows in a given tenant. This includes HR-driven provisioning, cloud sync, app provisioning, and cross-tenant sync.

-Some key questions this workbook can help answer are:

-For more information, see: [Provisioning insights workbook](../app-provisioning/provisioning-workbook.md).

-### General Availability - Number Matching for Microsoft Authenticator notifications

-**Type:** Plan for Change

-**Service category:** Microsoft Authenticator App

-**Product capability:** User Authentication

-Microsoft Authenticator appΓÇÖs number matching feature has been Generally Available since Nov 2022! If you haven't already used the rollout controls (via Azure portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We previously announced that we'll remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we'll extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8, 2023. We'll also remove the rollout controls for number matching after that date.

-If customers donΓÇÖt enable number match for all Microsoft Authenticator push notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-ins while the services are rolling out this change. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

-For more information, see: [How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy](../authentication/how-to-mfa-number-match.md)

-### Public Preview - IPv6 coming to Azure AD

-**Type:** Plan for Change

-**Service category:** Identity Protection

-**Product capability:** Platform

-Earlier, we announced our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD), enabling our customers to reach the Azure AD services over IPv4, IPv6 or dual stack endpoints. This is just a reminder that we have started introducing IPv6 support into Azure AD services in a phased approach in late March 2023.

-

-If you utilize Conditional Access or Identity Protection, and have IPv6 enabled on any of your devices, you likely must take action to avoid impacting your users. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to deprioritize IPv4 in any Azure AD features or services. We continue to share additional guidance on IPv6 enablement in Azure AD at this link: [IPv6 support in Azure Active Directory](/troubleshoot/azure/active-directory/azure-ad-ipv6-support).

-### General Availability - Microsoft cloud settings for Azure AD B2B

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:

-For more information about Microsoft cloud settings for B2B collaboration, see [Microsoft cloud settings](../external-identities/cross-tenant-access-overview.md#microsoft-cloud-settings).

-### Modernizing Terms of Use Experiences

-**Type:** Plan for Change

-**Service category:** Terms of use

-**Product capability:** AuthZ/Access Delegation

-Starting July 2023, we're modernizing the following Terms of Use end user experiences with an updated PDF viewer, and moving the experiences from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com:

-No functionalities are removed. The new PDF viewer adds functionality and the limited visual changes in the end-user experiences will be communicated in a future update. If your organization has allow-listed only certain domains, you must ensure your allowlist includes the domains ΓÇÿmyaccount.microsoft.comΓÇÖ and ΓÇÿ*.myaccount.microsoft.comΓÇÖ for Terms of Use to continue working as expected.

-* Some applications may use delegated user consent to control access to Microsoft Graph or other resources. As consents by each user aren't controlled by an approval process, consents aren't reviewable in Azure AD. Instead, you can review who is able to connect to the application through Conditional Access policies, that could be based on application role assignments or group memberships.

-Now that you have identified the integration pattern for the application, check the application as represented in Azure AD is ready for review.

-1. In the Azure portal, click **Azure Active Directory**, click **Enterprise Applications**, and check whether your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) in your Azure AD tenant.

-1. In the Azure portal experience for Azure AD, click **Groups**, and then search for and select each group from the list.

-| Azure AD role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal |

-| Azure resource role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal |

-| [SAP SuccessFactors Writeback ](../../active-directory/saas-apps/sap-successfactors-writeback-tutorial.md) | ΓùÅ | ΓùÅ |

-## Run workflow history using the Azure portal

-You're able to retrieve run information of a workflow using Lifecycle Workflows. To check the runs of a workflow using the Azure portal, you would do the following steps:

-## User workflow history using the Azure portal

-To get further information than just the runs summary for a workflow, you're also able to get information about users processed by a workflow. To check the status of users a workflow has processed using the Azure portal, you would do the following steps:

-## Check execution user scope of a workflow using the Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the left navigation, select **Azure Active Directory** and then select **Groups**.

-3. On the top menu, select **New Group** to open the group pane.

-4. In the **Group type** list, select **Security**. Specify a name and description.

-5. Make sure to set the **Membership** type to **Assigned**.

-6. Select the users that should be part of this exclusion group and then select **Create**.

-1. In the left navigation, select **Azure Active Directory** and then select **Conditional Access** to open the **Policies** blade.

-2. Select **New policy** to open the **New** pane.

-3. Specify a name.

-4. Under Assignments select **Users and groups**.

-5. On the **Include** tab, select **All Users**.

-6. On the **Exclude** tab, add a checkmark to **Users and groups** and then

- select **Select excluded users**.

-7. Select the exclusion group you created.

- > [!NOTE]

-8. Continue with setting up the Conditional Access policy based on your organizational requirements.

-> A Global administrator or User administrator role is required to create access reviews.

-2. Will never end in order to make sure you're keeping this exclusion group the most up to date.

-3. All members of this group will be in scope for the review.

-4. Each user will need to self-attest that they still need access from these blocked countries/regions, therefore they still need to be a member of the

-5. If the user doesn't respond to the review request, they'll be automatically removed from the group, and they'll no longer have access to the tenant while traveling to these countries/regions.

-6. Enable email notifications to let users know about the start and completion of the access review.

- 

-1. This review would need to be a recurring review.

-2. Everyone in the group would need to be reviewed.

-3. It could be configured to list the business unit owners as the selected reviewers.

-4. Auto-apply the results and remove users that have not been approved to continue using legacy authentication methods.

-5. It might be beneficial to enable recommendations so reviewers of large groups can easily make their decisions.

-6. Enable mail notifications so users are notified about the start and completion of the access review.

- 

-1. In the Azure portal, open the **Access reviews** blade.

-2. Open the control and program you have created for managing the exclusion group.

-3. Select **Results** to see who was approved to stay on the list and who was removed.

-4. Then select **Audit logs** to see the actions that were taken during this review.

-1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.

-1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.

-## Customize email by using the Azure portal

-When you're customizing an email sent via lifecycle workflows, you can choose to customize either a new task or an existing task. You do these customizations the same way whether the task is new or existing, but the following steps walk you through updating an existing task. To customize emails sent from tasks within workflows by using the Azure portal:

-## Customize the schedule of workflows by using the Azure portal

-## Delete a workflow by using the Azure portal

-## View deleted workflows in the Azure portal

-| Group or application| Global administrator <p>User administrator<p>Identity Governance administrator<p>Privileged Role administrator (only does reviews for Azure AD role-assignable groups)<p>Group owner ([if enabled by an admin]( create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups))| Global administrator<p>Global reader<p>User administrator<p>Identity Governance administrator<p>Privileged Role administrator<p>Security reader<p>Group owner ([if enabled by an admin]( create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups)) |

-* Groups created manually in the Azure portal or via scripting through Microsoft Graph might not necessarily have owners defined. Define them either through the Azure portal in the group's **Owners** section or via Microsoft Graph.

-## Manage guest user lifecycle in the Azure portal

-If you want the users to also be assigned to the access package, you can [directly assign users](entitlement-management-access-package-assignments.md#directly-assign-a-user) to an access package using the Azure portal, or in bulk via Graph or PowerShell. The users will then also receive access to the other resource roles in the access package. However, as those users already have access prior to being added to the access package, when their access package assignment is removed, they remain in the resource role. For example, if a user was a member of a group, and was assigned to an access package that included group membership for that group as a resource role, and then that user's access package assignment was removed, the user would retain their group membership.

-For more information on creating logic app workflows, see [Quickstart: Create an example Consumption workflow in multi-tenant Azure Logic Apps with the Azure portal](../../logic-apps/quickstart-create-example-consumption-workflow.md).

-1. Sign in to the [Microsoft Entra admin center](https://portal.azure.com) as a Global Administrator. Make sure you have access to the resource group containing the Azure Monitor workspace.

-1. In the Azure portal, locate the [Log Analytics workspace](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fworkspaces).

-If you have multiple Log Analytics workspaces in that subscription, then the cmdlet [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) returns the list of workspaces. Then you can find the one that has the Azure AD logs. The `CustomerId` field returned by this cmdlet is the same as the value of the "Workspace ID" displayed in the Azure portal in the Log Analytics workspace overview.

- Sponsors are internal or external users already in your directory that are the point of contact for the relationship with this connected organization. Internal sponsors are member users in your directory. External sponsors are guest users from the connected organization that were previously invited and are already in your directory. Sponsors can be utilized as approvers when users in this connected organization request access to this access package. For information about how to invite a guest user to your directory, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../external-identities/add-users-administrator.md).

-When Azure AD receives a new request, it writes an audit record, in which the **Category** is `EntitlementManagement` and the **Activity** is typically `User requests access package assignment`. In the case of a direct assignment created in the Azure portal, the **Activity** field of the audit record is `Administrator directly assigns user to access package`, and the user performing the assignment is identified by the **ActorUserPrincipalName**.

- 

-## Register an application with secrets in Azure portal

-With Azure, you're able to use [Azure Key Vault](/azure/key-vault/secrets/about-secrets) to store application secrets such as passwords. To register an application with secrets within the Azure portal, follow these steps:

-1. In the Azure portal, in App registrations, select your application.

-1. **Add assignments of existing users, who already have access to the application, to the access packages.** For each access package, assign existing users of the application in that role, or members of that group, to the access package. You can [directly assign a user](entitlement-management-access-package-assignments.md) to an access package using the Azure portal, or in bulk via Graph or PowerShell.

-* An administrator, or a catalog owner, can [retrieve the list of users who have access package assignments](entitlement-management-access-package-assignments.md), via the Azure portal, Graph or PowerShell.

-* You can also send the audit logs to Azure Monitor and view a history of [changes to the access package](entitlement-management-logs-and-reporting.md#view-events-for-an-access-package), in the Azure portal, or via PowerShell.

-* You can view the last 30 days of sign-ins to an application in the [sign-ins report](../reports-monitoring/reference-basic-info-sign-in-logs.md) in the Azure portal, or via [Graph](/graph/api/signin-list?view=graph-rest-1.0&tabs=http&preserve-view=true).

-At regular intervals, such as weekly, monthly or quarterly, based on the volume of application access assignment changes for your application, use the Azure portal to ensure that access is being granted in accordance with the policies. You can also ensure that the identified users for approval and review are still the correct individuals for these tasks.

-1. Check the provisioning log through the [Azure portal](../reports-monitoring/concept-provisioning-logs.md) or [Graph APIs](../app-provisioning/application-provisioning-configuration-api.md#monitor-provisioning-events-using-the-provisioning-logs). Filter the log to the status **Failure**. If there are failures with an ErrorCode of **DuplicateTargetEntries**, this indicates an ambiguity in your provisioning matching rules, and you'll need to update the Azure AD users or the mappings that are used for matching to ensure each Azure AD user matches one application user. Then filter the log to the action **Create** and status **Skipped**. If users were skipped with the SkipReason code of **NotEffectivelyEntitled**, this may indicate that the user accounts in Azure AD were not matched because the user account status was **Disabled**.

-* **Check that Azure AD is already sending its audit log, and optionally other logs, to Azure Monitor.** Azure Monitor is optional, but useful for governing access to apps, as Azure AD only stores audit events for up to 30 days in its audit log. You can keep the audit data for longer than the default retention period, outlined in [How long does Azure AD store reporting data?](../reports-monitoring/reference-reports-data-retention.md), and use Azure Monitor workbooks and custom queries and reports on historical audit data. You can check the Azure AD configuration to see if it's using Azure Monitor, in **Azure Active Directory** in the Azure portal, by clicking on **Workbooks**. If this integration isn't configured, and you have an Azure subscription and are in the `Global Administrator` or `Security Administrator` roles, you can [configure Azure AD to use Azure Monitor](../governance/entitlement-management-logs-and-reporting.md).