-The GitHub Action for deploying Azure AD B2C custom policies uses the secret to acquire an access token that is used to interact with the Microsoft Graph API. For more information, see [Creating encrypted secrets for a repository](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-encrypted-secrets-for-a-repository).

-The workflow you created is triggered by the [push](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push) event. If you prefer, you can choose another event to trigger the workflow, for example a [pull request](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request).

-You can also schedule a workflow to run at specific UTC times using [POSIX cron syntax](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). The schedule event allows you to trigger a workflow at a scheduled time. For more information, see [Scheduled events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#scheduled-events).

-| client-id | client-id |N/A |

-| redirect-uri | redirect-uri | N/A|

-| response-type | response-type | N/A|

-| client-secret | client-secret |N/A |

-| client-id | client-id | N/A|

-| redirect-uri | redirect-uri |N/A |

-| response-type |response-type |N/A |

-1. In the Azure portal, search for and select **Network security groups**.

-1. In the Azure portal, search for and select **Network security groups**.

-1. In the Azure portal, search for and select **Network security groups**.

-1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.

-1. Select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.

-1. In the Azure portal, search for and select **Subscriptions**.

-This article shows you how to change the SKU for an existing Azure AD DS managed domain using the Azure portal.

-To change the SKU for a managed domain using the Azure portal, complete the following steps:

-1. At the top of the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain from the list, such as *aaddscontoso.com*.

- 

- 

-description: Learn how to check the health of an Azure Active Directory Domain Services (Azure AD DS) managed domain and understand status messages using the Azure portal.

-Azure Active Directory Domain Services (Azure AD DS) runs some background tasks to keep the managed domain healthy and up-to-date. These tasks include taking backups, applying security updates, and synchronizing data from Azure AD. If there are issues with the Azure AD DS managed domain, these tasks may not successfully complete. To review and resolve any issues, you can check the health status of a managed domain using the Azure portal.

-The health status for a managed domain is viewed using the Azure portal. Information on the last backup time and synchronization with Azure AD can be seen, along with any alerts that indicate a problem with the managed domain's health. To view the health status for a managed domain, complete the following steps:

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

- 

-* **Azure Active Directory (Azure AD)** - Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Microsoft 365, the Azure portal, or SaaS applications.

-> [To get started, create an Azure AD DS managed domain using the Azure portal][tutorial-create]

-To get started with using Azure AD DS, [create an Azure AD DS managed domain using the Azure portal][tutorial-create].

-A managed domain forest supports up to five one-way outbound forest trusts to on-premises forests. The outbound forest trust for Azure AD Domain Services is created in the Azure portal. You don't manually create the trust with the managed domain itself. The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory.

-## Sign in to the Azure portal

-In this article, you create and configure the outbound forest trust from a managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com* and wait for the status to report as **Running**.

-The on-premises AD DS domain needs an incoming forest trust for the managed domain. This trust must be manually created in the on-premises AD DS domain, it can't be created from the Azure portal.

-1. Choose to create the trust for **This domain only**. In the next step, you create the trust in the Azure portal for the managed domain.

-1. Choose to use **Forest-wide authentication**, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section.

-1. Sign in to your management VM. For steps on how to connect using the Azure portal, see [Connect to a Windows Server VM][connect-windows-server-vm].

-To get started, [enroll in the Azure CSP program](/partner-center/enrolling-in-the-csp-program). You can then enable Azure AD Domain Services using the [Azure portal](tutorial-create-instance.md) or [Azure PowerShell](powershell-create-instance.md).

-description: Learn how to disable, or delete, an Azure Active Directory Domain Services managed domain using the Azure portal

-# Delete an Azure Active Directory Domain Services managed domain using the Azure portal

-This article shows you how to use the Azure portal to delete a managed domain.

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

-1. Sign in to the [Azure portal](https://portal.azure.com) with a user account that has *Enterprise administrator* permissions in Azure AD.

-1. Search for and select **Azure Active Directory** at the top of the portal, then choose **Enterprise applications**.

-With a VM ready to be used as the Azure AD Application Proxy connector, now copy and run the setup file downloaded from the Azure portal.

-1. On the Application proxy page in the Azure portal, the new connector is listed with a status of *Active*, as shown in the following example:

- 

-1. Sign in to the [Azure portal](https://portal.azure.com/) in the User Administrator role for the organization.

-1. Search for and select *Azure Active Directory* from any page.

-1. Select **Users**, and then select **New user**.

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-1. Select the *Hostname/DNS* tab, then enter the IP address(es) of the managed domain into the text box *Name Server 1*. These IP addresses are shown on the *Properties* window in the Azure portal for your managed domain, such as *10.0.2.4* and *10.0.2.5*.

-1. Configure Network Time Protocol (NTP) time synchronization for your managed domain by selecting *NTP Configuration*. Enter the IP addresses of the managed domain. These IP addresses are shown on the *Properties* window in the Azure portal for your managed domain, such as *10.0.2.4* and *10.0.2.5*.

-* [Azure portal](../virtual-machines/linux/quick-create-portal.md)

-## Sign in to the Azure portal

-In this tutorial, you create a Windows Server VM to join to your managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. From the Azure portal menu or from the **Home** page, select **Create a resource**.

- 

- RDP should only be enabled when required, and limited to a set of authorized IP ranges. This configuration helps improve the security of the VM and reduces the area for potential attack. Or, create and use an Azure Bastion host that allows access only through the Azure portal over TLS. In the next step of this tutorial, you use an Azure Bastion host to securely connect to the VM.

- 

- 

- 

-It takes a few minutes to create the VM. The Azure portal shows the status of the deployment. Once the VM is ready, select **Go to resource**.

-

-To securely connect to your VMs, use an Azure Bastion host. With Azure Bastion, a managed host is deployed into your virtual network and provides web-based RDP or SSH connections to VMs. No public IP addresses are required for the VMs, and you don't need to open network security group rules for external remote traffic. You connect to VMs using the Azure portal from your web browser. If needed, [create an Azure Bastion host][azure-bastion].

- 

- 

-1. Sign in to your management VM. For steps on how to connect using the Azure portal, see [Connect to a Windows Server VM][connect-windows-server-vm].

-1. Sign in to your management VM. For steps on how to connect using the Azure portal, see [Connect to a Windows Server VM][connect-windows-server-vm].

-For more information on using virtual private networking, read [Configure a VNet-to-VNet VPN gateway connection by using the Azure portal](../vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal.md).

-Note that the **CorpNetSaw** service tag isn't available by using Azure portal, and the network security group rule for **CorpNetSaw** has to be added by using [PowerShell](powershell-create-instance.md#create-a-network-security-group).

-The health of an Azure Active Directory Domain Services (Azure AD DS) managed domain is monitored by the Azure platform. The health status page in the Azure portal shows any alerts for the managed domain. To make sure issues are responded to in a timely manner, email notifications can be configured to report on health alerts as soon as they're detected in the Azure AD DS managed domain.

-To alert you of issues with a managed domain, you can configure email notifications. These email notifications specify the managed domain that the alert is present on, as well as giving the time of detection and a link to the health page in the Azure portal. You can then follow the provided troubleshooting advice to resolve the issues.

-Azure AD DS sends email notifications for important updates about the managed domain. These notifications are only for urgent issues that impact the service and should be addressed immediately. Each email notification is triggered by an alert on the managed domain. The alerts also appear in the Azure portal and can be viewed on the [Azure AD DS health page][check-health].

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

-### I received an email notification for an alert but when I logged on to the Azure portal there was no alert. What happened?

-If an alert is resolved, the alert is cleared from the Azure portal. The most likely reason is that someone else who receives email notifications resolved the alert on the managed domain, or it was autoresolved by Azure platform.

-If you're unable to access the notification settings page in the Azure portal, you don't have the permissions to edit the managed domain. Contact a global administrator to either get permissions to edit Azure AD DS resource or be removed from the recipient list.

-> [To get started, create an Azure AD DS managed domain using the Azure portal][tutorial-create]

-* **Simplified deployment experience:** Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.

-To get started, [create a managed domain using the Azure portal][tutorial-create].

-The name of each built-in policy definition links to the policy definition in the Azure portal. Use

-It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and can take up to an hour to complete the deployment. In the Azure portal, the **Overview** page for your managed domain shows the current status throughout this deployment stage.

-When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

-It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and can take up to an hour to complete the deployment. In the Azure portal, the **Overview** page for your managed domain shows the current status throughout this deployment stage.

-When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

-This article shows you how to create a managed domain that uses scoped synchronization and then change or disable the set of scoped users using Azure AD PowerShell. You can also [complete these steps using the Azure portal][scoped-sync].

-description: Learn how to use the Azure portal to configure scoped synchronization from Azure AD to an Azure Active Directory Domain Services managed domain

-# Configure scoped synchronization from Azure AD to Azure Active Directory Domain Services using the Azure portal

-This article shows you how to configure scoped synchronization and then change or disable the set of scoped users using the Azure portal. You can also [complete these steps using PowerShell][scoped-sync-powershell].

-To enable scoped synchronization in the Azure portal, complete the following steps:

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-1. In the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-You can archive events into Azure storage and stream events into security information and event management (SIEM) software (or equivalent) using Azure Event Hubs, or do your own analysis and using Azure Log Analytics workspaces from the Azure portal.

-> You need to create the target resource before you enable Azure AD DS security audits. You can create these resources using the Azure portal, Azure PowerShell, or the Azure CLI.

-|Azure Event Hubs| This target should be used when your primary need is to share security audit events with additional software such as data analysis software or security information & event management (SIEM) software.<br /><br />Before you enable Azure AD DS security audit events, [Create an event hub using Azure portal](../event-hubs/event-hubs-create.md)|

-|Azure Log Analytics Workspace| This target should be used when your primary need is to analyze and review secure audits from the Azure portal directly.<br /><br />Before you enable Azure AD DS security audit events, [Create a Log Analytics workspace in the Azure portal.](../azure-monitor/logs/quick-create-workspace.md)|

-## Enable security audit events using the Azure portal

-To enable Azure AD DS security audit events using the Azure portal, complete the following steps.

-1. Sign in to the Azure portal.

-1. At the top of the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-You see an [alert][resolve-alerts] on the Azure AD DS Health page in the Azure portal that notes the domain is suspended. The state of the domain also shows *Suspended*.

-1. In the Azure portal, search for and select **Domain services**.

-This template can be deployed using your preferred deployment method, such as the [Azure portal][portal-deploy], [Azure PowerShell][powershell-deploy], or a CI/CD pipeline. The following example uses the [New-AzResourceGroupDeployment][New-AzResourceGroupDeployment] cmdlet. Specify your own resource group name and template filename:

-It takes a few minutes to create the resource and return control to the PowerShell prompt. The managed domain continues to be provisioned in the background, and can take up to an hour to complete the deployment. In the Azure portal, the **Overview** page for your managed domain shows the current status throughout this deployment stage.

-When the Azure portal shows that the managed domain has finished provisioning, the following tasks need to be completed:

-1. To update the virtual network IP address range, search for and select *Virtual network* in the Azure portal. Select the virtual network for Azure AD DS that incorrectly has a public IP address range set.

-1. In the Azure portal, search for and select **Domain Services**. Choose your managed domain, such as *aaddscontoso.com*.

-1. Read about [Azure role-based access control and how to grant access to applications in the Azure portal](../role-based-access-control/role-assignments-portal.md).

-1. To update the virtual network IP address range, search for and select *Virtual network* in the Azure portal. Select the virtual network for the managed domain that has the small IP address range.

-1. For each of the managed domain's network components in your resource group, such as virtual network, network interface, or public IP address, check the operation logs in the Azure portal. These operation logs should indicate why an operation is failing and where a resource lock is applied.

-1. For each of the managed domain's network components in your resource group, such as virtual network, NIC, or public IP address, check the operation logs in the Azure portal. These operation logs should indicate why an operation is failing and where a restrictive policy is applied.

-1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.

-1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.

-1. Select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.

-## Sign in to the Azure portal

-In this tutorial, you configure secure LDAP for the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the [Azure portal](https://portal.azure.com), enter *domain services* in the **Search resources** box. Select **Azure AD Domain Services** from the search result.

- 

-1. To apply the replacement certificate to Azure AD DS, in the left menu for Azure AD DS in the Azure portal, select **Secure LDAP**, and then select **Change Certificate**.

-1. In the Azure portal, select *Resource groups* on the left-hand side navigation.

-

-description: In this tutorial, you learn how to create and configure an Azure virtual network subnet or network peering for an Azure Active Directory Domain Services managed domain using the Azure portal.

-## Sign in to the Azure portal

-In this tutorial, you create and configure the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, select the resource group of your managed domain, such as *myResourceGroup*. From the list of resources, choose the default virtual network, such as *aadds-vnet*.

- 

- 

- 

- 

-1. In the Azure portal, select the resource group of the peered virtual network, such as *myResourceGroup*. From the list of resources, choose the peered virtual network, such as *myVnet*.

-description: Learn how to create a one-way outbound forest to an on-premises AD DS domain in the Azure portal for Azure AD Domain Services

-## Sign in to the Azure portal

-In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com). You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to modify an Azure AD DS instance.

-The on-premises AD DS domain needs an incoming forest trust for the managed domain. This trust must be manually created in the on-premises AD DS domain, it can't be created from the Azure portal.

-1. Choose to create the trust for **This domain only**. In the next step, you create the trust in the Azure portal for the managed domain.

-1. Choose to use **Forest-wide authentication**, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section.

-To create the outbound trust for the managed domain in the Azure portal, complete the following steps:

-1. In the Azure portal, search for and select **Azure AD Domain Services**, then select your managed domain, such as *aaddscontoso.com*.

- 

-1. In the Azure portal, search for and select **Azure AD Domain Services**, then select your managed domain, such as *aaddscontoso.com*.

-description: In this tutorial, you learn how to create and configure a customized Azure Active Directory Domain Services managed domain and specify advanced configuration options using the Azure portal.

-You can [create a managed domain using default configuration options][tutorial-create-instance] for networking and synchronization, or manually define these settings. This tutorial shows you how to define those advanced configuration options to create and configure an Azure AD DS managed domain using the Azure portal.

-## Sign in to the Azure portal

-In this tutorial, you create and configure the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

-Complete the fields in the *Basics* window of the Azure portal to create a managed domain:

- 

-> If you selected an existing virtual network in the previous steps, any VMs connected to the network only get the new DNS settings after a restart. You can restart VMs using the Azure portal, Azure PowerShell, or the Azure CLI.

-A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. These user accounts aren't synchronized from an on-premises directory.

-description: In this tutorial, you learn how to create and configure an Azure Active Directory Domain Services managed domain using the Azure portal.

-You can create a managed domain using default configuration options for networking and synchronization, or [manually define these settings][tutorial-create-instance-advanced]. This tutorial shows you how to use default options to create and configure an Azure AD DS managed domain using the Azure portal.

-## Sign in to the Azure portal

-In this tutorial, you create and configure the managed domain using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. On the Azure portal menu or from the **Home** page, select **Create a resource**.

-Complete the fields in the *Basics* window of the Azure portal to create a managed domain:

- 

-> If you selected an existing virtual network in the previous steps, any VMs connected to the network only get the new DNS settings after a restart. You can restart VMs using the Azure portal, Azure PowerShell, or the Azure CLI.

-A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. These user accounts aren't synchronized from an on-premises directory.

-## Sign in to the Azure portal

-In this tutorial, you create and configure a management VM using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-1. In the Azure portal, select **Resource groups** on the left-hand side. Choose the resource group where your VM was created, such as *myResourceGroup*, then select the VM, such as *myVM*.

- 

- 

-description: Learn how to create and use replica sets in the Azure portal for service resiliency with Azure AD Domain Services

-## Sign in to the Azure portal

-In this tutorial, you create and manage replica sets using the Azure portal. To get started, first sign in to the [Azure portal](https://portal.azure.com).

-> When you create a replica set in the Azure portal, the network peerings between virtual networks is created for you.

-> If needed, you can create a virtual network and subnet when you add a replica set in the Azure portal. Or, you can choose existing virtual network resources in the destination region for a replica set and let the peerings be created automatically if they don't already exist.

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

- 

- 

-

-1. In the Azure portal, search for and select **Azure AD Domain Services**.

- 

-1. In the Azure portal, select **Azure Active Directory**.

-2. Select **Enterprise applications** and then select your application.

-3. Select **Provisioning** and then on the provisioning page select **Edit provisioning**.

-2. Select **Cross-tenant synchronization** > **Configurations** and then select your configuration.

-3. Select **Provisioning**.

-4. Under **Settings**, select the **Prevent accidental deletions** check box and specify a deletion

-5. Ensure the **Notification Email** address is completed.

-6. Select **Save** to save the changes.

-You can access the provisioning logs in the Azure portal by selecting **Azure Active Directory** &gt; **Enterprise Apps** &gt; **Provisioning logs (preview)** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).

-If you set the **Provisioning Status** to be **On** in the **Azure Active Directory &gt; Enterprise Apps &gt; \[Application Name\] &gt;Provisioning** section of the Azure portal. However no other status details are shown on that page after subsequent reloads, it is likely that the service is running but has not completed an initial cycle yet. Check the **Provisioning logs (preview)** described above to determine what operations the service is performing, and if there are any errors.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the **Azure Active Directory > Enterprise Applications** section of the Azure portal, locate and select your existing SCIM application.

-3. In the **Properties** section of your existing SCIM app, copy the **Object ID**.

-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.

-5. In the Graph Explorer, run the command below to locate the ID of your provisioning job. Replace "[object-id]" with the service principal ID (object ID) copied from the third step.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the **Azure Active Directory > Enterprise Applications > Create application** section of the Azure portal, create a new **Non-gallery** application.

-3. In the **Properties** section of your new custom app, copy the **Object ID**.

-4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.

-5. In the Graph Explorer, run the command below to initialize the provisioning configuration for your app.

-Configuring [automatic user provisioning](user-provisioning.md) for an app (where supported), requires that specific instructions be followed to prepare the application for automatic provisioning. Then you can use the Azure portal to configure the provisioning service to synchronize user accounts to the application.

-If you set the **Provisioning Status** to be **On** in the **Azure Active Directory &gt; Enterprise Apps &gt; \[Application Name\] &gt;Provisioning** section of the Azure portal. However no other status details are shown on that page after subsequent reloads. It is likely that the service is running but has not completed an initial cycle yet. Check the **Provisioning logs** described above to determine what operations the service is performing, and if there are any errors.

-The Azure portal is a convenient way to configure provisioning for individual apps one at a time. But if you're creating severalΓÇöor even hundredsΓÇöof instances of an application, it can be easier to automate app creation and configuration with the Microsoft Graph APIs. This article outlines how to automate provisioning configuration through APIs. This method is commonly used for applications like [Amazon Web Services](../saas-apps/amazon-web-service-tutorial.md#configure-azure-ad-sso).

-Test the connection with the third-party application. The following example is for an application that requires a client secret and secret token. Each application has its own requirements. Applications often use a base address in place of a client secret. To determine what credentials your app requires, go to the provisioning configuration page for your application, and in developer mode, click **test connection**. The network traffic will show the parameters used for credentials. For a full list of credentials, see [synchronizationJob: validateCredentials](/graph/api/synchronization-synchronizationjob-validatecredentials?tabs=http&view=graph-rest-beta&preserve-view=true). Most applications, such as Azure Databricks, rely on a BaseAddress and SecretToken. The BaseAddress is referred to as a tenant URL in the Azure portal.

-In all the above scenarios, the integration is greatly simplified as Azure AD provisioning service takes over the responsibility of performing identity profile comparison, restricting the data sync to scoping logic configured by the IT admin and executing rule-based attribute flow and transformation managed in the Microsoft Entra admin portal.

-To complete the steps in this tutorial, you need access to Microsoft Entra admin portal with the following roles:

-* Global administrator OR

-* Application administrator (if you're configuring inbound user provisioning to Azure AD) OR

-* Application administrator + Hybrid identity administrator (if you're configuring inbound user provisioning to on-premises Active Directory)

-2. Browse to **Azure Active Directory -> Applications -> Enterprise applications**.

-1. Open the provisioning application's **Provisioning** -> **Overview** page.

-1. Download [Postman](https://www.getpostman.com/downloads/) and start the application.

-|Username and password (not recommended or supported by Azure AD)|Easy to implement|Insecure - [Your Pa$$word doesn't matter](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984)|Not supported for new gallery or non-gallery apps.|

-> * Create or update your marketing pages/website (e.g. integration page, partner page, pricing page, etc.) to include the availability of the joint integration. [Example: Pingboard integration Page](https://pingboard.com/org-chart-for), [Smartsheet integration page](https://www.smartsheet.com/marketplace/apps/microsoft-azure-ad), [Monday.com pricing page](https://monday.com/pricing/)

-> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure AD integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/)

-Azure AD features preintegrated support for many popular SaaS apps and human resources systems, and generic support for apps that implement specific parts of the [SCIM 2.0 standard](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/Provisioning-with-SCIM-getting-started/ba-p/880010).

-1. On the Application proxy page in the Azure portal, the new connector is listed with a status of *Active*, as shown in the following example:

- 

-1. After successful installation, go back to the Azure portal.

-description: Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. This tutorial shows you how to prepare your environment for use with Application Proxy. Then, it uses the Azure portal to add an on-premises application to your Azure AD tenant.

-You can use the Azure portal or your Windows server to confirm that a new connector installed correctly.

-### Verify the installation through Azure portal

- | **Name** | The name of the application that appears on My Apps and in the Azure portal. |

-This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure WAF on Application Gateway. In this guide we'll be using the Azure portal. The reference architecture for this deployment is represented below.

-Some steps of the Application Gateway configuration will be omitted in this article. For a detailed guide on how to create and configure an Application Gateway, see [Quickstart: Direct web traffic with Azure Application Gateway - Azure portal][appgw_quick].

-This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure Front Door. In this guide we'll be using the Azure portal. The reference architecture for this deployment is represented below.

- 

-For details on configuring Connectors, see [Enable Application Proxy in the Azure portal](application-proxy-add-on-premises-application.md).

-

-description: How to troubleshoot issues creating Application Proxy applications in the Azure portal

-[Enable Application Proxy in the Azure portal](application-proxy-add-on-premises-application.md)

-To configure SSO, first make sure that your application is configured for Pre-Authentication through Azure Active Directory. To do this configuration, go to **Azure Active Directory** -&gt; **Enterprise Applications** -&gt; **All Applications** -&gt; Your application **-&gt; Application Proxy**. On this page, you see the ΓÇ£Pre AuthenticationΓÇ¥ field, and make sure that is set to ΓÇ£Azure Active Directory.

- 

-## Set the cookie settings - Azure portal

-To set the cookie settings using the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Navigate to **Azure Active Directory**ΓÇ»>ΓÇ»**Enterprise applications**ΓÇ»>ΓÇ»**All applications**.

-3. Select the application for which you want to enable a cookie setting.

-4. Click **Application Proxy**.

-1. In Azure Active Directory, select **Custom domain names** in the left navigation, and then select **Add custom domain**.

-For more detailed instructions, see [Add your custom domain name using the Azure portal](../fundamentals/add-custom-domain.md).

-1. For a new app, in Azure Active Directory, select **Enterprise applications** in the left navigation. Select **New application**. In the **On-premises applications** section, select **Add an on-premises application**.

-10. Follow the instructions at [Manage DNS records and record sets by using the Azure portal](../../dns/dns-operations-recordsets-portal.md) to add a DNS record that redirects the new external URL to the *msappproxy.net* domain in Azure DNS. If a different DNS provider is used, please contact the vendor for the instructions.

-You can set the home page URL either through the Azure portal or by using PowerShell.

-## Change the home page in the Azure portal

-To change the home page URL of your app through the Azure portal, follow these steps:

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-1. Select **Azure Active Directory**, and then **App registrations**. The list of registered apps appears.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-2. Go to **Azure Active Directory** > **Enterprise applications** > **All applications** > select the app you want to manage > **Application proxy**.

-3. Turn **Translate URLs in application body** to **Yes**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Browse to **Azure Active Directory** > **App registrations**. The list of all app registrations appears.

- 

-The required info in the sample code can be found in the Azure portal, as follows:

-| Info required | How to find it in the Azure portal |

-1. In the Azure portal, select **Azure Active Directory > Enterprise applications** and select **New application**.

-1. With the application still open in the Azure portal, select **Application Proxy**. Provide the **Internal URL** for the application. If you're using a custom domain, you also need to upload the TLS/SSL certificate for your application.

-1. With the application still open in the Azure portal, select **Single sign-on**.

-description: Turn on single sign-on for your published on-premises applications with Azure Active Directory Application Proxy in the Azure portal.

-Azure Active Directory Application Proxy helps you improve productivity by publishing on-premises applications so that remote employees can securely access them, too. In the Azure portal, you can also set up single sign-on (SSO) to these apps. Your users only need to authenticate with Azure AD, and they can access your enterprise application without having to sign in again.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-1. Select **Azure Active Directory** > **Enterprise applications** > **All applications**.

-1. The Admin customizes the attribute mappings required by the application in the Azure portal.

- 

- 

- 

-Each Application Proxy connector is assigned to a connector group. All the connectors that belong to the same connector group act as a separate unit for high-availability and load balancing. All connectors belong to a connector group. If you don't create groups, then all your connectors are in a default group. Your admin can create new groups and assign connectors to them in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Enterprise applications** > **Application proxy**.

-You can monitor your connectors from the machine they are running on, using either the event log and performance counters. Or you can view their status from the Application Proxy page of the Azure portal:

- * Before using custom domains in Application Proxy you must create a CNAME record in public DNS, allowing clients to resolve the custom defined external URL to the pre-defined Application Proxy address. Failing to create a CNAME record for an application that uses a custom domain will prevent remote users from connecting to the application. Steps required to add CNAME records can vary from DNS provider to provider, so learn how to [manage DNS records and record sets by using the Azure portal](../../dns/dns-operations-recordsets-portal.md).

-1. Navigate to **Azure Active Directory** > **Enterprise applications** > **All applications** and choose the app you want to manage.

-Azure AD provides additional insights into your organizationΓÇÖs application usage and operational health through [audit logs and reports](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). Application Proxy also makes it very easy to monitor connectors from the Azure portal and Windows Event Logs.

-These logs provide detailed information about logins to applications configured with Application Proxy and the device and the user accessing the application. [Audit logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are located in the Azure portal and in [Audit API](/graph/api/resources/directoryaudit) for export. Additionally, [usage and insights reports](../reports-monitoring/concept-usage-insights-report.md?context=azure/active-directory/manage-apps/context/manage-apps-context) are also available for your application.

-The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Azure portal. For more information about connector maintenance see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).

-1. From the Azure portal, open **Azure Active Directory**

-2. Select the **App Registrations** menu item from the navigation pane

- 

-3. From the *App Registrations* window, select the **All applications** tab option

-4. Navigate to the application with a matching name to your deployed App Proxy application. For example, if you deployed *Sample App 1* as an Enterprise Application, click the **Sample App 1** registration item

-5. From the *Sample App 1* detail page, take note of the *Application (client) ID* and *Directory (tenant) ID* fields. These will be used later.

-6. Select the **API permissions** menu item from the navigation pane

-7. From the *API permissions* page:

-8. Select the **Certificates & secrets** menu item from the navigation pane

-9. From the *Certificates & secrets* page:

-1. Go to **Azure Active Directory** and then **App Registrations**.

-4. Select **Azure Active Directory**, and then **App Registrations**. Choose your app from the list.

-To publish Tableau, you need to publish an application in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator.

-2. Select **Azure Active Directory > Enterprise applications**.

-3. Select **Add** at the top of the blade.

-Your application is now ready to test. Access the external URL you used to publish Tableau, and login as a user assigned to both applications.

-If you already have your apps published but don't remember their external URLs, look them up in the [Azure portal](https://portal.azure.com). Sign in, then navigate to **Azure Active Directory** > **Enterprise applications** > **All applications** > select your app > **Application proxy**.

-Once one member of a team adds the tab, it shows up for everyone in the channel. Any users who have access to the app get single sign-on access with the credentials they use for Microsoft Teams. Any users who don't have access to the app can see the tab in Teams, but are blocked until you give them permissions to the on-premises app and the Azure portal published version of the app.

-1. Sign in to the [Azure portal](https://portal.azure.com/) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.

-1. In left navigation panel, select **Azure Active Directory**.

-1. Under **Manage**, select **Application proxy**.

-1. Next, under **Advanced Settings** and select the drop down under Optimize for a specific region and select the region closest to the connectors.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

-1. Browse to **Azure Active Directory** > **Application proxy** > **Download connector service**. The **Application Proxy Connector Download** page appears.

-There are two actions you need to take in the Azure portal. First, you need to publish your application with Application Proxy. Then, you need to collect some information about the application that you can use during the PingAccess steps.

-1. If you didn't in the previous section, sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

-1. From the **Azure portal**, browse to **Azure Active Directory** > **App registrations**. A list of applications appears.

-1. Select your application.

-1. From the **Azure portal**, browse to **Azure Active Directory** > **App registrations**. A list of applications appears.

-1. Select your application. The **App registrations** page for your application appears.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

-1. Browse to **Azure Active Directory** > **App registrations**. A list of applications appears.

-1. Select your application.

-Those steps help you install PingAccess and set up a PingAccess account (if you don't already have one). Then, to create an Azure AD OpenID Connect (OIDC) connection, you set up a token provider with the **Directory (tenant) ID** value that you copied from the Azure portal. Next, to create a web session on PingAccess, you use the **Application (client) ID** and `PingAccess key` values. After that, you can set up identity mapping and create a virtual host, site, and application.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.

-2. Select **Azure Active Directory** > **Enterprise applications**.

-3. Select **Add** at the top of the blade.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**, then select **Enterprise applications**.

-1. On the Azure Active Directory **Overview** page, select **App registrations**, and at the top of the **App registrations** pane, select **New registration**.

-1. On the Azure Active Directory **Overview** > **App Registrations** page, select the **AppProxyNativeAppSample** app.

-1. Open the application in the portal by going to **Azure Active Directory**, clicking on **Enterprise Applications**, then **All Applications.** Open the application, then select **Application Proxy** from the left menu.

-|Forbidden: This corporate app can't be accessed OR The user could not be authorized. Make sure the user is defined in your on-premises AD and that the user has access to the app in your on-premises AD. | This could be a problem with access to authorization information, see [Some applications and APIs require access to authorization information on account objects]( https://support.microsoft.com/help/331951/some-applications-and-apis-require-access-to-authorization-information). In a nutshell, add the app proxy connector machine account to the "Windows Authorization Access Group" builtin domain group to resolve. |

-| Blue | Applications explicitly published and visible in the Azure portal. |

-Application Proxy is an Azure AD service you configure in the Azure portal. It enables you to publish an external public HTTP/HTTPS URL endpoint in the Azure Cloud, which connects to an internal application server URL in your organization. These on-premises web apps can be integrated with Azure AD to support single sign-on. Users can then access on-premises web apps in the same way they access Microsoft 365 and other SaaS apps.

-2. The admin signs into the Azure portal and runs an executable to install the connector on an on-premises Windows server.

-Each Application Proxy connector is assigned to a [connector group](./application-proxy-connector-groups.md). Connectors in the same connector group act as a single unit for high availability and load balancing. You can create new groups, assign connectors to them in the Azure portal, then assign specific connectors to serve specific applications. It's recommended to have at least two connectors in each connector group for high availability.

-

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-3. Select **New policy**.

-4. Enter a policy a name.

-5. Under **Assignments**, select **Users or workload identities**.

-6. Under **Include**, select **All guests and external users**.

-7. Under **Exclude**, select **Users and groups**.

-8. Select emergency access accounts.

-9. Select **Done**.

-10. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

-11. Under **Exclude**, select applications you want to exclude.

-12. Under **Access controls** > **Grant**, select **Block access**.

-13. Select **Select**.

-14. Select **Enable policy** to **Report-only**.

-15. Select **Create**.

-> You can confirm settings in **report only** mode. See, Configure a Conditional Access policy in repory-only mode, in [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or Global Administrator.

-2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-3. Select **New policy**.

-4. Enter a policy name.

-5. Under **Assignments**, select **Users or workload identities**.

-6. Under **Include**, select **All guests and external users**.

-7. Under **Exclude**, select **Users and groups**

-8. Select emergency access accounts.

-9. Select the external users security group.

-10. Select **Done**.

-11. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

-12. Under **Exclude**, select applications you want to exclude.

-13. Under **Access controls** > **Grant**, select **Block access**.

-14. Select **Select**.

-15. Select **Create**.

-> You can confirm settings in **report only** mode. See, Configure a Conditional Access policy in repory-only mode, in [Conditional Access insights and reporting](../conditional-access/howto-conditional-access-insights-reporting.md).

-* [Configure password based SSO for cloud applications ](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md)

-| [RADIUS authentication]( auth-radius.md)| | | |  |

-The [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items by using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?tabs=http).

-The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing and which applications in your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.

-* [How provisioning works in Azure AD ](../app-provisioning/how-provisioning-works.md)

-* [Managing user account provisioning for enterprise apps in the Azure portal ](../app-provisioning/configure-automatic-user-provisioning-portal.md)

-* [Build a SCIM endpoint and configure user provisioning with Azure AD ](../app-provisioning/use-scim-to-provision-users-and-groups.md)

-No changes in configurations are required in Microsoft Authenticator or the Azure portal to enable FIPS 140 compliance. Beginning with Microsoft Authenticator for iOS version 6.6.8, Azure AD authentications will be FIPS 140 compliant by default.

-To manage the Authentication methods policy in the Azure AD portal, click **Security** > **Authentication methods** > **Policies**.

->Hardware OATH tokens and security questions can only be enabled today by using these legacy policies. In the future, these methods will be available in the Authentication methods policy. If you use hardware OATH tokens, which are currently in preview, you should hold off on migrating OATH tokens and don't complete the migration process. If you're using security questions, and don't want to disable them, make sure to keep them enabled in the legacy SSPR policy until the new control is available in the future.

-Tenants are set to either Pre-migration or Migration in Progress by default, depending on their tenant's current state. At any time, you can change to another option. If you move to Migration Complete, and then choose to roll back to an earlier state, we'll ask why so we can evaluate performance of the product.

-All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).

-Administrators can view user authentication methods in the Azure portal. Usable methods are listed first, followed by non-usable methods.

-Once properly formatted as a CSV file, a Global Administrator can then sign in to the Azure portal, navigate to **Azure Active Directory** > **Security** > **Multifactor authentication** > **OATH tokens**, and upload the resulting CSV file.

-You can check the status of this feature in your own tenant by navigating to the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade), then in the left pane, click **Security** > **MFA** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**.

- * Have an Azure AD administrator unblock the user in the Azure portal.

-

-1. In the Azure portal, browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths**.

-If a user from a federated domain has multifactor authentication settings in scope for Staged Rollout, the user can complete multifactor authentication in the cloud and satisfy any of the **Federated single-factor + something you have** combinations. For more information about staged rollout, see [Enable Staged Rollout using Azure portal](how-to-mfa-server-migration-utility.md#enable-staged-rollout-using-azure-portal).

-## Update certificate user IDs in the Azure portal

-Tenant admins can use the following steps Azure portal to update certificate user IDs for a user account:

-1. In the Azure portal, click **All users (preview)**.

-1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

-1. Search for and select **Azure Active Directory**.

-1. From the left menu, select **Azure AD Connect**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Security** > **Multifactor authentication** > **Additional cloud-based multifactor authentication settings**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as the test user by using CBA. The authentication policy is set where Issuer subject rule satisfies single-factor authentication.

-1. After sign-in was succeeds, click **Azure Active Directory** > **Sign-in logs**.

-1. Sign in to the [Azure portal](https://portal.azure.com) using CBA. Since the policy was set to satisfy multifactor authentication, the user sign-in is successful without a second factor.

-1. Click **Azure Active Directory** > **Sign-ins**.

-Authentication providers can be found in the **Azure portal** > **Azure Active Directory** > **Security** > **MFA** > **Providers**. Click on listed providers to see details and configurations associated with that provider.

-Azure MFA Servers linked to providers will need to be reactivated using credentials generated under **Azure portal** > **Azure Active Directory** > **Security** > **MFA** > **Server settings**. Before reactivating, the following files must be deleted from the `\Program Files\Multi-Factor Authentication Server\Data\` directory on Azure MFA Servers in your environment:

-

-After you confirm that all settings are migrated, you can browse to the **Azure portal** > **Azure Active Directory** > **Security** > **MFA** > **Providers** and select the ellipses **...** and select **Delete**.

-Organizational data is tenant-level information that can expose configuration or environment setup. Tenant settings from the following Azure portal multifactor authentication pages might store organizational data such as lockout thresholds or caller ID information for incoming phone authentication requests:

-For MFA Server, the following Azure portal pages might contain organizational data:

-A user has not set up all required security info and goes to the Azure portal. After the user enters the user name and password, the user is prompted to set up security info. The user then follows the steps shown in the wizard to set up the required security info. If your settings allow it, the user can choose to set up methods other than those shown by default. After users complete the wizard, they review the methods they set up and their default method for multifactor authentication. To complete the setup process, the user confirms the info and continues to the Azure portal.

-To switch the directory in the Azure portal, click the user account name in the upper right corner and click **Switch directory**.

-To unlock admin access to your tenant, you should create emergency access accounts. These emergency access accounts, also known as *break glass* accounts, allow access to manage Azure AD configuration when normal privileged account access procedures arenΓÇÖt available. At least two emergency access accounts should be created following the [emergency access account recommendations]( ../users-groups-roles/directory-emergency-access.md).

-* Azure portal

-![Registration options for SSPR in the Azure portal][Registration]

-![Authentication methods selection in the Azure portal][Authentication]

-Azure AD checks your current hybrid connectivity and provides one of the following messages in the Azure portal:

-You can enable password writeback using the Azure portal. You can also temporarily disable password writeback without having to reconfigure Azure AD Connect.

-* **Supports password writeback when an admin resets them from the Azure portal**: When an admin resets a user's password in the [Azure portal](https://portal.azure.com), if that user is federated or password hash synchronized, the password is written back to on-premises. This functionality is currently not supported in the Office admin portal.

- * Any administrator-initiated end-user password reset from the [Azure portal](https://portal.azure.com).

-## Enable system-preferred MFA in the Azure portal

-1. In the Azure portal, click **Security** > **Authentication methods** > **Settings**.

-1. In the Azure portal, search for and select *Azure Active Directory*.

-1. Select **Company Branding**, then for each locale, choose **Show option to remain signed in**.

-1. In the Azure portal, search for and select *Azure Active Directory*.

-1. Select **Security**, then **MFA**.

-1. In the Azure portal, search for and select *Azure Active Directory*.

-1. Select **Security**, then **Conditional Access**.

-| Verification code from mobile app or hardware token | Third party software OATH tokens<br>Hardware OATH tokens (not yet available)<br>Microsoft Authenticator |

-The Authentication methods policy has granular control with separate controls for each type of OATH token. Use of OTP from Microsoft Authenticator is controlled by the **Allow use of Microsoft Authenticator OTP** control in the **Microsoft Authenticator** section of the policy. Third-party apps are controlled by the **Third party software OATH tokens** section of the policy.

-Another control for **Hardware OATH tokens** is coming soon. If you're using hardware OATH tokens, now in public preview, you should hold off on migrating OATH tokens and don't complete the migration process.

-Email notifications and Azure portal Service Health notifications (portal toasts) were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. If you've already completed the following steps, no action is necessary.

-||[Staged Rollout](#enable-staged-rollout-using-azure-portal) |

-The script will instruct you to grant admin consent to the newly created application. Navigate to the URL provided, or within the Azure portal, click **Application Registrations**, find and select the **MFA Server Migration Utility** app, click on **API permissions** and then granting the appropriate permissions.

-Once you've successfully migrated user data, you can validate the end-user experience using Staged Rollout before making the global tenant change. The following process will allow you to target specific Azure AD group(s) for Staged Rollout for MFA. Staged Rollout tells Azure AD to perform MFA by using Azure AD MFA for users in the targeted groups, rather than sending them on-premises to perform MFA. You can validate and testΓÇöwe recommend using the Azure portal, but if you prefer, you can also use Microsoft Graph.

-#### Enable Staged Rollout using Azure portal

-1. Navigate to the following url: [Enable staged rollout features - Microsoft Azure](https://portal.azure.com/?mfaUIEnabled=true%2F#view/Microsoft_AAD_IAM/StagedRolloutEnablementBladeV2).

-You can remove keys in the Azure portal by navigating to the **Security info** page and removing the FIDO2 security key.

-* SMS-based authentication has reached general availability, and we're working to remove the **(Preview)** label in the Azure portal.

- * This phone number can be assigned in the Azure portal (which is shown in this article), and in *My Staff* or *My Account*.

-Users are now enabled for SMS-based authentication, but their phone number must be associated with the user profile in Azure AD before they can sign-in. The user can [set this phone number themselves](https://support.microsoft.com/account-billing/set-up-sms-sign-in-as-a-phone-verification-method-0aa5b3b3-a716-4ff2-b0d6-31d2bcfbac42) in *My Account*, or you can assign the phone number using the Azure portal. Phone numbers can be set by *global admins*, *authentication admins*, or *privileged authentication admins*.

- Enter the user's phone number, including the country code, such as *+1 xxxxxxxxx*. The Azure portal validates the phone number is in the correct format.

- :::image type="content" source="media/howto-authentication-sms-signin/set-user-phone-number.png" alt-text="Set a phone number for a user in the Azure portal to use with SMS-based authentication":::

-If you receive an error when you try to set a phone number for a user account in the Azure portal, review the following troubleshooting steps:

-1. Make sure you set the phone number with the proper formatting, as validated in the Azure portal (such as *+1 4251234567*).

-This article shows you how to enable and use a Temporary Access Pass in Azure AD using the the [Microsoft Entra admin center](https://entra.microsoft.com).

-1. Enter the Temporary Access Pass that was displayed in the Azure portal.

-1. In the Azure portal, browse to **Users**, select a user, such as *Tap User*, then choose **Authentication methods**.

-In the Azure portal, you configure Conditional Access policies under **Azure Active Directory** > **Security** > **Conditional Access**.

-To learn more about creating Conditional Access policies, see [Conditional Access policy to prompt for Azure AD Multi-Factor Authentication when a user signs in to the Azure portal](tutorial-enable-azure-mfa.md). This helps you to:

-

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-1. Go to **Azure Active Directory** > **Security** > **Multifactor authentication** > **Account lockout**.

- 

-1. In the Azure portal, click **Azure Active Directory** > **Security** > **Authentication Methods** > **Settings**.

-An administrator can sign in to the Azure portal, go to **Azure Active Directory** > **Security** > **Multifactor authentication** > **OATH tokens**, and upload the CSV file.

-Settings for app passwords, trusted IPs, verification options, and remembering multi-factor authentication on trusted devices are available in the service settings. This is a legacy portal. It isn't part of the regular Azure portal.

-You can access service settings from the Azure portal by going to **Azure Active Directory** > **Security** > **Multifactor authentication** > **Getting started** > **Configure** > **Additional cloud-based MFA settings**. A window or tab opens with additional service settings options.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then go to **Security** > **Conditional Access** > **Named locations**.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then go to **Security** > **Conditional Access** > **Named locations**.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then select **Users**.

-1. Select **Per-user MFA**.

-1. Under **multi-factor authentication** at the top of the page, select **service settings**.

-1. On the **service settings** page, under **Trusted IPs**, choose one or both of the following options:

-1. In the Azure portal, search for and select **Azure Active Directory**, and then select **Users**.

-1. Under **multi-factor authentication** at the top of the page, select **service settings**.

-1. On the **service settings** page, under **verification options**, select or clear the appropriate checkboxes.

-1. In the Azure portal, search for and select **Azure Active Directory**, and then select **Users**.

-1. Under **multi-factor authentication** at the top of the page, select **service settings**.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Export.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Account Close to delete all MFA cloud service information collected for this user.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Export.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Account Close to delete all MFA cloud service information collected for this user.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Export.

-Use the [Microsoft Privacy Portal](https://portal.azure.com/#blade/Microsoft_Azure_Policy/UserPrivacyMenuBlade/Overview) to make a request for Account Close to delete all MFA cloud service information collected for this user.

-This article shows you how to view the Azure AD sign-ins report in the Azure portal, and then the MSOnline V1 PowerShell module.

-To view the sign-in activity report in the [Azure portal](https://portal.azure.com), complete the following steps. You can also query data using the [reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**, then choose **Users** from the menu on the left-hand side.

- [](media/howto-mfa-reporting/sign-in-report.png#lightbox)

-description: Describes how to get started with Azure MFA and AD FS 2.0.

-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

-4. In the Edit LDAP Configuration dialog box, populate the fields with the information required to connect to the AD domain controller. Descriptions of the fields are included in the Azure Multi-Factor Authentication Server help file.

-4. Open the registry editor and go to HKEY_LOCAL_MACHINE/SOFTWARE/Wow6432Node/Positive Networks/PhoneFactor on a 64-bit server. If on a 32-bit server, take the "Wow6432Node" out of the path. Create a DWORD registry key called "UsernameCxz_stripPrefixDomain" and set the value to 1. Azure Multi-Factor Authentication is now securing the AD FS proxy.

-Ensure that users have been imported from Active Directory into the Server. See the Trusted IPs section if you would like to allow internal IP addresses so that two-step verification isn't required when signing in to the website from those locations.

-description: Step-by-step get started with Azure MFA Server on-premises

-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

-Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Azure MFA Server. When you install your first Azure MFA Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.

-When a master Azure MFA Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.

-¹If Azure MFA Server fails to activate on an Azure VM that runs Windows Server 2019 or later, try using an earlier version of Windows Server.

-### Azure MFA Server Components

-There are three web components that make up Azure MFA Server:

-* Web Service SDK - Enables communication with the other components and is installed on the Azure MFA application server

-All three components can be installed on the same server if the server is internet-facing. If breaking up the components, the Web Service SDK is installed on the Azure MFA application server and the User portal and Mobile App Web Service are installed on an internet-facing server.

-Follow these steps to download the Azure AD Multi-Factor Authentication Server from the Azure portal:

-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

-2. Search for and select *Azure Active Directory*. Select **Security** > **MFA**.

-3. Under **Manager MFA Server**, select **Server settings**.

- 

-5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Azure MFA Server in the boxes provided and click **Activate**.

-> Only global administrators are able to generate activation credentials in the Azure portal.

-1. In the Azure MFA Server, on the left, select **Users**.

-1. In the Azure MFA Server, on the left, select **Directory Integration**.

-When you use the Multi-Factor Authentication (MFA) Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Azure MFA cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the Multi-Factor Authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are:

-## Back up and restore Azure MFA Server

-To back up Azure MFA Server, ensure that you have a copy of the **C:\Program Files\Multi-Factor Authentication Server\Data** folder including the **PhoneFactor.pfdata** file.

-1. Reinstall Azure MFA Server on a new server.

-2. Activate the new Azure MFA Server.

-Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, Azure Active Directory (Azure AD) Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list.

->In addition, other endpoints are required for Azure portal authentication. For more information, see [Azure portal URLs for proxy bypass](/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-urls-for-proxy-bypass).

- > To make this change, search for and select **Azure Active Directory** in the Azure portal, then select **Devices > Device Settings**. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.

- > To make this change, search for and select **Azure Active Directory** in the Azure portal, then select **Devices > Device Settings**. Set **Require Multi-Factor Auth to join devices** to *No*. Be sure to reconfigure this setting back to *Yes* once registration is complete.

-To enable on-prem Azure AD Password Protection from the Azure portal or configure custom banned passwords, see [Enable on-premises Azure AD Password Protection](howto-password-ban-bad-on-premises-operations.md).

-Now that you've installed the services that you need for Azure AD Password Protection on your on-premises servers, [enable on-prem Azure AD Password Protection in the Azure portal](howto-password-ban-bad-on-premises-operations.md) to complete your deployment.

-To protect your on-premises Active Directory Domain Services (AD DS) environment, you can install and configure Azure AD Password Protection to work with your on-prem DC. This article shows you how to enable Azure AD Password Protection for your on-premises environment.

-1. Sign in to the [Azure portal](https://portal.azure.com) and browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Password protection**.

- [](media/howto-password-ban-bad-on-premises-operations/enable-configure-custom-banned-passwords.png#lightbox)

-To monitor on-prem events, see [Monitoring on-prem Azure AD Password Protection](howto-password-ban-bad-on-premises-monitor.md).

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

-1. Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**.

-

-1. In the **Azure portal**, browse to **Azure Active Directory** > **Security** > **Conditional Access**.

-On the **Authentication methods** page for an Azure AD user in the Azure portal, a Global Administrator can manually set the authentication contact information. You can review existing methods under the *Usable authentication methods* section, or **+Add authentication methods**, as shown in the following example screenshot:

-To make things look more user-friendly, you can change organization name in the portal and in the automated communications. To change the directory name attribute in the Azure portal, browse to **Azure Active Directory** > **Properties**. This friendly organization name option is the most visible in automated emails, as in the following examples:

-While SSPR does not typically create user issues, it is important to prepare support staff to deal with issues that may arise. While an administrator can reset the password for end users through the Azure portal, it is better to help resolve the issue via a self-service support process.

-To enable your support team's success, you can create a FAQ based on questions you receive from your users. Here are a few examples:

-You can use pre-built reports on Azure portal to measure the SSPR performance. If you're appropriately licensed, you can also create custom queries. For more information, see [Reporting options for Azure AD password management](./howto-sspr-reporting.md)

-> You must be [a global administrator](../roles/permissions-reference.md), and you must opt-in for this data to be gathered for your organization. To opt in, you must visit the Reporting tab or the audit logs on the Azure portal at least once. Until then, the data doesn't collect for your organization.

-The following questions can be answered by the reports that exist in the [Azure portal](https://portal.azure.com):

-> You must be [a global administrator](../roles/permissions-reference.md), and you must opt-in for this data to be gathered on behalf of your organization. To opt in, you must visit the **Reporting** tab or the audit logs at least once. Until then, data is not collected for your organization.

-## How to view password management reports in the Azure portal

-In the Azure portal experience, we have improved the way that you can view password reset and password reset registration activity. Use the following the steps to find the password reset and password reset registration events:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Select **All services** in the left pane.

-3. Search for **Azure Active Directory** in the list of services and select it.

-4. Select **Users** from the Manage section.

-## Description of the report columns in the Azure portal

-The following list explains each of the report columns in the Azure portal in detail:

-## Description of the report values in the Azure portal

-The following table describes the different values that are you can set for each column in the Azure portal:

-* [Reset password (by admin)](#activity-type-reset-password-by-admin): Indicates that an administrator performed a password reset on behalf of a user from the Azure portal.

-* [Reset password (self-service)](#activity-type-reset-password-self-service): Indicates that a user successfully reset their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com).

-* [Unlock user account (self-service)](#activity-type-unlock-a-user-account-self-service)): Indicates that a user successfully unlocked their Active Directory account without resetting their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com) by using the Active Directory feature of account unlock without reset.

-* **Activity description**: Indicates that an administrator performed a password reset on behalf of a user from the Azure portal.

-* **Activity description**: Indicates that a user successfully reset their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com).

- See the following table for [all the permissible reset activity status reasons](#description-of-the-report-columns-in-the-azure-portal).

-* **Activity description**: Indicates that a user successfully unlocked their Active Directory account without resetting their password from the [Azure AD password reset portal](https://passwordreset.microsoftonline.com) by using the Active Directory feature of account unlock without reset.

-## Windows 11 and 10 password reset

-To configure a Windows 11 or 10 device for SSPR at the sign-in screen, review the following prerequisites and configuration steps.

-### Windows 11 and 10 prerequisites

-### Enable for Windows 11 and 10 using Microsoft Intune

-### Enable for Windows 11 and 10 using the Registry

-### Troubleshooting Windows 11 and 10 password reset

-## SSPR configuration in the Azure portal

-If you have problems seeing or configuring SSPR options in the Azure portal, review the following troubleshooting steps:

-### I don't see the **Password reset** section under Azure AD in the Azure portal.

-You won't see if **Password reset** menu option if you don't have an Azure AD license assigned to the administrator performing the operation.

-If you have problems with SSPR reporting in the Azure portal, review the following troubleshooting steps:

-You can enable SSPR for all users, no users, or for selected groups of users. Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned.

-In the Azure portal, change the **Self-service password reset enabled** configuration to *Selected* or *All* and then select **Save**.

-Only one Azure AD group can currently be enabled for SSPR using the Azure portal. As part of a wider deployment of SSPR, nested groups are supported. Make sure that the users in the group(s) you choose have the appropriate licenses assigned. Review the previous troubleshooting step to enable SSPR as required.

-Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you retry the SSPR registration process, [contact Microsoft support](#contact-microsoft-support) for additional assistance.

-| The directory isn't enabled for password reset. | In the Azure portal, change the **Self-service password reset enabled** configuration to *Selected* or *All* and then select **Save**. |

-| There's an error processing the request. | Generic SSPR registration errors can be caused by many issues, but generally this error is caused by either a service outage or a configuration issue. If you continue to see this generic error when you re-try the SSPR registration process, [contact Microsoft support](#contact-microsoft-support) for additional assistance. |

-| TenantSSPRFlagDisabled = 9 | We're sorry, you can't reset your password at this time because your administrator has disabled password reset for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to enable this feature.<br /><br />To learn more, see [Help, I forgot my Azure AD password](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e#common-problems-and-their-solutions). | SSPR_0009: We've detected that password reset has not been enabled by your administrator. Please contact your admin and ask them to enable password reset for your organization. |

-| WritebackNotEnabled = 10 |We're sorry, you can't reset your password at this time because your administrator has not enabled a necessary service for your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your organization's configuration.<br /><br />To learn more about this necessary service, see [Configuring password writeback](./tutorial-enable-sspr-writeback.md). | SSPR_0010: We've detected that password writeback has not been enabled. Please contact your admin and ask them to enable password writeback. |

-| SsprNotEnabledInUserPolicy = 11 | We're sorry, you can't reset your password at this time because your administrator has not configured password reset for your organization. There is no further action you can take to resolve this situation. Contact your admin and ask them to configure password reset.<br /><br />To learn more about password reset configuration, see [Quickstart: Azure AD self-service password reset](./tutorial-enable-sspr.md). | SSPR_0011: Your organization has not defined a password reset policy. Please contact your admin and ask them to define a password reset policy. |

-| UserNotLicensed = 12 | We're sorry, you can't reset your password at this time because required licenses are missing from your organization. There is no further action you can take to resolve this situation. Please contact your admin and ask them to check your license assignment.<br /><br />To learn more about licensing, see [Licensing requirements for Azure AD self-service password reset](./concept-sspr-licensing.md). | SSPR_0012: Your organization does not have the required licenses necessary to perform password reset. Please contact your admin and ask them to review the license assignments. |

-| UserNotMemberOfScopedAccessGroup = 13 | We're sorry, you can't reset your password at this time because your administrator has not configured your account to use password reset. There is no further action you can take to resolve this situation. Please contact your admin and ask them to configure your account for password reset.<br /><br />To learn more about account configuration for password reset, see [Roll out password reset for users](./howto-sspr-deployment.md). | SSPR_0013: You are not a member of a group enabled for password reset. Contact your admin and request to be added to the group. |

-| UserNotProperlyConfigured = 14 | We're sorry, you can't reset your password at this time because necessary information is missing from your account. There is no further action you can take to resolve this situation. Please contact you admin and ask them to reset your password for you. After you have access to your account again, you need to register the necessary information.<br /><br />To register information, follow the steps in the [Register for self-service password reset](https://support.microsoft.com/account-billing/register-the-password-reset-verification-method-for-a-work-or-school-account-47a55d4a-05b0-4f67-9a63-f39a43dbe20a) article. | SSPR_0014: Additional security info is needed to reset your password. To proceed, contact your admin and ask them to reset your password. After you have access to your account, you can register additional security info at https://aka.ms/ssprsetup. Your admin can add additional security info to your account by following the steps in [Set and read authentication data for password reset](howto-sspr-authenticationdata.md). |

-| OnPremisesAdminActionRequired = 29 | We're sorry, we can't reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this situation. Please contact your admin and ask them to investigate. <br /><br />Or<br /><br />We cannot reset your password at this time because of a problem with your organization's password reset configuration. There is no further action you can take to resolve this issue. Please contact your admin and ask them to investigate.<br /><br />To learn more about the potential problem, see [Troubleshoot password writeback](troubleshoot-sspr-writeback.md). | SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate. |

-| OnPremisesConnectivityError = 30 | We're sorry, we can't reset your password at this time because of connectivity issues to your organization. There is no action to take right now, but the problem might be resolved if you try again later. If the problem persists, please contact your admin and ask them to investigate.<br /><br />To learn more about connectivity issues, see [Troubleshoot password writeback connectivity](troubleshoot-sspr-writeback.md). | SSPR_0030: We can't reset your password due to a poor connection with your on-premises environment. Contact your admin and ask them to investigate.|

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

-1. Under the **Manage** menu header, select **Authentication methods**, then **Password protection**.

- [  ](media/tutorial-configure-custom-password-protection/enable-configure-custom-banned-passwords.png#lightbox)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

-1. Under the **Manage** menu header, select **Authentication methods**, then **Password protection**.

-In this tutorial, we create a basic Conditional Access policy to prompt for MFA when a user signs in to the Azure portal. In a later tutorial in this series, we configure Azure AD Multi-Factor Authentication by using a risk-based Conditional Access policy.

-1. Sign in to the [Azure portal](https://portal.azure.com) by using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**. Then select **Security** from the menu on the left-hand side.

-1. Select **Conditional Access**, select **+ New policy**, and then select **Create new policy**.

-For this tutorial, configure the Conditional Access policy to require multi-factor authentication when a user signs in to the Azure portal.

-1. Browse the list of available sign-in events that can be used. For this tutorial, select **Microsoft Azure Management** so that the policy applies to sign-in events to the Azure portal. Then choose **Select**.

-In this tutorial, configure the access controls to require multi-factor authentication during a sign-in event to the Azure portal.

-You configured the Conditional Access policy to require additional authentication for the Azure portal. Because of that configuration, you're prompted to use Azure AD Multi-Factor Authentication or to configure a method if you haven't yet done so. Test this new requirement by signing in to the Azure portal:

-1. Open a new browser window in InPrivate or incognito mode and sign in to the [Azure portal](https://portal.azure.com).

-1. Close the browser window, and sign in to the [Azure portal](https://portal.azure.com) again to test the authentication method that you configured. For example, if you configured a mobile app for authentication, you should see a prompt like the following.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, and then select **Security** from the menu on the left-hand side.

-1. Select **Conditional Access**, and then select the policy that you created, such as **MFA Pilot**.

-You can enable Azure AD connect cloud sync provisioning directly in Azure portal or through PowerShell.

-#### Enable password writeback in Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account.

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Check the option for **Enable password write back for synced users** .

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-| End users | Any end-user self-service voluntary change password operation.<br>Any end-user self-service force change password operation, for example, password expiration.<br>Any end-user self-service password reset that originates from the password reset portal. |

-| Administrators | Any administrator self-service voluntary change password operation.<br>Any administrator self-service force change password operation, for example, password expiration.<br>Any administrator self-service password reset that originates from the password reset portal.<br> Any administrator-initiated end-user password reset from the Azure portal.<br>Any administrator-initiated end-user password reset from the Microsoft Graph API. |

-| Admin reset user password | Have two users disconnected domains and forests reset their password from the Azure Admin Portal or Frontline worker portal. You could also have Azure AD Connect and cloud sync side by side and have one user in the scope of cloud sync config and another in scope of Azure AD Connect |

-With password writeback enabled in Azure AD Connect, now configure Azure AD SSPR for writeback. SSPR can be configured to writeback through Azure AD Connect sync agents and Azure AD Connect provisioning agents (cloud sync). When you enable SSPR to use password writeback, users who change or reset their password have that updated password synchronized back to the on-premises AD DS environment as well.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Hybrid Identity Administrator account.

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

-> Currently, you can only enable one Azure AD group for SSPR using the Azure portal. As part of a wider deployment of SSPR, Azure AD supports nested groups.

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* or *authentication policy administrator* permissions.

-1. Search for and select **Azure Active Directory**, then select **Password reset** from the menu on the left side.

- [](media/tutorial-enable-sspr/enable-sspr-for-group.png#lightbox)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**, then select **Password reset** from the menu on the left side.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a global administrator account.

-1. Search for and select **Azure Active Directory**, select **Security**, then under the *Protect* menu heading choose **Identity Protection**.

-1. Select the **MFA registration policy** from the menu on the left-hand side.

- 

- 

- 

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. On the Entra home page, select the **Remediation** tab, and then select the **Permissions** subtab.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

-1. From the Azure Active Directory tile, select **Go to Azure Active Directory**.

-1. Sign in to the Microsoft [Entra admin center](https://entra.microsoft.com/#home).

-1. From the Azure Active Directory tile, select **Go to Azure Active Directory**.

-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

-Ensure you're a *Global Administrator*. Learn more about [Permissions Management roles and permissions](product-roles-permissions.md).

- 

-You can associate the certificate credential with the client application in the Microsoft identity platform through the Azure portal using any of the following methods:

-You can manage [application objects](app-objects-and-service-principals.md#application-object) in the Azure portal through the [App registrations](https://aka.ms/appregistrations) experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings. The application object will only exist in its home directory, even if it's a multi-tenant application supporting service principals in other directories. The application object may include (but not limited to) any of the following:

-You can manage [service principals](app-objects-and-service-principals.md#service-principal-object) in the Azure portal through the [Enterprise Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/) experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory), and one or more service principal objects representing instances of the application in every directory in which it acts.

- 1. In the Azure portal, go to the [User settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings) section under **App registrations**

-You define app roles by using the [Azure portal](https://portal.azure.com) during the [app registration process](quickstart-register-app.md). App roles are defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a `roles` claim for each role that the user or service principal has been granted. This can be used to implement [claim-based authorization](./claims-validation.md). App roles can be assigned [to a user or a group of users](../manage-apps/add-application-portal-assign-users.md). App roles can also be assigned to the service principal for another application, or [to the service principal for a managed identity](../managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md).

-App roles are declared using App roles UI in the Azure portal:

-To create an app role by using the Azure portal's user interface:

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**, and then select the application you want to define app roles in.

-1. Select **App roles**, and then select **Create app role**.

-To assign users and groups to roles by using the Azure portal:

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. In **Azure Active Directory**, select **Enterprise applications** in the left-hand navigation menu.

-Once you've added app roles in your application, you can assign an app role to a client app by using the Azure portal or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments).

-To assign app roles to an application by using the Azure portal:

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. In **Azure Active Directory**, select **App registrations** in the left-hand navigation menu.

-## Set a publisher domain in the Azure portal

-To set a publisher domain for your app by using the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In Azure Active Directory, go to [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908). Search for and select the app you want to configure.

-To delete an application, be listed as an owner of the application or have admin privileges.

-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which the app is registered.

-1. Search and select the **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** and select the application that you want to configure. Once you've selected the app, you see the application's **Overview** page.

-You can view your deleted applications, restore a deleted application, or permanently delete an application using the **App registrations** experience under Azure Active Directory (Azure AD) in the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

-1. Search and select **Azure Active Directory**, select **App registrations**, and then select the **Deleted applications** tab.

-To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be assigned one of **Global administrator**, **Application administrator**, or **Cloud application administrator** directory roles.

-1. Sign in to the [Azure portal](https://portal.azure.com)

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch the tenant in which you want to register an application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **Enterprise Applications** then select **All applications**.

-The redirect URI should be in this format: `msauth.<app.bundle.id>://auth`. Replace `<app.bundle.id>` with your application's bundle ID. Specify the redirect URI in the [Azure portal](https://aka.ms/MobileAppReg).

-For iOS only, to support cert-based authentication, an additional redirect URI needs to be registered in your application and the Azure portal in the following format: `msauth://code/<broker-redirect-uri-in-url-encoded-form>`. For example, `msauth://code/msauth.com.microsoft.mybundleId%3A%2F%2Fauth`

-If you'd like to continue using your existing app registration for your applications, use the Azure portal to update the registration's redirect URIs to the SPA platform. Doing so enables the authorization code flow with PKCE and CORS support for apps that use the registration (you still need to update your application's code to MSAL.js v2.x).

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a> and select your **Azure Active Directory** tenant.

-1. In **App registrations**, select your application, and then **Authentication**.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of these fields.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of the various fields.

-Set the `redirect_uri` property on config to a simple page, that does not require authentication. You have to make sure that it matches with the `redirect_uri` registered in Azure portal. This will not affect user's login experience as MSAL saves the start page when user begins the login process and redirects back to the exact location after login is completed.

-Before initializing an application, you first need to [register it with the Azure portal](scenario-spa-app-registration.md), establishing a trust relationship between your application and the Microsoft identity platform.

-After registering your app, you'll need some or all of the following values that can be found in the Azure portal.

-Initialize the MSAL.js authentication context by instantiating a [PublicClientApplication][msal-js-publicclientapplication] with a [Configuration][msal-js-configuration] object. The minimum required configuration property is the `clientID` of the application, shown as **Application (client) ID** on the **Overview** page of the app registration in the Azure portal.

-Initialize the MSAL 1.x authentication context by instantiating a UserAgentApplication with a configuration object. The minimum required configuration property is the `clientID` of your application, shown as **Application (client) ID** on the **Overview** page of the app registration in the Azure portal.

-If you have a Xamarin Android app currently using the Azure Active Directory Authentication Library for .NET (ADAL.NET) and an [authentication broker](msal-android-single-sign-on.md), it's time to migrate to the [Microsoft Authentication Library for .NET ](msal-overview.md) (MSAL.NET).

-For more information about Android-specific considerations when using MSAL.NET with Xamarin, see [Configuration requirements and troubleshooting tips for Xamarin Android with MSAL.NET](msal-net-xamarin-android-considerations.md).

-When accessing the Microsoft Graph, the managed identity needs to have proper permissions for the operation it wants to perform. Currently, there's no option to assign such permissions through the Azure portal. The following script will add the requested Microsoft Graph API permissions to the managed identity service principal object.

-After executing the script, you can verify in the [Azure portal](https://portal.azure.com) that the requested API permissions are assigned to the managed identity.

-Go to **Azure Active Directory**, and then select **Enterprise applications**. This pane displays all the service principals in your tenant. In **Managed Identities**, select the service principal for the managed identity.

-In the [Azure portal](https://portal.azure.com) menu, select **Azure Active Directory** or search for and select **Azure Active Directory** from any page.

-*AzureAd* specifies the configuration for the Microsoft.Identity.Web library. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** from the portal menu and then select **App registrations**. Select the app registration created when you enabled the App Service authentication/authorization module. (The app registration should have the same name as your web app.) You can find the tenant ID and client ID in the app registration overview page. The domain name can be found in the Azure AD overview page for your tenant.

- "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",

- "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",

- "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory** > **App registrations**, and then select your client application (*not* your web API).

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory** > **App registrations**, and then select your client application.

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. Select **Azure Active Directory** > **App registrations**, and then select your client application.

-1. Go to the [Azure portal page for app registration](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/DotNetCoreDaemonQuickstartPage/sourceType/docs).

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. In *appsettings.json*, replace the values of `Tenant`, `ClientId`, and `ClientSecret`. The value for the application (client) ID and the directory (tenant) ID, can be found in the app's **Overview** page on the Azure portal.

-For a global tenant administrator, go to **Enterprise applications** in the Azure portal. Select the app registration, and select **Permissions** from the **Security** section of the left pane. Then select the large button labeled **Grant admin consent for {Tenant Name}** (where **{Tenant Name}** is the name of the directory).

- | `ClientSecret` | The client secret created for the application in the Azure portal. |

- | `ClientId` | The application (client) ID for the application registered in the Azure portal. This value can be found on the app's **Overview** page in the Azure portal. |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-> To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal. To generate a new key, go to **Certificates & secrets** page.

-If you're a global tenant administrator, go to **API Permissions** page in **App registrations** in the Azure portal and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).

-| `config["secret"]` | Is the client secret created for the application in Azure portal. |

-| `config["client_id"]` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |

-| `config["scope"]` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations** in the Azure portal.|

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/UwpQuickstartPage/sourceType/docs) quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

- You can find the **Application (client) ID** on the app's **Overview** pane in the Azure portal (**Azure Active Directory** > **App registrations** > *{Your app registration}*).

-The value of `ClientId` is the **Application (client) ID** of the app you registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/WinDesktopQuickstartPage/sourceType/docs)quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

- To find the value of **Application (client) ID**, go to the app's **Overview** page in the Azure portal.

- To find the values of **Directory (tenant) ID** and **Supported account types**, go to the app's **Overview** page in the Azure portal.

-| `ClientId` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |

-See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of these fields.

-See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of the various fields.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of these fields.

-> See [Understand the Android MSAL configuration file ](msal-configuration.md) for an explanation of the various fields.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. In *appsettings.json*, replace the values of `ClientId`, and `TenantId`. The value for the application (client) ID and the directory (tenant) ID, can be found in the app's **Overview** page on the Azure portal.

-| `ClientId` | Application (client) ID of the application registered in the Azure portal. |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.

-1. Find and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. Go to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) portal.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

- - `Enter_the_Application_Id_here` is the application (client) ID of the app registration that you created earlier. Find the application (client) ID on the app's **Overview** page in **App registrations** in the Azure portal.

- - If your application supports **My organization only**, replace this value with the directory (tenant) ID or tenant name (for example, `contoso.onmicrosoft.com`). Find the directory (tenant) ID on the app's **Overview** page in **App registrations** in the Azure portal.

- - `redirectUri` is the **Redirect URI** you entered earlier in **App registrations** in the Azure portal.

-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations**.

-1. Select **New registration**.

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.

-1. Under **Manage**, select **App registrations** > **New registration**.

-Follow these steps to register your application in the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.

-1. Navigate to the portal's [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page, and select **New registration**.

-The Microsoft identity platform uses the cloud service's **Metadata URI** to retrieve the signing key and the logout URI. This way the Microsoft identity platform can send the response to the correct URL. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>;

-# [.NET (low level) ](#tab/dotnet)

-Specify the redirect URI for your app by [configuring the platform settings](quickstart-register-app.md#add-a-redirect-uri) for the app in **App registrations** in the Azure portal.

- 1. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, select your app in **App registrations**, and then select **Authentication**.

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. In the Azure portal, select the app registration you created earlier in [Create the app registration](#create-the-app-registration).

-1. In the Azure portal, select the app registration you created earlier in [Create the app registration](#create-the-app-registration).

-When all your production single-page applications represented by an app registration are using MSAL.js 2.0 and the authorization code flow, uncheck the implicit grant settings on the app registration's **Authentication** pane in the Azure portal. Applications using MSAL.js 1.x and the implicit flow can continue to function, however, if you leave the implicit flow enabled (checked).

-To interact with the Microsoft identity platform, Azure Active Directory (Azure AD) must be made aware of the application you create. This tutorial shows you how to register a single-page application (SPA) in a tenant on the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations > New registration**.

-1. Replace the following values with the values from the Azure portal.

-1. Replace the following values with the values from the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

-1. Go to **Users**.

-ROPC is a public client flow, so you need to enable your app for public client flows. From your app registration in the [Azure portal](https://portal.azure.com), go to **Authentication** > **Advanced settings** > **Allow public client flows**. Set the toggle to **Yes**.

-From your app registration in the [Azure portal](https://portal.azure.com), go to **API Permissions** > **Add a permission**. Add the permissions you need to call the APIs you'll be using. A test example further in this article uses the `https://graph.microsoft.com/User.Read` and `https://graph.microsoft.com/User.ReadBasic.All` permissions.

-If you plan on testing your app in the same tenant you registered it in and you are an administrator in that tenant, you can consent to the permissions from the [Azure portal](https://portal.azure.com). In your app registration in the Azure portal, go to **API Permissions** and select the **Grant admin consent for <your_tenant_name>** button next to the **Add a permission** button and then **Yes** to confirm.

-If you do not plan on testing your app in the same tenant you registered it in, or you are not an administrator in your tenant, you cannot consent to the permissions from the [Azure portal](https://portal.azure.com). You can still consent to some permissions, however, by triggering a sign-in prompt in a web browser.

-In your app registration in the [Azure portal](https://portal.azure.com), go to **Authentication** > **Platform configurations** > **Add a platform** > **Web**. Add the redirect URI "https://localhost" and select **Configure**.

-1. Sign in to the [Azure portal](https://portal.azure.com) to access your tenant. Select **Azure Active Directory**. Select **Security** in the left navigation pane and then select **Conditional Access**.

-Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain.

-The Microsoft Graph API requires the *user.read* scope to read a user's profile. By default, this scope is automatically added in every application that's registered in the Azure portal. Other APIs for Microsoft Graph, as well as custom APIs for your back-end server, might require additional scopes. For example, the Microsoft Graph API requires the *Mail.Read* scope in order to list the user's email.

-> * Register the application in the Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to **Azure Active Directory**.

-1. On the left panel, under **Manage**, select **App registrations**. Then, on the top menu bar, select **New registration**.

-To customize the information returned by the identity platform during authentication and authorization, use [claims mapping]( active-directory-claims-mapping.md) and [optional claims]( active-directory-optional-claims.md) to modify security token configuration.

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-| `client_id` | Required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-To use app roles (application permissions) with your own API (as opposed to Microsoft Graph), you must first [expose the app roles](./howto-add-app-roles-in-apps.md) in the API's app registration in the Azure portal. Then, [configure the required app roles](./howto-add-app-roles-in-apps.md#assign-app-roles-to-applications) by selecting those permissions in your client application's app registration. If you haven't exposed any app roles in your API's app registration, you won't be able to specify application permissions to that API in your client application's app registration in the Azure portal.

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned:

-| `client_id` | required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |

-| `client_id` | Required | The application (client) ID that [the Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page has assigned to your app. |

-| `client_secret` | Required | The client secret that you generated for your app in the Azure portal - App registrations page. The Basic auth pattern of instead providing credentials in the Authorization header, per [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) is also supported. |

-| `client_id` | Required | The application (client) ID that [the Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page has assigned to your app. |

-| client_id |required | The app ID assigned to the calling service during registration with Azure AD. To find the app ID in the Azure portal, select **Active Directory**, choose the directory, and then select the application name. |

-1. Sign in to the [Azure portal](https://portal.azure.com) and select **Azure Active Directory** > **App registrations** > *\<your application\>* > **Authentication**.

-To find the OIDC configuration document in the Azure portal, sign in to the [Azure portal](https://portal.azure.com) and then:

-1. Select **Azure Active Directory** > **App registrations** > *\<your application\>* > **Endpoints**.

-| `client_id` | Required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |

-Knowing about OAuth or OpenID Connect (OIDC) at the protocol level isn't required to use the Microsoft identity platform. However, you'll encounter protocol terms and concepts as you use the identity platform to add authentication to your apps. As you work with the Azure portal, our documentation, and authentication libraries, knowing some fundamentals can assist your integration and overall experience.

-To find the endpoints for an application you've registered, in the [Azure portal](https://portal.azure.com) navigate to:

-1. Sign in to the [app registration page of the portal](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) (Please note that we are using the v2.0 endpoints for Graph API and hence need to register the application in Azure portal. Otherwise we could have used the registrations in Azure AD).

-1. Sign in to the [Azure portal](https://portal.azure.com) with an account that has Global Administrator, Intune Administrator, or User Administrator role permissions.

-1. Select **Azure Active Directory** > **Groups**, and then select **New group**.

-[Customize your sign-in branding](../fundamentals/add-custom-domain.md)

-7. Complete one of the following set of steps:

- - *If the guest user isn't currently in the directory:*

-

- a. On the **Add members** page, type the user's full email address in the search box, type a **Personal message** (optional), and then choose **Invite** to send an invitation.

-

- b. Choose **Select**.

-

- c. Now add the user to the group: On the **Members** page, choose **Add members**. Type the user's name or email address in the search box, choose the user in the results, and then choose **Select**.

-8. Complete one of the following set of steps:

- - *If the guest user isn't currently in the directory:*

-

- a. On the **Users** page, type the user's full email address in the search box, type a **Personal message** (optional), and then choose **Invite**.

-

- b. Choose **Select**.

-

- c. Now add the invited user to the application: On the **Add Assignment** page, choose the link under **Users**. Type the invited user's name or email address in the search box, choose the user in the results, and then choose **Select**.

-

- d. On the **Add Assignment** page, choose **Assign**.

-### To select the layout of the attribute collection page (optional)

-You can choose the order in which the attributes are displayed on the sign-up page.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).

-1. Browse to **Identity** > **External Identities** > **User flows**.

-1. From the list, select your user flow.

-1. Under **Customize**, select **Page layouts**.

- The attributes you chose to collect are listed. You can change the attribute label, type, and whether itΓÇÖs required. You can also change the order of display by selecting an attribute, and then select **Move up**, **Move down**, **Move to the top**, or **Move to the bottom**.

- :::image type="content" source="media/how-to-user-flow-sign-up-sign-in-customers/page-layouts.png" alt-text="Screenshot of page layout options for a user flow.":::

-1. Select **Save**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

-2. Under **Azure services**, select **Azure Active Directory**.

-3. In the left menu, select **External Identities**.

-4. Select **User flows**.

-3. Select the user flow that you want to enable for translations.

-4. Select **Languages**.

-5. On the **Languages** page for the user flow, select the language that you want to customize.

-6. Expand **Attribute collection page**.

-7. Select **Download defaults** (or **Download overrides** if you've previously edited this language).

- 

-To communicate the multicloud, multiplatform functionality of the products, alleviate confusion with Windows Server Active Directory, and unify the [Microsoft Entra](/entra) product family, we're renaming Azure Active Directory (Azure AD) to Microsoft Entra ID.

-If you're using Azure AD today or are currently deploying Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations will continue to function as they do today without any action from you.

-Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô will continue to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra).

-## Guide to Azure AD name changes and exceptions

-We encourage content creators, organizations with internal documentation for IT or identity security admins, developers of Azure AD-enabled apps, independent software vendors, or partners of Microsoft to update your experiences and use the new name by the end of 2023. We recommend changing the name in customer-facing experiences, prioritizing highly visible surfaces.

-Microsoft Entra ID is the new name for Azure AD. Please replace the product names Azure Active Directory, Azure AD, and AAD with Microsoft Entra ID.

-Please change the Azure AD product icon in your experiences. The Azure AD icons are now at end-of-life.

-You can download the new Microsoft Entra ID icon here: [Microsoft Entra architecture icons](../architecture/architecture-icons.md)

-Capabilities or services formerly known as "Azure Active Directory &lt;feature name&gt;" or "Azure AD &lt;feature name&gt;" will be branded as Microsoft Entra product family features. This is done across our portfolio to avoid naming length and complexity, and because many features work across all the products. For example:

-See the [Glossary of updated terminology](#glossary-of-updated-terminology) later in this article for more examples.

-### Exceptions and clarifications to the Azure AD name change

-Names aren't changing for Active Directory, developer tools, Azure AD B2C, nor deprecated or retired functionality, features, or services.

-Don't rename the following features, functionality, or services.

-#### Azure AD renaming exceptions and clarifications

-| Authentication library <br/><br/>&#8226; Azure AD Authentication Library (ADAL) <br/>&#8226; Microsoft Authentication Library (MSAL) | Azure Active Directory Authentication Library (ADAL) is deprecated. While existing apps that use ADAL will continue to work, Microsoft will no longer release security fixes on ADAL. Migrate applications to the Microsoft Authentication Library (MSAL) to avoid putting your app's security at risk. <br/><br/>[Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) - Provides security tokens from the Microsoft identity platform to authenticate users and access secured web APIs to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. |

-| B2C <br/><br/>&#8226; Azure Active Directory B2C <br/>&#8226; Azure AD B2C | [Azure Active Directory B2C](/azure/active-directory-b2c) isn't being renamed. Microsoft Entra External ID for customers is Microsoft's new customer identity and access management (CIAM) solution. |

-| Graph <br/><br/>&#8226; Azure Active Directory Graph <br/>&#8226; Azure AD Graph <br/>&#8226; Microsoft Graph | Azure Active Directory (Azure AD) Graph is deprecated. Going forward, we will make no further investment in Azure AD Graph, and Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.<br/><br/>[Microsoft Graph](/graph) - Grants programmatic access to organization, user, and application data stored in Microsoft Entra ID. |

-| Microsoft identity platform | The Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts. |

-## Glossary of updated terminology

-Features of the identity and network access products are attributed to Microsoft EntraΓÇöthe product family, not the individual product name.

-You're not required to use the Microsoft Entra attribution with features. Only use if needed to clarify whether you're talking about a concept versus the feature in a specific product, or when comparing a Microsoft Entra feature with a competing feature.

-Only official product names are capitalized, plus Conditional Access and My * apps.

-| **Category** | **Old terminology** | **Correct name as of July 2023** |

-|-||-|

-| **Microsoft Entra product family** | Microsoft Azure Active Directory<br/> Azure Active Directory<br/> Azure Active Directory (Azure AD)<br/> Azure AD<br/> AAD | Microsoft Entra ID<br/> (Second use: Microsoft Entra ID is preferred, ID is acceptable in product/UI experiences, ME-ID if abbreviation is necessary) |

-| | Azure Active Directory External Identities<br/> Azure AD External Identities | Microsoft Entra External ID<br/> (Second use: External ID) |

-| | Azure Active Directory Identity Governance<br/> Azure AD Identity Governance<br/> Microsoft Entra Identity Governance | Microsoft Entra ID Governance<br/> (Second use: ID Governance) |

-| | *New* | Microsoft Entra Internet Access<br/> (Second use: Internet Access) |

-| | Cloud Knox | Microsoft Entra Permissions Management<br/> (Second use: Permissions Management) |

-| | *New* | Microsoft Entra Private Access<br/> (Second use: Private Access) |

-| | Azure Active Directory Verifiable Credentials<br/> Azure AD Verifiable Credentials | Microsoft Entra Verified ID<br/> (Second use: Verified ID) |

-| | Azure Active Directory Workload Identities<br/> Azure AD Workload Identities | Microsoft Entra Workload ID<br/> (Second use: Workload ID) |

-| | Azure Active Directory Domain Services<br/> Azure AD Domain Services | Microsoft Entra Domain Services<br/> (Second use: Domain Services) |

-| **Microsoft Entra ID SKUs** | Azure Active Directory Premium P1 | Microsoft Entra ID P1 |

-| | Azure Active Directory Premium P1 for faculty | Microsoft Entra ID P1 for faculty |

-| | Azure Active Directory Premium P1 for students | Microsoft Entra ID P1 for students |

-| | Azure Active Directory Premium P1 for government | Microsoft Entra ID P1 for government |

-| | Azure Active Directory Premium P2 | Microsoft Entra ID P2 |

-| | Azure Active Directory Premium P2 for faculty | Microsoft Entra ID P2 for faculty |

-| | Azure Active Directory Premium P2 for students | Microsoft Entra ID P2 for students |

-| | Azure Active Directory Premium P2 for government | Microsoft Entra ID P2 for government |

-| | Azure Active Directory Premium F2 | Microsoft Entra ID F2 |

-| **Microsoft Entra ID service plans** | Azure Active Directory Free | Microsoft Entra ID Free |

-| | Azure Active Directory Premium P1 | Microsoft Entra ID P1 |

-| | Azure Active Directory Premium P2 | Microsoft Entra ID P2 |

-| | Azure Active Directory for education | Microsoft Entra ID for education |

-| **Features and functionality** | Azure AD access token authentication<br/> Azure Active Directory access token authentication | Microsoft Entra access token authenticationΓÇ»|

-| | Azure AD account<br/> Azure Active Directory account | Microsoft Entra account<br/><br/> This terminology is only used with IT admins and developers. End users authenticate with a work or school account. |

-| | Azure AD activity logs | Microsoft Entra activity logs |

-| | Azure AD admin<br/> Azure Active Directory admin | Microsoft Entra admin |

-| | Azure AD admin center<br/> Azure Active Directory admin center | Replace with Microsoft Entra admin center and update link to entra.microsoft.com |

-| | Azure AD application proxy<br/> Azure Active Directory application proxy | Microsoft Entra application proxy |

-| | Azure AD audit log | Microsoft Entra audit log |

-| | Azure AD authentication<br/> authenticate with an Azure AD identity<br/> authenticate with Azure AD<br/> authentication to Azure AD | Microsoft Entra authentication<br/> authenticate with a Microsoft Entra identity<br/> authenticate with Microsoft Entra<br/> authentication to Microsoft Entra<br/><br/> This terminology is only used with administrators. End users authenticate with a work or school account. |

-| | Azure AD B2B<br/> Azure Active Directory B2B | Microsoft Entra B2B |

-| | Azure AD built-in roles<br/> Azure Active Directory built-in roles | Microsoft Entra built-in roles |

-| | Azure AD Conditional Access<br/> Azure Active Directory Conditional Access | Microsoft Entra Conditional Access<br/> (Second use: Conditional Access) |

-| | Azure AD cloud-only identities<br/> Azure Active Directory cloud-only identities | Microsoft Entra cloud-only identities |

-| | Azure AD Connect<br/> Azure Active Directory Connect | Microsoft Entra Connect |

-| | Azure AD Connect Sync<br/> Azure Active Directory Connect Sync | Microsoft Entra Connect Sync |

-| | Azure AD domain<br/> Azure Active Directory domain | Microsoft Entra domain |

-| | Azure AD Domain Services<br/> Azure Active Directory Domain Services | Microsoft Entra Domain Services |

-| | Azure AD enterprise application<br/> Azure Active Directory enterprise application | Microsoft Entra enterprise application |

-| | Azure AD federation services<br/> Azure Active Directory federation services | Active Directory Federation Services |

-| | Azure AD groups<br/> Azure Active Directory groups | Microsoft Entra groups |

-| | Azure AD hybrid identities<br/> Azure Active Directory hybrid identities | Microsoft Entra hybrid identities |

-| | Azure AD identities<br/> Azure Active Directory identities | Microsoft Entra identities |

-| | Azure AD identity protection<br/> Azure Active Directory identity protection | Microsoft Entra ID Protection |

-| | Azure AD integrated authentication<br/> Azure Active Directory integrated authentication | Microsoft Entra integrated authentication |

-| | Azure AD join<br/> Azure AD joined<br/> Azure Active Directory join<br/> Azure Active Directory joined | Microsoft Entra join<br/> Microsoft Entra joined |

-| | Azure AD login<br/> Azure Active Directory login | Microsoft Entra login |

-| | Azure AD managed identities<br/> Azure Active Directory managed identities | Microsoft Entra managed identities |

-| | Azure AD multifactor authentication (MFA)<br/> Azure Active Directory multifactor authentication (MFA) | Microsoft Entra multifactor authentication (MFA)<br/> (Second use: MFA) |

-| | Azure AD OAuth and OpenID Connect<br/> Azure Active Directory OAuth and OpenID Connect | Microsoft Entra ID OAuth and OpenID Connect |

-| | Azure AD object<br/> Azure Active Directory object | Microsoft Entra object |

-| | Azure Active Directory-only authentication<br/> Azure AD-only authentication | Microsoft Entra-only authentication |

-| | Azure AD pass-through authentication (PTA)<br/> Azure Active Directory pass-through authentication (PTA) | Microsoft Entra pass-through authentication |

-| | Azure AD password authentication<br/> Azure Active Directory password authentication | Microsoft Entra password authentication |

-| | Azure AD password hash synchronization (PHS)<br/> Azure Active Directory password hash synchronization (PHS) | Microsoft Entra password hash synchronization |

-| | Azure AD password protection<br/> Azure Active Directory password protection | Microsoft Entra password protection |

-| | Azure AD principal ID<br/> Azure Active Directory principal ID | Microsoft Entra principal ID |

-| | Azure AD Privileged Identity Management (PIM)<br/> Azure Active Directory Privileged Identity Management (PIM) | Microsoft Entra Privileged Identity Management (PIM) |

-| | Azure AD registered<br/> Azure Active Directory registered | Microsoft Entra registered |

-| | Azure AD reporting and monitoring<br/> Azure Active Directory reporting and monitoring | Microsoft Entra reporting and monitoring |

-| | Azure AD role<br/> Azure Active Directory role | Microsoft Entra role |

-| | Azure AD schema<br/> Azure Active Directory schema | Microsoft Entra schema |

-| | Azure AD Seamless single sign-on (SSO)<br/> Azure Active Directory Seamless single sign-on (SSO) | Microsoft Entra seamless single sign-on (SSO)<br/> (Second use: SSO) |

-| | Azure AD self-service password reset (SSPR)<br/> Azure Active Directory self-service password reset (SSPR) | Microsoft Entra self-service password reset (SSPR) |

-| | Azure AD service principal<br/> Azure Active Directory service principal | Microsoft Entra service principal |

-| | Azure AD tenant<br/> Azure Active Directory tenant | Microsoft Entra tenant |

-| | Create a user in Azure AD<br/> Create a user in Azure Active Directory | Create a user in Microsoft Entra |

-| | Federated with Azure AD<br/> Federated with Azure Active Directory | Federated with Microsoft Entra |

-| | Hybrid Azure AD Join<br/> Hybrid Azure AD Joined | Microsoft Entra hybrid join<br/> Microsoft Entra hybrid joined |

-| | Managed identities in Azure AD for Azure SQL | Managed identities in Microsoft Entra for Azure SQL |

-| **Acronym usage** | AAD | ME-ID<br/><br/> Note that this isn't an official abbreviation for the product but may be used in code or when absolute shortest form is required. |

-See the [Glossary of updated terminology](#glossary-of-updated-terminology) for more examples.

-Customers currently using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription will continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>.

-Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô will continue to be available within Microsoft 365 enterprise and business premium offers. Office 365 was renamed Microsoft 365 in 2022. Unique capabilities in the Azure AD for Office 365 apps (such as company branding and self-service sign-in activity search) will now be available to all Microsoft customers in Microsoft Entra ID Free.

-In addition to the capabilities they already have, Microsoft 365 E5 customers will also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra P2, currently known as Azure AD Premium P2.

-Microsoft identity platform encompasses all our identity and access developer assets. It will continue to provide the resources to help you build applications that your users and customers can sign in to using their Microsoft identities or social accounts.

-We'd like your help spreading the word about the name change and implementing it in your own experiences. If you're a content creator, author of internal documentation for IT or identity security admins, developer of Azure ADΓÇôenabled apps, independent software vendor, or Microsoft partner, we hope you use the naming guidance outlined in the ([Glossary of updated terminology](#glossary-of-updated-terminology)) to make the name change in your content and product experiences by the end of 2023.

-| August 29, 2023 | <br/>&#8226; In the [glossary](#glossary-of-updated-terminology), corrected the entry for "Azure AD activity logs" to separate "Azure AD audit log", which is a distinct type of activity log. <br/>&#8226; Added Azure AD Sync and DirSync to the [Azure AD renaming exceptions and clarifications](#azure-ad-renaming-exceptions-and-clarifications) section. |

-

-## April 2022

-### General Availability - Entitlement management separation of duties checks for incompatible access packages

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Identity Governance

-In Azure AD entitlement management, an administrator can now configure the incompatible access packages and groups of an access package in the Azure portal. This prevents a user who already has one of those incompatible access rights from being able to request further access. For more information, see: [Configure separation of duties checks for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-incompatible.md).

-### General Availability - Microsoft Defender for Endpoint Signal in Identity Protection

-**Type:** New feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-

-Identity Protection now integrates a signal from Microsoft Defender for Endpoint (MDE) that will protect against PRT theft detection. To learn more, see: [What is risk? Azure AD Identity Protection](../identity-protection/concept-identity-protection-risks.md).

-

-### General Availability - Entitlement management 3 stages of approval

-**Type:** Changed feature

-**Service category:** Other

-**Product capability:** Entitlement Management

-

-This update extends the Azure AD entitlement management access package policy to allow a third approval stage. This is able to be configured via the Azure portal or Microsoft Graph. For more information, see: [Change approval and requestor information settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md).

-

-### General Availability - Improvements to Azure AD Smart Lockout

-**Type:** Changed feature

-**Service category:** Identity Protection

-**Product capability:** User Management

-

-With a recent improvement, Smart Lockout now synchronizes the lockout state across Azure AD data centers, so the total number of failed sign-in attempts allowed before an account is locked out will match the configured lockout threshold. For more information, see: [Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md).

-

-### Public Preview - Integration of Microsoft 365 App Certification details into Azure Active Directory UX and Consent Experiences

-**Type:** New feature

-**Service category:** User Access Management

-**Product capability:** AuthZ/Access Delegation

-Microsoft 365 Certification status for an app is now available in Azure AD consent UX, and custom app consent policies. The status will later be displayed in several other Identity-owned interfaces such as enterprise apps. For more information, see: [Understanding Azure AD application consent experiences](../develop/application-consent-experience.md).

-### Public preview - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels

-**Type:** New feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: [Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews (preview)](../governance/create-access-review.md#include-b2b-direct-connect-users-and-teams-accessing-teams-shared-channels-in-access-reviews).

-### Public Preview - New MS Graph APIs to configure federated settings when federated with Azure AD

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Identity Security & Protection

-We're announcing the public preview of following MS Graph APIs and PowerShell cmdlets for configuring federated settings when federated with Azure AD:

-|Action |MS Graph API |PowerShell cmdlet |

-||||

-|Get federation settings for a federated domain | [Get internalDomainFederation](/graph/api/internaldomainfederation-get?view=graph-rest-beta&preserve-view=true) | [Get-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-|Create federation settings for a federated domain | [Create internalDomainFederation](/graph/api/domain-post-federationconfiguration?view=graph-rest-beta&preserve-view=true) | [New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-|Remove federation settings for a federated domain | [Delete internalDomainFederation](/graph/api/internaldomainfederation-delete?view=graph-rest-beta&preserve-view=true) | [Remove-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/remove-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-|Update federation settings for a federated domain | [Update internalDomainFederation](/graph/api/internaldomainfederation-update?view=graph-rest-beta&preserve-view=true) | [Update-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomainfederationconfiguration?view=graph-powershell-beta&preserve-view=true) |

-For more information, see [internalDomainFederation resource type - Microsoft Graph beta](/graph/api/resources/internaldomainfederation?view=graph-rest-beta&preserve-view=true).

-### Public Preview ΓÇô Ability to force reauthentication on Intune enrollment, risky sign-ins, and risky users

-**Type:** New feature

-**Service category:** RBAC role

-**Product capability:** AuthZ/Access Delegation

-Added functionality to session controls allowing admins to reauthenticate a user on every sign-in if a user or particular sign-in event is deemed risky, or when enrolling a device in Intune. For more information, see [Configure authentication session management with conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).

-### Public Preview ΓÇô Protect against by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD

-**Type:** New feature

-**Service category:** MS Graph

-**Product capability:** Identity Security & Protection

-We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true).

-We highly recommend enabling this new protection when using Azure AD Multi-Factor Authentication as your multi factor authentication for your federated users. To learn more about the protection and how to enable it, visit [Enable protection to prevent by-passing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#enable-protection-to-prevent-by-passing-of-cloud-azure-ad-multi-factor-authentication-when-federated-with-azure-ad).

-### New Federated Apps available in Azure AD Application gallery - April 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** Third Party Integration

-In April 2022 we added the following 24 new applications in our App gallery with Federation support:

-[X-1FBO](https://www.x1fbo.com/), [select Armor](https://app.clickarmor.c)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

-### General Availability - Customer data storage for Japan customers in Japanese data centers

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** GoLocal

-From April 15, 2022, Microsoft began storing Azure ADΓÇÖs Customer Data for new tenants with a Japan billing address within the Japanese data centers. For more information, see: [Customer data storage for Japan customers in Azure Active Directory](./data-storage-japan.md).

-### Public Preview - New provisioning connectors in the Azure AD Application Gallery - April 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** Third Party Integration

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md)

-Recently we [announced](../fundamentals/whats-new.md#modernizing-terms-of-use-experiences) the modernization of terms of use end-user experiences as part of ongoing service improvements. As previously communicated the end user experiences will be updated with a new PDF viewer and are moving from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com.

-## March 2023

-### Public Preview - New provisioning connectors in the Azure AD Application Gallery - March 2023

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-### General Availability - Workload identity Federation for Managed Identities

-**Type:** New feature

-**Service category:** Managed identities for Azure resources

-**Product capability:** Developer Experience

-Workload Identity Federation enables developers to use managed identities for their software workloads running anywhere and access Azure resources without needing secrets. Key scenarios include:

-For more information, see:

-### Public Preview - New My Groups Experience

-**Type:** Changed feature

-**Service category:** Group Management

-**Product capability:** End User Experiences

-A new and improved My Groups experience is now available at `https://www.myaccount.microsoft.com/groups`. My Groups enables end users to easily manage groups, such as finding groups to join, managing groups they own, and managing existing group memberships. Based on customer feedback, the new My Groups support sorting and filtering on lists of groups and group members, a full list of group members in large groups, and an actionable overview page for membership requests.

-This experience replaces the existing My Groups experience at `https://www.mygroups.microsoft.com` in May.

-For more information, see: [Update your Groups info in the My Apps portal](https://support.microsoft.com/account-billing/update-your-groups-info-in-the-my-apps-portal-bc0ca998-6d3a-42ac-acb8-e900fb1174a4).

-### Public preview - Customize tokens with Custom Claims Providers

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** Extensibility

-A custom claims provider lets you call an API and map custom claims into the token during the authentication flow. The API call is made after the user has completed all their authentication challenges, and a token is about to be issued to the app. For more information, see: [Custom authentication extensions (preview)](../develop/custom-claims-provider-overview.md).

-### General Availability - Converged Authentication Methods

-**Type:** New feature

-**Service category:** MFA

-**Product capability:** User Authentication

-The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy, migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in your tenant. For more information, see: [Manage authentication methods](../authentication/concept-authentication-methods-manage.md).

-### General Availability - Provisioning Insights Workbook

-**Type:** New feature

-**Service category:** Provisioning

-**Product capability:** Monitoring & Reporting

-This new workbook makes it easier to investigate and gain insights into your provisioning workflows in a given tenant. This includes HR-driven provisioning, cloud sync, app provisioning, and cross-tenant sync.

-Some key questions this workbook can help answer are:

-For more information, see: [Provisioning insights workbook](../app-provisioning/provisioning-workbook.md).

-### General Availability - Number Matching for Microsoft Authenticator notifications

-**Type:** Plan for Change

-**Service category:** Microsoft Authenticator App

-**Product capability:** User Authentication

-Microsoft Authenticator appΓÇÖs number matching feature has been Generally Available since Nov 2022! If you haven't already used the rollout controls (via Azure portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We previously announced that we'll remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we'll extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8, 2023. We'll also remove the rollout controls for number matching after that date.

-If customers donΓÇÖt enable number match for all Microsoft Authenticator push notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-ins while the services are rolling out this change. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

-For more information, see: [How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy](../authentication/how-to-mfa-number-match.md)

-### Public Preview - IPv6 coming to Azure AD

-**Type:** Plan for Change

-**Service category:** Identity Protection

-**Product capability:** Platform

-Earlier, we announced our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD), enabling our customers to reach the Azure AD services over IPv4, IPv6 or dual stack endpoints. This is just a reminder that we have started introducing IPv6 support into Azure AD services in a phased approach in late March 2023.

-

-If you utilize Conditional Access or Identity Protection, and have IPv6 enabled on any of your devices, you likely must take action to avoid impacting your users. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to deprioritize IPv4 in any Azure AD features or services. We continue to share additional guidance on IPv6 enablement in Azure AD at this link: [IPv6 support in Azure Active Directory](/troubleshoot/azure/active-directory/azure-ad-ipv6-support).

-### General Availability - Microsoft cloud settings for Azure AD B2B

-**Type:** New feature

-**Service category:** B2B

-**Product capability:** B2B/B2C

-Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:

-For more information about Microsoft cloud settings for B2B collaboration, see [Microsoft cloud settings](../external-identities/cross-tenant-access-overview.md#microsoft-cloud-settings).

-### Modernizing Terms of Use Experiences

-**Type:** Plan for Change

-**Service category:** Terms of use

-**Product capability:** AuthZ/Access Delegation

-Starting July 2023, we're modernizing the following Terms of Use end user experiences with an updated PDF viewer, and moving the experiences from https://account.activedirectory.windowsazure.com to https://myaccount.microsoft.com:

-No functionalities are removed. The new PDF viewer adds functionality and the limited visual changes in the end-user experiences will be communicated in a future update. If your organization has allow-listed only certain domains, you must ensure your allowlist includes the domains ΓÇÿmyaccount.microsoft.comΓÇÖ and ΓÇÿ*.myaccount.microsoft.comΓÇÖ for Terms of Use to continue working as expected.

-* Some applications may use delegated user consent to control access to Microsoft Graph or other resources. As consents by each user aren't controlled by an approval process, consents aren't reviewable in Azure AD. Instead, you can review who is able to connect to the application through Conditional Access policies, that could be based on application role assignments or group memberships.

-Now that you have identified the integration pattern for the application, check the application as represented in Azure AD is ready for review.

-1. In the Azure portal, click **Azure Active Directory**, click **Enterprise Applications**, and check whether your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) in your Azure AD tenant.

-1. In the Azure portal experience for Azure AD, click **Groups**, and then search for and select each group from the list.

-| Azure AD role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal |

-| Azure resource role | Specified reviewers</br>Self-review | [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/governance/toc.json) | Azure portal |

-| [SAP SuccessFactors Writeback ](../../active-directory/saas-apps/sap-successfactors-writeback-tutorial.md) | ΓùÅ | ΓùÅ |

-## Run workflow history using the Azure portal

-You're able to retrieve run information of a workflow using Lifecycle Workflows. To check the runs of a workflow using the Azure portal, you would do the following steps:

-## User workflow history using the Azure portal

-To get further information than just the runs summary for a workflow, you're also able to get information about users processed by a workflow. To check the status of users a workflow has processed using the Azure portal, you would do the following steps:

-## Check execution user scope of a workflow using the Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. In the left navigation, select **Azure Active Directory** and then select **Groups**.

-3. On the top menu, select **New Group** to open the group pane.

-4. In the **Group type** list, select **Security**. Specify a name and description.

-5. Make sure to set the **Membership** type to **Assigned**.

-6. Select the users that should be part of this exclusion group and then select **Create**.

-1. In the left navigation, select **Azure Active Directory** and then select **Conditional Access** to open the **Policies** blade.

-2. Select **New policy** to open the **New** pane.

-3. Specify a name.

-4. Under Assignments select **Users and groups**.

-5. On the **Include** tab, select **All Users**.

-6. On the **Exclude** tab, add a checkmark to **Users and groups** and then

- select **Select excluded users**.

-7. Select the exclusion group you created.

- > [!NOTE]

-8. Continue with setting up the Conditional Access policy based on your organizational requirements.

-> A Global administrator or User administrator role is required to create access reviews.

-2. Will never end in order to make sure you're keeping this exclusion group the most up to date.

-3. All members of this group will be in scope for the review.

-4. Each user will need to self-attest that they still need access from these blocked countries/regions, therefore they still need to be a member of the

-5. If the user doesn't respond to the review request, they'll be automatically removed from the group, and they'll no longer have access to the tenant while traveling to these countries/regions.

-6. Enable email notifications to let users know about the start and completion of the access review.

- 

-1. This review would need to be a recurring review.

-2. Everyone in the group would need to be reviewed.

-3. It could be configured to list the business unit owners as the selected reviewers.

-4. Auto-apply the results and remove users that have not been approved to continue using legacy authentication methods.

-5. It might be beneficial to enable recommendations so reviewers of large groups can easily make their decisions.

-6. Enable mail notifications so users are notified about the start and completion of the access review.

- 

-1. In the Azure portal, open the **Access reviews** blade.

-2. Open the control and program you have created for managing the exclusion group.

-3. Select **Results** to see who was approved to stay on the list and who was removed.

-4. Then select **Audit logs** to see the actions that were taken during this review.

-1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.

-1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.

-## Customize email by using the Azure portal

-When you're customizing an email sent via lifecycle workflows, you can choose to customize either a new task or an existing task. You do these customizations the same way whether the task is new or existing, but the following steps walk you through updating an existing task. To customize emails sent from tasks within workflows by using the Azure portal:

-## Customize the schedule of workflows by using the Azure portal

-## Delete a workflow by using the Azure portal

-## View deleted workflows in the Azure portal

-| Group or application| Global administrator <p>User administrator<p>Identity Governance administrator<p>Privileged Role administrator (only does reviews for Azure AD role-assignable groups)<p>Group owner ([if enabled by an admin]( create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups))| Global administrator<p>Global reader<p>User administrator<p>Identity Governance administrator<p>Privileged Role administrator<p>Security reader<p>Group owner ([if enabled by an admin]( create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups)) |

-* Groups created manually in the Azure portal or via scripting through Microsoft Graph might not necessarily have owners defined. Define them either through the Azure portal in the group's **Owners** section or via Microsoft Graph.

-## Manage guest user lifecycle in the Azure portal

-If you want the users to also be assigned to the access package, you can [directly assign users](entitlement-management-access-package-assignments.md#directly-assign-a-user) to an access package using the Azure portal, or in bulk via Graph or PowerShell. The users will then also receive access to the other resource roles in the access package. However, as those users already have access prior to being added to the access package, when their access package assignment is removed, they remain in the resource role. For example, if a user was a member of a group, and was assigned to an access package that included group membership for that group as a resource role, and then that user's access package assignment was removed, the user would retain their group membership.

-For more information on creating logic app workflows, see [Quickstart: Create an example Consumption workflow in multi-tenant Azure Logic Apps with the Azure portal](../../logic-apps/quickstart-create-example-consumption-workflow.md).

-1. Sign in to the [Microsoft Entra admin center](https://portal.azure.com) as a Global Administrator. Make sure you have access to the resource group containing the Azure Monitor workspace.

-1. In the Azure portal, locate the [Log Analytics workspace](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fworkspaces).

-If you have multiple Log Analytics workspaces in that subscription, then the cmdlet [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) returns the list of workspaces. Then you can find the one that has the Azure AD logs. The `CustomerId` field returned by this cmdlet is the same as the value of the "Workspace ID" displayed in the Azure portal in the Log Analytics workspace overview.

- Sponsors are internal or external users already in your directory that are the point of contact for the relationship with this connected organization. Internal sponsors are member users in your directory. External sponsors are guest users from the connected organization that were previously invited and are already in your directory. Sponsors can be utilized as approvers when users in this connected organization request access to this access package. For information about how to invite a guest user to your directory, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../external-identities/add-users-administrator.md).

-When Azure AD receives a new request, it writes an audit record, in which the **Category** is `EntitlementManagement` and the **Activity** is typically `User requests access package assignment`. In the case of a direct assignment created in the Azure portal, the **Activity** field of the audit record is `Administrator directly assigns user to access package`, and the user performing the assignment is identified by the **ActorUserPrincipalName**.

- 

-## Register an application with secrets in Azure portal

-With Azure, you're able to use [Azure Key Vault](/azure/key-vault/secrets/about-secrets) to store application secrets such as passwords. To register an application with secrets within the Azure portal, follow these steps:

-1. In the Azure portal, in App registrations, select your application.

-1. **Add assignments of existing users, who already have access to the application, to the access packages.** For each access package, assign existing users of the application in that role, or members of that group, to the access package. You can [directly assign a user](entitlement-management-access-package-assignments.md) to an access package using the Azure portal, or in bulk via Graph or PowerShell.

-* An administrator, or a catalog owner, can [retrieve the list of users who have access package assignments](entitlement-management-access-package-assignments.md), via the Azure portal, Graph or PowerShell.

-* You can also send the audit logs to Azure Monitor and view a history of [changes to the access package](entitlement-management-logs-and-reporting.md#view-events-for-an-access-package), in the Azure portal, or via PowerShell.

-* You can view the last 30 days of sign-ins to an application in the [sign-ins report](../reports-monitoring/reference-basic-info-sign-in-logs.md) in the Azure portal, or via [Graph](/graph/api/signin-list?view=graph-rest-1.0&tabs=http&preserve-view=true).

-At regular intervals, such as weekly, monthly or quarterly, based on the volume of application access assignment changes for your application, use the Azure portal to ensure that access is being granted in accordance with the policies. You can also ensure that the identified users for approval and review are still the correct individuals for these tasks.

-1. Check the provisioning log through the [Azure portal](../reports-monitoring/concept-provisioning-logs.md) or [Graph APIs](../app-provisioning/application-provisioning-configuration-api.md#monitor-provisioning-events-using-the-provisioning-logs). Filter the log to the status **Failure**. If there are failures with an ErrorCode of **DuplicateTargetEntries**, this indicates an ambiguity in your provisioning matching rules, and you'll need to update the Azure AD users or the mappings that are used for matching to ensure each Azure AD user matches one application user. Then filter the log to the action **Create** and status **Skipped**. If users were skipped with the SkipReason code of **NotEffectivelyEntitled**, this may indicate that the user accounts in Azure AD were not matched because the user account status was **Disabled**.

-* **Check that Azure AD is already sending its audit log, and optionally other logs, to Azure Monitor.** Azure Monitor is optional, but useful for governing access to apps, as Azure AD only stores audit events for up to 30 days in its audit log. You can keep the audit data for longer than the default retention period, outlined in [How long does Azure AD store reporting data?](../reports-monitoring/reference-reports-data-retention.md), and use Azure Monitor workbooks and custom queries and reports on historical audit data. You can check the Azure AD configuration to see if it's using Azure Monitor, in **Azure Active Directory** in the Azure portal, by clicking on **Workbooks**. If this integration isn't configured, and you have an Azure subscription and are in the `Global Administrator` or `Security Administrator` roles, you can [configure Azure AD to use Azure Monitor](../governance/entitlement-management-logs-and-reporting.md).

-1. Sign in to the [Azure portal](https://portal.azure.com). Make sure you have access to the subscription or resource group where the Azure Automation account will be located.

-1. In the Azure portal, browse to **Azure Active Directory** > **App registrations**.

-Check out the [Getting started tab](https://portal.azure.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted) of **Identity Governance** in the Azure portal to start using entitlement management, access reviews, Privileged Identity Management, and Terms of use, and see some common use cases.

-If you have any feedback about Identity Governance features, click **Got feedback?** in the Azure portal to submit your feedback. The team regularly reviews your feedback.

-### Example license scenarios for PIM

-> Creating a custom task extension and logic app through the Azure portal will automate most of these steps. For a guide on creating a custom task extension this way, see: [Trigger Logic Apps based on custom task extensions](trigger-custom-task.md).

-For a complete guide on getting user processed summary information, see: [User workflow history using the Azure portal](check-status-workflow.md#user-workflow-history-using-the-azure-portal).

-For a complete guide on getting runs information, see: [Run workflow history using the Azure portal](check-status-workflow.md#run-workflow-history-using-the-azure-portal)

-In this section is each specific task, and detailed information such as parameters and prerequisites, required for them to run successfully. The parameters are noted as they appear both in the Azure portal, and within Microsoft Graph. For information about editing Lifecycle Workflow tasks in general, see: [Manage workflow Versions](manage-workflow-tasks.md).

-Lifecycle Workflows allow you to automate the sending of welcome emails to new hires in your organization. You're able to customize the task name and description for this task in the Azure portal.

-Lifecycle Workflows allow you to automate the sending of onboarding reminder emails to managers of new hires in your organization. You're able to customize the task name and description for this task in the Azure portal.

-With this task in the Azure portal, you're able to give the task a name and description. You must also set:

-Allows cloud-only user accounts to be enabled. Users with Azure AD role assignments aren't supported, nor are users with membership or ownership of role-assignable groups. You can utilize Azure Active Directory's HR driven provisioning to on-premises Active Directory to disable and enable synchronized accounts with an attribute mapping to `accountDisabled` based on data from your HR source. For more information, see: [Workday Configure attribute mappings](../saas-apps/workday-inbound-tutorial.md#part-4-configure-attribute-mappings) and [SuccessFactors Configure attribute mappings](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md#part-4-configure-attribute-mappings). You're able to customize the task name and description for this task in the Azure portal.

-Workflows can be configured to launch a custom task extension. You're able to customize the task name and description for this task using the Azure portal.

-Allows cloud-only user accounts to be disabled. Users with Azure AD role assignments aren't supported, nor are users with membership or ownership of role-assignable groups. You can utilize Azure Active Directory's HR driven provisioning to on-premises Active Directory to disable and enable synchronized accounts with an attribute mapping to `accountDisabled` based on data from your HR source. For more information, see: [Workday Configure attribute mappings](../saas-apps/workday-inbound-tutorial.md#part-4-configure-attribute-mappings) and [SuccessFactors Configure attribute mappings](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md#part-4-configure-attribute-mappings). You're able to customize the task name and description for this task in the Azure portal.

-You're able to customize the task name and description for this task in the Azure portal.

-You're able to customize the task name and description for this task in the Azure portal.

-Allows a user to be removed from one or multiple static teams. You're able to customize the task name and description for this task in the Azure portal.

-Allows users to be removed from every static team they're a member of. You're able to customize the task name and description for this task in the Azure portal.

-You're able to customize the task name and description for this task in the Azure portal. You also need to select the access package for which you want to remove the assignment.

-You're able to customize the task name and description for this task in the Azure portal.

-You're able to customize the task name and description for this task in the Azure portal.

-You're able to customize the task name and description for this task in the Azure portal.

-Allows cloud-only user accounts to be deleted. Users with Azure AD role assignments aren't supported, nor are users with membership or ownership of role-assignable groups. You're able to customize the task name and description for this task in the Azure portal.

-Allows an email to be sent to a user's manager before their last day. You're able to customize the task name and the description for this task in the Azure portal.

-Allows an email to be sent to a user's manager on their last day. You're able to customize the task name and the description for this task in the Azure portal.

-Allows an email containing off-boarding information to be sent to the user's manager after their last day. You're able to customize the task name and description for this task in the Azure portal.

-For a complete guide on creating a new workflow from a template, see: [Tutorial: On-boarding users to your organization using Lifecycle workflows with Azure portal](tutorial-onboard-custom-workflow-portal.md).

-You'll find these corresponding parameters in the Azure portal under the **Properties** section of the workflow you're updating.

-For a step by step guide on updating these properties using both the Azure portal and the API via Microsoft Graph, see: [Manage workflow properties](manage-workflow-properties.md).

-While new versions of these workflows are made as soon as you make the updates in the Azure portal, creating a new version of a workflow using the API with Microsoft Graph requires running the createNewVersion method. For a step by step guide for updating either tasks, or execution conditions, see: [Manage Workflow Versions](manage-workflow-tasks.md).

-Details contained in version information as shown in the Azure portal:

-5. Remove guest access for guests who were denied, didn't complete the review, or didn't previously accept their invitation. If some of the guests are contacts who were selected to participate in the review or they didn't previously accept an invitation, you can disable their accounts by using the Azure portal or PowerShell. If the guest no longer needs access and isn't a contact, you can remove their user object from your directory by using the Azure portal or PowerShell to delete the guest user object.

-> Earlier versions of the Azure portal didn't permit administrative access by users with the UserType of Guest. In some cases, an administrator in your directory might have changed a guest's UserType value to Member by using PowerShell. If this change previously occurred in your directory, the previous query might not include all guest users who historically had administrative access rights. In this case, you need to either change the guest's UserType or manually include the guest in the group membership.

->The following PowerShell script is provided to quickly create the two users required for this tutorial. These users can also be created manually by signing in to the Azure portal as a global administrator and creating them.

- 1. Open a Windows PowerShell command prompt, with Administrative privileges, from a machine that has access to the Azure portal.

-2. Navigate to the saved PowerShell script location and run it.

-3. If prompted select **Yes to all** when installing the Azure AD module.

-4. When prompted, sign in to the Azure portal with a global administrator for your Azure AD tenant.

-There are some additional steps that you should be aware of when testing either the [On-boarding users to your organization using Lifecycle workflows with Azure portal](tutorial-onboard-custom-workflow-portal.md) tutorial or the [On-boarding users to your organization using Lifecycle workflows with Microsoft Graph](tutorial-onboard-custom-workflow-graph.md) tutorial.

-### Edit the users attributes using the Azure portal

-Some of the attributes required for the pre-hire onboarding tutorial are exposed through the Azure portal and can be set there.

- 1. Sign in to the [Azure portal](https://portal.azure.com).

- 2. On the right, select **Azure Active Directory**.

- 3. Select **Users**.

- 4. Select **Melva Prince**.

- 5. At the top, select **Edit**.

- 6. Under manager, select **Change** and Select **Britta Simon**.

- 7. At the top, select **Save**.

- 8. Go back to users and select **Britta Simon**.

- 9. At the top, select **Edit**.

- 10. Under **Email**, enter a valid email address.

- 11. Select **Save**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. On the right, select **Azure Active Directory**.

-3. Select **Users**.

-4. Select **Melva Prince**.

-5. Select the copy sign next to the **Object ID**.

-6. Now navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

-7. Sign-in to Graph Explorer with the global administrator account for your tenant.

-8. At the top, change **GET** to **PATCH** and add `https://graph.microsoft.com/v1.0/users/<id>` to the box. Replace `<id>` with the value we copied before.

-9. Copy the following in to the **Request body** and select **Run query**

-10. Verify the change by changing **PATCH** back to **GET** and **v1.0** to **beta**. Select **Run query**. You should see the attributes for Melva set.

-2. Make sure the top is still set to **PUT** and `https://graph.microsoft.com/v1.0/users/<id>/manager/$ref` is in the box. Change `<id>` to the ID of Melva Prince.

-3. Copy the code below in to the **Request body**

-4. Replace `<managerid>` in the following code with the value of Britta Simons ID.

-5. Select **Run query**

-6. Now, we can verify that the manager has been set correctly by changing the **PUT** to **GET**.

-7. Make sure `https://graph.microsoft.com/v1.0/users/<id>/manager/` is in the box. The `<id>` is still that of Melva Prince.

-8. Select **Run query**. You should see Britta Simon returned in the Response.

-In this scenario, we use this feature of Azure AD to generate a temporary access pass for our new employee. It is then mailed to the employee's manager.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator and select **Azure Active Directory** > **Security** > **Authentication methods** > **Temporary Access Pass**

-2. Select **Yes** to enable the policy and add Britta Simon and select which users have the policy applied, and any **General** settings.

-There are some additional steps that you should be aware of when testing either the Off-boarding users from your organization using Lifecycle workflows with Azure portal tutorial or the Off-boarding users from your organization using Lifecycle workflows with Microsoft Graph tutorial.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 4. Under **Configuration**, select your configuration.

- 5. Select **View default properties**.

- 6. Click the pencil next to **Basics**

- 5. On the right, fill in the following information.

-|Azure AD Global Administrator account|Used to create the Azure AD Connector account and to configure Azure AD. You can view Global Administrator and Hybrid Identity Administrator accounts in the Azure portal. See [List Azure AD role assignments](../roles/view-assignments.md).|

-> The cloud sync configuration creates a service principal. The service principal is visible in the Azure portal. You should not modify the attribute mappings using the service principal experience in the Azure portal. This is not supported.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 4. Click on an existing configuration.

- 5. At the top, select **Properties**. You should see Exchange hybrid writeback disabled.

- 6. Select the pencil next to **Basic**.

- 7. On the right, place a check in **Exchange hybrid writeback** and click **Apply**.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 4. Under **Configuration**, select your configuration.

- 5. On the left, select **Provision on demand**.

- 6. Enter the distinguished name of a user and select the **Provision** button.

- 7. A success screen appears with four green check marks.

- 8. Click **Next**. On the **Writeback exchange attributes to Active Directory** tab, the synchronization starts.

- 9. You should see the success details.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

-4. Under **Configuration**, select your configuration.

-5. Select **View default properties**.

-6. Click the pencil next to **Basics**

-5. On the right, fill in the following information.

-> This article describes how to use the Azure portal to map attributes. For information on using Microsoft Graph, see [Transformations](how-to-transformation.md).

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

-

- :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::

- 4. Under **Configuration**, select your configuration.

- 5. On the left, select **Attribute mapping**.

- 6. At the top, ensure that you have the correct object type selected. That is, user, group, or contact.

- 7. Click **Add attribute mapping**.

- 8. Select the mapping type. This can be one of the following:

- 9. Depending on what you have selected in the previous step, different options will be available for filling in.

- 10. Select when to apply this mapping, and then select **Apply**.

- 11. Back on the **Attribute mappings** screen, you should see your new attribute mapping.

- 12. Select **Save schema**. You will be notified that once you save the schema, a synchronization will occur. Click **OK**.

- 13. Once the save is successful you will see a notification on the right.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 4. Under **Configuration**, select your configuration.

- 5. On the left, select **Provision on demand**.

- 6. Enter the distinguished name of a user and select the **Provision** button.

- 7. After provisioning finishes, a success screen appears with four green check marks. Any errors appear to the left.

-The Cloud sync workbook provides a flexible canvas for data analysis. The workbook allows you to create rich visual reports within the Azure portal. To learn more, see Azure Monitor Workbooks overview.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 4. Select **New configuration**.

- 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.

- 6. The **Get started** screen will open. From here, you can continue configuring cloud sync.

- 7. The configuration is split in to the following 5 sections.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 4. Under **Configuration**, select your configuration.

- 5. At the top of the configuration screen, select **Delete configuration**.

- 1. In the Azure portal, select **Azure Active Directory**.

- 1. Select **Azure AD Connect**.

- 1. Select **Manage cloud sync**.

- 1. Under **Configuration**, select your configuration.

- 1. Under **Manage attributes**, select **Click to edit mappings**.

- 1. On the **Edit attribute mappings** pane, select **Add attribute mapping**.

- 1. Under **Mapping type**, select **Expression**.

- 1. Select **Try the expression builder (Preview)**.

- 1. Sign in to the server you use with enterprise admin permissions.

- 2. Sign in to the [Azure portal](https://portal.azure.com), and then go to **Azure Active Directory**.

- 3. On the menu on the left, select **Azure AD Connect**.

- 4. Select **Manage cloud sync**.

- [](media/how-to-install/new-install-1.png#lightbox)</br>

- 5. At the top, click **Download agent**.

- [](media/how-to-install/new-install-2.png#lightbox)</br>

- 6. On the right, click **Accept terms and download**.

- 7. For the purposes of these instructions, the agent was downloaded to the C:\temp folder.

- 8. Install ProvisioningAgent in quiet mode. [If Installing against US Government Cloud, click here for alternate code block.](how-to-install-pshell.md#installing-against-us-government-cloud)

- 10. Import the Provisioning Agent PS module.

- 11. Connect to Azure AD by using an account with the hybrid identity role. You can customize this section to fetch a password from a secure store.

- 12. Add the gMSA account, and provide credentials of the domain admin to create the default gMSA account.

- 13. Or use the preceding cmdlet to provide a precreated gMSA account.

- 14. Add the domain.

- 15. Or use the preceding cmdlet to configure preferred domain controllers.

- 16. Repeat the previous step to add more domains. Provide the account names and domain names of the respective domains.

- 17. Restart the service.

- 18. Go to the Azure portal to create the cloud sync configuration.

-description: Learn how to install the Azure AD Connect provisioning agent and how to configure it in the Azure portal.

-This article walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal.

- 1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account.

- 2. Search for and select **Azure Active Directory**, select **Password reset**, then choose **On-premises integration**.

- 1. In the Azure portal, select **Azure Active Directory**.

- 1. Select **Azure AD Connect**.

- 1. Select **Manage cloud sync**.

- 1. Under **Configuration**, select your configuration.

- 1. Under **Manage attributes**, select **Click to edit mappings**.

- 1. Select **Add attribute mapping**.

-1. Select the mapping type. You can do the mapping in one of three ways:

-1. In the **Target attribute** dropdown box, select **UserType**.

-1. Select **Apply** at the bottom of the page to create a mapping for the Azure AD **UserType** attribute.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

-

- :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::

- 4. Under **Configuration**, select your configuration.

- 5. On the left, select **Provision on demand**.

- 6. Enter the distinguished name of a user and select the **Provision** button.

- 7. After provisioning finishes, a success screen appears with four green check marks. Any errors appear to the left.

-### In the Azure portal

- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure portal. |

- 1. Now, in the Azure portal, go to the cloud sync configuration and select **Restart provisioning**.

-You can verify these items in the Azure portal and on the local server that's running the agent.

-### Azure portal agent verification

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. On the left, select **Azure Active Directory** > **Azure AD Connect**. In the center, select **Manage sync**.

-1. On the **Azure AD Connect cloud sync** screen, select **Review all agents**.

- 

-1. On the **On-premises provisioning agents** screen, you see the agents you've installed. Verify that the agent in question is there. If all is well, you will see the *active* (green) status for the agent.

- 

-In the Azure portal, you can use provisioning logs to help track down and troubleshoot object synchronization problems. To view the logs, select **Logs**.

-Use the Azure portal to restart the provisioning job. On the agent configuration page, select **Restart sync**.

-|HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from Azure portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from Azure portal.|

-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.

-2. Select the **plus icon (+)** and search for **Azure Active Directory**.

-3. Select **Azure Active Directory** in the search results.

-</br>

-### In the Azure portal

- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Select **Azure Active Directory**

-3. Select **Azure AD Connect**

-4. Select **Manage cloud sync**

- 

-5. Select **New Configuration**

- 

-6. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.

- 

-7. The configuration status should now be **Healthy**.

- 

-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.

-2. On the left, select **Azure Active Directory**

-3. Under **Manage**, select **Users**.

-4. Verify that you see the new users in our tenant

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

-

- :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX cloud sync screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::

-

- 4. Select **New configuration**.

- 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.

- 6. The **Get started** screen will open.

- 7. On the **Get started** screen, click either **Add scoping filters** next to the **Add scoping filters** icon or on the click **Scoping filters** on the left under **Manage**.

- 8. Select the scoping filter. For this tutorial select:

- 9. In the box, enter "OU=CPUsers,DC=contoso,DC=com".

- 10. Click **Add**. Click **Save**.

-1. Disable provisioning configuration in the Azure portal.

-### In the Azure portal

- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**

-1. Select **Azure AD Connect**

-1. Select **Manage cloud sync**

- 

-1. Select **New Configuration**

-

- [](media/tutorial-single-forest/configure-1.png#lightbox)

-1. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.

- [](media/how-to-configure/configure-2.png#lightbox)

-1. The configuration status should now be **Healthy**.

- [](media/how-to-configure/manage-4.png#lightbox)

-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.

-2. On the left, select **Azure Active Directory**

-3. Under **Manage**, select **Users**.

-4. Verify that the new users appear in your tenant

-1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)

-1. Sign in with a user account that was created in your tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.

-|Is there a health monitoring solution?|Not required|Agent status provided by the [Azure portal](tshoot-connect-pass-through-authentication.md)|[Azure AD Connect Health](how-to-connect-health-adfs.md)|

-* External resources, such as Microsoft 365, the Azure portal, and thousands of other Software-as-a-Service (SaaS) applications.

-

-Azure AD enables administrators to [add applications](../../manage-apps/add-application-portal.md) to the Azure AD application gallery in the [Azure portal](https://portal.azure.com/). Adding applications to the Enterprise applications gallery makes it easier for you to configure applications to use Azure AD as your identity provider. It also lets you manage user access to the application with Conditional Access policies and configure single sign-on (SSO) to applications so that users don't have to enter their passwords repeatedly and are automatically signed into both on-premises and cloud-based applications.

-Enabling automated provisioning and deprovisioning to your applications is the best strategy for governing the lifecycle of identities across multiple systems. Azure AD supports [automated, policy-based provisioning and deprovisioning](../../app-provisioning/configure-automatic-user-provisioning-portal.md) of user accounts to various popular SaaS applications such as ServiceNow and Salesforce, and others that implement the [SCIM 2.0 protocol](../../app-provisioning/use-scim-to-provision-users-and-groups.md). Unlike traditional provisioning solutions, which require custom code or manual uploading of CSV files, the provisioning service is hosted in the cloud, and features pre-integrated connectors that can be set up and managed using the Azure portal. A key benefit of automatic deprovisioning is that it helps secure your organization by instantly removing users' identities from key SaaS apps when they leave the organization.

- 

-AD FS customers may expose password authentication endpoints to the internet to provide authentication services for end users to access SaaS applications such as Microsoft 365. In this case, it is possible for a bad actor to attempt logins against your AD FS system to guess an end userΓÇÖs password and get access to application resources. AD FS provides the extranet account lockout functionality to prevent these types of attacks since AD FS in Windows Server 2012 R2. If you are on a lower version, we strongly recommend that you upgrade your AD FS system to Windows Server 2016. <br />

-Additionally, it is possible for a single IP address to attempt multiple logins against multiple users. In these cases, the number of attempts per user may be under the threshold for account lockout protection in AD FS. Azure AD Connect Health now provides the ΓÇ£Risky IP reportΓÇ¥ that detects this condition and notifies administrators. The following are the key benefits for this report:

-| Detection Window Start Time | Shows the time stamp based on Azure portal local time when the detection time window starts.<br /> All daily events are generated at mid-night UTC time. <br />Hourly events have the timestamp rounded to the beginning of the hour. You can find first activity start time from ΓÇ£firstAuditTimestampΓÇ¥ in the exported file. |

-| Bad Password Error Count (50126) | The count of Bad Password error occurred from the IP address during the detection time window. The Bad Password errors can happen multiple times to certain users. Notice this does not include failed attempts due to expired passwords. |

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Navigate to **Azure Active Directory** > **Monitoring** > **Workbooks**.

-Load balancer aggregate failed sign-in activities and hit the alert threshold. If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. Please configure your load balancer correctly to pass forward client IP address.

-## Configure notification alerts using Azure Monitor Alerts through the Azure portal:

-1. In the Azure portal, search for ΓÇ£MonitorΓÇ¥ in the search bar to navigate to the Azure ΓÇ£MonitorΓÇ¥ service. Select ΓÇ£AlertsΓÇ¥ from the left menu, then ΓÇ£+ New alert ruleΓÇ¥.

-If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. Please configure your load balancer correctly to pass forward client IP address.

-| Time Stamp | The time stamp that's based on Azure portal local time when the detection time window starts.<br> All daily events are generated at midnight UTC time. <br>Hourly events have the time stamp rounded to the beginning of the hour. You can find the first activity start time from ΓÇ£firstAuditTimestampΓÇ¥ in the exported file. |

-> Remember that you must have Azure AD Premium (P1 or P2) to use Azure AD Connect Health. If you don't have Azure AD Premium, you can't complete the configuration in the Azure portal. For more information, see the [requirements](how-to-connect-health-agent-install.md#requirements).

-description: This document describes the diagnosis process of duplicated attribute synchronization errors and a potential fix of the orphaned object scenarios directly from the Azure portal.

-Follow the steps from the Azure portal to narrow down the sync error details and provide more specific solutions:

-From the Azure portal, take a few steps to identify specific fixable scenarios:

-1. In the Azure portal, search for Azure AD Connect Health

-This limits the evaluation of alerts by the service. You will see a banner that indicates this condition in the Azure portal under your service.

-Federating multiple, top-level domains with Azure AD requires some extra configuration that is not required when federating with one top-level domain.

-When you attempt to convert the bmfabrikam.com domain to be federated, an error occurs. The reason is, Azure AD has a constraint that does not allow the IssuerUri property to have the same value for more than one domain.

-This parameter makes Azure AD configure the IssuerUri so that it is based on the name of the domain. The IssuerUri will be unique across directories in Azure AD. Using the parameter allows the PowerShell command to complete successfully.

-`-SupportMultipleDomain` does not change the other endpoints, which are still configured to point to the federation service on adfs.bmcontoso.com.

-Thus during authentication to Azure AD or Microsoft 365, the IssuerUri element in the userΓÇÖs token is used to locate the domain in Azure AD. If, a match cannot be found, the authentication will fail.

-If you did not set up the federated trust between AD FS and your instance of Azure AD, you may need to re-create this trust. The reason is, when it is originally set up without the `-SupportMultipleDomain` parameter, the IssuerUri is set with the default value. In the screenshot below, you can see the IssuerUri is set to `https://adfs.bmcontoso.com/adfs/services/trust`.

-If you have successfully added a new domain in the Azure portal and then attempt to convert it using `Convert-MsolDomaintoFederated -DomainName <your domain>`, you will get the following error.

-If you try to add the `-SupportMultipleDomain` switch, you will receive the following error:

-Use the steps below to add an additional top-level domain. If you have already added a domain, and did not use the `-SupportMultipleDomain` parameter, start with the steps for removing and updating your original domain. If you have not added a top-level domain yet, you can start with the steps for adding a domain using PowerShell of Azure AD Connect.

-So lets say, for example, that I have bmcontoso.com and then add corp.bmcontoso.com. The IssuerUri for a user from corp.bmcontoso.com will need to be **`http://bmcontoso.com/adfs/services/trust`**. However the standard rule implemented above for Azure AD, will generate a token with an issuer as **`http://corp.bmcontoso.com/adfs/services/trust`**. which will not match the domain's required value and authentication will fail.

- * The [Azure portal](https://portal.azure.com).

-* If your proxy or firewall limit which URLs can be accessed, the URLs documented in [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) must be opened. Also see [Safelist the Azure portal URLs on your firewall or proxy server](../../../azure-portal/azure-portal-safelist-urls.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) as an admin.

-Use the Azure portal to check the status of a synchronization.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an admin.

-2. On the left, select **Active Directory**.

-3. On the left, select **Azure AD Connect**

- 1. Sign in to the [Azure portal](https://portal.azure.com).

- | **8080** (optional) | Authentication Agents report their status every ten minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. Port 8080 is _not_ used for user sign-ins. |

-Prior to enabling Pass-through Authentication through Azure AD Connect with Step 2, download the latest release of the PTA agent from the Azure portal. You need to ensure that your agent is versions **1.5.1742.0.** or later. To verify your agent see [Upgrade authentication agents](how-to-connect-pta-upgrade-preview-authentication-agents.md)

-1. Sign in to the [Azure portal](https://portal.azure.com) with the Global Administrator credentials for your tenant.

-2. Select **Azure Active Directory** on the left-hand navigation.

-3. Select **Azure AD Connect**.

-

-3. **Download the latest version of the Authentication Agent (versions 1.5.2482.0 or later)**: Sign in to the [Azure portal](https://portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the [terms of service](https://aka.ms/authagenteula) and download the latest version of the Authentication Agent. You can also download the Authentication Agent from [here](https://aka.ms/getauthagent).

-> If you check the Pass-through Authentication blade on the [Azure portal](https://portal.azure.com) after completing the preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as **Active** and the other as **Inactive**. This is _expected_. The **Inactive** entry is automatically dropped after a few days.

-2. **Download the latest version of the Authentication Agent (versions 1.5.2482.0 or later)**: Sign in to the [Azure portal](https://portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the terms of service and download the latest version.

-> If you check the Pass-through Authentication blade on the [Azure portal](https://portal.azure.com) after completing the preceding steps, you'll see two Authentication Agent entries per server - one entry showing the Authentication Agent as **Active** and the other as **Inactive**. This is _expected_. The **Inactive** entry is automatically dropped after a few days.

-* [Review the Microsoft Privacy policy on Trust Center](https://www.microsoft.com/trustcenter)

-1. Sign in to the [Azure portal](https://portal.azure.com) with the Hybrid Identity Administrator account credentials for your tenant.

-1. In the left menu, select **Azure Active Directory**.

-1. Select **Azure AD Connect**.

-* [Review the Microsoft Privacy policy on Trust Center](https://www.microsoft.com/trustcenter)

-1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

-1. Search for and select **Azure Active Directory**.

-1. From the left menu, select **Azure AD Connect**.

-You can monitor the users and groups added or removed from Staged Rollout and users sign-ins while in Staged Rollout, using the new Hybrid Auth workbooks in the Azure portal.

-During installation of Azure AD Connect, an application is registered where these attributes are available. You can see this application in the Azure portal. Its name is always **Tenant Schema Extension App**.

-You cannot see the shadow attributes using the Azure portal or with PowerShell. But understanding the concept helps you to troubleshoot certain scenarios where the attribute has different values on-premises and in the cloud.

-In Active Directory, the default UPN suffix is the domain DNS name where you created the user account. In most cases, you register this domain name as the enterprise domain. If you create the user account in the contoso.com domain, the default UPN is: username@contoso.com. However, you can add more UPN suffixes by using Active Directory domains and trusts. Learn more: [Add your custom domain name using the Azure portal](../../fundamentals/add-custom-domain.md).

-Allow enough time for the UPN change to sync to Azure AD. After you verify the new UPN appears in the Azure portal, ask the user to select the "Other user" tile to sign in with their new UPN. You can verify using Microsoft Graph PowerShell. See, [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser). After users sign in with a new UPN, references to the old UPN might appear on the **Access work or school** Windows setting.

->When you migrate from federated to cloud authentication, the process to convert the domain from federated to managed may take up to 60 minutes. During this process, users might not be prompted for credentials for any new logins to Azure portal or other browser based applications protected with Azure AD. We recommend that you include this delay in your maintenance window.

-Sign in to the [Azure portal](https://portal.azure.com/), browse to **Azure Active Directory** > **Azure AD Connect** and verify the **USER SIGN_IN** settings as shown in this diagram:

-7. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.

- 

- 

-

-1. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.

- 

-1. In the Azure portal, select **Azure Active Directory**, and then select **Azure AD Connect**.

- 

- If the authentication agent isn't active, complete these [troubleshooting steps](tshoot-connect-pass-through-authentication.md) before you continue with the domain conversion process in the next step. You risk causing an authentication outage if you convert your domains before you validate that your PTA agents are successfully installed and that their status is **Active** in the Azure portal.

-3. In the Azure portal, select **Azure Active Directory > Azure AD Connect**.

-If you've Azure AD Connect Health, you can [monitor usage](how-to-connect-health-adfs.md) from the Azure portal. In case the usage shows no new auth req and you validate that all users and clients are successfully authenticating via Azure AD, it's safe to remove the Microsoft 365 relying party trust.

-

-A server account is created with a long, complex password that doesn't expire. The account is granted a special Directory Synchronization Accounts role that has permissions to perform only directory synchronization tasks. This special built-in role can't be granted outside of the Azure AD Connect wizard. The Azure portal shows this account with the User role.

-* [Review the Microsoft Privacy policy on Trust Center](https://www.microsoft.com/trustcenter)

-### Sign-in failure reasons on the Azure portal (needs Premium license)

-Navigate to **Azure Active Directory** -> **Sign-ins** on the [Azure portal](https://portal.azure.com/) and click a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution using the following table:

-Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Azure Active Directory** > **Azure AD Connect** pane in the [Azure portal](https://portal.azure.com/).

-

-

-## Sign-in failure reasons in the Azure portal (needs a Premium license)

-If your tenant has an Azure AD Premium license associated with it, you can also look at the [sign-in activity report](../../reports-monitoring/concept-sign-ins.md) inside of Azure Active Directory in the [Azure portal](https://portal.azure.com/).

-

-Browse to **Azure Active Directory** > **Sign-ins** in the [Azure portal](https://portal.azure.com/), and then select a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution by using the following table:

-With the latest version of Azure AD Connect \(August 2016 or higher\), a Synchronization Errors Report is available in the [Azure portal](https://aka.ms/aadconnecthealth) as part of Azure AD Connect Health for sync.

-1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

-1. In the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview), be sure to close the **All users** pane.

-1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

-1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

-1. In the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview), be sure to close the **All users** pane.

-1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

-1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

-1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

-|Great user experience|Dashboard fashion from Azure portal</br>[Alerts through emails](how-to-connect-health-adfs.md#alerts-for-ad-fs)|

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. On the left, select **Azure AD Connect**.

- 3. On the left, select **Cloud sync**.

-1. **Create an equivalent** [user risk-based](#user-risk-policy-in-conditional-access) and [sign-in risk-based ](#sign-in-risk-policy-in-conditional-access) policy in Conditional Access in report-only mode. You can create a policy with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md) based on Microsoft's recommendations and your organizational requirements.

- 

- 

-To learn more, go to my.f5.com for [K18390492: Security | BIG-IP APM operations guide]( https://support.f5.com/csp/article/K18390492)

-The operations guide doesn't cover Single Log-Out (SLO). This feature ensures sessions between the IdP, the BIG-IP, and the user agent terminate when users sign out. The Easy Button deploys a SAML application to the Azure AD tenant. It populates the Logout URL with the APM SLO endpoint. IdP initiated sign out from the [My Apps]( https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) portal terminates the BIG-IP and client session.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure AD Privileged Identity Management -> My requests -> Groups**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure AD Privileged Identity Management -> My requests -> Groups**.

-When an eligible assignment is activated (Create **\*AssignmentScheduleRequest** was called), the **\*EligibilityScheduleInstance** continues to exist, new **\*AssignmentSchedule** and a **\*AssignmentScheduleInstance** objects will be created for that activated duration.

-To manage the PIM policies, use **roleManagementPolicy** and **roleManagementPolicyAssignment** entities:

- 

-| Audit | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Azure AD |

-| Sign-ins | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Azure AD |

-* A user with the **Global Administrator**, **Security Administrator**, **Security Reader**, or **Reports Reader** role for the tenant.

-**To complete this step:**

-1. Sign in to the [Azure portal](https://portal.azure.com) as Isabella Simonsen using an incorrect password.

-2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-ins log. For more information, see [Activity reports](./overview-reports.md#activity-reports).

-This section provides you with the steps to analyze a failed sign-in:

-**To review the failed sign-in:**

-1. Navigate to the [sign-ins log](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns).

-2. To list only records for Isabella Simonsen:

- 1. In the toolbar, select **Add filters**.

- 1. In the **Pick a field** list, select **User**, and then select **Apply**.

- 1. In the **Username** textbox, type **Isabella Simonsen**, and then select **Apply**.

- 1. In the toolbar, select **Refresh**.

-3. To analyze the issue, select **Troubleshooting and support**.

- 

-4. Copy the **Sign-in error code**.

-5. Paste the error code into the textbox of the [sign-in error lookup tool](https://login.microsoftonline.com/error), and then select **Submit**.

-When no longer needed, delete the test user. If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users.md#delete-a-user).

-## Next steps

-1. Sign in to the **Azure portal** using one of the [required roles](concept-audit-logs.md).

-1. Browse to **Azure Active Directory** > **Audit logs**.

-|DirectoryManagement|Enable passthrough authentication

-|Authorization|Get customAuthenticationExtensions

-|Authorization|Update authentication flows policy

-|UserManagement|Delete FIDO2 security key|

-|RoleManagement|Cancel request|

-|GroupManagement|Set dynamic group properties|

-|UserManagement|User completed security info registration for self-service password reset|

-|UserManagement|User started security info registration for self-service password reset|

-description: Learn how to set up Azure Diagnostics to push Azure Active Directory logs to an event hub

-# Customer intent: As an IT administrator, I want to learn how to route Azure AD logs to an event hub so I can integrate it with my third party SIEM system.

-# Tutorial: Stream Azure Active Directory logs to an Azure event hub

-In this tutorial, you learn how to set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.

-## Prerequisites

-To use this feature, you need:

-* An Azure subscription. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/).

-* An Azure AD tenant.

-* A user who's a *Global Administrator* or *Security Administrator* for the Azure AD tenant.

-* An Event Hubs namespace and an event hub in your Azure subscription. Learn how to [create an event hub](../../event-hubs/event-hubs-create.md).

-## Stream logs to an event hub

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Audit logs**.

-1. Select **Export Data Settings**.

-1. In the **Diagnostics settings** pane, do either of the following:

- * To change existing settings, select **Edit setting**.

- * To add new settings, select **Add diagnostics setting**.

- You can have up to three settings.

-1. Select the **Stream to an event hub** check box, and then select **Event Hub/Configure**.

- [  ](./media/tutorial-azure-monitor-stream-logs-to-event-hub/diagnostic-setting-stream-to-event-hub.png#lightbox)

- 1. Select the Azure subscription and Event Hubs namespace that you want to route the logs to.

- The subscription and Event Hubs namespace must both be associated with the Azure AD tenant that the logs stream from. You can also specify an event hub within the Event Hubs namespace to which logs should be sent. If no event hub is specified, an event hub is created in the namespace with the default name **insights-logs-audit**.

- 1. Select any combination of the following items:

- - To send audit logs to the event hub, select the **AuditLogs** check box.

- - To send interactive user sign-in logs to the event hub, select the **SignInLogs** check box.

- - To send non-interactive user sign-in logs to the event hub, select the **NonInteractiveUserSignInLogs** check box.

- - To send service principal sign-in logs to the event hub, select the **ServicePrincipalSignInLogs** check box.

- - To send managed identity sign-in logs to the event hub, select the **ManagedIdentitySignInLogs** check box.

- - To send provisioning logs to the event hub, select the **ProvisioningLogs** check box.

- - To send sign-ins sent to Azure AD by an AD FS Connect Health agent, select the **ADFSSignInLogs** check box.

- - To send risky user information, select the **RiskyUsers** check box.

- - To send user risk events information, select the **UserRiskEvents** check box.

- > [!NOTE]

- > Some sign-in categories contain large amounts of log data depending on your tenantΓÇÖs configuration. In general, the non-interactive user sign-ins and service principal sign-ins can be 5 to 10 times larger than the interactive user sign-ins.

- 1. Select **Save** to save the setting.

-1. After about 15 minutes, verify that events are displayed in your event hub. To do so, go to the event hub from the portal and verify that the **incoming messages** count is greater than zero.

- [ ](./media/tutorial-azure-monitor-stream-logs-to-event-hub/azure-monitor-event-hub-instance.png#lightbox)

-## Access data from your event hub

-After data is displayed in the event hub, you can access and read the data in two ways:

-* **Configure a supported SIEM tool**. To read data from the event hub, most tools require the event hub connection string and certain permissions to your Azure subscription. Third-party tools with Azure Monitor integration include, but aren't limited to:

-

- * **ArcSight**: For more information about integrating Azure AD logs with ArcSight, see [Integrate Azure Active Directory logs with ArcSight using Azure Monitor](howto-integrate-activity-logs-with-arcsight.md).

-

- * **Splunk**: For more information about integrating Azure AD logs with Splunk, see [Integrate Azure AD logs with Splunk by using Azure Monitor](./howto-integrate-activity-logs-with-splunk.md).

-

- * **IBM QRadar**: The DSM and Azure Event Hubs Protocol are available for download at [IBM support](https://www.ibm.com/support). For more information about integration with Azure, go to the [IBM QRadar Security Intelligence Platform 7.3.0](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_microsoft_azure_overview.html?cp=SS42VS_7.3.0) site.

-

- * **Sumo Logic**: To set up Sumo Logic to consume data from an event hub, see [Install the Azure AD app and view the dashboards](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#viewing-azure-active-directory-dashboards).

-* **Set up custom tooling**. If your current SIEM isn't supported in Azure Monitor diagnostics yet, you can set up custom tooling by using the Event Hubs API. To learn more, see the [Getting started receiving messages from an event hub](../../event-hubs/event-hubs-dotnet-standard-getstarted-send.md).

-## Next steps

-* [Create diagnostic settings to send platform logs and metrics to different destinations](../../azure-monitor/essentials/diagnostic-settings.md)

-* [Integrate Azure Active Directory logs with ArcSight using Azure Monitor](howto-integrate-activity-logs-with-arcsight.md)

-* [Integrate Azure AD logs with Splunk by using Azure Monitor](./howto-integrate-activity-logs-with-splunk.md)

-* [Integrate Azure AD logs with SumoLogic by using Azure Monitor](howto-integrate-activity-logs-with-sumologic.md)

-* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)

-* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)

-> * Configure a log analytics workspace for your audit and sign-in logs

-> * Create an alert rule that sends alerts when a specific account is used

-## Configure a workspace

-This procedure outlines how to configure a log analytics workspace for your audit and sign-in logs.

-Configuring a log analytics workspace consists of two main steps:

-

-1. Creating a log analytics workspace

-2. Setting diagnostic settings

-**To configure a workspace:**

- 

- 

- 3. In the **Name** textbox, type a name (e.g.: MytestWorkspace1).

-5. Click **Review + Create**.

-6. Click **Create** and wait for the deployment to be succeeded. You may need to refresh the page to see the new workspace.

-7. Search for **Azure Active Directory**.

- 

-8. In **Monitoring** section, click **Diagnostic setting**.

- 

-9. On the **Diagnostic settings** page, click **Add diagnostic setting**.

-10. On the **Diagnostic setting** page, perform the following steps:

- 

- 2. Under **Destination details**, select **Send to Log Analytics**, and then select your new log analytics workspace.

- 3. Click **Save**.

-## Run queries

-This procedure shows how to run queries using the **Kusto Query Language (KQL)**.

-**To run a query:**

-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.

-2. Search for **Azure Active Directory**.

-3. In the **Monitoring** section, click **Logs**.

-4. On the **Logs** page, click **Get Started**.

-5. In the **Search* textbox, type your query.

-6. Click **Run**.

-`SigninLogs | take 10`

-`SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus`

-`SigninLogs | where ConditionalAccessStatus == "success" | project UserDisplayName, ConditionalAccessStatus | count`

-`SigninLogs | where ConditionalAccessStatus == "success" | summarize SuccessfulSign-ins = count() by UserDisplayName, bin(TimeGenerated, 1d)`

-`AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | summarize count() by OperationName, Identity`

-`AuditLogs | where TimeGenerated > ago(30d) | where OperationName contains "Add member to role" | project OperationName, Identity | evaluate pivot(OperationName)`

-`AuditLogs |where OperationName contains "Add User" |extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName) | |project TimeGenerated, UserPrincipalName |join kind = inner (SigninLogs) on UserPrincipalName |summarize arg_min(TimeGenerated, *) by UserPrincipalName |extend SigninDate = TimeGenerated`

-`SigninLogs | summarize count() by ClientAppUsed`

-`SigninLogs | summarize NumberOfEntries=count() by bin(TimeGenerated, 1d)`

-`SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated `

-`SigninLogs | take 5 | project ClientAppUsed, Identity, ConditionalAccessStatus, Status, TimeGenerated `

-`SigninLogs | limit 10 | extend RiskUser = strcat(RiskDetail, "-", Identity) | project RiskUser, ClientAppUsed`

-## Create an alert rule

-This procedure shows how to send alerts when the breakglass account is used.

-**To create an alert rule:**

-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.

-2. Search for **Azure Active Directory**.

-3. In the **Monitoring** section, click **Logs**.

-4. On the **Logs** page, click **Get Started**.

-5. In the **Search** textbox, type: `SigninLogs |where UserDisplayName contains "BreakGlass" | project UserDisplayName`

-6. Click **Run**.

-7. In the toolbar, click **New alert rule**.

- 

-8. On the **Create alert rule** page, verify that the scope is correct.

-9. Under **Condition**, click: **Whenever the average custom log search is greater than `logic undefined` count**

- 

-10. On the **Configure signal logic** page, in the **Alert logic** section, perform the following steps:

- 

- 1. As **Based on**, select **Number of results**.

- 2. As **Operator**, select **Greater than**.

- 3. As **Threshold value**, select **0**.

-11. On the **Configure signal logic** page, in the **Evaluated based on** section, perform the following steps:

- 

- 1. As **Period (in minutes)**, select **5**.

- 2. As **Frequency (in minutes)**, select **5**.

- 3. Click **Done**.

-12. Under **Action group**, click **Select action group**.

- 

-13. On the **Select an action group to attach to this alert rule**, click **Create action group**.

- 

-14. On the **Create action group** page, perform the following steps:

- 

- 1. In the **Action group name** textbox, type **My action group**.

- 2. In the **Display name** textbox, type **My action**.

- 3. Click **Review + create**.

- 4. Click **Create**.

-15. Under **Customize action**, perform the following steps:

- 

- 1. Select **Email subject**.

- 2. In the **Subject line** textbox, type: `Breakglass account has been used`

-16. Under **Alert rule details**, perform the following steps:

- 

- 1. In the **Alert rule name** textbox, type: `Breakglass account`

- 2. In the **Description** textbox, type: `Your emergency access account has been used`

-17. Click **Create alert rule**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.

-2. Search for **Azure Active Directory**.

-3. In the **Monitoring** section, click **Workbooks**.

- 

-4. In the **Quickstart** section, click **Empty**.

-5. Click **Add**.

- 

-6. Click **Add text**.

-7. In the textbox, type: `# Client apps used in the past week`, and then click **Done Editing**.

- 

-8. In the new workbook, click **Add**, and then click **Add query**.

-9. In the query textbox, type: `SigninLogs | where TimeGenerated > ago(7d) | project TimeGenerated, UserDisplayName, ClientAppUsed | summarize count() by ClientAppUsed`

-10. Click **Run Query**.

-11. In the toolbar, under **Visualization**, click **Pie chart**.

-12. Click **Done Editing**.

- 

-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator.

-2. Search for **Azure Active Directory**.

-3. In the **Monitoring** section, click **Workbooks**.

- 

-4. In the **conditional access** section, click **Conditional Access Insights and Reporting**.

-5. In the toolbar, click **Edit**.

-6. In the toolbar, click the three dots, then **Add**, and then **Add query**.

-7. In the query textbox, type: `SigninLogs | where TimeGenerated > ago(20d) | where ConditionalAccessPolicies != "[]" | summarize dcount(UserDisplayName) by bin(TimeGenerated, 1d), ConditionalAccessStatus`

-8. Click **Run Query**.

-9. Click **Time Range**, and then select **Set in query**.

-10. Click **Visualization**, and then select **Bar chart**.

-11. Click **Advanced Settings**, as chart title, type `Conditional Access status over the last 20 days`, and then click **Done Editing**.

- 

-## Next steps

-Advance to the next article to learn how to manage device identities by using the Azure portal.

-> [Monitoring](overview-monitoring.md)

-> Microsoft is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance. Learn more about how the Microsoft global incident response team mitigates the effects of attacks against cloud services, and how security is built into Microsoft business products and cloud services at [Microsoft Trust Center - Security](https://www.microsoft.com/trustcenter/security) and Microsoft compliance targets at [Microsoft Trust Center - Compliance](https://www.microsoft.com/trustcenter/compliance).

-* [Microsoft Trust Center - Compliance](https://www.microsoft.com/trustcenter/compliance/complianceofferings) ΓÇô Microsoft's comprehensive set of compliance offerings for cloud services

-* You can use Microsoft My Apps. When you click the 23 Video tile in the My Apps, this will redirect to 23 Video Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the 4DX tile in the My Apps, you should be automatically signed in to the 4DX for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Achieve3000 tile in the My Apps, this will redirect to Achieve3000 Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the ACLP tile in the My Apps, this will redirect to ACLP Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Acoustic Connect tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Acoustic Connect for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Active and Thriving tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Active and Thriving for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Active Directory SSO for DoubleYou tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Active Directory SSO for DoubleYou for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Adaptive Shield tile in the My Apps, this will redirect to Adaptive Shield Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Adoddle cSaas Platform tile in the My Apps, you should be automatically signed in to the Adoddle cSaas Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the ADP EMEA French HR Portal mon.adp.com tile in the My Apps, you should be automatically signed in to the ADP EMEA French HR Portal mon.adp.com for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

- [  ](./media/adra-by-trintech-tutorial/settings.png#lightbox)

- [  ](./media/adra-by-trintech-tutorial/certificate.png#lightbox)

-You can also use Microsoft My Apps to test the application in any mode. When you click the Adra by Trintech tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Adra by Trintech for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-Once you configure Adra by Trintech you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-* You can use Microsoft My Apps. When you click the Adstream tile in the My Apps, this will redirect to Adstream Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

- 

-You can also use Microsoft My Apps to test the application in any mode. When you click the Agile Provisioning tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Agile Provisioning for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Air tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Air for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Airbase tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Airbase for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

- 

- 

-You can also use Microsoft My Apps to test the application in any mode. When you click the Alchemer tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Alchemer for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the AlertEnterprise-Guardian tile in the My Apps, you should be automatically signed in to the AlertEnterprise-Guardian for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the AlexisHR tile in the My Apps, you should be automatically signed in to the AlexisHR for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Allbound SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Allbound SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Allocadia tile in the My Apps, you should be automatically signed in to the Allocadia for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Altoura tile in the My Apps, this will redirect to Altoura Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Amazing People Schools tile in the My Apps, this will redirect to Amazing People Schools Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the AMMS tile in the My Apps, this will redirect to AMMS Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the ANAQUA tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ANAQUA for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the AnswerHub tile in the My Apps, this will redirect to AnswerHub Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Anyone Home CRM tile in the My Apps, you should be automatically signed in to the Anyone Home CRM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Appaegis Isolation Access Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Appaegis Isolation Access Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

- 

- 

- 

-* You can use Microsoft My Apps. When you click the AppRemo tile in the My Apps, this will redirect to AppRemo Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Aqua Platform tile in the My Apps, this will redirect to Aqua Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Archie tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Archie for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Arena EU tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Arena EU for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Arena tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Arena for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Articulate 360 tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Articulate 360 for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the ASC Contracts tile in the My Apps, you should be automatically signed in to the ASC Contracts for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the AsignetSSOIntegration tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AsignetSSOIntegration for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the askspoke tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the askspoke for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Asset Planner tile in the My Apps, this will redirect to Asset Planner Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Athena Systems Login Platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Athena Systems Login Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Atomic Learning tile in the My Apps, this will redirect to Atomic Learning Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the ATP SpotLight and ChronicX tile in the My Apps, this will redirect to ATP SpotLight and ChronicX Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Avionte Bold SAML Federated SSO tile in the My Apps, this will redirect to Avionte Bold SAML Federated SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the AwardSpring tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AwardSpring for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Axiad Cloud tile in the My Apps, this will redirect to Axiad Cloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Balsamiq Wireframes tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Balsamiq Wireframes for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Employee Advocacy by Sprout Social tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Employee Advocacy by Sprout Social for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BMIS - Battery Management Information System tile in the My Apps, you should be automatically signed in to the BMIS - Battery Management Information System for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BC in the Cloud tile in the My Apps, this will redirect to BC in the Cloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Beable tile in the My Apps, you should be automatically signed in to the Beable for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Bealink tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Bealink for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BenefitHub tile in the My Apps, you should be automatically signed in to the BenefitHub for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Benefitsolver tile in the My Apps, this will redirect to Benefitsolver Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BenSelect tile in the My Apps, you should be automatically signed in to the BenSelect for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Betterworks tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Betterworks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Beyond Identity Admin Console tile in the My Apps, this will redirect to Beyond Identity Admin Console Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BIC Process Design tile in the My Apps, this will redirect to BIC Process Design Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the BigPanda tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BigPanda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Bime tile in the My Apps, this will redirect to Bime Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Birst Agile Business Analytics tile in the My Apps, this will redirect to Birst Agile Business Analytics Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the BitaBIZ tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BitaBIZ for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Bitly tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Bitly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Blink tile in the My Apps, this will redirect to Blink Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Blockbax tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Blockbax for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Blue Access for Members (BAM) tile in the My Apps, you should be automatically signed in to the Blue Access for Members (BAM) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Blue Ocean Brain tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Blue Ocean Brain for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BlueConic tile in the My Apps, you should be automatically signed in to the BlueConic for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the BorrowBox tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BorrowBox for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Brainfuse Online Tutoring tile in the My Apps, this will redirect to Brainfuse Online Tutoring Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BrainStorm Platform tile in the My Apps, this will redirect to BrainStorm Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Braze tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Braze for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Britive tile in the My Apps, this will redirect to Britive Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the BullseyeTDP tile in the My Apps, you should be automatically signed in to the BullseyeTDP for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Buttonwood Central SSO tile in the My Apps, this will redirect to Buttonwood Central SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Campus Cafe tile in the My Apps, this will redirect to Campus Cafe Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Canva tile in the My Apps, you should be automatically signed in to the Canva for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Capriza Platform tile in the My Apps, this will redirect to Capriza Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the CAREERSHIP tile in the My Apps, this will redirect to CAREERSHIP Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the CBRE ServiceInsight tile in the My Apps, this will redirect to CBRE ServiceInsight Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Cerner Central tile in the My Apps, you should be automatically signed in to the Cerner Central for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Certain Admin SSO tile in the My Apps, this will redirect to Certain Admin SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Change Process Management tile in the My Apps, you should be automatically signed in to the Change Process Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-You can also use Microsoft My Apps to test the application in any mode. When you click the Chargebee tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Chargebee for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the ChartDesk SSO tile in the My Apps, you should be automatically signed in to the ChartDesk SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Chatwork tile in the My Apps, this will redirect to Chatwork Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Cheetah For Benelux tile in the My Apps, this will redirect to Cheetah For Benelux Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Chengliye Smart SMS Platform tile in the My Apps, you should be automatically signed in to the Chengliye Smart SMS Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the ChronicX® tile in the My Apps, this will redirect to ChronicX® Sign-On URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

-* You can use Microsoft My Apps. When you click the Cimpl tile in the My Apps, this will redirect to Cimpl Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).