Updates from: 09/21/2023 01:50:21
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Accidental Deletions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/accidental-deletions.md
Title: Enable accidental deletions prevention in the Azure AD provisioning service
-description: Enable accidental deletions prevention in the Azure Active Directory (Azure AD) provisioning service for applications and cross-tenant synchronization.
+ Title: Enable accidental deletions prevention in the Microsoft Entra provisioning service
+description: Enable accidental deletions prevention in the Microsoft Entra provisioning service for applications and cross-tenant synchronization.
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
-# Enable accidental deletions prevention in the Azure AD provisioning service
+# Enable accidental deletions prevention in the Microsoft Entra provisioning service
::: zone pivot="app-provisioning"
-The Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in an application unexpectedly.
+The Microsoft Entra provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in an application unexpectedly.
::: zone-end ::: zone pivot="cross-tenant-synchronization"
-The Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in the target tenant unexpectedly.
+The Microsoft Entra provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in the target tenant unexpectedly.
::: zone-end You use accidental deletions to specify a deletion threshold. Anything above the threshold that you set requires an admin to explicitly allow the processing of the deletions.
active-directory Application Provisioning Config Problem No Users Provisioned https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned.md
Title: Users are not being provisioned in my application
-description: How to troubleshoot common issues faced when you don't see users appearing in an Azure AD Gallery Application you have configured for user provisioning with Azure AD
+description: How to troubleshoot common issues faced when you don't see users appearing in a Microsoft Entra Gallery Application you have configured for user provisioning with Microsoft Entra ID
>[!NOTE] >Starting 04/16/2020 we have changed the behavior for users assigned the default access role. Please see the section below for details. >
-After automatic provisioning has been configured for an application (including verifying that the app credentials provided to Azure AD to connect to the app are valid), then users and/or groups are provisioned to the app. Provisioning is determined by the following things:
+After automatic provisioning has been configured for an application (including verifying that the app credentials provided to Microsoft Entra ID to connect to the app are valid), then users and/or groups are provisioned to the app. Provisioning is determined by the following things:
-- Which users and groups have been **assigned** to the application. Note that provisioning nested groups are not supported. For more information on assignment, see [Assign a user or group to an enterprise app in Azure Active Directory](../manage-apps/assign-user-or-group-access-portal.md).-- Whether or not **attribute mappings** are enabled, and configured to sync valid attributes from Azure AD to the app. For more information on attribute mappings, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Azure Active Directory](customize-application-attributes.md).
+- Which users and groups have been **assigned** to the application. Note that provisioning nested groups are not supported. For more information on assignment, see [Assign a user or group to an enterprise app in Microsoft Entra ID](../manage-apps/assign-user-or-group-access-portal.md).
+- Whether or not **attribute mappings** are enabled, and configured to sync valid attributes from Microsoft Entra ID to the app. For more information on attribute mappings, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Microsoft Entra ID](customize-application-attributes.md).
- Whether or not there is a **scoping filter** present that is filtering users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-If you observe that users are not being provisioned, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Azure AD. Search for log entries for a specific user.
+If you observe that users are not being provisioned, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Microsoft Entra ID. Search for log entries for a specific user.
You can access the provisioning logs in the Microsoft Entra admin center by browsing to **Identity** > **Applications** > **Enterprise applications** > **Provisioning logs**. You can also select a specific application and then select **Provisioning logs** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
-The provisioning logs record all the operations performed by the provisioning service, including querying Azure AD for assigned users that are in scope for provisioning, querying the target app for the existence of those users, comparing the user objects between the system. Then add, update, or disable the user account in the target system based on the comparison.
+The provisioning logs record all the operations performed by the provisioning service, including querying Microsoft Entra ID for assigned users that are in scope for provisioning, querying the target app for the existence of those users, comparing the user objects between the system. Then add, update, or disable the user account in the target system based on the comparison.
## General Problem Areas with Provisioning to consider Below is a list of the general problem areas that you can drill into if you have an idea of where to start.
Below is a list of the general problem areas that you can drill into if you have
If you set the **Provisioning Status** to be **On** in the **Enterprise applications > \[Application Name\] >Provisioning** section of the Microsoft Entra admin center. However no other status details are shown on that page after subsequent reloads, it is likely that the service is running but has not completed an initial cycle yet. Check the **Provisioning logs (preview)** described above to determine what operations the service is performing, and if there are any errors. >[!NOTE]
->An initial cycle can take anywhere from 20 minutes to several hours, depending on the size of the Azure AD directory and the number of users in scope for provisioning. Subsequent syncs after the initial cycle are faster, as the provisioning service stores watermarks that represent the state of both systems after the initial cycle. The initial cycle improves performance of subsequent syncs.
+>An initial cycle can take anywhere from 20 minutes to several hours, depending on the size of the Microsoft Entra directory and the number of users in scope for provisioning. Subsequent syncs after the initial cycle are faster, as the provisioning service stores watermarks that represent the state of both systems after the initial cycle. The initial cycle improves performance of subsequent syncs.
>
If you set the **Provisioning Status** to be **On** in the **Enterprise applicat
When a user shows up as ΓÇ£skippedΓÇ¥ in the provisioning logs, it is important to review the **Steps** tab of the log to determine the reason. Below are common reasons and resolutions: - **A scoping filter has been configured** **that is filtering the user out based on an attribute value**. For more information on scoping filters, see [scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).-- **The user is ΓÇ£not effectively entitledΓÇ¥.** If you see this specific error message, it is because there is a problem with the user assignment record stored in Azure AD. To fix this issue, unassign the user (or group) from the app, and reassign it again. For more information on assignment, see [Assign user or group access](../manage-apps/assign-user-or-group-access-portal.md).-- **A required attribute is missing or not populated for a user.** An important thing to consider when setting up provisioning is to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Azure AD to the application. This configuration includes setting the ΓÇ£matching propertyΓÇ¥ that is used to uniquely identify and match users/groups between the two systems. For more information on this important process, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Azure Active Directory](customize-application-attributes.md).-- **Attribute mappings for groups:** Provisioning of the group name and group details, in addition to the members, if supported for some applications. You can enable or disable this functionality by enabling or disabling the **Mapping** for group objects shown in the **Provisioning** tab. If provisioning groups is enabled, be sure to review the attribute mappings to ensure an appropriate field is being used for the ΓÇ£matching IDΓÇ¥. The matching ID can be the display name or email alias. The group and its members are not provisioned if the matching property is empty or not populated for a group in Azure AD.
+- **The user is ΓÇ£not effectively entitledΓÇ¥.** If you see this specific error message, it is because there is a problem with the user assignment record stored in Microsoft Entra ID. To fix this issue, unassign the user (or group) from the app, and reassign it again. For more information on assignment, see [Assign user or group access](../manage-apps/assign-user-or-group-access-portal.md).
+- **A required attribute is missing or not populated for a user.** An important thing to consider when setting up provisioning is to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Microsoft Entra ID to the application. This configuration includes setting the ΓÇ£matching propertyΓÇ¥ that is used to uniquely identify and match users/groups between the two systems. For more information on this important process, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Microsoft Entra ID](customize-application-attributes.md).
+- **Attribute mappings for groups:** Provisioning of the group name and group details, in addition to the members, if supported for some applications. You can enable or disable this functionality by enabling or disabling the **Mapping** for group objects shown in the **Provisioning** tab. If provisioning groups is enabled, be sure to review the attribute mappings to ensure an appropriate field is being used for the ΓÇ£matching IDΓÇ¥. The matching ID can be the display name or email alias. The group and its members are not provisioned if the matching property is empty or not populated for a group in Microsoft Entra ID.
## Provisioning users assigned to the default access role The default role on an application from the gallery is called the "default access" role. Historically, users assigned to this role are not provisioned and are marked as skipped in the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) due to being "not effectively entitled."
For the next 3 months, the behavior will continue as it is today. Users with the
For questions about these changes, please reach out to provisioningfeedback@microsoft.com ## Next steps
-[Azure AD Connect sync: Understanding Declarative Provisioning](../hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning.md)
+[Microsoft Entra Connect Sync: Understanding Declarative Provisioning](../hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning.md)
active-directory Application Provisioning Config Problem Scim Compatibility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md
Title: Known issues with System for Cross-Domain Identity Management (SCIM) 2.0 protocol compliance
-description: How to solve common protocol compatibility issues faced when adding a non-gallery application that supports SCIM 2.0 to Azure AD
+description: How to solve common protocol compatibility issues faced when adding a non-gallery application that supports SCIM 2.0 to Microsoft Entra ID
-# Known issues and resolutions with SCIM 2.0 protocol compliance of the Azure AD User Provisioning service
+# Known issues and resolutions with SCIM 2.0 protocol compliance of the Microsoft Entra User Provisioning service
-Azure Active Directory (Azure AD) can automatically provision users and groups to any application or system that is fronted by a web service with the interface defined in the [System for Cross-Domain Identity Management (SCIM) 2.0 protocol specification](https://tools.ietf.org/html/draft-ietf-scim-api-19).
+Microsoft Entra ID can automatically provision users and groups to any application or system that is fronted by a web service with the interface defined in the [System for Cross-Domain Identity Management (SCIM) 2.0 protocol specification](https://tools.ietf.org/html/draft-ietf-scim-api-19).
-Azure AD's support for the SCIM 2.0 protocol is described in [Using System for Cross-Domain Identity Management (SCIM) to automatically provision users and groups from Azure Active Directory to applications](use-scim-to-provision-users-and-groups.md), which lists the specific parts of the protocol that it implements in order to automatically provision users and groups from Azure AD to applications that support SCIM 2.0.
+Microsoft Entra ID's support for the SCIM 2.0 protocol is described in [Using System for Cross-Domain Identity Management (SCIM) to automatically provision users and groups from Microsoft Entra ID to applications](use-scim-to-provision-users-and-groups.md), which lists the specific parts of the protocol that it implements in order to automatically provision users and groups from Microsoft Entra ID to applications that support SCIM 2.0.
-This article describes current and past issues with the Azure AD user provisioning service's adherence to the SCIM 2.0 protocol, and how to work around these issues.
+This article describes current and past issues with the Microsoft Entra user provisioning service's adherence to the SCIM 2.0 protocol, and how to work around these issues.
## Understanding the provisioning job The provisioning service uses the concept of a job to operate against an application. The jobID can be found in the [progress bar](application-provisioning-when-will-provisioning-finish-specific-user.md#view-the-provisioning-progress-bar). All new provisioning applications are created with a jobID starting with "scim". The scim job represents the current state of the service. Older jobs have the ID "customappsso". This job represents the state of the service in 2018.
In the table below, any item marked as fixed means that the proper behavior can
| **SCIM 2.0 compliance issue** | **Fixed?** | **Fix date** | **Backwards compatibility** | ||||
-| Azure AD requires "/scim" to be in the root of the application's SCIM endpoint URL | Yes | December 18, 2018 | downgrade to customappSSO |
+| Microsoft Entra ID requires "/scim" to be in the root of the application's SCIM endpoint URL | Yes | December 18, 2018 | downgrade to customappSSO |
| Extension attributes use dot "." notation before attribute names instead of colon ":" notation | Yes | December 18, 2018 | downgrade to customappSSO | | Patch requests for multi-value attributes contain invalid path filter syntax | Yes | December 18, 2018 | downgrade to customappSSO | | Group creation requests contain an invalid schema URI | Yes | December 18, 2018 | downgrade to customappSSO |
Following the steps below will delete your existing customappsso job and create
1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Locate and select your existing SCIM application. 1. In the **Properties** section of your existing SCIM app, copy the **Object ID**.
-1. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.
+1. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Microsoft Entra tenant where your app is added.
1. In the Graph Explorer, run the command below to locate the ID of your provisioning job. Replace "[object-id]" with the service principal ID (object ID) copied from the third step. `GET https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs`
Following the steps below will delete your existing customappsso job and create
1. In the **Create application** section, create a new **Non-gallery** application. 1. In the **Properties** section of your new custom app, copy the **Object ID**.
-1. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.
+1. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Microsoft Entra tenant where your app is added.
1. In the Graph Explorer, run the command below to initialize the provisioning configuration for your app. Replace "[object-id]" with the service principal ID (object ID) copied from the third step.
active-directory Application Provisioning Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-config-problem.md
Title: Problem configuring user provisioning to an Azure Active Directory Gallery app
-description: How to troubleshoot common issues faced when configuring user provisioning to an application already listed in the Azure Active Directory Application Gallery
+ Title: Problem configuring user provisioning to a Microsoft Entra Gallery app
+description: How to troubleshoot common issues faced when configuring user provisioning to an application already listed in the Microsoft Entra Application Gallery
-# Problem configuring user provisioning to an Azure AD Gallery application
+# Problem configuring user provisioning to a Microsoft Entra Gallery application
Configuring [automatic user provisioning](user-provisioning.md) for an app (where supported), requires that specific instructions be followed to prepare the application for automatic provisioning. Then you can use the Microsoft Entra admin center to configure the provisioning service to synchronize user accounts to the application.
-You should always start by finding the setup tutorial specific to setting up provisioning for your application. Then follow those steps to configure both the app and Azure AD to create the provisioning connection. A list of app tutorials can be found at [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](../saas-apps/tutorial-list.md).
+You should always start by finding the setup tutorial specific to setting up provisioning for your application. Then follow those steps to configure both the app and Microsoft Entra ID to create the provisioning connection. A list of app tutorials can be found at [List of Tutorials on How to Integrate SaaS Apps with Microsoft Entra ID](../saas-apps/tutorial-list.md).
## How to see if provisioning is working Once the service is configured, most insights into the operation of the service can be drawn from two places: -- **Provisioning logs (preview)** ΓÇô The [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) record all the operations performed by the provisioning service, including querying Azure AD for assigned users that are in scope for provisioning. Query the target app for the existence of those users, comparing the user objects between the system. Then add, update, or disable the user account in the target system based on the comparison. You can access the provisioning logs in the Microsoft Entra admin center by selecting **Identity** > **Applications** > **Enterprise applications** > **Provisioning logs** in the **Activity** section.
+- **Provisioning logs (preview)** ΓÇô The [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) record all the operations performed by the provisioning service, including querying Microsoft Entra ID for assigned users that are in scope for provisioning. Query the target app for the existence of those users, comparing the user objects between the system. Then add, update, or disable the user account in the target system based on the comparison. You can access the provisioning logs in the Microsoft Entra admin center by selecting **Identity** > **Applications** > **Enterprise applications** > **Provisioning logs** in the **Activity** section.
- **Current status ΓÇô** A summary of the last provisioning run for a given app can be seen in the **Identity** > **Applications** > **Enterprise applications** > \[Application Name\] > **Provisioning** section, at the bottom of the screen under the service settings. The Current Status section shows whether a provisioning cycle has started provisioning user accounts. You can watch the progress of the cycle, see how many users and groups have been provisioned, and see how many roles are created. If there are any errors, details can be found in the [Provisioning logs (../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
Below is a list of the general problem areas that you can drill into if you have
If you set the **Provisioning Status** to be **On** in the **Identity** > **Applications** > **Enterprise applications** > [Application Name\] > **Provisioning** section of the Microsoft Entra admin center. However no other status details are shown on that page after subsequent reloads. It is likely that the service is running but has not completed an initial cycle yet. Check the **Provisioning logs** described above to determine what operations the service is performing, and if there are any errors. >[!NOTE]
->An initial cycle can take anywhere from 20 minutes to several hours, depending on the size of the Azure AD directory and the number of users in scope for provisioning. Subsequent syncs after the initial cycle be faster, as the provisioning service stores watermarks that represent the state of both systems after the initial cycle, improving performance of subsequent syncs.
+>An initial cycle can take anywhere from 20 minutes to several hours, depending on the size of the Microsoft Entra directory and the number of users in scope for provisioning. Subsequent syncs after the initial cycle be faster, as the provisioning service stores watermarks that represent the state of both systems after the initial cycle, improving performance of subsequent syncs.
> > ## CanΓÇÖt save configuration due to app credentials not working
-In order for provisioning to work, Azure AD requires valid credentials that allow it to connect to a user management API provided by that app. If these credentials donΓÇÖt work, or you donΓÇÖt know what they are, review the tutorial for setting up this app, described previously.
+In order for provisioning to work, Microsoft Entra ID requires valid credentials that allow it to connect to a user management API provided by that app. If these credentials donΓÇÖt work, or you donΓÇÖt know what they are, review the tutorial for setting up this app, described previously.
## Provisioning logs say users are skipped and not provisioned even though they are assigned
When a user shows up as ΓÇ£skippedΓÇ¥ in the provisioning logs, it is very impor
- **A scoping filter has been configured** **that is filtering the user out based on an attribute value**. For more information, see [Attribute-based application provisioning with scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). -- **The user is ΓÇ£not effectively entitledΓÇ¥.** If you see this specific error message, it is because there is a problem with the user assignment record stored in Azure AD. To fix this issue, un-assign the user (or group) from the app, and re-assign it again. For more information, see [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md).
+- **The user is ΓÇ£not effectively entitledΓÇ¥.** If you see this specific error message, it is because there is a problem with the user assignment record stored in Microsoft Entra ID. To fix this issue, un-assign the user (or group) from the app, and re-assign it again. For more information, see [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md).
-- **A required attribute is missing or not populated for a user.** An important thing to consider when setting up provisioning be to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Azure AD to the application. This includes setting the ΓÇ£matching propertyΓÇ¥ that be used to uniquely identify and match users/groups between the two systems. For more information on this important process, see [Customizing user provisioning attribute-mappings](../app-provisioning/customize-application-attributes.md).
+- **A required attribute is missing or not populated for a user.** An important thing to consider when setting up provisioning be to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Microsoft Entra ID to the application. This includes setting the ΓÇ£matching propertyΓÇ¥ that be used to uniquely identify and match users/groups between the two systems. For more information on this important process, see [Customizing user provisioning attribute-mappings](../app-provisioning/customize-application-attributes.md).
- * **Attribute mappings for groups:** Provisioning of the group name and group details, in addition to the members, if supported for some applications. You can enable or disable this functionality by enabling or disabling the **Mapping** for group objects shown in the **Provisioning** tab. If provisioning groups is enabled, be sure to review the attribute mappings to ensure an appropriate field is being used for the ΓÇ£matching IDΓÇ¥. This can be the display name or email alias), as the group and its members not be provisioned if the matching property is empty or not populated for a group in Azure AD.
+ * **Attribute mappings for groups:** Provisioning of the group name and group details, in addition to the members, if supported for some applications. You can enable or disable this functionality by enabling or disabling the **Mapping** for group objects shown in the **Provisioning** tab. If provisioning groups is enabled, be sure to review the attribute mappings to ensure an appropriate field is being used for the ΓÇ£matching IDΓÇ¥. This can be the display name or email alias), as the group and its members not be provisioned if the matching property is empty or not populated for a group in Microsoft Entra ID.
## Next steps
-[Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory](user-provisioning.md)
+[Automate User Provisioning and Deprovisioning to SaaS Applications with Microsoft Entra ID](user-provisioning.md)
active-directory Application Provisioning Configuration Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-configuration-api.md
The Microsoft Entra admin center is a convenient way to configure provisioning f
### Sign in to Microsoft Graph Explorer (recommended), Postman, or any other API client you use 1. Start [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
-1. Select the "Sign-In with Microsoft" button and sign in using Azure AD global administrator or App Admin credentials.
+1. Select the "Sign-In with Microsoft" button and sign in using Microsoft Entra Global Administrator or App Admin credentials.
1. Upon successful sign-in, you'll see the user account details in the left-hand pane. ### Retrieve the gallery application template identifier
-Applications in the Azure AD application gallery each have an [application template](/graph/api/applicationtemplate-list?tabs=http&view=graph-rest-beta&preserve-view=true) that describes the metadata for that application. Using this template, you can create an instance of the application and service principal in your tenant for management. Retrieve the identifier of the application template for **AWS Single-Account Access** and from the response, record the value of the **id** property to use later in this tutorial.
+Applications in the Microsoft Entra application gallery each have an [application template](/graph/api/applicationtemplate-list?tabs=http&view=graph-rest-beta&preserve-view=true) that describes the metadata for that application. Using this template, you can create an instance of the application and service principal in your tenant for management. Retrieve the identifier of the application template for **AWS Single-Account Access** and from the response, record the value of the **id** property to use later in this tutorial.
#### Request
HTTP/1.1 204 No Content
### Save your credentials
-Configuring provisioning requires establishing a trust between Azure AD and the application. Authorize access to the third-party application. The following example is for an application that requires a client secret and a secret token. Each application has its own requirements. Review the [API documentation](/graph/api/synchronization-synchronizationjob-validatecredentials?tabs=http&view=graph-rest-beta&preserve-view=true) to see the available options.
+Configuring provisioning requires establishing a trust between Microsoft Entra ID and the application. Authorize access to the third-party application. The following example is for an application that requires a client secret and a secret token. Each application has its own requirements. Review the [API documentation](/graph/api/synchronization-synchronizationjob-validatecredentials?tabs=http&view=graph-rest-beta&preserve-view=true) to see the available options.
#### Request ```msgraph-interactive
Content-type: application/json
## See also - [Review the synchronization Microsoft Graph documentation](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)-- [Integrating a custom SCIM app with Azure AD](./use-scim-to-provision-users-and-groups.md)
+- [Integrating a custom SCIM app with Microsoft Entra ID](./use-scim-to-provision-users-and-groups.md)
active-directory Application Provisioning Log Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-log-analytics.md
Title: Understand how Provisioning integrates with Azure Monitor logs in Azure Active Directory.
-description: Understand how Provisioning integrates with Azure Monitor logs in Azure Active Directory.
+ Title: Understand how Provisioning integrates with Azure Monitor logs in Microsoft Entra ID.
+description: Understand how Provisioning integrates with Azure Monitor logs in Microsoft Entra ID.
We're taking an open source and community-based approach to application provisio
- [Log analytics](../reports-monitoring/howto-analyze-activity-logs-log-analytics.md) - [Get started with queries in Azure Monitor logs](../../azure-monitor/logs/get-started-queries.md) - [Create and manage alert groups in the Azure portal](../../azure-monitor/alerts/action-groups.md)-- [Install and use the log analytics views for Azure Active Directory](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md)
+- [Install and use the log analytics views for Microsoft Entra ID](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md)
- [Provisioning logs API](/graph/api/resources/provisioningobjectsummary?preserve-view=true&view=graph-rest-beta)
active-directory Application Provisioning Quarantine Status https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-quarantine-status.md
Title: Quarantine status in Azure Active Directory Application Provisioning
+ Title: Quarantine status in Microsoft Entra Application Provisioning
description: When you've configured an application for automatic user provisioning, learn what a provisioning status of Quarantine means and how to clear it.
# Application provisioning in quarantine status
-The Azure AD provisioning service monitors the health of your configuration. It also places unhealthy apps in a "quarantine" state. If most, or all, of the calls made against the target system consistently fail then the provisioning job is marked as in quarantine. An example of a failure is an error received because of invalid admin credentials.
+The Microsoft Entra provisioning service monitors the health of your configuration. It also places unhealthy apps in a "quarantine" state. If most, or all, of the calls made against the target system consistently fail then the provisioning job is marked as in quarantine. An example of a failure is an error received because of invalid admin credentials.
While in quarantine: - The frequency of incremental cycles is gradually reduced to once per day.
Below are the common reasons your application may go into quarantine
|Description|Recommended Action| |||
-|**SCIM Compliance issue:** An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. In this case, the Azure AD provisioning service has made a request to the target application and received an unexpected response.|Check the admin credentials section. See if the application requires specifying the tenant URL and that the URL is correct. If you don't see an issue, contact the application developer to ensure that their service is SCIM-compliant. https://tools.ietf.org/html/rfc7644#section-3.4.2 |
+|**SCIM Compliance issue:** An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. In this case, the Microsoft Entra provisioning service has made a request to the target application and received an unexpected response.|Check the admin credentials section. See if the application requires specifying the tenant URL and that the URL is correct. If you don't see an issue, contact the application developer to ensure that their service is SCIM-compliant. https://tools.ietf.org/html/rfc7644#section-3.4.2 |
|**Invalid credentials:** When attempting to authorize, access to the target application, we received a response from the target application that indicates the credentials provided are invalid.|Navigate to the admin credentials section of the provisioning configuration UI and authorize access again with valid credentials. If the application is in the gallery, review the application configuration tutorial for anymore required steps.| |**Duplicate roles:** Roles imported from certain applications like Salesforce and Zendesk must be unique. |Navigate to the application [manifest](../develop/reference-app-manifest.md) in the Microsoft Entra admin center and remove the duplicate role.|
If any of the retries above gets a successful response, the job is automatically
First, resolve the issue that caused the application to be placed in quarantine. -- Check the application's provisioning settings to make sure you've [entered valid Admin Credentials](../app-provisioning/configure-automatic-user-provisioning-portal.md#configuring-automatic-user-account-provisioning). Azure AD must establish a trust with the target application. Ensure that you have entered valid credentials and your account has the necessary permissions.
+- Check the application's provisioning settings to make sure you've [entered valid Admin Credentials](../app-provisioning/configure-automatic-user-provisioning-portal.md#configuring-automatic-user-account-provisioning). Microsoft Entra ID must establish a trust with the target application. Ensure that you have entered valid credentials and your account has the necessary permissions.
-- Review the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to further investigate what errors are causing quarantine and address the error. Go to **Azure Active Directory** > **Enterprise Apps** > **Provisioning logs (preview)** in the **Activity** section.
+- Review the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to further investigate what errors are causing quarantine and address the error. Go to **Microsoft Entra ID** > **Enterprise Apps** > **Provisioning logs (preview)** in the **Activity** section.
After you've resolved the issue, restart the provisioning job. Certain changes to the application's provisioning settings, such as attribute mappings or scoping filters, will automatically restart provisioning for you. The progress bar on the application's **Provisioning** page indicates when provisioning last started. If you need to restart the provisioning job manually, use one of the following methods:
active-directory Application Provisioning When Will Provisioning Finish Specific User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md
Title: Find out when a specific user is able to access an app in Azure Active Directory Application Provisioning
-description: How to find out when a critically important user is able to access an application you have configured for user provisioning with Azure Active Directory.
+ Title: Find out when a specific user is able to access an app in Microsoft Entra Application Provisioning
+description: How to find out when a critically important user is able to access an application you have configured for user provisioning with Microsoft Entra ID.
# Check the status of user provisioning
-The Azure AD provisioning service runs an initial provisioning cycle against the source system and target system, followed by periodic incremental cycles. When you configure provisioning for an app, you can check the current status of the provisioning service and see when a user is able to access an app.
+The Microsoft Entra provisioning service runs an initial provisioning cycle against the source system and target system, followed by periodic incremental cycles. When you configure provisioning for an app, you can check the current status of the provisioning service and see when a user is able to access an app.
## View the provisioning progress bar
- On the **Provisioning** page for an app, you can view the status of the Azure AD provisioning service. The **Current Status** section at the bottom of the page shows whether a provisioning cycle has started provisioning user accounts. You can watch the progress of the cycle, see how many users and groups have been provisioned, and see how many roles are created.
+ On the **Provisioning** page for an app, you can view the status of the Microsoft Entra provisioning service. The **Current Status** section at the bottom of the page shows whether a provisioning cycle has started provisioning user accounts. You can watch the progress of the cycle, see how many users and groups have been provisioned, and see how many roles are created.
When you first configure automatic provisioning, the **Current Status** section at the bottom of the page shows the status of the initial provisioning cycle. This section updates each time an incremental cycle is run. The following details are shown: - The type of provisioning cycle (initial or incremental) that is currently running or was last completed. - A **progress bar** showing the percentage of the provisioning cycle that has completed. The percentage reflects the count of pages provisioned. Each page could contain multiple users or groups, so the percentage doesn't directly correlate to the number of users, groups, or roles provisioned. - A **Refresh** button you can use to keep the view updated. - The number of **Users** and **Groups** in the connector data store. The count increases anytime an object is added to the scope of provisioning. The count doesn't go down if a user is soft-deleted or hard-deleted because the operation doesn't remove the object from the connector data store. The count is recalculated the first sync after the CDS is [reset](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true) -- A **View Audit Logs** link, which opens the Azure AD provisioning logs. To learn more about operations run by the user provisioning service, including provisioning status for individual users, see [Use provisioning logs](#use-provisioning-logs-to-check-a-users-provisioning-status) later in the article.
+- A **View Audit Logs** link, which opens the Microsoft Entra provisioning logs. To learn more about operations run by the user provisioning service, including provisioning status for individual users, see [Use provisioning logs](#use-provisioning-logs-to-check-a-users-provisioning-status) later in the article.
After a provisioning cycle is complete, the **Statistics to date** section shows the cumulative numbers of users and groups that have been provisioned to date, along with the completion date and duration of the last cycle. The **Activity ID** uniquely identifies the most recent provisioning cycle. The **Job ID** is a unique identifier for the provisioning job, and is specific to the app in your tenant.
The provisioning progress is viewed in the Microsoft Entra admin center at **Ide
## Use provisioning logs to check a user's provisioning status
-To see the provisioning status for a selected user, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Azure AD. All operations run by the user provisioning service are recorded in the Azure AD provisioning logs. The logs include read and write operations made to the source and target systems. Associated user data related to read and write operations is also logged.
+To see the provisioning status for a selected user, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Microsoft Entra ID. All operations run by the user provisioning service are recorded in the Microsoft Entra provisioning logs. The logs include read and write operations made to the source and target systems. Associated user data related to read and write operations is also logged.
You can access the provisioning logs in the Microsoft Entra admin center by selecting **Identity** > **Applications** > **Enterprise applications** > **Provisioning logs** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). The provisioning logs record all the operations performed by the provisioning service, including:
-* Querying Azure AD for assigned users that are in scope for provisioning
+* Querying Microsoft Entra ID for assigned users that are in scope for provisioning
* Querying the target app for the existence of those users * Comparing the user objects between the system * Adding, updating, or disabling the user account in the target system based on the comparison
The provisioning logs record all the operations performed by the provisioning se
For more information on how to read the provisioning logs in the Microsoft Entra admin center, see [provisioning reporting guide](check-status-user-account-provisioning.md). ## How long will it take to provision users?
-When you're using automatic user provisioning with an application, there are some things to keep in mind. First, Azure AD automatically provisions and updates user accounts in an app based on things like [user and group assignment](../manage-apps/assign-user-or-group-access-portal.md). The sync happens at a regularly scheduled time interval, typically every 40 minutes.
+When you're using automatic user provisioning with an application, there are some things to keep in mind. First, Microsoft Entra ID automatically provisions and updates user accounts in an app based on things like [user and group assignment](../manage-apps/assign-user-or-group-access-portal.md). The sync happens at a regularly scheduled time interval, typically every 40 minutes.
The time it takes for a given user to be provisioned depends mainly on whether your provisioning job is running an initial cycle or an incremental cycle. -- For **initial cycle**, the job time depends on many factors, including the number of users and groups in scope for provisioning, and the total number of users and group in the source system. The first sync between Azure AD and an app happen as fast as 20 minutes or take as long as several hours. The time depends on the size of the Azure AD directory and the number of users in scope for provisioning. A comprehensive list of factors that affect initial cycle performance are summarized later in this section.
+- For **initial cycle**, the job time depends on many factors, including the number of users and groups in scope for provisioning, and the total number of users and group in the source system. The first sync between Microsoft Entra ID and an app happen as fast as 20 minutes or take as long as several hours. The time depends on the size of the Microsoft Entra directory and the number of users in scope for provisioning. A comprehensive list of factors that affect initial cycle performance are summarized later in this section.
- For **incremental cycles**, after the initial cycle, job times tend to be faster (within 10 minutes), as the provisioning service stores watermarks that represent the state of both systems after the initial cycle, improving performance of subsequent syncs. The job time depends on the number of changes detected in that provisioning cycle. If there are fewer than 5,000 user or group membership changes, the job can finish within a single incremental provisioning cycle.
-The following table summarizes synchronization times for common provisioning scenarios. In these scenarios, the source system is Azure AD and the target system is a SaaS application. The sync times are derived from a statistical analysis of sync jobs for the SaaS applications ServiceNow, Workplace, Salesforce, and G Suite.
+The following table summarizes synchronization times for common provisioning scenarios. In these scenarios, the source system is Microsoft Entra ID and the target system is a SaaS application. The sync times are derived from a statistical analysis of sync jobs for the SaaS applications ServiceNow, Workplace, Salesforce, and G Suite.
| Scope configuration | Users, groups, and members in scope | Initial cycle time |
The following table summarizes synchronization times for common provisioning sce
| Sync assigned users and groups only | < 1,000 | < 30 minutes | | Sync assigned users and groups only | 1,000 - 10,000 | 142 - 708 minutes | | Sync assigned users and groups only | 10,000 - 100,000 | 1,170 - 2,340 minutes |
-| Sync all users and groups in Azure AD | < 1,000 | < 30 minutes |
-| Sync all users and groups in Azure AD | 1,000 - 10,000 | < 30 - 120 minutes |
-| Sync all users and groups in Azure AD | 10,000 - 100,000 | 713 - 1,425 minutes |
-| Sync all users in Azure AD| < 1,000 | < 30 minutes |
-| Sync all users in Azure AD | 1,000 - 10,000 | 43 - 86 minutes |
+| Sync all users and groups in Microsoft Entra ID | < 1,000 | < 30 minutes |
+| Sync all users and groups in Microsoft Entra ID | 1,000 - 10,000 | < 30 - 120 minutes |
+| Sync all users and groups in Microsoft Entra ID | 10,000 - 100,000 | 713 - 1,425 minutes |
+| Sync all users in Microsoft Entra ID| < 1,000 | < 30 minutes |
+| Sync all users in Microsoft Entra ID | 1,000 - 10,000 | 43 - 86 minutes |
For the configuration **Sync assigned user and groups only**, you can use the following formulas to determine the approximate minimum and maximum expected **initial cycle** times:
Summary of factors that influence the time it takes to complete an **initial cyc
- The total number of users and groups in scope for provisioning. -- The total number of users, groups, and group members present in the source system (Azure AD).
+- The total number of users, groups, and group members present in the source system (Microsoft Entra ID).
- Whether users in scope for provisioning are matched to existing users in the target application, or need to be created for the first time. Sync jobs for which all users are created for the first time take about *twice as long* as sync jobs for which all users are matched to existing users.
Summary of factors that influence the time it takes to complete an **initial cyc
- The number and sizes of assigned groups. Syncing assigned groups takes longer than syncing users. Both the number and the sizes of the assigned groups impact performance. If an application has [mappings enabled for group object sync](customize-application-attributes.md#editing-group-attribute-mappings), group properties such as group names and memberships are synced in addition to users. These syncs take longer than only syncing user objects. -- If performance becomes an issue, and you're attempting to provision most users and groups in your tenant, then use scoping filters. Scoping filters allow you to fine tune the data that the provisioning service extracts from Azure AD by filtering out users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
+- If performance becomes an issue, and you're attempting to provision most users and groups in your tenant, then use scoping filters. Scoping filters allow you to fine tune the data that the provisioning service extracts from Microsoft Entra ID by filtering out users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
In most cases, the **incremental cycle** completes in 30 minutes. However, when there are hundreds or thousands of user changes or group membership changes, the incremental cycle time will increase proportionally with the number of changes to process and can take several hours. Using **sync assigned users and groups** and minimizing the number of users / groups in scope for provisioning will help to reduce the sync time. ## Next steps
-[Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](user-provisioning.md)
+[Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](user-provisioning.md)
active-directory Check Status User Account Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/check-status-user-account-provisioning.md
Title: Report automatic user account provisioning from Azure Active Directory to Software as a Service (SaaS) applications
+ Title: Report automatic user account provisioning from Microsoft Entra ID to Software as a Service (SaaS) applications
description: 'Learn how to check the status of automatic user account provisioning jobs, and how to troubleshoot the provisioning of individual users.'
# Tutorial: Reporting on automatic user account provisioning
-Azure Active Directory (Azure AD) includes a [user account provisioning service](user-provisioning.md). The service helps automate the provisioning deprovisioning of user accounts in SaaS apps and other systems. The automation helps with end-to-end identity lifecycle management. Azure AD supports preintegrated user provisioning connectors for many applications and systems. To learn more about user provisioning tutorials, see [Provisioning Tutorials](../saas-apps/tutorial-list.md).
+Microsoft Entra ID includes a [user account provisioning service](user-provisioning.md). The service helps automate the provisioning deprovisioning of user accounts in SaaS apps and other systems. The automation helps with end-to-end identity lifecycle management. Microsoft Entra ID supports preintegrated user provisioning connectors for many applications and systems. To learn more about user provisioning tutorials, see [Provisioning Tutorials](../saas-apps/tutorial-list.md).
This article describes how to check the status of provisioning jobs after they have been set up, and how to troubleshoot the provisioning of individual users and groups.
Provisioning connectors are set up and configured using the [Microsoft Entra adm
This article uses the following terms:
-* **Source System** - The repository of users that the Azure AD provisioning service synchronizes from. Azure Active Directory is the source system for most preintegrated provisioning connectors, however there are some exceptions (example: Workday Inbound Synchronization).
-* **Target System** - The repository of users where the Azure AD provisioning service synchronizes. The repository is typically a SaaS application, such as Salesforce, ServiceNow, G Suite, and Dropbox for Business. In some cases the repository can be an on-premises system such as Active Directory, such as Workday Inbound Synchronization to Active Directory.
+* **Source System** - The repository of users that the Microsoft Entra provisioning service synchronizes from. Microsoft Entra ID is the source system for most preintegrated provisioning connectors, however there are some exceptions (example: Workday Inbound Synchronization).
+* **Target System** - The repository of users where the Microsoft Entra provisioning service synchronizes. The repository is typically a SaaS application, such as Salesforce, ServiceNow, G Suite, and Dropbox for Business. In some cases the repository can be an on-premises system such as Active Directory, such as Workday Inbound Synchronization to Active Directory.
## Getting provisioning reports from the Microsoft Entra admin center
The **Current Status** should be the first place admins look to check on the ope
## Provisioning logs
-All activities performed by the provisioning service are recorded in the Azure AD [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). You can access the provisioning logs in the Microsoft Entra admin center. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
+All activities performed by the provisioning service are recorded in the Microsoft Entra [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). You can access the provisioning logs in the Microsoft Entra admin center. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
## Troubleshooting
For scenario-based guidance on how to troubleshoot automatic user provisioning,
## Next steps - [Managing user account provisioning for Enterprise Apps](configure-automatic-user-provisioning-portal.md)-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+- [What is application access and single sign-on with Microsoft Entra ID?](../manage-apps/what-is-single-sign-on.md)
active-directory Configure Automatic User Provisioning Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/configure-automatic-user-provisioning-portal.md
Title: User provisioning management for enterprise apps in Azure Active Directory
-description: Learn how to manage user account provisioning for enterprise apps using the Azure Active Directory.
+ Title: User provisioning management for enterprise apps in Microsoft Entra ID
+description: Learn how to manage user account provisioning for enterprise apps using the Microsoft Entra ID.
# Managing user account provisioning for enterprise apps in the Microsoft Entra admin center
-This article describes the general steps for managing automatic user account provisioning and deprovisioning for applications that support it. *User account provisioning* is the act of creating, updating, and/or disabling user account records in an applicationΓÇÖs local user profile store. Most cloud and SaaS applications store the role and permissions in the user's own local user profile store. The presence of such a user record in the user's local store is *required* for single sign-on and access to work. To learn more about automatic user account provisioning, see [Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory](user-provisioning.md).
+This article describes the general steps for managing automatic user account provisioning and deprovisioning for applications that support it. *User account provisioning* is the act of creating, updating, and/or disabling user account records in an applicationΓÇÖs local user profile store. Most cloud and SaaS applications store the role and permissions in the user's own local user profile store. The presence of such a user record in the user's local store is *required* for single sign-on and access to work. To learn more about automatic user account provisioning, see [Automate User Provisioning and Deprovisioning to SaaS Applications with Microsoft Entra ID](user-provisioning.md).
> [!IMPORTANT]
-> Azure Active Directory (Azure AD) has a gallery that contains thousands of pre-integrated applications that are enabled for automatic provisioning with Azure AD. You should start by finding the provisioning setup tutorial specific to your application in the [List of tutorials on how to integrate SaaS apps with Azure Active Directory](../saas-apps/tutorial-list.md). You'll likely find step-by-step guidance for configuring both the app and Azure AD to create the provisioning connection.
+> Microsoft Entra ID has a gallery that contains thousands of pre-integrated applications that are enabled for automatic provisioning with Microsoft Entra ID. You should start by finding the provisioning setup tutorial specific to your application in the [List of tutorials on how to integrate SaaS apps with Microsoft Entra ID](../saas-apps/tutorial-list.md). You'll likely find step-by-step guidance for configuring both the app and Microsoft Entra ID to create the provisioning connection.
## Finding your apps in the portal
Use the Microsoft Entra admin center to view and manage all applications that ar
The **Provisioning** pane begins with a **Mode** menu, which shows the provisioning modes supported for an enterprise application, and lets you configure them. The available options include:
-* **Automatic** - This option is shown if Azure AD supports automatic API-based provisioning or deprovisioning of user accounts to this application. Select this mode to display an interface that helps administrators:
+* **Automatic** - This option is shown if Microsoft Entra ID supports automatic API-based provisioning or deprovisioning of user accounts to this application. Select this mode to display an interface that helps administrators:
- * Configure Azure AD to connect to the application's user management API
- * Create account mappings and workflows that define how user account data should flow between Azure AD and the app
- * Manage the Azure AD provisioning service
+ * Configure Microsoft Entra ID to connect to the application's user management API
+ * Create account mappings and workflows that define how user account data should flow between Microsoft Entra ID and the app
+ * Manage the Microsoft Entra provisioning service
-* **Manual** - This option is shown if Azure AD doesn't support automatic provisioning of user accounts to this application. In this case, user account records stored in the application must be managed using an external process, based on the user management and provisioning capabilities provided by that application (which can include SAML Just-In-Time provisioning).
+* **Manual** - This option is shown if Microsoft Entra ID doesn't support automatic provisioning of user accounts to this application. In this case, user account records stored in the application must be managed using an external process, based on the user management and provisioning capabilities provided by that application (which can include SAML Just-In-Time provisioning).
## Configuring automatic user account provisioning
Select the **Automatic** option to specify settings for admin credentials, mappi
### Admin Credentials
-Expand **Admin Credentials** to enter the credentials required for Azure AD to connect to the application's user management API. The input required varies depending on the application. To learn about the credential types and requirements for specific applications, see the [configuration tutorial for that specific application](user-provisioning.md).
+Expand **Admin Credentials** to enter the credentials required for Microsoft Entra ID to connect to the application's user management API. The input required varies depending on the application. To learn about the credential types and requirements for specific applications, see the [configuration tutorial for that specific application](user-provisioning.md).
-Select **Test Connection** to test the credentials by having Azure AD attempt to connect to the app's provisioning app using the supplied credentials.
+Select **Test Connection** to test the credentials by having Microsoft Entra ID attempt to connect to the app's provisioning app using the supplied credentials.
### Mappings
-Expand **Mappings** to view and edit the user attributes that flow between Azure AD and the target application when user accounts are provisioned or updated.
+Expand **Mappings** to view and edit the user attributes that flow between Microsoft Entra ID and the target application when user accounts are provisioned or updated.
-There's a preconfigured set of mappings between Azure AD user objects and each SaaS appΓÇÖs user objects. Some apps also manage group objects. Select a mapping in the table to open the mapping editor, where you can view and customize them.
+There's a preconfigured set of mappings between Microsoft Entra user objects and each SaaS appΓÇÖs user objects. Some apps also manage group objects. Select a mapping in the table to open the mapping editor, where you can view and customize them.
Supported customizations include:
-* Enabling and disabling mappings for specific objects, such as the Azure AD user object to the SaaS app's user object.
-* Editing the attributes that flow from the Azure AD user object to the app's user object. For more information on attribute mapping, see [Understanding attribute mapping types](customize-application-attributes.md#understanding-attribute-mapping-types).
-* Filtering the provisioning actions that Azure AD runs on the targeted application. Instead of having Azure AD fully synchronize objects, you can limit the actions run.
+* Enabling and disabling mappings for specific objects, such as the Microsoft Entra user object to the SaaS app's user object.
+* Editing the attributes that flow from the Microsoft Entra user object to the app's user object. For more information on attribute mapping, see [Understanding attribute mapping types](customize-application-attributes.md#understanding-attribute-mapping-types).
+* Filtering the provisioning actions that Microsoft Entra ID runs on the targeted application. Instead of having Microsoft Entra ID fully synchronize objects, you can limit the actions run.
- For example, only select **Update** and Azure AD only updates existing user accounts in an application but doesn't create new ones. Only select **Create** and Azure only creates new user accounts but doesn't update existing ones. This feature lets admins create different mappings for account creation and update workflows.
+ For example, only select **Update** and Microsoft Entra-only updates existing user accounts in an application but doesn't create new ones. Only select **Create** and Azure only creates new user accounts but doesn't update existing ones. This feature lets admins create different mappings for account creation and update workflows.
* Adding a new attribute mapping. Select **Add New Mapping** at the bottom of the **Attribute Mapping** pane. Fill out the **Edit Attribute** form and select **Ok** to add the new mapping to the list.
Expand **Settings** to set an email address to receive notifications and whether
### Provisioning Status
-If provisioning is being enabled for the first time for an application, turn on the service by changing the **Provisioning Status** to **On**. This change causes the Azure AD provisioning service to run an initial cycle. It reads the users assigned in the **Users and groups** section, queries the target application for them, and then runs the provisioning actions defined in the Azure AD **Mappings** section. During this process, the provisioning service stores cached data about what user accounts it's managing. The service stores cached data so nonmanaged accounts inside the target applications that were never in scope for assignment aren't affected in deprovisioning operations. After the initial cycle, the provisioning service automatically synchronizes user and group objects on a forty-minute interval.
+If provisioning is being enabled for the first time for an application, turn on the service by changing the **Provisioning Status** to **On**. This change causes the Microsoft Entra provisioning service to run an initial cycle. It reads the users assigned in the **Users and groups** section, queries the target application for them, and then runs the provisioning actions defined in the Microsoft Entra ID **Mappings** section. During this process, the provisioning service stores cached data about what user accounts it's managing. The service stores cached data so nonmanaged accounts inside the target applications that were never in scope for assignment aren't affected in deprovisioning operations. After the initial cycle, the provisioning service automatically synchronizes user and group objects on a forty-minute interval.
Change the **Provisioning Status** to **Off** to pause the provisioning service. In this state, Azure doesn't create, update, or remove any user or group objects in the app. Change the state back to **On** and the service picks up where it left off.
active-directory Customize Application Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md
Title: Tutorial - Customize Azure Active Directory attribute mappings in Application Provisioning
-description: Learn about attribute mappings for Software as a Service (SaaS) apps in Azure Active Directory Application Provisioning. Learn what attributes are and how you can modify them to address your business needs.
+ Title: Tutorial - Customize Microsoft Entra attribute mappings in Application Provisioning
+description: Learn about attribute mappings for Software as a Service (SaaS) apps in Microsoft Entra Application Provisioning. Learn what attributes are and how you can modify them to address your business needs.
-# Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory
+# Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID
-Microsoft Azure AD provides support for user provisioning to third-party SaaS applications such as Salesforce, G Suite and others. If you enable user provisioning for a third-party SaaS application, the Microsoft Entra admin center controls its attribute values through attribute-mappings.
+Microsoft Entra ID provides support for user provisioning to third-party SaaS applications such as Salesforce, G Suite and others. If you enable user provisioning for a third-party SaaS application, the Microsoft Entra admin center controls its attribute values through attribute-mappings.
Before you get started, make sure you're familiar with app management and **single sign-on (SSO)** concepts. Check out the following links:-- [Quickstart Series on App Management in Azure AD](../manage-apps/view-applications-portal.md)
+- [Quickstart Series on App Management in Microsoft Entra ID](../manage-apps/view-applications-portal.md)
- [What is single sign-on (SSO)?](../manage-apps/what-is-single-sign-on.md)
-There's a preconfigured set of attributes and attribute-mappings between Azure AD user objects and each SaaS app's user objects. Some apps manage other types of objects along with Users, such as Groups.
+There's a preconfigured set of attributes and attribute-mappings between Microsoft Entra user objects and each SaaS app's user objects. Some apps manage other types of objects along with Users, such as Groups.
You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings.
Follow these steps to access the **Mappings** feature of user provisioning:
1. A list of all configured apps is shown, including apps that were added from the gallery. 1. Select any app to load its app management pane, where you can view reports and manage app settings. 1. Select **Provisioning** to manage user account provisioning settings for the selected app.
-1. Expand **Mappings** to view and edit the user attributes that flow between Azure AD and the target application. If the target application supports it, this section lets you optionally configure provisioning of groups and user accounts.
+1. Expand **Mappings** to view and edit the user attributes that flow between Microsoft Entra ID and the target application. If the target application supports it, this section lets you optionally configure provisioning of groups and user accounts.
![Use Mappings to view and edit user attributes](./media/customize-application-attributes/21.png)
Follow these steps to access the **Mappings** feature of user provisioning:
![Use Attribute Mapping to configure attribute mappings for apps](./media/customize-application-attributes/22.png)
- In this screenshot, you can see that the **Username** attribute of a managed object in Salesforce is populated with the **userPrincipalName** value of the linked Azure Active Directory Object.
+ In this screenshot, you can see that the **Username** attribute of a managed object in Salesforce is populated with the **userPrincipalName** value of the linked Microsoft Entra Object.
> [!NOTE] > Clearing **Create** doesn't affect existing users. If **Create** isn't selected, you can't create new users.
-1. Select an existing **Attribute Mapping** to open the **Edit Attribute** screen. Here you can edit the user attributes that flow between Azure AD and the target application.
+1. Select an existing **Attribute Mapping** to open the **Edit Attribute** screen. Here you can edit the user attributes that flow between Microsoft Entra ID and the target application.
![Use Edit Attribute to edit user attributes](./media/customize-application-attributes/23.png)
Follow these steps to access the **Mappings** feature of user provisioning:
With attribute-mappings, you control how attributes are populated in a third-party SaaS application. There are four different mapping types supported: -- **Direct** ΓÇô the target attribute is populated with the value of an attribute of the linked object in Azure AD.
+- **Direct** ΓÇô the target attribute is populated with the value of an attribute of the linked object in Microsoft Entra ID.
- **Constant** ΓÇô the target attribute is populated with a specific string you specified.-- **Expression** - the target attribute is populated based on the result of a script-like expression. For more information about expressions, see [Writing Expressions for Attribute-Mappings in Azure Active Directory](../app-provisioning/functions-for-customizing-application-data.md).
+- **Expression** - the target attribute is populated based on the result of a script-like expression. For more information about expressions, see [Writing Expressions for Attribute-Mappings in Microsoft Entra ID](../app-provisioning/functions-for-customizing-application-data.md).
- **None** - the target attribute is left unmodified. However, if the target attribute is ever empty, it's populated with the Default value that you specify.
-Along with these four basic types, custom attribute-mappings support the concept of an optional **default** value assignment. The default value assignment ensures that a target attribute is populated with a value if there's not a value in Azure AD or on the target object. The most common configuration is to leave this blank.
+Along with these four basic types, custom attribute-mappings support the concept of an optional **default** value assignment. The default value assignment ensures that a target attribute is populated with a value if there's not a value in Microsoft Entra ID or on the target object. The most common configuration is to leave this blank.
### Understanding attribute-mapping properties In the previous section, you were introduced to the attribute-mapping type property. Along with this property, attribute-mappings also supports the attributes: -- **Source attribute** - The user attribute from the source system (example: Azure Active Directory).
+- **Source attribute** - The user attribute from the source system (example: Microsoft Entra ID).
- **Target attribute** ΓÇô The user attribute in the target system (example: ServiceNow).-- **Default value if null (optional)** - The value that is passed to the target system if the source attribute is null. This value is only provisioned when a user is created. The "default value when null" isn't provisioned when updating an existing user. For example, add a default value for job title, when creating a user, with the expression: `Switch(IsPresent([jobTitle]), "DefaultValue", "True", [jobTitle])`. For more information about expressions, see [Reference for writing expressions for attribute mappings in Azure Active Directory](../app-provisioning/functions-for-customizing-application-data.md).-- **Match objects using this attribute** ΓÇô Whether this mapping should be used to uniquely identify users between the source and target systems. It's typically set on the userPrincipalName or mail attribute in Azure AD, which is typically mapped to a username field in a target application.
+- **Default value if null (optional)** - The value that is passed to the target system if the source attribute is null. This value is only provisioned when a user is created. The "default value when null" isn't provisioned when updating an existing user. For example, add a default value for job title, when creating a user, with the expression: `Switch(IsPresent([jobTitle]), "DefaultValue", "True", [jobTitle])`. For more information about expressions, see [Reference for writing expressions for attribute mappings in Microsoft Entra ID](../app-provisioning/functions-for-customizing-application-data.md).
+- **Match objects using this attribute** ΓÇô Whether this mapping should be used to uniquely identify users between the source and target systems. It's typically set on the userPrincipalName or mail attribute in Microsoft Entra ID, which is typically mapped to a username field in a target application.
- **Matching precedence** ΓÇô Multiple matching attributes can be set. When there are multiple, they're evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated. While you can set as many matching attributes as you would like, consider whether the attributes you're using as matching attributes are truly unique and need to be matching attributes. Generally customers have one or two matching attributes in their configuration. - **Apply this mapping** - **Always** ΓÇô Apply this mapping on both user creation and update actions. - **Only during creation** - Apply this mapping only on user creation actions. ## Matching users in the source and target systems
-The Azure AD provisioning service can be deployed in both "green field" scenarios (where users don't exist in the target system) and "brownfield" scenarios (where users already exist in the target system). To support both scenarios, the provisioning service uses the concept of matching attributes. Matching attributes allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
+The Microsoft Entra provisioning service can be deployed in both "green field" scenarios (where users don't exist in the target system) and "brownfield" scenarios (where users already exist in the target system). To support both scenarios, the provisioning service uses the concept of matching attributes. Matching attributes allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
- **Matching attributes should be unique:** Customers often use attributes such as userPrincipalName, mail, or object ID as the matching attribute. - **Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they're evaluated (defined as matching precedence in the UI). If for example, you define three attributes as matching attributes, and a user is uniquely matched after evaluating the first two attributes, the service won't evaluate the third attribute. The service evaluates matching attributes in the order specified and stops evaluating when a match is found.
The attributes provisioned as part of Group objects can be customized in the sam
## Editing the list of supported attributes
-The user attributes supported for a given application are preconfigured. Most application's user management APIs don't support schema discovery. So, the Azure AD provisioning service isn't able to dynamically generate the list of supported attributes by making calls to the application.
+The user attributes supported for a given application are preconfigured. Most application's user management APIs don't support schema discovery. So, the Microsoft Entra provisioning service isn't able to dynamically generate the list of supported attributes by making calls to the application.
-However, some applications support custom attributes, and the Azure AD provisioning service can read and write to custom attributes. To enter their definitions into the Microsoft Entra admin center, select the **Show advanced options** check box at the bottom of the **Attribute Mapping** screen, and then select **Edit attribute list for** your app.
+However, some applications support custom attributes, and the Microsoft Entra provisioning service can read and write to custom attributes. To enter their definitions into the Microsoft Entra admin center, select the **Show advanced options** check box at the bottom of the **Attribute Mapping** screen, and then select **Edit attribute list for** your app.
Applications and systems that support customization of the attribute list include: - Salesforce - ServiceNow-- Workday to Active Directory / Workday to Azure Active Directory-- SuccessFactors to Active Directory / SuccessFactors to Azure Active Directory-- Azure Active Directory ([Azure AD Graph API default attributes](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#user-entity) and custom directory extensions are supported). For more information about creating extensions, see [Syncing extension attributes for Azure Active Directory Application Provisioning](./user-provisioning-sync-attributes-for-mapping.md) and [Known issues for provisioning in Azure Active Directory](./known-issues.md).
+- Workday to Active Directory / Workday to Microsoft Entra ID
+- SuccessFactors to Active Directory / SuccessFactors to Microsoft Entra ID
+- Microsoft Entra ID ([Azure AD Graph API default attributes](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#user-entity) and custom directory extensions are supported). For more information about creating extensions, see [Syncing extension attributes for Microsoft Entra Application Provisioning](./user-provisioning-sync-attributes-for-mapping.md) and [Known issues for provisioning in Microsoft Entra ID](./known-issues.md).
- Apps that support [SCIM 2.0](https://tools.ietf.org/html/rfc7643)-- Azure Active Directory supports writeback to Workday or SuccessFactors for XPATH and JSONPath metadata. Azure Active Directory doesn't support new Workday or SuccessFactors attributes not included in the default schema.
+- Microsoft Entra ID supports writeback to Workday or SuccessFactors for XPATH and JSONPath metadata. Microsoft Entra ID doesn't support new Workday or SuccessFactors attributes not included in the default schema.
> [!NOTE] > Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Microsoft Entra admin center UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). > [!NOTE]
-> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. Provisioning multi-valued directory extension attributes is not supported.
+> When a directory extension attribute in Microsoft Entra ID doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Microsoft Entra attribute list". When manually adding Microsoft Entra directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. Provisioning multi-valued directory extension attributes is not supported.
When you're editing the list of supported attributes, the following properties are provided:
The SCIM RFC defines a core user and group schema, while also allowing for exten
For SCIM applications, the attribute name must follow the pattern shown in the example. The "CustomExtensionName" and "CustomAttribute" can be customized per your application's requirements, for example: urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute
-These instructions are only applicable to SCIM-enabled applications. Applications such as ServiceNow and Salesforce aren't integrated with Azure AD using SCIM, and therefore they don't require this specific namespace when adding a custom attribute.
+These instructions are only applicable to SCIM-enabled applications. Applications such as ServiceNow and Salesforce aren't integrated with Microsoft Entra ID using SCIM, and therefore they don't require this specific namespace when adding a custom attribute.
-Custom attributes can't be referential attributes, multi-value or complex-typed attributes. Custom multi-value and complex-typed extension attributes are currently supported only for applications in the gallery. The custom extension schema header is omitted in the example because it isn't sent in requests from the Azure AD SCIM client.
+Custom attributes can't be referential attributes, multi-value or complex-typed attributes. Custom multi-value and complex-typed extension attributes are currently supported only for applications in the gallery. The custom extension schema header is omitted in the example because it isn't sent in requests from the Microsoft Entra SCIM client.
**Example representation of a user with an extension attribute:**
Custom attributes can't be referential attributes, multi-value or complex-typed
## Provisioning a role to a SCIM app Use the steps in the example to provision roles for a user to your application. The description is specific to custom SCIM applications. For gallery applications such as Salesforce and ServiceNow, use the predefined role mappings. The bullets describe how to transform the AppRoleAssignments attribute to the format your application expects. -- Mapping an appRoleAssignment in Azure AD to a role in your application requires that you transform the attribute using an [expression](../app-provisioning/functions-for-customizing-application-data.md). The appRoleAssignment attribute **shouldn't be mapped directly** to a role attribute without using an expression to parse the role details.
+- Mapping an appRoleAssignment in Microsoft Entra ID to a role in your application requires that you transform the attribute using an [expression](../app-provisioning/functions-for-customizing-application-data.md). The appRoleAssignment attribute **shouldn't be mapped directly** to a role attribute without using an expression to parse the role details.
- **SingleAppRoleAssignment**
The request formats in the PATCH and POST differ. To ensure that POST and PATCH
- All roles are provisioned as primary = false. - The POST contains the role type. The PATCH request doesn't contain type. We're working on sending the type in both POST and PATCH requests. - AppRoleAssignmentsComplex isn't compatible with setting scope to "Sync All users and groups."
- - The AppRoleAssignmentsComplex only supports the PATCH add function. For multi-role SCIM applications, roles deleted in Azure Active Directory will therefore not be deleted from the application. We're working to support additional PATCH functions and address the limitation.
+ - The AppRoleAssignmentsComplex only supports the PATCH add function. For multi-role SCIM applications, roles deleted in Microsoft Entra ID will therefore not be deleted from the application. We're working to support additional PATCH functions and address the limitation.
- **Example output**
The request formats in the PATCH and POST differ. To ensure that POST and PATCH
## Provisioning a multi-value attribute
-Certain attributes such as phoneNumbers and emails are multi-value attributes where you may need to specify different types of phone numbers or emails. Use the expression for multi-value attributes. It allows you to specify the attribute type and map that to the corresponding Azure AD user attribute for the value.
+Certain attributes such as phoneNumbers and emails are multi-value attributes where you may need to specify different types of phone numbers or emails. Use the expression for multi-value attributes. It allows you to specify the attribute type and map that to the corresponding Microsoft Entra user attribute for the value.
* `phoneNumbers[type eq "work"].value` * `phoneNumbers[type eq "mobile"]`.value
Certain attributes such as phoneNumbers and emails are multi-value attributes wh
## Restoring the default attributes and attribute-mappings
-Should you need to start over and reset your existing mappings back to their default state, you can select the **Restore default mappings** check box and save the configuration. Doing so sets all mappings and scoping filters as if the application was added to your Azure AD tenant from the application gallery.
+Should you need to start over and reset your existing mappings back to their default state, you can select the **Restore default mappings** check box and save the configuration. Doing so sets all mappings and scoping filters as if the application was added to your Microsoft Entra tenant from the application gallery.
Selecting this option forces a resynchronization of all users while the provisioning service is running.
Selecting this option forces a resynchronization of all users while the provisio
## What you should know -- Microsoft Azure AD provides an efficient implementation of a synchronization process. In an initialized environment, only objects requiring updates are processed during a synchronization cycle.
+- Microsoft Entra ID provides an efficient implementation of a synchronization process. In an initialized environment, only objects requiring updates are processed during a synchronization cycle.
- Updating attribute-mappings has an impact on the performance of a synchronization cycle. An update to the attribute-mapping configuration requires all managed objects to be reevaluated. - A recommended best practice is to keep the number of consecutive changes to your attribute-mappings at a minimum. - Adding a photo attribute to be provisioned to an app isn't supported today as you can't specify the format to sync the photo. You can request the feature on [User Voice](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789)-- The attribute `IsSoftDeleted` is often part of the default mappings for an application. `IsSoftdeleted` can be true in one of four scenarios: 1) The user is out of scope due to being unassigned from the application. 2) The user is out of scope due to not meeting a scoping filter. 3) The user has been soft deleted in Azure AD. 4) The property `AccountEnabled` is set to false on the user. It's not recommended to remove the `IsSoftDeleted` attribute from your attribute mappings.-- The Azure AD provisioning service doesn't support provisioning null values.
+- The attribute `IsSoftDeleted` is often part of the default mappings for an application. `IsSoftdeleted` can be true in one of four scenarios: 1) The user is out of scope due to being unassigned from the application. 2) The user is out of scope due to not meeting a scoping filter. 3) The user has been soft deleted in Microsoft Entra ID. 4) The property `AccountEnabled` is set to false on the user. It's not recommended to remove the `IsSoftDeleted` attribute from your attribute mappings.
+- The Microsoft Entra provisioning service doesn't support provisioning null values.
- They primary key, typically "ID", shouldn't be included as a target attribute in your attribute mappings. - The role attribute typically needs to be mapped using an expression, rather than a direct mapping. For more information about role mapping, see [Provisioning a role to a SCIM app](#provisioning-a-role-to-a-scim-app). - While you can disable groups from your mappings, disabling users isn't supported.
Selecting this option forces a resynchronization of all users while the provisio
- [Automate User Provisioning/Deprovisioning to SaaS Apps](user-provisioning.md) - [Writing Expressions for Attribute-Mappings](functions-for-customizing-application-data.md) - [Scoping Filters for User Provisioning](define-conditional-rules-for-provisioning-user-accounts.md)-- [Using SCIM to enable automatic provisioning of users and groups from Azure Active Directory to applications](use-scim-to-provision-users-and-groups.md)
+- [Using SCIM to enable automatic provisioning of users and groups from Microsoft Entra ID to applications](use-scim-to-provision-users-and-groups.md)
- [List of Tutorials on How to Integrate SaaS Apps](../saas-apps/tutorial-list.md)
active-directory Define Conditional Rules For Provisioning User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md
Title: Scoping users or groups to be provisioned with scoping filters in Azure Active Directory
-description: Learn how to use scoping filters to define attribute-based rules that determine which users or groups are provisioned in Azure Active Directory.
+ Title: Scoping users or groups to be provisioned with scoping filters in Microsoft Entra ID
+description: Learn how to use scoping filters to define attribute-based rules that determine which users or groups are provisioned in Microsoft Entra ID.
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
# Scoping users or groups to be provisioned with scoping filters
-Learn how to use scoping filters in the Azure Active Directory (Azure AD) provisioning service to define attribute based rules. The rules are used to determine which users or groups are provisioned.
+Learn how to use scoping filters in the Microsoft Entra provisioning service to define attribute based rules. The rules are used to determine which users or groups are provisioned.
## Scoping filter use cases ::: zone pivot="app-provisioning"
-You use scoping filters to prevent objects in applications that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements. A scoping filter allows you to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from Azure AD to a SaaS application used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
+You use scoping filters to prevent objects in applications that support automated user provisioning from being provisioned if an object doesn't satisfy your business requirements. A scoping filter allows you to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from Microsoft Entra ID to a SaaS application used by a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
Scoping filters can be used differently depending on the type of provisioning connector:
-* **Outbound provisioning from Azure AD to SaaS applications**. When Azure AD is the source system, [user and group assignments](../manage-apps/assign-user-or-group-access-portal.md) are the most common method for determining which users are in scope for provisioning. These assignments also are used for enabling single sign-on and provide a single method to manage access and provisioning. Scoping filters can be used optionally, in addition to assignments or instead of them, to filter users based on attribute values.
+* **Outbound provisioning from Microsoft Entra ID to SaaS applications**. When Microsoft Entra ID is the source system, [user and group assignments](../manage-apps/assign-user-or-group-access-portal.md) are the most common method for determining which users are in scope for provisioning. These assignments also are used for enabling single sign-on and provide a single method to manage access and provisioning. Scoping filters can be used optionally, in addition to assignments or instead of them, to filter users based on attribute values.
>[!TIP] > The more users and groups in scope for provisioning, the longer the synchronization process can take. Setting the scope to sync assigned users and groups, limiting the number of groups assigned to the app, and limiting the size of the groups will reduce the time it takes to synchronize everyone that is in scope.
-* **Inbound provisioning from HCM applications to Azure AD and Active Directory**. When an [HCM application such as Workday](../saas-apps/workday-tutorial.md) is the source system, scoping filters are the primary method for determining which users should be provisioned from the HCM application to Active Directory or Azure AD.
+* **Inbound provisioning from HCM applications to Microsoft Entra ID and Active Directory**. When an [HCM application such as Workday](../saas-apps/workday-tutorial.md) is the source system, scoping filters are the primary method for determining which users should be provisioned from the HCM application to Active Directory or Microsoft Entra ID.
-By default, Azure AD provisioning connectors don't have any attribute-based scoping filters configured.
+By default, Microsoft Entra provisioning connectors don't have any attribute-based scoping filters configured.
::: zone-end ::: zone pivot="cross-tenant-synchronization"
-When Azure AD is the source system, [user and group assignments](../manage-apps/assign-user-or-group-access-portal.md) are the most common method for determining which users are in scope for provisioning. Reducing the number of users in scope improves performance and synchronizing assigned users and groups instead of synchronizing all users and groups is recommended.
+When Microsoft Entra ID is the source system, [user and group assignments](../manage-apps/assign-user-or-group-access-portal.md) are the most common method for determining which users are in scope for provisioning. Reducing the number of users in scope improves performance and synchronizing assigned users and groups instead of synchronizing all users and groups is recommended.
-Scoping filters can be used optionally, in addition to scoping by assignment. A scoping filter allows the Azure AD provisioning service to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
+Scoping filters can be used optionally, in addition to scoping by assignment. A scoping filter allows the Microsoft Entra provisioning service to include or exclude any users who have an attribute that matches a specific value. For example, when provisioning users from a sales team, you can specify that only users with a "Department" attribute of "Sales" should be in scope for provisioning.
::: zone-end ## Scoping filter construction
A single clause defines a single condition for a single attribute value. If mult
Finally, multiple scoping filters can be created for a single application. If multiple scoping filters are present, they're evaluated together by using "OR" logic. The "OR" logic means that if all the clauses in any of the configured scoping filters evaluate to "true", the user is provisioned.
-Each user or group processed by the Azure AD provisioning service is always evaluated individually against each scoping filter.
+Each user or group processed by the Microsoft Entra provisioning service is always evaluated individually against each scoping filter.
As an example, consider the following scoping filter:
According to this scoping filter, users must satisfy the following criteria to b
* Their job title must not be null or empty. ## Create scoping filters
-Scoping filters are configured as part of the attribute mappings for each Azure AD user provisioning connector. The following procedure assumes that you already set up automatic provisioning for [one of the supported applications](../saas-apps/tutorial-list.md) and are adding a scoping filter to it.
+Scoping filters are configured as part of the attribute mappings for each Microsoft Entra user provisioning connector. The following procedure assumes that you already set up automatic provisioning for [one of the supported applications](../saas-apps/tutorial-list.md) and are adding a scoping filter to it.
### Create a scoping filter
Scoping filters are configured as part of the attribute mappings for each Azure
::: zone pivot="app-provisioning"
-5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Azure Active Directory Users to ServiceNow".
+5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Microsoft Entra Users to ServiceNow".
::: zone-end ::: zone pivot="cross-tenant-synchronization"
-5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Provision Azure Active Directory Users".
+5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Provision Microsoft Entra Users".
::: zone-end
Scoping filters are configured as part of the attribute mappings for each Azure
* [Customize attribute mappings for user provisioning](../app-provisioning/customize-application-attributes.md) * [Write expressions for attribute mappings](functions-for-customizing-application-data.md) * [Account provisioning notifications](../app-provisioning/user-provisioning.md)
-* [Use SCIM to enable automatic provisioning of users and groups from Azure Active Directory to applications](../app-provisioning/use-scim-to-provision-users-and-groups.md)
+* [Use SCIM to enable automatic provisioning of users and groups from Microsoft Entra ID to applications](../app-provisioning/use-scim-to-provision-users-and-groups.md)
* [List of tutorials on how to integrate SaaS apps](../saas-apps/tutorial-list.md)
active-directory Export Import Provisioning Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/export-import-provisioning-configuration.md
Title: Export Application Provisioning configuration and roll back to a known good state for disaster recovery in Azure Active Directory
-description: Learn how to export your Application Provisioning configuration and roll back to a known good state for disaster recovery in Azure Active Directory.
+ Title: Export Application Provisioning configuration and roll back to a known good state for disaster recovery in Microsoft Entra ID
+description: Learn how to export your Application Provisioning configuration and roll back to a known good state for disaster recovery in Microsoft Entra ID.
Some things to consider when rolling back to a previous configuration:
## Export and import your provisioning configuration by using the Microsoft Graph API
-You can use the Microsoft Graph API and the Microsoft Graph Explorer to export your User Provisioning attribute mappings and schema to a JSON file and import it back into Azure AD. You can also use the steps captured here to create a backup of your provisioning configuration.
+You can use the Microsoft Graph API and the Microsoft Graph Explorer to export your User Provisioning attribute mappings and schema to a JSON file and import it back into Microsoft Entra ID. You can also use the steps captured here to create a backup of your provisioning configuration.
### Step 1: Retrieve your Provisioning App Service Principal ID (Object ID)
You can use the Microsoft Graph API and the Microsoft Graph Explorer to export y
### Step 2: Sign into Microsoft Graph Explorer 1. Launch [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
-1. Click on the "Sign-In with Microsoft" button and sign-in using Azure AD Global Administrator or App Admin credentials.
+1. Click on the "Sign-In with Microsoft" button and sign-in using Microsoft Entra Global Administrator or App Admin credentials.
![Microsoft Graph Sign-in](./media/export-import-provisioning-configuration/wd_export_02.png)
active-directory Expression Builder https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/expression-builder.md
Title: Understand how expression builder works with Application Provisioning in Azure Active Directory
-description: Understand how expression builder works with Application Provisioning in Azure Active Directory.
+ Title: Understand how expression builder works with Application Provisioning in Microsoft Entra ID
+description: Understand how expression builder works with Application Provisioning in Microsoft Entra ID.
active-directory Functions For Customizing Application Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md
Title: Reference for writing expressions for attribute mappings in Azure Active Directory Application Provisioning
-description: Learn how to use expression mappings to transform attribute values into an acceptable format during automated provisioning of SaaS app objects in Azure Active Directory. Includes a reference list of functions.
+ Title: Reference for writing expressions for attribute mappings in Microsoft Entra Application Provisioning
+description: Learn how to use expression mappings to transform attribute values into an acceptable format during automated provisioning of SaaS app objects in Microsoft Entra ID. Includes a reference list of functions.
-# Reference for writing expressions for attribute mappings in Azure Active Directory
+# Reference for writing expressions for attribute mappings in Microsoft Entra ID
When you configure provisioning to a SaaS application, one of the types of attribute mappings that you can specify is an expression mapping. For these mappings, you must write a script-like expression that allows you to transform your users' data into formats that are more acceptable for the SaaS application.
Example: If you're using a Salesforce Sandbox, you might need to append another
AppRoleAssignmentsComplex([appRoleAssignments]) **Description:**
-Used to provision multiple roles for a user. For detailed usage, see [Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Azure Active Directory](customize-application-attributes.md#provisioning-a-role-to-a-scim-app).
+Used to provision multiple roles for a user. For detailed usage, see [Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID](customize-application-attributes.md#provisioning-a-role-to-a-scim-app).
**Parameters:**
Splits a string into a multi-valued array, using the specified delimiter charact
| **delimiter** |Required |String |Specifies the character that will be used to split the string (example: ",") | #### Split a string into a multi-valued array
-Example: You need to take a comma-delimited list of strings, and split them into an array that can be plugged into a multi-value attribute like Salesforce's PermissionSets attribute. In this example, a list of permission sets has been populated in extensionAttribute5 in Azure AD.
+Example: You need to take a comma-delimited list of strings, and split them into an array that can be plugged into a multi-value attribute like Salesforce's PermissionSets attribute. In this example, a list of permission sets has been populated in extensionAttribute5 in Microsoft Entra ID.
**Expression:** Split([extensionAttribute5], ",")
When **source** value matches a **key**, returns **value** for that **key**. If
| **value** |Required |String |Replacement value for the **source** matching the key. | #### Replace a value based on predefined set of options
-Example: Define the time zone of the user based on the state code stored in Azure AD.
+Example: Define the time zone of the user based on the state code stored in Microsoft Entra ID.
If the state code doesn't match any of the predefined options, use default value of "Australia/Sydney". **Expression:**
Add a comma between last name and first name.
* [Automate User Provisioning/Deprovisioning to SaaS Apps](../app-provisioning/user-provisioning.md) * [Customizing Attribute Mappings for User Provisioning](../app-provisioning/customize-application-attributes.md) * [Scoping Filters for User Provisioning](define-conditional-rules-for-provisioning-user-accounts.md)
-* [Using SCIM to enable automatic provisioning of users and groups from Azure Active Directory to applications](../app-provisioning/use-scim-to-provision-users-and-groups.md)
+* [Using SCIM to enable automatic provisioning of users and groups from Microsoft Entra ID to applications](../app-provisioning/use-scim-to-provision-users-and-groups.md)
* [Account Provisioning Notifications](../app-provisioning/user-provisioning.md) * [List of Tutorials on How to Integrate SaaS Apps](../saas-apps/tutorial-list.md)
active-directory How Provisioning Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/how-provisioning-works.md
Title: Understand how Application Provisioning in Azure Active Directory
-description: Understand how Application Provisioning works in Azure Active Directory.
+ Title: Understand how Application Provisioning in Microsoft Entra ID
+description: Understand how Application Provisioning works in Microsoft Entra ID.
-# How Application Provisioning works in Azure Active Directory
+# How Application Provisioning works in Microsoft Entra ID
-Automatic provisioning refers to creating user identities and roles in the cloud applications that users need to access. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Before you start a deployment, you can review this article to learn how Azure AD provisioning works and get configuration recommendations.
+Automatic provisioning refers to creating user identities and roles in the cloud applications that users need to access. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Before you start a deployment, you can review this article to learn how Microsoft Entra provisioning works and get configuration recommendations.
-The **Azure AD Provisioning Service** provisions users to SaaS apps and other systems by connecting to a System for Cross-Domain Identity Management (SCIM) 2.0 user management API endpoint provided by the application vendor. This SCIM endpoint allows Azure AD to programmatically create, update, and remove users. For selected applications, the provisioning service can also create, update, and remove extra identity-related objects, such as groups and roles. The channel used for provisioning between Azure AD and the application is encrypted using HTTPS TLS 1.2 encryption.
+The **Microsoft Entra provisioning service** provisions users to SaaS apps and other systems by connecting to a System for Cross-Domain Identity Management (SCIM) 2.0 user management API endpoint provided by the application vendor. This SCIM endpoint allows Microsoft Entra ID to programmatically create, update, and remove users. For selected applications, the provisioning service can also create, update, and remove extra identity-related objects, such as groups and roles. The channel used for provisioning between Microsoft Entra ID and the application is encrypted using HTTPS TLS 1.2 encryption.
-![Azure AD Provisioning Service](./media/how-provisioning-works/provisioning0.PNG)
-*Figure 1: The Azure AD Provisioning Service*
+![Microsoft Entra provisioning service](./media/how-provisioning-works/provisioning0.PNG)
+*Figure 1: The Microsoft Entra provisioning service*
![Outbound user provisioning workflow](./media/how-provisioning-works/provisioning1.PNG)
-*Figure 2: "Outbound" user provisioning workflow from Azure AD to popular SaaS applications*
+*Figure 2: "Outbound" user provisioning workflow from Microsoft Entra ID to popular SaaS applications*
![Inbound user provisioning workflow](./media/how-provisioning-works/provisioning2.PNG)
-*Figure 3: "Inbound" user provisioning workflow from popular Human Capital Management (HCM) applications to Azure Active Directory and Windows Server Active Directory*
+*Figure 3: "Inbound" user provisioning workflow from popular Human Capital Management (HCM) applications to Microsoft Entra ID and Windows Server Active Directory*
## Provisioning using SCIM 2.0
-The Azure AD provisioning service uses the [SCIM 2.0 protocol](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/bg-p/IdentityStandards) for automatic provisioning. The service connects to the SCIM endpoint for the application, and uses SCIM user object schema and REST APIs to automate the provisioning and deprovisioning of users and groups. A SCIM-based provisioning connector is provided for most applications in the Azure AD gallery. Developers use the SCIM 2.0 user management API in Azure AD to build endpoints for their apps that integrate with the provisioning service. For details, see [Build a SCIM endpoint and configure user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md).
+The Microsoft Entra provisioning service uses the [SCIM 2.0 protocol](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/bg-p/IdentityStandards) for automatic provisioning. The service connects to the SCIM endpoint for the application, and uses SCIM user object schema and REST APIs to automate the provisioning and deprovisioning of users and groups. A SCIM-based provisioning connector is provided for most applications in the Microsoft Entra gallery. Developers use the SCIM 2.0 user management API in Microsoft Entra ID to build endpoints for their apps that integrate with the provisioning service. For details, see [Build a SCIM endpoint and configure user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md).
-To request an automatic Azure AD provisioning connector for an app that doesn't currently have one, see [Azure Active Directory Application Request](../manage-apps/v2-howto-app-gallery-listing.md).
+To request an automatic Microsoft Entra provisioning connector for an app that doesn't currently have one, see [Microsoft Entra Application Request](../manage-apps/v2-howto-app-gallery-listing.md).
## Authorization
-Credentials are required for Azure AD to connect to the application's user management API. While you're configuring automatic user provisioning for an application, you need to enter valid credentials. For gallery applications, you can find credential types and requirements for the application by referring to the app tutorial. For non-gallery applications, you can refer to the [SCIM](./use-scim-to-provision-users-and-groups.md#authorization-to-provisioning-connectors-in-the-application-gallery) documentation to understand the credential types and requirements. In the Microsoft Entra admin center, you're able to test the credentials by having Azure AD attempt to connect to the app's provisioning app using the supplied credentials.
+Credentials are required for Microsoft Entra ID to connect to the application's user management API. While you're configuring automatic user provisioning for an application, you need to enter valid credentials. For gallery applications, you can find credential types and requirements for the application by referring to the app tutorial. For non-gallery applications, you can refer to the [SCIM](./use-scim-to-provision-users-and-groups.md#authorization-to-provisioning-connectors-in-the-application-gallery) documentation to understand the credential types and requirements. In the Microsoft Entra admin center, you're able to test the credentials by having Microsoft Entra ID attempt to connect to the app's provisioning app using the supplied credentials.
## Mapping attributes
-When you enable user provisioning for a third-party SaaS application, the Microsoft Entra admin center controls its attribute values through attribute mappings. Mappings determine the user attributes that flow between Azure AD and the target application when user accounts are provisioned or updated.
+When you enable user provisioning for a third-party SaaS application, the Microsoft Entra admin center controls its attribute values through attribute mappings. Mappings determine the user attributes that flow between Microsoft Entra ID and the target application when user accounts are provisioned or updated.
-There's a preconfigured set of attributes and attribute mappings between Azure AD user objects and each SaaS appΓÇÖs user objects. Some apps manage other types of objects along with Users, such as Groups.
+There's a preconfigured set of attributes and attribute mappings between Microsoft Entra user objects and each SaaS appΓÇÖs user objects. Some apps manage other types of objects along with Users, such as Groups.
-When setting up provisioning, it's important to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Azure AD to the application. Review and configure the matching property (**Match objects using this attribute**) that is used to uniquely identify and match users/groups between the two systems.
+When setting up provisioning, it's important to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Microsoft Entra ID to the application. Review and configure the matching property (**Match objects using this attribute**) that is used to uniquely identify and match users/groups between the two systems.
You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings. For details, see [Customizing user provisioning attribute-mappings for SaaS applications](./customize-application-attributes.md).
When you configure provisioning to a SaaS application, one of the types of attri
## Scoping ### Assignment-based scoping
-For outbound provisioning from Azure AD to a SaaS application, relying on [user or group assignments](../manage-apps/assign-user-or-group-access-portal.md) is the most common way to determine which users are in scope for provisioning. Because user assignments are also used for enabling single sign-on, the same method can be used for managing both access and provisioning. Assignment-based scoping doesn't apply to inbound provisioning scenarios such as Workday and Successfactors.
+For outbound provisioning from Microsoft Entra ID to a SaaS application, relying on [user or group assignments](../manage-apps/assign-user-or-group-access-portal.md) is the most common way to determine which users are in scope for provisioning. Because user assignments are also used for enabling single sign-on, the same method can be used for managing both access and provisioning. Assignment-based scoping doesn't apply to inbound provisioning scenarios such as Workday and Successfactors.
-* **Groups.** With an Azure AD Premium license plan, you can use groups to assign access to a SaaS application. Then, when the provisioning scope is set to **Sync only assigned users and groups**, the Azure AD provisioning service provisions or deprovisions users based on whether they're members of a group that's assigned to the application. The group object itself isn't provisioned unless the application supports group objects. Ensure that groups assigned to your application have the property "SecurityEnabled" set to "True".
+* **Groups.** With a Microsoft Entra ID P1 or P2 license plan, you can use groups to assign access to a SaaS application. Then, when the provisioning scope is set to **Sync only assigned users and groups**, the Microsoft Entra provisioning service provisions or deprovisions users based on whether they're members of a group that's assigned to the application. The group object itself isn't provisioned unless the application supports group objects. Ensure that groups assigned to your application have the property "SecurityEnabled" set to "True".
-* **Dynamic groups.** The Azure AD user provisioning service can read and provision users in [dynamic groups](../enterprise-users/groups-create-rule.md). Keep these caveats and recommendations in mind:
+* **Dynamic groups.** The Microsoft Entra user provisioning service can read and provision users in [dynamic groups](../enterprise-users/groups-create-rule.md). Keep these caveats and recommendations in mind:
- * Dynamic groups can impact the performance of end-to-end provisioning from Azure AD to SaaS applications.
+ * Dynamic groups can impact the performance of end-to-end provisioning from Microsoft Entra ID to SaaS applications.
* How fast a user in a dynamic group is provisioned or deprovisioned in a SaaS application depends on how fast the dynamic group can evaluate membership changes. For information about how to check the processing status of a dynamic group, see [Check processing status for a membership rule](../enterprise-users/groups-create-rule.md). * When a user loses membership in the dynamic group, it's considered a deprovisioning event. Consider this scenario when creating rules for dynamic groups.
-* **Nested groups.** The Azure AD user provisioning service can't read or provision users in nested groups. The service can only read and provision users that are immediate members of an explicitly assigned group. This limitation of "group-based assignments to applications" also affects single sign-on (see [Using a group to manage access to SaaS applications](../enterprise-users/groups-saasapps.md)). Instead, directly assign or otherwise [scope in](define-conditional-rules-for-provisioning-user-accounts.md) the groups that contain the users who need to be provisioned.
+* **Nested groups.** The Microsoft Entra user provisioning service can't read or provision users in nested groups. The service can only read and provision users that are immediate members of an explicitly assigned group. This limitation of "group-based assignments to applications" also affects single sign-on (see [Using a group to manage access to SaaS applications](../enterprise-users/groups-saasapps.md)). Instead, directly assign or otherwise [scope in](define-conditional-rules-for-provisioning-user-accounts.md) the groups that contain the users who need to be provisioned.
### Attribute-based scoping
-You can use scoping filters to define attribute-based rules that determine which users are provisioned to an application. This method is commonly used for inbound provisioning from HCM applications to Azure AD and Active Directory. Scoping filters are configured as part of the attribute mappings for each Azure AD user provisioning connector. For details about configuring attribute-based scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
+You can use scoping filters to define attribute-based rules that determine which users are provisioned to an application. This method is commonly used for inbound provisioning from HCM applications to Microsoft Entra ID and Active Directory. Scoping filters are configured as part of the attribute mappings for each Microsoft Entra user provisioning connector. For details about configuring attribute-based scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
### B2B (guest) users
-It's possible to use the Azure AD user provisioning service to provision B2B (guest) users in Azure AD to SaaS applications. However, for B2B users to sign in to the SaaS application using Azure AD, you must manually configure the SaaS application to use Azure AD as a Security Assertion Markup Language (SAML) identity provider.
+It's possible to use the Microsoft Entra user provisioning service to provision B2B (guest) users in Microsoft Entra ID to SaaS applications. However, for B2B users to sign in to the SaaS application using Microsoft Entra ID, you must manually configure the SaaS application to use Microsoft Entra ID as a Security Assertion Markup Language (SAML) identity provider.
Follow these general guidelines when configuring SaaS apps for B2B (guest) users: - For most of the apps, user setup needs to happen manually. Users must be created manually in the app as well.
originalUserPrincipalName = alias_theirdomain#EXT#@yourdomain
## Provisioning cycles: Initial and incremental
-When Azure AD is the source system, the provisioning service uses the [delta query to track changes in Microsoft Graph data](/graph/delta-query-overview) to monitor users and groups. The provisioning service runs an initial cycle against the source system and target system, followed by periodic incremental cycles.
+When Microsoft Entra ID is the source system, the provisioning service uses the [delta query to track changes in Microsoft Graph data](/graph/delta-query-overview) to monitor users and groups. The provisioning service runs an initial cycle against the source system and target system, followed by periodic incremental cycles.
### Initial cycle
After the initial cycle, all other cycles will:
8. If a user that was previously in scope for provisioning is disabled or soft-deleted in the source system, the service disables the user in the target system via an update.
-9. If a user that was previously in scope for provisioning is hard-deleted in the source system, the service deletes the user in the target system. In Azure AD, users are hard-deleted 30 days after they're soft-deleted.
+9. If a user that was previously in scope for provisioning is hard-deleted in the source system, the service deletes the user in the target system. In Microsoft Entra ID, users are hard-deleted 30 days after they're soft-deleted.
10. Persist a new watermark at the end of the incremental cycle, which provides the starting point for the later incremental cycles.
Performance depends on whether your provisioning job is running an initial provi
### How to tell if users are being provisioned properly
-All operations run by the user provisioning service are recorded in the Azure AD [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). The logs include all read and write operations made to the source and target systems, and the user data that was read or written during each operation. For information on how to read the provisioning logs in the Microsoft Entra admin center, see the [provisioning reporting guide](./check-status-user-account-provisioning.md).
+All operations run by the user provisioning service are recorded in the Microsoft Entra [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). The logs include all read and write operations made to the source and target systems, and the user data that was read or written during each operation. For information on how to read the provisioning logs in the Microsoft Entra admin center, see the [provisioning reporting guide](./check-status-user-account-provisioning.md).
## Deprovisioning
-The Azure AD provisioning service keeps source and target systems in sync by deprovisioning accounts when user access is removed.
+The Microsoft Entra provisioning service keeps source and target systems in sync by deprovisioning accounts when user access is removed.
The provisioning service supports both deleting and disabling (sometimes referred to as soft-deleting) users. The exact definition of disable and delete varies based on the target app's implementation, but generally a disable indicates that the user can't sign in. A delete indicates that the user has been removed completely from the application. For SCIM applications, a disable is a request to set the *active* property to false on a user.
Confirm the mapping for *active* for your application. If you're using an applic
**Configure your application to delete a user** The scenario triggers a disable or a delete:
-* A user is soft-deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false). Thirty days after a user is deleted in Azure AD, they're permanently deleted from the tenant. At this point, the provisioning service sends a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can [manually delete a user permanently](../fundamentals/users-restore.md), which sends a delete request to the application.
-* A user is permanently deleted / removed from the recycle bin in Azure AD.
+* A user is soft-deleted in Microsoft Entra ID (sent to the recycle bin / AccountEnabled property set to false). Thirty days after a user is deleted in Microsoft Entra ID, they're permanently deleted from the tenant. At this point, the provisioning service sends a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can [manually delete a user permanently](../fundamentals/users-restore.md), which sends a delete request to the application.
+* A user is permanently deleted / removed from the recycle bin in Microsoft Entra ID.
* A user is unassigned from an app. * A user goes from in scope to out of scope (doesn't pass a scoping filter anymore). :::image type="content" source="./media/how-provisioning-works/delete-user.png" alt-text="Delete a user" lightbox="./media/how-provisioning-works/delete-user.png":::
-By default, the Azure AD provisioning service soft-deletes or disables users that go out of scope. If you want to override this default behavior, you can set a flag to [skip out-of-scope deletions.](skip-out-of-scope-deletions.md)
+By default, the Microsoft Entra provisioning service soft-deletes or disables users that go out of scope. If you want to override this default behavior, you can set a flag to [skip out-of-scope deletions.](skip-out-of-scope-deletions.md)
When one of the four events occurs and the target application doesn't support soft-deletes, the provisioning service sends a DELETE request to permanently delete the user from the app.
If you see `IsSoftDeleted` in your attribute mappings, it's used to determine th
**Deprovisioning events**
-The table describes how you can configure deprovisioning actions with the Azure AD provisioning service. These rules are written with the non-gallery / custom application in mind, but generally apply to applications in the gallery. However, the behavior for gallery applications can differ as they've been optimized to meet the needs of the application. For example, if the target application doesn't support soft-deleting then the Azure AD provisioning service might send a hard-delete request to delete users rather than send a soft-delete.
+The table describes how you can configure deprovisioning actions with the Microsoft Entra provisioning service. These rules are written with the non-gallery / custom application in mind, but generally apply to applications in the gallery. However, the behavior for gallery applications can differ as they've been optimized to meet the needs of the application. For example, if the target application doesn't support soft-deleting then the Microsoft Entra provisioning service might send a hard-delete request to delete users rather than send a soft-delete.
-|Scenario|How to configure in Azure AD|
+|Scenario|How to configure in Microsoft Entra ID|
|--|--|
-|A user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You don't want anything to be done.|Remove `isSoftDeleted` from the attribute mappings and / or set the [skip out of scope deletions](skip-out-of-scope-deletions.md) property to true.|
-|A user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You want to set a specific attribute to `true` or `false`.|Map `isSoftDeleted` to the attribute that you would like to set to false.|
-|A user is disabled in Azure AD, unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in. You want to send a DELETE request to the target application.|This is currently supported for a limited set of gallery applications where the functionality is required. It's not configurable by customers.|
-|A user is deleted in Azure AD. You don't want anything done in the target application.|Ensure that "Delete" isn't selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
-|A user is deleted in Azure AD. You want to set the value of an attribute in the target application.|Not supported.|
-|A user is deleted in Azure AD. You want to delete the user in the target application|Ensure that Delete is selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
+|A user is unassigned from an app, soft-deleted in Microsoft Entra ID, or blocked from sign-in. You don't want anything to be done.|Remove `isSoftDeleted` from the attribute mappings and / or set the [skip out of scope deletions](skip-out-of-scope-deletions.md) property to true.|
+|A user is unassigned from an app, soft-deleted in Microsoft Entra ID, or blocked from sign-in. You want to set a specific attribute to `true` or `false`.|Map `isSoftDeleted` to the attribute that you would like to set to false.|
+|A user is disabled in Microsoft Entra ID, unassigned from an app, soft-deleted in Microsoft Entra ID, or blocked from sign-in. You want to send a DELETE request to the target application.|This is currently supported for a limited set of gallery applications where the functionality is required. It's not configurable by customers.|
+|A user is deleted in Microsoft Entra ID. You don't want anything done in the target application.|Ensure that "Delete" isn't selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
+|A user is deleted in Microsoft Entra ID. You want to set the value of an attribute in the target application.|Not supported.|
+|A user is deleted in Microsoft Entra ID. You want to delete the user in the target application|Ensure that Delete is selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
**Known limitations** * When a user or group is unassigned from an app and no longer managed with the provisioning service, a disable request is sent. At that point, the service doesn't manage the user and a delete request isn't sent when the user is deleted from the directory.
-* Provisioning a user that is disabled in Azure AD isn't supported. They must be active in Azure AD before they're provisioned.
-* When a user goes from soft-deleted to active, the Azure AD provisioning service activates the user in the target app, but doesn't automatically restore the group memberships. The target application should maintain the group memberships for the user in inactive state. If the target application doesn't support maintaining the inactive state, you can restart provisioning to update the group memberships.
+* Provisioning a user that is disabled in Microsoft Entra ID isn't supported. They must be active in Microsoft Entra ID before they're provisioned.
+* When a user goes from soft-deleted to active, the Microsoft Entra provisioning service activates the user in the target app, but doesn't automatically restore the group memberships. The target application should maintain the group memberships for the user in inactive state. If the target application doesn't support maintaining the inactive state, you can restart provisioning to update the group memberships.
**Recommendation**
active-directory Hr Attribute Retrieval Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-attribute-retrieval-issues.md
| **Applies to** | |--|
-| * Workday to on-premises Active Directory user provisioning <br> * Workday to Azure Active Directory user provisioning |
+| * Workday to on-premises Active Directory user provisioning <br> * Workday to Microsoft Entra user provisioning |
| **Issue Description** | | You have just configured the Workday inbound provisioning app and successfully connected to the Workday tenant URL. You ran a test sync and you observed that the provisioning app is not retrieving certain attributes from Workday. Only some attributes are read and provisioned to the target. | | **Probable Cause** |
| **Applies to** | |--|
-| * Workday to on-premises Active Directory user provisioning <br> * Workday to Azure Active Directory user provisioning |
+| * Workday to on-premises Active Directory user provisioning <br> * Workday to Microsoft Entra user provisioning |
| **Issue Description** |
-| You have just configured the Workday inbound provisioning app and successfully connected to the Workday tenant URL. You have an integration system configured in Workday and you have configured XPATHs that point to attributes in the Workday Integration System. However, the Azure AD provisioning app isn't fetching values associated with these integration system attributes or calculated fields. |
+| You have just configured the Workday inbound provisioning app and successfully connected to the Workday tenant URL. You have an integration system configured in Workday and you have configured XPATHs that point to attributes in the Workday Integration System. However, the Microsoft Entra provisioning app isn't fetching values associated with these integration system attributes or calculated fields. |
| **Cause** | | This is a known limitation. The Workday provisioning app currently doesn't support fetching calculated fields/integration system attributes using the *Field_And_Parameter_Criteria_Data* Get_Workers request filter. | | **Resolution Options** |
## Next steps
-* [Learn more about Azure AD and Workday integration scenarios and web service calls](workday-integration-reference.md)
+* [Learn more about Microsoft Entra ID and Workday integration scenarios and web service calls](workday-integration-reference.md)
* [Learn how to review logs and get reports on provisioning activity](check-status-user-account-provisioning.md)
active-directory Hr Manager Update Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-manager-update-issues.md
**Applies to:** * Workday to on-premises Active Directory user provisioning
-* Workday to Azure Active Directory user provisioning
+* Workday to Microsoft Entra user provisioning
* SAP SuccessFactors to on-premises Active Directory user provisioning
-* SAP SuccessFactors to Azure Active Directory user provisioning
+* SAP SuccessFactors to Microsoft Entra user provisioning
## Understanding how manager reference resolution works
-The Azure AD provisioning service automatically updates manager information so that the user-manager relationship in Azure AD is always in sync with your HR data. It uses a process called *manager reference resolution* to accurately update the *manager* attribute. Before going into the process details, it is important to understand how manager information is stored in Azure AD and on-premises Active Directory.
+The Microsoft Entra provisioning service automatically updates manager information so that the user-manager relationship in Microsoft Entra ID is always in sync with your HR data. It uses a process called *manager reference resolution* to accurately update the *manager* attribute. Before going into the process details, it is important to understand how manager information is stored in Microsoft Entra ID and on-premises Active Directory.
* In **on-premises Active Directory**, the *manager* attribute stores the *distinguishedName (dn)* of the manager's account in AD.
-* In **Azure AD**, the *manager* attribute is a DirectoryObject navigation property in Azure AD. When you view the user record in the Microsoft Entra admin center, it shows the *displayName* of the manager record in Azure AD.
+* In **Microsoft Entra ID**, the *manager* attribute is a DirectoryObject navigation property in Microsoft Entra ID. When you view the user record in the Microsoft Entra admin center, it shows the *displayName* of the manager record in Microsoft Entra ID.
The *manager reference resolution* is a two step-process: * Step 1: Link the manager's HR source record with the manager's target account record using a pair of attributes referred to as *source anchor* and *target anchor*.
The default anchor attributes and reference attributes for each app is listed be
| Workday | WID | ManagerReference (which points to the WID of the manager record) | | SAP SuccessFactors | personIdExternal | manager (which points to the personIdExternal of the manager record) | | On-premises Active Directory | objectGUID | manager (which points to DN of the manager record) |
-| Azure AD | objectId | manager (which points to the manager's Azure AD record) |
+| Microsoft Entra ID | objectId | manager (which points to the manager's Microsoft Entra ID record) |
## Prerequisites for successful manager update In order for *manager reference resolution* to work successfully, the following pre-requisites should be met:
In order for *manager reference resolution* to work successfully, the following
## Next steps
-* [Learn more about Azure AD and Workday integration scenarios and web service calls](workday-integration-reference.md)
+* [Learn more about Microsoft Entra ID and Workday integration scenarios and web service calls](workday-integration-reference.md)
* [Learn how to review logs and get reports on provisioning activity](check-status-user-account-provisioning.md)
active-directory Hr User Creation Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-user-creation-issues.md
**Applies to:** * Workday to on-premises Active Directory user provisioning
-* Workday to Azure Active Directory user provisioning
+* Workday to Microsoft Entra user provisioning
* SAP SuccessFactors to on-premises Active Directory user provisioning
-* SAP SuccessFactors to Azure Active Directory user provisioning
+* SAP SuccessFactors to Microsoft Entra user provisioning
| Troubleshooting | Details | |-- | -- |
`IIF(IsNullOrEmpty([BusinessTitle]),"N/A",[BusinessTitle])`
- * Option 2: Use the function [IgnoreFlowIfNullOrEmpty](functions-for-customizing-application-data.md#ignoreflowifnullorempty) to drop empty or null attributes in the payload sent to on-premises Active Directory / Azure AD.
+ * Option 2: Use the function [IgnoreFlowIfNullOrEmpty](functions-for-customizing-application-data.md#ignoreflowifnullorempty) to drop empty or null attributes in the payload sent to on-premises Active Directory / Microsoft Entra ID.
`IgnoreFlowIfNullOrEmpty([BusinessTitle])` ## Next steps
-* [Learn more about Azure AD and Workday integration scenarios and web service calls](workday-integration-reference.md)
+* [Learn more about Microsoft Entra ID and Workday integration scenarios and web service calls](workday-integration-reference.md)
* [Learn how to review logs and get reports on provisioning activity](check-status-user-account-provisioning.md)-
active-directory Hr User Update Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-user-update-issues.md
## Null and empty values not processed as expected **Applies to:** * Workday to on-premises Active Directory user provisioning
-* Workday to Azure Active Directory user provisioning
+* Workday to Microsoft Entra user provisioning
* SAP SuccessFactors to on-premises Active Directory user provisioning
-* SAP SuccessFactors to Azure Active Directory user provisioning
+* SAP SuccessFactors to Microsoft Entra user provisioning
| Troubleshooting | Details | |-- | -- |
-| **Issue** | You have successfully configured the inbound provisioning app. You are getting null or empty value from the HR app. You expect the provisioning service to clear the corresponding target attribute value in on-premises Active Directory / Azure AD. But the operation fails with the error message: `InvalidAttributeSyntax-LdapErr: The syntax is invalid. The parameter is incorrect. Error in attribute conversion operation, data 0, v3839` |
+| **Issue** | You have successfully configured the inbound provisioning app. You are getting null or empty value from the HR app. You expect the provisioning service to clear the corresponding target attribute value in on-premises Active Directory / Microsoft Entra ID. But the operation fails with the error message: `InvalidAttributeSyntax-LdapErr: The syntax is invalid. The parameter is incorrect. Error in attribute conversion operation, data 0, v3839` |
| **Cause** | The provisioning service does not have a default logic for null value processing. When the provisioning service gets an empty string from the source app, it tries to flow the value "as-is" to the target app. In this case, on-premises Active Directory does not support setting empty string values and hence you see the above error. | | **Resolution** | Check the provisioning logs. Identify attributes in the target Active Directory that are receiving null or empty string values. Update the attribute mapping for such attributes to use an expression mapping. See recommended resolutions below. |
`IIF(IsNullOrEmpty([BusinessTitle]),"N/A",[BusinessTitle])`
- * Option 2: Use the function [IgnoreFlowIfNullOrEmpty](functions-for-customizing-application-data.md#ignoreflowifnullorempty) to drop empty or null attributes in the payload sent to on-premises Active Directory / Azure AD.
+ * Option 2: Use the function [IgnoreFlowIfNullOrEmpty](functions-for-customizing-application-data.md#ignoreflowifnullorempty) to drop empty or null attributes in the payload sent to on-premises Active Directory / Microsoft Entra ID.
`IgnoreFlowIfNullOrEmpty([BusinessTitle])` ## Some Workday attribute updates are missing **Applies to:** * Workday to on-premises Active Directory user provisioning
-* Workday to Azure Active Directory user provisioning
+* Workday to Microsoft Entra user provisioning
| Troubleshooting | Details | |-- | -- | | **Issue** | You have successfully configured the Workday inbound provisioning app and successfully connected to the Workday tenant URL. You are observing that there is a delay in the flow of certain attribute updates from Workday or in some cases, the attributes changes from Workday are not flowing through as expected during incremental sync. |
-| **Cause** | During incremental sync, the provisioning app queries Workday transaction log for changes to the primary Worker entity and only changes tracked by Workday's transaction log are processed. <br> If changes to a Workday attribute in your setup is not tracked by Workday's transaction log, then Azure AD will not be able to fetch that change. For example: the *LocalReference* Workday attribute is part of the default attribute mapping and it has XPATH `wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Local_Reference/wd:ID[@wd:type='Locale_ID']/text()`. Note that this attribute is part of the entity *Business_Site_Summary_Data*. A change in the value of this attribute in Workday will not show up in the Workday transaction log. Thus during incremental sync, the new value of this attribute will show up only if an attribute associated with the primary Worker entity also changes during the sync interval. |
+| **Cause** | During incremental sync, the provisioning app queries Workday transaction log for changes to the primary Worker entity and only changes tracked by Workday's transaction log are processed. <br> If changes to a Workday attribute in your setup is not tracked by Workday's transaction log, then Microsoft Entra ID will not be able to fetch that change. For example: the *LocalReference* Workday attribute is part of the default attribute mapping and it has XPATH `wd:Worker/wd:Worker_Data/wd:Employment_Data/wd:Position_Data/wd:Business_Site_Summary_Data/wd:Local_Reference/wd:ID[@wd:type='Locale_ID']/text()`. Note that this attribute is part of the entity *Business_Site_Summary_Data*. A change in the value of this attribute in Workday will not show up in the Workday transaction log. Thus during incremental sync, the new value of this attribute will show up only if an attribute associated with the primary Worker entity also changes during the sync interval. |
| **Resolution** | If you notice this behavior frequently, where changes to certain Workday attributes are not flowing through, we recommend periodically running a weekly or monthly full sync. | ## User match with extensionAttribute not working **Applies to:**
-* Workday to Azure Active Directory user provisioning
-* SAP SuccessFactors to Azure Active Directory user provisioning
+* Workday to Microsoft Entra user provisioning
+* SAP SuccessFactors to Microsoft Entra user provisioning
| Troubleshooting | Details | |-- | -- |
-| **Issue** | Let's say you are using *extensionAttribute3* in Azure AD to store the employee ID and you have mapped it to Workday *WorkerID* or SuccessFactors *personIdExternal* attribute for user matching. With this configuration, the matching step in provisioning process fails. This issue impacts both user creation and updates. |
-| **Cause** | The Azure AD *OnPremisesExtensionAttributes* (`extensionAttributes1-15`) cannot be used as a matching attribute because the `$filter` parameter of **Azure AD Graph API** does not [support filtering by extensionAttributes](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-supported-queries-filters-and-paging-options#filter). |
-| **Resolution** | Don't use Azure AD *OnPremisesExtensionAttributes* (`extensionAttributes1-15`) in the matching attribute pair. Use employeeID. |
+| **Issue** | Let's say you are using *extensionAttribute3* in Microsoft Entra ID to store the employee ID and you have mapped it to Workday *WorkerID* or SuccessFactors *personIdExternal* attribute for user matching. With this configuration, the matching step in provisioning process fails. This issue impacts both user creation and updates. |
+| **Cause** | The Microsoft Entra ID *OnPremisesExtensionAttributes* (`extensionAttributes1-15`) cannot be used as a matching attribute because the `$filter` parameter of **Azure AD Graph API** does not [support filtering by extensionAttributes](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-supported-queries-filters-and-paging-options#filter). |
+| **Resolution** | Don't use Microsoft Entra ID *OnPremisesExtensionAttributes* (`extensionAttributes1-15`) in the matching attribute pair. Use employeeID. |
## Next steps
-* [Learn more about Azure AD and Workday integration scenarios and web service calls](workday-integration-reference.md)
+* [Learn more about Microsoft Entra ID and Workday integration scenarios and web service calls](workday-integration-reference.md)
* [Learn how to review logs and get reports on provisioning activity](check-status-user-account-provisioning.md)
active-directory Hr Writeback Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/hr-writeback-issues.md
| Troubleshooting | Details | |-- | -- |
-| **Issue** | You have successfully configured the Writeback app. You are getting null or empty value from Azure AD. You expect the provisioning service to clear the corresponding email or phone number value in the HR app. But the operation fails. |
+| **Issue** | You have successfully configured the Writeback app. You are getting null or empty value from Microsoft Entra ID. You expect the provisioning service to clear the corresponding email or phone number value in the HR app. But the operation fails. |
| **Cause** | The provisioning service does not have a default logic for null value processing. When the provisioning service gets an empty string from the source app, it tries to flow the value "as-is" to the target app. If Workday or SuccessFactors cannot process empty values, then an error is returned. | | **Resolution** | Update the attribute mapping to use expression mappings as recommended below. | **Recommended resolutions**
- Let's say the attribute `telephoneNumber` mapped to SAP SuccessFactors attribute `businessPhoneNumber` may be null or empty in Azure AD.
+ Let's say the attribute `telephoneNumber` mapped to SAP SuccessFactors attribute `businessPhoneNumber` may be null or empty in Microsoft Entra ID.
* Option 1: Define an expression to check for empty or null values using functions like [IIF](functions-for-customizing-application-data.md#iif), [IsNullOrEmpty](functions-for-customizing-application-data.md#isnullorempty), [Coalesce](functions-for-customizing-application-data.md#coalesce) or [IsPresent](functions-for-customizing-application-data.md#ispresent) and pass a non-blank literal value (example: 000-000-0000 in this case). `IIF(IsNullOrEmpty([telephoneNumber]),"000-000-0000",[telephoneNumber])`
## Next steps
-* [Learn more about Azure AD and Workday integration scenarios and web service calls](workday-integration-reference.md)
+* [Learn more about Microsoft Entra ID and Workday integration scenarios and web service calls](workday-integration-reference.md)
* [Learn how to review logs and get reports on provisioning activity](check-status-user-account-provisioning.md)
active-directory Inbound Provisioning Api Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-concepts.md
# API-driven inbound provisioning concepts (Public preview)
-This document provides a conceptual overview of the Azure AD API-driven inbound user provisioning.
+This document provides a conceptual overview of the Microsoft Entra API-driven inbound user provisioning.
> [!IMPORTANT] > API-driven inbound provisioning is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Introduction
-Today enterprises have a variety of authoritative systems of record. To establish end-to-end identity lifecycle, strengthen security posture and stay compliant with regulations, identity data in Azure Active Directory must be kept in sync with workforce data managed in these systems of record. The *system of record* could be an HR app, a payroll app, a spreadsheet or SQL tables in a database hosted either on-premises or in the cloud.
+Today enterprises have a variety of authoritative systems of record. To establish end-to-end identity lifecycle, strengthen security posture and stay compliant with regulations, identity data in Microsoft Entra ID must be kept in sync with workforce data managed in these systems of record. The *system of record* could be an HR app, a payroll app, a spreadsheet or SQL tables in a database hosted either on-premises or in the cloud.
-With API-driven inbound provisioning, the Azure AD provisioning service now supports integration with *any* system of record. Customers and partners can use *any* automation tool of their choice to retrieve workforce data from the system of record and ingest it into Azure AD. The IT admin has full control on how the data is processed and transformed with attribute mappings. Once the workforce data is available in Azure AD, the IT admin can configure appropriate joiner-mover-leaver business processes using [Lifecycle Workflows](../governance/what-are-lifecycle-workflows.md).
+With API-driven inbound provisioning, the Microsoft Entra provisioning service now supports integration with *any* system of record. Customers and partners can use *any* automation tool of their choice to retrieve workforce data from the system of record and ingest it into Microsoft Entra ID. The IT admin has full control on how the data is processed and transformed with attribute mappings. Once the workforce data is available in Microsoft Entra ID, the IT admin can configure appropriate joiner-mover-leaver business processes using [Lifecycle Workflows](../governance/what-are-lifecycle-workflows.md).
## Supported scenarios
Several inbound user provisioning scenarios are enabled using API-driven inbound
### Scenario 1: Enable IT teams to import HR data extracts using any automation tool Flat files, CSV files and SQL staging tables are commonly used in enterprise integration scenarios. Employee, contractor and vendor information are periodically exported into one of these formats and an automation tool is used to sync this data with enterprise identity directories. With API-driven inbound provisioning, IT teams can use any automation tool of their choice (example: PowerShell scripts or Azure Logic Apps) to modernize and simplify this integration.
-### Scenario 2: Enable ISVs to build direct integration with Azure AD
-With API-driven inbound provisioning, HR ISVs can ship native synchronization experiences so that changes in the HR system automatically flow into Azure AD and connected on-premises Active Directory domains. For example, an HR app or student information systems app can send data to Azure AD as soon as a transaction is complete or as end-of-day bulk update.
+<a name='scenario-2-enable-isvs-to-build-direct-integration-with-azure-ad'></a>
+
+### Scenario 2: Enable ISVs to build direct integration with Microsoft Entra ID
+With API-driven inbound provisioning, HR ISVs can ship native synchronization experiences so that changes in the HR system automatically flow into Microsoft Entra ID and connected on-premises Active Directory domains. For example, an HR app or student information systems app can send data to Microsoft Entra ID as soon as a transaction is complete or as end-of-day bulk update.
### Scenario 3: Enable system integrators to build more connectors to systems of record
-Partners can build custom HR connectors to meet different integration requirements around data flow from systems of record to Azure AD.
+Partners can build custom HR connectors to meet different integration requirements around data flow from systems of record to Microsoft Entra ID.
-In all the above scenarios, the integration is greatly simplified as Azure AD provisioning service takes over the responsibility of performing identity profile comparison, restricting the data sync to scoping logic configured by the IT admin and executing rule-based attribute flow and transformation managed in the Microsoft Entra admin center.
+In all the above scenarios, the integration is greatly simplified as Microsoft Entra provisioning service takes over the responsibility of performing identity profile comparison, restricting the data sync to scoping logic configured by the IT admin and executing rule-based attribute flow and transformation managed in the Microsoft Entra admin center.
## End-to-end flow :::image type="content" source="media/inbound-provisioning-api-concepts/end-to-end-workflow.png" alt-text="Diagram of the end-to-end workflow of inbound provisioning." lightbox="media/inbound-provisioning-api-concepts/end-to-end-workflow.png":::
In all the above scenarios, the integration is greatly simplified as Azure AD pr
1. IT Admin configures [an API-driven inbound user provisioning app](inbound-provisioning-api-configure-app.md) from the Microsoft Entra Enterprise App gallery. 1. IT Admin [grants access permissions](inbound-provisioning-api-grant-access.md) and provides endpoint access details to the API developer/partner/system integrator.
-1. The API developer/partner/system integrator builds an API client to send authoritative identity data to Azure AD.
+1. The API developer/partner/system integrator builds an API client to send authoritative identity data to Microsoft Entra ID.
1. The API client reads identity data from the authoritative source. 1. The API client sends a POST request to provisioning [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint associated with the provisioning app. >[!NOTE] > The API client doesn't need to perform any comparisons between the source attributes and the target attribute values to determine what operation (create/update/enable/disable) to invoke. This is automatically handled by the provisioning service. The API client simply uploads the identity data read from the source system by packaging it as bulk request using SCIM schema constructs. 1. If successful, an ```Accepted 202 Status``` is returned.
-1. The Azure AD Provisioning Service processes the data received, applies the attribute mapping rules and completes user provisioning.
-1. Depending on the provisioning app configured, the user is provisioned either into on-premises Active Directory (for hybrid users) or Azure AD (for cloud-only users).
+1. The Microsoft Entra provisioning service processes the data received, applies the attribute mapping rules and completes user provisioning.
+1. Depending on the provisioning app configured, the user is provisioned either into on-premises Active Directory (for hybrid users) or Microsoft Entra ID (for cloud-only users).
1. The API Client then queries the provisioning logs API endpoint for the status of each record sent. 1. If the processing of any record fails, the API client can check the error details and include records corresponding to the failed operations in the next bulk request (step 5). 1. At any time, the IT Admin can check the status of the provisioning job and view events in the provisioning logs.
In all the above scenarios, the integration is greatly simplified as Azure AD pr
- The Graph API endpoint accepts valid bulk request payloads using SCIM schema constructs. - With SCIM schema extensions, you can send any attribute in the bulk request payload. - The rate limit for the inbound provisioning API is 40 bulk upload requests per second. Each bulk request can contain a maximum of 50 user records, thereby supporting an upload rate of 2000 records per second. -- Each API endpoint is associated with a specific provisioning app in Azure AD. You can integrate multiple data sources by creating a provisioning app for each data source.
+- Each API endpoint is associated with a specific provisioning app in Microsoft Entra ID. You can integrate multiple data sources by creating a provisioning app for each data source.
- Incoming bulk request payloads are processed in near real-time. - Admins can check provisioning progress by viewing the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md). - API clients can track progress by querying [provisioning logs API](/graph/api/resources/provisioningobjectsummary).
In all the above scenarios, the integration is greatly simplified as Azure AD pr
## Next steps - [Configure API-driven inbound provisioning app](inbound-provisioning-api-configure-app.md) - [Frequently asked questions about API-driven inbound provisioning](inbound-provisioning-api-faqs.md)-- [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](user-provisioning.md)
+- [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](user-provisioning.md)
active-directory Inbound Provisioning Api Configure App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md
This tutorial describes how to configure [API-driven inbound user provisioning](
> API-driven inbound provisioning is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). This feature is available only when you configure the following Enterprise Gallery apps:
-* API-driven inbound user provisioning to Azure AD
+* API-driven inbound user provisioning to Microsoft Entra ID
* API-driven inbound user provisioning to on-premises AD ## Prerequisites To complete the steps in this tutorial, you need access to Microsoft Entra admin center with the following roles:
-* [Application Administrator](../roles/permissions-reference.md#application-administrator) (if you're configuring inbound user provisioning to Azure AD) OR
+* [Application Administrator](../roles/permissions-reference.md#application-administrator) (if you're configuring inbound user provisioning to Microsoft Entra ID) OR
* [Application Administrator](../roles/permissions-reference.md#application-administrator) + [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) (if you're configuring inbound user provisioning to on-premises Active Directory) If you're configuring inbound user provisioning to on-premises Active Directory, you need access to a Windows Server where you can install the provisioning agent for connecting to your Active Directory domain controller.
If you're configuring inbound user provisioning to on-premises Active Directory,
## Create your API-driven provisioning app 1. Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
-2. Browse to **Azure Active Directory** > **Applications** > **Enterprise applications**.
+2. Browse to **Microsoft Entra ID** > **Applications** > **Enterprise applications**.
3. Click on **New application** to create a new provisioning application.
- [![Screenshot of Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox)
+ [![Screenshot of Microsoft Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox)
4. Enter **API-driven** in the search field, then select the application for your setup:
- * **API-driven Inbound User Provisioning to On-Premises AD**: Select this app if you're provisioning hybrid identities (identities that need both on-premises AD and Azure AD account) from your system of record. Once these accounts are provisioned in on-premises AD, they are automatically synchronized to your Azure AD tenant using Azure AD Connect or Cloud Sync.
- * **API-driven Inbound User Provisioning to Azure AD**: Select this app if you're provisioning cloud-only identities (identities that don't require on-premises AD accounts and only need Azure AD account) from your system of record.
+ * **API-driven Inbound User Provisioning to On-Premises AD**: Select this app if you're provisioning hybrid identities (identities that need both on-premises AD and Microsoft Entra account) from your system of record. Once these accounts are provisioned in on-premises AD, they are automatically synchronized to your Microsoft Entra tenant using Microsoft Entra Connect or Cloud Sync.
+ * **API-driven Inbound User Provisioning to Microsoft Entra ID**: Select this app if you're provisioning cloud-only identities (identities that don't require on-premises AD accounts and only need Microsoft Entra account) from your system of record.
[![Screenshot of API-driven provisioning apps.](media/inbound-provisioning-api-configure-app/api-driven-inbound-provisioning-apps.png)](media/inbound-provisioning-api-configure-app/api-driven-inbound-provisioning-apps.png#lightbox)
If you're configuring inbound user provisioning to on-premises Active Directory,
Depending on the app you selected, use one of the following sections to complete your setup: * [Configure API-driven inbound provisioning to on-premises AD](#configure-api-driven-inbound-provisioning-to-on-premises-ad)
-* [Configure API-driven inbound provisioning to Azure AD](#configure-api-driven-inbound-provisioning-to-azure-ad)
+* [Configure API-driven inbound provisioning to Microsoft Entra ID](#configure-api-driven-inbound-provisioning-to-azure-ad)
## Configure API-driven inbound provisioning to on-premises AD 1. After setting the Provisioning Mode to **Automatic**, click on **Save** to create the initial configuration of the provisioning job.
-1. Click on the information banner about the Azure AD Provisioning Agent.
+1. Click on the information banner about the Microsoft Entra provisioning Agent.
[![Screenshot of provisioning agent banner.](media/inbound-provisioning-api-configure-app/provisioning-agent-banner.png)](media/inbound-provisioning-api-configure-app/provisioning-agent-banner.png#lightbox)
-1. Click **Accept terms & download** to download the Azure AD Provisioning Agent.
-1. Refer to the steps documented here to [install and configure the provisioning agent.](https://go.microsoft.com/fwlink/?linkid=2241216). This step registers your on-premises Active Directory domains with your Azure AD tenant.
+1. Click **Accept terms & download** to download the Microsoft Entra provisioning Agent.
+1. Refer to the steps documented here to [install and configure the provisioning agent.](https://go.microsoft.com/fwlink/?linkid=2241216). This step registers your on-premises Active Directory domains with your Microsoft Entra tenant.
1. Once the agent registration is successful, select your domain in the drop-down **Active Directory domain** and specify the distinguished name of the OU where new user accounts are created by default. [![Screenshot of Active Directory domain selected.](media/inbound-provisioning-api-configure-app/provisioning-select-active-directory-domain.png)](media/inbound-provisioning-api-configure-app/provisioning-select-active-directory-domain.png#lightbox) > [!NOTE] > If your AD domain is not visible in the **Active Directory Domain** dropdown list, reload the provisioning app in the browser. Click on **View on-premises agents for your domain** to ensure that your agent status is healthy.
-1. Click on **Test connection** to ensure that Azure AD can connect to the provisioning agent.
+1. Click on **Test connection** to ensure that Microsoft Entra ID can connect to the provisioning agent.
1. Click on **Save** to save your changes. 1. Once the save operation is successful, you'll see two more expansion panels ΓÇô one for **Mappings** and one for **Settings**. Before proceeding to the next step, provide a valid notification email ID and save the configuration again. [![Screenshot of the notification email box.](media/inbound-provisioning-api-configure-app/provisioning-notification-email.png)](media/inbound-provisioning-api-configure-app/provisioning-notification-email.png#lightbox)
Depending on the app you selected, use one of the following sections to complete
1. Complete the configuration by following steps in the section [Start accepting provisioning requests](#start-accepting-provisioning-requests).
-## Configure API-driven inbound provisioning to Azure AD
+<a name='configure-api-driven-inbound-provisioning-to-azure-ad'></a>
+
+## Configure API-driven inbound provisioning to Microsoft Entra ID
1. After setting the Provisioning Mode to **Automatic**, click on **Save** to create the initial configuration of the provisioning job.
Depending on the app you selected, use one of the following sections to complete
## Next steps - [Grant access to the inbound provisioning API](inbound-provisioning-api-grant-access.md) - [Frequently asked questions about API-driven inbound provisioning](inbound-provisioning-api-faqs.md)-- [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](user-provisioning.md)-
+- [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](user-provisioning.md)
active-directory Inbound Provisioning Api Curl Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-curl-tutorial.md
## Verify processing of the bulk request payload 1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
-1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**.
+1. Browse to **Microsoft Entra ID -> Applications -> Enterprise applications**.
1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. 1. Click on **View provisioning logs** to open the provisioning logs blade. Alternatively, you can click on the menu option **Monitor -> Provisioning logs**.
active-directory Inbound Provisioning Api Custom Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-custom-attributes.md
By default, API-driven provisioning apps support processing attributes that are
## Example scenario
-You have configured API-driven provisioning app. You're provisioning app is successfully consuming the attributes that are part of the standard SCIM Core User and Enterprise User schema and provisioning users in Azure AD. You now want to send two custom attributes `HireDate` and `JobCode` from your HR system to the inbound provisioning API endpoint. You'd like to map these two custom attributes to Azure AD attributes `employeeHireDate` and `jobTitle`.
+You have configured API-driven provisioning app. You're provisioning app is successfully consuming the attributes that are part of the standard SCIM Core User and Enterprise User schema and provisioning users in Microsoft Entra ID. You now want to send two custom attributes `HireDate` and `JobCode` from your HR system to the inbound provisioning API endpoint. You'd like to map these two custom attributes to Microsoft Entra attributes `employeeHireDate` and `jobTitle`.
## Step 1 - Extend the provisioning app schema
Let's now add these extensions to the provisioning app attribute mapping.
1. Map the `urn:ietf:params:scim:schemas:extension:contoso:1.0:User:HireDate` attribute to `employeeHireDate`. Click **OK**. <br> :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/hire-date-mapping.png" alt-text="Screenshot of hire date mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/hire-date-mapping.png"::: 1. Next, select the existing mapping for `title` and click on it to edit the mapping.
-1. Edit the attribute mapping to an expression that will include the `urn:ietf:params:scim:schemas:extension:contoso:1.0:User:JobCode` as part of the `jobTitle` Azure AD attribute.
+1. Edit the attribute mapping to an expression that will include the `urn:ietf:params:scim:schemas:extension:contoso:1.0:User:JobCode` as part of the `jobTitle` Microsoft Entra attribute.
``` Join("", [title], "(", [urn:ietf:params:scim:schemas:extension:contoso:1.0:User:JobCode], ")") ``` :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/job-title-mapping.png" alt-text="Screenshot of job title mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/job-title-mapping.png":::
- With this expression mapping, if the `title` is "Tour Lead" and `JobCode`is "TL-1001", then the Azure AD attribute `jobTitle` will be set to "Tour Lead (TL-1001)".
+ With this expression mapping, if the `title` is "Tour Lead" and `JobCode`is "TL-1001", then the Microsoft Entra attribute `jobTitle` will be set to "Tour Lead (TL-1001)".
1. Save the attribute mappings. ## Step 3 - Upload bulk request with custom attributes
Let's now add these extensions to the provisioning app attribute mapping.
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/upload-bulk-request.png" alt-text="Screenshot of bulk upload request." lightbox="./media/inbound-provisioning-api-custom-attributes/upload-bulk-request.png"::: 1. After some time, you can check the provisioning logs to verify the attribute change. <br> :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/verify-provisioning-logs.png" alt-text="Screenshot of provisioning logs." lightbox="./media/inbound-provisioning-api-custom-attributes/verify-provisioning-logs.png":::
-1. You can also verify the change in the Azure AD user profile. The value for `Employee hire date` reflects your tenant time zone. <br>
+1. You can also verify the change in the Microsoft Entra user profile. The value for `Employee hire date` reflects your tenant time zone. <br>
:::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/verify-user-profile.png" alt-text="Screenshot of user profile." lightbox="./media/inbound-provisioning-api-custom-attributes/verify-user-profile.png"::: ## Appendix
active-directory Inbound Provisioning Api Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-faqs.md
There are significant differences between the provisioning /bulkUpload API and t
- **Payload format**: The MS Graph Users API endpoint expects data in OData format. The request payload format for the new inbound provisioning /bulkUpload API uses SCIM schema constructs. When invoking this API, set the 'Content-Type' header to `application/scim+json`. - **Operation end-result**:
- - When identity data is sent to the MS Graph Users API endpoint, it's immediately processed, and a Create/Update/Delete operation takes place on the Azure AD user profile.
- - Request data sent to the provisioning /bulkUpload API is processed *asynchronously* by the Azure AD provisioning service. The provisioning job applies scoping rules, attribute mapping and transformation configured by the IT admin. This initiates a ```Create/Update/Delete``` operation on the Azure AD user profile or the on-premises AD user profile.
-- **IT admin retains control**: With API-driven inbound provisioning, the IT admin has more control on how the incoming identity data is processed and mapped to Azure AD attributes. They can define scoping rules to exclude certain types of identity data (for example, contractor data) and use transformation functions to derive new values before setting the attribute values on the user profile.
+ - When identity data is sent to the MS Graph Users API endpoint, it's immediately processed, and a Create/Update/Delete operation takes place on the Microsoft Entra user profile.
+ - Request data sent to the provisioning /bulkUpload API is processed *asynchronously* by the Microsoft Entra provisioning service. The provisioning job applies scoping rules, attribute mapping and transformation configured by the IT admin. This initiates a ```Create/Update/Delete``` operation on the Microsoft Entra user profile or the on-premises AD user profile.
+- **IT admin retains control**: With API-driven inbound provisioning, the IT admin has more control on how the incoming identity data is processed and mapped to Microsoft Entra attributes. They can define scoping rules to exclude certain types of identity data (for example, contractor data) and use transformation functions to derive new values before setting the attribute values on the user profile.
## Is the inbound provisioning /bulkUpload API a standard SCIM endpoint?
The MS Graph inbound provisioning /bulkUpload is designed to handle a different
2. Ability to include any identity attribute in the payload (for example, costCenter, pay grade, badgeId) 3. Support API clients unaware of operation semantics. These clients are non-SCIM API clients that only have access to raw *source data* (for example, records in CSV file, SQL table or HR records). These clients don't have the processing capability to read each record and determine the operation semantics of ```Create/Update/Delete``` on the identity store.
-The primary goal of MS Graph inbound provisioning /bulkUpload API is to enable customers to send *any* identity data (for example, costCenter, pay grade, badgeId) from *any* identity data source (for example, CSV/SQL/HR) for eventual processing by Azure AD provisioning service. The Azure AD provisioning service consumes the bulk payload data received at this endpoint, applies attribute mapping rules configured by the IT admin and determines whether the data payload leads to (Create, Update, Enable, Disable) operation in the target identity store (Azure AD / on-premises AD).
+The primary goal of MS Graph inbound provisioning /bulkUpload API is to enable customers to send *any* identity data (for example, costCenter, pay grade, badgeId) from *any* identity data source (for example, CSV/SQL/HR) for eventual processing by Microsoft Entra provisioning service. The Microsoft Entra provisioning service consumes the bulk payload data received at this endpoint, applies attribute mapping rules configured by the IT admin and determines whether the data payload leads to (Create, Update, Enable, Disable) operation in the target identity store (Microsoft Entra ID / on-premises AD).
## Does the provisioning /bulkUpload API support on-premises Active Directory domains as a target?
Yes, the provisioning API supports on-premises AD domains as a target.
## How do we get the /bulkUpload API endpoint for our provisioning app?
-The /bulkUpload API is available only for apps of the type: "API-driven inbound provisioning to Azure AD" and "API-driven inbound provisioning to on-premises Active Directory". You can retrieve the unique API endpoint for each provisioning app from the Provisioning blade home page. In **Statistics to date** > **View technical information**,copy the **Provisioning API Endpoint** URL.
+The /bulkUpload API is available only for apps of the type: "API-driven inbound provisioning to Microsoft Entra ID" and "API-driven inbound provisioning to on-premises Active Directory". You can retrieve the unique API endpoint for each provisioning app from the Provisioning blade home page. In **Statistics to date** > **View technical information**,copy the **Provisioning API Endpoint** URL.
:::image type="content" source="media/inbound-provisioning-api-configure-app/provisioning-api-endpoint.png" alt-text="Screenshot of Provisioning API endpoint." lightbox="media/inbound-provisioning-api-configure-app/provisioning-api-endpoint.png":::
Use the **Restart provisioning** option only if required. Here's how it works:
Here's how the provisioning job associated with the /bulkUpload API endpoint processes incoming user payloads:
-1. The job retrieves the attribute mapping for the provisioning job and makes note of the matching attribute pair (by default ```externalId``` API attribute is used to match with ```employeeId``` in Azure AD).
+1. The job retrieves the attribute mapping for the provisioning job and makes note of the matching attribute pair (by default ```externalId``` API attribute is used to match with ```employeeId``` in Microsoft Entra ID).
1. You can change this default attribute matching pair. 1. The job extracts each operation present in the bulk request payload.
-1. The job checks the value matching identifier in the request (by default the attribute `externalId`) and uses it to check if there's a user in Azure AD with matching `employeeId` value.
+1. The job checks the value matching identifier in the request (by default the attribute `externalId`) and uses it to check if there's a user in Microsoft Entra ID with matching `employeeId` value.
1. If the job doesn't find a matching user, then the job applies the sync rules and creates a new user in the target directory.
-To make sure that the right users get created in Azure AD, define the right matching attribute pair in your mapping which uniquely identifies users in your source and Azure AD.
+To make sure that the right users get created in Microsoft Entra ID, define the right matching attribute pair in your mapping which uniquely identifies users in your source and Microsoft Entra ID.
## How do we generate unique values for UPN?
Here are some options that you can consider for generating unique UPNs:
## How do we send more HR attributes to the provisioning /bulkUpload API endpoint?
-By default, the API endpoint supports processing any attribute that is part of the SCIM Core User and Enterprise User schema. If you'd like to send more attributes, you can extend the provisioning app schema, map the new attributes to Azure AD attributes and update the bulk request to send those attributes.
+By default, the API endpoint supports processing any attribute that is part of the SCIM Core User and Enterprise User schema. If you'd like to send more attributes, you can extend the provisioning app schema, map the new attributes to Microsoft Entra attributes and update the bulk request to send those attributes.
Refer to the tutorial [Extend API-driven provisioning to sync custom attributes](inbound-provisioning-api-custom-attributes.md). ## How do we exclude certain users from the provisioning flow?
You can achieve this using the **Scoping filter**. In the provisioning app confi
Here's how the provisioning job associated with the /bulkUpload API endpoint processes incoming user payloads:
-1. The provisioning job retrieves the attribute mapping for the provisioning job and makes note of the matching attribute pair (by default ```externalId``` API attribute is used to match with ```employeeId``` in Azure AD). You can change this default attribute matching pair.
+1. The provisioning job retrieves the attribute mapping for the provisioning job and makes note of the matching attribute pair (by default ```externalId``` API attribute is used to match with ```employeeId``` in Microsoft Entra ID). You can change this default attribute matching pair.
1. The job extracts the operations from the bulk request payload.
-1. The job checks the value matching identifier in the SCIM request (by default: API attribute ```externalId```) and uses it to check if there's a user in Azure AD with matching ```employeeId``` value.
+1. The job checks the value matching identifier in the SCIM request (by default: API attribute ```externalId```) and uses it to check if there's a user in Microsoft Entra ID with matching ```employeeId``` value.
1. If the job finds a matching user, then it applies the sync rules and compares the source and target profiles. 1. If the job determines that some values have changed, then it updates the corresponding user record in the directory.
-To make sure that the right users get updated in Azure AD, make sure you define the right matching attribute pair in your mapping which uniquely identifies users in your source and Azure AD.
+To make sure that the right users get updated in Microsoft Entra ID, make sure you define the right matching attribute pair in your mapping which uniquely identifies users in your source and Microsoft Entra ID.
## Can we create more than one app that supports API-driven inbound provisioning?
You can retrieve the unique API endpoint for each job from the Provisioning blad
## How do we process terminations using the /bulkUpload API endpoint?
-To process terminations, identify an attribute in your source that will be used to set the ```accountEnabled``` flag in Azure AD. If you are provisioning to on-premises Active Directory, then map that source attribute to the `accountDisabled` attribute.
+To process terminations, identify an attribute in your source that will be used to set the ```accountEnabled``` flag in Microsoft Entra ID. If you are provisioning to on-premises Active Directory, then map that source attribute to the `accountDisabled` attribute.
By default, the value associated with the SCIM Core User schema attribute ```active``` determines the status of the user's account in the target directory. If the attribute is set to **true**, the default mapping rule enables the account. If the attribute is set to **false**, then the default mapping rule disables the account.
-## Can we soft-delete a user in Azure AD using /bulkUpload provisioning API?
+<a name='can-we-soft-delete-a-user-in-azure-ad-using-bulkupload-provisioning-api'></a>
+
+## Can we soft-delete a user in Microsoft Entra ID using /bulkUpload provisioning API?
Yes, you can soft-delete a user by using the **DELETE** method in the bulk request operation. Refer to the [bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API spec doc for an example request.
Yes, you can soft-delete a user by using the **DELETE** method in the bulk reque
To prevent and recover from accidental deletions, we recommend [configuring accidental deletion threshold](accidental-deletions.md) in the provisioning app and [enabling the on-premises Active Directory recycle bin](../hybrid/connect/how-to-connect-sync-recycle-bin.md). In your provisioning app's **Attribute Mapping** blade, under **Target object actions** disable the **Delete** operation. **Recovering deleted accounts**
-* If the target directory for the operation is Azure AD, then the matched user is soft-deleted. The user can be seen on the Microsoft Azure portal **Deleted users** page for the next 30 days and can be restored during that time.
+* If the target directory for the operation is Microsoft Entra ID, then the matched user is soft-deleted. The user can be seen on the Microsoft Azure portal **Deleted users** page for the next 30 days and can be restored during that time.
* If the target directory for the operation is on-premises Active Directory, then the matched user is hard-deleted. If the **Active Directory Recycle Bin** is enabled, you can restore the deleted on-premises AD user object. ## Do we need to send all users from the HR system in every request?
The provisioning job that processes data received by the API endpoint automatica
## How is writeback supported?
-The current API only supports inbound data. Here are some options to consider for implementing writeback of attributes like email / username / phone generated by Azure AD, that you can flow back to the HR system:
+The current API only supports inbound data. Here are some options to consider for implementing writeback of attributes like email / username / phone generated by Microsoft Entra ID, that you can flow back to the HR system:
- **Option 1 ΓÇô SCIM connectivity to HR endpoint/proxy service that in turn updates the HR source** - If the system of record provides a SCIM endpoint for user updates (for example Oracle HCM provides an [API endpoint for SCIM updates](https://docs.oracle.com/en/cloud/saas/applications-common/23b/farc#integrate-your-scim-endpoint-with-the-azure-ad-provisioning-service). - If the system of record doesn't provide a SCIM endpoint, explore the possibility of setting up a proxy SCIM service, which receives the update and propagate the change to the HR system. -- **Option 2 ΓÇô Use Azure AD ECMA connector for the writeback scenario**
+- **Option 2 ΓÇô Use Microsoft Entra ECMA connector for the writeback scenario**
- Depending on the customer requirement, explore if one of the ECMA connectors could be used (PowerShell / SQL / Web Services).
active-directory Inbound Provisioning Api Grant Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-grant-access.md
After you've configured [API-driven inbound provisioning app](inbound-provisioning-api-configure-app.md), you need to grant access permissions so that API clients can send requests to the provisioning [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API and query the [provisioning logs API](/graph/api/resources/provisioningobjectsummary). This tutorial walks you through the steps to configure these permissions.
-Depending on how your API client authenticates with Azure AD, you can select between two configuration options:
+Depending on how your API client authenticates with Microsoft Entra ID, you can select between two configuration options:
-* [Configure a service principal](#configure-a-service-principal): Follow these instructions if your API client plans to use a service principal of an [Azure AD registered app](../develop/howto-create-service-principal-portal.md) and authenticate using OAuth client credentials grant flow.
-* [Configure a managed identity](#configure-a-managed-identity): Follow these instructions if your API client plans to use an Azure AD [managed identity](../managed-identities-azure-resources/overview.md).
+* [Configure a service principal](#configure-a-service-principal): Follow these instructions if your API client plans to use a service principal of an [Microsoft Entra registered app](../develop/howto-create-service-principal-portal.md) and authenticate using OAuth client credentials grant flow.
+* [Configure a managed identity](#configure-a-managed-identity): Follow these instructions if your API client plans to use a Microsoft Entra [managed identity](../managed-identities-azure-resources/overview.md).
## Configure a service principal
-This configuration registers an app in Azure AD that represents the external API client and grants it permission to invoke the inbound provisioning API. The service principal client id and client secret can be used in the OAuth client credentials grant flow.
+This configuration registers an app in Microsoft Entra ID that represents the external API client and grants it permission to invoke the inbound provisioning API. The service principal client id and client secret can be used in the OAuth client credentials grant flow.
1. Log in to Microsoft Entra admin center (https://entra.microsoft.com) with at least [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823) login credentials.
-1. Browse to **Azure Active Directory** -> **Applications** -> **App registrations**.
+1. Browse to **Microsoft Entra ID** -> **Applications** -> **App registrations**.
1. Click on the option **New registration**. 1. Provide an app name, select the default options, and click on **Register**. [![Screenshot of app registration.](media/inbound-provisioning-api-grant-access/register-app.png)](media/inbound-provisioning-api-grant-access/register-app.png#lightbox)
This section describes how you can assign the necessary permissions to a managed
$managedID = Get-MgServicePrincipal -Filter "DisplayName eq 'CSV2SCIMBulkUpload'" New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedID.Id -ServicePrincipalId $managedID.Id -ResourceId $graphApp.Id -AppRoleId $AppRole.Id ```
-1. To confirm that the permission was applied, find the managed identity service principal under **Enterprise Applications** in Azure AD. Remove the **Application type** filter to see all service principals.
+1. To confirm that the permission was applied, find the managed identity service principal under **Enterprise Applications** in Microsoft Entra ID. Remove the **Application type** filter to see all service principals.
[![Screenshot of managed identity principal.](media/inbound-provisioning-api-grant-access/managed-identity-principal.png)](media/inbound-provisioning-api-grant-access/managed-identity-principal.png#lightbox) 1. Click on the **Permissions** blade under **Security**. Ensure the permission is set. [![Screenshot of managed identity permissions.](media/inbound-provisioning-api-grant-access/managed-identity-permissions.png)](media/inbound-provisioning-api-grant-access/managed-identity-permissions.png#lightbox)
This section describes how you can assign the necessary permissions to a managed
- [Quick start using Postman](inbound-provisioning-api-postman.md) - [Quick start using Graph Explorer](inbound-provisioning-api-graph-explorer.md) - [Frequently asked questions about API-driven inbound provisioning](inbound-provisioning-api-faqs.md)-
active-directory Inbound Provisioning Api Graph Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-graph-explorer.md
This tutorial describes how you can quickly test [API-driven inbound provisionin
* You have configured [API-driven inbound provisioning app](inbound-provisioning-api-configure-app.md). > [!NOTE]
-> This provisioning API is primarily meant for use within an application or service. Tenant admins can either configure a service principal or managed identity to grant permission to perform the upload. There is no separate user-assignable Azure AD built-in directory role for this API. Outside of applications that have acquired `SynchronizationData-User.Upload` permission with admin consent, only admin users with Global Administrator role can invoke the API. This tutorial shows how you can test the API with a global administrator role in your test setup.
+> This provisioning API is primarily meant for use within an application or service. Tenant admins can either configure a service principal or managed identity to grant permission to perform the upload. There is no separate user-assignable Microsoft Entra built-in directory role for this API. Outside of applications that have acquired `SynchronizationData-User.Upload` permission with admin consent, only admin users with Global Administrator role can invoke the API. This tutorial shows how you can test the API with a global administrator role in your test setup.
## Upload user data to the inbound provisioning API
You can verify the processing either from the Microsoft Entra admin center or us
### Verify processing from Microsoft Entra admin center 1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with at least [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823) login credentials.
-1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**.
+1. Browse to **Microsoft Entra ID -> Applications -> Enterprise applications**.
1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. 1. Click on **View provisioning logs** to open the provisioning logs blade. Alternatively, you can click on the menu option **Monitor -> Provisioning logs**.
active-directory Inbound Provisioning Api Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-issues.md
There's a user provisioning failure. The provisioning logs displays an error mes
2. Select the ```UserPrincipalName``` mapping and copy and paste this expression into the expression input box: ```Join("", Replace([userName], , "(?<Suffix>@(.)*)", "Suffix", "", , ), RandomString(3, 3, 0, 0, 0, ), "@", DefaultDomain())```
-This expression fixes the issue by appending a default domain to the UPN value accepted by Azure AD.
+This expression fixes the issue by appending a default domain to the UPN value accepted by Microsoft Entra ID.
## Next steps * [Learn more about API-driven inbound provisioning](inbound-provisioning-api-concepts.md)-
active-directory Inbound Provisioning Api Logic Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-logic-apps.md
# API-driven inbound provisioning with Azure Logic Apps (Public preview)
-This tutorial describes how to use Azure Logic Apps workflow to implement Microsoft Entra ID [API-driven inbound provisioning](inbound-provisioning-api-concepts.md). Using the steps in this tutorial, you can convert a CSV file containing HR data into a bulk request payload and send it to the Microsoft Entra ID provisioning [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint. The article also provides guidance on how the same integration pattern can be used with any system of record.
+This tutorial describes how to use Azure Logic Apps workflow to implement Microsoft Entra ID [API-driven inbound provisioning](inbound-provisioning-api-concepts.md). Using the steps in this tutorial, you can convert a CSV file containing HR data into a bulk request payload and send it to the Microsoft Entra provisioning [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint. The article also provides guidance on how the same integration pattern can be used with any system of record.
## Integration scenario
From an implementation perspective:
* You want to use an Azure Logic Apps workflow to read data from the CSV file exports available in an Azure File Share and send it to the inbound provisioning API endpoint. * In your Azure Logic Apps workflow, you don't want to implement the complex logic of comparing identity data between your system of record and target directory.
-* You want to use Microsoft Entra ID provisioning service to apply your IT managed provisioning rules to automatically create/update/enable/disable accounts in the target directory (on-premises Active Directory or Microsoft Entra ID).
+* You want to use Microsoft Entra provisioning service to apply your IT managed provisioning rules to automatically create/update/enable/disable accounts in the target directory (on-premises Active Directory or Microsoft Entra ID).
:::image type="content" source="media/inbound-provisioning-api-logic-apps/logic-apps-integration-overview.png" alt-text="Graphic of Azure Logic Apps-based integration." lightbox="media/inbound-provisioning-api-logic-apps/logic-apps-integration-overview.png":::
Here's a list of enterprise integration scenario variations, where API-driven in
| 5 | Dynamics 365 Human Resources | Use the [Dataverse connector](/azure/connectors/connect-common-data-service) to read data from [Dataverse tables](/dynamics365/human-resources/hr-developer-entities) used by Microsoft Dynamics 365 Human Resources. | | 6 | Any system that exposes REST APIs | If you don't find a connector for your system of record in the Logic Apps connector library, You can create your own [custom connector](/azure/logic-apps/logic-apps-create-api-app) to read data from your system of record. |
-After reading the source data, apply your pre-processing rules and convert the output from your system of record into a bulk request that can be sent to the Microsoft Entra ID provisioning [bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint.
+After reading the source data, apply your pre-processing rules and convert the output from your system of record into a bulk request that can be sent to the Microsoft Entra provisioning [bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint.
> [!IMPORTANT]
-> If you'd like to share your API-driven inbound provisioning + Logic Apps integration workflow with the community, create a [Logic app template](/azure/logic-apps/logic-apps-create-azure-resource-manager-templates), document steps on how to use it and submit a pull request for inclusion in the GitHub repository [Entra-ID-Inbound-Provisioning](https://github.com/AzureAD/entra-id-inbound-provisioning).
+> If you'd like to share your API-driven inbound provisioning + Logic Apps integration workflow with the community, create a [Logic app template](/azure/logic-apps/logic-apps-create-azure-resource-manager-templates), document steps on how to use it and submit a pull request for inclusion in the GitHub repository [`entra-id-inbound-provisioning`](https://github.com/AzureAD/entra-id-inbound-provisioning).
## How to use this tutorial
-The Logic Apps deployment template published in the [Microsoft Entra ID inbound provisioning GitHub repository](https://github.com/AzureAD/entra-id-inbound-provisioning/tree/main/LogicApps/CSV2SCIMBulkUpload) automates several tasks. It also has logic for handling large CSV files and chunking the bulk request to send 50 records in each request. Here's how you can test it and customize it per your integration requirements.
+The Logic Apps deployment template published in the [Microsoft Entra inbound provisioning GitHub repository](https://github.com/AzureAD/entra-id-inbound-provisioning/tree/main/LogicApps/CSV2SCIMBulkUpload) automates several tasks. It also has logic for handling large CSV files and chunking the bulk request to send 50 records in each request. Here's how you can test it and customize it per your integration requirements.
> [!NOTE] > The sample Azure Logic Apps workflow is provided "as-is" for implementation reference. If you have questions related to it or if you'd like to enhance it, please use the [GitHub project repository](https://github.com/AzureAD/entra-id-inbound-provisioning).
active-directory Inbound Provisioning Api Postman https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-postman.md
In this step, you'll configure the Postman app and invoke the API using the conf
1. Download and install the [Postman app](https://www.postman.com/downloads/). 1. Open the Postman desktop app.
-1. From the **Workspaces** menu, select **Create Workspace** to create a new Workspace called **Microsoft Entra ID Provisioning API**.
+1. From the **Workspaces** menu, select **Create Workspace** to create a new Workspace called **Microsoft Entra provisioning API**.
1. Download the following Postman collections and save it in your local directory.
- - [Entra ID Inbound Provisioning.postman_collection.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Entra%20ID%20Inbound%20Provisioning.postman_collection.json) (Request collection)
- - [Test-API2AAD.postman_environment.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Test-API2AAD.postman_environment.json) (Environment collection for API-driven provisioning to Azure AD)-
+ - [Microsoft Entra Inbound Provisioning.postman_collection.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Entra%20ID%20Inbound%20Provisioning.postman_collection.json) (Request collection)
+ - [Test-API2AAD.postman_environment.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Test-API2AAD.postman_environment.json) (Environment collection for API-driven provisioning to Microsoft Entra ID)-
- [Test-API2AD.postman_environment.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Test-API2AD.postman_environment.json) (Environment collection for API-driven provisioning to on-premises AD) 1. Use the **Import** option in Postman to import both of these files into your Workspace. :::image type="content" source="media/inbound-provisioning-api-postman/postman-import-elements.png" alt-text="Screenshot of Postman Import elements." lightbox="media/inbound-provisioning-api-postman/postman-import-elements.png":::
In this step, you'll configure the Postman app and invoke the API using the conf
1. Open your provisioning app landing page and copy-paste the value of **Job ID** for the `jobId` variable and the value of **Provisioning API endpoint** for the `bulk_upload_endpoint` variable :::image type="content" source="media/inbound-provisioning-api-configure-app/provisioning-api-endpoint.png" alt-text="Screenshot of Provisioning API endpoint." lightbox="media/inbound-provisioning-api-configure-app/provisioning-api-endpoint.png"::: 1. Leave the value of **ms_graph_resource_id** unchanged and save the environment collection. Make sure that both **Initial value** and **Current value** columns are populated.
-1. Next, open the collection **Entra ID Inbound Provisioning**.
+1. Next, open the collection **Microsoft Entra Inbound Provisioning**.
1. From the **Environment** dropdown, select **Test-API2AAD**. 1. Select the **Authorization** tab associated with the collection. 1. Make sure that authorization is configured to use OAuth settings.
You can verify the processing either from the Microsoft Entra admin center or us
### Verify processing from Microsoft Entra admin center 1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with at least [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823) level credentials.
-1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**.
+1. Browse to **Microsoft Entra ID -> Applications -> Enterprise applications**.
1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. 1. Click on **View provisioning logs** to open the provisioning logs blade. Alternatively, you can click on the menu option **Monitor -> Provisioning logs**.
You can verify the processing either from the Microsoft Entra admin center or us
### Verify processing using provisioning logs API in Postman This section shows how you can query provisioning logs in Postman using the same service account (service principal) that you configured.
-1. Open the workspace **Microsoft Entra ID Provisioning API** in your Postman desktop app.
-2. The collection **Entra ID Inbound Provisioning** contains three sample requests that enable you to query the provisioning logs.
+1. Open the workspace **Microsoft Entra provisioning API** in your Postman desktop app.
+2. The collection **Microsoft Entra Inbound Provisioning** contains three sample requests that enable you to query the provisioning logs.
3. You can open any of these predefined requests. 4. If you don't have a valid access token or you're not sure if the access token is still valid, go to the collection object's root Authorization tab and use the option **Get New Access Token** to get a fresh token. 5. Click **Send** to get provisioning log records.
active-directory Inbound Provisioning Api Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-powershell.md
# API-driven inbound provisioning with PowerShell script (Public preview)
-This tutorial describes how to use a PowerShell script to implement Microsoft Entra ID [API-driven inbound provisioning](inbound-provisioning-api-concepts.md). Using the steps in this tutorial, you can convert a CSV file containing HR data into a bulk request payload and send it to the Microsoft Entra ID provisioning [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint. The article also provides guidance on how the same integration pattern can be used with any system of record.
+This tutorial describes how to use a PowerShell script to implement Microsoft Entra ID [API-driven inbound provisioning](inbound-provisioning-api-concepts.md). Using the steps in this tutorial, you can convert a CSV file containing HR data into a bulk request payload and send it to the Microsoft Entra provisioning [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint. The article also provides guidance on how the same integration pattern can be used with any system of record.
## Integration scenario
From an implementation perspective:
* You want to use an unattended PowerShell script to read data from the CSV file exports and send it to the inbound provisioning API endpoint. * In your PowerShell script, you don't want to implement the complex logic of comparing identity data between your system of record and target directory.
-* You want to use Microsoft Entra ID provisioning service to apply your IT managed provisioning rules to automatically create/update/enable/disable accounts in the target directory (on-premises Active Directory or Microsoft Entra ID).
+* You want to use Microsoft Entra provisioning service to apply your IT managed provisioning rules to automatically create/update/enable/disable accounts in the target directory (on-premises Active Directory or Microsoft Entra ID).
:::image type="content" source="media/inbound-provisioning-api-powershell/powershell-integration-overview.png" alt-text="Graphic of PowerShell-based integration." lightbox="media/inbound-provisioning-api-powershell/powershell-integration-overview.png":::
While this tutorial uses a CSV file as a system of record, you can customize the
|3 | Any system that exposes REST APIs | To read data from a REST API endpoint using PowerShell, you can use the [Invoke-RestMethod](/powershell/module/microsoft.powershell.utility/invoke-restmethod) cmdlet from the `Microsoft.PowerShell.Utility` module. Check the documentation of your REST API and find out what parameters and headers it expects, what format it returns, and what authentication method it uses. You can then adjust your `Invoke-RestMethod` command accordingly. | |4 | Any system that exposes SOAP APIs | To read data from a SOAP API endpoint using PowerShell, you can use the [New-WebServiceProxy](/powershell/module/microsoft.powershell.management/new-webserviceproxy) cmdlet from the `Microsoft.PowerShell.Management` module. Check the documentation of your SOAP API and find out what parameters and headers it expects, what format it returns, and what authentication method it uses. You can then adjust your `New-WebServiceProxy` command accordingly. |
-After reading the source data, apply your pre-processing rules and convert the output from your system of record into a bulk request that can be sent to the Microsoft Entra ID provisioning [bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint.
+After reading the source data, apply your pre-processing rules and convert the output from your system of record into a bulk request that can be sent to the Microsoft Entra provisioning [bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint.
> [!IMPORTANT]
-> If you'd like to share your PowerShell integration script with the community, publish it on [PowerShell Gallery](https://www.powershellgallery.com/) and notify us on the GitHub repository [Entra-ID-Inbound-Provisioning](https://github.com/AzureAD/entra-id-inbound-provisioning), so we can add a reference it.
+> If you'd like to share your PowerShell integration script with the community, publish it on [PowerShell Gallery](https://www.powershellgallery.com/) and notify us on the GitHub repository [`entra-id-inbound-provisioning`](https://github.com/AzureAD/entra-id-inbound-provisioning), so we can add a reference it.
## How to use this tutorial
-The PowerShell sample script published in the [Microsoft Entra ID inbound provisioning GitHub repository](https://github.com/AzureAD/entra-id-inbound-provisioning/tree/main/PowerShell/CSV2SCIM) automates several tasks. It has logic for handling large CSV files and chunking the bulk request to send 50 records in each request. Here's how you can test it and customize it per your integration requirements.
+The PowerShell sample script published in the [Microsoft Entra inbound provisioning GitHub repository](https://github.com/AzureAD/entra-id-inbound-provisioning/tree/main/PowerShell/CSV2SCIM) automates several tasks. It has logic for handling large CSV files and chunking the bulk request to send 50 records in each request. Here's how you can test it and customize it per your integration requirements.
> [!NOTE] > The sample PowerShell script is provided "as-is" for implementation reference. If you have questions related to the script or if you'd like to enhance it, please use the [GitHub project repository](https://github.com/AzureAD/entra-id-inbound-provisioning).
The PowerShell sample script published in the [Microsoft Entra ID inbound provis
||||-| |1 | Read worker data from the CSV file. | [Download the PowerShell script](#download-the-powershell-script). It has out-of-the-box logic to read data from any CSV file. Refer to [CSV2SCIM PowerShell usage details](#csv2scim-powershell-usage-details) to get familiar with the different execution modes of this script. | If your system of record is different, check guidance provided in the section [Integration scenario variations](#integration-scenario-variations) on how you can customize the PowerShell script. | |2 | Pre-process and convert data to SCIM format. | By default, the PowerShell script converts each record in the CSV file to a SCIM Core User + Enterprise User representation. Follow the steps in the section [Generate bulk request payload with standard schema](#generate-bulk-request-payload-with-standard-schema) to get familiar with this process. | If your CSV file has different fields, tweak the [AttributeMapping.psd file](#attributemappingpsd-file) to generate a valid SCIM user. You can also [generate bulk request with custom SCIM schema](#generate-bulk-request-with-custom-scim-schema). Update the PowerShell script to include any custom CSV data validation logic.|
-|3 | Use a certificate for authentication to Entra ID. | [Create a service principal that can access](inbound-provisioning-api-grant-access.md) the inbound provisioning API. Refer to steps in the section [Configure client certificate for service principal authentication](#configure-client-certificate-for-service-principal-authentication) to learn how to use client certificate for authentication. | If you'd like to use managed identity instead of a service principal for authentication, then review the use of `Connect-MgGraph` in the sample script and update it to use [managed identities](/powershell/microsoftgraph/authentication-commands#using-managed-identity). |
+|3 | Use a certificate for authentication to Microsoft Entra ID. | [Create a service principal that can access](inbound-provisioning-api-grant-access.md) the inbound provisioning API. Refer to steps in the section [Configure client certificate for service principal authentication](#configure-client-certificate-for-service-principal-authentication) to learn how to use client certificate for authentication. | If you'd like to use managed identity instead of a service principal for authentication, then review the use of `Connect-MgGraph` in the sample script and update it to use [managed identities](/powershell/microsoftgraph/authentication-commands#using-managed-identity). |
|4 | Provision accounts in on-premises Active Directory or Microsoft Entra ID. | Configure [API-driven inbound provisioning app](inbound-provisioning-api-configure-app.md). This generates a unique [/bulkUpload](/graph/api/synchronization-synchronizationjob-post-bulkupload) API endpoint. Refer to the steps in the section [Generate and upload bulk request payload as admin user](#generate-and-upload-bulk-request-payload-as-admin-user) to learn how to upload data to this endpoint. Validate the attribute flow and customize the attribute mappings per your integration requirements. To run the script using a service principal with certificate-based authentication, refer to the steps in the section [Upload bulk request payload using client certificate authentication](#upload-bulk-request-payload-using-client-certificate-authentication) | If you plan to [use bulk request with custom SCIM schema](#generate-bulk-request-with-custom-scim-schema), then [extend the provisioning app schema](#extending-provisioning-job-schema) to include your custom SCIM schema elements.| |5 | Scan the provisioning logs and retry provisioning for failed records. | Refer to the steps in the section [Get provisioning logs of the latest sync cycles](#get-provisioning-logs-of-the-latest-sync-cycles) to learn how to fetch and analyze provisioning log data. Identify failed user records and include them in the next upload cycle. | - | |6 | Deploy your PowerShell based automation to production. | Once you have verified your API-driven provisioning flow and customized the PowerShell script to meet your requirements, you can deploy the automation as a [PowerShell Workflow runbook in Azure Automation](../../automation/learn/automation-tutorial-runbook-textual.md) or as a server process [scheduled to run on a Windows server](/troubleshoot/windows-server/system-management-components/schedule-server-process). | - |
The PowerShell sample script published in the [Microsoft Entra ID inbound provis
## Download the PowerShell script
-1. Access the GitHub repository https://github.com/AzureAD/entra-id-inbound-provisioning.
+1. Access the GitHub repository [`entra-id-inbound-provisioning`](https://github.com/AzureAD/entra-id-inbound-provisioning).
1. Use the **Code** -> **Clone** or **Code** -> **Download ZIP** option to copy contents of this repository into your local folder. 1. Navigate to the folder **PowerShell/CSV2SCIM**. It has the following directory structure: - src
To illustrate the procedure, we'll use the CSV file ```Samples/csv-with-2-record
## Get provisioning logs of the latest sync cycles
-After sending the bulk request, you can query the logs of the latest sync cycles processed by Azure AD. You can retrieve the sync statistics and processing details with the PowerShell script and save it for analysis.
+After sending the bulk request, you can query the logs of the latest sync cycles processed by Microsoft Entra ID. You can retrieve the sync statistics and processing details with the PowerShell script and save it for analysis.
1. To view the log details and sync statistics on the console, run the following command:
It doesn't refer to the attribute mappings that you perform in the Microsoft Ent
| ValidateAttributeMapping |Use this Switch flag to validate that the AttributeMapping file contains attributes that comply with the SCIM Core and Enterprise user schema. | Mandatory: No</br> Recommend using it to ensure compliance. | | ServicePrincipalId |The GUID value of your provisioning app's service principal ID that you can retrieve from the **Provisioning App** > **Properties** > **Object ID**| Mandatory: Only when you want to: </br>- Update the provisioning app schema, or</br>- Send the generated bulk request to the API endpoint. | | UpdateSchema |Use this switch to instruct the script to read the CSV columns and add them as custom SCIM attributes in your provisioning app schema.|
-| ClientId |The Client ID of an Azure AD registered app to use for OAuth authentication flow. This app must have valid certificate credentials. | Mandatory: Only when performing certificate-based authentication. |
+| ClientId |The Client ID of a Microsoft Entra registered app to use for OAuth authentication flow. This app must have valid certificate credentials. | Mandatory: Only when performing certificate-based authentication. |
| ClientCertificate |The Client Authentication Certificate to use during OAuth flow. | Mandatory: Only when performing certificate-based authentication.| | GetPreviousCycleLogs |To get the provisioning logs of the latest sync cycles. | | NumberOfCycles | To specify how many sync cycles should be retrieved. This value is 1 by default.|
active-directory Insufficient Access Rights Error Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/insufficient-access-rights-error-troubleshooting.md
Replace the ```dc=contoso,dc=com``` with your root node or appropriate OU contai
**Option 4: Skip GMSA account and use manually created service account** This option should only be used as a temporary workaround to unblock until the GMSA permission issue is investigated and resolved. Our recommendation is to use the GMSA account.
-You can set the registry option to [skip GMSA configuration](https://go.microsoft.com/fwlink/?linkid=2239993) and reconfigure the Azure AD Connect provisioning agent to use a manually created service account with the right permissions.
+You can set the registry option to [skip GMSA configuration](https://go.microsoft.com/fwlink/?linkid=2239993) and reconfigure the Microsoft Entra Connect provisioning agent to use a manually created service account with the right permissions.
## Next steps
active-directory Isv Automatic Provisioning Multi Tenant Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/isv-automatic-provisioning-multi-tenant-apps.md
Title: Enable automatic user provisioning for multi-tenant applications in Azure Active Directory
-description: A guide for independent software vendors for enabling automated provisioning in Azure Active Directory
+ Title: Enable automatic user provisioning for multi-tenant applications in Microsoft Entra ID
+description: A guide for independent software vendors for enabling automated provisioning in Microsoft Entra ID
-# Enable automatic user provisioning for your multi-tenant application in Azure Active Directory
+# Enable automatic user provisioning for your multi-tenant application in Microsoft Entra ID
Automatic user provisioning is the process of automating the creation, maintenance, and removal of user identities in target systems like your software-as-a-service applications.
Applications that require that a user record is present in the application befor
* Reduce support costs by providing rich logs to help customers troubleshoot user provisioning issues.
-* Increase the visibility of your application in the [Azure AD app gallery](https://azuremarketplace.microsoft.com/marketplace/apps).
+* Increase the visibility of your application in the [Microsoft Entra app gallery](https://azuremarketplace.microsoft.com/marketplace/apps).
* Get a prioritized listing in the App Tutorials page.
Applications that require that a user record is present in the application befor
## Choose a provisioning method
-Azure AD provides several integration paths to enable automatic user provisioning for your application.
+Microsoft Entra ID provides several integration paths to enable automatic user provisioning for your application.
-* The [Azure AD Provisioning Service](../app-provisioning/user-provisioning.md) manages the provisioning and deprovisioning of users from Azure AD to your application (outbound provisioning) and from your application to Azure AD (inbound provisioning). The service connects to the System for Cross-Domain Identity Management (SCIM) user management API endpoints provided by your application.
+* The [Microsoft Entra provisioning service](../app-provisioning/user-provisioning.md) manages the provisioning and deprovisioning of users from Microsoft Entra ID to your application (outbound provisioning) and from your application to Microsoft Entra ID (inbound provisioning). The service connects to the System for Cross-Domain Identity Management (SCIM) user management API endpoints provided by your application.
-* When using the [Microsoft Graph](/graph/), your application manages inbound and outbound provisioning of users and groups from Azure AD to your application by querying the Microsoft Graph API.
+* When using the [Microsoft Graph](/graph/), your application manages inbound and outbound provisioning of users and groups from Microsoft Entra ID to your application by querying the Microsoft Graph API.
* The Security Assertion Markup Language Just in Time (SAML JIT) user provisioning can be enabled if your application is using SAML for federation. It uses claims information sent in the SAML token to provision users. To help determine which integration option to use for your application, refer to the high-level comparison table, and then see the more detailed information on each option.
-| Capabilities enabled or enhanced by Automatic Provisioning| Azure AD Provisioning Service (SCIM 2.0)| Microsoft Graph API (OData v4.0)| SAML JIT |
+| Capabilities enabled or enhanced by Automatic Provisioning| Microsoft Entra provisioning service (SCIM 2.0)| Microsoft Graph API (OData v4.0)| SAML JIT |
|||||
-| User and group management in Azure AD| √| √| User only |
+| User and group management in Microsoft Entra ID| √| √| User only |
| Manage users and groups synced from on-premises Active Directory| √*| √*| User only* | | Access data beyond users and groups during provisioning Access to Microsoft 365 data (Teams, SharePoint, Email, Calendar, Documents, etc.)| X+| √| X | | Create, read, and update users based on business rules| √| √| √ |
To help determine which integration option to use for your application, refer to
| Support guest accounts (B2B)| √| √| √ | | Support non-enterprise accounts (B2C)| X| √| √ |
-<sup>*</sup> ΓÇô Azure AD Connect setup is required to sync users from AD to Azure AD.
+<sup>*</sup> ΓÇô Microsoft Entra Connect setup is required to sync users from AD to Microsoft Entra ID.
<sup>+</sup >ΓÇô Using SCIM for provisioning does not preclude you from integrating your application with Microsoft Graph for other purposes.
-## Azure AD Provisioning Service (SCIM)
+<a name='azure-ad-provisioning-service-scim'></a>
-The Azure AD provisioning services uses [SCIM](https://aka.ms/SCIMOverview), an industry standard for provisioning supported by many identity providers (IdPs) as well as applications (e.g. Slack, G Suite, Dropbox). We recommend you use the Azure AD provisioning service if you want to support IdPs in addition to Azure AD, as any SCIM-compliant IdP can connect to your SCIM endpoint. Building a simple /User endpoint, you can enable provisioning without having to maintain your own sync engine.
+## Microsoft Entra provisioning service (SCIM)
-For more information on how the Azure AD Provisioning Service users SCIM, see:
+The Microsoft Entra provisioning service uses [SCIM](https://aka.ms/SCIMOverview), an industry standard for provisioning supported by many identity providers (IdPs) as well as applications (e.g. Slack, G Suite, Dropbox). We recommend you use the Microsoft Entra provisioning service if you want to support IdPs in addition to Microsoft Entra ID, as any SCIM-compliant IdP can connect to your SCIM endpoint. Building a simple /User endpoint, you can enable provisioning without having to maintain your own sync engine.
+
+For more information on how the Microsoft Entra provisioning service users SCIM, see:
* [Learn more about the SCIM standard](https://aka.ms/SCIMOverview)
-* [Using System for Cross-Domain Identity Management (SCIM) to automatically provision users and groups from Azure Active Directory to applications](../app-provisioning/use-scim-to-provision-users-and-groups.md)
+* [Using System for Cross-Domain Identity Management (SCIM) to automatically provision users and groups from Microsoft Entra ID to applications](../app-provisioning/use-scim-to-provision-users-and-groups.md)
-* [Understand the Azure AD SCIM implementation](../app-provisioning/use-scim-to-provision-users-and-groups.md)
+* [Understand the Microsoft Entra SCIM implementation](../app-provisioning/use-scim-to-provision-users-and-groups.md)
## Microsoft Graph for Provisioning When you use Microsoft Graph for provisioning, you have access to all the rich user data available in Graph. In addition to the details of users and groups, you can also fetch additional information like the userΓÇÖs roles, manager and direct reports, owned and registered devices, and hundreds of other data pieces available in the [Microsoft Graph](/graph/api/overview).
-More than 15 million organizations, and 90% of fortune 500 companies use Azure AD while subscribing to Microsoft cloud services like Microsoft 365, Microsoft Azure, or Enterprise Mobility Suite. You can use Microsoft Graph to integrate your app with administrative workflows, such as employee onboarding (and termination), profile maintenance, and more.
+More than 15 million organizations, and 90% of fortune 500 companies use Microsoft Entra ID while subscribing to Microsoft cloud services like Microsoft 365, Microsoft Azure, or Enterprise Mobility Suite. You can use Microsoft Graph to integrate your app with administrative workflows, such as employee onboarding (and termination), profile maintenance, and more.
Learn more about using Microsoft Graph for provisioning:
Learn more about using Microsoft Graph for provisioning:
If you want to provision users only upon first sign in to your application, and do not need to automatically deprovision users, SAML JIT is an option. Your application must support SAML 2.0 as a federation protocol to use SAML JIT.
-SAML JIT uses the claims information in the SAML token to create and update user information in the application. Customers can configure these required claims in the Azure AD application as needed. Sometimes the JIT provisioning needs to be enabled from the application side so that customer can use this feature. SAML JIT is useful for creating and updating users, but it can't delete or deactivate the users in the application.
+SAML JIT uses the claims information in the SAML token to create and update user information in the application. Customers can configure these required claims in the Microsoft Entra application as needed. Sometimes the JIT provisioning needs to be enabled from the application side so that customer can use this feature. SAML JIT is useful for creating and updating users, but it can't delete or deactivate the users in the application.
## Next Steps
active-directory Known Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/known-issues.md
Title: Known issues for provisioning in Azure Active Directory
-description: Learn about known issues when you work with automated application provisioning or cross-tenant synchronization in Azure Active Directory.
+ Title: Known issues for provisioning in Microsoft Entra ID
+description: Learn about known issues when you work with automated application provisioning or cross-tenant synchronization in Microsoft Entra ID.
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
-# Known issues for provisioning in Azure Active Directory
+# Known issues for provisioning in Microsoft Entra ID
-This article discusses known issues to be aware of when you work with app provisioning or cross-tenant synchronization. To provide feedback about the application provisioning service on UserVoice, see [Azure Active Directory (Azure AD) application provision UserVoice](https://aka.ms/appprovisioningfeaturerequest). We watch UserVoice closely so that we can improve the service.
+This article discusses known issues to be aware of when you work with app provisioning or cross-tenant synchronization. To provide feedback about the application provisioning service on UserVoice, see [Microsoft Entra application provision UserVoice](https://aka.ms/appprovisioningfeaturerequest). We watch UserVoice closely so that we can improve the service.
> [!NOTE] > This article isn't a comprehensive list of known issues. If you know of an issue that isn't listed, provide feedback at the bottom of the page.
This article discusses known issues to be aware of when you work with app provis
### Provisioning users
-An external user from the source (home) tenant can't be provisioned into another tenant. Internal guest users from the source tenant can't be provisioned into another tenant. Only internal member users from the source tenant can be provisioned into the target tenant. For more information, see [Properties of an Azure Active Directory B2B collaboration user](../external-identities/user-properties.md).
+An external user from the source (home) tenant can't be provisioned into another tenant. Internal guest users from the source tenant can't be provisioned into another tenant. Only internal member users from the source tenant can be provisioned into the target tenant. For more information, see [Properties of a Microsoft Entra B2B collaboration user](../external-identities/user-properties.md).
In addition, users that are enabled for SMS sign-in cannot be synchronized through cross-tenant synchronization.
Configuring synchronization from the target tenant isn't supported. All configur
When two users in the source tenant have the same mail, and they both need to be created in the target tenant, one user will be created in the target and linked to the two users in the source. Please ensure that the mail attribute is not shared among users in the source tenant. In addition, please ensure that the mail of the user in the source tenant is from a verified domain. The external user will not be created successfully if the mail is from an unverified domain.
-### Usage of Azure AD B2B collaboration for cross-tenant access
+<a name='usage-of-azure-ad-b2b-collaboration-for-cross-tenant-access'></a>
+
+### Usage of Microsoft Entra B2B collaboration for cross-tenant access
- B2B users are unable to manage certain Microsoft 365 services in remote tenants (such as Exchange Online), as there's no directory picker. - Azure Virtual Desktop currently doesn't support B2B users.-- B2B users with UserType Member aren't currently supported in Power BI. For more information, see [Distribute Power BI content to external guest users using Azure Active Directory B2B](/power-bi/guidance/whitepaper-azure-b2b-power-bi)-- Converting a guest account into an Azure AD member account or converting an Azure AD member account into a guest isn't supported by Teams. For more information, see [Guest access in Microsoft Teams](/microsoftteams/guest-access).
+- B2B users with UserType Member aren't currently supported in Power BI. For more information, see [Distribute Power BI content to external guest users using Microsoft Entra B2B](/power-bi/guidance/whitepaper-azure-b2b-power-bi)
+- Converting a guest account into a Microsoft Entra member account or converting a Microsoft Entra member account into a guest isn't supported by Teams. For more information, see [Guest access in Microsoft Teams](/microsoftteams/guest-access).
::: zone-end ## Authorization
Extensions to your schema can sometimes be missing from the source attribute dro
#### Null attribute can't be provisioned
-Azure AD currently can't provision null attributes. If an attribute is null on the user object, it will be skipped.
+Microsoft Entra ID currently can't provision null attributes. If an attribute is null on the user object, it will be skipped.
#### Maximum characters for attribute-mapping expressions
If you create an app registration, the corresponding service principal in enterp
The [time](./application-provisioning-when-will-provisioning-finish-specific-user.md#how-long-will-it-take-to-provision-users) between provisioning cycles is currently not configurable.
-#### Changes not moving from target app to Azure AD
+<a name='changes-not-moving-from-target-app-to-azure-ad'></a>
+
+#### Changes not moving from target app to Microsoft Entra ID
-The app provisioning service isn't aware of changes made in external apps. So, no action is taken to roll back. The app provisioning service relies on changes made in Azure AD.
+The app provisioning service isn't aware of changes made in external apps. So, no action is taken to roll back. The app provisioning service relies on changes made in Microsoft Entra ID.
#### Switching from Sync All to Sync Assigned not working
Credentials, including the secret token, notification email, and SSO certificate
::: zone pivot="app-provisioning" ## On-premises application provisioning
-The following information is a current list of known limitations with the Azure AD ECMA Connector Host and on-premises application provisioning.
+The following information is a current list of known limitations with the Microsoft Entra ECMA Connector Host and on-premises application provisioning.
### Application and directories The following applications and directories aren't yet supported.
-#### Active Directory Domain Services (user or group writeback from Azure AD by using the on-premises provisioning preview)
- - When a user is managed by Azure AD Connect, the source of authority is on-premises Active Directory Domain Services. So, user attributes can't be changed in Azure AD. This preview doesn't change the source of authority for users managed by Azure AD Connect.
- - Attempting to use Azure AD Connect and the on-premises provisioning to provision groups or users into Active Directory Domain Services can lead to creation of a loop, where Azure AD Connect can overwrite a change that was made by the provisioning service in the cloud. Microsoft is working on a dedicated capability for group or user writeback. Upvote the UserVoice feedback on [this website](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789/) to track the status of the preview. Alternatively, you can use [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for user or group writeback from Azure AD to Active Directory.
+<a name='active-directory-domain-services-user-or-group-writeback-from-azure-ad-by-using-the-on-premises-provisioning-preview'></a>
+
+#### Active Directory Domain Services (user or group writeback from Microsoft Entra ID by using the on-premises provisioning preview)
+ - When a user is managed by Microsoft Entra Connect, the source of authority is on-premises Active Directory Domain Services. So, user attributes can't be changed in Microsoft Entra ID. This preview doesn't change the source of authority for users managed by Microsoft Entra Connect.
+ - Attempting to use Microsoft Entra Connect and the on-premises provisioning to provision groups or users into Active Directory Domain Services can lead to creation of a loop, where Microsoft Entra Connect can overwrite a change that was made by the provisioning service in the cloud. Microsoft is working on a dedicated capability for group or user writeback. Upvote the UserVoice feedback on [this website](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789/) to track the status of the preview. Alternatively, you can use [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for user or group writeback from Microsoft Entra ID to Active Directory.
+
+<a name='azure-ad'></a>
-#### Azure AD
+#### Microsoft Entra ID
- By using on-premises provisioning, you can take a user already in Azure AD and provision them into a third-party application. *You can't bring a user into the directory from a third-party application.* Customers will need to rely on our native HR integrations, Azure AD Connect, Microsoft Identity Manager, or Microsoft Graph, to bring users into the directory.
+ By using on-premises provisioning, you can take a user already in Microsoft Entra ID and provision them into a third-party application. *You can't bring a user into the directory from a third-party application.* Customers will need to rely on our native HR integrations, Microsoft Entra Connect, Microsoft Identity Manager, or Microsoft Graph, to bring users into the directory.
### Attributes and objects The following attributes and objects aren't supported:
The following attributes and objects aren't supported:
- Groups. - Complex anchors (for example, ObjectTypeName+UserName). - Binary attributes.
- - On-premises applications are sometimes not federated with Azure AD and require local passwords. The on-premises provisioning preview doesn't support password synchronization. Provisioning initial one-time passwords is supported. Ensure that you're using the [Redact](./functions-for-customizing-application-data.md#redact) function to redact the passwords from the logs. In the SQL and LDAP connectors, the passwords aren't exported on the initial call to the application, but rather a second call with set password.
+ - On-premises applications are sometimes not federated with Microsoft Entra ID and require local passwords. The on-premises provisioning preview doesn't support password synchronization. Provisioning initial one-time passwords is supported. Ensure that you're using the [Redact](./functions-for-customizing-application-data.md#redact) function to redact the passwords from the logs. In the SQL and LDAP connectors, the passwords aren't exported on the initial call to the application, but rather a second call with set password.
#### SSL certificates
- The Azure AD ECMA Connector Host currently requires either an SSL certificate to be trusted by Azure or the provisioning agent to be used. The certificate subject must match the host name the Azure AD ECMA Connector Host is installed on.
+ The Microsoft Entra ECMA Connector Host currently requires either an SSL certificate to be trusted by Azure or the provisioning agent to be used. The certificate subject must match the host name the Microsoft Entra ECMA Connector Host is installed on.
#### Anchor attributes
- The Azure AD ECMA Connector Host currently doesn't support anchor attribute changes (renames) or target systems, which require multiple attributes to form an anchor.
+ The Microsoft Entra ECMA Connector Host currently doesn't support anchor attribute changes (renames) or target systems, which require multiple attributes to form an anchor.
#### Attribute discovery and mapping The attributes that the target application supports are discovered and surfaced in the Azure portal in **Attribute Mappings**. Newly added attributes will continue to be discovered. If an attribute type has changed, for example, string to Boolean, and the attribute is part of the mappings, the type won't change automatically in the Azure portal. Customers will need to go into advanced settings in mappings and manually update the attribute type.
active-directory On Premises Application Provisioning Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
Title: 'Azure AD on-premises application provisioning architecture'
+ Title: 'Microsoft Entra on-premises application provisioning architecture'
description: Presents an overview of on-premises application provisioning architecture.
-# Azure AD on-premises application identity provisioning architecture
+# Microsoft Entra on-premises application identity provisioning architecture
## Overview
The following diagram shows an overview of how on-premises application provision
There are three primary components to provisioning users into an on-premises application: -- The provisioning agent provides connectivity between Azure Active Directory (Azure AD) and your on-premises environment.-- The ECMA host converts provisioning requests from Azure AD to requests made to your target application. It serves as a gateway between Azure AD and your application. You can use it to import existing ECMA2 connectors used with Microsoft Identity Manager. The ECMA host isn't required if you've built a SCIM application or SCIM gateway.-- The Azure AD provisioning service serves as the synchronization engine.
+- The provisioning agent provides connectivity between Microsoft Entra ID and your on-premises environment.
+- The ECMA host converts provisioning requests from Microsoft Entra ID to requests made to your target application. It serves as a gateway between Microsoft Entra ID and your application. You can use it to import existing ECMA2 connectors used with Microsoft Identity Manager. The ECMA host isn't required if you've built a SCIM application or SCIM gateway.
+- The Microsoft Entra provisioning service serves as the synchronization engine.
>[!NOTE] > Microsoft Identity Manager Synchronization isn't required. But you can use it to build and test your ECMA connector before you import it into the ECMA host.
The ECMA Connector Host has several areas it uses to achieve on-premises provisi
|Area|Description| |--|--|
-|Endpoints|Responsible for communication and data-transfer with the Azure AD provisioning service|
+|Endpoints|Responsible for communication and data-transfer with the Microsoft Entra provisioning service|
|In-memory cache|Used to store the data imported from the on-premises data source| |Autosync|Provides asynchronous data synchronization between the ECMA Connector Host and the on-premises data source| |Business logic|Used to coordinate all of the ECMA Connector Host activities. The Autosync time is configurable in the ECMA host. This is in the properties page.|
Since ECMA Connector Host currently only supports the USER object type, the OBJE
### User creation workflow
-1. The Azure AD provisioning service queries the ECMA Connector Host to see if the user exists. It uses the **matching attribute** as the filter. This attribute is defined in the Azure portal under Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching. It is denoted by the 1 for matching precedence.
+1. The Microsoft Entra provisioning service queries the ECMA Connector Host to see if the user exists. It uses the **matching attribute** as the filter. This attribute is defined in the Azure portal under Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching. It is denoted by the 1 for matching precedence.
You can define one or more matching attribute(s) and prioritize them based on the precedence. Should you want to change the matching attribute you can also do so. [![Matching attribute](./media/on-premises-application-provisioning-architecture/match-1.png)](./media/on-premises-application-provisioning-architecture/match-1.png#lightbox)
-2. ECMA Connector Host receives the GET request and queries its internal cache to see if the user exists and has based imported. This is done using the matching attribute(s) above. If you define multiple matching attributes, the Azure AD provisioning service will send a GET request for each attribute and the ECMA host will check its cache for a match until it finds one.
+2. ECMA Connector Host receives the GET request and queries its internal cache to see if the user exists and has based imported. This is done using the matching attribute(s) above. If you define multiple matching attributes, the Microsoft Entra provisioning service will send a GET request for each attribute and the ECMA host will check its cache for a match until it finds one.
-3. If the user does not exist, Azure AD will make a POST request to create the user. The ECMA Connector Host will respond back to Azure AD with the HTTP 201 and provide an ID for the user. This ID is derived from the anchor value defined in the object types page. This anchor will be used by Azure AD to query the ECMA Connector Host for future and subsequent requests.
-4. If a change happens to the user in Azure AD, then Azure AD will make a GET request to retrieve the user using the anchor from the previous step, rather than the matching attribute in step 1. This allows, for example, the UPN to change without breaking the link between the user in Azure AD and in the app.
+3. If the user does not exist, Microsoft Entra ID will make a POST request to create the user. The ECMA Connector Host will respond back to Microsoft Entra ID with the HTTP 201 and provide an ID for the user. This ID is derived from the anchor value defined in the object types page. This anchor will be used by Microsoft Entra ID to query the ECMA Connector Host for future and subsequent requests.
+4. If a change happens to the user in Microsoft Entra ID, then Microsoft Entra ID will make a GET request to retrieve the user using the anchor from the previous step, rather than the matching attribute in step 1. This allows, for example, the UPN to change without breaking the link between the user in Microsoft Entra ID and in the app.
## Agent best practices-- Using the same agent for the on-premises provisioning feature along with Workday / SuccessFactors / Azure AD Connect Cloud Sync is currently unsupported. We are actively working to support on-premises provisioning on the same agent as the other provisioning scenarios.
+- Using the same agent for the on-premises provisioning feature along with Workday / SuccessFactors / Microsoft Entra Connect Cloud Sync is currently unsupported. We are actively working to support on-premises provisioning on the same agent as the other provisioning scenarios.
- The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by: - Reducing the distance between the two ends of the hop.
Some common questions are answered here.
1. Sign in to the Windows server where the provisioning agent is installed. 2. Go to **Control Panel** > **Uninstall or Change a Program**.
- 3. Look for the version that corresponds to the entry for **Microsoft Azure AD Connect Provisioning Agent**.
+ 3. Look for the version that corresponds to the entry for **Microsoft Entra Connect Provisioning Agent**.
-### Can I install the provisioning agent on the same server running Azure AD Connect or Microsoft Identity Manager?
+<a name='can-i-install-the-provisioning-agent-on-the-same-server-running-azure-ad-connect-or-microsoft-identity-manager'></a>
-Yes. You can install the provisioning agent on the same server that runs Azure AD Connect or Microsoft Identity Manager, but they aren't required.
+### Can I install the provisioning agent on the same server running Microsoft Entra Connect or Microsoft Identity Manager?
+
+Yes. You can install the provisioning agent on the same server that runs Microsoft Entra Connect or Microsoft Identity Manager, but they aren't required.
### How do I configure the provisioning agent to use a proxy server for outbound HTTP communication?
The provisioning agent supports use of outbound proxy. You can configure it by e
</defaultProxy> </system.net> ```
-### How do I ensure the provisioning agent can communicate with the Azure AD tenant and no firewalls are blocking ports required by the agent?
+<a name='how-do-i-ensure-the-provisioning-agent-can-communicate-with-the-azure-ad-tenant-and-no-firewalls-are-blocking-ports-required-by-the-agent'></a>
+
+### How do I ensure the provisioning agent can communicate with the Microsoft Entra tenant and no firewalls are blocking ports required by the agent?
You can also check whether all the required ports are open.
You can also check whether all the required ports are open.
1. Sign in to the Windows server where the provisioning agent is installed. 2. Go to **Control Panel** > **Uninstall or Change a Program**. 3. Uninstall the following programs:
- - Microsoft Azure AD Connect Provisioning Agent
- - Microsoft Azure AD Connect Agent Updater
- - Microsoft Azure AD Connect Provisioning Agent Package
+ - Microsoft Entra Connect Provisioning Agent
+ - Microsoft Entra Connect Agent Updater
+ - Microsoft Entra Connect Provisioning Agent Package
## Provisioning agent history
-This article lists the versions and features of Azure Active Directory Connect Provisioning Agent that have been released. The Azure AD team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and Cloud Sync / HR-driven provisioning.
+This article lists the versions and features of Microsoft Entra Connect Provisioning Agent that have been released. The Microsoft Entra ID team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and Cloud Sync / HR-driven provisioning.
Microsoft provides direct support for the latest agent version and one version before.
active-directory On Premises Custom Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-custom-connector.md
Title: Azure AD provisioning to applications using custom connectors
-description: This document describes how to configure Azure AD to provision users with external systems that offer REST and SOAP APIs.
+ Title: Microsoft Entra provisioning to applications using custom connectors
+description: This document describes how to configure Microsoft Entra ID to provision users with external systems that offer REST and SOAP APIs.
# Provisioning with the custom connectors
-Azure AD supports preintegrated connectors for applications that support the following protocols and standards:
+Microsoft Entra ID supports preintegrated connectors for applications that support the following protocols and standards:
> [!div class="checklist"] > - [SCIM 2.0](on-premises-scim-provisioning.md)
Azure AD supports preintegrated connectors for applications that support the fol
> - [REST](on-premises-ldap-connector-configure.md) > - [SOAP](on-premises-ldap-connector-configure.md)
-For connectivity to applications that don't support the aforementioned protocols and standards, customers and [partners](https://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-mim-2016-management-agents-from-partners.aspx) have built custom [ECMA 2.0](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for Microsoft Identity Manager (MIM) 2016. You can now use those ECMA 2.0 connectors with the lightweight Azure AD provisioning agent, without needing MIM sync deployed.
+For connectivity to applications that don't support the aforementioned protocols and standards, customers and [partners](https://social.technet.microsoft.com/wiki/contents/articles/1589.fim-2010-mim-2016-management-agents-from-partners.aspx) have built custom [ECMA 2.0](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for Microsoft Identity Manager (MIM) 2016. You can now use those ECMA 2.0 connectors with the lightweight Microsoft Entra provisioning agent, without needing MIM sync deployed.
Custom connectors built for MIM rely on the [ECMA framework](/previous-versions/
* **Correct:** public Schema GetSchema (KeyedCollection<string, ConfigParameter> configParameters) * **Incorrect:** Schema PrefixGetSchema.GetSchema (KeyedCollection<string, ConfigParameter> configParameters)
-The following table includes capabilities of the ECMA framework that are either partially supported or not supported by the Azure AD provisioning agent. For a list of known limitations for the Azure AD provisioning service and on-premises application provisioning, see [here](known-issues.md#on-premises-application-provisioning).
+The following table includes capabilities of the ECMA framework that are either partially supported or not supported by the Microsoft Entra provisioning agent. For a list of known limitations for the Microsoft Entra provisioning service and on-premises application provisioning, see [here](known-issues.md#on-premises-application-provisioning).
| **Capability / feature** | **Support** | **Comments** |
The following table includes capabilities of the ECMA framework that are either
- [App provisioning](user-provisioning.md) - [ECMA Connector Host generic SQL connector](tutorial-ecma-sql-connector.md) - [ECMA Connector Host LDAP connector](on-premises-ldap-connector-configure.md)--
active-directory On Premises Ecma Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md
# Troubleshoot on-premises application provisioning ## Troubleshoot test connection issues
-After you configure the provisioning agent and ECMA host, it's time to test connectivity from the Azure Active Directory (Azure AD) provisioning service to the provisioning agent, the ECMA host, and the application. To perform this end-to-end test, select **Test connection** in the application in the Azure portal. Be sure to wait 10 to 20 minutes after assigning an initial agent or changing the agent before testing the connection. If after this time the test connection fails, try the following troubleshooting steps:
+After you configure the provisioning agent and ECMA host, it's time to test connectivity from the Microsoft Entra provisioning service to the provisioning agent, the ECMA host, and the application. To perform this end-to-end test, select **Test connection** in the application in the Azure portal. Be sure to wait 10 to 20 minutes after assigning an initial agent or changing the agent before testing the connection. If after this time the test connection fails, try the following troubleshooting steps:
1. Check that the agent and ECMA host are running: 1. On the server with the agent installed, open **Services** by going to **Start** > **Run** > **Services.msc**.
- 2. Under **Services**, make sure the **Microsoft Azure AD Connect Provisioning Agent**, and **Microsoft ECMA2Host** services are present and their status is *Running*.
+ 2. Under **Services**, make sure the **Microsoft Entra Connect Provisioning Agent**, and **Microsoft ECMA2Host** services are present and their status is *Running*.
![Screenshot that shows that the ECMA service is running.](./media/on-premises-ecma-troubleshoot/tshoot-1.png)
After you configure the provisioning agent and ECMA host, it's time to test conn
1. Ensure that you've assigned one or more agents to the application in the Azure portal. 1. After you assign an agent, you need to wait 10 to 20 minutes for the registration to complete. The connectivity test won't work until the registration completes. 1. Ensure that you're using a valid certificate that has not expired. Go to the **Settings** tab of the ECMA host to view the certificate expiration date. If the certificate has expired, click `Generate certificate` to generate a new certificate.
- 1. Restart the provisioning agent by going to the taskbar on your VM by searching for the Microsoft Azure AD Connect provisioning agent. Right-click **Stop**, and then select **Start**.
+ 1. Restart the provisioning agent by going to the taskbar on your VM by searching for the Microsoft Entra Connect provisioning agent. Right-click **Stop**, and then select **Start**.
1. If you continue to see `The ECMA host is currently importing data from the target application` even after restarting the ECMA Connector Host and the provisioning agent, and waiting for the initial import to complete, then you may need to cancel and start over configuring provisioning to the application in the Azure portal. 1. When you provide the tenant URL in the Azure portal, ensure that it follows the following pattern. You can replace `localhost` with your host name, but it isn't required. Replace `connectorName` with the name of the connector you specified in the ECMA host. The error message 'invalid resource' generally indicates that the URL does not follow the expected format.
After the ECMA Connector Host schema mapping has been configured, start the serv
## Understand incoming SCIM requests
-Requests made by Azure AD to the provisioning agent and connector host use the SCIM protocol. Requests made from the host to apps use the protocol the app supports. The requests from the host to the agent to Azure AD rely on SCIM. You can learn more about the SCIM implementation in [Tutorial: Develop and plan provisioning for a SCIM endpoint in Azure Active Directory](use-scim-to-provision-users-and-groups.md).
+Requests made by Microsoft Entra ID to the provisioning agent and connector host use the SCIM protocol. Requests made from the host to apps use the protocol the app supports. The requests from the host to the agent to Microsoft Entra ID rely on SCIM. You can learn more about the SCIM implementation in [Tutorial: Develop and plan provisioning for a SCIM endpoint in Microsoft Entra ID](use-scim-to-provision-users-and-groups.md).
-The Azure AD provisioning service generally makes a get-user call to check for a [dummy user](use-scim-to-provision-users-and-groups.md#request-3) in three situations: at the beginning of each provisioning cycle, before performing on-demand provisioning and when **test connection** is selected. This check ensures the target endpoint is available and returning SCIM-compliant responses to the Azure AD provisioning service.
+The Microsoft Entra provisioning service generally makes a get-user call to check for a [dummy user](use-scim-to-provision-users-and-groups.md#request-3) in three situations: at the beginning of each provisioning cycle, before performing on-demand provisioning and when **test connection** is selected. This check ensures the target endpoint is available and returning SCIM-compliant responses to the Microsoft Entra provisioning service.
## How do I troubleshoot the provisioning agent?
You might experience the following error scenarios.
You might receive an error message that states:
-"Service 'Microsoft Azure AD Connect Provisioning Agent' failed to start. Check that you have sufficient privileges to start the system services."
+"Service 'Microsoft Entra Connect Provisioning Agent' failed to start. Check that you have sufficient privileges to start the system services."
This problem is typically caused by a group policy that prevented permissions from being applied to the local NT Service sign-in account created by the installer (NT SERVICE\AADConnectProvisioningAgent). These permissions are required to start the service.
To resolve this problem:
1. Sign in to the server with an administrator account. 2. Open **Services** by either navigating to it or by going to **Start** > **Run** > **Services.msc**.
- 3. Under **Services**, double-click **Microsoft Azure AD Connect Provisioning Agent**.
+ 3. Under **Services**, double-click **Microsoft Entra Connect Provisioning Agent**.
4. On the **Log On** tab, change **This account** to a domain admin. Then restart the service. This test verifies that your agents can communicate with Azure over port 443. Open a browser, and go to the previous URL from the server where the agent is installed.
By default, the agent emits minimal error messages and stack trace information.
To gather more information for troubleshooting agent-related problems:
- 1. Install the AADCloudSyncTools PowerShell module as described in [AADCloudSyncTools PowerShell Module for Azure AD Connect cloud sync](../hybrid/cloud-sync/reference-powershell.md#install-the-aadcloudsynctools-powershell-module).
+ 1. Install the AADCloudSyncTools PowerShell module as described in [AADCloudSyncTools PowerShell Module for Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/reference-powershell.md#install-the-aadcloudsynctools-powershell-module).
2. Use the `Export-AADCloudSyncToolsLogs` PowerShell cmdlet to capture the information. Use the following switches to fine-tune your data collection. Use: - **SkipVerboseTrace** to only export current logs without capturing verbose logs (default = false).
To gather more information for troubleshooting agent-related problems:
-By using Azure AD, you can monitor the provisioning service in the cloud and collect logs on-premises. The provisioning service emits logs for each user that was evaluated as part of the synchronization process. Those logs can be consumed through the [Azure portal UI, APIs, and log analytics](../reports-monitoring/concept-provisioning-logs.md). The ECMA host also generates logs on-premises. It shows each provisioning request that was received and the response that was sent to Azure AD.
+By using Microsoft Entra ID, you can monitor the provisioning service in the cloud and collect logs on-premises. The provisioning service emits logs for each user that was evaluated as part of the synchronization process. Those logs can be consumed through the [Azure portal UI, APIs, and log analytics](../reports-monitoring/concept-provisioning-logs.md). The ECMA host also generates logs on-premises. It shows each provisioning request that was received and the response that was sent to Microsoft Entra ID.
### Agent installation fails * The error `System.ComponentModel.Win32Exception: The specified service already exists` indicates that the previous ECMA host was unsuccessfully uninstalled. Uninstall the host application. Go to program files, and remove the ECMA host folder. You might want to store the configuration file for backup.
active-directory On Premises Ldap Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ldap-connector-configure.md
Title: Azure AD Provisioning to LDAP directories
-description: This document describes how to configure Azure AD to provision users into an LDAP directory.
+ Title: Microsoft Entra provisioning to LDAP directories
+description: This document describes how to configure Microsoft Entra ID to provision users into an LDAP directory.
-# Configuring Azure AD to provision users into LDAP directories
-The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into an LDAP directory.
+# Configuring Microsoft Entra ID to provision users into LDAP directories
+The following documentation provides configuration and tutorial information demonstrating how to provision users from Microsoft Entra ID into an LDAP directory.
[!INCLUDE [app-provisioning-ldap.md](../../../includes/app-provisioning-ldap.md)]
active-directory On Premises Ldap Connector Prepare Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ldap-connector-prepare-directory.md
Title: Preparing for Azure AD Provisioning to Active Directory Lightweight Directory Services
-description: This document describes how to configure Azure AD to provision users into Active Directory Lightweight Directory Services as an example of an LDAP directory.
+ Title: Preparing for Microsoft Entra provisioning to Active Directory Lightweight Directory Services
+description: This document describes how to configure Microsoft Entra ID to provision users into Active Directory Lightweight Directory Services as an example of an LDAP directory.
-# Prepare Active Directory Lightweight Directory Services for provisioning from Azure AD
+# Prepare Active Directory Lightweight Directory Services for provisioning from Microsoft Entra ID
-The following documentation provides tutorial information demonstrating how to prepare an Active Directory Lightweight Directory Services (AD LDS) installation. This can be used as an example LDAP directory for troubleshooting or to demonstrate [how to provision users from Azure AD into an LDAP directory](on-premises-ldap-connector-configure.md).
+The following documentation provides tutorial information demonstrating how to prepare an Active Directory Lightweight Directory Services (AD LDS) installation. This can be used as an example LDAP directory for troubleshooting or to demonstrate [how to provision users from Microsoft Entra ID into an LDAP directory](on-premises-ldap-connector-configure.md).
## Prepare the LDAP directory
Currently, the LDAP connector provisions users with a blank password. This prov
6. Close the Local Group Policy editor
-Next, continue in the guidance to [provision users from Azure AD into an LDAP directory](on-premises-ldap-connector-configure.md) to download and configure the provisioning agent.
+Next, continue in the guidance to [provision users from Microsoft Entra ID into an LDAP directory](on-premises-ldap-connector-configure.md) to download and configure the provisioning agent.
## Appendix A - Install AD LDS PowerShell script The following PowerShell script can be used to automate the installation of Active Directory Lightweight Directory Services. You'll need to edit the script to match your environment; in particular, change `APP3` to the hostname of your computer.
active-directory On Premises Migrate Microsoft Identity Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md
Title: 'Export a Microsoft Identity Manager connector for use with the Azure AD ECMA Connector Host'
-description: Describes how to create and export a connector from MIM Sync to be used with the Azure AD ECMA Connector Host.
+ Title: 'Export a Microsoft Identity Manager connector for use with the Microsoft Entra ECMA Connector Host'
+description: Describes how to create and export a connector from MIM Sync to be used with the Microsoft Entra ECMA Connector Host.
-# Export a Microsoft Identity Manager connector for use with the Azure AD ECMA Connector Host
+# Export a Microsoft Identity Manager connector for use with the Microsoft Entra ECMA Connector Host
-You can import into the Azure Active Directory (Azure AD) ECMA Connector Host a configuration for a specific connector from a Forefront Identity Manager Synchronization Service or Microsoft Identity Manager Synchronization Service (MIM Sync) installation. The MIM Sync installation is only used for configuration, not for the ongoing synchronization from Azure AD.
+You can import into the Microsoft Entra ECMA Connector Host a configuration for a specific connector from a Forefront Identity Manager Synchronization Service or Microsoft Identity Manager Synchronization Service (MIM Sync) installation. The MIM Sync installation is only used for configuration, not for the ongoing synchronization from Microsoft Entra ID.
## Create a connector configuration in MIM Sync This section is included for illustrative purposes, if you wish to set up MIM Sync with a connector. If you already have MIM Sync with your ECMA connector configured, skip to the next section.
- 1. Prepare a Windows Server 2016 server, which is distinct from the server that will be used for running the Azure AD ECMA Connector Host. This host server should either have a SQL Server 2016 database colocated or have network connectivity to a SQL Server 2016 database. One way to set up this server is by deploying an Azure virtual machine with the image **SQL Server 2016 SP1 Standard on Windows Server 2016**. This server doesn't need internet connectivity other than remote desktop access for setup purposes.
+ 1. Prepare a Windows Server 2016 server, which is distinct from the server that will be used for running the Microsoft Entra ECMA Connector Host. This host server should either have a SQL Server 2016 database colocated or have network connectivity to a SQL Server 2016 database. One way to set up this server is by deploying an Azure virtual machine with the image **SQL Server 2016 SP1 Standard on Windows Server 2016**. This server doesn't need internet connectivity other than remote desktop access for setup purposes.
1. Create an account for use during the MIM Sync installation. It can be a local account on that Windows Server instance. To create a local account, open **Control Panel** > **User Accounts**, and add the user account **mimsync**. 1. Add the account created in the previous step to the local Administrators group. 1. Give the account created earlier the ability to run a service. Start **Local Security Policy** and select **Local Policies** > **User Rights Assignment** > **Log on as a service**. Add the account mentioned earlier.
At this point, the MIM Sync server is no longer needed.
## Import a connector configuration 1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#3-install-and-configure-the-azure-ad-connect-provisioning-agent) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#install-and-configure-the-azure-ad-connect-provisioning-agent) articles.
- 1. Sign in to the Windows server as the account that the Azure AD ECMA Connector Host runs as.
+ 1. Sign in to the Windows server as the account that the Microsoft Entra ECMA Connector Host runs as.
1. Change to the directory C:\Program Files\Microsoft ECMA2host\Service\ECMA. Ensure there are one or more DLLs already present in that directory. Those DLLs correspond to Microsoft-delivered connectors. 1. Copy the MA DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory. 1. Change to the directory C:\Program Files\Microsoft ECMA2Host\Wizard. Run the program Microsoft.ECMA2Host.ConfigWizard.exe to set up the ECMA Connector Host configuration.
At this point, the MIM Sync server is no longer needed.
## Next steps - Learn more about [App provisioning](user-provisioning.md)-- [Configuring Azure AD to provision users into SQL based applications](on-premises-sql-connector-configure.md) with the Generic SQL connector-- [Configuring Azure AD to provision users into LDAP directories](on-premises-ldap-connector-configure.md) with the Generic LDAP connector
+- [Configuring Microsoft Entra ID to provision users into SQL based applications](on-premises-sql-connector-configure.md) with the Generic SQL connector
+- [Configuring Microsoft Entra ID to provision users into LDAP directories](on-premises-ldap-connector-configure.md) with the Generic LDAP connector
active-directory On Premises Powershell Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-powershell-connector.md
Title: Azure AD Provisioning to applications via PowerShell
-description: This document describes how to configure Azure AD to provision users with external systems that offer Windows PowerShell based APIs.
+ Title: Microsoft Entra provisioning to applications via PowerShell
+description: This document describes how to configure Microsoft Entra ID to provision users with external systems that offer Windows PowerShell based APIs.
# Provisioning users into applications using PowerShell
-The following documentation provides configuration and tutorial information demonstrating how the generic PowerShell connector and the ECMA Connector Host can be used to integrate Azure AD with external systems that offer Windows PowerShell based APIs.
+The following documentation provides configuration and tutorial information demonstrating how the generic PowerShell connector and the ECMA Connector Host can be used to integrate Microsoft Entra ID with external systems that offer Windows PowerShell based APIs.
For additional information see [Windows PowerShell Connector technical reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-powershell)
The connector provides a bridge between the capabilities of the ECMA Connector H
### Cloud requirements
+ - A Microsoft Entra tenant with Microsoft Entra ID P1 or Premium P2 (or EMS E3 or E5). [!INCLUDE [active-directory-p1-license.md](../../../includes/active-directory-p1-license.md)]
- The Hybrid Identity Administrator role for configuring the provisioning agent and the Application Administrator or Cloud Application Administrator roles for configuring provisioning in the Azure portal.
+ - The Microsoft Entra users, to be provisioned, must already be populated with any attributes required by the schema.
-## Download, install, and configure the Azure AD Connect Provisioning Agent Package
+<a name='download-install-and-configure-the-azure-ad-connect-provisioning-agent-package'></a>
+
+## Download, install, and configure the Microsoft Entra Connect Provisioning Agent Package
If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
+ 1. In the Azure portal, select **Microsoft Entra ID**.
+ 2. On the left, select **Microsoft Entra Connect**.
3. On the left, select **Cloud sync**. :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
If you have already downloaded the provisioning agent and configured it for anot
5. Select **Download on-premises agent**, and select **Accept terms & download**. >[!NOTE]
- >Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
+ >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
6. Open the provisioning agent installer, agree to the terms of service, and select **next**. 7. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.
- 8. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
- 9. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
+ 8. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
+ 9. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
10. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. ## Configure the On-premises ECMA app
If you have already downloaded the provisioning agent and configured it for anot
|InputFile.txt|`C:\Program Files\Microsoft ECMA2Host\Service\ECMA\MAData`| |Schema.xml|`C:\Program Files\Microsoft ECMA2Host\Service\ECMA`|
- ## Configure the Azure AD ECMA Connector Host certificate
+ <a name='configure-the-azure-ad-ecma-connector-host-certificate'></a>
+
+## Configure the Microsoft Entra ECMA Connector Host certificate
1. On the Windows Server where the provisioning agent is installed, right click the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs. 2. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The certificate SAN matches the host name.
If you have already downloaded the provisioning agent and configured it for anot
1. Launch the Microsoft ECMA2Host Configuration Wizard from the start menu. 2. At the top, select **Import** and select the configuration.xml file from step 1. 3. The new connector should be created and appear in red. Click **Edit**.
- 4. Generate a secret token used for authenticating Azure AD to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string.
+ 4. Generate a secret token used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string.
```powershell -join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_}) ```
Ensure that the following attributes are selected:
### Deprovisioning
-On the Deprovisioning page, you can specify if you wish to have Azure AD remove users from the directory when they go out of scope of the application. If so, under Disable flow, select Delete, and under Delete flow, select Delete. If Set attribute value is chosen, the attributes selected on the previous page won't be available to select on the Deprovisioning page.
+On the Deprovisioning page, you can specify if you wish to have Microsoft Entra ID remove users from the directory when they go out of scope of the application. If so, under Disable flow, select Delete, and under Delete flow, select Delete. If Set attribute value is chosen, the attributes selected on the previous page won't be available to select on the Deprovisioning page.
- On the **Deprovisioning** page, all of the information should be populated. The table is provided as reference. Click **Next**.
On the Deprovisioning page, you can specify if you wish to have Azure AD remove
Follow these steps to confirm that the connector host has started and has identified any existing users from the target system.
- 1. On the server running the Azure AD ECMA Connector Host, select **Start**.
+ 1. On the server running the Microsoft Entra ECMA Connector Host, select **Start**.
2. Select **run** if needed, then enter **services.msc** in the box. 3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it is not running, select **Start**.
- 4. On the server running the Azure AD ECMA Connector Host, launch PowerShell.
+ 4. On the server running the Microsoft Entra ECMA Connector Host, launch PowerShell.
5. Change to the folder where the ECMA host was installed, such as `C:\Program Files\Microsoft ECMA2Host`. 6. Change to the subdirectory `Troubleshooting`. 7. Run the script `TestECMA2HostConnection.ps1` in the directory as shown, and provide as arguments the connector name and the `ObjectTypePath` value `cache`. If your connector host is not listening on TCP port 8585, then you may also need to provide the `-Port` argument as well. When prompted, type the secret token configured for that connector.
Follow these steps to confirm that the connector host has started and has identi
``` 8. If the script displays an error or warning message, then check that the service is running, and the connector name and secret token match those values you configured in the configuration wizard. 9. If the script displays the output `False`, then the connector has not seen any entries in the source target system for existing users. If this is a new target system installation, then this behavior is to be expected, and you can continue at the next section.
- 10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the target system. If you attempt to provision, then Azure AD may not correctly match users in that source directory with users in Azure AD. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users.
+ 10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the target system. If you attempt to provision, then Microsoft Entra ID may not correctly match users in that source directory with users in Microsoft Entra ID. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users.
+
+<a name='test-the-connection-from-azure-ad-to-the-connector-host'></a>
-## Test the connection from Azure AD to the connector host
+## Test the connection from Microsoft Entra ID to the connector host
1. Return to the web browser window where you were configuring the application provisioning in the portal. >[!NOTE]
Follow these steps to confirm that the connector host has started and has identi
3. Enter the **Secret Token** value that you defined when you created the connector. >[!NOTE]
- >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent** service, right-click the service, and restart.
+ >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent** service, right-click the service, and restart.
4. Select **Test Connection**, and wait one minute. 5. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
Return to the web browser window where you were configuring the application prov
|Tenant URL| `https://localhost:8585/ecma2host_CSV/scim`| 6. Enter the **Secret Token** value that you defined when you created the connector. >[!NOTE]
- >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.
+ >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent Service**, right-click the service, and restart.
7. Select **Test Connection**, and wait one minute. 8. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**. ## Configure attribute mappings
-Now you need to map attributes between the representation of the user in Azure AD and the representation of a user in the on-premises InputFile.txt.
+Now you need to map attributes between the representation of the user in Microsoft Entra ID and the representation of a user in the on-premises InputFile.txt.
-You'll use the Azure portal to configure the mapping between the Azure AD user's attributes and the attributes that you previously selected in the ECMA Host configuration wizard.
+You'll use the Azure portal to configure the mapping between the Microsoft Entra user's attributes and the attributes that you previously selected in the ECMA Host configuration wizard.
- 1. In the Azure AD portal, under **Enterprise applications**, select the **On-premises ECMA app** application, and then the **Provisioning** page.
+ 1. In the Microsoft Entra portal, under **Enterprise applications**, select the **On-premises ECMA app** application, and then the **Provisioning** page.
2. Select **Edit provisioning**, and wait 10 seconds.
- 3. Expand **Mappings** and select **Provision Azure Active Directory Users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder.
- 4. To confirm that the schema is available in Azure AD, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list.
+ 3. Expand **Mappings** and select **Provision Microsoft Entra Users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder.
+ 4. To confirm that the schema is available in Microsoft Entra ID, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list.
5. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning. Change the value to match the following:
You'll use the Azure portal to configure the mapping between the Azure AD user's
## Assign users to an application
-Now that you have the Azure AD ECMA Connector Host talking with Azure AD, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning.
+Now that you have the Microsoft Entra ECMA Connector Host talking with Microsoft Entra ID, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning.
>[!IMPORTANT] >If you were signed in using a Hybrid Identity Administrator role, you need to sign-out and sign-in with an account that has the Application Administrator, Cloud Application Administrator or Global Administrator role, for this section. The Hybrid Identity Administrator role does not have permissions to assign users to applications.
-If there are existing users in the InputFile.txt, then you should create application role assignments for those existing users. To learn more about how to create application role assignments in bulk, see [governing an application's existing users in Azure AD](../governance/identity-governance-applications-existing-users.md).
+If there are existing users in the InputFile.txt, then you should create application role assignments for those existing users. To learn more about how to create application role assignments in bulk, see [governing an application's existing users in Microsoft Entra ID](../governance/identity-governance-applications-existing-users.md).
-Otherwise, if there are no current users of the application, then select a test user from Azure AD who will be provisioned to the application.
+Otherwise, if there are no current users of the application, then select a test user from Microsoft Entra who will be provisioned to the application.
1. Ensure that the user selected has all the properties, mapped to the required attributes of the schema. 2. In the Azure portal, select **Enterprise applications**.
active-directory On Premises Sap Connector Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-sap-connector-configure.md
Title: Azure AD Provisioning into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later.
-description: This document describes how to configure Azure AD to provision users into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later.
+ Title: Microsoft Entra provisioning into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later.
+description: This document describes how to configure Microsoft Entra ID to provision users into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later.
-# Configuring Azure AD to provision users into SAP ECC with NetWeaver AS ABAP 7.0 or later
-The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning.
+# Configuring Microsoft Entra ID to provision users into SAP ECC with NetWeaver AS ABAP 7.0 or later
+The following documentation provides configuration and tutorial information demonstrating how to provision users from Microsoft Entra ID into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning.
[!INCLUDE [app-provisioning-sap.md](../../../includes/app-provisioning-sap.md)]
active-directory On Premises Scim Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md
Title: Azure AD on-premises app provisioning to SCIM-enabled apps
-description: This article describes how to use the Azure AD provisioning service to provision users into an on-premises app that's SCIM enabled.
+ Title: Microsoft Entra on-premises app provisioning to SCIM-enabled apps
+description: This article describes how to use the Microsoft Entra provisioning service to provision users into an on-premises app that's SCIM enabled.
-# Azure AD on-premises application provisioning to SCIM-enabled apps
+# Microsoft Entra on-premises application provisioning to SCIM-enabled apps
-The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/provisioning-with-scim-getting-started/ba-p/880010) client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Azure AD provisioning service to provision users into an on-premises application that's SCIM enabled. If you want to provision users into non-SCIM on-premises applications that use SQL as a data store, see the [Azure AD ECMA Connector Host Generic SQL Connector tutorial](tutorial-ecma-sql-connector.md). If you want to provision users into cloud apps such as DropBox and Atlassian, review the app-specific [tutorials](../../active-directory/saas-apps/tutorial-list.md).
+The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/provisioning-with-scim-getting-started/ba-p/880010) client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Microsoft Entra provisioning service to provision users into an on-premises application that's SCIM enabled. If you want to provision users into non-SCIM on-premises applications that use SQL as a data store, see the [Microsoft Entra ECMA Connector Host Generic SQL Connector tutorial](tutorial-ecma-sql-connector.md). If you want to provision users into cloud apps such as DropBox and Atlassian, review the app-specific [tutorials](../../active-directory/saas-apps/tutorial-list.md).
![Diagram that shows SCIM architecture.](./media/on-premises-scim-provisioning/scim-4.png) ## Prerequisites-- An Azure AD tenant with Azure AD Premium P1 or Premium P2 (or EMS E3 or E5). [!INCLUDE [active-directory-p1-license.md](../../../includes/active-directory-p1-license.md)]
+- A Microsoft Entra tenant with Microsoft Entra ID P1 or Premium P2 (or EMS E3 or E5). [!INCLUDE [active-directory-p1-license.md](../../../includes/active-directory-p1-license.md)]
- Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's either a hybrid administrator or a global administrator. - Administrator role for configuring the application in the cloud (application administrator, cloud application administrator, global administrator, or a custom role with permissions). - A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy.
-## Download, install, and configure the Azure AD Connect Provisioning Agent Package
+<a name='download-install-and-configure-the-azure-ad-connect-provisioning-agent-package'></a>
+
+## Download, install, and configure the Microsoft Entra Connect Provisioning Agent Package
If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
+ 1. In the Azure portal, select **Microsoft Entra ID**.
+ 2. On the left, select **Microsoft Entra Connect**.
3. On the left, select **Cloud sync**. :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
If you have already downloaded the provisioning agent and configured it for anot
5. Select **Download on-premises agent**, and select **Accept terms & download**. >[!NOTE]
- >Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
+ >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
1. Open the provisioning agent installer, agree to the terms of service, and select **next**. 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.
- 1. The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
- 1. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
+ 1. The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
+ 1. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. ## Provisioning to SCIM-enabled application
Once the agent is installed, no further configuration is necessary on-premises,
2. From the left hand menu navigate to the **Provisioning** option and select **Get started**. 3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option. 4. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
- 5. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
+ 5. Now either wait 10 minutes or restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection.
6. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png) 7. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. >[!NOTE]
The following video provides an overview of on-premises provisioning.
> [!VIDEO https://www.youtube.com/embed/QdfdpaFolys] ## Additional requirements
-* Ensure your [SCIM](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Azure AD SCIM requirements](use-scim-to-provision-users-and-groups.md).
+* Ensure your [SCIM](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Microsoft Entra SCIM requirements](use-scim-to-provision-users-and-groups.md).
- Azure AD offers open-source [reference code](https://github.com/AzureAD/SCIMReferenceCode/wiki) that developers can use to bootstrap their SCIM implementation. The code is as is.
+ Microsoft Entra ID offers open-source [reference code](https://github.com/AzureAD/SCIMReferenceCode/wiki) that developers can use to bootstrap their SCIM implementation. The code is as is.
* Support the /schemas endpoint to reduce configuration required in the Azure portal. ## Next steps
active-directory On Premises Web Services Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-web-services-connector.md
Title: Azure AD provisioning to applications via web services connector
-description: This document describes how to configure Azure AD to provision users with external systems that offer web services based APIs.
+ Title: Microsoft Entra provisioning to applications via web services connector
+description: This document describes how to configure Microsoft Entra ID to provision users with external systems that offer web services based APIs.
# Provisioning with the web services connector
-The following documentation provides information about the generic web services connector. Microsoft Entra Identity Governance supports provisioning accounts into various applications such as SAP ECC, Oracle eBusiness Suite, and line of business applications that expose REST or SOAP APIs. Customers that have previously deployed MIM to connect to these applications can easily switch to using the lightweight Azure AD provisioning agent, while reusing the same web services connector built for MIM.
+The following documentation provides information about the generic web services connector. Microsoft Entra ID Governance supports provisioning accounts into various applications such as SAP ECC, Oracle eBusiness Suite, and line of business applications that expose REST or SOAP APIs. Customers that have previously deployed MIM to connect to these applications can easily switch to using the lightweight Microsoft Entra provisioning agent, while reusing the same web services connector built for MIM.
## Capabilities supported > [!div class="checklist"] > - Create users in your application. > - Remove users in your application when they don't need access anymore.
-> - Keep user attributes synchronized between Azure AD and your application.
+> - Keep user attributes synchronized between Microsoft Entra ID and your application.
> - Discover the schema for your application. The web services connector implements the following functionalities:
active-directory Partner Driven Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/partner-driven-integrations.md
# Partner-driven provisioning integrations
-The Azure Active Directory Provisioning service allows you to provision users and groups into both [SaaS](user-provisioning.md) and [on-premises](on-premises-scim-provisioning.md) applications. There are four integration paths:
+The Microsoft Entra provisioning service allows you to provision users and groups into both [SaaS](user-provisioning.md) and [on-premises](on-premises-scim-provisioning.md) applications. There are four integration paths:
-**Option 1 - Azure AD Application Gallery:**
-Popular third party applications, such as Dropbox, Snowflake, and Workplace by Facebook, are made available for customers through the Azure AD application gallery. New applications can easily be onboarded to the gallery using the [application network portal](../manage-apps/v2-howto-app-gallery-listing.md).
+**Option 1 - Microsoft Entra Application Gallery:**
+Popular third party applications, such as Dropbox, Snowflake, and Workplace by Facebook, are made available for customers through the Microsoft Entra application gallery. New applications can easily be onboarded to the gallery using the [application network portal](../manage-apps/v2-howto-app-gallery-listing.md).
**Option 2 - Implement a SCIM compliant API for your application:**
-If your line-of-business application supports the [SCIM](https://aka.ms/scimoverview) standard, it can easily be integrated with the [Azure AD SCIM client](use-scim-to-provision-users-and-groups.md).
+If your line-of-business application supports the [SCIM](https://aka.ms/scimoverview) standard, it can easily be integrated with the [Microsoft Entra SCIM client](use-scim-to-provision-users-and-groups.md).
[![Diagram showing implementation of a SCIM compliant API for your application.](media/partner-driven-integrations/scim-compliant-api-1.png)](media/partner-driven-integrations/scim-compliant-api-1.png#lightbox) **Option 3 - Use Microsoft Graph:**
-Many new applications use Microsoft Graph to retrieve users, groups and other resources from Azure Active Directory. You can learn more about what scenarios to use [SCIM and Graph](scim-graph-scenarios.md) in.
+Many new applications use Microsoft Graph to retrieve users, groups and other resources from Microsoft Entra ID. You can learn more about what scenarios to use [SCIM and Graph](scim-graph-scenarios.md) in.
**Option 4 - Use partner-driven connectors:**
-In cases where an application doesn't support SCIM, partners have built gateways between the Azure AD SCIM client and target applications. **This document serves as a place for partners to attest to integrations that are compatible with Azure Active Directory, and for customers to discover these partner-driven integrations.** These gateways are built, maintained, and owned by the third-party vendor.
+In cases where an application doesn't support SCIM, partners have built gateways between the Microsoft Entra SCIM client and target applications. **This document serves as a place for partners to attest to integrations that are compatible with Microsoft Entra ID, and for customers to discover these partner-driven integrations.** These gateways are built, maintained, and owned by the third-party vendor.
- [![Diagram showing gateways between the Azure AD SCIM client and target applications.](media/partner-driven-integrations/partner-driven-connectors-1.png)](media/partner-driven-integrations/partner-driven-connectors-1.png#lightbox)
+ [![Diagram showing gateways between the Microsoft Entra SCIM client and target applications.](media/partner-driven-integrations/partner-driven-connectors-1.png)](media/partner-driven-integrations/partner-driven-connectors-1.png#lightbox)
## Available partner-driven integrations The descriptions and lists of applications below are provided by the partners themselves. You can use the lists of applications supported to identify a partner that you may want to contact and learn more about.
The descriptions and lists of applications below are provided by the partners th
### IDMWORKS #### Description We Are Experts In Identity & Access Management and Data Center Management.
-The Azure AD platform integrates with IDMWORKS IdentityForge (IDF) Gateway for user lifecycle management for Mainframe systems (RACF, Top Secret, ACF2), Midrange system (AS400), Healthcare applications (EPIC/Cerner), Linux/Unix servers, Databases, and dozens of on-premises and cloud applications. IdentityForge provides a central, standardized integration engine and modern identity store that serves as a trusted source for all lifecycle management.
-The IDF Gateway for Azure AD provides lifecycle management for import sources and provisioning target systems that are not covered by the Azure AD connector portfolio like Mainframe systems (RACF, Top Secret, ACF2) or Healthcare applications (EPIC/Cerner). The IDF Gateway powers Azure AD identity lifecycle management (LCM) to continuously synchronize user account information from Mainframe/Healthcare sources and to automate the account provisioning lifecycle use cases like create, read (import), update, deactivate, delete user accounts and perform group management.
+The Microsoft Entra platform integrates with IDMWORKS IdentityForge (IDF) Gateway for user lifecycle management for Mainframe systems (RACF, Top Secret, ACF2), Midrange system (AS400), Healthcare applications (EPIC/Cerner), Linux/Unix servers, Databases, and dozens of on-premises and cloud applications. IdentityForge provides a central, standardized integration engine and modern identity store that serves as a trusted source for all lifecycle management.
+The IDF Gateway for Microsoft Entra ID provides lifecycle management for import sources and provisioning target systems that are not covered by the Microsoft Entra connector portfolio like Mainframe systems (RACF, Top Secret, ACF2) or Healthcare applications (EPIC/Cerner). The IDF Gateway powers Microsoft Entra identity lifecycle management (LCM) to continuously synchronize user account information from Mainframe/Healthcare sources and to automate the account provisioning lifecycle use cases like create, read (import), update, deactivate, delete user accounts and perform group management.
#### Contact information * Company website: https://www.idmworks.com/identity-forge
UNIFY Solutions is the leading provider of Identity, Access, Security and Govern
## How-to add partner-driven integrations to this document If you have built a SCIM Gateway and would like to add it to this list, follow the steps below.
-1. Review the Azure AD SCIM [documentation](use-scim-to-provision-users-and-groups.md) to understand the Azure AD SCIM implementation.
-1. Test compatibility between the Azure AD SCIM client and your SCIM gateway.
+1. Review the Microsoft Entra SCIM [documentation](use-scim-to-provision-users-and-groups.md) to understand the Microsoft Entra SCIM implementation.
+1. Test compatibility between the Microsoft Entra SCIM client and your SCIM gateway.
1. Click the pencil at the top of this document to edit the article 1. Once you're redirected to GitHub, click the pencil at the top of the article to start making changes 1. Make changes in the article using the Markdown language and create a pull request. Make sure to provide a description for the pull request.
If you have built a SCIM Gateway and would like to add it to this list, follow t
* Add any new partners in alphabetical order. * Limit your entries to 500 words. * Ensure that you provide contact information for customers to learn more.
-* To avoid duplication, only include applications that don't already have out of the box provisioning connectors in the [Azure AD application gallery](../saas-apps/tutorial-list.md).
+* To avoid duplication, only include applications that don't already have out of the box provisioning connectors in the [Microsoft Entra application gallery](../saas-apps/tutorial-list.md).
## Disclaimer
-For independent software vendors: The Microsoft Azure Active Directory Application Gallery Terms & Conditions, excluding Sections 2ΓÇô4, apply to this Partner-Driven Integrations Catalog (the ΓÇ£Integrations CatalogΓÇ¥). References to the ΓÇ£GalleryΓÇ¥ shall be read as the ΓÇ£Integrations CatalogΓÇ¥ and references to an ΓÇ£AppΓÇ¥ shall be read as ΓÇ£IntegrationΓÇ¥.
+For independent software vendors: The Microsoft Entra Application Gallery Terms & Conditions, excluding Sections 2ΓÇô4, apply to this Partner-Driven Integrations Catalog (the ΓÇ£Integrations CatalogΓÇ¥). References to the ΓÇ£GalleryΓÇ¥ shall be read as the ΓÇ£Integrations CatalogΓÇ¥ and references to an ΓÇ£AppΓÇ¥ shall be read as ΓÇ£IntegrationΓÇ¥.
If you don't agree with these terms, you shouldn't submit your Integration for listing in the Integrations Catalog. If you submit an Integration to the Integrations Catalog, you agree that you or the entity you represent (ΓÇ£YOUΓÇ¥ or ΓÇ£YOURΓÇ¥) is bound by these terms.
active-directory Plan Auto User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md
Title: Plan an automatic user provisioning deployment for Azure Active Directory
-description: Guidance for planning and executing automatic user provisioning in Azure Active Directory
+ Title: Plan an automatic user provisioning deployment for Microsoft Entra ID
+description: Guidance for planning and executing automatic user provisioning in Microsoft Entra ID
-# Plan an automatic user provisioning deployment in Azure Active Directory
+# Plan an automatic user provisioning deployment in Microsoft Entra ID
Many organizations rely on software as a service (SaaS) applications such as ServiceNow, Zscaler, and Slack for end-user productivity. Historically IT staff has relied on manual provisioning methods such as uploading CSV files, or using custom scripts to securely manage user identities in each SaaS application. These processes are error prone, insecure, and hard to manage.
-Azure Active Directory (Azure AD) automatic user provisioning simplifies this process by securely automating the creation, maintenance, and removal of user identities in SaaS applications based on business rules. This automation allows you to effectively scale your identity management systems on both cloud-only and hybrid environments as you expand their dependency on cloud-based solutions.
+Microsoft Entra automatic user provisioning simplifies this process by securely automating the creation, maintenance, and removal of user identities in SaaS applications based on business rules. This automation allows you to effectively scale your identity management systems on both cloud-only and hybrid environments as you expand their dependency on cloud-based solutions.
-See [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md) to better understand the functionality.
+See [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md) to better understand the functionality.
## Learn
The key benefits of enabling automatic user provisioning are:
* **Manage risk**. You can increase security by automating changes based on employee status or group memberships that define roles and/or access.
-* **Address compliance and governance**. Azure AD supports native audit logs for every user provisioning request. Requests are executed in both the source and target systems. Audit logs let you track who has access to applications from a single screen.
+* **Address compliance and governance**. Microsoft Entra ID supports native audit logs for every user provisioning request. Requests are executed in both the source and target systems. Audit logs let you track who has access to applications from a single screen.
* **Reduce cost**. Automatic user provisioning reduces costs by avoiding inefficiencies and human error associated with manual provisioning. It reduces the need for custom-developed user provisioning solutions, scripts, and audit logs. ### Licensing
-Azure AD provides self-service integration of any application using templates provided in the application gallery menu. For a full list of license requirements, see [Azure AD pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+Microsoft Entra ID provides self-service integration of any application using templates provided in the application gallery menu. For a full list of license requirements, see [Microsoft Entra pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
#### Application licensing
-You need the appropriate licenses for the application(s) you want to automatically provision. Discuss with the application owners whether the users assigned to the application have the proper licenses for their application roles. If Azure AD manages automatic provisioning based on roles, the roles assigned in Azure AD must align to application licenses. Incorrect licenses owned in the application may lead to errors during the provisioning/updating of a user.
+You need the appropriate licenses for the application(s) you want to automatically provision. Discuss with the application owners whether the users assigned to the application have the proper licenses for their application roles. If Microsoft Entra ID manages automatic provisioning based on roles, the roles assigned in Microsoft Entra ID must align to application licenses. Incorrect licenses owned in the application may lead to errors during the provisioning/updating of a user.
### Terms
This article uses the following terms:
* Single sign-on (SSO) - The ability for a user to sign-on once and access all SSO enabled applications. In the context of user provisioning, SSO is a result of users having a single account to access all systems that use automatic user provisioning.
-* Source system - The repository of users that the Azure AD provisions from. Azure AD is the source system for most preintegrated provisioning connectors. However, there are some exceptions for cloud applications such as SAP, Workday, and AWS. For example, see [User provisioning from Workday to AD](../saas-apps/workday-inbound-tutorial.md).
+* Source system - The repository of users that the Microsoft Entra ID provisions from. Microsoft Entra ID is the source system for most preintegrated provisioning connectors. However, there are some exceptions for cloud applications such as SAP, Workday, and AWS. For example, see [User provisioning from Workday to AD](../saas-apps/workday-inbound-tutorial.md).
-* Target system - The repository of users that the Azure AD provisions to. The Target system is typically a SaaS application such as ServiceNow, Zscaler, and Slack. The target system can also be an on-premises system such as AD.
+* Target system - The repository of users that the Microsoft Entra ID provisions to. The Target system is typically a SaaS application such as ServiceNow, Zscaler, and Slack. The target system can also be an on-premises system such as AD.
* [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview) - An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers and service providers. Microsoft is an example of an identity provider. Salesforce is an example of a service provider. Service providers require user identity information and an identity provider fulfills that need. SCIM is the mechanism the identity provider and service provider use to send information back and forth.
This article uses the following terms:
| Resources| Link and Description | | - | - |
-| On-demand webinars| [Manage your Enterprise Applications with Azure AD](https://info.microsoft.com/CO-AZUREPLAT-WBNR-FY18-03Mar-06-ManageYourEnterpriseApplicationsOption1-MCW0004438_02OnDemandRegistration-ForminBody.html)<br>ΓÇÄLearn how Azure AD can help you achieve SSO to your enterprise SaaS applications and best practices for controlling access. |
-| Videos| [What is user provisioning in Active Azure Directory?](https://youtu.be/_ZjARPpI6NI) <br> [How to deploy user provisioning in Active Azure Directory?](https://youtu.be/pKzyts6kfrw) <br> [Integrating Salesforce with Azure AD: How to automate User Provisioning](https://youtu.be/MAy8s5WSe3A)
-| Online courses| SkillUp Online: [Managing Identities](https://skillup.online/courses/course-v1:Microsoft+AZ-100.5+2018_T3/) <br> Learn how to integrate Azure AD with many SaaS applications and to secure user access to those applications. |
-| Books| [Modern Authentication with Azure Active Directory for Web Applications (Developer Reference) 1st Edition](https://www.amazon.com/Authentication-Directory-Applications-Developer-Reference/dp/0735696942/ref=sr_1_fkmr0_1?keywords=Azure+multifactor+authentication&qid=1550168894&s=gateway&sr=8-1-fkmr0). <br> ΓÇÄThis is an authoritative, deep-dive guide to building Active Directory authentication solutions for these new environments. |
-| Tutorials| See the [list of tutorials on how to integrate SaaS apps with Azure AD](../saas-apps/tutorial-list.md). |
+| On-demand webinars| [Manage your Enterprise Applications with Microsoft Entra ID](https://info.microsoft.com/CO-AZUREPLAT-WBNR-FY18-03Mar-06-ManageYourEnterpriseApplicationsOption1-MCW0004438_02OnDemandRegistration-ForminBody.html)<br>ΓÇÄLearn how Microsoft Entra ID can help you achieve SSO to your enterprise SaaS applications and best practices for controlling access. |
+| Videos| [What is user provisioning in Active Azure Directory?](https://youtu.be/_ZjARPpI6NI) <br> [How to deploy user provisioning in Active Azure Directory?](https://youtu.be/pKzyts6kfrw) <br> [Integrating Salesforce with Microsoft Entra ID: How to automate User Provisioning](https://youtu.be/MAy8s5WSe3A)
+| Online courses| SkillUp Online: [Managing Identities](https://skillup.online/courses/course-v1:Microsoft+AZ-100.5+2018_T3/) <br> Learn how to integrate Microsoft Entra ID with many SaaS applications and to secure user access to those applications. |
+| Books| [Modern Authentication with Microsoft Entra ID for Web Applications (Developer Reference) 1st Edition](https://www.amazon.com/Authentication-Directory-Applications-Developer-Reference/dp/0735696942/ref=sr_1_fkmr0_1?keywords=Azure+multifactor+authentication&qid=1550168894&s=gateway&sr=8-1-fkmr0). <br> ΓÇÄThis is an authoritative, deep-dive guide to building Active Directory authentication solutions for these new environments. |
+| Tutorials| See the [list of tutorials on how to integrate SaaS apps with Microsoft Entra ID](../saas-apps/tutorial-list.md). |
| FAQ| [Frequently asked questions](../app-provisioning/user-provisioning.md) on automated user provisioning | ### Solution architectures
-The Azure AD provisioning service provisions users to SaaS apps and other systems by connecting to user management API endpoints provided by each application vendor. These user management API endpoints allow Azure AD to programmatically create, update, and remove users.
+The Microsoft Entra provisioning service provisions users to SaaS apps and other systems by connecting to user management API endpoints provided by each application vendor. These user management API endpoints allow Microsoft Entra ID to programmatically create, update, and remove users.
#### Automatic user provisioning for hybrid enterprises
-In this example, users and or groups are created in an HR database connected to an on-premises directory. The Azure AD provisioning service manages automatic user provisioning to the target SaaS applications.
+In this example, users and or groups are created in an HR database connected to an on-premises directory. The Microsoft Entra provisioning service manages automatic user provisioning to the target SaaS applications.
![user provisioning](./media/plan-auto-user-provisioning/hybridprovisioning.png)
In this example, users and or groups are created in an HR database connected to
1. Users/groups are created in an on-premises HR application/system, such as SAP.
-1. **Azure AD Connect agent** runs scheduled synchronizations of identities (users and groups) from the local AD to Azure AD.
+1. **Microsoft Entra Connect agent** runs scheduled synchronizations of identities (users and groups) from the local AD to Microsoft Entra ID.
-1. **Azure AD provisioning service** begins an [initial cycle](../app-provisioning/user-provisioning.md) against the source system and target system.
+1. **Microsoft Entra provisioning service** begins an [initial cycle](../app-provisioning/user-provisioning.md) against the source system and target system.
-1. **Azure AD provisioning service** queries the source system for any users and groups changed since the initial cycle, and pushes changes in [incremental cycles](../app-provisioning/user-provisioning.md).
+1. **Microsoft Entra provisioning service** queries the source system for any users and groups changed since the initial cycle, and pushes changes in [incremental cycles](../app-provisioning/user-provisioning.md).
#### Automatic user provisioning for cloud-only enterprises
-In this example, user creation occurs in Azure AD and the Azure AD provisioning service manages automatic user provisioning to the target (SaaS) applications.
+In this example, user creation occurs in Microsoft Entra ID and the Microsoft Entra provisioning service manages automatic user provisioning to the target (SaaS) applications.
-![Diagram that shows the user/group creation process from an on-premises H R application through the Azure A D Provisioning Service to the target S A A S applications.](./media/plan-auto-user-provisioning/cloudprovisioning.png)
+![Diagram that shows the user/group creation process from an on-premises H R application through the Microsoft Entra provisioning service to the target S A A S applications.](./media/plan-auto-user-provisioning/cloudprovisioning.png)
**Description of workflow:**
-1. Users/groups are created in Azure AD.
+1. Users/groups are created in Microsoft Entra ID.
-1. **Azure AD provisioning service** begins an [initial cycle](../app-provisioning/user-provisioning.md) against the source system and target system.
+1. **Microsoft Entra provisioning service** begins an [initial cycle](../app-provisioning/user-provisioning.md) against the source system and target system.
-1. **Azure AD provisioning service** queries the source system for any users and groups updated since the initial cycle, and performs any [incremental cycles](../app-provisioning/user-provisioning.md).
+1. **Microsoft Entra provisioning service** queries the source system for any users and groups updated since the initial cycle, and performs any [incremental cycles](../app-provisioning/user-provisioning.md).
#### Automatic user provisioning for cloud HR applications
-In this example, the users and or groups are created in a cloud HR application like such as Workday and SuccessFactors. The Azure AD provisioning service and Azure AD Connect provisioning agent provisions the user data from the cloud HR app tenant into AD. Once the accounts are updated in AD, it's synced with Azure AD through Azure AD Connect, and the email addresses and username attributes can be written back to the cloud HR app tenant.
+In this example, the users and or groups are created in a cloud HR application like such as Workday and SuccessFactors. The Microsoft Entra provisioning service and Microsoft Entra Connect provisioning agent provisions the user data from the cloud HR app tenant into AD. Once the accounts are updated in AD, it's synced with Microsoft Entra ID through Microsoft Entra Connect, and the email addresses and username attributes can be written back to the cloud HR app tenant.
![Picture 2](./media/plan-auto-user-provisioning/workdayprovisioning.png) 1. **HR team** performs the transactions in the cloud HR app tenant.
-2. **Azure AD provisioning service** runs the scheduled cycles from the cloud HR app tenant and identifies changes that need to be processed for sync with AD.
-3. **Azure AD provisioning service** invokes the Azure AD Connect provisioning agent with a request payload containing AD account create/update/enable/disable operations.
-4. **Azure AD Connect provisioning agent** uses a service account to manage AD account data.
-5. **Azure AD Connect** runs delta sync to pull updates in AD.
-6. **AD** updates are synced with Azure AD.
-7. **Azure AD provisioning service** writebacks email attribute and username from Azure AD to the cloud HR app tenant.
+2. **Microsoft Entra provisioning service** runs the scheduled cycles from the cloud HR app tenant and identifies changes that need to be processed for sync with AD.
+3. **Microsoft Entra provisioning service** invokes the Microsoft Entra Connect provisioning agent with a request payload containing AD account create/update/enable/disable operations.
+4. **Microsoft Entra Connect provisioning agent** uses a service account to manage AD account data.
+5. **Microsoft Entra Connect** runs delta sync to pull updates in AD.
+6. **AD** updates are synced with Microsoft Entra ID.
+7. **Microsoft Entra provisioning service** writebacks email attribute and username from Microsoft Entra ID to the cloud HR app tenant.
## Plan the deployment project
Use the Azure portal to view and manage all the applications that support provis
### Determine the type of connector to use
-The actual steps required to enable and configure automatic provisioning vary depending on the application. If the application you wish to automatically provision is listed in the [Azure AD SaaS app gallery](../saas-apps/tutorial-list.md), then you should select the [app-specific integration tutorial](../saas-apps/tutorial-list.md) to configure its preintegrated user provisioning connector.
+The actual steps required to enable and configure automatic provisioning vary depending on the application. If the application you wish to automatically provision is listed in the [Microsoft Entra SaaS app gallery](../saas-apps/tutorial-list.md), then you should select the [app-specific integration tutorial](../saas-apps/tutorial-list.md) to configure its preintegrated user provisioning connector.
If not, follow the steps: 1. [Create a request](../manage-apps/v2-howto-app-gallery-listing.md) for a preintegrated user provisioning connector. Our team works with you and the application developer to onboard your application to our platform if it supports SCIM.
-1. Use the [BYOA SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md) generic user provisioning support for the app. Using SCIM is a requirement for Azure AD to provision users to the app without a preintegrated provisioning connector.
+1. Use the [BYOA SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md) generic user provisioning support for the app. Using SCIM is a requirement for Microsoft Entra ID to provision users to the app without a preintegrated provisioning connector.
1. If the application is able to utilize the BYOA SCIM connector, then refer to [BYOA SCIM integration tutorial](../app-provisioning/use-scim-to-provision-users-and-groups.md) to configure the BYOA SCIM connector for the application.
-For more information, see [What applications and systems can I use with Azure AD automatic user provisioning?](../app-provisioning/user-provisioning.md)
+For more information, see [What applications and systems can I use with Microsoft Entra automatic user provisioning?](../app-provisioning/user-provisioning.md)
### Collect information to authorize application access
If you enable user provisioning for enterprise apps, the [Azure portal](https://
### Determine operations for each SaaS app
-Each application may have unique user or group attributes that must be mapped to the attributes in your Azure AD. Application may have only a subset of CRUD operations available.
+Each application may have unique user or group attributes that must be mapped to the attributes in your Microsoft Entra ID. Application may have only a subset of CRUD operations available.
For each application, document the following information:
Before implementing automatic user provisioning, you must determine the users an
### Define user and group attribute mapping
-To implement automatic user provisioning, you need to define the user and group attributes that are needed for the application. There's a preconfigured set of attributes and [attribute-mappings](../app-provisioning/configure-automatic-user-provisioning-portal.md) between Azure AD user objects, and each SaaS applicationΓÇÖs user objects. Not all SaaS apps enable group attributes.
+To implement automatic user provisioning, you need to define the user and group attributes that are needed for the application. There's a preconfigured set of attributes and [attribute-mappings](../app-provisioning/configure-automatic-user-provisioning-portal.md) between Microsoft Entra user objects, and each SaaS applicationΓÇÖs user objects. Not all SaaS apps enable group attributes.
-Azure AD supports by direct attribute-to-attribute mapping, providing constant values, or [writing expressions for attribute mappings](../app-provisioning/functions-for-customizing-application-data.md). This flexibility gives you fine control over what is populated in the targeted system's attribute. You can use [Microsoft Graph API](../app-provisioning/export-import-provisioning-configuration.md) and Graph Explorer to export your user provisioning attribute mappings and schema to a JSON file and import it back into Azure AD.
+Microsoft Entra ID supports by direct attribute-to-attribute mapping, providing constant values, or [writing expressions for attribute mappings](../app-provisioning/functions-for-customizing-application-data.md). This flexibility gives you fine control over what is populated in the targeted system's attribute. You can use [Microsoft Graph API](../app-provisioning/export-import-provisioning-configuration.md) and Graph Explorer to export your user provisioning attribute mappings and schema to a JSON file and import it back into Microsoft Entra ID.
-For more information, see [Customizing User Provisioning Attribute-Mappings for SaaS Applications in Azure Active Directory](../app-provisioning/customize-application-attributes.md).
+For more information, see [Customizing User Provisioning Attribute-Mappings for SaaS Applications in Microsoft Entra ID](../app-provisioning/customize-application-attributes.md).
### Special considerations for user provisioning
Consider the following to reduce issues post-deployment:
* Applications may have specific restrictions and/or requirements that need to be met for user provisioning to work correctly. For example, Slack truncates values for certain attributes. Refer to [automatic user provisioning tutorials](../saas-apps/tutorial-list.md) specific to each application.
-* Confirm schema consistency between source and target systems. Common issues include attributes such as UPN or mail not matching. For example, UPN in Azure AD set as *john_smith@contoso.com* and in the app, it's *jsmith@contoso.com*. For more information, see The [User and group schema reference](../app-provisioning/use-scim-to-provision-users-and-groups.md).
+* Confirm schema consistency between source and target systems. Common issues include attributes such as UPN or mail not matching. For example, UPN in Microsoft Entra ID set as *john_smith@contoso.com* and in the app, it's *jsmith@contoso.com*. For more information, see The [User and group schema reference](../app-provisioning/use-scim-to-provision-users-and-groups.md).
## Plan testing and security
First, configure automatic user provisioning for the application. Then run test
| - | - | | User is added to a group assigned to the target system. | User object is provisioned in target system. <br>User can sign-in to target system and perform the desired actions. | | User is removed from a group that is assigned to target system. | User object is deprovisioned in the target system.<br>User can't sign-in to target system. |
-| User information updates in Azure AD by any method. | Updated user attributes reflect in the target system after an incremental cycle. |
+| User information updates in Microsoft Entra ID by any method. | Updated user attributes reflect in the target system after an incremental cycle. |
| User is out of scope. | User object is disabled or deleted. <br>Note: This behavior is overridden for [Workday provisioning](skip-out-of-scope-deletions.md). | ### Plan security
-It's common for a security review to be required as part of a deployment. If you require a security review, see the many Azure AD [whitepapers](https://www.microsoft.com/download/details.aspx?id=36391) that provides an overview for identity as a service.
+It's common for a security review to be required as part of a deployment. If you require a security review, see the many Microsoft Entra ID [whitepapers](https://www.microsoft.com/download/details.aspx?id=36391) that provides an overview for identity as a service.
### Plan rollback
If the automatic user provisioning implementation fails to work as desired in th
1. Review the [provisioning logs](../app-provisioning/check-status-user-account-provisioning.md) to determine what incorrect operations occurred on the affected users and/or groups.
-1. Use provisioning audit logs to determine the last known good state of the users and/or groups affected. Also review the source systems (Azure AD or AD).
+1. Use provisioning audit logs to determine the last known good state of the users and/or groups affected. Also review the source systems (Microsoft Entra ID or AD).
1. Work with the application owner to update the users and/or groups affected directly in the application using the last known good state values.
Choose the steps that align to your solution requirements.
### Prepare for the initial cycle
-When the Azure AD provisioning service runs for the first time, the initial cycle against the source system and target systems creates a snapshot of all user objects for each target system.
+When the Microsoft Entra provisioning service runs for the first time, the initial cycle against the source system and target systems creates a snapshot of all user objects for each target system.
-When you enable automatic provisioning for an application, the initial cycle takes anywhere from 20 minutes to several hours. The duration depends on the size of the Azure AD directory and the number of users in scope for provisioning.
+When you enable automatic provisioning for an application, the initial cycle takes anywhere from 20 minutes to several hours. The duration depends on the size of the Microsoft Entra directory and the number of users in scope for provisioning.
The provisioning service stores the state of both systems after the initial cycle, improving performance of subsequent incremental cycles.
The provisioning service stores the state of both systems after the initial cycl
Use the [Azure portal](https://portal.azure.com/) to manage automatic user account provisioning and deprovisioning for applications that support it. Follow the steps in [How do I set up automatic provisioning to an application?](../app-provisioning/user-provisioning.md)
-The Azure AD user provisioning service can also be configured and managed using the [Microsoft Graph API](/graph/api/resources/synchronization-overview).
+The Microsoft Entra user provisioning service can also be configured and managed using the [Microsoft Graph API](/graph/api/resources/synchronization-overview).
## Manage automatic user provisioning
Now that you've deployed, you need to manage the solution.
### Monitor user provisioning operation health
-After a successful [initial cycle](../app-provisioning/user-provisioning.md), the Azure AD provisioning service will run incremental updates indefinitely, at intervals specific to each application, until one of the following events occurs:
+After a successful [initial cycle](../app-provisioning/user-provisioning.md), the Microsoft Entra provisioning service will run incremental updates indefinitely, at intervals specific to each application, until one of the following events occurs:
* The service is manually stopped, and a new initial cycle is triggered using the [Azure portal](https://portal.azure.com/), or using the appropriate [Microsoft Graph API](/graph/api/resources/synchronization-overview) command.
After a successful [initial cycle](../app-provisioning/user-provisioning.md), th
* The provisioning process goes into quarantine due to a high error rate and stays in quarantine for more than four weeks then it's automatically disabled.
-To review these events, and all other activities performed by the provisioning service, refer to Azure AD [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
+To review these events, and all other activities performed by the provisioning service, refer to Microsoft Entra [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
To understand how long the provisioning cycles take and monitor the progress of the provisioning job, you can [check the status of user provisioning](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md). ### Gain insights from reports
-Azure AD can provide more insights into your organizationΓÇÖs user provisioning usage and operational health through audit logs and reports. To learn more about user insights, see [Check the status of user provisioning](application-provisioning-when-will-provisioning-finish-specific-user.md).
+Microsoft Entra ID can provide more insights into your organizationΓÇÖs user provisioning usage and operational health through audit logs and reports. To learn more about user insights, see [Check the status of user provisioning](application-provisioning-when-will-provisioning-finish-specific-user.md).
-Admins should check the provisioning summary report to monitor the operational health of the provisioning job. All activities performed by the provisioning service are recorded in the Azure AD audit logs. See [Tutorial: Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md).
+Admins should check the provisioning summary report to monitor the operational health of the provisioning job. All activities performed by the provisioning service are recorded in the Microsoft Entra audit logs. See [Tutorial: Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md).
-We recommend that you assume ownership of and consume these reports on a cadence that meets your organizationΓÇÖs requirements. Azure AD retains most audit data for 30 days.
+We recommend that you assume ownership of and consume these reports on a cadence that meets your organizationΓÇÖs requirements. Microsoft Entra ID retains most audit data for 30 days.
### Troubleshoot Refer to the following links to troubleshoot any issues that may turn up during provisioning:
-* [Problem configuring user provisioning to an Azure AD Gallery application](../app-provisioning/application-provisioning-config-problem.md)
+* [Problem configuring user provisioning to a Microsoft Entra Gallery application](../app-provisioning/application-provisioning-config-problem.md)
-* [Sync an attribute from your on-premises Active Directory to Azure AD for provisioning to an application](../app-provisioning/user-provisioning-sync-attributes-for-mapping.md)
+* [Sync an attribute from your on-premises Active Directory to Microsoft Entra ID for provisioning to an application](../app-provisioning/user-provisioning-sync-attributes-for-mapping.md)
-* [Problem saving administrator credentials while configuring user provisioning to an Azure Active Directory Gallery application](./user-provisioning.md)
+* [Problem saving administrator credentials while configuring user provisioning to a Microsoft Entra Gallery application](./user-provisioning.md)
-* [No users are being provisioned to an Azure AD Gallery application](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md)
+* [No users are being provisioned to a Microsoft Entra Gallery application](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md)
-* [Wrong set of users are being provisioned to an Azure AD Gallery application](../manage-apps/add-application-portal-assign-users.md)
+* [Wrong set of users are being provisioned to a Microsoft Entra Gallery application](../manage-apps/add-application-portal-assign-users.md)
### Helpful documentation
Refer to the following links to troubleshoot any issues that may turn up during
* [Skip deletion of user accounts that go out of scope](skip-out-of-scope-deletions.md)
-* [Azure AD Connect Provisioning Agent: Version release history](provisioning-agent-release-version-history.md)
+* [Microsoft Entra Connect Provisioning Agent: Version release history](provisioning-agent-release-version-history.md)
#### Resources * [Provide product feedback](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789)
-* [Keep up to date on what's new with Azure AD](https://azure.microsoft.com/updates/?product=active-directory)
+* [Keep up to date on what's new with Microsoft Entra ID](https://azure.microsoft.com/updates/?product=active-directory)
-* [Microsoft Q&A Azure AD forum](/answers/topics/azure-active-directory.html)
+* [Microsoft Q&A Microsoft Entra forum](/answers/topics/azure-active-directory.html)
## Next steps * [Configure Automatic User Provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) * [Export or import your provisioning configuration by using Microsoft Graph API](../app-provisioning/export-import-provisioning-configuration.md)
-* [Writing expressions for attribute mappings in Azure Active directory](../app-provisioning/functions-for-customizing-application-data.md)
+* [Writing expressions for attribute mappings in Microsoft Entra ID](../app-provisioning/functions-for-customizing-application-data.md)
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
Title: Plan cloud HR application to Azure Active Directory user provisioning
-description: This article describes the deployment process of integrating cloud HR systems, such as Workday and SuccessFactors, with Azure Active Directory. Integrating Azure AD with your cloud HR system results in a complete identity lifecycle management system.
+ Title: Plan cloud HR application to Microsoft Entra user provisioning
+description: This article describes the deployment process of integrating cloud HR systems, such as Workday and SuccessFactors, with Microsoft Entra ID. Integrating Microsoft Entra ID with your cloud HR system results in a complete identity lifecycle management system.
-# Plan cloud HR application to Azure Active Directory user provisioning
+# Plan cloud HR application to Microsoft Entra user provisioning
Historically, IT staff has relied on manual methods to create, update, and delete employees. They've used methods such as uploading CSV files or custom scripts to sync employee data. These provisioning processes are error prone, insecure, and hard to manage.
-To manage the identity lifecycles of employees, vendors, or contingent workers, [Azure Active Directory (Azure AD) user provisioning service](../app-provisioning/user-provisioning.md) offers integration with cloud-based human resources (HR) applications. Examples of applications include Workday or SuccessFactors.
+To manage the identity lifecycles of employees, vendors, or contingent workers, [Microsoft Entra user provisioning service](../app-provisioning/user-provisioning.md) offers integration with cloud-based human resources (HR) applications. Examples of applications include Workday or SuccessFactors.
-Azure AD uses this integration to enable the following cloud HR application (app) workflows:
+Microsoft Entra ID uses this integration to enable the following cloud HR application (app) workflows:
- **Provision users to Active Directory:** Provision selected sets of users from a cloud HR app into one or more Active Directory domains.-- **Provision cloud-only users to Azure AD:** In scenarios where Active Directory isn't used, provision users directly from the cloud HR app to Azure AD.-- **Write back to the cloud HR app:** Write the email addresses and username attributes from Azure AD back to the cloud HR app.
+- **Provision cloud-only users to Microsoft Entra ID:** In scenarios where Active Directory isn't used, provision users directly from the cloud HR app to Microsoft Entra ID.
+- **Write back to the cloud HR app:** Write the email addresses and username attributes from Microsoft Entra back to the cloud HR app.
The following video provides guidance on planning your HR-driven provisioning integrations. > [!VIDEO https://www.youtube-nocookie.com/embed/HsdBt40xEHs] > [!NOTE]
-> This deployment plan shows you how to deploy your cloud HR app workflows with Azure AD user provisioning. For information on how to deploy automatic user provisioning to software as a service (SaaS) apps, see [Plan an automatic user provisioning deployment](./plan-auto-user-provisioning.md).
+> This deployment plan shows you how to deploy your cloud HR app workflows with Microsoft Entra user provisioning. For information on how to deploy automatic user provisioning to software as a service (SaaS) apps, see [Plan an automatic user provisioning deployment](./plan-auto-user-provisioning.md).
## Enabled HR scenarios
-The Azure AD user provisioning service enables automation of the following HR-based identity lifecycle management scenarios:
+The Microsoft Entra user provisioning service enables automation of the following HR-based identity lifecycle management scenarios:
-- **New employee hiring:** Adding an employee to the cloud HR app automatically creates a user in Active Directory and Azure AD. Adding a user account includes the option to write back the email address and username attributes to the cloud HR app.-- **Employee attribute and profile updates:** When an employee record such as name, title, or manager is updated in the cloud HR app, their user account is automatically updated in Active Directory and Azure AD.-- **Employee terminations:** When an employee is terminated in the cloud HR app, their user account is automatically disabled in Active Directory and Azure AD.-- **Employee rehires:** When an employee is rehired in the cloud HR app, their old account can be automatically reactivated or reprovisioned to Active Directory and Azure AD.
+- **New employee hiring:** Adding an employee to the cloud HR app automatically creates a user in Active Directory and Microsoft Entra ID. Adding a user account includes the option to write back the email address and username attributes to the cloud HR app.
+- **Employee attribute and profile updates:** When an employee record such as name, title, or manager is updated in the cloud HR app, their user account is automatically updated in Active Directory and Microsoft Entra ID.
+- **Employee terminations:** When an employee is terminated in the cloud HR app, their user account is automatically disabled in Active Directory and Microsoft Entra ID.
+- **Employee rehires:** When an employee is rehired in the cloud HR app, their old account can be automatically reactivated or reprovisioned to Active Directory and Microsoft Entra ID.
## Who is this integration best suited for?
-The cloud HR app integration with Azure AD user provisioning is ideally suited for organizations that:
+The cloud HR app integration with Microsoft Entra user provisioning is ideally suited for organizations that:
- Want a prebuilt, cloud-based solution for cloud HR user provisioning.-- Require direct user provisioning from the cloud HR app to Active Directory or Azure AD.
+- Require direct user provisioning from the cloud HR app to Active Directory or Microsoft Entra ID.
- Require users to be provisioned by using data obtained from the cloud HR app. - Syncing users who are joining, moving, and leaving. The sync happens between one or more Active Directory forests, domains, and OUs based only on change information detected in the cloud HR app. - Use Microsoft 365 for email.
User provisioning creates a foundation for ongoing identity governance. It enhan
This article uses the following terms: -- **Source system**: The repository of users that Azure AD provisions from. An example is a cloud HR app such as Workday or SuccessFactors.-- **Target system**: The repository of users that the Azure AD provisions to. Examples are Active Directory, Azure AD, Microsoft 365, or other SaaS apps.
+- **Source system**: The repository of users that Microsoft Entra ID provisions from. An example is a cloud HR app such as Workday or SuccessFactors.
+- **Target system**: The repository of users that the Microsoft Entra ID provisions to. Examples are Active Directory, Microsoft Entra ID, Microsoft 365, or other SaaS apps.
- **Joiners-Movers-Leavers process**: A term used for new hires, transfers, and termination by using a cloud HR app as a system of records. The process completes when the service successfully provisions the necessary attributes to the target system. ### Key benefits
This capability of HR-driven IT provisioning offers the following significant bu
- **Increase productivity:** You can now automate the assignment of user accounts and Microsoft 365 licenses and provide access to key groups. Automating assignments gives new hires immediate access to their job tools and increases productivity. - **Manage risk:** Automate changes based on employee status or group membership to increase security. This automation ensures that user identities and access to key apps update automatically. For example, an update in the HR app when a user transitions or leaves the organization flows in automatically.-- **Address compliance and governance:** Azure AD supports native audit logs for user provisioning requests performed by apps of both source and target systems. With auditing, you can track who has access to the apps from a single screen.
+- **Address compliance and governance:** Microsoft Entra ID supports native audit logs for user provisioning requests performed by apps of both source and target systems. With auditing, you can track who has access to the apps from a single screen.
- **Manage cost:** Automatic provisioning reduces costs by avoiding inefficiencies and human error associated with manual provisioning. It reduces the need for custom-developed user provisioning solutions built over time by using legacy and outdated platforms. ### Licensing
-To configure the cloud HR app to Azure AD user provisioning integration, you require a valid [Azure AD Premium license](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) and a license for the cloud HR app, such as Workday or SuccessFactors.
+To configure the cloud HR app to Microsoft Entra user provisioning integration, you require a valid [Microsoft Entra ID P1 or P2 license](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) and a license for the cloud HR app, such as Workday or SuccessFactors.
-You also need a valid Azure AD Premium P1 or higher subscription license for every user that is sourced from the cloud HR app and provisioned to either Active Directory or Azure AD. Any improper number of licenses owned in the cloud HR app might lead to errors during user provisioning.
+You also need a valid Microsoft Entra ID P1 or higher subscription license for every user that is sourced from the cloud HR app and provisioned to either Active Directory or Microsoft Entra ID. Any improper number of licenses owned in the cloud HR app might lead to errors during user provisioning.
### Prerequisites -- Azure AD [hybrid identity administrator](../roles/permissions-reference.md#hybrid-identity-administrator) to configure the Azure AD Connect provisioning agent.-- Azure AD [application administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app in the Azure portal
+- Microsoft Entra ID [hybrid identity administrator](../roles/permissions-reference.md#hybrid-identity-administrator) to configure the Microsoft Entra Connect provisioning agent.
+- Microsoft Entra ID [application administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app in the Azure portal
- A test and production instance of the cloud HR app. - Administrator permissions in the cloud HR app to create a system integration user and make changes to test employee data for testing purposes.-- For user provisioning to Active Directory, a server running Windows Server 2016 or greater is required to host the Azure AD Connect provisioning agent. This server should be a tier 0 server based on the Active Directory administrative tier model.-- [Azure AD Connect](../hybrid/connect/whatis-azure-ad-connect.md) for synchronizing users between Active Directory and Azure AD.
+- For user provisioning to Active Directory, a server running Windows Server 2016 or greater is required to host the Microsoft Entra Connect provisioning agent. This server should be a tier 0 server based on the Active Directory administrative tier model.
+- [Microsoft Entra Connect](../hybrid/connect/whatis-azure-ad-connect.md) for synchronizing users between Active Directory and Microsoft Entra ID.
### Training resources
You also need a valid Azure AD Premium P1 or higher subscription license for eve
|:-|:-| | Videos | [What is user provisioning in Active Azure Directory?](https://youtu.be/_ZjARPpI6NI) | | | [How to deploy user provisioning in Active Azure Directory](https://youtu.be/pKzyts6kfrw) |
-| Tutorials | [List of tutorials on how to integrate SaaS apps with Azure AD](../saas-apps/tutorial-list.md) |
+| Tutorials | [List of tutorials on how to integrate SaaS apps with Microsoft Entra ID](../saas-apps/tutorial-list.md) |
| | [Tutorial: Configure automatic user provisioning with Workday](../saas-apps/workday-inbound-tutorial.md) | | | [Tutorial: Configure automatic user provisioning with SAP SuccessFactors](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md) | | FAQ | [Automated user provisioning](../app-provisioning/user-provisioning.md#what-applications-and-systems-can-i-use-with-azure-ad-automatic-user-provisioning) |
-| | [Provisioning from Workday to Azure AD](../saas-apps/workday-inbound-tutorial.md#frequently-asked-questions-faq) |
+| | [Provisioning from Workday to Microsoft Entra ID](../saas-apps/workday-inbound-tutorial.md#frequently-asked-questions-faq) |
### Solution architecture The following example describes the end-to-end user provisioning solution architecture for common hybrid environments and includes: -- **Authoritative HR data flow from cloud HR app to Active Directory.** In this flow, the HR event (Joiners-Movers-Leavers process) is initiated in the cloud HR app tenant. The Azure AD provisioning service and Azure AD Connect provisioning agent provision the user data from the cloud HR app tenant into Active Directory. Depending on the event, it might lead to create, update, enable, and disable operations in Active Directory.-- **Sync with Azure AD and write back email and username from on-premises Active Directory to cloud HR app.** After the accounts are updated in Active Directory, it's synced with Azure AD through Azure AD Connect. The email addresses and username attributes can be written back to the cloud HR app tenant.
+- **Authoritative HR data flow from cloud HR app to Active Directory.** In this flow, the HR event (Joiners-Movers-Leavers process) is initiated in the cloud HR app tenant. The Microsoft Entra provisioning service and Microsoft Entra Connect provisioning agent provision the user data from the cloud HR app tenant into Active Directory. Depending on the event, it might lead to create, update, enable, and disable operations in Active Directory.
+- **Sync with Microsoft Entra ID and write back email and username from on-premises Active Directory to cloud HR app.** After the accounts are updated in Active Directory, it's synced with Microsoft Entra ID through Microsoft Entra Connect. The email addresses and username attributes can be written back to the cloud HR app tenant.
![Workflow diagram](media/plan-cloud-hr-provision/plan-cloudhr-provisioning-img1.png)
The following example describes the end-to-end user provisioning solution archit
The following key steps are indicated in the diagram:   1. **HR team** performs the transactions in the cloud HR app tenant.
-2. **Azure AD provisioning service** runs the scheduled cycles from the cloud HR app tenant and identifies changes to process for sync with Active Directory.
-3. **Azure AD provisioning service** invokes the Azure AD Connect provisioning agent with a request payload that contains Active Directory account create, update, enable, and disable operations.
-4. **Azure AD Connect provisioning agent** uses a service account to manage Active Directory account data.
-5. **Azure AD Connect** runs delta [sync](../hybrid/connect/how-to-connect-sync-whatis.md) to pull updates in Active Directory.
-6. **Active Directory** updates are synced with Azure AD.
-7. **Azure AD provisioning service** write backs email attribute and username from Azure AD to the cloud HR app tenant.
+2. **Microsoft Entra provisioning service** runs the scheduled cycles from the cloud HR app tenant and identifies changes to process for sync with Active Directory.
+3. **Microsoft Entra provisioning service** invokes the Microsoft Entra Connect provisioning agent with a request payload that contains Active Directory account create, update, enable, and disable operations.
+4. **Microsoft Entra Connect provisioning agent** uses a service account to manage Active Directory account data.
+5. **Microsoft Entra Connect** runs delta [sync](../hybrid/connect/how-to-connect-sync-whatis.md) to pull updates in Active Directory.
+6. **Active Directory** updates are synced with Microsoft Entra ID.
+7. **Microsoft Entra provisioning service** write backs email attribute and username from Microsoft Entra ID to the cloud HR app tenant.
## Plan the deployment project
Run the initial configuration in a [pilot environment](../architecture/deploymen
## Select cloud HR provisioning connector apps
-To facilitate Azure AD provisioning workflows between the cloud HR app and Active Directory, you can add multiple provisioning connector apps from the Azure AD app gallery:
+To facilitate Microsoft Entra provisioning workflows between the cloud HR app and Active Directory, you can add multiple provisioning connector apps from the Microsoft Entra app gallery:
-- **Cloud HR app to Active Directory user provisioning**: This provisioning connector app facilitates user account provisioning from the cloud HR app to a single Active Directory domain. If you have multiple domains, you can add one instance of this app from the Azure AD app gallery for each Active Directory domain you need to provision to.-- **Cloud HR app to Azure AD user provisioning**: Azure AD Connect is the tool used to synchronize Active Directory on premises users to Azure Active Directory. The Cloud HR app to Azure AD user provisioning is a connector you use to provision cloud-only users from the cloud HR app to a single Azure AD tenant.-- **Cloud HR app write-back**: This provisioning connector app facilitates the write-back of the user's email addresses from Azure AD to the cloud HR app.
+- **Cloud HR app to Active Directory user provisioning**: This provisioning connector app facilitates user account provisioning from the cloud HR app to a single Active Directory domain. If you have multiple domains, you can add one instance of this app from the Microsoft Entra app gallery for each Active Directory domain you need to provision to.
+- **Cloud HR app to Microsoft Entra user provisioning**: Microsoft Entra Connect is the tool used to synchronize Active Directory on premises users to Microsoft Entra ID. The Cloud HR app to Microsoft Entra user provisioning is a connector you use to provision cloud-only users from the cloud HR app to a single Microsoft Entra tenant.
+- **Cloud HR app write-back**: This provisioning connector app facilitates the write-back of the user's email addresses from Microsoft Entra ID to the cloud HR app.
-For example, the following image lists the Workday connector apps that are available in the Azure AD app gallery.
+For example, the following image lists the Workday connector apps that are available in the Microsoft Entra app gallery.
![Azure portal app gallery](media/plan-cloud-hr-provision/plan-cloudhr-provisioning-img2.png)
Use the following decision flow chart to identify which cloud HR provisioning ap
![Decision flow chart](media/plan-cloud-hr-provision/plan-cloudhr-provisioning-img3.png)
-## Design the Azure AD Connect provisioning agent deployment topology
+<a name='design-the-azure-ad-connect-provisioning-agent-deployment-topology'></a>
+
+## Design the Microsoft Entra Connect provisioning agent deployment topology
The provisioning integration between the cloud HR app and Active Directory requires four components: - Cloud HR app tenant - Provisioning connector app-- Azure AD Connect provisioning agent
+- Microsoft Entra Connect provisioning agent
- Active Directory domain
-The Azure AD Connect provisioning agent deployment topology depends on the number of cloud HR app tenants and Active Directory child domains that you plan to integrate. If you have multiple Active Directory domains, it depends on whether the Active Directory domains are contiguous or [disjoint](/windows-server/identity/ad-ds/plan/disjoint-namespace).
+The Microsoft Entra Connect provisioning agent deployment topology depends on the number of cloud HR app tenants and Active Directory child domains that you plan to integrate. If you have multiple Active Directory domains, it depends on whether the Active Directory domains are contiguous or [disjoint](/windows-server/identity/ad-ds/plan/disjoint-namespace).
Based on your decision, choose one of the deployment scenarios:
We recommend the following production configuration:
|Requirement|Recommendation| |:-|:-|
-|Number of Azure AD Connect provisioning agents to deploy.|Two (for high availability and failover).
+|Number of Microsoft Entra Connect provisioning agents to deploy.|Two (for high availability and failover).
|Number of provisioning connector apps to configure.|One app per child domain.|
-|Server host for Azure AD Connect provisioning agent.|Windows Server 2016 with line of sight to geolocated Active Directory domain controllers. </br>Can coexist with Azure AD Connect service.|
+|Server host for Microsoft Entra Connect provisioning agent.|Windows Server 2016 with line of sight to geolocated Active Directory domain controllers. </br>Can coexist with Microsoft Entra Connect service.|
![Flow to on-premises agents](media/plan-cloud-hr-provision/plan-cloudhr-provisioning-img4.png)
We recommend the following production configuration:
|Requirement|Recommendation| |:-|:-|
-|Number of Azure AD Connect provisioning agents to deploy on-premises|Two per disjoint Active Directory forest.|
+|Number of Microsoft Entra Connect provisioning agents to deploy on-premises|Two per disjoint Active Directory forest.|
|Number of provisioning connector apps to configure|One app per child domain.|
-|Server host for Azure AD Connect provisioning agent.|Windows Server 2016 with line of sight to geolocated Active Directory domain controllers. </br>Can coexist with Azure AD Connect service.|
+|Server host for Microsoft Entra Connect provisioning agent.|Windows Server 2016 with line of sight to geolocated Active Directory domain controllers. </br>Can coexist with Microsoft Entra Connect service.|
![Single cloud HR app tenant disjoint Active Directory forest](media/plan-cloud-hr-provision/plan-cloudhr-provisioning-img5.png)
-### Azure AD Connect provisioning agent requirements
+<a name='azure-ad-connect-provisioning-agent-requirements'></a>
+
+### Microsoft Entra Connect provisioning agent requirements
-The cloud HR app to Active Directory user provisioning solution requires the deployment of one or more Azure AD Connect provisioning agents. These agents must be deployed on servers that run Windows Server 2016 or greater. The servers must have a minimum of 4-GB RAM and .NET 4.7.1+ runtime. Ensure that the host server has network access to the target Active Directory domain.
+The cloud HR app to Active Directory user provisioning solution requires the deployment of one or more Microsoft Entra Connect provisioning agents. These agents must be deployed on servers that run Windows Server 2016 or greater. The servers must have a minimum of 4-GB RAM and .NET 4.7.1+ runtime. Ensure that the host server has network access to the target Active Directory domain.
-To prepare the on-premises environment, the Azure AD Connect provisioning agent configuration wizard registers the agent with your Azure AD tenant, [opens ports](../app-proxy/application-proxy-add-on-premises-application.md#open-ports), [allows access to URLs](../app-proxy/application-proxy-add-on-premises-application.md#allow-access-to-urls), and supports [outbound HTTPS proxy configuration](../saas-apps/workday-inbound-tutorial.md#how-do-i-configure-the-provisioning-agent-to-use-a-proxy-server-for-outbound-http-communication).
+To prepare the on-premises environment, the Microsoft Entra Connect provisioning agent configuration wizard registers the agent with your Microsoft Entra tenant, [opens ports](../app-proxy/application-proxy-add-on-premises-application.md#open-ports), [allows access to URLs](../app-proxy/application-proxy-add-on-premises-application.md#allow-access-to-urls), and supports [outbound HTTPS proxy configuration](../saas-apps/workday-inbound-tutorial.md#how-do-i-configure-the-provisioning-agent-to-use-a-proxy-server-for-outbound-http-communication).
The provisioning agent configures a [Global Managed Service Account (GMSA)](../hybrid/cloud-sync/how-to-prerequisites.md#group-managed-service-accounts) to communicate with the Active Directory domains. You can select domain controllers that should handle provisioning requests. If you have several geographically distributed domain controllers, install the provisioning agent in the same site as your preferred domain controllers. This positioning improves the reliability and performance of the end-to-end solution.
-For high availability, you can deploy more than one Azure AD Connect provisioning agent. Register the agent to handle the same set of on-premises Active Directory domains.
+For high availability, you can deploy more than one Microsoft Entra Connect provisioning agent. Register the agent to handle the same set of on-premises Active Directory domains.
## Design HR provisioning app deployment topology
Deployment topology one is the most common deployment topology. Use this topolog
**Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover.
-* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register your AD domain with your Azure AD tenant.
+* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register your AD domain with your Microsoft Entra tenant.
* When configuring the provisioning app, select the AD domain from the dropdown of registered domains. * If you're using scoping filters, configure [skip out of scope deletions flag](skip-out-of-scope-deletions.md) to prevent accidental account deactivations.
For example: In the diagram, the provisioning apps are set up for each geographi
**Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover.
-* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register all child AD domains with your Azure AD tenant.
+* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register all child AD domains with your Microsoft Entra tenant.
* Create a separate HR2AD provisioning app for each target domain. * When configuring the provisioning app, select the respective child AD domain from the dropdown of available AD domains. * Use [scoping filters](define-conditional-rules-for-provisioning-user-accounts.md) in the provisioning app to define users that each app processes.
For example: In the diagram, the provisioning apps are set up for each geographi
**Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover. * Configure [referral chasing](../hybrid/cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent.
-* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant.
+* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Microsoft Entra tenant.
* Create a separate HR2AD provisioning app for each target domain. * When configuring each provisioning app, select the parent AD domain from the dropdown of available AD domains. Selecting the parent domain ensures forest-wide lookup while generating unique values for attributes like *userPrincipalName*, *samAccountName* and *mail*. * Use *parentDistinguishedName* with expression mapping to dynamically create user in the correct child domain and [OU container](#configure-active-directory-ou-container-assignment).
For example: In the diagram, a single provisioning app manages users present in
**Salient configuration aspects** * Setup two provisioning agent nodes for high availability and failover. * Configure [referral chasing](../hybrid/cloud-sync/how-to-manage-registry-options.md#configure-referral-chasing) on the provisioning agent.
-* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Azure AD tenant.
+* Use the [provisioning agent configuration wizard](../hybrid/cloud-sync/how-to-install.md#install-the-agent) to register the parent AD domain and all child AD domains with your Microsoft Entra tenant.
* Create a single HR2AD provisioning app for the entire forest. * When configuring the provisioning app, select the parent AD domain from the dropdown of available AD domains. Selecting the parent domain ensures forest-wide lookup while generating unique values for attributes like *userPrincipalName*, *samAccountName* and *mail*. * Use *parentDistinguishedName* with expression mapping to dynamically create user in the correct child domain and [OU container](#configure-active-directory-ou-container-assignment).
In large organizations, it isn't uncommon to have multiple HR systems. During bu
## Plan scoping filters and attribute mapping
-When you enable provisioning from the cloud HR app to Active Directory or Azure AD, the Azure portal controls the attribute values through attribute mapping.
+When you enable provisioning from the cloud HR app to Active Directory or Microsoft Entra ID, the Azure portal controls the attribute values through attribute mapping.
### Define scoping filters
-Use [scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md) to define the attribute-based rules that determine which users should be provisioned from the cloud HR app to Active Directory or Azure AD.
+Use [scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md) to define the attribute-based rules that determine which users should be provisioned from the cloud HR app to Active Directory or Microsoft Entra ID.
When you initiate the Joiners process, gather the following requirements: - Is the cloud HR app used to bring on board both employees and contingent workers?-- Do you plan to use the cloud HR app to Azure AD user provisioning to manage both employees and contingent workers?-- Do you plan to roll out the cloud HR app to Azure AD user provisioning only for a subset of the cloud HR app users? An example might be employees only.
+- Do you plan to use the cloud HR app to Microsoft Entra user provisioning to manage both employees and contingent workers?
+- Do you plan to roll out the cloud HR app to Microsoft Entra user provisioning only for a subset of the cloud HR app users? An example might be employees only.
Depending on your requirements, when you configure attribute mappings, you can set the **Source Object Scope** field to select which sets of users in the cloud HR app should be in scope for provisioning to Active Directory. For more information, see the cloud HR app tutorial for commonly used scoping filters. ### Determine matching attributes
-With provisioning, you get the ability to match existing accounts between the source and target system. When you integrate the cloud HR app with the Azure AD provisioning service, you can [configure attribute mapping](../app-provisioning/configure-automatic-user-provisioning-portal.md#mappings) to determine what user data should flow from the cloud HR app to Active Directory or Azure AD.
+With provisioning, you get the ability to match existing accounts between the source and target system. When you integrate the cloud HR app with the Microsoft Entra provisioning service, you can [configure attribute mapping](../app-provisioning/configure-automatic-user-provisioning-portal.md#mappings) to determine what user data should flow from the cloud HR app to Active Directory or Microsoft Entra ID.
When you initiate the Joiners process, gather the following requirements:
When you initiate the Joiners process, gather the following requirements:
- From an identity lifecycle perspective, how do you handle employee to contingent worker conversion, or otherwise? - Do converted users keep their old Active Directory accounts or do they get new ones?
-Depending on your requirements, Azure AD supports direct attribute-to-attribute mapping by providing constant values or [writing expressions for attribute mappings](../app-provisioning/functions-for-customizing-application-data.md). This flexibility gives you ultimate control of what's populated in the targeted app attribute. You can use the [Microsoft Graph API](../app-provisioning/export-import-provisioning-configuration.md) and Graph Explorer to export your user provisioning attribute mappings and schema to a JSON file and import it back into Azure AD.
+Depending on your requirements, Microsoft Entra ID supports direct attribute-to-attribute mapping by providing constant values or [writing expressions for attribute mappings](../app-provisioning/functions-for-customizing-application-data.md). This flexibility gives you ultimate control of what's populated in the targeted app attribute. You can use the [Microsoft Graph API](../app-provisioning/export-import-provisioning-configuration.md) and Graph Explorer to export your user provisioning attribute mappings and schema to a JSON file and import it back into Microsoft Entra ID.
By default, the attribute in the cloud HR app that represents the unique employee ID is used as the matching attribute *mapped to the unique attribute in Active Directory.* For example, in the Workday app scenario, the **Workday** **WorkerID** attribute is mapped to the Active Directory **employeeID** attribute.
When you initiate the Joiners-Leavers process, gather the following requirements
| | How do employee and contingent worker conversions affect existing Active Directory accounts? | | | How do you process the Rescind operation in Active Directory? Rescind operations need to be handled if future dated hires are created in Active Directory as part of the Joiner process. |
-Depending on your requirements, you might customize the mapping logic by using [Azure AD expressions](../app-provisioning/functions-for-customizing-application-data.md) so that the Active Directory account is enabled or disabled based on a combination of data points.
+Depending on your requirements, you might customize the mapping logic by using [Microsoft Entra expressions](../app-provisioning/functions-for-customizing-application-data.md) so that the Active Directory account is enabled or disabled based on a combination of data points.
### Map cloud HR app to Active Directory user attributes
Depending on your requirements, you can modify the mappings to meet your integra
Attributes like CN, samAccountName, and the UPN have unique constraints. You may need to generate unique attribute values when you initiate the Joiners process.
-The Azure AD function [SelectUniqueValues](../app-provisioning/functions-for-customizing-application-data.md#selectuniquevalue) evaluates each rule and then checks the value generated for uniqueness in the target system. For an example, see [Generate unique value for the userPrincipalName (UPN) attribute](../app-provisioning/functions-for-customizing-application-data.md#generate-unique-value-for-userprincipalname-upn-attribute).
+The Microsoft Entra ID function [SelectUniqueValues](../app-provisioning/functions-for-customizing-application-data.md#selectuniquevalue) evaluates each rule and then checks the value generated for uniqueness in the target system. For an example, see [Generate unique value for the userPrincipalName (UPN) attribute](../app-provisioning/functions-for-customizing-application-data.md#generate-unique-value-for-userprincipalname-upn-attribute).
> [!NOTE] > This function is currently only supported for Workday to Active Directory and SAP SuccessFactors to Active Directory user provisioning. It can't be used with other provisioning apps.
With this expression, if the Municipality value is Dallas, Austin, Seattle, or L
## Plan for password delivery of new user accounts
-When you initiate the Joiners process, you need to set and deliver a temporary password of new user accounts. With cloud HR to Azure AD user provisioning, you can roll out the Azure AD [self-service password reset](../authentication/tutorial-enable-sspr.md) (SSPR) capability for the user on day one.
+When you initiate the Joiners process, you need to set and deliver a temporary password of new user accounts. With cloud HR to Microsoft Entra user provisioning, you can roll out the Microsoft Entra ID [self-service password reset](../authentication/tutorial-enable-sspr.md) (SSPR) capability for the user on day one.
-SSPR is a simple means for IT administrators to enable users to reset their passwords or unlock their accounts. You can provision the **Mobile Number** attribute from the cloud HR app to Active Directory and sync it with Azure AD. After the **Mobile Number** attribute is in Azure AD, you can enable SSPR for the user's account. Then on day one, the new user can use the registered and verified mobile number for authentication. Refer to the [SSPR documentation](../authentication/howto-sspr-authenticationdata.md) for details on how to prepopulate authentication contact information.
+SSPR is a simple means for IT administrators to enable users to reset their passwords or unlock their accounts. You can provision the **Mobile Number** attribute from the cloud HR app to Active Directory and sync it with Microsoft Entra ID. After the **Mobile Number** attribute is in Microsoft Entra ID, you can enable SSPR for the user's account. Then on day one, the new user can use the registered and verified mobile number for authentication. Refer to the [SSPR documentation](../authentication/howto-sspr-authenticationdata.md) for details on how to prepopulate authentication contact information.
## Plan for initial cycle
-When the Azure AD provisioning service runs for the first time, it performs an [initial cycle](../app-provisioning/how-provisioning-works.md#initial-cycle) against the cloud HR app to create a snapshot of all user objects in the cloud HR app. The time taken for initial cycles is directly dependent on how many users are present in the source system. The initial cycle for some cloud HR app tenants with over 100,000 users can take a long time.
+When the Microsoft Entra provisioning service runs for the first time, it performs an [initial cycle](../app-provisioning/how-provisioning-works.md#initial-cycle) against the cloud HR app to create a snapshot of all user objects in the cloud HR app. The time taken for initial cycles is directly dependent on how many users are present in the source system. The initial cycle for some cloud HR app tenants with over 100,000 users can take a long time.
**For large cloud HR app tenants (>30,000 users),** run the initial cycle in progressive stages. Start the incremental updates only after you validate that the correct attributes are set in Active Directory for different user provisioning scenarios. Follow the order here.
A deployment consists of stages ranging from the initial pilot to enabling user
### Plan testing
-After you configure the cloud HR app to Azure AD user provisioning, run test cases to verify whether this solution meets your organization's requirements.
+After you configure the cloud HR app to Microsoft Entra user provisioning, run test cases to verify whether this solution meets your organization's requirements.
|Scenarios|Expected results| |:-|:-|
-|New employee is hired in the cloud HR app.| - The user account is provisioned in Active Directory.</br>- The user can log into Active Directory-domain apps and perform the desired actions.</br>- If Azure AD Connect sync is configured, the user account also gets created in Azure AD.
+|New employee is hired in the cloud HR app.| - The user account is provisioned in Active Directory.</br>- The user can log into Active Directory-domain apps and perform the desired actions.</br>- If Microsoft Entra Connect Sync is configured, the user account also gets created in Microsoft Entra ID.
|User is terminated in the cloud HR app.|- The user account is disabled in Active Directory.</br>- The user can't log into any enterprise apps protected by Active Directory. |User supervisory organization is updated in the cloud HR app.|Based on the attribute mapping, the user account moves from one OU to another in Active Directory.| |HR updates the user's manager in the cloud HR app.|The manager field in Active Directory is updated to reflect the new manager's name.|
Use the previous results to determine how to transition your automatic user prov
### Plan security
-It's common for a security review to be required as part of the deployment of a new service. If a security review is required or hasn't been conducted, see the many Azure AD [white papers](https://www.microsoft.com/download/details.aspx?id=36391) that provide an overview of the identity as a service.
+It's common for a security review to be required as part of the deployment of a new service. If a security review is required or hasn't been conducted, see the many Microsoft Entra ID [white papers](https://www.microsoft.com/download/details.aspx?id=36391) that provide an overview of the identity as a service.
### Plan rollback The cloud HR user provisioning implementation might fail to work as desired in the production environment. If so, the following rollback steps can assist you in reverting to a previous known good state. 1. Review the [provisioning logs](../app-provisioning/check-status-user-account-provisioning.md#provisioning-logs) to determine what incorrect operations were performed on the affected users or groups. For more information on the provisioning summary report and logs, see [Manage cloud HR app user provisioning](#manage-your-configuration).
-2. The last known good state of the users or groups affected can be determined through the provisioning audit logs or by reviewing the target systems (Azure AD or Active Directory).
+2. The last known good state of the users or groups affected can be determined through the provisioning audit logs or by reviewing the target systems (Microsoft Entra ID or Active Directory).
3. Work with the app owner to update the users or groups affected directly in the app by using the last known good state values. ## Deploy the cloud HR app Choose the cloud HR app that aligns to your solution requirements.
-**Workday**: To import worker profiles from Workday into Active Directory and Azure AD, see [Tutorial: Configure Workday for automatic user provisioning](../saas-apps/workday-inbound-tutorial.md#planning-your-deployment). Optionally, you can write back the email address, username and phone number to Workday.
+**Workday**: To import worker profiles from Workday into Active Directory and Microsoft Entra ID, see [Tutorial: Configure Workday for automatic user provisioning](../saas-apps/workday-inbound-tutorial.md#planning-your-deployment). Optionally, you can write back the email address, username and phone number to Workday.
-**SAP SuccessFactors**: To import worker profiles from SuccessFactors into Active Directory and Azure AD, see [Tutorial: Configure SAP SuccessFactors for automatic user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md). Optionally, you can write back the email address and username to SuccessFactors.
+**SAP SuccessFactors**: To import worker profiles from SuccessFactors into Active Directory and Microsoft Entra ID, see [Tutorial: Configure SAP SuccessFactors for automatic user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md). Optionally, you can write back the email address and username to SuccessFactors.
## Manage your configuration
-Azure AD can provide more insights into your organization's user provisioning usage and operational health through audit logs and reports.
+Microsoft Entra ID can provide more insights into your organization's user provisioning usage and operational health through audit logs and reports.
### Gain insights from reports and logs
-After a successful [initial cycle](../app-provisioning/how-provisioning-works.md#initial-cycle), the Azure AD provisioning service continues to run back-to-back incremental updates indefinitely, at intervals defined in the tutorials specific to each app, until one of the following events occurs:
+After a successful [initial cycle](../app-provisioning/how-provisioning-works.md#initial-cycle), the Microsoft Entra provisioning service continues to run back-to-back incremental updates indefinitely, at intervals defined in the tutorials specific to each app, until one of the following events occurs:
- The service is manually stopped. A new initial cycle is triggered by using the [Azure portal](https://portal.azure.com/) or the appropriate [Microsoft Graph API](/graph/api/resources/synchronization-overview) command. - A new initial cycle is triggered owing to a change in attribute mappings or scoping filters.
To review these events and all other activities performed by the provisioning se
#### Azure Monitor logs
-All activities performed by the provisioning service are recorded in the Azure AD audit logs. You can route Azure AD audit logs to Azure Monitor logs for further analysis. With Azure Monitor logs (also known as Log Analytics workspace), you can query data to find events, analyze trends, and perform correlation across various data sources. Watch this [video](https://youtu.be/MP5IaCTwkQg) to learn the benefits of using Azure Monitor logs for Azure AD logs in practical user scenarios.
+All activities performed by the provisioning service are recorded in the Microsoft Entra audit logs. You can route Microsoft Entra audit logs to Azure Monitor logs for further analysis. With Azure Monitor logs (also known as Log Analytics workspace), you can query data to find events, analyze trends, and perform correlation across various data sources. Watch this [video](https://youtu.be/MP5IaCTwkQg) to learn the benefits of using Azure Monitor logs for Microsoft Entra ID logs in practical user scenarios.
-Install the [log analytics views for Azure AD activity logs](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) to get access to [prebuilt reports](https://github.com/AzureAD/Deployment-Plans/tree/master/Log%20Analytics%20Views) around provisioning events in your environment.
+Install the [log analytics views for Microsoft Entra activity logs](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) to get access to [prebuilt reports](https://github.com/AzureAD/Deployment-Plans/tree/master/Log%20Analytics%20Views) around provisioning events in your environment.
-For more information, see how to [analyze the Azure AD activity logs with your Azure Monitor logs](../reports-monitoring/howto-analyze-activity-logs-log-analytics.md).
+For more information, see how to [analyze the Microsoft Entra activity logs with your Azure Monitor logs](../reports-monitoring/howto-analyze-activity-logs-log-analytics.md).
### Manage personal data
-The Azure AD Connect provisioning agent installed on the Windows server creates logs in the Windows event log that might contain personal data depending on your cloud HR app to Active Directory attribute mappings. To comply with user privacy obligations, set up a Windows scheduled task to clear the event log and ensure that no data is kept beyond 48 hours.
+The Microsoft Entra Connect provisioning agent installed on the Windows server creates logs in the Windows event log that might contain personal data depending on your cloud HR app to Active Directory attribute mappings. To comply with user privacy obligations, set up a Windows scheduled task to clear the event log and ensure that no data is kept beyond 48 hours.
-Azure AD provisioning service doesn't generate reports, perform analytics, or provide insights beyond 30 days because the service doesn't store, process, or keep any data beyond 30 days.
+Microsoft Entra provisioning service doesn't generate reports, perform analytics, or provide insights beyond 30 days because the service doesn't store, process, or keep any data beyond 30 days.
### Troubleshoot To troubleshoot any issues that might turn up during provisioning, see the following articles: -- [Problem configuring user provisioning to an Azure AD Gallery application](application-provisioning-config-problem.md)-- [Sync an attribute from your on-premises Active Directory to Azure AD for provisioning to an application](user-provisioning-sync-attributes-for-mapping.md)-- [Problem saving administrator credentials while configuring user provisioning to an Azure Active Directory Gallery application](./user-provisioning.md)-- [No users are being provisioned to an Azure AD Gallery application](application-provisioning-config-problem-no-users-provisioned.md)-- [Wrong set of users are being provisioned to an Azure AD Gallery application](../manage-apps/add-application-portal-assign-users.md)
+- [Problem configuring user provisioning to a Microsoft Entra Gallery application](application-provisioning-config-problem.md)
+- [Sync an attribute from your on-premises Active Directory to Microsoft Entra ID for provisioning to an application](user-provisioning-sync-attributes-for-mapping.md)
+- [Problem saving administrator credentials while configuring user provisioning to a Microsoft Entra Gallery application](./user-provisioning.md)
+- [No users are being provisioned to a Microsoft Entra Gallery application](application-provisioning-config-problem-no-users-provisioned.md)
+- [Wrong set of users are being provisioned to a Microsoft Entra Gallery application](../manage-apps/add-application-portal-assign-users.md)
- [Setting up Windows Event Viewer for agent troubleshooting](../saas-apps/workday-inbound-tutorial.md#setting-up-windows-event-viewer-for-agent-troubleshooting) - [Setting up Azure portal Audit Logs for service troubleshooting](../saas-apps/workday-inbound-tutorial.md#setting-up-azure-portal-audit-logs-for-service-troubleshooting) - [Understanding logs for AD User Account create operations](../saas-apps/workday-inbound-tutorial.md#understanding-logs-for-ad-user-account-create-operations)
To troubleshoot any issues that might turn up during provisioning, see the follo
- [Writing expressions for attribute mappings](functions-for-customizing-application-data.md) - [Azure AD synchronization API overview](/graph/api/resources/synchronization-overview) - [Skip deletion of user accounts that go out of scope](skip-out-of-scope-deletions.md)-- [Azure AD Connect Provisioning Agent: Version release history](provisioning-agent-release-version-history.md)
+- [Microsoft Entra Connect Provisioning Agent: Version release history](provisioning-agent-release-version-history.md)
active-directory Provision On Demand https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provision-on-demand.md
Title: Provision a user or group on demand using the Azure Active Directory provisioning service
-description: Learn how to provision users on demand in Azure Active Directory.
+ Title: Provision a user or group on demand using the Microsoft Entra provisioning service
+description: Learn how to provision users on demand in Microsoft Entra ID.
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
-# On-demand provisioning in Azure Active Directory
+# On-demand provisioning in Microsoft Entra ID
Use on-demand provisioning to provision a user or group in seconds. Among other things, you can use this capability to:
Use on-demand provisioning to provision a user or group in seconds. Among other
1. Sign in to the [Azure portal](https://portal.azure.com). ::: zone pivot="app-provisioning"
-2. Go to **Azure Active Directory** > **Enterprise applications** > **All applications**.
+2. Go to **Microsoft Entra ID** > **Enterprise applications** > **All applications**.
3. Select your application, and then go to the provisioning configuration page. ::: zone-end ::: zone pivot="cross-tenant-synchronization"
-2. Go to **Azure Active Directory** > **Cross-tenant Synchronization** > **Configurations**
+2. Go to **Microsoft Entra ID** > **Cross-tenant Synchronization** > **Configurations**
3. Select your configuration, and then go to the **Provisioning** configuration page. ::: zone-end
The provisioning service attempts to authorize access to the target system by ma
* Ensure that you've provided valid credentials, such as the secret token and tenant URL, to the target system. The required credentials vary by application. For detailed configuration tutorials, see the [tutorial list](../saas-apps/tutorial-list.md). * Make sure that the target system supports filtering on the matching attributes defined in the **Attribute mappings** pane. You might need to check the API documentation provided by the application developer to understand the supported filters.
-* For System for Cross-domain Identity Management (SCIM) applications, you can use a tool like Postman. Such tools help you ensure that the application responds to authorization requests in the way that the Azure Active Directory (Azure AD) provisioning service expects. Have a look at an [example request](./use-scim-to-provision-users-and-groups.md#request-3).
+* For System for Cross-domain Identity Management (SCIM) applications, you can use a tool like Postman. Such tools help you ensure that the application responds to authorization requests in the way that the Microsoft Entra provisioning service expects. Have a look at an [example request](./use-scim-to-provision-users-and-groups.md#request-3).
### Step 2: Import user
Next, the provisioning service retrieves the user from the source system. The us
#### View details
-The **View details** section shows the properties of the user that were imported from the source system (for example, Azure AD).
+The **View details** section shows the properties of the user that were imported from the source system (for example, Microsoft Entra ID).
#### Troubleshooting tips
Next, the provisioning service determines whether the user is in [scope](./how-p
The **View details** section shows the scoping conditions that were evaluated. You might see one or more of the following properties:
-* **Active in source system** indicates that the user has the property `IsActive` set to **true** in Azure AD.
-* **Assigned to application** indicates that the user is assigned to the application in Azure AD.
+* **Active in source system** indicates that the user has the property `IsActive` set to **true** in Microsoft Entra ID.
+* **Assigned to application** indicates that the user is assigned to the application in Microsoft Entra ID.
* **Scope sync all** indicates that the scope setting allows all users and groups in the tenant. * **User has required role** indicates that the user has the necessary roles to be provisioned into the application. * **Scoping filters** are also shown if you have defined scoping filters for your application. The filter is displayed with the following format: {scoping filter title} {scoping filter attribute} {scoping filter operator} {scoping filter value}.
There are currently a few known limitations to on-demand provisioning. Post your
* On-demand provisioning supports provisioning one user at a time through the Microsoft Entra portal. * Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft-delete a user with on-demand provisioning and then restore the user, it can result in duplicate users. * On-demand provisioning of roles isn't supported.
-* On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users don't appear when you search for a user.
+* On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Microsoft Entra ID. Those users don't appear when you search for a user.
* On-demand provisioning doesn't support nested groups that aren't directly assigned to the application.
+* The on-demand provisioning request API can only accept a single group with up to 5 members at a time.
## Next steps
active-directory User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning.md
Some common motivations for using automatic provisioning include:
- Easily importing a large number of users into a particular SaaS application or system. - A single set of policies to determine provisioned users that can sign in to an app.
-Azure AD user provisioning can help address these challenges. To learn more about how customers have been using Azure AD user provisioning, read the [ASOS case study](https://aka.ms/asoscasestudy). The following video provides an overview of user provisioning in Azure AD.
+Azure AD user provisioning can help address these challenges. To learn more about how customers have been using Azure AD user provisioning, read the [ASOS case study](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/asos-better-protects-its-data-with-azure-ad-automated-user/ba-p/827846). The following video provides an overview of user provisioning in Azure AD.
> [!VIDEO https://www.youtube.com/embed/_ZjARPpI6NI]
active-directory App Proxy Protect Ndes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/app-proxy-protect-ndes.md
Title: Integrate with Azure Active Directory Application Proxy on an NDES server
-description: Guidance on deploying an Azure Active Directory Application Proxy to protect your NDES server.
+ Title: Integrate with Microsoft Entra application proxy on an NDES server
+description: Guidance on deploying a Microsoft Entra application proxy to protect your NDES server.
Last updated 09/13/2023
-# Integrate with Azure Active Directory Application Proxy on a Network Device Enrollment Service (NDES) server
+# Integrate with Microsoft Entra application proxy on a Network Device Enrollment Service (NDES) server
-Azure Active Directory (AD) Application Proxy lets you publish applications inside your network. These applications are ones such as SharePoint sites, Microsoft Outlook Web App, and other web applications. It also provides secure access to users outside your network via Azure.
+Microsoft Entra application proxy lets you publish applications inside your network. These applications are ones such as SharePoint sites, Microsoft Outlook Web App, and other web applications. It also provides secure access to users outside your network via Azure.
-If you're new to Azure AD Application Proxy and want to learn more, see [Remote access to on-premises applications through Azure AD Application Proxy](application-proxy.md).
+If you're new to Microsoft Entra application proxy and want to learn more, see [Remote access to on-premises applications through Microsoft Entra application proxy](application-proxy.md).
-Azure AD Application Proxy is built on Azure. It gives you a massive amount of network bandwidth and server infrastructure for better protection against distributed denial-of-service (DDOS) attacks and superb availability. Furthermore, there's no need to open external firewall ports to your on-premises network and no DMZ server is required. All traffic is originated inbound. For a complete list of outbound ports, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](./application-proxy-add-on-premises-application.md#prepare-your-on-premises-environment).
+Microsoft Entra application proxy is built on Azure. It gives you a massive amount of network bandwidth and server infrastructure for better protection against distributed denial-of-service (DDOS) attacks and superb availability. Furthermore, there's no need to open external firewall ports to your on-premises network and no DMZ server is required. All traffic is originated inbound. For a complete list of outbound ports, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](./application-proxy-add-on-premises-application.md#prepare-your-on-premises-environment).
-> Azure AD Application Proxy is a feature that is available only if you are using the Premium or Basic editions of Azure Active Directory. For more information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+> Microsoft Entra application proxy is a feature that is available only if you are using the Premium or Basic editions of Microsoft Entra ID. For more information, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
> If you have Enterprise Mobility Suite (EMS) licenses, you are eligible to use this solution.
-> The Azure AD Application Proxy connector only installs on Windows Server 2012 R2 or later. This is also a requirement of the NDES server.
+> The Microsoft Entra application proxy connector only installs on Windows Server 2012 R2 or later. This is also a requirement of the NDES server.
## Install and register the connector on the NDES server
Azure AD Application Proxy is built on Azure. It gives you a massive amount of n
![Download connector service to see the Terms of Service](./media/app-proxy-protect-ndes/application-proxy-download-connector-service.png) 1. Read the Terms of Service. When you're ready, select **Accept terms & Download**.
-1. Copy the Azure AD Application Proxy connector setup file to your NDES server.
+1. Copy the Microsoft Entra application proxy connector setup file to your NDES server.
> You can install the connector on any server within your corporate network with access to NDES. You don't have to install it on the NDES server itself. 1. Run the setup file, such as *AADApplicationProxyConnectorInstaller.exe*. Accept the software license terms.
-1. During the install, you're prompted to register the connector with the Application Proxy in your Azure AD directory.
- * Provide the credentials for a global or application administrator in your Azure AD directory. The Azure AD global or application administrator credentials may be different from your Azure credentials in the portal.
+1. During the install, you're prompted to register the connector with the Application Proxy in your Microsoft Entra directory.
+ * Provide the credentials for a global or application administrator in your Microsoft Entra directory. The Microsoft Entra global or application administrator credentials may be different from your Azure credentials in the portal.
> [!NOTE] > The global or application administrator account used to register the connector must belong to the same directory where you enable the Application Proxy service. >
- > For example, if the Azure AD domain is *contoso.com*, the global/application administrator should be `admin@contoso.com` or another valid alias on that domain.
+ > For example, if the Microsoft Entra domain is *contoso.com*, the global/application administrator should be `admin@contoso.com` or another valid alias on that domain.
* If Internet Explorer Enhanced Security Configuration is turned on for the server where you install the connector, the registration screen might be blocked. To allow access, follow the instructions in the error message, or turn off Internet Explorer Enhanced Security during the install process. * If connector registration fails, see [Troubleshoot Application Proxy](application-proxy-troubleshoot.md).
-1. At the end of the setup, a note is shown for environments with an outbound proxy. To configure the Azure AD Application Proxy connector to work through the outbound proxy, run the provided script, such as `C:\Program Files\Microsoft AAD App Proxy connector\ConfigureOutBoundProxy.ps1`.
+1. At the end of the setup, a note is shown for environments with an outbound proxy. To configure the Microsoft Entra application proxy connector to work through the outbound proxy, run the provided script, such as `C:\Program Files\Microsoft AAD App Proxy connector\ConfigureOutBoundProxy.ps1`.
1. On the Application proxy page in the Microsoft Entra admin center, the new connector is listed with a status of *Active*, as shown in the following example:
- ![The new Azure AD Application Proxy connector shown as active in the Microsoft Entra admin center](./media/app-proxy-protect-ndes/connected-app-proxy.png)
+ ![The new Microsoft Entra application proxy connector shown as active in the Microsoft Entra admin center](./media/app-proxy-protect-ndes/connected-app-proxy.png)
> [!NOTE]
- > To provide high availability for applications authenticating through the Azure AD Application Proxy, you can install connectors on multiple VMs. Repeat the same steps listed in the previous section to install the connector on other servers joined to the Azure AD DS managed domain.
+ > To provide high availability for applications authenticating through the Microsoft Entra application proxy, you can install connectors on multiple VMs. Repeat the same steps listed in the previous section to install the connector on other servers joined to the Microsoft Entra DS managed domain.
1. After successful installation, go back to the Microsoft Entra admin center.
Azure AD Application Proxy is built on Azure. It gives you a massive amount of n
1. Select **+Add** to save your application.
-1. Test whether you can access your NDES server via the Azure AD Application proxy by pasting the link you copied in step 15 into a browser. You should see a default IIS welcome page.
+1. Test whether you can access your NDES server via the Microsoft Entra application proxy by pasting the link you copied in step 15 into a browser. You should see a default IIS welcome page.
1. As a final test, add the *mscep.dll* path to the existing URL you pasted in the previous step: `https://scep-test93635307549127448334.msappproxy.net/certsrv/mscep/mscep.dll` 1. You should see an **HTTP Error 403 ΓÇô Forbidden** response.
Azure AD Application Proxy is built on Azure. It gives you a massive amount of n
## Next steps
-With the Azure AD Application Proxy integrated with NDES, publish applications for users to access. For more information, see [publish applications using Azure AD Application Proxy](./application-proxy-add-on-premises-application.md).
+With the Microsoft Entra application proxy integrated with NDES, publish applications for users to access. For more information, see [publish applications using Microsoft Entra application proxy](./application-proxy-add-on-premises-application.md).
active-directory Application Proxy Add On Premises Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-add-on-premises-application.md
Title: Tutorial - Add an on-premises app - Application Proxy in Azure Active Directory
-description: Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. This tutorial shows you how to prepare your environment for use with Application Proxy. Then, it uses the Microsoft Entra admin center to add an on-premises application to your Azure AD tenant.
+ Title: Tutorial - Add an on-premises app - Application Proxy in Microsoft Entra ID
+description: Microsoft Entra ID has an Application Proxy service that enables users to access on-premises applications by signing in with their Microsoft Entra account. This tutorial shows you how to prepare your environment for use with Application Proxy. Then, it uses the Microsoft Entra admin center to add an on-premises application to your Microsoft Entra tenant.
-# Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory
+# Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID
-Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. To learn more about Application Proxy, see [What is App Proxy?](what-is-application-proxy.md). This tutorial prepares your environment for use with Application Proxy. Once your environment is ready, use the Entra admin center to add an on-premises application to your tenant.
+Microsoft Entra ID has an Application Proxy service that enables users to access on-premises applications by signing in with their Microsoft Entra account. To learn more about Application Proxy, see [What is App Proxy?](what-is-application-proxy.md). This tutorial prepares your environment for use with Application Proxy. Once your environment is ready, use the Microsoft Entra admin center to add an on-premises application to your tenant.
:::image type="content" source="./media/application-proxy-add-on-premises-application/app-proxy-diagram.png" alt-text="Application Proxy Overview Diagram" lightbox="./media/application-proxy-add-on-premises-application/app-proxy-diagram.png"::: Before you get started, make sure you're familiar with app management and **single sign-on (SSO)** concepts. Check out the following links:-- [Quickstart Series on App Management in Azure AD](../manage-apps/view-applications-portal.md)
+- [Quickstart Series on App Management in Microsoft Entra ID](../manage-apps/view-applications-portal.md)
- [What is single sign-on (SSO)?](../manage-apps/what-is-single-sign-on.md)
-Connectors are a key part of Application Proxy. To learn more about connectors, see [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md).
+Connectors are a key part of Application Proxy. To learn more about connectors, see [Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md).
This tutorial:
This tutorial:
> * Opens ports for outbound traffic and allows access to specific URLs > * Installs the connector on your Windows server, and registers it with Application Proxy > * Verifies the connector installed and registered correctly
-> * Adds an on-premises application to your Azure AD tenant
-> * Verifies a test user can sign on to the application by using an Azure AD account
+> * Adds an on-premises application to your Microsoft Entra tenant
+> * Verifies a test user can sign on to the application by using a Microsoft Entra account
## Prerequisites
-To add an on-premises application to Azure AD, you need:
+To add an on-premises application to Microsoft Entra ID, you need:
-* A [Microsoft Azure AD premium subscription](https://azure.microsoft.com/pricing/details/active-directory)
+* A [Microsoft Entra ID P1 or P2 subscription](https://azure.microsoft.com/pricing/details/active-directory)
* An application administrator account
-* User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants. Identity synchronization allows Azure AD to preauthenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
+* User identities must be synchronized from an on-premises directory or created directly within your Microsoft Entra tenants. Identity synchronization allows Microsoft Entra ID to preauthenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
### Windows server
For high availability in your production environment, we recommend having more t
#### Recommendations for the connector server
-1. Physically locate the connector server close to the application servers to optimize performance between the connector and the application. For more information, see [Optimize traffic flow with Azure Active Directory Application Proxy](application-proxy-network-topology.md).
+1. Physically locate the connector server close to the application servers to optimize performance between the connector and the application. For more information, see [Optimize traffic flow with Microsoft Entra application proxy](application-proxy-network-topology.md).
1. The connector server and the web applications servers should belong to the same Active Directory domain or span trusting domains. Having the servers in the same domain or trusting domains is a requirement for using single sign-on (SSO) with integrated Windows authentication (IWA) and Kerberos Constrained Delegation (KCD). If the connector server and web application servers are in different Active Directory domains, you need to use resource-based delegation for single sign-on. For more information, see [KCD for single sign-on with Application Proxy](./application-proxy-configure-single-sign-on-with-kcd.md). > [!WARNING]
-> If you've deployed Azure AD Password Protection Proxy, do not install Azure AD Application Proxy and Azure AD Password Protection Proxy together on the same machine. Azure AD Application Proxy and Azure AD Password Protection Proxy install different versions of the Azure AD Connect Agent Updater service. These different versions are incompatible when installed together on the same machine.
+> If you've deployed Microsoft Entra Password Protection Proxy, do not install Microsoft Entra application proxy and Microsoft Entra Password Protection Proxy together on the same machine. Microsoft Entra application proxy and Microsoft Entra Password Protection Proxy install different versions of the Microsoft Entra Connect Agent Updater service. These different versions are incompatible when installed together on the same machine.
#### TLS requirements
To enable TLS 1.2:
## Prepare your on-premises environment
-Start by enabling communication to Azure data centers to prepare your environment for Azure AD Application Proxy. If there's a firewall in the path, make sure it's open. An open firewall allows the connector to make HTTPS (TCP) requests to the Application Proxy.
+Start by enabling communication to Azure data centers to prepare your environment for Microsoft Entra application proxy. If there's a firewall in the path, make sure it's open. An open firewall allows the connector to make HTTPS (TCP) requests to the Application Proxy.
> [!IMPORTANT] > If you are installing the connector for Azure Government cloud follow the [prerequisites](../hybrid/connect/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/connect/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). This requires enabling access to a different set of URLs and an additional parameter to run the installation.
Allow access to the following URLs:
You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other URLs if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week. > [!IMPORTANT]
-> Avoid all forms of inline inspection and termination on outbound TLS communications between Azure AD Application Proxy connectors and Azure AD Application Proxy Cloud services.
+> Avoid all forms of inline inspection and termination on outbound TLS communications between Microsoft Entra application proxy connectors and Microsoft Entra application proxy Cloud services.
-### DNS name resolution for Azure AD Application Proxy endpoints
+<a name='dns-name-resolution-for-azure-ad-application-proxy-endpoints'></a>
-Public DNS records for Azure AD Application Proxy endpoints are chained CNAME records pointing to an A record. Setting up the records this way ensures fault tolerance and flexibility. ItΓÇÖs guaranteed that the Azure AD Application Proxy Connector always accesses host names with the domain suffixes `*.msappproxy.net` or `*.servicebus.windows.net`. However, during the name resolution the CNAME records might contain DNS records with different host names and suffixes. Due to the difference, you must ensure that the device (depending on your setup - connector server, firewall, outbound proxy) can resolve all the records in the chain and allows connection to the resolved IP addresses. Since the DNS records in the chain might be changed from time to time, we can't provide you with any list DNS records.
+### DNS name resolution for Microsoft Entra application proxy endpoints
+
+Public DNS records for Microsoft Entra application proxy endpoints are chained CNAME records pointing to an A record. Setting up the records this way ensures fault tolerance and flexibility. ItΓÇÖs guaranteed that the Microsoft Entra application proxy Connector always accesses host names with the domain suffixes `*.msappproxy.net` or `*.servicebus.windows.net`. However, during the name resolution the CNAME records might contain DNS records with different host names and suffixes. Due to the difference, you must ensure that the device (depending on your setup - connector server, firewall, outbound proxy) can resolve all the records in the chain and allows connection to the resolved IP addresses. Since the DNS records in the chain might be changed from time to time, we can't provide you with any list DNS records.
## Install and register a connector [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-To use Application Proxy, install a connector on each Windows server you're using with the Application Proxy service. The connector is an agent that manages the outbound connection from the on-premises application servers to Application Proxy in Azure AD. You can install a connector on servers that also have other authentication agents installed such as Azure AD Connect.
+To use Application Proxy, install a connector on each Windows server you're using with the Application Proxy service. The connector is an agent that manages the outbound connection from the on-premises application servers to Application Proxy in Microsoft Entra ID. You can install a connector on servers that also have other authentication agents installed such as Microsoft Entra Connect.
To install the connector:
To install the connector:
1. Read the Terms of Service. When you're ready, select **Accept terms & Download**. 1. At the bottom of the window, select **Run** to install the connector. An install wizard opens.
-1. Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Azure AD tenant, provide your application administrator credentials.
+1. Follow the instructions in the wizard to install the service. When you're prompted to register the connector with the Application Proxy for your Microsoft Entra tenant, provide your application administrator credentials.
- For Internet Explorer (IE), if **IE Enhanced Security Configuration** is set to **On**, you may not see the registration screen. To get access, follow the instructions in the error message. Make sure that **Internet Explorer Enhanced Security Configuration** is set to **Off**.
If you've previously installed a connector, reinstall to get the latest version.
If you choose to have more than one Windows server for your on-premises applications, you need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see [Connector groups](./application-proxy-connector-groups.md).
-If you have installed connectors in different regions, you can optimize traffic by selecting the closest Application Proxy cloud service region to use with each connector group, see [Optimize traffic flow with Azure Active Directory Application Proxy](application-proxy-network-topology.md)
+If you have installed connectors in different regions, you can optimize traffic by selecting the closest Application Proxy cloud service region to use with each connector group, see [Optimize traffic flow with Microsoft Entra application proxy](application-proxy-network-topology.md)
If your organization uses proxy servers to connect to the internet, you need to configure them for Application Proxy. For more information, see [Work with existing on-premises proxy servers](./application-proxy-configure-connectors-with-proxy-servers.md).
-For information about connectors, capacity planning, and how they stay up-to-date, see [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md).
+For information about connectors, capacity planning, and how they stay up-to-date, see [Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md).
## Verify the connector installed and registered correctly
To confirm the connector installed and registered correctly:
1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**. 1. View a connector to verify its details. The connectors should be expanded by default. If the connector you want to view isn't expanded, expand the connector to view the details. An active green label indicates that your connector can connect to the service. However, even though the label is green, a network issue could still block the connector from receiving messages.
- ![Azure AD Application Proxy Connectors](./media/application-proxy-add-on-premises-application/app-proxy-connectors.png)
+ ![Microsoft Entra application proxy Connectors](./media/application-proxy-add-on-premises-application/app-proxy-connectors.png)
For more help with installing a connector, see [Problem installing the Application Proxy Connector](./application-proxy-connector-installation-problem.md).
To confirm the connector installed and registered correctly:
1. Open the Windows Services Manager by clicking the **Windows** key and entering *services.msc*. 1. Check to see if the status for the following two services is **Running**.
- - **Microsoft AAD Application Proxy Connector** enables connectivity.
- - **Microsoft AAD Application Proxy Connector Updater** is an automated update service. The updater checks for new versions of the connector and updates the connector as needed.
+ - **Microsoft Entra application proxy Connector** enables connectivity.
+ - **Microsoft Entra application proxy Connector Updater** is an automated update service. The updater checks for new versions of the connector and updates the connector as needed.
![App Proxy Connector services - screenshot](./media/application-proxy-add-on-premises-application/app_proxy_services.png) 1. If the status for the services isn't **Running**, right-click to select each service and choose **Start**.
-## Add an on-premises app to Azure AD
+<a name='add-an-on-premises-app-to-azure-ad'></a>
+
+## Add an on-premises app to Microsoft Entra ID
-Now that you've prepared your environment and installed a connector, you're ready to add on-premises applications to Azure AD.
+Now that you've prepared your environment and installed a connector, you're ready to add on-premises applications to Microsoft Entra ID.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Select **New application**.
Now that you've prepared your environment and installed a connector, you're read
| **Name** | The name of the application that appears on My Apps and in the Microsoft Entra admin center. | | **Maintenance Mode** | Select if you would like to enable maintenance mode and temporarily disable access for all users to the application. | | **Internal URL** | The URL for accessing the application from inside your private network. You can provide a specific path on the backend server to publish, while the rest of the server is unpublished. In this way, you can publish different sites on the same server as different apps, and give each one its own name and access rules.<br><br>If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your application. For example, if your app is at `https://yourapp/app` and uses images located at `https://yourapp/media`, then you should publish `https://yourapp/` as the path. This internal URL doesn't have to be the landing page your users see. For more information, see [Set a custom home page for published apps](application-proxy-configure-custom-home-page.md). |
- | **External URL** | The address for users to access the app from outside your network. If you don't want to use the default Application Proxy domain, read about [custom domains in Azure AD Application Proxy](./application-proxy-configure-custom-domain.md). |
- | **Pre Authentication** | How Application Proxy verifies users before giving them access to your application.<br><br>**Azure Active Directory** - Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Azure AD security features like Conditional Access and Multi-Factor Authentication. **Azure Active Directory** is required for monitoring the application with Microsoft Defender for Cloud Apps.<br><br>**Passthrough** - Users don't have to authenticate against Azure AD to access the application. You can still set up authentication requirements on the backend. |
+ | **External URL** | The address for users to access the app from outside your network. If you don't want to use the default Application Proxy domain, read about [custom domains in Microsoft Entra application proxy](./application-proxy-configure-custom-domain.md). |
+ | **Pre Authentication** | How Application Proxy verifies users before giving them access to your application.<br><br>**Microsoft Entra ID** - Application Proxy redirects users to sign in with Microsoft Entra ID, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Microsoft Entra security features like Conditional Access and Multi-Factor Authentication. **Microsoft Entra ID** is required for monitoring the application with Microsoft Defender for Cloud Apps.<br><br>**Passthrough** - Users don't have to authenticate against Microsoft Entra ID to access the application. You can still set up authentication requirements on the backend. |
| **Connector Group** | Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don't have any connector groups created yet, your app is assigned to **Default**.<br><br>If your application uses WebSockets to connect, all connectors in the group must be version 1.5.612.0 or later. | 1. If necessary, configure **Additional settings**. For most applications, you should keep these settings in their default states.
Now that you've prepared your environment and installed a connector, you're read
| : | :-- | | **Backend Application Timeout** | Set this value to **Long** only if your application is slow to authenticate and connect. At default, the backend application timeout has a length of 85 seconds. When set too long, the backend timeout is increased to 180 seconds. | | **Use HTTP-Only Cookie** | Select to have Application Proxy cookies include the HTTPOnly flag in the HTTP response header. If using Remote Desktop Services, keep the option unselected. |
- | **Use Persistent Cookie**| Keep the option unselected. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](./application-proxy-configure-cookie-settings.md).
+ | **Use Persistent Cookie**| Keep the option unselected. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Microsoft Entra ID](./application-proxy-configure-cookie-settings.md).
| **Translate URLs in Headers** | Keep the option selected unless your application required the original host header in the authentication request. |
- | **Translate URLs in Application Body** | Keep the option unselected unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](./application-proxy-configure-hard-coded-link-translation.md).<br><br>Select if you plan to monitor this application with Microsoft Defender for Cloud Apps. For more information, see [Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory](./application-proxy-integrate-with-microsoft-cloud-application-security.md). |
+ | **Translate URLs in Application Body** | Keep the option unselected unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](./application-proxy-configure-hard-coded-link-translation.md).<br><br>Select if you plan to monitor this application with Microsoft Defender for Cloud Apps. For more information, see [Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Microsoft Entra ID](./application-proxy-integrate-with-microsoft-cloud-application-security.md). |
| **Validate Backend SSL Certificate** | Select to enable backend SSL certificate validation for the application. | 1. Select **Add**.
Don't forget to delete any of the resources you created in this tutorial when yo
## Next steps
-In this tutorial, you prepared your on-premises environment to work with Application Proxy, and then installed and registered the Application Proxy connector. Next, you added an application to your Azure AD tenant. You verified that a user can sign on to the application by using an Azure AD account.
+In this tutorial, you prepared your on-premises environment to work with Application Proxy, and then installed and registered the Application Proxy connector. Next, you added an application to your Microsoft Entra tenant. You verified that a user can sign on to the application by using a Microsoft Entra account.
You did these things: > [!div class="checklist"] > * Opened ports for outbound traffic and allowed access to specific URLs > * Installed the connector on your Windows server, and registered it with Application Proxy > * Verified the connector installed and registered correctly
-> * Added an on-premises application to your Azure AD tenant
-> * Verified a test user can sign on to the application by using an Azure AD account
+> * Added an on-premises application to your Microsoft Entra tenant
+> * Verified a test user can sign on to the application by using a Microsoft Entra account
You're ready to configure the application for single sign-on. Use the following link to choose a single sign-on method and to find single sign-on tutorials.
active-directory Application Proxy Application Gateway Waf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-application-gateway-waf.md
Title: Using Application Gateway WAF to protect your application
-description: How to add Web Application Firewall protection for apps published with Azure Active Directory Application Proxy.
+description: How to add Web Application Firewall protection for apps published with Microsoft Entra application proxy.
# Using Application Gateway WAF to protect your application
-When using Azure Active Directory (Azure AD) Application Proxy to expose applications deployed on-premises, on sealed Azure Virtual Networks, or in other public clouds, you can integrate a Web Application Firewall (WAF) in the data flow in order to protect your application from malicious attacks.
+When using Microsoft Entra application proxy to expose applications deployed on-premises, on sealed Azure Virtual Networks, or in other public clouds, you can integrate a Web Application Firewall (WAF) in the data flow in order to protect your application from malicious attacks.
## What is Azure Web Application Firewall?
Azure Web Application Firewall (WAF) on Azure Application Gateway provides centr
## Deployment steps
-This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure WAF on Application Gateway. In this guide we'll be using the Microsoft Entra admin center. The reference architecture for this deployment is represented below.
+This article guides you through the steps to securely expose a web application on the Internet, by integrating the Microsoft Entra application proxy with Azure WAF on Application Gateway. In this guide we'll be using the Microsoft Entra admin center. The reference architecture for this deployment is represented below.
![Diagram of deployment described.](./media/application-proxy-waf/application-proxy-waf.png)
This will determine how requests will reach the backend pool servers.
![Screenshot of enabling waf in Application Gateway.](./media/application-proxy-waf/application-gateway-enable-waf.png)
- ### Configure your application to be remotely accessed through Application Proxy in Azure AD.
+ <a name='configure-your-application-to-be-remotely-accessed-through-application-proxy-in-azure-ad'></a>
+
+### Configure your application to be remotely accessed through Application Proxy in Microsoft Entra ID.
As represented in the diagram above, both connector VMs, the Application Gateway, and the backend servers were deployed in the same VNET in Azure. This setup also applies to applications and connectors deployed on-premises.
-For a detailed guide on how to add your application to Application Proxy in Azure AD, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory][appproxy-add-app]. For more information about performance considerations concerning the Application Proxy connectors, see [Optimize traffic flow with Azure Active Directory Application Proxy][appproxy-optimize].
+For a detailed guide on how to add your application to Application Proxy in Microsoft Entra ID, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID][appproxy-add-app]. For more information about performance considerations concerning the Application Proxy connectors, see [Optimize traffic flow with Microsoft Entra application proxy][appproxy-optimize].
![Screenshot of Application Proxy configuration.](./media/application-proxy-waf/application-proxy-configuration.png)
-In this example, the same URL was configured as the internal and external URL. Remote clients will access the application over the Internet on port 443, through the Application Proxy, whereas clients connected to the corporate network will access the application privately through the Application Gateway directly, also on port 443. For a detailed step on how to configure custom domains in Application Proxy, see [Configure custom domains with Azure AD Application Proxy][appproxy-custom-domain].
+In this example, the same URL was configured as the internal and external URL. Remote clients will access the application over the Internet on port 443, through the Application Proxy, whereas clients connected to the corporate network will access the application privately through the Application Gateway directly, also on port 443. For a detailed step on how to configure custom domains in Application Proxy, see [Configure custom domains with Microsoft Entra application proxy][appproxy-custom-domain].
To ensure the connector VMs send requests to the Application Gateway, an [Azure Private DNS zone][private-dns] was created with an A record pointing www.fabrikam.one to the private frontend IP of the Application Gateway. ### Test the application.
-After [adding a user for testing](./application-proxy-add-on-premises-application.md#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Azure AD, and upon successful authentication, will access the application.
+After [adding a user for testing](./application-proxy-add-on-premises-application.md#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Microsoft Entra ID, and upon successful authentication, will access the application.
![Screenshot of authentication step.](./media/application-proxy-waf/sign-in-2.png) ![Screenshot of server response.](./media/application-proxy-waf/application-gateway-response.png)
To prevent false positives, learn how to [Customize Web Application Firewall rul
[appproxy-optimize]: ./application-proxy-network-topology.md [appproxy-custom-domain]: ./application-proxy-configure-custom-domain.md [private-dns]: ../../dns/private-dns-getstarted-portal.md
-[waf-logs]: ../../application-gateway/application-gateway-diagnostics.md#firewall-log
+[waf-logs]: ../../application-gateway/application-gateway-diagnostics.md#firewall-log
active-directory Application Proxy Azure Front Door https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-azure-front-door.md
Title: Using Azure Front Door to provide geo-acceleration
-description: How to optimize performance for global connectivity scenarios using Azure Front Door (for Geo-Acceleration) with Azure Active Directory Application Proxy.
+description: How to optimize performance for global connectivity scenarios using Azure Front Door (for Geo-Acceleration) with Microsoft Entra application proxy.
# Using Azure Front Door to achieve geo-acceleration
-This article explains how to configure Azure Active Directory (Azure AD) Application Proxy to work with Azure Front Door (AFD) to achieve reduce latency and better performance.
+This article explains how to configure Microsoft Entra application proxy to work with Azure Front Door (AFD) to achieve reduce latency and better performance.
## What is Azure Front Door?
Azure Front Door helps deliver low-latency, high-throughput content at scale fro
## Deployment steps
-This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure Front Door. In this guide we'll be using the Microsoft Entra admin center. The reference architecture for this deployment is represented below.
+This article guides you through the steps to securely expose a web application on the Internet, by integrating the Microsoft Entra application proxy with Azure Front Door. In this guide we'll be using the Microsoft Entra admin center. The reference architecture for this deployment is represented below.
:::image type="content" source="./media/application-proxy-azure-front-door/azure-front-door.png" alt-text="Diagram of deployment described." lightbox="./media/application-proxy-azure-front-door/azure-front-door.png":::
This article guides you through the steps to securely expose a web application o
- A Front Door Service ΓÇô Standard or Classic tier - Apps that exist in a single region. - A custom domain to use for the application.-- For licensing information, Application Proxy is available through an Azure AD Premium subscription. Refer here for a full listing of licensing options and features: [Azure Active Directory Pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing)
+- For licensing information, Application Proxy is available through a Microsoft Entra ID P1 or P2 subscription. Refer here for a full listing of licensing options and features: [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing)
### Application Proxy Configuration
Follow these steps to configure Application Proxy for Front Door:
1. Install connector for the location that your app instances will be in (For example US West). For the connector group assign the connector to the right region (For example North America). 2. Set up your app instance with Application Proxy as follows: - Set the Internal URL to the address users access the app from the internal network, for example contoso.org
- - Set the External URL to the domain address you want the users to access the app from. For this you must configure a custom domain for our application here, for example, contoso.org. Reference: [Custom domains in Azure Active Directory Application Proxy][appproxy-custom-domain]
+ - Set the External URL to the domain address you want the users to access the app from. For this you must configure a custom domain for our application here, for example, contoso.org. Reference: [Custom domains in Microsoft Entra application proxy][appproxy-custom-domain]
- Assign the application to the appropriate connector group (For example: North America) - Note down the URL generated by Application Proxy to access the application. For example, contoso.msappproxy.net - For the application configure a CNAME Entry in your DNS provider which points the external URL to the Front DoorΓÇÖs endpoint, for example ΓÇÿcontoso.orgΓÇÖ to contoso.msappproxy.net
active-directory Application Proxy Back End Kerberos Constrained Delegation How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md
# Troubleshoot Kerberos constrained delegation configurations for Application Proxy
-The methods available for achieving SSO to published applications can vary from one application to another. One option that Azure Active Directory (Azure AD) Application Proxy offers by default is Kerberos constrained delegation (KCD). You can configure a connector, for your users, to run constrained Kerberos authentication to back-end applications.
+The methods available for achieving SSO to published applications can vary from one application to another. One option that Microsoft Entra application proxy offers by default is Kerberos constrained delegation (KCD). You can configure a connector, for your users, to run constrained Kerberos authentication to back-end applications.
The procedure for enabling KCD is straightforward. It requires no more than a general understanding of the various components and authentication flow that support SSO. But sometimes, KCD SSO doesnΓÇÖt function as expected. You need good sources of information to troubleshoot these scenarios.
This article provides a single point of reference that helps troubleshoot and se
This article makes the following assumptions: -- Deployment of Azure AD Application Proxy per [Get started with Application Proxy](application-proxy-add-on-premises-application.md) and general access to non-KCD applications work as expected.
+- Deployment of Microsoft Entra application proxy per [Get started with Application Proxy](application-proxy-add-on-premises-application.md) and general access to non-KCD applications work as expected.
- The published target application is based on Internet Information Services (IIS) and the Microsoft implementation of Kerberos.-- The server and application hosts reside in a single Azure Active Directory domain. For detailed information on cross-domain and forest scenarios, see the [KCD white paper](https://aka.ms/KCDPaper).
+- The server and application hosts reside in a single Microsoft Entra domain. For detailed information on cross-domain and forest scenarios, see the [KCD white paper](https://aka.ms/KCDPaper).
- The subject application is published in an Azure tenant with pre-authentication enabled. Users are expected to authenticate to Azure via forms-based authentication. Rich client authentication scenarios aren't covered by this article. They might be added at some point in the future. ## Prerequisites
-Azure AD Application Proxy can be deployed into many types of infrastructures or environments. The architectures vary from organization to organization. The most common causes of KCD-related issues aren't the environments. Simple misconfigurations or general mistakes cause most issues.
+Microsoft Entra application proxy can be deployed into many types of infrastructures or environments. The architectures vary from organization to organization. The most common causes of KCD-related issues aren't the environments. Simple misconfigurations or general mistakes cause most issues.
For this reason, it's best to make sure you've met all the prerequisites in [Using KCD SSO with the Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md) before you start troubleshooting. Note the section on configuring Kerberos constrained delegation on 2012R2. This process employs a different approach to configuring KCD on previous versions of Windows. Also, be mindful of these considerations:
The corresponding entries seen in the event log show as events 13019 or 12027. F
1. Use an **A** record in your internal DNS for the applicationΓÇÖs address, not a **CName**. 1. Reconfirm that the connector host has been granted the right to delegate to the designated target accountΓÇÖs SPN. Reconfirm that **Use any authentication protocol** is selected. For more information, see the [SSO configuration article](application-proxy-configure-single-sign-on-with-kcd.md).
-1. Verify that there's only one instance of the SPN in existence in Azure AD. Issue `setspn -x` from a command prompt on any domain member host.
+1. Verify that there's only one instance of the SPN in existence in Microsoft Entra ID. Issue `setspn -x` from a command prompt on any domain member host.
1. Check that a domain policy is enforced that limits the [maximum size of issued Kerberos tokens](/archive/blogs/askds/maxtokensize-and-windows-8-and-windows-server-2012). This policy stops the connector from getting a token if it's found to be excessive. A network trace that captures the exchanges between the connector host and a domain KDC is the next best step to get more low-level detail on the issues. For more information, see the [deep dive Troubleshoot paper](https://aka.ms/proxytshootpaper).
The consumer of the Kerberos ticket provided by the connector. At this stage, ex
- With Kerberos and NTLM in place, temporarily disable pre-authentication for the application in the portal. Try to access it from the internet by using the external URL. You're prompted to authenticate. You're able to do so with the same account used in the previous step. If not, there's a problem with the back-end application, not KCD. - Re-enable pre-authentication in the portal. Authenticate through Azure by attempting to connect to the application via its external URL. If SSO fails, you see a forbidden error message in the browser and event 13022 in the log:
- *Microsoft AAD Application Proxy Connector cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error.*
+ *Microsoft Entra application proxy Connector cannot authenticate the user because the backend server responds to Kerberos authentication attempts with an HTTP 401 error.*
![Shows HTTTP 401 forbidden error](./media/application-proxy-back-end-kerberos-constrained-delegation-how-to/graphic8.png)
- - Check the IIS application. Make sure that the configured application pool and the SPN are configured to use the same account in Azure AD. Navigate in IIS as shown in the following illustration:
+ - Check the IIS application. Make sure that the configured application pool and the SPN are configured to use the same account in Microsoft Entra ID. Navigate in IIS as shown in the following illustration:
![IIS application configuration window](./media/application-proxy-back-end-kerberos-constrained-delegation-how-to/graphic9.png)
The consumer of the Kerberos ticket provided by the connector. At this stage, ex
![Shows the SetSPN command window](./media/application-proxy-back-end-kerberos-constrained-delegation-how-to/graphic10.png)
- - Check the SPN defined against the applicationΓÇÖs settings in the portal. Make sure that the same SPN configured against the target Azure AD account is used by the applicationΓÇÖs app pool.
+ - Check the SPN defined against the applicationΓÇÖs settings in the portal. Make sure that the same SPN configured against the target Microsoft Entra account is used by the applicationΓÇÖs app pool.
![SPN configuration in the Microsoft Entra admin center](./media/application-proxy-back-end-kerberos-constrained-delegation-how-to/graphic11.png)
If you leave Kernel mode enabled, it improves the performance of Kerberos operat
- As an additional check, disable **Extended** protection too. In some scenarios, **Extended** protection broke KCD when it was enabled in specific configurations. In those cases, an application was published as a subfolder of the default website. This application is configured for anonymous authentication only. All the dialogs are grayed out, which suggests child objects wouldn't inherit any active settings. We recommend that you test, but donΓÇÖt forget to restore this value to **enabled**, where possible.
- This additional check puts you on track to use your published application. You can spin up additional connectors that are also configured to delegate. For more information, read the more in-depth technical walk-through, [Troubleshooting the Azure AD Application Proxy](https://aka.ms/proxytshootpaper).
+ This additional check puts you on track to use your published application. You can spin up additional connectors that are also configured to delegate. For more information, read the more in-depth technical walk-through, [Troubleshooting the Microsoft Entra application proxy](https://aka.ms/proxytshootpaper).
If you still can't make progress, Microsoft support can assist you. Create a support ticket directly within the portal. An engineer will contact you.
active-directory Application Proxy Config How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-how-to.md
Title: How to configure an Azure Active Directory Application Proxy application
-description: Learn how to create and configure an Azure Active Directory Application Proxy application in a few simple steps
+ Title: How to configure a Microsoft Entra application proxy application
+description: Learn how to create and configure a Microsoft Entra application proxy application in a few simple steps
# How to configure an Application Proxy application
-This article helps you to understand how to configure an Application Proxy application within Azure AD to expose your on-premises applications to the cloud.
+This article helps you to understand how to configure an Application Proxy application within Microsoft Entra ID to expose your on-premises applications to the cloud.
## Recommended documents
-To learn about the initial configurations and creation of an Application Proxy application through the Admin Portal, follow the [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md).
+To learn about the initial configurations and creation of an Application Proxy application through the Admin Portal, follow the [Publish applications using Microsoft Entra application proxy](application-proxy-add-on-premises-application.md).
For details on configuring Connectors, see [Enable Application Proxy in the Microsoft Entra admin center](application-proxy-add-on-premises-application.md).
-For information on uploading certificates and using custom domains, see [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
+For information on uploading certificates and using custom domains, see [Working with custom domains in Microsoft Entra application proxy](application-proxy-configure-custom-domain.md).
## Create the Application/Setting the URLs
-If you are following the steps in the [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md) documentation and are getting an error creating the application, see the error details for information and suggestions for how to fix the application. Most error messages include a suggested fix. To avoid common errors, verify:
+If you are following the steps in the [Publish applications using Microsoft Entra application proxy](application-proxy-add-on-premises-application.md) documentation and are getting an error creating the application, see the error details for information and suggestions for how to fix the application. Most error messages include a suggested fix. To avoid common errors, verify:
- You are an administrator with permission to create an Application Proxy application - The internal URL is unique
If your connectors are inactive, this means that they are unable to reach the se
## Upload certificates for custom domains
-Custom Domains allow you to specify the domain of your external URLs. To use custom domains, you need to upload the certificate for that domain. For information on using custom domains and certificates, see [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
+Custom Domains allow you to specify the domain of your external URLs. To use custom domains, you need to upload the certificate for that domain. For information on using custom domains and certificates, see [Working with custom domains in Microsoft Entra application proxy](application-proxy-configure-custom-domain.md).
If you are encountering issues uploading your certificate, look for the error messages in the portal for additional information on the problem with the certificate. Common certificate problems include:
The error message display in the top-right corner as you try to upload the certi
## Next steps
-[Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md)
+[Publish applications using Microsoft Entra application proxy](application-proxy-add-on-premises-application.md)
active-directory Application Proxy Config Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-problem.md
Title: Problem creating an Azure Active Directory Application Proxy application
+ Title: Problem creating a Microsoft Entra application proxy application
description: How to troubleshoot issues creating Application Proxy applications in the Microsoft Entra admin center
Below are some of the common issues people face when creating a new application
## Recommended documents
-To learn more about creating an Application Proxy application through the Admin Portal, see [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md).
+To learn more about creating an Application Proxy application through the Admin Portal, see [Publish applications using Microsoft Entra application proxy](application-proxy-add-on-premises-application.md).
If you are following the steps in that document and are getting an error creating the application, see the error details for information and suggestions for how to fix the application. Most error messages include a suggested fix.
active-directory Application Proxy Config Sso How To https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-config-sso-how-to.md
# How to configure single sign-on to an Application Proxy application
-Single sign-on (SSO) allows your users to access an application without authenticating multiple times. It allows the single authentication to occur in the cloud, against Azure Active Directory, and allows the service or Connector to impersonate the user to complete any additional authentication challenges from the application.
+Single sign-on (SSO) allows your users to access an application without authenticating multiple times. It allows the single authentication to occur in the cloud, against Microsoft Entra ID, and allows the service or Connector to impersonate the user to complete any additional authentication challenges from the application.
## How to configure single-sign on
-To configure SSO, first make sure that your application is configured for Pre-Authentication through Azure Active Directory.
+To configure SSO, first make sure that your application is configured for Pre-Authentication through Microsoft Entra ID.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator). 1. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select **Switch directory** and choose a directory that uses Application Proxy.
For more information on the Pre-Authentication methods, see step 4 of the [app p
## Configuring single sign-on modes for Application Proxy Applications Configure the specific type of single sign-on. The sign-on methods are classified based on what type of authentication the backend application uses. App Proxy applications support three types of sign-on: -- **Password-based sign-on:** Password-based sign-on can be used for any application that uses username and password fields to sign on. Configuration steps are in [Configure password Single sign-on for an Azure AD gallery application](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md).
+- **Password-based sign-on:** Password-based sign-on can be used for any application that uses username and password fields to sign on. Configuration steps are in [Configure password Single sign-on for a Microsoft Entra gallery application](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md).
- **Integrated Windows authentication:** For applications using integrated Windows authentication (IWA), single sign-on is enabled through Kerberos Constrained Delegation (KCD). This method gives Application Proxy Connectors permission in Active Directory to impersonate users, and to send and receive tokens on their behalf. Details on configuring KCD can be found in the [Single Sign-On with KCD documentation](application-proxy-configure-single-sign-on-with-kcd.md). - **Header-based sign-on:** Header-based sign-on is used to provide single sign-on capabilities using HTTP headers. To learn more, see [Header-based single sign-on](application-proxy-configure-single-sign-on-with-headers.md). -- **SAML single sign-on:** With SAML single sign-on, Azure AD authenticates to the application by using the user's Azure AD account. Azure AD communicates the sign-on information to the application through a connection protocol. With SAML-based single sign-on, you can map users to specific application roles based on rules you define in your SAML claims. For information about setting up SAML single sign-on, see [SAML for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-on-premises-apps.md).
+- **SAML single sign-on:** With SAML single sign-on, Microsoft Entra authenticates to the application by using the user's Microsoft Entra account. Microsoft Entra ID communicates the sign-on information to the application through a connection protocol. With SAML-based single sign-on, you can map users to specific application roles based on rules you define in your SAML claims. For information about setting up SAML single sign-on, see [SAML for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-on-premises-apps.md).
Each of these options can be found by going to your application in **Enterprise Applications**, and opening the **Single Sign-On** page on the left menu. Note that if your application was created in the old portal, you may not see all these options.
active-directory Application Proxy Configure Complex Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-complex-application.md
Title: Complex applications for Azure Active Directory Application Proxy
-description: Provides an understanding of complex application in Azure Active Directory Application Proxy, and how to configure one.
+ Title: Complex applications for Microsoft Entra application proxy
+description: Provides an understanding of complex application in Microsoft Entra application proxy, and how to configure one.
-# Understanding Azure Active Directory Application Proxy Complex application scenario (Preview)
+# Understanding Microsoft Entra application proxy Complex application scenario (Preview)
-When applications are made up of multiple individual web application using different domain suffixes or different ports or paths in the URL, the individual web application instances must be published in separate Azure AD Application Proxy apps and the following problems might arise:
-1. Pre-authentication- The client must separately acquire an access token or cookie for each Azure AD Application Proxy app. This might lead to additional redirects to login.microsoftonline.com and CORS issues.
-2. CORS issues- Cross-origin resource sharing calls (OPTIONS request) might be triggered to validate if the caller web app is allowed to access the URL of the targeted web app. These will be blocked by the Azure AD Application Proxy Cloud service, since these requests cannot contain authentication information.
+When applications are made up of multiple individual web application using different domain suffixes or different ports or paths in the URL, the individual web application instances must be published in separate Microsoft Entra application proxy apps and the following problems might arise:
+1. Pre-authentication- The client must separately acquire an access token or cookie for each Microsoft Entra application proxy app. This might lead to additional redirects to login.microsoftonline.com and CORS issues.
+2. CORS issues- Cross-origin resource sharing calls (OPTIONS request) might be triggered to validate if the caller web app is allowed to access the URL of the targeted web app. These will be blocked by the Microsoft Entra application proxy Cloud service, since these requests cannot contain authentication information.
3. Poor app management- Multiple enterprise apps are created to enable access to a private app adding friction to the app management experience. The following figure shows an example for complex application domain structure. :::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-structure-1.png" alt-text="Diagram of domain structure for a complex application showing resource sharing between primary and secondary application.":::
-With [Azure AD Application Proxy](application-proxy.md), you can address this issue by using complex application publishing that is made up of multiple URLs across various domains.
+With [Microsoft Entra application proxy](application-proxy.md), you can address this issue by using complex application publishing that is made up of multiple URLs across various domains.
:::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-flow-1.png" alt-text="Diagram of a Complex application with multiple application segments definition.":::
Before you get started with Application Proxy Complex application scenario apps,
## Configure application segment(s) for complex application. > [!NOTE]
-> Two application segment per complex distributed application are supported for [Microsoft Azure AD premium subscription](https://azure.microsoft.com/pricing/details/active-directory). License requirement for more than two application segments per complex application to be announced soon.
+> Two application segment per complex distributed application are supported for [Microsoft Entra ID P1 or P2 subscription](https://azure.microsoft.com/pricing/details/active-directory). License requirement for more than two application segments per complex application to be announced soon.
To publish complex distributed app through Application Proxy with application segments:
Alternatively, a DNS entry with a CNAME record for every individual application
for example in above instance >`'home.contoso.ashcorp.us'` points to > `home-ashcorp1.msappproxy.net`
-For more detailed instructions for Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).
+For more detailed instructions for Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md).
## See also-- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md) -- [Plan an Azure AD Application Proxy deployment](application-proxy-deployment-plan.md) -- [Remote access to on-premises applications through Azure Active Directory Application Proxy](application-proxy.md)-- [Understand and solve Azure Active Directory Application Proxy CORS issues](application-proxy-understand-cors-issues.md)
+- [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md)
+- [Plan a Microsoft Entra application proxy deployment](application-proxy-deployment-plan.md)
+- [Remote access to on-premises applications through Microsoft Entra application proxy](application-proxy.md)
+- [Understand and solve Microsoft Entra application proxy CORS issues](application-proxy-understand-cors-issues.md)
active-directory Application Proxy Configure Connectors With Proxy Servers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-connectors-with-proxy-servers.md
Title: Work with existing on-premises proxy servers and Azure Active Directory
-description: Covers how to work with existing on-premises proxy servers with Azure Active Directory.
+ Title: Work with existing on-premises proxy servers and Microsoft Entra ID
+description: Covers how to work with existing on-premises proxy servers with Microsoft Entra ID.
# Work with existing on-premises proxy servers
-This article explains how to configure Azure Active Directory (Azure AD) Application Proxy connectors to work with outbound proxy servers. It is intended for customers with network environments that have existing proxies.
+This article explains how to configure Microsoft Entra application proxy connectors to work with outbound proxy servers. It is intended for customers with network environments that have existing proxies.
We start by looking at these main deployment scenarios: * Configure connectors to bypass your on-premises outbound proxies.
-* Configure connectors to use an outbound proxy to access Azure AD Application Proxy.
+* Configure connectors to use an outbound proxy to access Microsoft Entra application proxy.
* Configure using a proxy between the connector and backend application.
-For more information about how connectors work, see [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md).
+For more information about how connectors work, see [Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md).
## Bypass outbound proxies
The OS components attempt to locate a proxy server by carrying out a DNS lookup
You can configure the connector to bypass your on-premises proxy to ensure that it uses direct connectivity to the Azure services. We recommend this approach, as long as your network policy allows for it, because it means that you have one less configuration to maintain.
-To disable outbound proxy usage for the connector, edit the C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config file and add the *system.net* section shown in this code sample:
+To disable outbound proxy usage for the connector, edit the C:\Program Files\Microsoft Azure AD App Proxy Connector\ApplicationProxyConnectorService.exe.config file and add the *system.net* section shown in this code sample:
```xml <?xml version="1.0" encoding="utf-8" ?>
To disable outbound proxy usage for the connector, edit the C:\Program Files\Mic
</configuration> ```
-To ensure that the Connector Updater service also bypasses the proxy, make a similar change to the ApplicationProxyConnectorUpdaterService.exe.config file. This file is located at C:\Program Files\Microsoft AAD App Proxy Connector Updater.
+To ensure that the Connector Updater service also bypasses the proxy, make a similar change to the ApplicationProxyConnectorUpdaterService.exe.config file. This file is located at C:\Program Files\Microsoft Azure AD App Proxy Connector Updater.
Be sure to make copies of the original files, in case you need to revert to the default .config files.
Some environments require all outbound traffic to go through an outbound proxy,
You can configure the connector traffic to go through the outbound proxy, as shown in the following diagram:
- ![Configuring connector traffic to go through an outbound proxy to Azure AD Application Proxy](./media/application-proxy-configure-connectors-with-proxy-servers/configure-proxy-settings.png)
+ ![Configuring connector traffic to go through an outbound proxy to Microsoft Entra application proxy](./media/application-proxy-configure-connectors-with-proxy-servers/configure-proxy-settings.png)
As a result of having only outbound traffic, there's no need to configure inbound access through your firewalls.
As a result of having only outbound traffic, there's no need to configure inboun
If WPAD is enabled in the environment and configured appropriately, the connector automatically discovers the outbound proxy server and attempt to use it. However, you can explicitly configure the connector to go through an outbound proxy.
-To do so, edit the C:\Program Files\Microsoft AAD App Proxy Connector\ApplicationProxyConnectorService.exe.config file, and add the *system.net* section shown in this code sample. Change *proxyserver:8080* to reflect your local proxy server name or IP address, and the port that it's listening on. The value must have the prefix http:// even if you are using an IP address.
+To do so, edit the C:\Program Files\Microsoft Azure AD App Proxy Connector\ApplicationProxyConnectorService.exe.config file, and add the *system.net* section shown in this code sample. Change *proxyserver:8080* to reflect your local proxy server name or IP address, and the port that it's listening on. The value must have the prefix http:// even if you are using an IP address.
```xml <?xml version="1.0" encoding="utf-8" ?>
To do so, edit the C:\Program Files\Microsoft AAD App Proxy Connector\Applicatio
</configuration> ```
-Next, configure the Connector Updater service to use the proxy by making a similar change to the C:\Program Files\Microsoft AAD App Proxy Connector Updater\ApplicationProxyConnectorUpdaterService.exe.config file.
+Next, configure the Connector Updater service to use the proxy by making a similar change to the C:\Program Files\Microsoft Azure AD App Proxy Connector Updater\ApplicationProxyConnectorUpdaterService.exe.config file.
> [!NOTE] > The Connector service evaluates the **defaultProxy** configuration for usage in `%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config`, if the **defaultProxy** is not configured (by default) in ApplicationProxyConnectorService.exe.config. The same applies to the Connector Updater service (ApplicationProxyConnectorUpdaterService.exe.config) too.
To enable this, please follow the next steps:
### Step 1: Add the required registry value to the server 1. To enable using the default proxy add the following registry value (DWORD)
-`UseDefaultProxyForBackendRequests = 1` to the Connector configuration registry key located in "HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft AAD App Proxy Connector".
+`UseDefaultProxyForBackendRequests = 1` to the Connector configuration registry key located in "HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Azure AD App Proxy Connector".
### Step 2: Configure the proxy server manually using netsh command 1. Enable the group policy Make proxy settings per-machine. This is found in: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer. This needs to be set rather than having this policy set to per-user.
The following examples are specific to Message Analyzer, but the principles can
For initial troubleshooting, perform the following steps:
-1. From services.msc, stop the Azure AD Application Proxy Connector service.
+1. From services.msc, stop the Microsoft Entra application proxy Connector service.
- ![Azure AD Application Proxy Connector service in services.msc](./media/application-proxy-configure-connectors-with-proxy-servers/services-local.png)
+ ![Microsoft Entra application proxy Connector service in services.msc](./media/application-proxy-configure-connectors-with-proxy-servers/services-local.png)
1. Run Message Analyzer as an administrator. 1. Select **Start local trace**.
-1. Start the Azure AD Application Proxy Connector service.
+1. Start the Microsoft Entra application proxy Connector service.
1. Stop the network capture. ![Screenshot shows the Stop network capture button](./media/application-proxy-configure-connectors-with-proxy-servers/stop-trace.png)
If you see other response codes, such as 407 or 502, that means that the proxy i
## Next steps
-* [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md)
-* If you have problems with connector connectivity issues, ask your question in the [Microsoft Q&A question page for Azure Active Directory](/answers/topics/azure-active-directory.html) or create a ticket with our support team.
+* [Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md)
+* If you have problems with connector connectivity issues, ask your question in the [Microsoft Q&A question page for Microsoft Entra ID](/answers/topics/azure-active-directory.html) or create a ticket with our support team.
active-directory Application Proxy Configure Cookie Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-cookie-settings.md
Title: Application Proxy cookie settings
-description: Azure Active Directory (Azure AD) has access and session cookies for accessing on-premises applications through Application Proxy. In this article, you'll find out how to use and configure the cookie settings.
+description: Microsoft Entra ID has access and session cookies for accessing on-premises applications through Application Proxy. In this article, you'll find out how to use and configure the cookie settings.
-# Cookie settings for accessing on-premises applications in Azure Active Directory
+# Cookie settings for accessing on-premises applications in Microsoft Entra ID
-Azure Active Directory (Azure AD) has access and session cookies for accessing on-premises applications through Application Proxy. Find out how to use the Application Proxy cookie settings.
+Microsoft Entra ID has access and session cookies for accessing on-premises applications through Application Proxy. Find out how to use the Application Proxy cookie settings.
## What are the cookie settings?
active-directory Application Proxy Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-domain.md
Title: Custom domains in Azure Active Directory Application Proxy
-description: Configure and manage custom domains in Azure Active Directory Application Proxy.
+ Title: Custom domains in Microsoft Entra application proxy
+description: Configure and manage custom domains in Microsoft Entra application proxy.
-# Configure custom domains with Azure AD Application Proxy
+# Configure custom domains with Microsoft Entra application proxy
-When you publish an application through Azure Active Directory Application Proxy, you create an external URL for your users. This URL gets the default domain *yourtenant.msappproxy.net*. For example, if you publish an app named *Expenses* in your tenant named *Contoso*, the external URL is *https:\//expenses-contoso.msappproxy.net*. If you want to use your own domain name instead of *msappproxy.net*, you can configure a custom domain for your application.
+When you publish an application through Microsoft Entra application proxy, you create an external URL for your users. This URL gets the default domain *yourtenant.msappproxy.net*. For example, if you publish an app named *Expenses* in your tenant named *Contoso*, the external URL is *https:\//expenses-contoso.msappproxy.net*. If you want to use your own domain name instead of *msappproxy.net*, you can configure a custom domain for your application.
## Benefits of custom domains It's a good idea to set up custom domains for your apps whenever possible. Some reasons to use custom domains include: -- Links between apps work even outside the corporate network. Without a custom domain, if your app has hard-coded internal links to targets outside the Application Proxy, and the links aren't externally resolvable, they will break. When your internal and external URLs are the same, you avoid this problem. If you're not able to use custom domains, see [Redirect hardcoded links for apps published with Azure AD Application Proxy](./application-proxy-configure-hard-coded-link-translation.md) for other ways to address this issue.
+- Links between apps work even outside the corporate network. Without a custom domain, if your app has hard-coded internal links to targets outside the Application Proxy, and the links aren't externally resolvable, they will break. When your internal and external URLs are the same, you avoid this problem. If you're not able to use custom domains, see [Redirect hardcoded links for apps published with Microsoft Entra application proxy](./application-proxy-configure-hard-coded-link-translation.md) for other ways to address this issue.
- Your users will have an easier experience, because they can get to the app with the same URL from inside or outside your network. They donΓÇÖt need to learn different internal and external URLs, or track their current location.
When you select a custom domain for an external URL, an information bar shows th
## Set up and use custom domains
-To configure an on-premises app to use a custom domain, you need a verified Azure Active Directory custom domain, a PFX certificate for the custom domain, and an on-premises app to configure.
+To configure an on-premises app to use a custom domain, you need a verified Microsoft Entra custom domain, a PFX certificate for the custom domain, and an on-premises app to configure.
> [!IMPORTANT] > You are responsible for maintaining DNS records that redirect your custom domains to the *msappproxy.net* domain. If you choose to later delete your application or tenant, make sure to also delete associated DNS records for Application Proxy to prevent misuse of dangling DNS records.
To create and verify a custom domain:
1. Enter your custom domain name and select **Add Domain**. 1. On the domain page, copy the TXT record information for your domain. 1. Go to your domain registrar and create a new TXT record for your domain, based on your copied DNS information.
-1. After you register the domain, on the domain's page in Azure Active Directory, select **Verify**. Once the domain status is **Verified**, you can use the domain across all your Azure AD configurations, including Application Proxy.
+1. After you register the domain, on the domain's page in Microsoft Entra ID, select **Verify**. Once the domain status is **Verified**, you can use the domain across all your Microsoft Entra configurations, including Application Proxy.
For more detailed instructions, see [Add your custom domain name using the Microsoft Entra admin center](../fundamentals/add-custom-domain.md).
Your application is now set up to use the custom domain. Be sure to assign users
To change the domain for an app, select a different domain from the dropdown list in **External URL** on the app's **Application proxy** page. Upload a certificate for the updated domain, if necessary, and update the DNS record. If you don't see the custom domain you want in the dropdown list in **External URL**, it might not be verified.
-For more detailed instructions for Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md).
+For more detailed instructions for Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](application-proxy-add-on-premises-application.md).
## Certificates for custom domains
When a certificate expires, you get a warning telling you to upload another cert
## Next steps
-* [Enable single sign-on](application-proxy-configure-single-sign-on-with-kcd.md) to your published apps with Azure AD authentication.
+* [Enable single sign-on](application-proxy-configure-single-sign-on-with-kcd.md) to your published apps with Microsoft Entra authentication.
* [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) for your published cloud apps.
active-directory Application Proxy Configure Custom Home Page https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md
Title: Custom home page for published apps - Azure Active Directory Application Proxy
-description: Covers the basics about Azure Active Directory Application Proxy connectors
+ Title: Custom home page for published apps - Microsoft Entra application proxy
+description: Covers the basics about Microsoft Entra application proxy connectors
Last updated 09/14/2023
-# Set a custom home page for published apps by using Azure Active Directory Application Proxy
+# Set a custom home page for published apps by using Microsoft Entra application proxy
-This article discusses how to configure an app to direct a user to a custom home page. When you publish an app with Application Proxy, you set an internal URL, but sometimes that's not the page a user should see first. Set a custom home page so that a user gets the right page when they access the app. A user will see the custom home page that you set, regardless of whether they access the app from the Azure Active Directory My Apps or the Microsoft 365 app launcher.
+This article discusses how to configure an app to direct a user to a custom home page. When you publish an app with Application Proxy, you set an internal URL, but sometimes that's not the page a user should see first. Set a custom home page so that a user gets the right page when they access the app. A user will see the custom home page that you set, regardless of whether they access the app from the Microsoft Entra My Apps or the Microsoft 365 app launcher.
When a user launches the app, they're directed by default to the root domain URL for the published app. The landing page is typically set as the home page URL. Use the Azure AD PowerShell module to define a custom home page URL when you want an app user to land on a specific page within the app.
To install the package, follow these steps:
You get the ObjectId of the app by searching for the app by its display name or home page.
-1. In the same PowerShell window, import the Azure AD module.
+1. In the same PowerShell window, import the Microsoft Entra module.
```powershell Import-Module AzureAD ```
-1. Sign in to the Azure AD module as the tenant administrator.
+1. Sign in to the Microsoft Entra module as the tenant administrator.
```powershell Connect-AzureAD
You get the ObjectId of the app by searching for the app by its display name or
### Update the home page URL
-Create the home page URL, and update your app with that value. Continue using the same PowerShell window, or if you're using a new PowerShell window, sign in to the Azure AD module again using `Connect-AzureAD`. Then follow these steps:
+Create the home page URL, and update your app with that value. Continue using the same PowerShell window, or if you're using a new PowerShell window, sign in to the Microsoft Entra module again using `Connect-AzureAD`. Then follow these steps:
1. Create a variable to hold the ObjectId value you copied in the previous section. (Replace the ObjectId value used for in this SharePoint example with your app's ObjectId value.)
Create the home page URL, and update your app with that value. Continue using th
## Next steps -- [Enable remote access to SharePoint with Azure AD Application Proxy](./application-proxy-integrate-with-sharepoint-server.md)-- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md)
+- [Enable remote access to SharePoint with Microsoft Entra application proxy](./application-proxy-integrate-with-sharepoint-server.md)
+- [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](application-proxy-add-on-premises-application.md)
active-directory Application Proxy Configure For Claims Aware Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-for-claims-aware-applications.md
Title: Claims-aware apps - Azure Active Directory Application Proxy
+ Title: Claims-aware apps - Microsoft Entra application proxy
description: How to publish on-premises ASP.NET applications that accept AD FS claims for secure remote access by your users.
Make sure that the STS that the claims-aware app redirects to is available outsi
1. Publish your application according to the instructions described in [Publish applications with Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md). 2. Navigate to the application page in the portal and select **Single sign-on**.
-3. If you chose **Azure Active Directory** as your **Preauthentication Method**, select **Azure AD single sign-on disabled** as your **Internal Authentication Method**. If you chose **Passthrough** as your **Preauthentication Method**, you don't need to change anything.
+3. If you chose **Microsoft Entra ID** as your **Preauthentication Method**, select **Microsoft Entra single sign-on disabled** as your **Internal Authentication Method**. If you chose **Passthrough** as your **Preauthentication Method**, you don't need to change anything.
## Configure ADFS
If all the internal URLs for your applications are fully qualified domain names
![Add an Endpoint - set Trusted URL value - screenshot](./media/application-proxy-configure-for-claims-aware-applications/appproxyendpointtrustedurl.png) ## Next steps
-* [Enable native client apps to interact with proxy applications](application-proxy-configure-native-client-application.md)
+* [Enable native client apps to interact with proxy applications](application-proxy-configure-native-client-application.md)
active-directory Application Proxy Configure Hard Coded Link Translation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-hard-coded-link-translation.md
Title: Translate links and URLs Azure Active Directory Application Proxy
-description: Learn how to redirect hard-coded links for apps published with Azure Active Directory Application Proxy.
+ Title: Translate links and URLs Microsoft Entra application proxy
+description: Learn how to redirect hard-coded links for apps published with Microsoft Entra application proxy.
-# Redirect hard-coded links for apps published with Azure Active Directory Application Proxy
+# Redirect hard-coded links for apps published with Microsoft Entra application proxy
-Azure AD Application Proxy makes your on-premises apps available to users who are remote or on their own devices. Some apps, however, were developed with local links embedded in the HTML. These links don't work correctly when the app is used remotely. When you have several on-premises applications point to each other, your users expect the links to keep working when they're not at the office.
+Microsoft Entra application proxy makes your on-premises apps available to users who are remote or on their own devices. Some apps, however, were developed with local links embedded in the HTML. These links don't work correctly when the app is used remotely. When you have several on-premises applications point to each other, your users expect the links to keep working when they're not at the office.
The best way to make sure that links work the same both inside and outside of your corporate network is to configure the external URLs of your apps to be the same as their internal URLs. Use [custom domains](application-proxy-configure-custom-domain.md) to configure your external URLs to have your corporate domain name instead of the default application proxy domain.
These three features keep your links working no matter where your users are. Whe
> [!NOTE]
-> The last option is only for tenants that, for whatever reason, can't use custom domains to have the same internal and external URLs for their apps. Before you enable this feature, see if [custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md) can work for you.
+> The last option is only for tenants that, for whatever reason, can't use custom domains to have the same internal and external URLs for their apps. Before you enable this feature, see if [custom domains in Microsoft Entra application proxy](application-proxy-configure-custom-domain.md) can work for you.
> > Or, if the application you need to configure with link translation is SharePoint, see [Configure alternate access mappings for SharePoint 2013](/SharePoint/administration/configure-alternate-access-mappings) for another approach to mapping links.
Getting started with link translation is as easy as clicking a button:
Now, when your users access this application, the proxy will automatically scan for internal URLs that have been published through Application Proxy on your tenant. ## Next steps
-[Use custom domains with Azure AD Application Proxy](application-proxy-configure-custom-domain.md) to have the same internal and external URL
+[Use custom domains with Microsoft Entra application proxy](application-proxy-configure-custom-domain.md) to have the same internal and external URL
[Configure alternate access mappings for SharePoint 2013](/SharePoint/administration/configure-alternate-access-mappings)
active-directory Application Proxy Configure Native Client Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-native-client-application.md
Title: Publish native client apps
-description: Covers how to enable native client apps to communicate with Azure Active Directory Application Proxy Connector to provide secure remote access to your on-premises apps.
+description: Covers how to enable native client apps to communicate with Microsoft Entra application proxy Connector to provide secure remote access to your on-premises apps.
# How to enable native client applications to interact with proxy applications
-You can use Azure Active Directory (Azure AD) Application Proxy to publish web apps, but it also can be used to publish native client applications that are configured with the Microsoft Authentication Library (MSAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
+You can use Microsoft Entra application proxy to publish web apps, but it also can be used to publish native client applications that are configured with the Microsoft Authentication Library (MSAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
-To support native client applications, Application Proxy accepts Azure AD-issued tokens that are sent in the header. The Application Proxy service does the authentication for the users. This solution doesn't use application tokens for authentication.
+To support native client applications, Application Proxy accepts Microsoft Entra ID-issued tokens that are sent in the header. The Application Proxy service does the authentication for the users. This solution doesn't use application tokens for authentication.
-![Relationship between end users, Azure AD, and published applications](./media/application-proxy-configure-native-client-application/richclientflow.png)
+![Relationship between end users, Microsoft Entra ID, and published applications](./media/application-proxy-configure-native-client-application/richclientflow.png)
To publish native applications, use the Microsoft Authentication Library, which takes care of authentication and supports many client environments. Application Proxy fits into the [Desktop app that calls a web API on behalf of a signed-in user](../develop/authentication-flows-app-scenarios.md#desktop-app-that-calls-a-web-api-on-behalf-of-a-signed-in-user) scenario.
Publish your proxy application as you would any other application and assign use
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-You now need to register your application in Azure AD, as follows:
+You now need to register your application in Microsoft Entra ID, as follows:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator). 1. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select **Switch directory** and choose a directory that uses Application Proxy. 1. Browse to **Identity** > **Applications** > **App registrations**. The list of all app registrations appears.
You now need to register your application in Azure AD, as follows:
1. Under **Redirect URI**, select **Public client (mobile & desktop)**, and then type the redirect URI `https://login.microsoftonline.com/common/oauth2/nativeclient` for your application. 1. Select and read the **Microsoft Platform Policies**, and then select **Register**. An overview page for the new application registration is created and displayed.
-For more detailed information about creating a new application registration, see [Integrating applications with Azure Active Directory](../develop/quickstart-register-app.md).
+For more detailed information about creating a new application registration, see [Integrating applications with Microsoft Entra ID](../develop/quickstart-register-app.md).
## Step 3: Grant access to your proxy application
The required info in the sample code can be found in the Microsoft Entra admin c
| Info required | How to find it in the Microsoft Entra admin center | | | |
-| \<Tenant ID> | **Azure Active Directory** > **Properties** > **Directory ID** |
+| \<Tenant ID> | **Microsoft Entra ID** > **Properties** > **Directory ID** |
| \<App ID of the Native app> | **Application registration** > *your native application* > **Overview** > **Application ID** | | \<Scope> | **Application registration** > *your native application* > **API permissions** > Click on the Permission API (user_impersonation) > A panel with the caption **user_impersonation** appears on the right hand side. > The scope is the URL in the edit box. | \<Proxy App URL> | the External URL and path to the API
After you edit the MSAL code with these parameters, your users can authenticate
## Next steps
-For more information about the native application flow, see [mobile](../develop/authentication-flows-app-scenarios.md#mobile-app-that-calls-a-web-api-on-behalf-of-an-interactive-user) and [desktop](../develop/authentication-flows-app-scenarios.md#desktop-app-that-calls-a-web-api-on-behalf-of-a-signed-in-user) apps in Azure Active Directory.
+For more information about the native application flow, see [mobile](../develop/authentication-flows-app-scenarios.md#mobile-app-that-calls-a-web-api-on-behalf-of-an-interactive-user) and [desktop](../develop/authentication-flows-app-scenarios.md#desktop-app-that-calls-a-web-api-on-behalf-of-a-signed-in-user) apps in Microsoft Entra ID.
-Learn about setting up [Single sign-on to applications in Azure Active Directory](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method).
+Learn about setting up [Single sign-on to applications in Microsoft Entra ID](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method).
active-directory Application Proxy Configure Single Sign On On Premises Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md
Title: SAML single sign-on for on-premises apps with Azure Active Directory Application Proxy
+ Title: SAML single sign-on for on-premises apps with Microsoft Entra application proxy
description: Learn how to provide single sign-on for on-premises applications that are secured with SAML authentication. Provide remote access to on-premises apps with Application Proxy.
# SAML single sign-on for on-premises applications with Application Proxy
-You can provide single sign-on (SSO) to on-premises applications that are secured with SAML authentication and provide remote access to these applications through Application Proxy. With SAML single sign-on, Azure Active Directory (Azure AD) authenticates to the application by using the user's Azure AD account. Azure AD communicates the sign-on information to the application through a connection protocol. You can also map users to specific application roles based on rules you define in your SAML claims. By enabling Application Proxy in addition to SAML SSO, your users will have external access to the application and a seamless SSO experience.
+You can provide single sign-on (SSO) to on-premises applications that are secured with SAML authentication and provide remote access to these applications through Application Proxy. With SAML single sign-on, Microsoft Entra authenticates to the application by using the user's Microsoft Entra account. Microsoft Entra ID communicates the sign-on information to the application through a connection protocol. You can also map users to specific application roles based on rules you define in your SAML claims. By enabling Application Proxy in addition to SAML SSO, your users will have external access to the application and a seamless SSO experience.
-The applications must be able to consume SAML tokens issued by **Azure Active Directory**.
-This configuration doesn't apply to applications using an on-premises identity provider. For these scenarios, we recommend reviewing [Resources for migrating applications to Azure AD](../manage-apps/migration-resources.md).
+The applications must be able to consume SAML tokens issued by **Microsoft Entra ID**.
+This configuration doesn't apply to applications using an on-premises identity provider. For these scenarios, we recommend reviewing [Resources for migrating applications to Microsoft Entra ID](../manage-apps/migration-resources.md).
-SAML SSO with Application Proxy also works with the SAML token encryption feature. For more info, see [Configure Azure AD SAML token encryption](../manage-apps/howto-saml-token-encryption.md).
+SAML SSO with Application Proxy also works with the SAML token encryption feature. For more info, see [Configure Microsoft Entra SAML token encryption](../manage-apps/howto-saml-token-encryption.md).
The protocol diagrams below describe the single sign-on sequence for both a service provider-initiated (SP-initiated) flow and an identity provider-initiated (IdP-initiated) flow. Application Proxy works with SAML SSO by caching the SAML request and response to and from the on-premises application.
- ![Diagram shows interactions of Application, Application Proxy, Client, and Azure A D for S P-Initiated single sign-on.](./media/application-proxy-configure-single-sign-on-on-premises-apps/saml-sp-initiated-flow.png)
+ ![Diagram shows interactions of Application, Application Proxy, Client, and Microsoft Entra ID for S P-Initiated single sign-on.](./media/application-proxy-configure-single-sign-on-on-premises-apps/saml-sp-initiated-flow.png)
- ![Diagram shows interactions of Application, Application Proxy, Client, and Azure A D for I d P-Initiated single sign-on.](./media/application-proxy-configure-single-sign-on-on-premises-apps/saml-idp-initiated-flow.png)
+ ![Diagram shows interactions of Application, Application Proxy, Client, and Microsoft Entra ID for I d P-Initiated single sign-on.](./media/application-proxy-configure-single-sign-on-on-premises-apps/saml-idp-initiated-flow.png)
## Create an application and set up SAML SSO
-1. In the Microsoft Entra admin center, select **Azure Active Directory > Enterprise applications** and select **New application**.
+1. In the Microsoft Entra admin center, select **Microsoft Entra ID > Enterprise applications** and select **New application**.
2. Enter the display name for your new application, select **Integrate any other application you don't find in the gallery**, then select **Create**.
The protocol diagrams below describe the single sign-on sequence for both a serv
## Publish the on-premises application with Application Proxy
-Before you can provide SSO for on-premises applications, you need to enable Application Proxy and install a connector. See the tutorial [Add an on-premises application for remote access through Application Proxy in Azure AD](application-proxy-add-on-premises-application.md) to learn how to prepare your on-premises environment, install and register a connector, and test the connector. Then follow these steps to publish your new application with Application Proxy. For other settings not mentioned below, refer to the [Add an on-premises app to Azure AD](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad) section in the tutorial.
+Before you can provide SSO for on-premises applications, you need to enable Application Proxy and install a connector. See the tutorial [Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](application-proxy-add-on-premises-application.md) to learn how to prepare your on-premises environment, install and register a connector, and test the connector. Then follow these steps to publish your new application with Application Proxy. For other settings not mentioned below, refer to the [Add an on-premises app to Microsoft Entra ID](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad) section in the tutorial.
1. With the application still open in the Microsoft Entra admin center, select **Application Proxy**. Provide the **Internal URL** for the application. If you're using a custom domain, you also need to upload the TLS/SSL certificate for your application. > [!NOTE]
- > As a best practice, use custom domains whenever possible for an optimized user experience. Learn more about [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
+ > As a best practice, use custom domains whenever possible for an optimized user experience. Learn more about [Working with custom domains in Microsoft Entra application proxy](application-proxy-configure-custom-domain.md).
-2. Select **Azure Active Directory** as the **Pre Authentication** method for your application.
+2. Select **Microsoft Entra ID** as the **Pre Authentication** method for your application.
3. Copy the **External URL** for the application. You'll need this URL to complete the SAML configuration.
When you've completed all these steps, your app should be up and running. To tes
## Next steps -- [How does Azure AD Application Proxy provide single sign-on?](../manage-apps/what-is-single-sign-on.md)
+- [How does Microsoft Entra application proxy provide single sign-on?](../manage-apps/what-is-single-sign-on.md)
- [Troubleshoot Application Proxy](application-proxy-troubleshoot.md)
active-directory Application Proxy Configure Single Sign On Password Vaulting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md
Title: Single sign-on to apps with Azure Active Directory Application Proxy
-description: Turn on single sign-on for your published on-premises applications with Azure Active Directory Application Proxy in the Microsoft Entra admin center.
+ Title: Single sign-on to apps with Microsoft Entra application proxy
+description: Turn on single sign-on for your published on-premises applications with Microsoft Entra application proxy in the Microsoft Entra admin center.
# Password vaulting for single sign-on with Application Proxy
-Azure Active Directory Application Proxy helps you improve productivity by publishing on-premises applications so that remote employees can securely access them, too. In the Microsoft Entra admin center, you can also set up single sign-on (SSO) to these apps. Your users only need to authenticate with Azure AD, and they can access your enterprise application without having to sign in again.
+Microsoft Entra application proxy helps you improve productivity by publishing on-premises applications so that remote employees can securely access them, too. In the Microsoft Entra admin center, you can also set up single sign-on (SSO) to these apps. Your users only need to authenticate with Microsoft Entra ID, and they can access your enterprise application without having to sign in again.
-Application Proxy supports several [single sign-on modes](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method). Password-based sign-on is intended for applications that use a username/password combination for authentication. When you configure password-based sign-on for your application, your users have to sign in to the on-premises application once. After that, Azure Active Directory stores the sign-in information and automatically provides it to the application when your users access it remotely.
+Application Proxy supports several [single sign-on modes](../manage-apps/plan-sso-deployment.md#choosing-a-single-sign-on-method). Password-based sign-on is intended for applications that use a username/password combination for authentication. When you configure password-based sign-on for your application, your users have to sign in to the on-premises application once. After that, Microsoft Entra ID stores the sign-in information and automatically provides it to the application when your users access it remotely.
-You should already have published and tested your app with Application Proxy. If not, follow the steps in [Publish applications using Azure AD Application Proxy](application-proxy-add-on-premises-application.md) then come back here.
+You should already have published and tested your app with Application Proxy. If not, follow the steps in [Publish applications using Microsoft Entra application proxy](application-proxy-add-on-premises-application.md) then come back here.
## Set up password vaulting for your application
You should already have published and tested your app with Application Proxy. If
1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. 1. From the list, select the app that you want to set up with SSO. 1. Select **Application Proxy**.
-1. Change the **Pre Authentication type** to **Passthrough** and select **Save**. Later you can switch back to **Azure Active Directory** type again!
+1. Change the **Pre Authentication type** to **Passthrough** and select **Save**. Later you can switch back to **Microsoft Entra ID** type again!
1. Select **Single sign-on**. ![Select Single sign-on from the app's overview page](./media/application-proxy-configure-single-sign-on-password-vaulting/select-sso.png)
You should already have published and tested your app with Application Proxy. If
1. Select **Save**. 1. Select **Application Proxy**.
-1. Change the **Pre Authentication type** to **Azure Active Directory** and select **Save**.
+1. Change the **Pre Authentication type** to **Microsoft Entra ID** and select **Save**.
1. Select **Users and Groups**. 1. Assign users to the application with selecting **Add user**. 1. If you want to predefine credentials for a user, check the box front of the user name and select **Update credentials**.
-1. Select **Azure Active Directory** > **App registrations** > **All applications**.
+1. Select **Microsoft Entra ID** > **App registrations** > **All applications**.
1. From the list, select the app that you configured with Password SSO. 1. Select **Branding**. 1. Update the **Home page URL** with the **Sign on URL** from the Password SSO page and select **Save**.
Go to the My Apps portal. Sign in with your credentials (or the credentials for
## Next steps - Read about other ways to implement [Single sign-on](../manage-apps/what-is-single-sign-on.md)-- Learn about [Security considerations for accessing apps remotely with Azure AD Application Proxy](application-proxy-security.md)
+- Learn about [Security considerations for accessing apps remotely with Microsoft Entra application proxy](application-proxy-security.md)
active-directory Application Proxy Configure Single Sign On With Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md
Title: Header-based single sign-on for on-premises apps with Azure AD App Proxy
+ Title: Header-based single sign-on for on-premises apps with Microsoft Entra application proxy
description: Learn how to provide single sign-on for on-premises applications that are secured with header-based authentication.
-# Header-based single sign-on for on-premises apps with Azure AD App Proxy
+# Header-based single sign-on for on-premises apps with Microsoft Entra application proxy
-Azure Active Directory (Azure AD) Application Proxy natively supports single sign-on access to applications that use headers for authentication. You can configure header values required by your application in Azure AD. The header values will be sent down to the application via Application Proxy. Some benefits to using native support for header-based authentication with Application Proxy include:
+Microsoft Entra application proxy natively supports single sign-on access to applications that use headers for authentication. You can configure header values required by your application in Microsoft Entra ID. The header values will be sent down to the application via Application Proxy. Some benefits to using native support for header-based authentication with Application Proxy include:
* **Simplify providing remote access to your on-premises apps** - App Proxy allows you to simplify your existing remote access architecture. You can replace VPN access to these apps. You can also remove dependencies on on-premises identity solutions for authentication. Your users won't notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. * **No additional software or changes to your apps** - You can use your existing Application Proxy connectors and it doesn't require any additional software to be installed.
-* **Wide list of attributes and transformations available** - All header values available are based on standard claims that are issued by Azure AD. All attributes and transformations available for [configuring claims for SAML or OIDC applications](../develop/saml-claims-customization.md#attributes) are also available to be used as header values.
+* **Wide list of attributes and transformations available** - All header values available are based on standard claims that are issued by Microsoft Entra ID. All attributes and transformations available for [configuring claims for SAML or OIDC applications](../develop/saml-claims-customization.md#attributes) are also available to be used as header values.
## Pre-requisites Before you get started with single sign-on for header-based authentication apps, make sure your environment is ready with the following settings and configurations:
The following table lists common capabilities required for header-based authenti
|Requirement |Description| |-|--|
-|Federated SSO |In pre-authenticated mode, all applications are protected with Azure AD authentication and enable users to have single sign-on. |
+|Federated SSO |In pre-authenticated mode, all applications are protected with Microsoft Entra authentication and enable users to have single sign-on. |
|Remote access |Application Proxy enables remote access to the app. Users can access the application from the internet on any browser using the External URL. Application Proxy is not intended for corporate access use. |
-|Header-based integration |Application Proxy does the SSO integration with Azure AD and then passes identity or other application data as HTTP headers to the application. |
-|Application authorization |Common policies can be specified based on the application being accessed, the userΓÇÖs group membership and other policies. In Azure AD, policies are implemented using [Conditional Access](../conditional-access/overview.md). Application authorization policies only apply to the initial authentication request. |
+|Header-based integration |Application Proxy does the SSO integration with Microsoft Entra ID and then passes identity or other application data as HTTP headers to the application. |
+|Application authorization |Common policies can be specified based on the application being accessed, the userΓÇÖs group membership and other policies. In Microsoft Entra ID, policies are implemented using [Conditional Access](../conditional-access/overview.md). Application authorization policies only apply to the initial authentication request. |
|Step-up authentication |Policies can be defined to force added authentication, for example, to gain access to sensitive resources. | |Fine grained authorization |Provides access control at the URL level. Added policies can be enforced based on the URL being accessed. The internal URL configured for the app, defines the scope of app that the policy is applied to. The policy configured for the most granular path is enforced. | > [!NOTE]
-> This article features connecting header-based authentication applications to Azure AD using Application Proxy and is the recommended pattern. As an alternative, there is also an integration pattern that uses PingAccess with Azure AD to enable header-based authentication. For more details, see [Header-based authentication for single sign-on with Application Proxy and PingAccess](application-proxy-ping-access-publishing-guide.md).
+> This article features connecting header-based authentication applications to Microsoft Entra ID using Application Proxy and is the recommended pattern. As an alternative, there is also an integration pattern that uses PingAccess with Microsoft Entra ID to enable header-based authentication. For more details, see [Header-based authentication for single sign-on with Application Proxy and PingAccess](application-proxy-ping-access-publishing-guide.md).
## How it works :::image type="content" source="./media/application-proxy-configure-single-sign-on-with-headers/how-it-works-updated.png" alt-text="How header-based single sign-on works with Application Proxy." lightbox="./media/application-proxy-configure-single-sign-on-with-headers/how-it-works-updated.png"::: 1. The Admin customizes the attribute mappings required by the application in the Microsoft Entra admin center.
-2. When a user accesses the app, Application Proxy ensures the user is authenticated by Azure AD
+2. When a user accesses the app, Application Proxy ensures the user is authenticated by Microsoft Entra ID
3. The Application Proxy cloud service is aware of the attributes required. So the service fetches the corresponding claims from the ID token received during authentication. The service then translates the values into the required HTTP headers as part of the request to the Connector. 4. The request is then passed along to the Connector, which is then passed to the backend application. 5. The application receives the headers and can use these headers as needed.
The following table lists common capabilities required for header-based authenti
- The Internal URL value determines the scope of the application. If you configure Internal URL value at the root path of the application, then all sub paths underneath the root will receive the same header configuration and other application configuration. - Create a new application to set a different header configuration or user assignment for a more granular path than the application you configured. In the new application, configure the internal URL with the specific path you require and then configure the specific headers needed for this URL. Application Proxy will always match your configuration settings to the most granular path set for an application.
-2. Select **Azure Active Directory** as the **pre-authentication method**.
+2. Select **Microsoft Entra ID** as the **pre-authentication method**.
3. Assign a test user by navigating to **Users and groups** and assigning the appropriate users and groups. 4. Open a browser and navigate to the **External URL** from the Application Proxy settings. 5. Verify that you can connect to the application. Even though you can connect, you can't access the app yet since the headers aren't configured. ## Configure single sign-on
-Before you get started with single sign-on for header-based applications, you should have already installed an Application Proxy connector and the connector can access the target applications. If not, follow the steps in [Tutorial: Azure AD Application Proxy](application-proxy-add-on-premises-application.md) then come back here.
+Before you get started with single sign-on for header-based applications, you should have already installed an Application Proxy connector and the connector can access the target applications. If not, follow the steps in [Tutorial: Microsoft Entra application proxy](application-proxy-add-on-premises-application.md) then come back here.
1. After your application appears in the list of enterprise applications, select it, and selectΓÇ»**Single sign-on**. 2. Set the single sign-on mode to **Header-based**.
-3. In Basic Configuration, **Azure Active Directory**, will be selected as the default.
+3. In Basic Configuration, **Microsoft Entra ID**, will be selected as the default.
4. Select the edit pencil, in Headers to configure headers to send to the application. 5. Select **Add new header**. Provide a **Name** for the header and select either **Attribute** or **Transformation** and select from the drop-down which header your application needs. - To learn more about the list of attribute available, see [Claims Customizations- Attributes](../develop/saml-claims-customization.md#attributes).
active-directory Application Proxy Configure Single Sign On With Kcd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-single-sign-on-with-kcd.md
Title: Kerberos-based single sign-on (SSO) in Azure Active Directory with Application Proxy
-description: Covers how to provide single sign-on using Azure Active Directory Application Proxy.
+ Title: Kerberos-based single sign-on (SSO) in Microsoft Entra ID with Application Proxy
+description: Covers how to provide single sign-on using Microsoft Entra application proxy.
You can enable single sign-on to your applications using integrated Windows auth
## How single sign-on with KCD works This diagram explains the flow when a user attempts to access an on premises application that uses IWA.
-![Microsoft AAD authentication flow diagram](./media/application-proxy-configure-single-sign-on-with-kcd/authdiagram.png)
+![Microsoft Entra authentication flow diagram](./media/application-proxy-configure-single-sign-on-with-kcd/authdiagram.png)
1. The user enters the URL to access the on premises application through Application Proxy.
-2. Application Proxy redirects the request to Azure AD authentication services to preauthenticate. At this point, Azure AD applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Azure AD creates a token and sends it to the user.
+2. Application Proxy redirects the request to Microsoft Entra authentication services to preauthenticate. At this point, Microsoft Entra ID applies any applicable authentication and authorization policies, such as multifactor authentication. If the user is validated, Microsoft Entra ID creates a token and sends it to the user.
3. The user passes the token to Application Proxy. 4. Application Proxy validates the token and retrieves the User Principal Name (UPN) from it, and then the Connector pulls the UPN, and the Service Principal Name (SPN) through a dually authenticated secure channel. 5. The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on premises AD, impersonating the user to get a Kerberos token to the application.
The Active Directory configuration varies, depending on whether your Application
``` ## Configure single sign-on
-1. Publish your application according to the instructions described in [Publish applications with Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md). Make sure to select **Azure Active Directory** as the **Preauthentication Method**.
+1. Publish your application according to the instructions described in [Publish applications with Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md). Make sure to select **Microsoft Entra ID** as the **Preauthentication Method**.
2. After your application appears in the list of enterprise applications, select it and click **Single sign-on**. 3. Set the single sign-on mode to **Integrated Windows authentication**. 4. Enter the **Internal Application SPN** of the application server. In this example, the SPN for our published application is `http/www.contoso.com`. This SPN needs to be in the list of services to which the connector can present delegated credentials.
The Active Directory configuration varies, depending on whether your Application
## SSO for non-Windows apps
-The Kerberos delegation flow in Azure AD Application Proxy starts when Azure AD authenticates the user in the cloud. Once the request arrives on-premises, the Azure AD Application Proxy connector issues a Kerberos ticket on behalf of the user by interacting with the local Active Directory. This process is referred to as Kerberos Constrained Delegation (KCD).
+The Kerberos delegation flow in Microsoft Entra application proxy starts when Microsoft Entra authenticates the user in the cloud. Once the request arrives on-premises, the Microsoft Entra application proxy connector issues a Kerberos ticket on behalf of the user by interacting with the local Active Directory. This process is referred to as Kerberos Constrained Delegation (KCD).
In the next phase, a request is sent to the backend application with this Kerberos ticket.
-There are several mechanisms that define how to send the Kerberos ticket in such requests. Most non-Windows servers expect to receive it in form of SPNEGO token. This mechanism is supported on Azure AD Application Proxy, but is disabled by default. A connector can be configured for SPNEGO or standard Kerberos token, but not both.
+There are several mechanisms that define how to send the Kerberos ticket in such requests. Most non-Windows servers expect to receive it in form of SPNEGO token. This mechanism is supported on Microsoft Entra application proxy, but is disabled by default. A connector can be configured for SPNEGO or standard Kerberos token, but not both.
If you configure a connector machine for SPNEGO, make sure that all other connectors in that Connector group are also configured with SPNEGO. Applications expecting standard Kerberos token should be routed through other connectors that are not configured for SPNEGO. Some web applications accept both formats without requiring any change in configuration.
If delegated login identity is used, the value might not be unique across all th
If **On-premises SAM account name** is used for the logon identity, the computer hosting the connector must be added to the domain in which the user account is located. ### Configure SSO for different identities
-1. Configure Azure AD Connect settings so the main identity is the email address (mail). This is done as part of the customize process, by changing the **User Principal Name** field in the sync settings. These settings also determine how users log in to Office365, Windows10 devices, and other applications that use Azure AD as their identity store.
+1. Configure Microsoft Entra Connect settings so the main identity is the email address (mail). This is done as part of the customize process, by changing the **User Principal Name** field in the sync settings. These settings also determine how users log in to Office365, Windows10 devices, and other applications that use Microsoft Entra ID as their identity store.
![Identifying users screenshot - User Principal Name dropdown](./media/application-proxy-configure-single-sign-on-with-kcd/app_proxy_sso_diff_id_connect_settings.png) 2. In the Application Configuration settings for the application you would like to modify, select the **Delegated Login Identity** to be used:
active-directory Application Proxy Connectivity No Working Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connectivity-no-working-connector.md
Title: No working connector group found for an Azure Active Directory Application Proxy app
-description: Address problems you might encounter when there is no working Connector in a Connector Group for your application with the Azure Active Directory Application Proxy
+ Title: No working connector group found for a Microsoft Entra application proxy app
+description: Address problems you might encounter when there is no working Connector in a Connector Group for your application with the Microsoft Entra application proxy
# No working connector group found for an Application Proxy application
-This article helps to resolve the common issues faced when there is not a connector detected for an Application Proxy application integrated with Azure Active Directory.
+This article helps to resolve the common issues faced when there is not a connector detected for an Application Proxy application integrated with Microsoft Entra ID.
## Overview of steps If there is no working Connector in a Connector Group for your application, there are a few ways to resolve the problem:
To figure out the issue, open the ΓÇ£Application ProxyΓÇ¥ menu in your Applicati
![Connector group selection in Microsoft Entra admin center](./media/application-proxy-connectivity-no-working-connector/no-active-connector.png)
-For details on each of these options, see the corresponding section below. The instructions assume that you are starting from the Connector management page. If you are looking at the error message above, you can go to this page by clicking on the warning message. You can also get to the page by going to **Azure Active Directory**, clicking on **Enterprise Applications**, then **Application Proxy.**
+For details on each of these options, see the corresponding section below. The instructions assume that you are starting from the Connector management page. If you are looking at the error message above, you can go to this page by clicking on the warning message. You can also get to the page by going to **Microsoft Entra ID**, clicking on **Enterprise Applications**, then **Application Proxy.**
![Connector group management in Microsoft Entra admin center](./media/application-proxy-connectivity-no-working-connector/app-proxy.png)
If the only Connectors in the group are inactive, they are likely on a machine t
see the ports Troubleshoot document for details on investigating this problem. ## Next steps
-[Understand Azure AD Application Proxy connectors](application-proxy-connectors.md)
--
+[Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md)
active-directory Application Proxy Connector Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-groups.md
Title: Publish apps on separate networks via connector groups
-description: Covers how to create and manage groups of connectors in Azure Active Directory Application Proxy.
+description: Covers how to create and manage groups of connectors in Microsoft Entra application proxy.
# Publish applications on separate networks and locations using connector groups
-Customers utilize Azure AD's Application Proxy for more scenarios and applications. So we've made App Proxy even more flexible by enabling more topologies. You can create Application Proxy connector groups so that you can assign specific connectors to serve specific applications. This capability gives you more control and ways to optimize your Application Proxy deployment.
+Customers utilize Microsoft Entra application proxy for more scenarios and applications. So we've made App Proxy even more flexible by enabling more topologies. You can create Application Proxy connector groups so that you can assign specific connectors to serve specific applications. This capability gives you more control and ways to optimize your Application Proxy deployment.
Each Application Proxy connector is assigned to a connector group. All the connectors that belong to the same connector group act as a separate unit for high-availability and load balancing. All connectors belong to a connector group. If you don't create groups, then all your connectors are in a default group. Your admin can create new groups and assign connectors to them in the Microsoft Entra admin center.
For applications installed on IaaS for cloud access, connector groups provide a
Take as an example an organization that has several virtual machines connected to their own IaaS hosted virtual network. To allow employees to use these applications, these private networks are connected to the corporate network using site-to-site VPN. This provides a good experience for employees that are located on-premises. But, it may not be ideal for remote employees, because it requires additional on-premises infrastructure to route access, as you can see in the diagram below:
-![Diagram that illustrates the Azure AD IaaS network](./media/application-proxy-connector-groups/application-proxy-iaas-network.png)
+![Diagram that illustrates the Microsoft Entra IaaS network](./media/application-proxy-connector-groups/application-proxy-iaas-network.png)
-With Azure AD Application Proxy connector groups, you can enable a common service to secure the access to all applications without creating additional dependency on your corporate network:
+With Microsoft Entra application proxy connector groups, you can enable a common service to secure the access to all applications without creating additional dependency on your corporate network:
-![Azure AD IaaS Multiple Cloud Vendors](./media/application-proxy-connector-groups/application-proxy-multiple-cloud-vendors.png)
+![Microsoft Entra IaaS Multiple Cloud Vendors](./media/application-proxy-connector-groups/application-proxy-multiple-cloud-vendors.png)
### Multi-forest ΓÇô different connector groups for each forest Most customers who have deployed Application Proxy are using its single-sign-on (SSO) capabilities by performing Kerberos Constrained Delegation (KCD). To achieve this, the connectorΓÇÖs machines need to be joined to a domain that can delegate the users toward the application. KCD supports cross-forest capabilities. But for companies who have distinct multi-forest environments with no trust between them, a single connector cannot be used for all forests.
-In this case, specific connectors can be deployed per forest, and set to serve applications that were published to serve only the users of that specific forest. Each connector group represents a different forest. While the tenant and most of the experience is unified for all forests, users can be assigned to their forest applications using Azure AD groups.
+In this case, specific connectors can be deployed per forest, and set to serve applications that were published to serve only the users of that specific forest. Each connector group represents a different forest. While the tenant and most of the experience is unified for all forests, users can be assigned to their forest applications using Microsoft Entra groups.
### Disaster Recovery sites There are two different approaches you can take with a disaster recovery (DR) site, depending on how your sites are implemented:
-* If your DR site is built in active-active mode where it is exactly like the main site and has the same networking and AD settings, you can create the connectors on the DR site in the same connector group as the main site. This enables Azure AD to detect failovers for you.
+* If your DR site is built in active-active mode where it is exactly like the main site and has the same networking and AD settings, you can create the connectors on the DR site in the same connector group as the main site. This enables Microsoft Entra ID to detect failovers for you.
* If your DR site is separate from the main site, you can create a different connector group in the DR site, and either 1) have backup applications or 2) manually divert the existing application to the DR connector group as needed. ### Serve multiple companies from a single tenant
-There are many different ways to implement a model in which a single service provider deploys and maintains Azure AD related services for multiple companies. Connector groups help the admin segregate the connectors and applications into different groups. One way, which is suitable for small companies, is to have a single Azure AD tenant while the different companies have their own domain name and networks. This is also true for M&A scenarios and situations where a single IT division serves several companies for regulatory or business reasons.
+There are many different ways to implement a model in which a single service provider deploys and maintains Microsoft Entra ID related services for multiple companies. Connector groups help the admin segregate the connectors and applications into different groups. One way, which is suitable for small companies, is to have a single Microsoft Entra tenant while the different companies have their own domain name and networks. This is also true for M&A scenarios and situations where a single IT division serves several companies for regulatory or business reasons.
## Sample configurations
Some examples that you can implement, include the following connector groups.
If you donΓÇÖt use connector groups, your configuration would look like this:
-![Example Azure AD No Connector Groups](./media/application-proxy-connector-groups/application-proxy-sample-config-1.png)
+![Example Microsoft Entra No Connector Groups](./media/application-proxy-connector-groups/application-proxy-sample-config-1.png)
This configuration is sufficient for small deployments and tests. It will also work well if your organization has a flat network topology.
This configuration is sufficient for small deployments and tests. It will also w
This configuration is an evolution of the default one, in which there is a specific app that runs in an isolated network such as IaaS virtual network:
-![Example Azure AD No Connector Groups and an isolated network](./media/application-proxy-connector-groups/application-proxy-sample-config-2.png)
+![Example Microsoft Entra No Connector Groups and an isolated network](./media/application-proxy-connector-groups/application-proxy-sample-config-2.png)
### Recommended configuration ΓÇô several specific groups and a default group for idle
In the example below, the company has two datacenters, A and B, with two connect
## Next steps
-[Understand Azure AD Application Proxy connectors](application-proxy-connectors.md)
+[Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md)
[Enable single-sign on](../manage-apps/what-is-single-sign-on.md)
active-directory Application Proxy Connector Installation Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-installation-problem.md
Title: Problem installing the Azure Active Directory Application Proxy Agent Connector
-description: How to troubleshoot issues you might face when installing the Application Proxy Agent Connector for Azure Active Directory.
+ Title: Problem installing the Microsoft Entra application proxy Agent Connector
+description: How to troubleshoot issues you might face when installing the Application Proxy Agent Connector for Microsoft Entra ID.
# Problem installing the Application Proxy Agent Connector
-Microsoft Azure Active Directory Application Proxy Connector is an internal domain component that uses outbound connections to establish the connectivity from the cloud available endpoint to the internal domain.
+Microsoft Entra application proxy Connector is an internal domain component that uses outbound connections to establish the connectivity from the cloud available endpoint to the internal domain.
## General Problem Areas with Connector installation When the installation of a connector fails, the root cause is usually one of the following areas. **As a precursor to any troubleshooting, be sure to reboot the connector.**
-1. **Connectivity** ΓÇô to complete a successful installation, the new connector needs to register and establish future trust properties. This is done by connecting to the Azure Active Directory Application Proxy cloud service.
+1. **Connectivity** ΓÇô to complete a successful installation, the new connector needs to register and establish future trust properties. This is done by connecting to the Microsoft Entra application proxy cloud service.
2. **Trust Establishment** ΓÇô the new connector creates a self-signed cert and registers to the cloud service.
Import-module AppProxyPSModule
Register-AppProxyConnector ```
-To learn more about the Register-AppProxyConnector command, please see [Create an unattended installation script for the Azure AD Application Proxy connector](./application-proxy-register-connector-powershell.md)
+To learn more about the Register-AppProxyConnector command, please see [Create an unattended installation script for the Microsoft Entra application proxy connector](./application-proxy-register-connector-powershell.md)
## Verify admin is used to install the connector
To learn more about the Register-AppProxyConnector command, please see [Create a
**To verify the credentials are correct:**
-Connect to `https://login.microsoftonline.com` and use the same credentials. Make sure the login is successful. You can check the user role by going to **Azure Active Directory** -&gt; **Users and Groups** -&gt; **All Users**.
+Connect to `https://login.microsoftonline.com` and use the same credentials. Make sure the login is successful. You can check the user role by going to **Microsoft Entra ID** -&gt; **Users and Groups** -&gt; **All Users**.
Select your user account, then "Directory Role" in the resulting menu. Verify that the selected role is "Application Administrator". If you are unable to access any of the pages along these steps, you do not have the required role. ## Next steps
-[Understand Azure AD Application Proxy connectors](application-proxy-connectors.md)
+[Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md)
active-directory Application Proxy Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connectors.md
Title: Understand Azure Active Directory Application Proxy connectors
-description: Learn about the Azure Active Directory Application Proxy connectors.
+ Title: Understand Microsoft Entra application proxy connectors
+description: Learn about the Microsoft Entra application proxy connectors.
-# Understand Azure AD Application Proxy connectors
+# Understand Microsoft Entra application proxy connectors
-Connectors are what make Azure AD Application Proxy possible. They're simple, easy to deploy and maintain, and super powerful. This article discusses what connectors are, how they work, and some suggestions for how to optimize your deployment.
+Connectors are what make Microsoft Entra application proxy possible. They're simple, easy to deploy and maintain, and super powerful. This article discusses what connectors are, how they work, and some suggestions for how to optimize your deployment.
## What is an Application Proxy connector?
-Connectors are lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. Connectors must be installed on a Windows Server that has access to the backend application. You can organize connectors into connector groups, with each group handling traffic to specific applications. For more information on Application proxy and a diagrammatic representation of application proxy architecture see [Using Azure AD Application Proxy to publish on-premises apps for remote users](what-is-application-proxy.md#application-proxy-connectors)
+Connectors are lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. Connectors must be installed on a Windows Server that has access to the backend application. You can organize connectors into connector groups, with each group handling traffic to specific applications. For more information on Application proxy and a diagrammatic representation of application proxy architecture see [Using Microsoft Entra application proxy to publish on-premises apps for remote users](what-is-application-proxy.md#application-proxy-connectors)
## Requirements and deployment
Connectors also poll the server to find out whether there is a newer version of
You can monitor your connectors from the machine they are running on, using either the event log and performance counters. Or you can view their status from the Application Proxy page of the Microsoft Entra admin center:
-![Example: Azure AD Application Proxy connectors](./media/application-proxy-connectors/app-proxy-connectors.png)
+![Example: Microsoft Entra application proxy connectors](./media/application-proxy-connectors/app-proxy-connectors.png)
You don't have to manually delete connectors that are unused. When a connector is running, it remains active as it connects to the service. Unused connectors are tagged as _inactive_ and are removed after 10 days of inactivity. If you do want to uninstall a connector, though, uninstall both the Connector service and the Updater service from the server. Restart your computer to fully remove the service. ## Automatic updates
-Azure AD provides automatic updates for all the connectors that you deploy. As long as the Application Proxy Connector Updater service is running, your connectors [update with the latest major connector release](application-proxy-faq.yml#why-is-my-connector-still-using-an-older-version-and-not-auto-upgraded-to-latest-version-) automatically. If you donΓÇÖt see the Connector Updater service on your server, you need to [reinstall your connector](application-proxy-add-on-premises-application.md) to get any updates.
+Microsoft Entra ID provides automatic updates for all the connectors that you deploy. As long as the Application Proxy Connector Updater service is running, your connectors [update with the latest major connector release](application-proxy-faq.yml#why-is-my-connector-still-using-an-older-version-and-not-auto-upgraded-to-latest-version-) automatically. If you donΓÇÖt see the Connector Updater service on your server, you need to [reinstall your connector](application-proxy-add-on-premises-application.md) to get any updates.
If you don't want to wait for an automatic update to come to your connector, you can do a manual upgrade. Go to the [connector download page](https://download.msappproxy.net/subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/connector/download) on the server where your connector is located and select **Download**. This process kicks off an upgrade for the local connector.
Another factor that affects performance is the quality of the networking between
- **The backend applications**: In some cases, there are additional proxies between the connector and the backend applications that can slow or prevent connections. To troubleshoot this scenario, open a browser from the connector server and try to access the application. If you run the connectors in Azure but the applications are on-premises, the experience might not be what your users expect. - **The domain controllers**: If the connectors perform single sign-on (SSO) using Kerberos Constrained Delegation, they contact the domain controllers before sending the request to the backend. The connectors have a cache of Kerberos tickets, but in a busy environment the responsiveness of the domain controllers can affect performance. This issue is more common for connectors that run in Azure but communicate with domain controllers that are on-premises.
-For more information about optimizing your network, see [Network topology considerations when using Azure Active Directory Application Proxy](application-proxy-network-topology.md).
+For more information about optimizing your network, see [Network topology considerations when using Microsoft Entra application proxy](application-proxy-network-topology.md).
## Domain joining
To provide a secure service, connectors have to authenticate toward the service,
The certificates used are specific to the Application Proxy service. They get created during the initial registration and are automatically renewed by the connectors every couple of months.
-After the first successful certificate renewal the Azure AD Application Proxy Connector service (Network Service) has no permission to remove the old certificate from the local machine store. If the certificate has expired or it won't be used by the service anymore, you can delete it safely.
+After the first successful certificate renewal the Microsoft Entra application proxy Connector service (Network Service) has no permission to remove the old certificate from the local machine store. If the certificate has expired or it won't be used by the service anymore, you can delete it safely.
To avoid problems with the certificate renewal, ensure that the network communication from the connector towards the [documented destinations](./application-proxy-add-on-premises-application.md#prepare-your-on-premises-environment) is enabled.
To see the logs, open **Event Viewer** and go to **Applications and Services Log
You can examine the state of the service in the Services window. The connector is made up of two Windows
- ![Example: Services window showing Azure AD services local](./media/application-proxy-connectors/aad-connector-services.png)
+ ![Example: Services window showing Microsoft Entra services local](./media/application-proxy-connectors/aad-connector-services.png)
## Next steps - [Publish applications on separate networks and locations using connector groups](application-proxy-connector-groups.md) - [Work with existing on-premises proxy servers](./application-proxy-configure-connectors-with-proxy-servers.md) - [Troubleshoot Application Proxy and connector errors](./application-proxy-troubleshoot.md)-- [How to silently install the Azure AD Application Proxy Connector](./application-proxy-register-connector-powershell.md)
+- [How to silently install the Microsoft Entra application proxy Connector](./application-proxy-register-connector-powershell.md)
active-directory Application Proxy Debug Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-debug-apps.md
Title: Debug Application Proxy applications
-description: Debug issues with Azure Active Directory (Azure AD) Application Proxy applications.
+description: Debug issues with Microsoft Entra application proxy applications.
# Debug Application Proxy application issues
-This article helps you troubleshoot issues with Azure Active Directory (Azure AD) Application Proxy applications. If you're using the Application Proxy service for remote access to an on-premises web application, but you're having trouble connecting to the application, use this flowchart to debug application issues.
+This article helps you troubleshoot issues with Microsoft Entra application proxy applications. If you're using the Application Proxy service for remote access to an on-premises web application, but you're having trouble connecting to the application, use this flowchart to debug application issues.
## Before you begin
This flowchart walks you through the steps for debugging some of the more common
|3 | Open a browser and try to access the app | If an error appears immediately, check to see that Application Proxy is configured correctly. For details about specific error messages, see [Troubleshoot Application Proxy problems and error messages](application-proxy-troubleshoot.md). | |4 | Check your custom domain setup or troubleshoot the error | If the page doesn't display at all, make sure your custom domain is configured correctly by reviewing [Working with custom domains](application-proxy-configure-custom-domain.md).<br></br>If the page doesn't load and an error message appears, troubleshoot the error by referring to [Troubleshoot Application Proxy problems and error messages](application-proxy-troubleshoot.md). <br></br>If it takes longer than 20 seconds for an error message to appear, there could be connectivity issue. Go to the [Debug Application Proxy connectors](application-proxy-debug-connectors.md) troubleshooting article. | |5 | If issues persist, go to connector debugging | There could be a connectivity issue between the proxy and the connector or between the connector and the back end. Go to the [Debug Application Proxy connectors](application-proxy-debug-connectors.md) troubleshooting article. |
-|6 | Publish all resources, check browser developer tools, and fix links | Make sure the publishing path includes all the necessary images, scripts, and style sheets for your application. For details, see [Add an on-premises app to Azure AD](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). <br></br>Use the browser's developer tools (F12 tools in Internet Explorer or Microsoft Edge) and check for publishing issues as described in [Application page does not display correctly](application-proxy-page-appearance-broken-problem.md). <br></br>Review options for resolving broken links in [Links on the page don't work](application-proxy-page-links-broken-problem.md). |
+|6 | Publish all resources, check browser developer tools, and fix links | Make sure the publishing path includes all the necessary images, scripts, and style sheets for your application. For details, see [Add an on-premises app to Microsoft Entra ID](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). <br></br>Use the browser's developer tools (F12 tools in Internet Explorer or Microsoft Edge) and check for publishing issues as described in [Application page does not display correctly](application-proxy-page-appearance-broken-problem.md). <br></br>Review options for resolving broken links in [Links on the page don't work](application-proxy-page-links-broken-problem.md). |
|7 | Check for network latency | If the page loads slowly, learn about ways to minimize network latency in [Considerations for reducing latency](application-proxy-network-topology.md#considerations-for-reducing-latency). | |8 | See additional troubleshooting help | If issues persist, find additional troubleshooting articles in the [Application Proxy troubleshooting documentation](application-proxy-troubleshoot.md). |
This flowchart walks you through the steps for debugging some of the more common
* [Publish applications on separate networks and locations using connector groups](application-proxy-connector-groups.md) * [Work with existing on-premises proxy servers](application-proxy-configure-connectors-with-proxy-servers.md) * [Troubleshoot Application Proxy and connector errors](application-proxy-troubleshoot.md)
-* [How to silently install the Azure AD Application Proxy Connector](application-proxy-register-connector-powershell.md)
+* [How to silently install the Microsoft Entra application proxy Connector](application-proxy-register-connector-powershell.md)
active-directory Application Proxy Debug Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-debug-connectors.md
Title: Debug Application Proxy connectors
-description: Debug issues with Azure Active Directory (Azure AD) Application Proxy connectors.
+description: Debug issues with Microsoft Entra application proxy connectors.
# Debug Application Proxy connector issues
-This article helps you troubleshoot issues with Azure Active Directory (Azure AD) Application Proxy connectors. If you're using the Application Proxy service for remote access to an on-premises web application, but you're having trouble connecting to the application, use this flowchart to debug connector issues.
+This article helps you troubleshoot issues with Microsoft Entra application proxy connectors. If you're using the Application Proxy service for remote access to an on-premises web application, but you're having trouble connecting to the application, use this flowchart to debug connector issues.
## Before you begin
This flowchart walks you through the steps for debugging some of the more common
|6 | Update the connector and updater to use the back-end proxy | If a back-end proxy is in use, you'll want to make sure the connector is using the same proxy. For details about troubleshooting and configuring connectors to work with proxy servers, see [Work with existing on-premises proxy servers](application-proxy-configure-connectors-with-proxy-servers.md). | |7 | Load the app's internal URL on the connector server | On the connector server, load the app's internal URL. | |8 | Check internal network connectivity | There's a connectivity issue in your internal network that this debugging flow is unable to diagnose. The application must be accessible internally for the connectors to work. You can enable and view connector event logs as described in [Application Proxy connectors](application-proxy-connectors.md#under-the-hood). |
-|9 | Lengthen the time-out value on the back end | In the **Additional Settings** for your application, change the **Backend Application Timeout** setting to **Long**. See [Add an on-premises app to Azure AD](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). |
+|9 | Lengthen the time-out value on the back end | In the **Additional Settings** for your application, change the **Backend Application Timeout** setting to **Long**. See [Add an on-premises app to Microsoft Entra ID](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). |
|10 | If issues persist, target specific flow issues, review app and SSO debugging flows | Use the [Debug Application Proxy application issues](application-proxy-debug-apps.md) troubleshooting flow. | ## Next steps
This flowchart walks you through the steps for debugging some of the more common
* [Publish applications on separate networks and locations using connector groups](application-proxy-connector-groups.md) * [Work with existing on-premises proxy servers](application-proxy-configure-connectors-with-proxy-servers.md) * [Troubleshoot Application Proxy and connector errors](application-proxy-troubleshoot.md)
-* [How to silently install the Azure AD Application Proxy Connector](application-proxy-register-connector-powershell.md)
+* [How to silently install the Microsoft Entra application proxy Connector](application-proxy-register-connector-powershell.md)
active-directory Application Proxy Deployment Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-deployment-plan.md
Title: Plan an Azure Active Directory Application Proxy Deployment
+ Title: Plan a Microsoft Entra application proxy Deployment
description: An end-to-end guide for planning the deployment of Application proxy within your organization
Last updated 09/14/2023
-# Plan an Azure AD Application Proxy deployment
+# Plan a Microsoft Entra application proxy deployment
-Azure Active Directory (Azure AD) Application Proxy is a secure and cost-effective remote access solution for on-premises applications. It provides an immediate transition path for ΓÇ£Cloud FirstΓÇ¥ organizations to manage access to legacy on-premises applications that arenΓÇÖt yet capable of using modern protocols. For additional introductory information, see [What is Application Proxy](./application-proxy.md).
+Microsoft Entra application proxy is a secure and cost-effective remote access solution for on-premises applications. It provides an immediate transition path for ΓÇ£Cloud FirstΓÇ¥ organizations to manage access to legacy on-premises applications that arenΓÇÖt yet capable of using modern protocols. For additional introductory information, see [What is Application Proxy](./application-proxy.md).
Application Proxy is recommended for giving remote users access to internal resources. Application Proxy replaces the need for a VPN or reverse proxy for these remote access use cases. It is not intended for users who are on the corporate network. These users who use Application Proxy for intranet access may experience undesirable performance issues.
-This article includes the resources you need to plan, operate, and manage Azure AD Application Proxy.
+This article includes the resources you need to plan, operate, and manage Microsoft Entra application proxy.
## Plan your implementation
You need to meet the following prerequisites before beginning your implementatio
* A VM hosted within any hypervisor solution * A VM hosted in Azure to enable outbound connection to the Application Proxy service.
-* See [Understand Azure AD App Proxy Connectors](application-proxy-connectors.md) for a more detailed overview.
+* See [Understand Microsoft Entra application proxy Connectors](application-proxy-connectors.md) for a more detailed overview.
* Connector machines must [be enabled for TLS 1.2](application-proxy-add-on-premises-application.md) before installing the connectors. * If possible, deploy connectors in the [same network](application-proxy-network-topology.md) and segment as the back-end web application servers. It's best to deploy connectors after you complete a discovery of applications. * We recommend that each connector group has at least two connectors to provide high availability and scale. Having three connectors is optimal in case you may need to service a machine at any point. Review the [connector capacity table](./application-proxy-connectors.md#capacity-planning) to help with deciding what type of machine to install connectors on. The larger the machine the more buffer and performant the connector will be.
-* **Network access settings**: Azure AD Application Proxy connectors [connect to Azure via HTTPS (TCP Port 443) and HTTP (TCP Port 80)](application-proxy-add-on-premises-application.md).
+* **Network access settings**: Microsoft Entra application proxy connectors [connect to Azure via HTTPS (TCP Port 443) and HTTP (TCP Port 80)](application-proxy-add-on-premises-application.md).
* Terminating connector TLS traffic isn't supported and will prevent connectors from establishing a secure channel with their respective Azure App Proxy endpoints.
You need to meet the following prerequisites before beginning your implementatio
* Load balancing of the connectors themselves is also not supported, or even necessary.
-### Important considerations before configuring Azure AD Application Proxy
+<a name='important-considerations-before-configuring-azure-ad-application-proxy'></a>
-The following core requirements must be met in order to configure and implement Azure AD Application Proxy.
+### Important considerations before configuring Microsoft Entra application proxy
-* **Azure onboarding**: Before deploying application proxy, user identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants. Identity synchronization allows Azure AD to pre-authenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
+The following core requirements must be met in order to configure and implement Microsoft Entra application proxy.
-* **Conditional Access requirements**: We do not recommend using Application Proxy for intranet access because this adds latency that will impact users. We recommend using Application Proxy with pre-authentication and Conditional Access policies for remote access from the internet. An approach to provide Conditional Access for intranet use is to modernize applications so they can directly authenticate with AAD. Refer to [Resources for migrating applications to AAD](../manage-apps/migration-resources.md) for more information.
+* **Azure onboarding**: Before deploying application proxy, user identities must be synchronized from an on-premises directory or created directly within your Microsoft Entra tenants. Identity synchronization allows Microsoft Entra ID to pre-authenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).
-* **Service limits**: To protect against overconsumption of resources by individual tenants there are throttling limits set per application and tenant. To see these limits refer to [Azure AD service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md). These throttling limits are based on a benchmark far above typical usage volume and provides ample buffer for a majority of deployments.
+* **Conditional Access requirements**: We do not recommend using Application Proxy for intranet access because this adds latency that will impact users. We recommend using Application Proxy with pre-authentication and Conditional Access policies for remote access from the internet. An approach to provide Conditional Access for intranet use is to modernize applications so they can directly authenticate with Microsoft Entra ID. Refer to [Resources for migrating applications to Microsoft Entra ID](../manage-apps/migration-resources.md) for more information.
-* **Public certificate**: If you are using custom domain names, you must procure a TLS/SSL certificate. Depending on your organizational requirements, getting a certificate can take some time and we recommend beginning the process as early as possible. Azure Application Proxy supports standard, [wildcard](application-proxy-wildcard.md), or SAN-based certificates. For more details see [Configure custom domains with Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
+* **Service limits**: To protect against overconsumption of resources by individual tenants there are throttling limits set per application and tenant. To see these limits refer to [Microsoft Entra service limits and restrictions](../enterprise-users/directory-service-limits-restrictions.md). These throttling limits are based on a benchmark far above typical usage volume and provides ample buffer for a majority of deployments.
+
+* **Public certificate**: If you are using custom domain names, you must procure a TLS/SSL certificate. Depending on your organizational requirements, getting a certificate can take some time and we recommend beginning the process as early as possible. Azure Application Proxy supports standard, [wildcard](application-proxy-wildcard.md), or SAN-based certificates. For more details see [Configure custom domains with Microsoft Entra application proxy](application-proxy-configure-custom-domain.md).
* **Domain requirements**: Single sign-on to your published applications using Kerberos Constrained Delegation (KCD) requires that the server running the Connector and the server running the app are domain joined and part of the same domain or trusting domains. For detailed information on the topic, see [KCD for single sign-on](application-proxy-configure-single-sign-on-with-kcd.md) with Application Proxy. The connector service runs in the context of the local system and should not be configured to use a custom identity.
For detailed information on the topic, see [KCD for single sign-on](application-
* **Administrative rights and roles**
- * **Connector installation** requires local admin rights to the Windows server that it's being installed on. It also requires a minimum of an *Application Administrator* role to authenticate and register the connector instance to your Azure AD tenant.
+ * **Connector installation** requires local admin rights to the Windows server that it's being installed on. It also requires a minimum of an *Application Administrator* role to authenticate and register the connector instance to your Microsoft Entra tenant.
* **Application publishing and administration** require the *Application Administrator* role. Application Administrators can manage all applications in the directory including registrations, SSO settings, user and group assignments and licensing, Application Proxy settings, and consent. It doesn't grant the ability to manage Conditional Access. The *Cloud Application Administrator* role has all the abilities of the Application Administrator, except that it does not allow management of Application Proxy settings.
-* **Licensing**: Application Proxy is available through an Azure AD Premium subscription. Refer to the [Azure Active Directory Pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) for a full list of licensing options and features.
+* **Licensing**: Application Proxy is available through a Microsoft Entra ID P1 or P2 subscription. Refer to the [Microsoft Entra pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) for a full list of licensing options and features.
### Application Discovery
The following are areas for which you should define your organizationΓÇÖs busine
**Access**
-* Remote users with domain-joined or Azure AD-joined devices can access published applications securely with seamless single sign-on (SSO).
+* Remote users with domain-joined or Microsoft Entra joined devices can access published applications securely with seamless single sign-on (SSO).
* Remote users with approved personal devices can securely access published applications provided they are enrolled in MFA and have registered the Microsoft Authenticator app on their mobile phone as an authentication method.
When you enable link translation for the Benefits app, the links to Expenses and
### Access your application
-Several options exist for managing access to App Proxy published resources, so choose the most appropriate for your given scenario and scalability needs. Common approaches include: using on-premises groups that are being synced via Azure AD Connect, creating Dynamic Groups in Azure AD based on user attributes, using self-service groups that are managed by a resource owner, or a combination of all of these. See the linked resources for the benefits of each.
+Several options exist for managing access to App Proxy published resources, so choose the most appropriate for your given scenario and scalability needs. Common approaches include: using on-premises groups that are being synced via Microsoft Entra Connect, creating Dynamic Groups in Microsoft Entra ID based on user attributes, using self-service groups that are managed by a resource owner, or a combination of all of these. See the linked resources for the benefits of each.
The most straight forward way of assigning users access to an application is going into the **Users and Groups** options from the left-hand pane of your published application and directly assigning groups or individuals.
You can also allow users to self-service access to your application by assigning
If enabled, users will then be able to log into the MyApps portal and request access, and either be auto approved and added to the already permitted self-service group, or need approval from a designated approver.
-Guest users can also be [invited to access internal applications published via Application Proxy through Azure AD B2B](../external-identities/add-users-information-worker.md).
+Guest users can also be [invited to access internal applications published via Application Proxy through Microsoft Entra B2B](../external-identities/add-users-information-worker.md).
For on premises applications that are normally accessible anonymously, requiring no authentication, you may prefer to disable the option located in the applicationΓÇÖs **Properties**. ![Picture 26](media/App-proxy-deployment-plan/assignment-required.png)
-Leaving this option set to No allows users to access the on-premises application via Azure AD App Proxy without permissions, so use with caution.
+Leaving this option set to No allows users to access the on-premises application via Microsoft Entra application proxy without permissions, so use with caution.
Once your application is published, it should be accessible by typing its external URL in a browser or by its icon at [https://myapps.microsoft.com](https://myapps.microsoft.com/).
Verify that your application is accessible through Application Proxy accessing i
2. Select **Application Proxy**.
-3. In the **Pre-Authentication** field, use the dropdown list to select **Azure Active Directory**, and select **Save**.
+3. In the **Pre-Authentication** field, use the dropdown list to select **Microsoft Entra ID**, and select **Save**.
-With pre-authentication enabled, Azure AD will challenge users first for authentication and if single sign-on is configured then the back-end application will also verify the user before access to the application is granted. Changing the pre-authentication mode from Passthrough to Azure AD also configures the external URL with HTTPS, so any application initially configured for HTTP will now be secured with HTTPS.
+With pre-authentication enabled, Microsoft Entra ID will challenge users first for authentication and if single sign-on is configured then the back-end application will also verify the user before access to the application is granted. Changing the pre-authentication mode from Passthrough to Microsoft Entra ID also configures the external URL with HTTPS, so any application initially configured for HTTP will now be secured with HTTPS.
### Enable Single Sign-On
-SSO provides the best possible user experience and security because users only need to sign in once when accessing Azure AD. Once a user has pre-authenticated, SSO is performed by the Application Proxy connector authenticating to the on-premises application, on behalf of the user. The backend application processes the login as if it were the user themselves.
+SSO provides the best possible user experience and security because users only need to sign in once when accessing Microsoft Entra ID. Once a user has pre-authenticated, SSO is performed by the Application Proxy connector authenticating to the on-premises application, on behalf of the user. The backend application processes the login as if it were the user themselves.
-Choosing the **Passthrough** option allows users to access the published application without ever having to authenticate to Azure AD.
+Choosing the **Passthrough** option allows users to access the published application without ever having to authenticate to Microsoft Entra ID.
-Performing SSO is only possible if Azure AD can identify the user requesting access to a resource, so your application must be configured to pre-authenticate users with Azure AD upon access for SSO to function, otherwise the SSO options will be disabled.
+Performing SSO is only possible if Microsoft Entra ID can identify the user requesting access to a resource, so your application must be configured to pre-authenticate users with Microsoft Entra ID upon access for SSO to function, otherwise the SSO options will be disabled.
-Read [Single sign-on to applications in Azure AD](../manage-apps/what-is-single-sign-on.md) to help you choose the most appropriate SSO method when configuring your applications.
+Read [Single sign-on to applications in Microsoft Entra ID](../manage-apps/what-is-single-sign-on.md) to help you choose the most appropriate SSO method when configuring your applications.
### Working with other types of applications
-Azure AD Application Proxy can also support applications that have been developed to use the [Microsoft Authentication Library (MSAL)](../develop/v2-overview.md). It supports native client apps by consuming Azure AD issued tokens received in the header information of client request to perform pre-authentication on behalf of the users.
+Microsoft Entra application proxy can also support applications that have been developed to use the [Microsoft Authentication Library (MSAL)](../develop/v2-overview.md). It supports native client apps by consuming Microsoft Entra ID issued tokens received in the header information of client request to perform pre-authentication on behalf of the users.
Read [publishing native and mobile client apps](./application-proxy-configure-native-client-application.md) and [claims-based applications](./application-proxy-configure-for-claims-aware-applications.md) to learn about available configurations of Application Proxy.
Read [publishing native and mobile client apps](./application-proxy-configure-na
Application security requires an advanced set of security capabilities that can protect from and respond to complex threats on-premises and in the cloud. Attackers most often gain corporate network access through weak, default, or stolen user credentials. Microsoft identity-driven security reduces use of stolen credentials by managing and protecting both privileged and non-privileged identities.
-The following capabilities can be used to support Azure AD Application Proxy:
+The following capabilities can be used to support Microsoft Entra application proxy:
* User and location-based Conditional Access: Keep sensitive data protected by limiting user access based on geo-location or an IP address with [location-based Conditional Access policies](../conditional-access/location-condition.md).
The following capabilities can be used to support Azure AD Application Proxy:
* Risk-based Conditional Access: Protect your data from malicious hackers with a [risk-based Conditional Access policy](https://www.microsoft.com/cloud-platform/conditional-access) that can be applied to all apps and all users, whether on-premises or in the cloud.
-* Azure AD My Apps: With your Application Proxy service deployed, and applications securely published, offer your users a simple hub to discover and access all their applications. Increase productivity with self-service capabilities, such as the ability to request access to new apps and groups or manage access to these resources on behalf of others, through [My Apps](https://aka.ms/AccessPanelDPDownload).
+* Microsoft Entra My Apps: With your Application Proxy service deployed, and applications securely published, offer your users a simple hub to discover and access all their applications. Increase productivity with self-service capabilities, such as the ability to request access to new apps and groups or manage access to these resources on behalf of others, through [My Apps](https://aka.ms/AccessPanelDPDownload).
## Manage your implementation ### Required roles
-Microsoft advocates the principle of granting the least possible privilege to perform needed tasks with Azure AD. [Review the different Azure roles that are available](../roles/permissions-reference.md) and choose the right one to address the needs of each persona. Some roles may need to be applied temporarily and removed after the deployment is completed.
+Microsoft advocates the principle of granting the least possible privilege to perform needed tasks with Microsoft Entra ID. [Review the different Azure roles that are available](../roles/permissions-reference.md) and choose the right one to address the needs of each persona. Some roles may need to be applied temporarily and removed after the deployment is completed.
-| Business role| Business tasks| Azure AD roles |
+| Business role| Business tasks| Microsoft Entra roles |
|||| | Help desk admin | Typically limited to qualifying end user reported issues and performing limited tasks such as changing usersΓÇÖ passwords, invalidating refresh tokens, and monitoring service health. | Helpdesk Administrator |
-| Identity admin| Read Azure AD sign-in reports and audit logs to debug App Proxy related issues.| Security reader |
+| Identity admin| Read Microsoft Entra sign-in reports and audit logs to debug App Proxy related issues.| Security reader |
| Application owner| Create and manage all aspects of enterprise applications, application registrations, and application proxy settings.| Application Admin | | Infrastructure admin | Certificate Rollover Owner | Application Admin | Minimizing the number of people who have access to secure information or resources will help in reducing the chance of a malicious actor obtaining unauthorized access, or an authorized user inadvertently impacting a sensitive resource.
-However, users still need to carry out day to day privileged operations, so enforcing just-in-time (JIT) based [Privileged Identity Management](../privileged-identity-management/pim-configure.md) policies to provide on-demand privileged access to Azure resources and Azure AD is our recommended approach towards effectively managing administrative access and auditing.
+However, users still need to carry out day to day privileged operations, so enforcing just-in-time (JIT) based [Privileged Identity Management](../privileged-identity-management/pim-configure.md) policies to provide on-demand privileged access to Azure resources and Microsoft Entra ID is our recommended approach towards effectively managing administrative access and auditing.
### Reporting and monitoring
-Azure AD provides additional insights into your organizationΓÇÖs application usage and operational health through [audit logs and reports](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). Application Proxy also makes it very easy to monitor connectors from the Microsoft Entra admin center and Windows Event Logs.
+Microsoft Entra ID provides additional insights into your organizationΓÇÖs application usage and operational health through [audit logs and reports](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). Application Proxy also makes it very easy to monitor connectors from the Microsoft Entra admin center and Windows Event Logs.
#### Application audit logs
These logs provide detailed information about logins to applications configured
#### Application Proxy Connector monitoring
-The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Microsoft Entra admin center. For more information about connector maintenance see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#maintenance).
+The connectors and the service take care of all the high availability tasks. You can monitor the status of your connectors from the Application Proxy page in the Microsoft Entra admin center. For more information about connector maintenance see [Understand Microsoft Entra application proxy Connectors](./application-proxy-connectors.md#maintenance).
-![Example: Azure AD Application Proxy connectors](./media/application-proxy-connectors/app-proxy-connectors.png)
+![Example: Microsoft Entra application proxy connectors](./media/application-proxy-connectors/app-proxy-connectors.png)
#### Windows event logs and performance counters
-Connectors have both admin and session logs. The admin logs include key events and their errors. The session logs include all the transactions and their processing details. Logs and counters are located in Windows Event Logs for more information see [Understand Azure AD Application Proxy Connectors](./application-proxy-connectors.md#under-the-hood). Follow this [tutorial to configure event log data sources in Azure Monitor](../../azure-monitor/agents/data-sources-windows-events.md).
+Connectors have both admin and session logs. The admin logs include key events and their errors. The session logs include all the transactions and their processing details. Logs and counters are located in Windows Event Logs for more information see [Understand Microsoft Entra application proxy Connectors](./application-proxy-connectors.md#under-the-hood). Follow this [tutorial to configure event log data sources in Azure Monitor](../../azure-monitor/agents/data-sources-windows-events.md).
### Troubleshooting guide and steps
active-directory Application Proxy High Availability Load Balancing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-high-availability-load-balancing.md
Title: High availability and load balancing - Azure Active Directory Application Proxy
+ Title: High availability and load balancing - Microsoft Entra application proxy
description: How traffic distribution works with your Application Proxy deployment. Includes tips for how to optimize connector performance and use load balancing for back-end servers.
An application often has many resources and opens multiple connections when it's
## Traffic flow between connectors and back-end application servers
-Another key area where high availability is a factor is the connection between connectors and the back-end servers. When an application is published through Azure AD Application Proxy, traffic from the users to the applications flows through three hops:
+Another key area where high availability is a factor is the connection between connectors and the back-end servers. When an application is published through Microsoft Entra application proxy, traffic from the users to the applications flows through three hops:
-1. The user connects to the Azure AD Application Proxy service public endpoint on Azure. The connection is established between the originating client IP address (public) of the client and the IP address of the Application Proxy endpoint.
+1. The user connects to the Microsoft Entra application proxy service public endpoint on Azure. The connection is established between the originating client IP address (public) of the client and the IP address of the Application Proxy endpoint.
2. The Application Proxy connector pulls the HTTP request of the client from the Application Proxy Service. 3. The Application Proxy connector connects to the target application. The connector uses its own IP address for establishing the connection. ![Diagram of user connecting to an application via Application Proxy](media/application-proxy-high-availability-load-balancing/application-proxy-three-hops.png) ### X-Forwarded-For header field considerations
-In some situations (like auditing, load balancing etc.), sharing the originating IP address of the external client with the on-premises environment is a requirement. To address the requirement, Azure AD Application Proxy connector adds the X-Forwarded-For header field with the originating client IP address (public) to the HTTP request. The appropriate network device (load balancer, firewall) or the web server or back-end application can then read and use the information.
+In some situations (like auditing, load balancing etc.), sharing the originating IP address of the external client with the on-premises environment is a requirement. To address the requirement, Microsoft Entra application proxy connector adds the X-Forwarded-For header field with the originating client IP address (public) to the HTTP request. The appropriate network device (load balancer, firewall) or the web server or back-end application can then read and use the information.
## Best practices for load balancing among multiple app servers When the connector group that's assigned to the Application Proxy application has two or more connectors, and youΓÇÖre running the back-end web application on multiple servers (server farm),
Refer to your software vendor's documentation to understand the load-balancing r
- [Enable single-sign on](application-proxy-configure-single-sign-on-with-kcd.md) - [Enable Conditional Access](./application-proxy-integrate-with-sharepoint-server.md) - [Troubleshoot issues you're having with Application Proxy](application-proxy-troubleshoot.md)-- [Learn how Azure AD architecture supports high availability](../architecture/architecture.md)
+- [Learn how Microsoft Entra architecture supports high availability](../architecture/architecture.md)
active-directory Application Proxy Integrate With Logic Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-logic-apps.md
Title: Securely integrate Azure Logic Apps with on-premises APIs using Azure Active Directory Application Proxy
-description: Azure Active Directory's Application Proxy lets cloud-native logic apps securely access on-premises APIs to bridge your workload.
+ Title: Securely integrate Azure Logic Apps with on-premises APIs using Microsoft Entra application proxy
+description: Microsoft Entra application proxy lets cloud-native logic apps securely access on-premises APIs to bridge your workload.
-# Securely integrate Azure Logic Apps with on-premises APIs using Azure Active Directory Application Proxy
+# Securely integrate Azure Logic Apps with on-premises APIs using Microsoft Entra application proxy
Azure Logic Apps is a service allowing easy creation of managed workflows in a no-code environment that can integrate with various external services and systems. This can help automate a wide range of business processes, such as data integration, data processing, and event-driven scenarios. While Logic Apps easily integrate with other public and cloud-based services, the need may arise to utilize Logic Apps with protected, on-premises applications and services without exposing the service to the public via port forwarding or a traditional reverse proxy.
-This article describes the steps necessary to utilize the Azure AD Application Proxy solution to provide secure access to a Logic App, while protecting the internal application from unwanted actors. The process and end result is similar to [Access on-premises APIs with Azure Active Directory Application Proxy](./application-proxy-secure-api-access.md) with special attention paid to utilizing the API from within a Logic App.
+This article describes the steps necessary to utilize the Microsoft Entra application proxy solution to provide secure access to a Logic App, while protecting the internal application from unwanted actors. The process and end result is similar to [Access on-premises APIs with Microsoft Entra application proxy](./application-proxy-secure-api-access.md) with special attention paid to utilizing the API from within a Logic App.
## Overview
The following diagram shows a traditional way to publish on-premises APIs for ac
![Diagram that shows Logic App to API direct connection.](./media/application-proxy-integrate-with-logic-apps/azure-logic-app-to-api-connection-direct.png)
-The following diagram shows how you can use Azure AD Application Proxy to securely publish APIs for use with Logic Apps (or other Azure Cloud services) without opening any incoming ports:
+The following diagram shows how you can use Microsoft Entra application proxy to securely publish APIs for use with Logic Apps (or other Azure Cloud services) without opening any incoming ports:
![Diagram that shows Logic App to API connection via Azure Application Proxy.](./media/application-proxy-integrate-with-logic-apps/azure-logic-app-to-api-connection-app-proxy.png)
-The Azure AD App Proxy and associated connector facilitate secure authorization and integration to your on-premises services without additional configuration to your network security infrastructure.
+The Microsoft Entra application proxy and associated connector facilitate secure authorization and integration to your on-premises services without additional configuration to your network security infrastructure.
## Prerequisites
To follow this tutorial, you will need:
- Admin access to an Azure directory, with an account that can create and register apps - The *Logic App Contributor* role (or higher) in an active tenant-- Azure Application Proxy connector deployed and an application configured as detailed in [Add an on-premises app - Application Proxy in Azure Active Directory](./application-proxy-add-on-premises-application.md)
+- Azure Application Proxy connector deployed and an application configured as detailed in [Add an on-premises app - Application Proxy in Microsoft Entra ID](./application-proxy-add-on-premises-application.md)
> [!NOTE] > While granting a user entitlement and testing the sign on is recommended, it is not required for this guide.
When a new Enterprise Application is created, a matching App Registration is als
1. From the *Sample App 1* detail page, take note of the *Application (client) ID* and *Directory (tenant) ID* fields. These will be used later.
- ![Screenshot of the Azure Active Directory App Registration Detail.](./media/application-proxy-integrate-with-logic-apps/app-registration-detail.png)
+ ![Screenshot of the Microsoft Entra App Registration Detail.](./media/application-proxy-integrate-with-logic-apps/app-registration-detail.png)
1. Select the **API permissions** menu item from the navigation pane
- ![Screenshot of the Azure Active Directory App Registration API Permissions Menu Item.](./media/application-proxy-integrate-with-logic-apps/api-permissions-menu.png)
+ ![Screenshot of the Microsoft Entra App Registration API Permissions Menu Item.](./media/application-proxy-integrate-with-logic-apps/api-permissions-menu.png)
1. From the *API permissions* page:
When a new Enterprise Application is created, a matching App Registration is als
3. Verify the configured permission appears
- ![Screenshot of the Azure Active Directory App Registration API Permissions Detail.](./media/application-proxy-integrate-with-logic-apps/api-permissions-detail.png)
+ ![Screenshot of the Microsoft Entra App Registration API Permissions Detail.](./media/application-proxy-integrate-with-logic-apps/api-permissions-detail.png)
1. Select the **Certificates & secrets** menu item from the navigation pane
- ![Screenshot of the Azure Active Directory App Registration Certificates and Secrets Menu Item.](./media/application-proxy-integrate-with-logic-apps/certificates-and-secrets-menu.png)
+ ![Screenshot of the Microsoft Entra App Registration Certificates and Secrets Menu Item.](./media/application-proxy-integrate-with-logic-apps/certificates-and-secrets-menu.png)
1. From the *Certificates & secrets* page:
When a new Enterprise Application is created, a matching App Registration is als
5. Click the **Copy** button for the *Value* of the newly created secret. Save this securely for use later, this value is only shown one time.
- ![Screenshot of the Azure Active Directory App Registration Client Secret Detail.](./media/application-proxy-integrate-with-logic-apps/client-secret-detail.png)
+ ![Screenshot of the Microsoft Entra App Registration Client Secret Detail.](./media/application-proxy-integrate-with-logic-apps/client-secret-detail.png)
## Configure the Logic App
When a new Enterprise Application is created, a matching App Registration is als
1. *Method*: Select the desired HTTP method to be sent to the internal API
- 2. *URI*: Fill in with the *public* FQDN of your application registered in Azure AD, along with the additional URI required for API access (e.g. *sampleapp1.msappproxy.net/api/1/status*)
+ 2. *URI*: Fill in with the *public* FQDN of your application registered in Microsoft Entra ID, along with the additional URI required for API access (e.g. *sampleapp1.msappproxy.net/api/1/status*)
> [!NOTE] > Specific values for API will depend on your internal application. Refer to your application's documentation for more information.
When a new Enterprise Application is created, a matching App Registration is als
2. *Tenant*: Enter the **Directory (tenant) ID** noted in *Configure the Application Access*
- 3. *Audience*: Enter the *public* FQDN of your application registered in Azure AD (e.g. *sampleapp1.msappproxy.net*)
+ 3. *Audience*: Enter the *public* FQDN of your application registered in Microsoft Entra ID (e.g. *sampleapp1.msappproxy.net*)
4. *Client ID*: Enter the **Application (client) ID** noted in *Configure the Application Access*
When a new Enterprise Application is created, a matching App Registration is als
## Caveats -- APIs that require authentication/authorization require special handling when using this method. Since Azure Active Directory OAuth is being used for access, the requests sent already contain an *Authorization* field that cannot also be utilized by the internal API (unless SSO is configured). As a workaround, some applications offer authentication or authorization that uses methods other than an *Authorization* header. For example, GitLab allows for a header titled *PRIVATE-TOKEN*, and Atlassian JIRA allows for requesting a Cookie that can be used in later requests
+- APIs that require authentication/authorization require special handling when using this method. Since Microsoft Entra ID OAuth is being used for access, the requests sent already contain an *Authorization* field that cannot also be utilized by the internal API (unless SSO is configured). As a workaround, some applications offer authentication or authorization that uses methods other than an *Authorization* header. For example, GitLab allows for a header titled *PRIVATE-TOKEN*, and Atlassian JIRA allows for requesting a Cookie that can be used in later requests
- While the Logic App HTTP action shows cleartext values, it is highly recommended to store the App Registration Secret Key in Azure Key Vault for secure retrieval and use. ## See Also - [How to configure an Application Proxy application](./application-proxy-config-how-to.md)-- [Access on-premises APIs with Azure Active Directory Application Proxy](./application-proxy-secure-api-access.md)-- [Common scenarios, examples, tutorials, and walkthroughs for Azure Logic Apps](../../logic-apps/logic-apps-examples-and-scenarios.md)
+- [Access on-premises APIs with Microsoft Entra application proxy](./application-proxy-secure-api-access.md)
+- [Common scenarios, examples, tutorials, and walkthroughs for Azure Logic Apps](../../logic-apps/logic-apps-examples-and-scenarios.md)
active-directory Application Proxy Integrate With Microsoft Cloud Application Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security.md
Title: Use Application Proxy to integrate on-premises apps with Defender for Cloud Apps
-description: Configure an on-premises application in Azure Active Directory to work with Microsoft Defender for Cloud Apps. Use the Defender for Cloud Apps Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Azure Active Directory (Azure AD).
+description: Configure an on-premises application in Microsoft Entra ID to work with Microsoft Defender for Cloud Apps. Use the Defender for Cloud Apps Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Microsoft Entra ID.
-# Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory
-Configure an on-premises application in Azure Active Directory (Azure AD) to use Microsoft Defender for Cloud Apps for real-time monitoring. Defender for Cloud Apps uses Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Azure Active Directory (Azure AD).
+# Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Microsoft Entra ID
+Configure an on-premises application in Microsoft Entra ID to use Microsoft Defender for Cloud Apps for real-time monitoring. Defender for Cloud Apps uses Conditional Access App Control to monitor and control sessions in real-time based on Conditional Access policies. You can apply these policies to on-premises applications that use Application Proxy in Microsoft Entra ID.
Here are some examples of the types of policies you can create with Defender for Cloud Apps:
For more information, see [Protect apps with Microsoft Defender for Cloud Apps C
License: - EMS E5 license, or-- Azure Active Directory Premium P1 and Defender for Cloud Apps Standalone.
+- Microsoft Entra ID P1 and Defender for Cloud Apps Standalone.
On-premises application:
On-premises application:
Configure Application Proxy: -- Configure Azure AD to use Application Proxy, including preparing your environment and installing the Application Proxy connector. For a tutorial, see [Add an on-premises applications for remote access through Application Proxy in Azure AD](../app-proxy/application-proxy-add-on-premises-application.md).
+- Configure Microsoft Entra ID to use Application Proxy, including preparing your environment and installing the Application Proxy connector. For a tutorial, see [Add an on-premises applications for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md).
-## Add on-premises application to Azure AD
+<a name='add-on-premises-application-to-azure-ad'></a>
-Add an on-premises application to Azure AD. For a quickstart, see [Add an on-premises app to Azure AD](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). When adding the application, be sure to set the following two settings in the **Add your on-premises application** blade:
+## Add on-premises application to Microsoft Entra ID
-- **Pre Authentication**: Enter **Azure Active Directory**.
+Add an on-premises application to Microsoft Entra ID. For a quickstart, see [Add an on-premises app to Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). When adding the application, be sure to set the following two settings in the **Add your on-premises application** blade:
+
+- **Pre Authentication**: Enter **Microsoft Entra ID**.
- **Translate URLs in Application Body**: Choose **Yes**. Those two settings are required for the application to work with Defender for Cloud Apps. ## Test the on-premises application
-After adding your application to Azure AD, use the steps in [Test the application](../app-proxy/application-proxy-add-on-premises-application.md#test-the-application) to add a user for testing, and test the sign-on.
+After adding your application to Microsoft Entra ID, use the steps in [Test the application](../app-proxy/application-proxy-add-on-premises-application.md#test-the-application) to add a user for testing, and test the sign-on.
## Deploy Conditional Access App Control
-To configure your application with the Conditional Access Application Control, follow the instructions in [Deploy Conditional Access Application Control for Azure AD apps](/cloud-app-security/proxy-deployment-aad).
+To configure your application with the Conditional Access Application Control, follow the instructions in [Deploy Conditional Access Application Control for Microsoft Entra apps](/cloud-app-security/proxy-deployment-aad).
## Test Conditional Access App Control
-To test the deployment of Azure AD applications with Conditional Access Application Control, follow the instructions in [Test the deployment for Azure AD apps](/cloud-app-security/proxy-deployment-aad).
+To test the deployment of Microsoft Entra applications with Conditional Access Application Control, follow the instructions in [Test the deployment for Microsoft Entra apps](/cloud-app-security/proxy-deployment-aad).
active-directory Application Proxy Integrate With Power Bi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-power-bi.md
Title: Enable remote access to Power BI with Azure Active Directory Application Proxy
-description: Covers the basics about how to integrate an on-premises Power BI with Azure Active Directory Application Proxy.
+ Title: Enable remote access to Power BI with Microsoft Entra application proxy
+description: Covers the basics about how to integrate an on-premises Power BI with Microsoft Entra application proxy.
-# Enable remote access to Power BI Mobile with Azure Active Directory Application Proxy
+# Enable remote access to Power BI Mobile with Microsoft Entra application proxy
-This article discusses how to use Azure AD Application Proxy to enable the Power BI mobile app to connect to Power BI Report Server (PBIRS) and SQL Server Reporting Services (SSRS) 2016 and later. Through this integration, users who are away from the corporate network can access their Power BI reports from the Power BI mobile app and be protected by Azure AD authentication. This protection includes [security benefits](application-proxy-security.md#security-benefits) such as Conditional Access and multi-factor authentication.
+This article discusses how to use Microsoft Entra application proxy to enable the Power BI mobile app to connect to Power BI Report Server (PBIRS) and SQL Server Reporting Services (SSRS) 2016 and later. Through this integration, users who are away from the corporate network can access their Power BI reports from the Power BI mobile app and be protected by Microsoft Entra authentication. This protection includes [security benefits](application-proxy-security.md#security-benefits) such as Conditional Access and multi-factor authentication.
## Prerequisites This article assumes you've already deployed Report Services and [enabled Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md). -- Enabling Application Proxy requires installing a connector on a Windows server and completing the [prerequisites](../app-proxy/application-proxy-add-on-premises-application.md#prepare-your-on-premises-environment) so that the connector can communicate with Azure AD services.
+- Enabling Application Proxy requires installing a connector on a Windows server and completing the [prerequisites](../app-proxy/application-proxy-add-on-premises-application.md#prepare-your-on-premises-environment) so that the connector can communicate with Microsoft Entra services.
- When publishing Power BI, we recommended you use the same internal and external domains. To learn more about custom domains, see [Working with custom domains in Application Proxy](./application-proxy-configure-custom-domain.md). - This integration is available for the **Power BI Mobile iOS and Android** application.
To enable a report server to use Kerberos authentication, configure the Authenti
For more information, see [Modify a Reporting Services Configuration File](/sql/reporting-services/report-server/modify-a-reporting-services-configuration-file-rsreportserver-config) and [Configure Windows Authentication on a Report Server](/sql/reporting-services/security/configure-windows-authentication-on-the-report-server). ### Ensure the Connector is trusted for delegation to the SPN added to the Reporting Services application pool account
-Configure KCD so that the Azure AD Application Proxy service can delegate user identities to the Reporting Services application pool account. Configure KCD by enabling the Application Proxy connector to retrieve Kerberos tickets for your users who have been authenticated in Azure AD. Then that server passes the context to the target application, or Reporting Services in this case.
+Configure KCD so that the Microsoft Entra application proxy service can delegate user identities to the Reporting Services application pool account. Configure KCD by enabling the Application Proxy connector to retrieve Kerberos tickets for your users who have been authenticated in Microsoft Entra ID. Then that server passes the context to the target application, or Reporting Services in this case.
To configure KCD, repeat the following steps for each connector machine:
To configure KCD, repeat the following steps for each connector machine:
For more information, see [Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md).
-## Step 2: Publish Report Services through Azure AD Application Proxy
+<a name='step-2-publish-report-services-through-azure-ad-application-proxy'></a>
-Now you're ready to configure Azure AD Application Proxy.
+## Step 2: Publish Report Services through Microsoft Entra application proxy
-1. Publish Report Services through Application Proxy with the following settings. For step-by-step instructions on how to publish an application through Application Proxy, see [Publishing applications using Azure AD Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
+Now you're ready to configure Microsoft Entra application proxy.
+
+1. Publish Report Services through Application Proxy with the following settings. For step-by-step instructions on how to publish an application through Application Proxy, see [Publishing applications using Microsoft Entra application proxy](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
- **Internal URL**: Enter the URL to the Report Server that the connector can reach in the corporate network. Make sure this URL is reachable from the server the connector is installed on. A best practice is using a top-level domain such as `https://servername/` to avoid issues with subpaths published through Application Proxy. For example, use `https://servername/` and not `https://servername/reports/` or `https://servername/reportserver/`. > [!NOTE] > We recommend using a secure HTTPS connection to the Report Server. See [Configure SSL connections on a native mode report server](/sql/reporting-services/security/configure-ssl-connections-on-a-native-mode-report-server) for information how to.
- - **External URL**: Enter the public URL the Power BI mobile app will connect to. For example, it may look like `https://reports.contoso.com` if a custom domain is used. To use a custom domain, upload a certificate for the domain, and point a DNS record to the default msappproxy.net domain for your application. For detailed steps, see [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
+ - **External URL**: Enter the public URL the Power BI mobile app will connect to. For example, it may look like `https://reports.contoso.com` if a custom domain is used. To use a custom domain, upload a certificate for the domain, and point a DNS record to the default msappproxy.net domain for your application. For detailed steps, see [Working with custom domains in Microsoft Entra application proxy](application-proxy-configure-custom-domain.md).
- - **Pre-authentication Method**: Azure Active Directory
+ - **Pre-authentication Method**: Microsoft Entra ID
2. Once your app is published, configure the single sign-on settings with the following steps:
To finish setting up your application, go to **the Users and groups** section an
Before the Power BI mobile app can connect and access Report Services, you must configure the Application Registration that was automatically created for you in step 2.
-1. On the Azure Active Directory **Overview** page, select **App registrations**.
+1. On the Microsoft Entra ID **Overview** page, select **App registrations**.
2. Under the **All applications** tab search for the application you created in step 2. 3. Select the application, then select **Authentication**. 4. Add the following Redirect URIs based on which platform you are using.
Before the Power BI mobile app can connect and access Report Services, you must
![Power BI mobile app with External URL](media/application-proxy-integrate-with-power-bi/app-proxy-power-bi-mobile-app.png)
-2. Select **Connect**. You'll be directed to the Azure Active Directory sign-in page.
+2. Select **Connect**. You'll be directed to the Microsoft Entra sign-in page.
3. Enter valid credentials for your user and select **Sign in**. You'll see the elements from your Reporting Services server.
You can use Microsoft Intune to manage the client apps that your company's workf
If the application returns an error page after trying to load a report for more than a few minutes, you might need to change the timeout setting. By default, Application Proxy supports applications that take up to 85 seconds to respond to a request. To lengthen this setting to 180 seconds, select the back-end timeout to **Long** in the App Proxy settings page for the application. For tips on how to create fast and reliable reports see [Power BI Reports Best Practices](/power-bi/power-bi-reports-performance).
-Using Azure AD Application Proxy to enable the Power BI mobile app to connect to on premises Power BI Report Server is not supported with Conditional Access policies that require the Microsoft Power BI app as an approved client app.
+Using Microsoft Entra application proxy to enable the Power BI mobile app to connect to on premises Power BI Report Server is not supported with Conditional Access policies that require the Microsoft Power BI app as an approved client app.
## Next steps
active-directory Application Proxy Integrate With Remote Desktop Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services.md
Title: Publish Remote Desktop with Azure Active Directory Application Proxy
+ Title: Publish Remote Desktop with Microsoft Entra application proxy
description: Covers how to configure App Proxy with Remote Desktop Services (RDS)
-# Publish Remote Desktop with Azure Active Directory Application Proxy
+# Publish Remote Desktop with Microsoft Entra application proxy
-Remote Desktop Service and Azure AD Application Proxy work together to improve the productivity of workers who are away from the corporate network.
+Remote Desktop Service and Microsoft Entra application proxy work together to improve the productivity of workers who are away from the corporate network.
The intended audience for this article is: - Current Application Proxy customers who want to offer more applications to their end users by publishing on-premises applications through Remote Desktop Services.-- Current Remote Desktop Services customers who want to reduce the attack surface of their deployment by using Azure AD Application Proxy. This scenario gives a set of two-step verification and Conditional Access controls to RDS.
+- Current Remote Desktop Services customers who want to reduce the attack surface of their deployment by using Microsoft Entra application proxy. This scenario gives a set of two-step verification and Conditional Access controls to RDS.
## How Application Proxy fits in the standard RDS deployment
-A standard RDS deployment includes various Remote Desktop role services running on Windows Server. Looking at the [Remote Desktop Services architecture](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture), there are multiple deployment options. Unlike other RDS deployment options, the [RDS deployment with Azure AD Application Proxy](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture) (shown in the following diagram) has a permanent outbound connection from the server running the connector service. Other deployments leave open inbound connections through a load balancer.
+A standard RDS deployment includes various Remote Desktop role services running on Windows Server. Looking at the [Remote Desktop Services architecture](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture), there are multiple deployment options. Unlike other RDS deployment options, the [RDS deployment with Microsoft Entra application proxy](/windows-server/remote/remote-desktop-services/Desktop-hosting-logical-architecture) (shown in the following diagram) has a permanent outbound connection from the server running the connector service. Other deployments leave open inbound connections through a load balancer.
![Application Proxy sits between the RDS VM and the public internet](./media/application-proxy-integrate-with-remote-desktop-services/rds-with-app-proxy.png) In an RDS deployment, the RD Web role and the RD Gateway role run on Internet-facing machines. These endpoints are exposed for the following reasons: - RD Web provides the user a public endpoint to sign in and view the various on-premises applications and desktops they can access. Upon selecting a resource, an RDP connection is created using the native app on the OS.-- RD Gateway comes into the picture once a user launches the RDP connection. The RD Gateway handles encrypted RDP traffic coming over the internet and translates it to the on-premises server that the user is connecting to. In this scenario, the traffic the RD Gateway is receiving comes from the Azure AD Application Proxy.
+- RD Gateway comes into the picture once a user launches the RDP connection. The RD Gateway handles encrypted RDP traffic coming over the internet and translates it to the on-premises server that the user is connecting to. In this scenario, the traffic the RD Gateway is receiving comes from the Microsoft Entra application proxy.
>[!TIP] >If you haven't deployed RDS before, or want more information before you begin, learn how to [seamlessly deploy RDS with Azure Resource Manager and Azure Marketplace](/windows-server/remote/remote-desktop-services/rds-in-azure).
In an RDS deployment, the RD Web role and the RD Gateway role run on Internet-fa
## Requirements - Both the RD Web and RD Gateway endpoints must be located on the same machine, and with a common root. RD Web and RD Gateway are published as a single application with Application Proxy so that you can have a single sign-on experience between the two applications.-- You should already have [deployed RDS](/windows-server/remote/remote-desktop-services/rds-in-azure), and [enabled Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md). Ensure you have satisfied the pre-requisites to enable Application Proxy, such as installing the connector, opening required ports and URLs, and enabling TLS 1.2 on the server. To learn which ports need to be opened, and other details, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md).
+- You should already have [deployed RDS](/windows-server/remote/remote-desktop-services/rds-in-azure), and [enabled Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md). Ensure you have satisfied the pre-requisites to enable Application Proxy, such as installing the connector, opening required ports and URLs, and enabling TLS 1.2 on the server. To learn which ports need to be opened, and other details, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](application-proxy-add-on-premises-application.md).
- Your end users must use a compatible browser to connect to RD Web or the RD Web client. For more details see [Support for client configurations](#support-for-other-client-configurations). - When publishing RD Web, it is recommended to use the same internal and external FQDN. If the internal and external FQDNs are different then you should disable Request Header Translation to avoid the client receiving invalid links. - If you are using the RD Web client, you *must* use the same internal and external FQDN. If the internal and external FQDNs are different, you will encounter websocket errors when making a RemoteApp connection through the RD Web client. - If you are using RD Web on Internet Explorer, you will need to enable the RDS ActiveX add-on. - If you are using the RD Web client, you will need to use the Application Proxy [connector version 1.5.1975 or later](./application-proxy-release-version-history.md).-- For the Azure AD pre-authentication flow, users can only connect to resources published to them in the **RemoteApp and Desktops** pane. Users can't connect to a desktop using the **Connect to a remote PC** pane.-- If you are using Windows Server 2019, you may need to disable HTTP2 protocol. For more information, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).
+- For the Microsoft Entra pre-authentication flow, users can only connect to resources published to them in the **RemoteApp and Desktops** pane. Users can't connect to a desktop using the **Connect to a remote PC** pane.
+- If you are using Windows Server 2019, you may need to disable HTTP2 protocol. For more information, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md).
## Deploy the joint RDS and Application Proxy scenario
-After setting up RDS and Azure AD Application Proxy for your environment, follow the steps to combine the two solutions. These steps walk through publishing the two web-facing RDS endpoints (RD Web and RD Gateway) as applications, and then directing traffic on your RDS to go through Application Proxy.
+After setting up RDS and Microsoft Entra application proxy for your environment, follow the steps to combine the two solutions. These steps walk through publishing the two web-facing RDS endpoints (RD Web and RD Gateway) as applications, and then directing traffic on your RDS to go through Application Proxy.
### Publish the RD host endpoint 1. [Publish a new Application Proxy application](../app-proxy/application-proxy-add-on-premises-application.md) with the following values: - Internal URL: `https://<rdhost>.com/`, where `<rdhost>` is the common root that RD Web and RD Gateway share. - External URL: This field is automatically populated based on the name of the application, but you can modify it. Your users will go to this URL when they access RDS.
- - Preauthentication method: Azure Active Directory
+ - Preauthentication method: Microsoft Entra ID
- Translate URL headers: No - Use HTTP-Only Cookie: No 2. Assign users to the published RD application. Make sure they all have access to RDS, too.
-3. Leave the single sign-on method for the application as **Azure AD single sign-on disabled**.
+3. Leave the single sign-on method for the application as **Microsoft Entra single sign-on disabled**.
>[!Note]
- >Your users are asked to authenticate once to Azure AD and once to RD Web, but they have single sign-on to RD Gateway.
+ >Your users are asked to authenticate once to Microsoft Entra ID and once to RD Web, but they have single sign-on to RD Gateway.
1. Browse to **Identity** > **Applications** > **App registrations**. Choose your app from the list. 5. Under **Manage**, select **Branding**.
After setting up RDS and Azure AD Application Proxy for your environment, follow
### Direct RDS traffic to Application Proxy
-Connect to the RDS deployment as an administrator and change the RD Gateway server name for the deployment. This configuration ensures that connections go through the Azure AD Application Proxy service.
+Connect to the RDS deployment as an administrator and change the RD Gateway server name for the deployment. This configuration ensures that connections go through the Microsoft Entra application proxy service.
1. Connect to the RDS server running the RD Connection Broker role. 2. Launch **Server Manager**.
Connect to the RDS deployment as an administrator and change the RD Gateway serv
(get-wmiobject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop).RDPFileContents ```
-Now that you've configured Remote Desktop, Azure AD Application Proxy has taken over as the internet-facing component of RDS. You can remove the other public internet-facing endpoints on your RD Web and RD Gateway machines.
+Now that you've configured Remote Desktop, Microsoft Entra application proxy has taken over as the internet-facing component of RDS. You can remove the other public internet-facing endpoints on your RD Web and RD Gateway machines.
### Enable the RD Web Client If you also want users to be able to use the RD Web Client follow steps at [Set up the Remote Desktop web client for your users](/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin) to enable this.
The Remote Desktop web client lets users access your organization's Remote Deskt
Test the scenario with Internet Explorer on a Windows 7 or 10 computer. 1. Go to the external URL you set up, or find your application in the [MyApps panel](https://myapps.microsoft.com).
-2. You are asked to authenticate to Azure Active Directory. Use an account that you assigned to the application.
+2. You are asked to authenticate to Microsoft Entra ID. Use an account that you assigned to the application.
3. You are asked to authenticate to RD Web. 4. Once your RDS authentication succeeds, you can select the desktop or application you want, and start working.
The configuration outlined in this article is for access to RDS via RD Web or th
*Edge Chromium IE mode is required when the My Apps portal is used for accessing the Remote Desktop app.
-The pre-authentication flow offers more security benefits than the passthrough flow. With pre-authentication you can use Azure AD authentication features like single sign-on, Conditional Access, and two-step verification for your on-premises resources. You also ensure that only authenticated traffic reaches your network.
+The pre-authentication flow offers more security benefits than the passthrough flow. With pre-authentication you can use Microsoft Entra authentication features like single sign-on, Conditional Access, and two-step verification for your on-premises resources. You also ensure that only authenticated traffic reaches your network.
To use passthrough authentication, there are just two modifications to the steps listed in this article: 1. In [Publish the RD host endpoint](#publish-the-rd-host-endpoint) step 1, set the Preauthentication method to **Passthrough**. 2. In [Direct RDS traffic to Application Proxy](#direct-rds-traffic-to-application-proxy), skip step 8 entirely. ## Next steps-- [Enable remote access to SharePoint with Azure AD Application Proxy](application-proxy-integrate-with-sharepoint-server.md)-- [Security considerations for accessing apps remotely by using Azure AD Application Proxy](application-proxy-security.md)
+- [Enable remote access to SharePoint with Microsoft Entra application proxy](application-proxy-integrate-with-sharepoint-server.md)
+- [Security considerations for accessing apps remotely by using Microsoft Entra application proxy](application-proxy-security.md)
- [Best practices for load balancing multiple app servers](application-proxy-high-availability-load-balancing.md#best-practices-for-load-balancing-among-multiple-app-servers)
active-directory Application Proxy Integrate With Sharepoint Server Saml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server-saml.md
Title: Publish an on-premises SharePoint farm with Azure Active Directory Application Proxy
-description: Covers the basics about how to integrate an on-premises SharePoint farm with Azure Active Directory Application Proxy for SAML.
+ Title: Publish an on-premises SharePoint farm with Microsoft Entra application proxy
+description: Covers the basics about how to integrate an on-premises SharePoint farm with Microsoft Entra application proxy for SAML.
-# Integrate Azure Active Directory Application Proxy with SharePoint (SAML)
+# Integrate Microsoft Entra application proxy with SharePoint (SAML)
-This step-by-step guide explains how to secure the access to the [Azure Active Directory integrated on-premises SharePoint (SAML)](../saas-apps/sharepoint-on-premises-tutorial.md) using Azure AD Application Proxy, where users in your organization (Azure AD, B2B) connect to SharePoint through the Internet.
+This step-by-step guide explains how to secure the access to the [Microsoft Entra integrated on-premises SharePoint (SAML)](../saas-apps/sharepoint-on-premises-tutorial.md) using Microsoft Entra application proxy, where users in your organization (Microsoft Entra ID, B2B) connect to SharePoint through the Internet.
> [!NOTE]
-> If you're new to Azure AD Application Proxy and want to learn more, see [Remote access to on-premises applications through Azure AD Application Proxy](./application-proxy.md).
+> If you're new to Microsoft Entra application proxy and want to learn more, see [Remote access to on-premises applications through Microsoft Entra application proxy](./application-proxy.md).
There are three primary advantages of this setup: -- Azure AD Application Proxy ensures that authenticated traffic can reach your internal network and SharePoint.
+- Microsoft Entra application proxy ensures that authenticated traffic can reach your internal network and SharePoint.
- Your users can access SharePoint sites as usual without using VPN.-- You can control the access by user assignment on the Azure AD Application Proxy level and you can increase the security with Azure AD features like Conditional Access and Multi-Factor Authentication (MFA).
+- You can control the access by user assignment on the Microsoft Entra application proxy level and you can increase the security with Microsoft Entra features like Conditional Access and Multi-Factor Authentication (MFA).
This process requires two Enterprise Applications. One is a SharePoint on-premises instance that you publish from the gallery to your list of managed SaaS apps. The second is an on-premises application (non-gallery application) you'll use to publish the first Enterprise Gallery Application. ## Prerequisites To complete this configuration, you need the following resources:
+ - A SharePoint 2013 farm or newer. The SharePoint farm must be [integrated with Microsoft Entra ID](../saas-apps/sharepoint-on-premises-tutorial.md).
+ - A Microsoft Entra tenant with a plan that includes Application Proxy. Learn more about [Microsoft Entra ID plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+ - A [custom, verified domain](../fundamentals/add-custom-domain.md) in the Microsoft Entra tenant. The verified domain must match the SharePoint URL suffix.
- An SSL certificate is required. See the details in [custom domain publishing](./application-proxy-configure-custom-domain.md).
+ - On-premises Active Directory users must be synchronized with Microsoft Entra Connect, and must be configure to [sign in to Azure](../hybrid/connect/plan-connect-user-signin.md).
- For cloud-only and B2B guest users, you need to [grant access to a guest account to SharePoint on-premises in the Microsoft Entra admin center](../saas-apps/sharepoint-on-premises-tutorial.md#manage-guest-users-access). - An Application Proxy connector installed and running on a machine within the corporate domain.
-## Step 1: Integrate SharePoint on-premises with Azure AD
+<a name='step-1-integrate-sharepoint-on-premises-with-azure-ad'></a>
-1. Configure the SharePoint on-premises app. For more information, see [Tutorial: Azure Active Directory single sign-on integration with SharePoint on-premises](../saas-apps/sharepoint-on-premises-tutorial.md).
+## Step 1: Integrate SharePoint on-premises with Microsoft Entra ID
+
+1. Configure the SharePoint on-premises app. For more information, see [Tutorial: Microsoft Entra single sign-on integration with SharePoint on-premises](../saas-apps/sharepoint-on-premises-tutorial.md).
2. Validate the configuration before moving to the next step. To validate, try to access the SharePoint on-premises from the internal network and confirm it's accessible internally. ## Step 2: Publish the SharePoint on-premises application with Application Proxy
-In this step, you create an application in your Azure AD tenant that uses Application Proxy. You set the external URL and specify the internal URL, both of which are used later in SharePoint.
+In this step, you create an application in your Microsoft Entra tenant that uses Application Proxy. You set the external URL and specify the internal URL, both of which are used later in SharePoint.
> [!NOTE] > The Internal and External URLs must match the **Sign on URL** in the SAML Based Application configuration in Step 1.
In this step, you create an application in your Azure AD tenant that uses Applic
![Screenshot that shows the Sign on URL value.](./media/application-proxy-integrate-with-sharepoint-server/sso-url-saml.png)
- 1. Create a new Azure AD Application Proxy application with custom domain. For step-by-step instructions, see [Custom domains in Azure AD Application Proxy](./application-proxy-configure-custom-domain.md).
+ 1. Create a new Microsoft Entra application proxy application with custom domain. For step-by-step instructions, see [Custom domains in Microsoft Entra application proxy](./application-proxy-configure-custom-domain.md).
- Internal URL: 'https://portal.contoso.com/' - External URL: 'https://portal.contoso.com/'
- - Pre-Authentication: Azure Active Directory
+ - Pre-Authentication: Microsoft Entra ID
- Translate URLs in Headers: No - Translate URLs in Application Body: No
active-directory Application Proxy Integrate With Sharepoint Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-sharepoint-server.md
Title: Enable remote access to SharePoint - Azure Active Directory Application Proxy
-description: Covers the basics about how to integrate on-premises SharePoint Server with Azure Active Directory Application Proxy.
+ Title: Enable remote access to SharePoint - Microsoft Entra application proxy
+description: Covers the basics about how to integrate on-premises SharePoint Server with Microsoft Entra application proxy.
-# Enable remote access to SharePoint with Azure Active Directory Application Proxy
+# Enable remote access to SharePoint with Microsoft Entra application proxy
-This step-by-step guide explains how to integrate an on-premises SharePoint farm with Azure Active Directory (Azure AD) Application Proxy.
+This step-by-step guide explains how to integrate an on-premises SharePoint farm with Microsoft Entra application proxy.
## Prerequisites To perform the configuration, you need the following resources: - A SharePoint 2013 farm or newer.-- An Azure AD tenant with a plan that includes Application Proxy. Learn more about [Azure AD plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).-- A [custom, verified domain](../fundamentals/add-custom-domain.md) in the Azure AD tenant.-- On-premises Active Directory synchronized with Azure AD Connect, through which users can [sign in to Azure](../hybrid/connect/plan-connect-user-signin.md).
+- A Microsoft Entra tenant with a plan that includes Application Proxy. Learn more about [Microsoft Entra ID plans and pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+- A [custom, verified domain](../fundamentals/add-custom-domain.md) in the Microsoft Entra tenant.
+- On-premises Active Directory synchronized with Microsoft Entra Connect, through which users can [sign in to Azure](../hybrid/connect/plan-connect-user-signin.md).
- An Application Proxy connector installed and running on a machine within the corporate domain. Configuring SharePoint with Application Proxy requires two URLs:-- An external URL, visible to end-users and determined in Azure AD. This URL can use a custom domain. Learn more about [working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
+- An external URL, visible to end-users and determined in Microsoft Entra ID. This URL can use a custom domain. Learn more about [working with custom domains in Microsoft Entra application proxy](application-proxy-configure-custom-domain.md).
- An internal URL, known only within the corporate domain and never used directly. > [!IMPORTANT]
This article uses the following values:
- External URL: `https://spsites-demo1984.msappproxy.net/` - Application pool account for the SharePoint web application: `Contoso\spapppool`
-## Step 1: Configure an application in Azure AD that uses Application Proxy
+<a name='step-1-configure-an-application-in-azure-ad-that-uses-application-proxy'></a>
-In this step, you create an application in your Azure Active Directory tenant that uses Application Proxy. You set the external URL and specify the internal URL, both of which are used later in SharePoint.
+## Step 1: Configure an application in Microsoft Entra ID that uses Application Proxy
-1. Create the app as described with the following settings. For step-by-step instructions, see [Publishing applications using Azure AD Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
+In this step, you create an application in your Microsoft Entra tenant that uses Application Proxy. You set the external URL and specify the internal URL, both of which are used later in SharePoint.
+
+1. Create the app as described with the following settings. For step-by-step instructions, see [Publishing applications using Microsoft Entra application proxy](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
* **Internal URL**: SharePoint internal URL that will be set later in SharePoint, such as `https://sharepoint`.
- * **Pre-Authentication**: Azure Active Directory
+ * **Pre-Authentication**: Microsoft Entra ID
* **Translate URLs in Headers**: No * **Translate URLs in Application Body**: No
In this step, you create an application in your Azure Active Directory tenant th
## Step 2: Configure the SharePoint web application
-The SharePoint web application must be configured with Kerberos and the appropriate alternate access mappings to work correctly with Azure AD Application Proxy. There are two possible options:
+The SharePoint web application must be configured with Kerberos and the appropriate alternate access mappings to work correctly with Microsoft Entra application proxy. There are two possible options:
- Create a new web application and use only the Default zone. This is the preferred option, as it offers the best experience with SharePoint (for example, the links in the email alerts generated by SharePoint always point to the Default zone). - Extend an existing web application to configure Kerberos in a non-default zone.
Because the Internal URL uses HTTPS protocol (`https://SharePoint/`), a certific
> Self-signed certificates are suitable only for test purposes. In production environments, we strongly recommend that you use certificates issued by a certificate authority instead. 1. Open the Internet Information Services Manager console.
-1. Expand the server in the tree view, expand **Sites**, select the **SharePoint - AAD Proxy** site, and select **Bindings**.
+1. Expand the server in the tree view, expand **Sites**, select the **SharePoint - Microsoft Entra ID Proxy** site, and select **Bindings**.
1. Select **https binding** and then select **Edit**. 1. In the TLS/SSL certificate field, choose **SharePoint** certificate and then select **OK**.
-You can now access the SharePoint site externally through Azure AD Application Proxy.
+You can now access the SharePoint site externally through Microsoft Entra application proxy.
## Step 3: Configure Kerberos Constrained Delegation
-Users will initially authenticate in Azure AD and then to SharePoint by using Kerberos through the Azure AD Proxy connector. To allow the connector to obtain a Kerberos token on behalf of the Azure AD user, you must configure Kerberos Constrained Delegation (KCD) with protocol transition. To learn more about KCD, see [Kerberos Constrained Delegation overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj553400(v=ws.11)).
+Users will initially authenticate in Microsoft Entra ID and then to SharePoint by using Kerberos through the Microsoft Entra ID Proxy connector. To allow the connector to obtain a Kerberos token on behalf of the Microsoft Entra user, you must configure Kerberos Constrained Delegation (KCD) with protocol transition. To learn more about KCD, see [Kerberos Constrained Delegation overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj553400(v=ws.11)).
### Set the SPN for the SharePoint service account
The `Setspn` command searches for the SPN before it adds it. If the SPN already
### Make sure the connector is trusted for delegation to the SPN that was added to the SharePoint application pool account
-Configure the KCD so that the Azure AD Application Proxy service can delegate user identities to the SharePoint application pool account. Configure KCD by enabling the Application Proxy connector to retrieve Kerberos tickets for your users who have been authenticated in Azure AD. Then, that server passes the context to the target application (SharePoint in this case).
+Configure the KCD so that the Microsoft Entra application proxy service can delegate user identities to the SharePoint application pool account. Configure KCD by enabling the Application Proxy connector to retrieve Kerberos tickets for your users who have been authenticated in Microsoft Entra ID. Then, that server passes the context to the target application (SharePoint in this case).
To configure the KCD, follow these steps for each connector machine: 1. Sign in to a domain controller as a domain administrator, and then open Active Directory Users and Computers.
-1. Find the computer running the Azure AD Proxy connector. In this example, it's the computer that's running SharePoint Server.
+1. Find the computer running the Microsoft Entra ID Proxy connector. In this example, it's the computer that's running SharePoint Server.
1. Double-click the computer, and then select the **Delegation** tab. 1. Make sure the delegation options are set to **Trust this computer for delegation to the specified services only**. Then, select **Use any authentication protocol**. 1. Select the **Add** button, select **Users or Computers**, and locate the SharePoint application pool account. For example: `Contoso\spapppool`.
If sign-in to the site isn't working, you can get more information about the iss
## Next steps
-* [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md)
-* [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md)
+* [Working with custom domains in Microsoft Entra application proxy](application-proxy-configure-custom-domain.md)
+* [Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md)
active-directory Application Proxy Integrate With Tableau https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-tableau.md
Title: Azure Active Directory Application Proxy and Tableau
-description: Learn how to use Azure Active Directory (Azure AD) Application Proxy to provide remote access for your Tableau deployment.
+ Title: Microsoft Entra application proxy and Tableau
+description: Learn how to use Microsoft Entra application proxy to provide remote access for your Tableau deployment.
-# Azure Active Directory Application Proxy and Tableau
+# Microsoft Entra application proxy and Tableau
-Azure Active Directory Application Proxy and Tableau have partnered to ensure you are easily able to use Application Proxy to provide remote access for your Tableau deployment. This article explains how to configure this scenario.
+Microsoft Entra application proxy and Tableau have partnered to ensure you are easily able to use Application Proxy to provide remote access for your Tableau deployment. This article explains how to configure this scenario.
## Prerequisites
To publish Tableau, you need to publish an application in the Microsoft Entra ad
For: -- Detailed instructions of steps 1-8, see [Publish applications using Azure AD Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md).
+- Detailed instructions of steps 1-8, see [Publish applications using Microsoft Entra application proxy](../app-proxy/application-proxy-add-on-premises-application.md).
- Information about how to find Tableau values for the App Proxy fields, please see the Tableau documentation. **To publish your app**:
For:
- **Internal URL**: This application should have an internal URL that is the Tableau URL itself. For example, `https://adventure-works.tableau.com`.
- - **Pre-authentication method**: Azure Active Directory (recommended but not required).
+ - **Pre-authentication method**: Microsoft Entra ID (recommended but not required).
6. Select **Add** at the top of the blade. Your application is added, and the quick start menu opens.
Your application is now ready to test. Access the external URL you used to publi
## Next steps
-For more information about Azure AD Application Proxy, see [How to provide secure remote access to on-premises applications](application-proxy.md).
+For more information about Microsoft Entra application proxy, see [How to provide secure remote access to on-premises applications](application-proxy.md).
active-directory Application Proxy Integrate With Teams https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-teams.md
Title: Access Azure Active Directory Application Proxy apps in Teams
-description: Use Azure Active Directory Application Proxy to access your on-premises application through Microsoft Teams.
+ Title: Access Microsoft Entra application proxy apps in Teams
+description: Use Microsoft Entra application proxy to access your on-premises application through Microsoft Teams.
-# Access your on-premises applications through Microsoft Teams with Azure Active Directory Application Proxy
+# Access your on-premises applications through Microsoft Teams with Microsoft Entra application proxy
-Azure Active Directory Application Proxy gives you single sign-on to on-premises applications no matter where you are. Microsoft Teams streamlines your collaborative efforts in one place. Integrating the two together means that your users can be productive with their teammates in any situation.
+Microsoft Entra application proxy gives you single sign-on to on-premises applications no matter where you are. Microsoft Teams streamlines your collaborative efforts in one place. Integrating the two together means that your users can be productive with their teammates in any situation.
-Your users can add cloud apps to their Teams channels [using tabs](https://support.office.com/article/Video-Using-Tabs-7350a03e-017a-4a00-a6ae-1c9fe8c497b3?ui=en-US&rs=en-US&ad=US), but what about the SharePoint sites or planning tool that are hosted on-premises? Application Proxy is the solution. They can add apps published through Application Proxy to their channels using the same external URLs they always use to access their apps remotely. And because Application Proxy authenticates through Azure Active Directory, your users get a single sign-on experience.
+Your users can add cloud apps to their Teams channels [using tabs](https://support.office.com/article/Video-Using-Tabs-7350a03e-017a-4a00-a6ae-1c9fe8c497b3?ui=en-US&rs=en-US&ad=US), but what about the SharePoint sites or planning tool that are hosted on-premises? Application Proxy is the solution. They can add apps published through Application Proxy to their channels using the same external URLs they always use to access their apps remotely. And because Application Proxy authenticates through Microsoft Entra ID, your users get a single sign-on experience.
## Install the Application Proxy connector and publish your app If you haven't already, [configure Application Proxy for your tenant and install the connector](../app-proxy/application-proxy-add-on-premises-application.md). Then, publish your on-premises application for remote access. When you're publishing the app, make note of the external URL because it's used to add the app to Teams.
-If you already have your apps published but don't remember their external URLs, look them up in the [Microsoft Entra admin center](https://portal.azure.com). Sign in, then navigate to **Azure Active Directory** > **Enterprise applications** > **All applications** > select your app > **Application proxy**.
+If you already have your apps published but don't remember their external URLs, look them up in the [Microsoft Entra admin center](https://portal.azure.com). Sign in, then navigate to **Microsoft Entra ID** > **Enterprise applications** > **All applications** > select your app > **Application proxy**.
## Add your app to Teams
active-directory Application Proxy Integrate With Traffic Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-integrate-with-traffic-manager.md
# Add your own Traffic Manager to Application Proxy
-This article explains how to configure Azure Active Directory (Azure AD) Application Proxy to work with Traffic Manager. With the Application Proxy geo-routing feature, you can optimize which region of the Application Proxy service your connector groups use. You can now combine this functionality with a Traffic Manager solution of your choice. This combination enables a fully dynamic geo-aware solution based on your user location. It unlocks the rich rule set of your preferred Traffic Manager to prioritize how traffic is routed to your apps protected by Application Proxy. With this combination, users can use a single URL to access the instance of the app closest to them.
+This article explains how to configure Microsoft Entra application proxy to work with Traffic Manager. With the Application Proxy geo-routing feature, you can optimize which region of the Application Proxy service your connector groups use. You can now combine this functionality with a Traffic Manager solution of your choice. This combination enables a fully dynamic geo-aware solution based on your user location. It unlocks the rich rule set of your preferred Traffic Manager to prioritize how traffic is routed to your apps protected by Application Proxy. With this combination, users can use a single URL to access the instance of the app closest to them.
:::image type="content" source="./media/application-proxy-integrate-with-traffic-manager/application-proxy-integrate-with-traffic-manager-diagram.png" alt-text="Diagram showing how Traffic Manager is integrated with Application Proxy.":::
active-directory Application Proxy Network Topology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-network-topology.md
Title: Network topology considerations for Azure Active Directory Application Proxy
-description: Covers network topology considerations when using Azure Active Directory Application Proxy.
+ Title: Network topology considerations for Microsoft Entra application proxy
+description: Covers network topology considerations when using Microsoft Entra application proxy.
-# Optimize traffic flow with Azure Active Directory Application Proxy
+# Optimize traffic flow with Microsoft Entra application proxy
-This article explains how to optimize traffic flow and network topology considerations when using Azure Active Directory (Azure AD) Application Proxy for publishing and accessing your applications remotely.
+This article explains how to optimize traffic flow and network topology considerations when using Microsoft Entra application proxy for publishing and accessing your applications remotely.
## Traffic flow
-When an application is published through Azure AD Application Proxy, traffic from the users to the applications flows through three connections:
+When an application is published through Microsoft Entra application proxy, traffic from the users to the applications flows through three connections:
-1. The user connects to the Azure AD Application Proxy service public endpoint on Azure
+1. The user connects to the Microsoft Entra application proxy service public endpoint on Azure
1. The Application Proxy connector connects to the Application Proxy service (outbound) 1. The Application Proxy connector connects to the target application
When an application is published through Azure AD Application Proxy, traffic fro
## Optimize connector groups to use closest Application Proxy cloud service
-When you sign up for an Azure AD tenant, the region of your tenant is determined by the country/region you specify. When you enable Application Proxy, the **default** Application Proxy cloud service instances for your tenant are chosen in the same region as your Azure AD tenant, or the closest region to it.
+When you sign up for a Microsoft Entra tenant, the region of your tenant is determined by the country/region you specify. When you enable Application Proxy, the **default** Application Proxy cloud service instances for your tenant are chosen in the same region as your Microsoft Entra tenant, or the closest region to it.
-For example, if your Azure AD tenant's country or region is the United Kingdom, all your Application Proxy connectors at **default** will be assigned to use service instances in European data centers. When your users access published applications, their traffic goes through the Application Proxy cloud service instances in this location.
+For example, if your Microsoft Entra tenant's country or region is the United Kingdom, all your Application Proxy connectors at **default** will be assigned to use service instances in European data centers. When your users access published applications, their traffic goes through the Application Proxy cloud service instances in this location.
If you have connectors installed in regions different from your default region, it may be beneficial to change which region your connector group is optimized for to improve performance accessing these applications. Once a region is specified for a connector group it will connect to Application Proxy cloud services in the designated region.
In order to optimize the traffic flow and reduce latency to a connector group as
All proxy solutions introduce latency into your network connection. No matter which proxy or VPN solution you choose as your remote access solution, it always includes a set of servers enabling the connection to inside your corporate network.
-Organizations typically include server endpoints in their perimeter network. With Azure AD Application Proxy, however, traffic flows through the proxy service in the cloud while the connectors reside on your corporate network. No perimeter network is required.
+Organizations typically include server endpoints in their perimeter network. With Microsoft Entra application proxy, however, traffic flows through the proxy service in the cloud while the connectors reside on your corporate network. No perimeter network is required.
The next sections contain additional suggestions to help you reduce latency even further.
If you have ExpressRoute set up with Microsoft peering, you can use the faster E
If you have a dedicated VPN or ExpressRoute set up with private peering between Azure and your corporate network, you have another option. In this configuration, the virtual network in Azure is typically considered as an extension of the corporate network. So you can install the connector in the Azure datacenter, and still satisfy the low latency requirements of the connector-to-app connection.
-Latency is not compromised because traffic is flowing over a dedicated connection. You also get improved Application Proxy service-to-connector latency because the connector is installed in an Azure datacenter close to your Azure AD tenant location.
+Latency is not compromised because traffic is flowing over a dedicated connection. You also get improved Application Proxy service-to-connector latency because the connector is installed in an Azure datacenter close to your Microsoft Entra tenant location.
:::image type="content" source="./media/application-proxy-network-topology/application-proxy-expressroute-private.png" alt-text="Diagram showing connector installed within an Azure datacenter" lightbox="./media/application-proxy-network-topology/application-proxy-expressroute-private.png":::
Latency is not compromised because traffic is flowing over a dedicated connectio
Although the focus of this article is connector placement, you can also change the placement of the application to get better latency characteristics.
-Increasingly, organizations are moving their networks into hosted environments. This enables them to place their apps in a hosted environment that is also part of their corporate network, and still be within the domain. In this case, the patterns discussed in the preceding sections can be applied to the new application location. If you're considering this option, see [Azure AD Domain Services](../../active-directory-domain-services/overview.md).
+Increasingly, organizations are moving their networks into hosted environments. This enables them to place their apps in a hosted environment that is also part of their corporate network, and still be within the domain. In this case, the patterns discussed in the preceding sections can be applied to the new application location. If you're considering this option, see [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md).
Additionally, consider organizing your connectors using [connector groups](application-proxy-connector-groups.md) to target apps that are in different locations and networks. ## Common use cases
-In this section, we walk through a few common scenarios. Assume that the Azure AD tenant (and therefore proxy service endpoint) is located in the United States (US). The considerations discussed in these use cases also apply to other regions around the globe.
+In this section, we walk through a few common scenarios. Assume that the Microsoft Entra tenant (and therefore proxy service endpoint) is located in the United States (US). The considerations discussed in these use cases also apply to other regions around the globe.
For these scenarios, we call each connection a "hop" and number them for easier discussion:
active-directory Application Proxy Page Appearance Broken Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-appearance-broken-problem.md
Title: App page doesn't display correctly for Application Proxy app
-description: Guidance when the page isnΓÇÖt displaying correctly in an Application Proxy Application you have integrated with Azure Active Directory
+description: Guidance when the page isnΓÇÖt displaying correctly in an Application Proxy Application you have integrated with Microsoft Entra ID
# Application page does not display correctly for an Application Proxy application
-This article helps you troubleshoot issues with Azure Active Directory Application Proxy applications when you navigate to the page, but something on the page doesn't look correct.
+This article helps you troubleshoot issues with Microsoft Entra application proxy applications when you navigate to the page, but something on the page doesn't look correct.
## Overview When you publish an Application Proxy app, only pages under your root are accessible when accessing the application. If the page isnΓÇÖt displaying correctly, the root internal URL used for the application may be missing some page resources. To resolve, make sure you have published *all* the resources for the page as part of your application.
If it is not possible to publish all resources within the same application, you
To do so, we recommend using the [custom domains](application-proxy-configure-custom-domain.md) solution. However, this solution requires that you own the certificate for your domain and your applications use fully qualified domain names (FQDNs). For other options, see the [troubleshoot broken links documentation](application-proxy-page-links-broken-problem.md). ## Next steps
-[Publish applications using Azure AD Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md)
+[Publish applications using Microsoft Entra application proxy](../app-proxy/application-proxy-add-on-premises-application.md)
active-directory Application Proxy Page Links Broken Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-links-broken-problem.md
Title: Links on the page don't work for an Azure Active Directory Application Proxy application
-description: How to troubleshoot issues with broken links on Application Proxy applications you have integrated with Azure Active Directory
+ Title: Links on the page don't work for a Microsoft Entra application proxy application
+description: How to troubleshoot issues with broken links on Application Proxy applications you have integrated with Microsoft Entra ID
# Links on the page don't work for an Application Proxy application
-This article helps you troubleshoot why links on your Azure Active Directory Application Proxy application don't work correctly.
+This article helps you troubleshoot why links on your Microsoft Entra application proxy application don't work correctly.
## Overview After publishing an Application Proxy app, the only links that work by default in the application are links to destinations contained within the published root URL. The links within the applications arenΓÇÖt working, the internal URL for the application probably does not include all the destinations of links within the application.
There are three ways to resolve this issue. The choices below are in listed in i
1. Make sure the internal URL is a root that contains all the relevant links for the application. This allows all links to be resolved as content published within the same application.
- If you change the internal URL but donΓÇÖt want to change the landing page for users, change the Home page URL to the previously published internal URL. This can be done by going to ΓÇ£Azure Active DirectoryΓÇ¥ -&gt; App Registrations -&gt; select the application -&gt; Branding. In the branding section, you see the field ΓÇ£Home Page URLΓÇ¥, which you can adjust to be the desired landing page. If you are still using the legacy App registrations experience the properties tab would show the "Home Page URL" details.
+ If you change the internal URL but donΓÇÖt want to change the landing page for users, change the Home page URL to the previously published internal URL. This can be done by going to ΓÇ£Microsoft Entra IDΓÇ¥ -&gt; App Registrations -&gt; select the application -&gt; Branding. In the branding section, you see the field ΓÇ£Home Page URLΓÇ¥, which you can adjust to be the desired landing page. If you are still using the legacy App registrations experience the properties tab would show the "Home Page URL" details.
> [!IMPORTANT]
- > In order to make the above changes you require rights to modify application objects in Azure AD.The user needs to be assigned [Application Administrator](../roles/delegate-app-roles.md#assign-built-in-application-admin-roles) role which grants application modificaion rights in Azure AD to the user.
+ > In order to make the above changes you require rights to modify application objects in Azure AD.The user needs to be assigned [Application Administrator](../roles/delegate-app-roles.md#assign-built-in-application-admin-roles) role which grants application modificaion rights in Microsoft Entra ID to the user.
> 2. If your applications use fully qualified domain names (FQDNs), use [custom domains](application-proxy-configure-custom-domain.md) to publish your applications. This feature allows the same URL to be used both internally and externally. This option ensures that the links in your application are externally accessible through Application Proxy since the links within the application to internal URLs are also recognized externally. All links still need to belong to a published application. However, with this option the links do not need to belong to the same application and can belong to multiple applications.
-3. If neither of these options are feasible, there are multiple options for enabling inline link translation. These options include using the Intune Managed Browser, My Apps extension, or using the link translation setting on your application. To learn more about each of these options and how to enable them, see [Redirect hardcoded links for apps published with Azure AD Application Proxy](application-proxy-configure-hard-coded-link-translation.md).
+3. If neither of these options are feasible, there are multiple options for enabling inline link translation. These options include using the Intune Managed Browser, My Apps extension, or using the link translation setting on your application. To learn more about each of these options and how to enable them, see [Redirect hardcoded links for apps published with Microsoft Entra application proxy](application-proxy-configure-hard-coded-link-translation.md).
## Next steps [Work with existing on-premises proxy servers](application-proxy-configure-connectors-with-proxy-servers.md)-
active-directory Application Proxy Page Load Speed Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-load-speed-problem.md
Title: An Azure Active Directory Application Proxy application takes too long to load
-description: Troubleshoot page load performance issues with Azure Active Directory Application Proxy
+ Title: A Microsoft Entra application proxy application takes too long to load
+description: Troubleshoot page load performance issues with Microsoft Entra application proxy
# An Application Proxy application takes too long to load
-This article helps you to understand why an Azure AD Application Proxy application may take a long time to load. It also explains what you can do to resolve this issue.
+This article helps you to understand why a Microsoft Entra application proxy application may take a long time to load. It also explains what you can do to resolve this issue.
## Overview Although your applications are working, they can experience a long latency. There might be network topology tweaks that you can make to improve speed. For an evaluation of different topologies, see the [network considerations document](application-proxy-network-topology.md).
active-directory Application Proxy Ping Access Publishing Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md
Title: Header-based authentication with PingAccess for Azure Active Directory Application Proxy
+ Title: Header-based authentication with PingAccess for Microsoft Entra application proxy
description: Publish applications with PingAccess and App Proxy to support header-based authentication.
# Header-based authentication for single sign-on with Application Proxy and PingAccess
-Azure Active Directory (Azure AD) Application Proxy has partnered with PingAccess so that your Azure AD customers can access more of your applications. PingAccess provides another option beyond integrated [header-based single sign-on](application-proxy-configure-single-sign-on-with-headers.md).
+Microsoft Entra application proxy has partnered with PingAccess so that your Microsoft Entra customers can access more of your applications. PingAccess provides another option beyond integrated [header-based single sign-on](application-proxy-configure-single-sign-on-with-headers.md).
-## What's PingAccess for Azure AD?
+<a name='whats-pingaccess-for-azure-ad'></a>
-With PingAccess for Azure AD, you can give users access and single sign-on (SSO) to applications that use headers for authentication. Application Proxy treats these applications like any other, using Azure AD to authenticate access and then passing traffic through the connector service. PingAccess sits in front of the applications and translates the access token from Azure AD into a header. The application then receives the authentication in the format it can read.
+## What's PingAccess for Microsoft Entra ID?
+
+With PingAccess for Microsoft Entra ID, you can give users access and single sign-on (SSO) to applications that use headers for authentication. Application Proxy treats these applications like any other, using Microsoft Entra ID to authenticate access and then passing traffic through the connector service. PingAccess sits in front of the applications and translates the access token from Microsoft Entra ID into a header. The application then receives the authentication in the format it can read.
Your users won't notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so they'll still balance loads automatically. ## How do I get access?
-Since this scenario comes from a partnership between Azure Active Directory and PingAccess, you need licenses for both services. However, Azure Active Directory Premium subscriptions include a basic PingAccess license that covers up to 20 applications. If you need to publish more than 20 header-based applications, you can purchase an additional license from PingAccess.
+Since this scenario comes from a partnership between Microsoft Entra ID and PingAccess, you need licenses for both services. However, Microsoft Entra ID P1 or P2 subscriptions include a basic PingAccess license that covers up to 20 applications. If you need to publish more than 20 header-based applications, you can purchase an additional license from PingAccess.
-For more information, see [Azure Active Directory editions](../fundamentals/whatis.md).
+For more information, see [Microsoft Entra editions](../fundamentals/whatis.md).
## Publish your application in Azure
-This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If you've already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section.
+This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If you've already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Microsoft Entra ID with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section.
> [!NOTE]
-> Since this scenario is a partnership between Azure AD and PingAccess, some of the instructions exist on the Ping Identity site.
+> Since this scenario is a partnership between Microsoft Entra ID and PingAccess, some of the instructions exist on the Ping Identity site.
### Install an Application Proxy connector [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-If you've enabled Application Proxy and installed a connector already, you can skip this section and go to [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy).
+If you've enabled Application Proxy and installed a connector already, you can skip this section and go to [Add your application to Microsoft Entra ID with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy).
-The Application Proxy connector is a Windows Server service that directs the traffic from your remote employees to your published applications. For more detailed installation instructions, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).
+The Application Proxy connector is a Windows Server service that directs the traffic from your remote employees to your published applications. For more detailed installation instructions, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**.
The Application Proxy connector is a Windows Server service that directs the tra
Downloading the connector should automatically enable Application Proxy for your directory, but if not, you can select **Enable Application Proxy**.
-### Add your application to Azure AD with Application Proxy
+<a name='add-your-application-to-azure-ad-with-application-proxy'></a>
+
+### Add your application to Microsoft Entra ID with Application Proxy
There are two actions you need to take in the Microsoft Entra admin center. First, you need to publish your application with Application Proxy. Then, you need to collect some information about the application that you can use during the PingAccess steps.
There are two actions you need to take in the Microsoft Entra admin center. Firs
You'll first have to publish your application. This action involves: -- Adding your on-premises application to Azure AD
+- Adding your on-premises application to Microsoft Entra ID
- Assigning a user for testing the application and choosing header-based SSO - Setting up the application's redirect URL - Granting permissions for users and other applications to use your on-premises application
To publish your own on-premises application:
1. Fill out the required fields with information about your new application. Use the guidance below for the settings. > [!NOTE]
- > For a more detailed walkthrough of this step, see [Add an on-premises app to Azure AD](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
+ > For a more detailed walkthrough of this step, see [Add an on-premises app to Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad).
1. **Internal URL**: Normally you provide the URL that takes you to the app's sign-in page when you're on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess. > [!WARNING] > For this type of single sign-on, the internal URL must use `https` and can't use `http`. Also, there is a constraint when configuring an application that no two apps should have the same internal URL as this allows App Proxy to maintain distinction between applications.
- 1. **Pre-authentication method**: Choose **Azure Active Directory**.
+ 1. **Pre-authentication method**: Choose **Microsoft Entra ID**.
1. **Translate URL in Headers**: Choose **No**. > [!NOTE]
Then make sure your redirect URL is set to your external URL:
1. Select the link next to **Redirect URIs**, showing the number of redirect URIs set up for web and public clients. The **\<application name> - Authentication** page appears. 1. Check whether the external URL that you assigned to your application earlier is in the **Redirect URIs** list. If it isn't, add the external URL now, using a redirect URI type of **Web**, and select **Save**.
-In addition to the external URL, an authorize endpoint of Azure Active Directory on the external URL should be added to the Redirect URIs list.
+In addition to the external URL, an authorize endpoint of Microsoft Entra ID on the external URL should be added to the Redirect URIs list.
`https://*.msappproxy.net/pa/oidc/cb` `https://*.msappproxy.net/`
Finally, set up your on-premises application so that users have read access and
You need to collect these three pieces of information (all GUIDs) to set up your application with PingAccess:
-| Name of Azure AD field | Name of PingAccess field | Data format |
+| Name of Microsoft Entra ID field | Name of PingAccess field | Data format |
| | | | | **Application (client) ID** | **Client ID** | GUID | | **Directory (tenant) ID** | **Issuer** | GUID |
To collect this information:
### Use of optional claims (optional) Optional claims allows you to add standard-but-not-included-by-default claims that every user and tenant has.
-You can configure optional claims for your application by modifying the application manifest. For more info, see the [Understanding the Azure AD application manifest article](../develop/reference-app-manifest.md)
+You can configure optional claims for your application by modifying the application manifest. For more info, see the [Understanding the Microsoft Entra application manifest article](../develop/reference-app-manifest.md)
Example to include email address into the access_token that PingAccess will consume:
Example to include email address into the access_token that PingAccess will cons
### Use of claims mapping policy (optional)
-[Claims Mapping Policy (preview)](../develop/reference-claims-mapping-policy-type.md#claims-mapping-policy-properties) for attributes which do not exist in AzureAD. Claims mapping allows you to migrate old on-prem apps to the cloud by adding additional custom claims that are backed by your ADFS or user objects
+[Claims Mapping Policy (preview)](../develop/reference-claims-mapping-policy-type.md#claims-mapping-policy-properties) for attributes which do not exist in Microsoft Entra ID. Claims mapping allows you to migrate old on-prem apps to the cloud by adding additional custom claims that are backed by your ADFS or user objects
To make your application use a custom claim and include additional fields, be sure you've also [created a custom claims mapping policy and assigned it to the application](../develop/saml-claims-customization.md).
When you will configure PingAccess in the following step, the Web Session you wi
## Download PingAccess and configure your application
-Now that you've completed all the Azure Active Directory setup steps, you can move on to configuring PingAccess.
+Now that you've completed all the Microsoft Entra setup steps, you can move on to configuring PingAccess.
-The detailed steps for the PingAccess part of this scenario continue in the Ping Identity documentation. Follow the instructions in [Configuring PingAccess for Azure AD](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configuring_apps_for_azure) on the Ping Identity web site and download the [latest version of PingAccess](https://www.pingidentity.com/en/lp/azure-download.html).
+The detailed steps for the PingAccess part of this scenario continue in the Ping Identity documentation. Follow the instructions in [Configuring PingAccess for Microsoft Entra ID](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configuring_apps_for_azure) on the Ping Identity web site and download the [latest version of PingAccess](https://www.pingidentity.com/en/lp/azure-download.html).
-Those steps help you install PingAccess and set up a PingAccess account (if you don't already have one). Then, to create an Azure AD OpenID Connect (OIDC) connection, you set up a token provider with the **Directory (tenant) ID** value that you copied from the Microsoft Entra admin center. Next, to create a web session on PingAccess, you use the **Application (client) ID** and `PingAccess key` values. After that, you can set up identity mapping and create a virtual host, site, and application.
+Those steps help you install PingAccess and set up a PingAccess account (if you don't already have one). Then, to create a Microsoft Entra ID OpenID Connect (OIDC) connection, you set up a token provider with the **Directory (tenant) ID** value that you copied from the Microsoft Entra admin center. Next, to create a web session on PingAccess, you use the **Application (client) ID** and `PingAccess key` values. After that, you can set up identity mapping and create a virtual host, site, and application.
### Test your application
When you've completed all these steps, your application should be up and running
## Next steps -- [Configuring PingAccess to use Azure AD as the token provider](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configure_pa_to_use_azure_ad_as_the_token_provider)-- [Single sign-on to applications in Azure Active Directory](../manage-apps/what-is-single-sign-on.md)
+- [Configuring PingAccess to use Microsoft Entra ID as the token provider](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configure_pa_to_use_azure_ad_as_the_token_provider)
+- [Single sign-on to applications in Microsoft Entra ID](../manage-apps/what-is-single-sign-on.md)
- [Troubleshoot Application Proxy problems and error messages](application-proxy-troubleshoot.md)
active-directory Application Proxy Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-powershell-samples.md
Title: PowerShell samples for Azure Active Directory Application Proxy
-description: Use these PowerShell samples for Azure Active Directory Application Proxy to get information about Application Proxy apps and connectors in your directory, assign users and groups to apps, and get certificate information.
+ Title: PowerShell samples for Microsoft Entra application proxy
+description: Use these PowerShell samples for Microsoft Entra application proxy to get information about Application Proxy apps and connectors in your directory, assign users and groups to apps, and get certificate information.
-# Azure Active Directory Application Proxy PowerShell examples
+# Microsoft Entra application proxy PowerShell examples
-The following table includes links to PowerShell script examples for Azure AD Application Proxy. These samples require either the [AzureAD V2 PowerShell for Graph module](/powershell/azure/active-directory/install-adv2) or the [AzureAD V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true), unless otherwise noted.
+The following table includes links to PowerShell script examples for Microsoft Entra application proxy. These samples require either the [Microsoft Entra V2 PowerShell for Graph module](/powershell/azure/active-directory/install-adv2) or the [Microsoft Entra V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true), unless otherwise noted.
For more information about the cmdlets used in these samples, see [Application Proxy Application Management](/powershell/module/azuread/#application_proxy_application_management) and [Application Proxy Connector Management](/powershell/module/azuread/#application_proxy_connector_management).
For more information about the cmdlets used in these samples, see [Application P
| [List basic information for all Application Proxy apps](scripts/powershell-get-all-app-proxy-apps-basic.md) | Lists basic information (AppId, DisplayName, ObjId) about all the Application Proxy apps in your directory. | | [List extended information for all Application Proxy apps](scripts/powershell-get-all-app-proxy-apps-extended.md) | Lists extended information (AppId, DisplayName, ExternalUrl, InternalUrl, ExternalAuthenticationType) about all the Application Proxy apps in your directory. | | [List all Application Proxy apps by connector group](scripts/powershell-get-all-app-proxy-apps-by-connector-group.md) | Lists information about all the Application Proxy apps in your directory and which connector groups the apps are assigned to. |
-| [Get all Application Proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all Application Proxy apps in your directory with a token lifetime policy and its details. This sample requires the [AzureAD V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true). |
+| [Get all Application Proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all Application Proxy apps in your directory with a token lifetime policy and its details. This sample requires the [Microsoft Entra V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true). |
|**Connector groups**|| | [Get all connector groups and connectors in the directory](scripts/powershell-get-all-connectors.md) | Lists all the connector groups and connectors in your directory. | | [Move all apps assigned to a connector group to another connector group](scripts/powershell-move-all-apps-to-connector-group.md) | Moves all applications currently assigned to a connector group to a different connector group. |
For more information about the cmdlets used in these samples, see [Application P
| [Get all Application Proxy apps using wildcard publishing](scripts/powershell-get-all-wildcard-apps.md) | Lists all Application Proxy apps using wildcard publishing. | |**Custom Domain configuration**|| | [Get all Application Proxy apps using custom domains and certificate information](scripts/powershell-get-all-custom-domains-and-certs.md) | Lists all Application Proxy apps that are using custom domains and the certificate information associated with the custom domains. |
-| [Get all Azure AD Proxy application apps published with no certificate uploaded](scripts/powershell-get-all-custom-domain-no-cert.md) | Lists all Application Proxy apps that are using custom domains but don't have a valid TLS/SSL certificate uploaded. |
-| [Get all Azure AD Proxy application apps published with the identical certificate](scripts/powershell-get-custom-domain-identical-cert.md) | Lists all the Azure AD Proxy application apps published with the identical certificate. |
-| [Get all Azure AD Proxy application apps published with the identical certificate and replace it](scripts/powershell-get-custom-domain-replace-cert.md) | For Azure AD Proxy application apps that are published with an identical certificate, allows you to replace the certificate in bulk. |
+| [Get all Microsoft Entra ID Proxy application apps published with no certificate uploaded](scripts/powershell-get-all-custom-domain-no-cert.md) | Lists all Application Proxy apps that are using custom domains but don't have a valid TLS/SSL certificate uploaded. |
+| [Get all Microsoft Entra ID Proxy application apps published with the identical certificate](scripts/powershell-get-custom-domain-identical-cert.md) | Lists all the Microsoft Entra ID Proxy application apps published with the identical certificate. |
+| [Get all Microsoft Entra ID Proxy application apps published with the identical certificate and replace it](scripts/powershell-get-custom-domain-replace-cert.md) | For Microsoft Entra ID Proxy application apps that are published with an identical certificate, allows you to replace the certificate in bulk. |
active-directory Application Proxy Qlik https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-qlik.md
Title: Azure Active Directory Application Proxy and Qlik Sense
-description: Integrate Azure Active Directory Application Proxy with Qlik Sense.
+ Title: Microsoft Entra application proxy and Qlik Sense
+description: Integrate Microsoft Entra application proxy with Qlik Sense.
Last updated 09/14/2023
-# Azure Active Directory Application Proxy and Qlik Sense
-Azure Active Directory Application Proxy and Qlik Sense have partnered together to ensure you are easily able to use Application Proxy to provide remote access for your Qlik Sense deployment.
+# Microsoft Entra application proxy and Qlik Sense
+Microsoft Entra application proxy and Qlik Sense have partnered together to ensure you are easily able to use Application Proxy to provide remote access for your Qlik Sense deployment.
## Prerequisites The remainder of this scenario assumes you done the following:
To publish QlikSense, you will need to publish two applications in Azure.
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Follow these steps to publish your app. For a more detailed walkthrough of steps 1-8, see [Publish applications using Azure AD Application Proxy](../app-proxy/application-proxy-add-on-premises-application.md).
+Follow these steps to publish your app. For a more detailed walkthrough of steps 1-8, see [Publish applications using Microsoft Entra application proxy](../app-proxy/application-proxy-add-on-premises-application.md).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
Follow these steps to publish your app. For a more detailed walkthrough of steps
4. Select **On-premises application**. 5. Fill out the required fields with information about your new app. Use the following guidance for the settings: - **Internal URL**: This application should have an internal URL that is the QlikSense URL itself. For example, **https&#58;//demo.qlikemm.com:4244**
- - **Pre-authentication method**: Azure Active Directory (Recommended but not required)
+ - **Pre-authentication method**: Microsoft Entra ID (Recommended but not required)
1. Select **Add** at the bottom of the blade. Your application is added, and the quick start menu opens. 2. In the quick start menu, select **Assign a user for testing**, and add at least one user to the application. Make sure this test account has access to the on-premises application. 3. Select **Assign** to save the test user assignment.
Your application is now ready to test. Access the external URL you used to publi
## Additional references For more information about publishing Qlik Sense with Application Proxy, refer to following the Qlik Community Articles: -- [Azure AD with integrated Windows authentication using a Kerberos Constrained Delegation with Qlik Sense](https://community.qlik.com/docs/DOC-20183)-- [Qlik Sense integration with Azure AD Application Proxy](https://community.qlik.com/t5/Technology-Partners-Ecosystem/Azure-AD-Application-Proxy/ta-p/1528396)
+- [Microsoft Entra ID with integrated Windows authentication using a Kerberos Constrained Delegation with Qlik Sense](https://community.qlik.com/docs/DOC-20183)
+- [Qlik Sense integration with Microsoft Entra application proxy](https://community.qlik.com/t5/Technology-Partners-Ecosystem/Azure-AD-Application-Proxy/ta-p/1528396)
## Next steps
active-directory Application Proxy Register Connector Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-register-connector-powershell.md
Title: Silent install Azure Active Directory Application Proxy connector
-description: Covers how to perform an unattended installation of Azure Active Directory Application Proxy Connector to provide secure remote access to your on-premises apps.
+ Title: Silent install Microsoft Entra application proxy connector
+description: Covers how to perform an unattended installation of Microsoft Entra application proxy Connector to provide secure remote access to your on-premises apps.
-# Create an unattended installation script for the Azure Active Directory Application Proxy connector
+# Create an unattended installation script for the Microsoft Entra application proxy connector
-This topic helps you create a Windows PowerShell script that enables unattended installation and registration for your Azure AD Application Proxy connector.
+This topic helps you create a Windows PowerShell script that enables unattended installation and registration for your Microsoft Entra application proxy connector.
This capability is useful when you want to:
This capability is useful when you want to:
* Integrate the connector installation and registration as part of another procedure. * Create a standard server image that contains the connector bits but is not registered.
-For the [Application Proxy connector](application-proxy-connectors.md) to work, it has to be registered with your Azure AD directory using an application administrator and password. Ordinarily this information is entered during Connector installation in a pop-up dialog box, but you can use PowerShell to automate this process instead.
+For the [Application Proxy connector](application-proxy-connectors.md) to work, it has to be registered with your Microsoft Entra directory using an application administrator and password. Ordinarily this information is entered during Connector installation in a pop-up dialog box, but you can use PowerShell to automate this process instead.
-There are two steps for an unattended installation. First, install the connector. Second, register the connector with Azure AD.
+There are two steps for an unattended installation. First, install the connector. Second, register the connector with Microsoft Entra ID.
> [!IMPORTANT] > If you are installing the connector for Azure Government cloud review the [pre-requisites](../hybrid/connect/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/connect/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud). This requires enabling access to a different set of URLs and an additional parameter to run the installation.
Use the following steps to install the connector without registering it:
AADApplicationProxyConnectorInstaller.exe REGISTERCONNECTOR="false" /q ```
-## Register the connector with Azure AD
+<a name='register-the-connector-with-azure-ad'></a>
+
+## Register the connector with Microsoft Entra ID
There are two methods you can use to register the connector: * Register the connector using a Windows PowerShell credential object
There are two methods you can use to register the connector:
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force $cred = New-Object ΓÇôTypeName System.Management.Automation.PSCredential ΓÇôArgumentList $User, $SecurePassword ```
-2. Go to **C:\Program Files\Microsoft AAD App Proxy Connector** and run the following script using the `$cred` object that you created:
+2. Go to **C:\Program Files\Microsoft Azure AD App Proxy Connector** and run the following script using the `$cred` object that you created:
```powershell .\RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft AAD App Proxy Connector\Modules\" -moduleName "AppProxyPSModule" -Authenticationmode Credentials -Usercredentials $cred -Feature ApplicationProxy -TenantId $TenantId
active-directory Application Proxy Release Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-release-version-history.md
Title: 'Azure Active Directory Application Proxy: Version release history'
-description: This article lists all releases of Azure Active Directory Application Proxy and describes new features and fixed issues.
+ Title: 'Microsoft Entra application proxy: Version release history'
+description: This article lists all releases of Microsoft Entra application proxy and describes new features and fixed issues.
-# Azure AD Application Proxy: Version release history
-This article lists the versions and features of Azure Active Directory (Azure AD) Application Proxy that have been released. The Azure AD team regularly updates Application Proxy with new features and functionality. Application Proxy connectors are [updated automatically when a new major version is released](application-proxy-faq.yml#why-is-my-connector-still-using-an-older-version-and-not-auto-upgraded-to-latest-version-).
+# Microsoft Entra application proxy: Version release history
+This article lists the versions and features of Microsoft Entra application proxy that have been released. The Microsoft Entra ID team regularly updates Application Proxy with new features and functionality. Application Proxy connectors are [updated automatically when a new major version is released](application-proxy-faq.yml#why-is-my-connector-still-using-an-older-version-and-not-auto-upgraded-to-latest-version-).
We recommend making sure that auto-updates are enabled for your connectors to ensure you have the latest features and bug fixes. Microsoft Support might ask you to install the latest connector version to resolve a problem.
Here is a list of related resources:
| Resource | Details | | | | | How to enable Application Proxy | Pre-requisites for enabling Application Proxy and installing and registering a connector are described in this [tutorial](application-proxy-add-on-premises-application.md). |
-| Understand Azure AD Application Proxy connectors | Find out more about [connector management](application-proxy-connectors.md) and how connectors [auto-upgrade](application-proxy-connectors.md#automatic-updates). |
-| Azure AD Application Proxy Connector Download | [Download the latest connector](https://download.msappproxy.net/subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/connector/download). |
+| Understand Microsoft Entra application proxy connectors | Find out more about [connector management](application-proxy-connectors.md) and how connectors [auto-upgrade](application-proxy-connectors.md#automatic-updates). |
+| Microsoft Entra application proxy Connector Download | [Download the latest connector](https://download.msappproxy.net/subscription/d3c8b69d-6bf7-42be-a529-3fe9c2e70c90/connector/download). |
## 1.5.3437.0
June 20, 2023: Released for download. This version is only available for install
- Updated ΓÇ£Third-Party NoticesΓÇ¥. ### Fixed issues-- Silent registration of connector with credentials. See [Create an unattended installation script for the Azure Active Directory Application Proxy connector](application-proxy-register-connector-powershell.md) for more details.
+- Silent registration of connector with credentials. See [Create an unattended installation script for the Microsoft Entra application proxy connector](application-proxy-register-connector-powershell.md) for more details.
- Fixed dropping of ΓÇ£SecureΓÇ¥ and ΓÇ£HttpOnlyΓÇ¥ attributes on the cookies passed by backend servers when there are trailing spaces in these attributes. - Fixed services crash when back-end server of an application sets "Set-Cookie" header with empty value.
This version is only available for install via the download page.
### New features and improvements - Improved support for Azure Government cloud environments. For steps on how to properly install the connector for Azure Government cloud review the [pre-requisites](../hybrid/connect/reference-connect-government-cloud.md#allow-access-to-urls) and [installation steps](../hybrid/connect/reference-connect-government-cloud.md#install-the-agent-for-the-azure-government-cloud).-- Support for using the Remote Desktop Services web client with Application Proxy. See [Publish Remote Desktop with Azure AD Application Proxy](application-proxy-integrate-with-remote-desktop-services.md) for more details.
+- Support for using the Remote Desktop Services web client with Application Proxy. See [Publish Remote Desktop with Microsoft Entra application proxy](application-proxy-integrate-with-remote-desktop-services.md) for more details.
- Improved websocket extension negotiations. -- Support for optimized routing between connector groups and Application Proxy cloud services based on region. See [Optimize traffic flow with Azure Active Directory Application Proxy](application-proxy-network-topology.md) for more details.
+- Support for optimized routing between connector groups and Application Proxy cloud services based on region. See [Optimize traffic flow with Microsoft Entra application proxy](application-proxy-network-topology.md) for more details.
### Fixed issues - Fixed a websocket issue that forced lowercase strings.
April 15, 2017: Released for download
If you're using an Application Proxy connector version earlier than 1.5.36.0, update to the latest version to ensure you have the latest fully supported features. ## Next steps-- Learn more about [Remote access to on-premises applications through Azure AD Application Proxy](application-proxy.md).
+- Learn more about [Remote access to on-premises applications through Microsoft Entra application proxy](application-proxy.md).
- To start using Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy](application-proxy-add-on-premises-application.md).
active-directory Application Proxy Remove Personal Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-remove-personal-data.md
Title: Remove personal data - Azure Active Directory Application Proxy
-description: Remove personal data from connectors installed on devices for Azure Active Directory Application Proxy.
+ Title: Remove personal data - Microsoft Entra application proxy
+description: Remove personal data from connectors installed on devices for Microsoft Entra application proxy.
-# Remove personal data for Azure Active Directory Application Proxy
+# Remove personal data for Microsoft Entra application proxy
-Azure Active Directory Application Proxy requires that you install connectors on your devices, which means that there might be personal data on your devices. This article provides steps for how to delete that personal data to improve privacy.
+Microsoft Entra application proxy requires that you install connectors on your devices, which means that there might be personal data on your devices. This article provides steps for how to delete that personal data to improve privacy.
## Where is the personal data?
To find personal data logged by an application that uses Kerberos Constrained De
To delete specific data:
-1. Restart the Microsoft Azure AD Application Proxy Connector service to generate a new log file. The new log file enables you to delete or modify the old log files.
+1. Restart the Microsoft Entra application proxy Connector service to generate a new log file. The new log file enables you to delete or modify the old log files.
1. Follow the [View or export specific data](#view-or-export-specific-data) process described previously to find information that needs to be deleted. Search all of the connector logs. 1. Either delete the relevant log files or selectively delete the fields that contain personal data. You can also delete all old log files if you donΓÇÖt need them anymore.
One option to ensure the connector logs do not contain personal data is to turn
## Next steps
-For an overview of Application Proxy, see [How to provide secure remote access to on-premises applications](application-proxy.md).
+For an overview of Application Proxy, see [How to provide secure remote access to on-premises applications](application-proxy.md).
active-directory Application Proxy Secure Api Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-secure-api-access.md
Title: Access on-premises APIs with Azure Active Directory Application Proxy
-description: Azure Active Directory's Application Proxy lets native apps securely access APIs and business logic you host on-premises or on cloud VMs.
+ Title: Access on-premises APIs with Microsoft Entra application proxy
+description: Microsoft Entra application proxy lets native apps securely access APIs and business logic you host on-premises or on cloud VMs.
-# Secure access to on-premises APIs with Azure Active Directory Application Proxy
+# Secure access to on-premises APIs with Microsoft Entra application proxy
-You may have business logic APIs running on-premises, or hosted on virtual machines in the cloud. Your native Android, iOS, Mac, or Windows apps need to interact with the API endpoints to use data or provide user interaction. Azure AD Application Proxy and the [Microsoft Authentication Library (MSAL)](../develop/reference-v2-libraries.md) let your native apps securely access your on-premises APIs. Azure Active Directory Application Proxy is a faster and more secure solution than opening firewall ports and controlling authentication and authorization at the app layer.
+You may have business logic APIs running on-premises, or hosted on virtual machines in the cloud. Your native Android, iOS, Mac, or Windows apps need to interact with the API endpoints to use data or provide user interaction. Microsoft Entra application proxy and the [Microsoft Authentication Library (MSAL)](../develop/reference-v2-libraries.md) let your native apps securely access your on-premises APIs. Microsoft Entra application proxy is a faster and more secure solution than opening firewall ports and controlling authentication and authorization at the app layer.
-This article walks you through setting up an Azure AD Application Proxy solution for hosting a web API service that native apps can access.
+This article walks you through setting up a Microsoft Entra application proxy solution for hosting a web API service that native apps can access.
## Overview
The following diagram shows a traditional way to publish on-premises APIs. This
![Traditional API access](./media/application-proxy-secure-api-access/overview-publish-api-open-ports.png)
-The following diagram shows how you can use Azure AD Application Proxy to securely publish APIs without opening any incoming ports:
+The following diagram shows how you can use Microsoft Entra application proxy to securely publish APIs without opening any incoming ports:
-![Azure AD Application Proxy API access](./media/application-proxy-secure-api-access/overview-publish-api-app-proxy.png)
+![Microsoft Entra application proxy API access](./media/application-proxy-secure-api-access/overview-publish-api-app-proxy.png)
-The Azure AD Application Proxy forms the backbone of the solution, working as a public endpoint for API access, and providing authentication and authorization. You can access your APIs from a vast array of platforms by using the [Microsoft Authentication Library (MSAL)](../develop/reference-v2-libraries.md) libraries.
+The Microsoft Entra application proxy forms the backbone of the solution, working as a public endpoint for API access, and providing authentication and authorization. You can access your APIs from a vast array of platforms by using the [Microsoft Authentication Library (MSAL)](../develop/reference-v2-libraries.md) libraries.
-Since Azure AD Application Proxy authentication and authorization are built on top of Azure AD, you can use Azure AD Conditional Access to ensure only trusted devices can access APIs published through Application Proxy. Use Azure AD Join or Azure AD Hybrid Joined for desktops, and Intune Managed for devices. You can also take advantage of Azure Active Directory Premium features like Azure AD Multi-Factor Authentication, and the machine learning-backed security of [Azure Identity Protection](../identity-protection/overview-identity-protection.md).
+Since Microsoft Entra application proxy authentication and authorization are built on top of Microsoft Entra ID, you can use Microsoft Entra Conditional Access to ensure only trusted devices can access APIs published through Application Proxy. Use Microsoft Entra join or Microsoft Entra hybrid joined for desktops, and Intune Managed for devices. You can also take advantage of Microsoft Entra ID P1 or P2 features like Microsoft Entra multifactor authentication, and the machine learning-backed security of [Azure Identity Protection](../identity-protection/overview-identity-protection.md).
## Prerequisites
To follow this walkthrough, you need:
## Publish the API through Application Proxy
-To publish an API outside of your intranet through Application Proxy, you follow the same pattern as for publishing web apps. For more information, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md).
+To publish an API outside of your intranet through Application Proxy, you follow the same pattern as for publishing web apps. For more information, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](application-proxy-add-on-premises-application.md).
To publish the SecretAPI web API through Application Proxy:
To publish the SecretAPI web API through Application Proxy:
1. At the top of the **Enterprise applications - All applications** page, select **New application**.
-1. On the **Browse Azure AD Gallery** page, locate section **On-premises applications** and select **Add an on-premises application**. The **Add your own on-premises application** page appears.
+1. On the **Browse Microsoft Entra Gallery** page, locate section **On-premises applications** and select **Add an on-premises application**. The **Add your own on-premises application** page appears.
1. If you don't have an Application Proxy Connector installed, you'll be prompted to install it. Select **Download Application Proxy Connector** to download and install the connector.
To publish the SecretAPI web API through Application Proxy:
1. Next to **Internal Url**, enter the URL you use to access the API from within your intranet.
- 1. Make sure **Pre-Authentication** is set to **Azure Active Directory**.
+ 1. Make sure **Pre-Authentication** is set to **Microsoft Entra ID**.
1. Select **Add** at the top of the page, and wait for the app to be created.
To publish the SecretAPI web API through Application Proxy:
![Not visible to users](./media/application-proxy-secure-api-access/5-not-visible-to-users.png)
-You've published your web API through Azure AD Application Proxy. Now, add users who can access the app.
+You've published your web API through Microsoft Entra application proxy. Now, add users who can access the app.
1. On the **SecretAPI - Overview** page, select **Users and groups** in the left navigation.
You've published your web API through Azure AD Application Proxy. Now, add users
## Register the native app and grant access to the API
-Native apps are programs developed to use on a particular platform or device. Before your native app can connect and access an API, you must register it in Azure AD. The following steps show how to register a native app and give it access to the web API you published through Application Proxy.
+Native apps are programs developed to use on a particular platform or device. Before your native app can connect and access an API, you must register it in Microsoft Entra ID. The following steps show how to register a native app and give it access to the web API you published through Application Proxy.
To register the AppProxyNativeAppSample native app: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
To register the AppProxyNativeAppSample native app:
![New application registration](./media/application-proxy-secure-api-access/8-create-reg-ga.png)
-You've now registered the AppProxyNativeAppSample app in Azure Active Directory. To give your native app access to the SecretAPI web API:
+You've now registered the AppProxyNativeAppSample app in Microsoft Entra ID. To give your native app access to the SecretAPI web API:
1. On the **App registrations** page, select the **AppProxyNativeAppSample** app.
To configure the native app code:
} ```
-To configure the native app to connect to Azure Active Directory and call the API App Proxy, update the placeholder values in the *App.config* file of the NativeClient sample app with values from Azure AD:
+To configure the native app to connect to Microsoft Entra ID and call the API App Proxy, update the placeholder values in the *App.config* file of the NativeClient sample app with values from Microsoft Entra ID:
1. Paste the **Directory (tenant) ID** in the `<add key="ida:Tenant" value="" />` field. You can find and copy this value (a GUID) from the **Overview** page of either of your apps.
After you configure the parameters, build and run the native app. When you selec
## Next steps -- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md)
+- [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](application-proxy-add-on-premises-application.md)
- [Quickstart: Configure a client application to access web APIs](../develop/quickstart-configure-app-access-web-apis.md) - [How to enable native client applications to interact with proxy applications](application-proxy-configure-native-client-application.md)
active-directory Application Proxy Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-security.md
Title: Security considerations for Azure Active Directory Application Proxy
-description: Covers security considerations for using Azure AD Application Proxy
+ Title: Security considerations for Microsoft Entra application proxy
+description: Covers security considerations for using Microsoft Entra application proxy
-# Security considerations for accessing apps remotely with Azure Active Directory Application Proxy
+# Security considerations for accessing apps remotely with Microsoft Entra application proxy
-This article explains the components that work to keep your users and applications safe when you use Azure Active Directory Application Proxy.
+This article explains the components that work to keep your users and applications safe when you use Microsoft Entra application proxy.
-The following diagram shows how Azure AD enables secure remote access to your on-premises applications.
+The following diagram shows how Microsoft Entra ID enables secure remote access to your on-premises applications.
- ![Diagram of secure remote access through Azure AD Application Proxy](./media/application-proxy-security/secure-remote-access.png)
+ ![Diagram of secure remote access through Microsoft Entra application proxy](./media/application-proxy-security/secure-remote-access.png)
## Security benefits
-Azure AD Application Proxy offers many security benefits including authenticated access, Conditional Access, traffic termination, all outbound access, cloud scale analytics and machine learning, and remote access as a service. It is important to note that even with all of the added security provided by Application Proxy, the systems being accessed must continually be updated with the latest patches.
+Microsoft Entra application proxy offers many security benefits including authenticated access, Conditional Access, traffic termination, all outbound access, cloud scale analytics and machine learning, and remote access as a service. It is important to note that even with all of the added security provided by Application Proxy, the systems being accessed must continually be updated with the latest patches.
### Authenticated access
-If you choose to use Azure Active Directory preauthentication, then only authenticated connections can access your network.
+If you choose to use Microsoft Entra preauthentication, then only authenticated connections can access your network.
-Azure AD Application Proxy relies on the Azure AD security token service (STS) for all authentication. Preauthentication, by its very nature, blocks a significant number of anonymous attacks, because only authenticated identities can access the back-end application.
+Microsoft Entra application proxy relies on the Microsoft Entra security token service (STS) for all authentication. Preauthentication, by its very nature, blocks a significant number of anonymous attacks, because only authenticated identities can access the back-end application.
If you choose Passthrough as your preauthentication method, you don't get this benefit.
Apply richer policy controls before connections to your network are established.
With [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md), you can define restrictions on how users are allowed to access your applications. You can create policies that restrict sign-ins based on location, strength of authentication, and user risk profile.
-You can also use Conditional Access to configure Multi-Factor Authentication policies, adding another layer of security to your user authentications. Additionally, your applications can also be routed to Microsoft Defender for Cloud Apps via Azure AD Conditional Access to provide real-time monitoring and controls, via [access](/cloud-app-security/access-policy-aad) and [session](/cloud-app-security/session-policy-aad) policies
+You can also use Conditional Access to configure Multi-Factor Authentication policies, adding another layer of security to your user authentications. Additionally, your applications can also be routed to Microsoft Defender for Cloud Apps via Microsoft Entra Conditional Access to provide real-time monitoring and controls, via [access](/cloud-app-security/access-policy-aad) and [session](/cloud-app-security/session-policy-aad) policies
### Traffic termination All traffic is terminated in the cloud.
-Because Azure AD Application Proxy is a reverse-proxy, all traffic to back-end applications is terminated at the service. The session can get reestablished only with the back-end server, which means that your back-end servers are not exposed to direct HTTP traffic. This configuration means that you are better protected from targeted attacks.
+Because Microsoft Entra application proxy is a reverse-proxy, all traffic to back-end applications is terminated at the service. The session can get reestablished only with the back-end server, which means that your back-end servers are not exposed to direct HTTP traffic. This configuration means that you are better protected from targeted attacks.
### All access is outbound You don't need to open inbound connections to the corporate network.
-Application Proxy connectors only use outbound connections to the Azure AD Application Proxy service, which means that there is no need to open firewall ports for incoming connections. Traditional proxies required a perimeter network (also known as *DMZ*, *demilitarized zone*, or *screened subnet*) and allowed access to unauthenticated connections at the network edge. This scenario required investments in web application firewall products to analyze traffic and protect the environment. With Application Proxy, you don't need a perimeter network because all connections are outbound and take place over a secure channel.
+Application Proxy connectors only use outbound connections to the Microsoft Entra application proxy service, which means that there is no need to open firewall ports for incoming connections. Traditional proxies required a perimeter network (also known as *DMZ*, *demilitarized zone*, or *screened subnet*) and allowed access to unauthenticated connections at the network edge. This scenario required investments in web application firewall products to analyze traffic and protect the environment. With Application Proxy, you don't need a perimeter network because all connections are outbound and take place over a secure channel.
-For more information about connectors, see [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md).
+For more information about connectors, see [Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md).
### Cloud-scale analytics and machine learning Get cutting-edge security protection.
-Because it's part of Azure Active Directory, Application Proxy can leverage [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md), with data from the Microsoft Security Response Center and Digital Crimes Unit. Together we proactively identify compromised accounts and offer protection from high-risk sign-ins. We take into account numerous factors to determine which sign-in attempts are high risk. These factors include flagging infected devices, anonymizing networks, and atypical or unlikely locations.
+Because it's part of Microsoft Entra ID, Application Proxy can leverage [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md), with data from the Microsoft Security Response Center and Digital Crimes Unit. Together we proactively identify compromised accounts and offer protection from high-risk sign-ins. We take into account numerous factors to determine which sign-in attempts are high risk. These factors include flagging infected devices, anonymizing networks, and atypical or unlikely locations.
Many of these reports and events are already available through an API for integration with your security information and event management (SIEM) systems.
Many of these reports and events are already available through an API for integr
You donΓÇÖt have to worry about maintaining and patching on-premises servers.
-Unpatched software still accounts for a large number of attacks. Azure AD Application Proxy is an Internet-scale service that Microsoft owns, so you always get the latest security patches and upgrades.
+Unpatched software still accounts for a large number of attacks. Microsoft Entra application proxy is an Internet-scale service that Microsoft owns, so you always get the latest security patches and upgrades.
-To improve the security of applications published by Azure AD Application Proxy, we block web crawler robots from indexing and archiving your applications. Each time a web crawler robot tries to retrieve the robot's settings for a published app, Application Proxy replies with a robots.txt file that includes `User-agent: * Disallow: /`.
+To improve the security of applications published by Microsoft Entra application proxy, we block web crawler robots from indexing and archiving your applications. Each time a web crawler robot tries to retrieve the robot's settings for a published app, Application Proxy replies with a robots.txt file that includes `User-agent: * Disallow: /`.
#### Azure DDoS protection service
Applications published through Application Proxy are protected against Distribut
## Under the hood
-Azure AD Application Proxy consists of two parts:
+Microsoft Entra application proxy consists of two parts:
* The cloud-based service: This service runs in Azure, and is where the external client/user connections are made.
-* [The on-premises connector](application-proxy-connectors.md): An on-premises component, the connector listens for requests from the Azure AD Application Proxy service and handles connections to the internal applications.
+* [The on-premises connector](application-proxy-connectors.md): An on-premises component, the connector listens for requests from the Microsoft Entra application proxy service and handles connections to the internal applications.
A flow between the connector and the Application Proxy service is established when:
The connector uses a client certificate to authenticate to the Application Proxy
When the connector is first set up, the following flow events take place:
-1. The connector registration to the service happens as part of the installation of the connector. Users are prompted to enter their Azure AD admin credentials. The token acquired from this authentication is then presented to the Azure AD Application Proxy service.
+1. The connector registration to the service happens as part of the installation of the connector. Users are prompted to enter their Microsoft Entra admin credentials. The token acquired from this authentication is then presented to the Microsoft Entra application proxy service.
2. The Application Proxy service evaluates the token. It checks whether the user is a Global Administrator in the tenant. If the user is not an administrator, the process is terminated. 3. The connector generates a client certificate request and passes it, along with the token, to the Application Proxy service. The service in turn verifies the token and signs the client certificate request. 4. The connector uses the client certificate for future communication with the Application Proxy service.
To learn more about what takes place in each of these steps, keep reading.
If you configured the app to use Passthrough as its preauthentication method, the steps in this section are skipped.
-If you configured the app to preauthenticate with Azure AD, users are redirected to the Azure AD STS to authenticate, and the following steps take place:
+If you configured the app to preauthenticate with Microsoft Entra ID, users are redirected to the Microsoft Entra STS to authenticate, and the following steps take place:
1. Application Proxy checks for any Conditional Access policy requirements for the specific application. This step ensures that the user has been assigned to the application. If two-step verification is required, the authentication sequence prompts the user for a second authentication method.
-2. After all checks have passed, the Azure AD STS issues a signed token for the application and redirects the user back to the Application Proxy service.
+2. After all checks have passed, the Microsoft Entra STS issues a signed token for the application and redirects the user back to the Application Proxy service.
-3. Application Proxy verifies that the token was issued to the correct application. It performs other checks also, such as ensuring that the token was signed by Azure AD, and that it is still within the valid window.
+3. Application Proxy verifies that the token was issued to the correct application. It performs other checks also, such as ensuring that the token was signed by Microsoft Entra ID, and that it is still within the valid window.
-4. Application Proxy sets an encrypted authentication cookie to indicate that authentication to the application has occurred. The cookie includes an expiration timestamp that's based on the token from Azure AD and other data, such as the user name that the authentication is based on. The cookie is encrypted with a private key known only to the Application Proxy service.
+4. Application Proxy sets an encrypted authentication cookie to indicate that authentication to the application has occurred. The cookie includes an expiration timestamp that's based on the token from Microsoft Entra ID and other data, such as the user name that the authentication is based on. The cookie is encrypted with a private key known only to the Application Proxy service.
5. Application Proxy redirects the user back to the originally requested URL.
Some processing of the application may occur here. If you configured Application
## Next steps
-[Network topology considerations when using Azure AD Application Proxy](application-proxy-network-topology.md)
+[Network topology considerations when using Microsoft Entra application proxy](application-proxy-network-topology.md)
-[Understand Azure AD Application Proxy connectors](application-proxy-connectors.md)
+[Understand Microsoft Entra application proxy connectors](application-proxy-connectors.md)
active-directory Certificate Based Authentication Federation Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-android.md
-# Azure Active Directory certificate-based authentication with federation on Android
+# Microsoft Entra certificate-based authentication with federation on Android
-Android devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory using a client certificate on their device when connecting to:
+Android devices can use certificate-based authentication (CBA) to authenticate to Microsoft Entra ID using a client certificate on their device when connecting to:
* Office mobile applications such as Microsoft Outlook and Microsoft Word * Exchange ActiveSync (EAS) clients
The device OS version must be Android 5.0 (Lollipop) and above.
A federation server must be configured.
-For Azure Active Directory to revoke a client certificate, the AD FS token must have the following claims:
+For Microsoft Entra ID to revoke a client certificate, the AD FS token must have the following claims:
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` (The serial number of the client certificate) * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` (The string for the issuer of the client certificate)
-Azure Active Directory adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
+Microsoft Entra ID adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
As a best practice, you should update your organization's AD FS error pages with the following information:
As a best practice, you should update your organization's AD FS error pages with
For more information, see [Customizing the AD FS Sign-in Pages](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)).
-Office apps with modern authentication enabled send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
+Office apps with modern authentication enabled send '*prompt=login*' to Microsoft Entra ID in their request. By default, Microsoft Entra ID translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Microsoft Entra behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task: ```powershell
active-directory Certificate Based Authentication Federation Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-get-started.md
-# Get started with certificate-based authentication in Azure Active Directory with federation
+# Get started with certificate-based authentication in Microsoft Entra ID with federation
-Certificate-based authentication (CBA) with federation enables you to be authenticated by Azure Active Directory with a client certificate on a Windows, Android, or iOS device when connecting your Exchange online account to:
+Certificate-based authentication (CBA) with federation enables you to be authenticated by Microsoft Entra ID with a client certificate on a Windows, Android, or iOS device when connecting your Exchange online account to:
- Microsoft mobile applications such as Microsoft Outlook and Microsoft Word - Exchange ActiveSync (EAS) clients
Certificate-based authentication (CBA) with federation enables you to be authent
Configuring this feature eliminates the need to enter a username and password combination into certain mail and Microsoft Office applications on your mobile device. >[!NOTE]
->As an alternative, organizations can deploy Azure AD CBA without needing federation. For more information, see [Overview of Azure AD certificate-based authentication against Azure Active Directory](concept-certificate-based-authentication.md).
+>As an alternative, organizations can deploy Microsoft Entra CBA without needing federation. For more information, see [Overview of Microsoft Entra certificate-based authentication against Microsoft Entra ID](concept-certificate-based-authentication.md).
This topic:
This topic:
To configure CBA with federation, the following statements must be true: -- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication, or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Azure AD CBA without needing federation, see [How to configure Azure AD certificate-based authentication](how-to-certificate-based-authentication.md).-- The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
+- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication, or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Microsoft Entra CBA without needing federation, see [How to configure Microsoft Entra certificate-based authentication](how-to-certificate-based-authentication.md).
+- The root certificate authority and any intermediate certificate authorities must be configured in Microsoft Entra ID.
- Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.-- You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.-- For Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.
+- You must have at least one certificate authority configured in Microsoft Entra ID. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
+- For Exchange ActiveSync clients, the client certificate must have the user's routable email address in Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name field. Microsoft Entra ID maps the RFC822 value to the Proxy Address attribute in the directory.
- Your client device must have access to at least one certificate authority that issues client certificates. - A client certificate for client authentication must have been issued to your client. >[!IMPORTANT]
->The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds. If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.
+>The maximum size of a CRL for Microsoft Entra ID to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds. If Microsoft Entra ID can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.
## Step 1: Select your device platform
active-directory Certificate Based Authentication Federation Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-ios.md
Title: Certificate-based authentication with federation on iOS
-description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication for Azure Active Directory in solutions with iOS devices
+description: Learn about the supported scenarios and the requirements for configuring certificate-based authentication for Microsoft Entra ID in solutions with iOS devices
-# Azure Active Directory certificate-based authentication with federation on iOS
+# Microsoft Entra certificate-based authentication with federation on iOS
-To improve security, iOS devices can use certificate-based authentication (CBA) to authenticate to Azure Active Directory (Azure AD) using a client certificate on their device when connecting to the following applications or
+To improve security, iOS devices can use certificate-based authentication (CBA) to authenticate to Microsoft Entra ID using a client certificate on their device when connecting to the following applications or
* Office mobile applications such as Microsoft Outlook and Microsoft Word * Exchange ActiveSync (EAS) clients
The following Active Directory Federation Services (AD FS) requirements and cons
## Configure AD FS
-For Azure AD to revoke a client certificate, the AD FS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
+For Microsoft Entra ID to revoke a client certificate, the AD FS token must have the following claims. Microsoft Entra ID adds these claims to the refresh token if they're available in the AD FS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
* `http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` - add the serial number of your client certificate * `http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` - add the string for the issuer of your client certificate
For more information, see [Customizing the AD FS sign in page](/previous-version
## Use modern authentication with Office apps
-Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to AD FS as `wauth=usernamepassworduri` (asks AD FS to do U/P Auth) and `wfresh=0` (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.
+Some Office apps with modern authentication enabled send `prompt=login` to Microsoft Entra ID in their request. By default, Microsoft Entra ID translates `prompt=login` in the request to AD FS as `wauth=usernamepassworduri` (asks AD FS to do U/P Auth) and `wfresh=0` (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Microsoft Entra behavior.
To update the default behavior, set the '*PromptLoginBehavior*' in your federated domain settings to *Disabled*. You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings) cmdlet to perform this task, as shown in the following example:
active-directory Concept Authentication Authenticator App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-authenticator-app.md
Title: Microsoft Authenticator authentication method
-description: Learn about using the Microsoft Authenticator in Azure Active Directory to help secure your sign-ins
+description: Learn about using the Microsoft Authenticator in Microsoft Entra ID to help secure your sign-ins
-# Customer intent: As an identity administrator, I want to understand how to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
+# Customer intent: As an identity administrator, I want to understand how to use the Microsoft Authenticator app in Microsoft Entra ID to improve and secure user sign-in events.
-# Authentication methods in Azure Active Directory - Microsoft Authenticator app
+# Authentication methods in Microsoft Entra ID - Microsoft Authenticator app
-The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school account or your Microsoft account and is available for [Android](https://go.microsoft.com/fwlink/?linkid=866594) and [iOS](https://go.microsoft.com/fwlink/?linkid=866594). With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or multifactor authentication events.
+The Microsoft Authenticator app provides an additional level of security to your Microsoft Entra work or school account or your Microsoft account and is available for [Android](https://go.microsoft.com/fwlink/?linkid=866594) and [iOS](https://go.microsoft.com/fwlink/?linkid=866594). With the Microsoft Authenticator app, users can authenticate in a passwordless way during sign-in, or as an additional verification option during self-service password reset (SSPR) or multifactor authentication events.
Users may receive a notification through the mobile app for them to approve or deny, or use the Authenticator app to generate an OATH verification code that can be entered in a sign-in interface. If you enable both a notification and verification code, users who register the Authenticator app can use either method to verify their identity.
The Authenticator app can be used as a software token to generate an OATH verifi
Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Authenticator app, configured for use at any time.
-## FIPS 140 compliant for Azure AD authentication
+<a name='fips-140-compliant-for-azure-ad-authentication'></a>
-Beginning with version 6.6.8, Microsoft Authenticator for iOS is compliant with [Federal Information Processing Standard (FIPS) 140](https://csrc.nist.gov/publications/detail/fips/140/3/final?azure-portal=true) for all Azure AD authentications using push multi-factor authentications (MFA), passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP).  
+## FIPS 140 compliant for Microsoft Entra authentication
+
+Beginning with version 6.6.8, Microsoft Authenticator for iOS is compliant with [Federal Information Processing Standard (FIPS) 140](https://csrc.nist.gov/publications/detail/fips/140/3/final?azure-portal=true) for all Microsoft Entra authentications using push multi-factor authentications (MFA), passwordless Phone Sign-In (PSI), and time-based one-time passcodes (TOTP).  
Consistent with the guidelines outlined in [NIST SP 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html?azure-portal=true), authenticators are required to use FIPS 140 validated cryptography. This helps federal agencies meet the requirements of [Executive Order (EO) 14028](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/?azure-portal=true) and healthcare organizations working with [Electronic Prescriptions for Controlled Substances (EPCS)](/azure/compliance/offerings/offering-epcs-us).  FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. Testing against the FIPS 140 standard is maintained by the [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program?azure-portal=true).
-No changes in configurations are required in Microsoft Authenticator or the Microsoft Entra admin center to enable FIPS 140 compliance. Beginning with Microsoft Authenticator for iOS version 6.6.8, Azure AD authentications will be FIPS 140 compliant by default.
+No changes in configurations are required in Microsoft Authenticator or the Microsoft Entra admin center to enable FIPS 140 compliance. Beginning with Microsoft Authenticator for iOS version 6.6.8, Microsoft Entra authentications will be FIPS 140 compliant by default.
Authenticator leverages the native Apple cryptography to achieve FIPS 140, Security Level 1 compliance on Apple iOS devices beginning with Microsoft Authenticator version 6.6.8. For more information about the certifications being used, see the [Apple CoreCrypto module](https://support.apple.com/guide/sccc/security-certifications-for-ios-scccfa917cb49/web?azure-portal=true). 
Microsoft Authenticator: MFA capable | <img width="43" alt="Microsoft Authentica
- To get started with passwordless sign-in, see [Enable passwordless sign-in with the Microsoft Authenticator](howto-authentication-passwordless-phone.md). - Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).-
active-directory Concept Authentication Default Enablement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-default-enablement.md
Title: Protecting authentication methods in Azure Active Directory
-description: Learn about authentication features that may be enabled by default in Azure Active Directory
+ Title: Protecting authentication methods in Microsoft Entra ID
+description: Learn about authentication features that may be enabled by default in Microsoft Entra ID
Previously updated : 09/13/2023 Last updated : 09/15/2023
# Customer intent: As an identity administrator, I want to encourage users to understand how default protection can improve our security posture.
-# Protecting authentication methods in Azure Active Directory
+# Protecting authentication methods in Microsoft Entra ID
>[!NOTE] >The Microsoft managed value for Authenticator Lite will move from disabled to enabled on June 26th, 2023. All tenants left in the default state **Microsoft managed** will be enabled for the feature on June 26th.
-Azure Active Directory (Azure AD) adds and improves security features to better protect customers against increasing attacks. As new attack vectors become known, Azure AD may respond by enabling protection by default to help customers stay ahead of emerging security threats.
+Microsoft Entra ID adds and improves security features to better protect customers against increasing attacks. As new attack vectors become known, Microsoft Entra ID may respond by enabling protection by default to help customers stay ahead of emerging security threats.
For example, in response to increasing MFA fatigue attacks, Microsoft recommended ways for customers to [defend users](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677). One recommendation to prevent users from accidental multifactor authentication (MFA) approvals is to enable [number matching](how-to-mfa-number-match.md). As a result, default behavior for number matching will be explicitly **Enabled** for all Microsoft Authenticator users. You can learn more about new security features like number matching in our blog post [Advanced Microsoft Authenticator security features are now generally available!](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/advanced-microsoft-authenticator-security-features-are-now/ba-p/2365673). There are two ways for protection of a security feature to be enabled by default: -- After a security feature is released, customers can use the Microsoft Entra admin center or Graph API to test and roll out the change on their own schedule. To help defend against new attack vectors, Azure AD may enable protection of a security feature by default for all tenants on a certain date, and there won't be an option to disable protection. Microsoft schedules default protection far in advance to give customers time to prepare for the change. Customers can't opt out if Microsoft schedules protection by default. -- Protection can be **Microsoft managed**, which means Azure AD can enable or disable protection based upon the current landscape of security threats. Customers can choose whether to allow Microsoft to manage the protection. They can change from **Microsoft managed** to explicitly make the protection **Enabled** or **Disabled** at any time.
+- After a security feature is released, customers can use the Microsoft Entra admin center or Graph API to test and roll out the change on their own schedule. To help defend against new attack vectors, Microsoft Entra ID may enable protection of a security feature by default for all tenants on a certain date, and there won't be an option to disable protection. Microsoft schedules default protection far in advance to give customers time to prepare for the change. Customers can't opt out if Microsoft schedules protection by default.
+- Protection can be **Microsoft managed**, which means Microsoft Entra ID can enable or disable protection based upon the current landscape of security threats. Customers can choose whether to allow Microsoft to manage the protection. They can change from **Microsoft managed** to explicitly make the protection **Enabled** or **Disabled** at any time.
>[!NOTE] >Only a critical security feature will have protection enabled by default.
-## Default protection enabled by Azure AD
+<a name='default-protection-enabled-by-azure-ad'></a>
+
+## Default protection enabled by Microsoft Entra ID
Number matching is a good example of protection for an authentication method that is currently optional for push notifications in Microsoft Authenticator in all tenants. Customers could choose to enable number matching for push notifications in Microsoft Authenticator for users and groups, or they could leave it disabled. Number matching is already the default behavior for passwordless notifications in Microsoft Authenticator, and users can't opt out.
As MFA fatigue attacks rise, number matching becomes more critical to sign-in se
## Microsoft managed settings
-In addition to configuring Authentication methods policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings in the Authentication methods policy to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Azure AD to enable or disable the setting.
+In addition to configuring Authentication methods policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings in the Authentication methods policy to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Microsoft Entra ID to enable or disable the setting.
-The option to let Azure AD manage the setting is a convenient way for an organization to allow Microsoft to enable or disable a feature by default. Organizations can more easily improve their security posture by trusting Microsoft to manage when a feature should be enabled by default. By configuring a setting as **Microsoft managed** (named *default* in Graph APIs), IT admins can trust Microsoft to enable a security feature they haven't explicitly disabled.
+The option to let Microsoft Entra ID manage the setting is a convenient way for an organization to allow Microsoft to enable or disable a feature by default. Organizations can more easily improve their security posture by trusting Microsoft to manage when a feature should be enabled by default. By configuring a setting as **Microsoft managed** (named *default* in Graph APIs), IT admins can trust Microsoft to enable a security feature they haven't explicitly disabled.
-For example, an admin can enable [location and application name](how-to-mfa-number-match.md) in push notifications to give users more context when they approve MFA requests with Microsoft Authenticator. The additional context can also be explicitly disabled, or set as **Microsoft managed**. Today, the **Microsoft managed** configuration for location and application name is **Disabled**, which effectively disables the option for any environment where an admin chooses to let Azure AD manage the setting.
+For example, an admin can enable [location and application name](how-to-mfa-number-match.md) in push notifications to give users more context when they approve MFA requests with Microsoft Authenticator. The additional context can also be explicitly disabled, or set as **Microsoft managed**. Today, the **Microsoft managed** configuration for location and application name is **Disabled**, which effectively disables the option for any environment where an admin chooses to let Microsoft Entra ID manage the setting.
As the security threat landscape changes over time, Microsoft may change the **Microsoft managed** configuration for location and application name to **Enabled**. For customers who want to rely upon Microsoft to improve their security posture, setting security features to **Microsoft managed** is an easy way stay ahead of security threats. They can trust Microsoft to determine the best way to configure security settings based on the current threat landscape.
The following table lists each setting that can be set to Microsoft managed and
| Setting | Configuration | |-||
-| [Registration campaign](how-to-mfa-registration-campaign.md) | Beginning in July, 2023, enabled for text message and voice call users with free and trial subscriptions. |
+| [Registration campaign](how-to-mfa-registration-campaign.md) | From Sept 25 to Oct 20, 2023, the Microsoft managed value for the registration campaign will change to Enabled for text message and voice call users across all tenants. |
| [Location in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled | | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled | | [System-preferred MFA](concept-system-preferred-multifactor-authentication.md) | Enabled | | [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled | | [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled |
-As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using text message and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication.
+As threat vectors change, Microsoft Entra ID may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using text message and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication.
## Next steps
-[Authentication methods in Azure Active Directory - Microsoft Authenticator](concept-authentication-authenticator-app.md)
-
+[Authentication methods in Microsoft Entra ID - Microsoft Authenticator](concept-authentication-authenticator-app.md)
active-directory Concept Authentication Methods Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-methods-manage.md
-# Customer intent: As an identity administrator, I want to understand what authentication options are available in Azure AD and how I can manage them.
+# Customer intent: As an identity administrator, I want to understand what authentication options are available in Microsoft Entra ID and how I can manage them.
-# Manage authentication methods for Azure AD
+# Manage authentication methods for Microsoft Entra ID
-Azure Active Directory (Azure AD) allows the use of a range of authentication methods to support a wide variety of sign-in scenarios. Administrators can specifically configure each method to meet their goals for user experience and security. This topic explains how to manage authentication methods for Azure AD, and how configuration options affect user sign-in and password reset scenarios.
+Microsoft Entra ID allows the use of a range of authentication methods to support a wide variety of sign-in scenarios. Administrators can specifically configure each method to meet their goals for user experience and security. This topic explains how to manage authentication methods for Microsoft Entra ID, and how configuration options affect user sign-in and password reset scenarios.
## Authentication methods policy The Authentication methods policy is the recommended way to manage authentication methods, including modern methods like passwordless authentication. [Authentication Policy Administrators](../roles/permissions-reference.md#authentication-policy-administrator) can edit this policy to enable authentication methods for all users or specific groups.
-Methods enabled in the Authentication methods policy can typically be used anywhere in Azure AD - for both authentication and password reset scenarios. The exception is that some methods are inherently limited to use in authentication, such as FIDO2 and Windows Hello for Business, and others are limited to use in password reset, such as security questions. For more control over which methods are usable in a given authentication scenario, consider using the **Authentication Strengths** feature.
+Methods enabled in the Authentication methods policy can typically be used anywhere in Microsoft Entra ID - for both authentication and password reset scenarios. The exception is that some methods are inherently limited to use in authentication, such as FIDO2 and Windows Hello for Business, and others are limited to use in password reset, such as security questions. For more control over which methods are usable in a given authentication scenario, consider using the **Authentication Strengths** feature.
Most methods also have configuration parameters to more precisely control how that method can be used. For example, if you enable **Voice calls**, you can also specify whether an office phone can be used in addition to a mobile phone.
Only the [converged registration experience](concept-registration-mfa-sspr-combi
## Legacy MFA and SSPR policies
-Two other policies, located in **Multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used. A [Global Administrator](../roles/permissions-reference.md#global-administrator) is needed to manage these policies.
+Two other policies, located in **multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used. A [Global Administrator](../roles/permissions-reference.md#global-administrator) is needed to manage these policies.
>[!Important]
->In March 2023, we announced the deprecation of managing authentication methods in the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies. Beginning September 30, 2024, authentication methods can't be managed in these legacy MFA and SSPR policies. We recommend customers use the manual migration control to migrate to the Authentication methods policy by the deprecation date.
+>In March 2023, we announced the deprecation of managing authentication methods in the legacy multifactor authentication and self-service password reset (SSPR) policies. Beginning September 30, 2024, authentication methods can't be managed in these legacy MFA and SSPR policies. We recommend customers use the manual migration control to migrate to the Authentication methods policy by the deprecation date.
-To manage the legacy MFA policy, click **Security** > **Multifactor Authentication** > **Additional cloud-based multifactor authentication settings**.
+To manage the legacy MFA policy, click **Security** > **multifactor authentication** > **Additional cloud-based multifactor authentication settings**.
:::image type="content" border="true" source="./media/concept-authentication-methods-manage/service-settings.png" alt-text="Screenshot of MFA service settings.":::
To manage authentication methods for self-service password reset (SSPR), click *
## How policies work together
-Settings aren't synchronized between the policies, which allows administrators to manage each policy independently. Azure AD respects the settings in all of the policies so a user who is enabled for an authentication method in _any_ policy can register and use that method. To prevent users from using a method, it must be disabled in all policies.
+Settings aren't synchronized between the policies, which allows administrators to manage each policy independently. Microsoft Entra ID respects the settings in all of the policies so a user who is enabled for an authentication method in _any_ policy can register and use that method. To prevent users from using a method, it must be disabled in all policies.
Let's walk through an example where a user who belongs to the Accounting group wants to register Microsoft Authenticator. The registration process first checks the Authentication methods policy. If the Accounting group is enabled for Microsoft Authenticator, the user can register it.
Tenants are set to either Pre-migration or Migration in Progress by default, dep
## Next steps - [How to migrate MFA and SSPR policy settings to the Authentication methods policy](how-to-authentication-methods-manage.md)-- [What authentication and verification methods are available in Azure Active Directory?](concept-authentication-methods.md)-- [How Azure AD Multi-Factor Authentication works](concept-mfa-howitworks.md)
+- [What authentication and verification methods are available in Microsoft Entra ID?](concept-authentication-methods.md)
+- [How Microsoft Entra multifactor authentication works](concept-mfa-howitworks.md)
- [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview)
active-directory Concept Authentication Methods https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-methods.md
Title: Authentication methods and features
-description: Learn about the different authentication methods and features available in Azure Active Directory to help improve and secure sign-in events
+description: Learn about the different authentication methods and features available in Microsoft Entra ID to help improve and secure sign-in events
-# Customer intent: As an identity administrator, I want to understand what authentication options are available in Azure AD and how or why I can use them to improve and secure user sign-in events.
+# Customer intent: As an identity administrator, I want to understand what authentication options are available in Microsoft Entra ID and how or why I can use them to improve and secure user sign-in events.
-# What authentication and verification methods are available in Azure Active Directory?
+# What authentication and verification methods are available in Microsoft Entra ID?
Microsoft recommends passwordless authentication methods such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app because they provide the most secure sign-in experience. Although a user can sign-in using other common methods such as a username and password, passwords should be replaced with more secure authentication methods.
-Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to a text message or phone call.
+Microsoft Entra multifactor authentication adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to a text message or phone call.
-To simplify the user on-boarding experience and register for both MFA and self-service password reset (SSPR), we recommend you [enable combined security information registration](howto-registration-mfa-sspr-combined.md). For resiliency, we recommend that you require users to register multiple authentication methods. When one method isn't available for a user during sign-in or SSPR, they can choose to authenticate with another method. For more information, see [Create a resilient access control management strategy in Azure AD](concept-resilient-controls.md).
+To simplify the user on-boarding experience and register for both MFA and self-service password reset (SSPR), we recommend you [enable combined security information registration](howto-registration-mfa-sspr-combined.md). For resiliency, we recommend that you require users to register multiple authentication methods. When one method isn't available for a user during sign-in or SSPR, they can choose to authenticate with another method. For more information, see [Create a resilient access control management strategy in Microsoft Entra ID](concept-resilient-controls.md).
Here's a [video](https://www.youtube.com/watch?v=LB2yj4HSptc&feature=youtu.be) we created to help you choose the best authentication method to keep your organization safe. ## Authentication method strength and security
-When you deploy features like Azure AD Multi-Factor Authentication in your organization, review the available authentication methods. Choose the methods that meet or exceed your requirements in terms of security, usability, and availability. Where possible, use authentication methods with the highest level of security.
+When you deploy features like Microsoft Entra multifactor authentication in your organization, review the available authentication methods. Choose the methods that meet or exceed your requirements in terms of security, usability, and availability. Where possible, use authentication methods with the highest level of security.
-The following table outlines the security considerations for the available authentication methods. Availability is an indication of the user being able to use the authentication method, not of the service availability in Azure AD:
+The following table outlines the security considerations for the available authentication methods. Availability is an indication of the user being able to use the authentication method, not of the service availability in Microsoft Entra ID:
| Authentication method | Security | Usability | Availability | |--|:--:|::|::|
For the latest information on security, check out our blog posts:
## How each authentication method works
-Some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Azure AD Multi-Factor Authentication or SSPR.
+Some authentication methods can be used as the primary factor when you sign in to an application or device, such as using a FIDO2 security key or a password. Other authentication methods are only available as a secondary factor when you use Microsoft Entra multifactor authentication or SSPR.
The following table outlines when an authentication method can be used during a sign-in event:
To learn more about how each authentication method works, see the following sepa
* Password > [!NOTE]
-> In Azure AD, a password is often one of the primary authentication methods. You can't disable the password authentication method. If you use a password as the primary authentication factor, increase the security of sign-in events using Azure AD Multi-Factor Authentication.
+> In Microsoft Entra ID, a password is often one of the primary authentication methods. You can't disable the password authentication method. If you use a password as the primary authentication factor, increase the security of sign-in events using Microsoft Entra multifactor authentication.
The following additional verification methods can be used in certain scenarios:
-* [App passwords](howto-mfa-app-passwords.md) - used for old applications that don't support modern authentication and can be configured for per-user Azure AD Multi-Factor Authentication.
+* [App passwords](howto-mfa-app-passwords.md) - used for old applications that don't support modern authentication and can be configured for per-user Microsoft Entra multifactor authentication.
* [Security questions](concept-authentication-security-questions.md) - only used for SSPR * [Email address](concept-sspr-howitworks.md#authentication-methods) - only used for SSPR
Authentication methods that are no longer available due to "Require re-register
## Next steps
-To get started, see the [tutorial for self-service password reset (SSPR)][tutorial-sspr] and [Azure AD Multi-Factor Authentication][tutorial-azure-mfa].
+To get started, see the [tutorial for self-service password reset (SSPR)][tutorial-sspr] and [Microsoft Entra multifactor authentication][tutorial-azure-mfa].
-To learn more about SSPR concepts, see [How Azure AD self-service password reset works][concept-sspr].
+To learn more about SSPR concepts, see [How Microsoft Entra self-service password reset works][concept-sspr].
-To learn more about MFA concepts, see [How Azure AD Multi-Factor Authentication works][concept-mfa].
+To learn more about MFA concepts, see [How Microsoft Entra multifactor authentication works][concept-mfa].
Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
-To review what authentication methods are in use, see [Azure AD Multi-Factor Authentication authentication method analysis with PowerShell](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/).
+To review what authentication methods are in use, see [Microsoft Entra multifactor authentication authentication method analysis with PowerShell](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/).
<!-- INTERNAL LINKS --> [tutorial-sspr]: tutorial-enable-sspr.md
active-directory Concept Authentication Oath Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-oath-tokens.md
Title: OATH tokens authentication method
-description: Learn about using OATH tokens in Azure Active Directory to help improve and secure sign-in events
+description: Learn about using OATH tokens in Microsoft Entra ID to help improve and secure sign-in events
-# Customer intent: As an identity administrator, I want to understand how to use OATH tokens in Azure AD to improve and secure user sign-in events.
+# Customer intent: As an identity administrator, I want to understand how to use OATH tokens in Microsoft Entra ID to improve and secure user sign-in events.
-# Authentication methods in Azure Active Directory - OATH tokens
+# Authentication methods in Microsoft Entra ID - OATH tokens
-OATH TOTP (Time-based One Time Password) is an open standard that specifies how one-time password (OTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes. Azure AD doesn't support OATH HOTP, a different code generation standard.
+OATH TOTP (Time-based One Time Password) is an open standard that specifies how one-time password (OTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes. Microsoft Entra ID doesn't support OATH HOTP, a different code generation standard.
## OATH software tokens
-Software OATH tokens are typically applications such as the Microsoft Authenticator app and other authenticator apps. Azure AD generates the secret key, or seed, that's input into the app and used to generate each OTP.
+Software OATH tokens are typically applications such as the Microsoft Authenticator app and other authenticator apps. Microsoft Entra ID generates the secret key, or seed, that's input into the app and used to generate each OTP.
The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup even if their device doesn't have connectivity. Third-party applications that use OATH TOTP to generate codes can also be used.
Some OATH TOTP hardware tokens are programmable, meaning they don't come with a
## OATH hardware tokens (Preview)
-Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice. Hardware OATH tokens are available for users with an Azure AD Premium P1 or P2 license.
+Microsoft Entra ID supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the vendor of their choice. Hardware OATH tokens are available for users with a Microsoft Entra ID P1 or P2 license.
>[!IMPORTANT] >The preview is only supported in Azure Global and Azure Government clouds.
-OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token. These keys must be input into Azure AD as described in the following steps. Secret keys are limited to 128 characters, which may not be compatible with all tokens. The secret key can only contain the characters *a-z* or *A-Z* and digits *2-7*, and must be encoded in *Base32*.
+OATH TOTP hardware tokens typically come with a secret key, or seed, pre-programmed in the token. These keys must be input into Microsoft Entra ID as described in the following steps. Secret keys are limited to 128 characters, which may not be compatible with all tokens. The secret key can only contain the characters *a-z* or *A-Z* and digits *2-7*, and must be encoded in *Base32*.
-Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow.
+Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Microsoft Entra ID in the software token setup flow.
OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse).
OATH hardware token | <img width="63" alt="Hardware OATH token" src="media/conce
Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview). Learn about [FIDO2 security key providers](concept-authentication-passwordless.md#fido2-security-key-providers) that are compatible with passwordless authentication.-
active-directory Concept Authentication Operator Assistance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-operator-assistance.md
Title: Operator assistance in Azure Active Directory
-description: Learn about deprecation of operator assistance feature in Azure Active Directory
+ Title: Operator assistance in Microsoft Entra ID
+description: Learn about deprecation of operator assistance feature in Microsoft Entra ID
# How to enable and disable operator assistance
-On September 30, 2023, we will retire operator assistance in Azure AD Multi-Factor Authentication and it will no longer be available. To avoid service disruption, follow the steps in this topic to disable operator assistance before September 30, 2023.
+On September 30, 2023, we will retire operator assistance in Microsoft Entra multifactor authentication and it will no longer be available. To avoid service disruption, follow the steps in this topic to disable operator assistance before September 30, 2023.
-Operator assistance is a feature within Azure AD that allows an operator to manually transfer phone calls instead of automatic transfer. When this setting is enabled, the office phone number is dialed and when answered, the system asks the operator to transfer the call to a given extension.
+Operator assistance is a feature within Microsoft Entra ID that allows an operator to manually transfer phone calls instead of automatic transfer. When this setting is enabled, the office phone number is dialed and when answered, the system asks the operator to transfer the call to a given extension.
Operator assistance can be enabled for an entire tenant or for an individual user. If the setting is **On**, the entire tenant is enabled for operator assistance. If you choose **Phone call** as the default method and have an extension specified as part of your office phone number (delineated by **x**), an operator can manually transfer the phone call.
For example, let's say a customer in U.S has an office phone number 425-555-1234
If the setting is **Off**, the system will automatically dial extensions as part of the phone number. Your admin can still specify individual users who should be enabled for operator assistance by prefixing the extension with ΓÇÿ@ΓÇÖ. For example, 425-555-1234x@5678 would indicate that operator assistance should be used, even though the setting is **Off**.
-To check the status of this feature in your own tenant, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator), then click **Protection** > **Multifactor authentication** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**.
+To check the status of this feature in your own tenant, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator), then click **Protection** > **multifactor authentication** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**.
![Screenshot of operator assistance settings](./media/concept-authentication-operator-assistance/settings.png) You can improve the reliability, security, and create a frictionless MFA experience by using the following guidance: -- You have [registered a direct phone number](https://aka.ms/mfasetup) (contains no extension) or [other method](concept-authentication-methods.md) to be used for Multi-Factor Authentication or self-service password reset if enabled. -- Your admins have registered a direct phone number (contains no extension) on behalf of the user to be used for [Multi-Factor Authentication](howto-mfa-userdevicesettings.md#add-authentication-methods-for-a-user) or [self-service password reset](tutorial-enable-sspr.md) if enabled.
+- You have [registered a direct phone number](https://aka.ms/mfasetup) (contains no extension) or [other method](concept-authentication-methods.md) to be used for multifactor authentication or self-service password reset if enabled.
+- Your admins have registered a direct phone number (contains no extension) on behalf of the user to be used for [multifactor authentication](howto-mfa-userdevicesettings.md#add-authentication-methods-for-a-user) or [self-service password reset](tutorial-enable-sspr.md) if enabled.
- Phone system supports automated attendant functionality.
active-directory Concept Authentication Passwordless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-passwordless.md
Title: Azure Active Directory passwordless sign-in
-description: Learn about options for passwordless sign-in to Azure Active Directory using FIDO2 security keys or Microsoft Authenticator
+ Title: Microsoft Entra passwordless sign-in
+description: Learn about options for passwordless sign-in to Microsoft Entra ID using FIDO2 security keys or Microsoft Authenticator
-# Passwordless authentication options for Azure Active Directory
+# Passwordless authentication options for Microsoft Entra ID
Features like multifactor authentication (MFA) are a great way to secure your organization, but users often get frustrated with the additional security layer on top of having to remember their passwords. Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are or something you know.
Features like multifactor authentication (MFA) are a great way to secure your or
| | | | | Passwordless | Windows 10 Device, phone, or security key | Biometric or PIN |
-Each organization has different needs when it comes to authentication. Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):
+Each organization has different needs when it comes to authentication. Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Microsoft Entra ID:
- Windows Hello for Business - Microsoft Authenticator
Windows Hello for Business is ideal for information workers that have their own
![Example of a user sign-in with Windows Hello for Business](./media/concept-authentication-passwordless/windows-hellow-sign-in.jpeg)
-The following steps show how the sign-in process works with Azure AD:
+The following steps show how the sign-in process works with Microsoft Entra ID:
![Diagram that outlines the steps involved for user sign-in with Windows Hello for Business](./media/concept-authentication-passwordless/windows-hello-flow.png) 1. A user signs into Windows using biometric or PIN gesture. The gesture unlocks the Windows Hello for Business private key and is sent to the Cloud Authentication security support provider, referred to as the *Cloud AP provider*.
-1. The Cloud AP provider requests a nonce (a random arbitrary number that can be used just once) from Azure AD.
-1. Azure AD returns a nonce that's valid for 5 minutes.
-1. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure AD.
-1. Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. Azure AD validates the signature and then validates the returned signed nonce. When the nonce is validated, Azure AD creates a primary refresh token (PRT) with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
+1. The Cloud AP provider requests a nonce (a random arbitrary number that can be used just once) from Microsoft Entra ID.
+1. Microsoft Entra ID returns a nonce that's valid for 5 minutes.
+1. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.
+1. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID validates the signature and then validates the returned signed nonce. When the nonce is validated, Microsoft Entra ID creates a primary refresh token (PRT) with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
1. The Cloud AP provider receives the encrypted PRT with session key. The Cloud AP provider uses the device's private transport key to decrypt the session key and protects the session key using the device's Trusted Platform Module (TPM). 1. The Cloud AP provider returns a successful authentication response to Windows. The user is then able to access Windows as well as cloud and on-premises applications without the need to authenticate again (SSO).
You can also allow your employee's phone to become a passwordless authentication
The Authenticator App turns any iOS or Android phone into a strong, passwordless credential. Users can sign in to any platform or browser by getting a notification to their phone, matching a number displayed on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm. Refer to [Download and install the Microsoft Authenticator](https://support.microsoft.com/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a) for installation details.
-Passwordless authentication using the Authenticator app follows the same basic pattern as Windows Hello for Business. It's a little more complicated as the user needs to be identified so that Azure AD can find the Authenticator app version being used:
+Passwordless authentication using the Authenticator app follows the same basic pattern as Windows Hello for Business. It's a little more complicated as the user needs to be identified so that Microsoft Entra ID can find the Authenticator app version being used:
![Diagram that outlines the steps involved for user sign-in with the Microsoft Authenticator App](./media/concept-authentication-passwordless/authenticator-app-flow.png) 1. The user enters their username.
-1. Azure AD detects that the user has a strong credential and starts the Strong Credential flow.
+1. Microsoft Entra ID detects that the user has a strong credential and starts the Strong Credential flow.
1. A notification is sent to the app via Apple Push Notification Service (APNS) on iOS devices, or via Firebase Cloud Messaging (FCM) on Android devices. 1. The user receives the push notification and opens the app.
-1. The app calls Azure AD and receives a proof-of-presence challenge and nonce.
+1. The app calls Microsoft Entra ID and receives a proof-of-presence challenge and nonce.
1. The user completes the challenge by entering their biometric or PIN to unlock private key.
-1. The nonce is signed with the private key and sent back to Azure AD.
-1. Azure AD performs public/private key validation and returns a token.
+1. The nonce is signed with the private key and sent back to Microsoft Entra ID.
+1. Microsoft Entra ID performs public/private key validation and returns a token.
To get started with passwordless sign-in, complete the following how-to:
FIDO2 security keys are an unphishable standards-based passwordless authenticati
Users can register and then select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC. With a hardware device that handles the authentication, the security of an account is increased as there's no password that could be exposed or guessed.
-FIDO2 security keys can be used to sign in to their Azure AD or hybrid Azure AD joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor.
+FIDO2 security keys can be used to sign in to their Microsoft Entra ID or Microsoft Entra hybrid joined Windows 10 devices and get single-sign on to their cloud and on-premises resources. Users can also sign in to supported browsers. FIDO2 security keys are a great option for enterprises who are very security sensitive or have scenarios or employees who aren't willing or able to use their phone as a second factor.
-We have a reference document for which [browsers support FIDO2 authentication with Azure AD](fido2-compatibility.md), as well as best practices for developers wanting to [support FIDO2 auth in the applications they develop](../develop/support-fido2-authentication.md).
+We have a reference document for which [browsers support FIDO2 authentication with Microsoft Entra ID](fido2-compatibility.md), as well as best practices for developers wanting to [support FIDO2 auth in the applications they develop](../develop/support-fido2-authentication.md).
![Sign in to Microsoft Edge with a security key](./media/concept-authentication-passwordless/concept-web-sign-in-security-key.png)
The following process is used when a user signs in with a FIDO2 security key:
1. The user plugs the FIDO2 security key into their computer. 2. Windows detects the FIDO2 security key. 3. Windows sends an authentication request.
-4. Azure AD sends back a nonce.
+4. Microsoft Entra ID sends back a nonce.
5. The user completes their gesture to unlock the private key stored in the FIDO2 security key's secure enclave. 6. The FIDO2 security key signs the nonce with the private key.
-7. The primary refresh token (PRT) token request with signed nonce is sent to Azure AD.
-8. Azure AD verifies the signed nonce using the FIDO2 public key.
-9. Azure AD returns PRT to enable access to on-premises resources.
+7. The primary refresh token (PRT) token request with signed nonce is sent to Microsoft Entra ID.
+8. Microsoft Entra ID verifies the signed nonce using the FIDO2 public key.
+9. Microsoft Entra ID returns PRT to enable access to on-premises resources.
### FIDO2 security key providers
The following considerations apply:
- Users can register and manage these passwordless authentication methods in their account portal. - Users can sign in with these passwordless authentication methods:
- - Authenticator app: Works in scenarios where Azure AD authentication is used, including across all browsers, during Windows 10 setup, and with integrated mobile apps on any operating system.
+ - Authenticator app: Works in scenarios where Microsoft Entra authentication is used, including across all browsers, during Windows 10 setup, and with integrated mobile apps on any operating system.
- Security keys: Work on lock screen for Windows 10 and the web in supported browsers like Microsoft Edge (both legacy and new Edge). - Users can use passwordless credentials to access resources in tenants where they are a guest, but they may still be required to perform MFA in that resource tenant. For more information, see [Possible double multi-factor authentication](../external-identities/current-limitations.md#possible-double-multi-factor-authentication).
Here are some factors for you to consider when choosing Microsoft passwordless t
||**Windows Hello for Business**|**Passwordless sign-in with the Authenticator app**|**FIDO2 security keys**| |:-|:-|:-|:-|
-|**Pre-requisite**| Windows 10, version 1809 or later<br>Azure Active Directory| Authenticator app<br>Phone (iOS and Android devices)|Windows 10, version 1903 or later<br>Azure Active Directory|
+|**Pre-requisite**| Windows 10, version 1809 or later<br>Microsoft Entra ID| Authenticator app<br>Phone (iOS and Android devices)|Windows 10, version 1903 or later<br>Microsoft Entra ID|
|**Mode**|Platform|Software|Hardware| |**Systems and devices**|PC with a built-in Trusted Platform Module (TPM)<br>PIN and biometrics recognition |PIN and biometrics recognition on phone|FIDO2 security devices that are Microsoft compatible| |**User experience**|Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices.<br>Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources.|Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN.<br>Users sign in to work or personal account from their PC or mobile phone.|Sign in using FIDO2 security device (biometrics, PIN, and NFC)<br>User can access device based on organization controls and authenticate based on PIN, biometrics using devices such as USB security keys and NFC-enabled smartcards, keys, or wearables.|
Use the following table to choose which method will support your requirements an
## Next steps
-To get started with passwordless in Azure AD, complete one of the following how-tos:
+To get started with passwordless in Microsoft Entra ID, complete one of the following how-tos:
* [Enable FIDO2 security key passwordless sign-in](howto-authentication-passwordless-security-key.md) * [Enable phone-based passwordless sign-in with the Authenticator app](howto-authentication-passwordless-phone.md)
active-directory Concept Authentication Phone Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-phone-options.md
Title: Phone authentication methods
-description: Learn about using phone authentication methods in Azure Active Directory to help improve and secure sign-in events
+description: Learn about using phone authentication methods in Microsoft Entra ID to help improve and secure sign-in events
-# Customer intent: As an identity administrator, I want to understand how to use phone authentication methods in Azure AD to improve and secure user sign-in events.
+# Customer intent: As an identity administrator, I want to understand how to use phone authentication methods in Microsoft Entra ID to improve and secure user sign-in events.
-# Authentication methods in Azure Active Directory - phone options
+# Authentication methods in Microsoft Entra ID - phone options
-Microsoft recommends users move away from using text messages or voice calls for multifactor authentication (MFA). Modern authentication methods like [Microsoft Authenticator](concept-authentication-authenticator-app.md) are a recommended alternative. For more information, see [It's Time to Hang Up on Phone Transports for Authentication](https://aka.ms/hangup). Users can still verify themselves using a mobile phone or office phone as secondary form of authentication used for multifactor authentication (MFA) or self-service password reset (SSPR).
+Microsoft recommends users move away from using text messages or voice calls for multifactor authentication. Modern authentication methods like [Microsoft Authenticator](concept-authentication-authenticator-app.md) are a recommended alternative. For more information, see [It's Time to Hang Up on Phone Transports for Authentication](https://aka.ms/hangup). Users can still verify themselves using a mobile phone or office phone as secondary form of authentication used for multifactor authentication or self-service password reset (SSPR).
You can [configure and enable users for SMS-based authentication](howto-authentication-sms-signin.md) for direct authentication using text message. Text messages are convenient for Frontline workers. With text messages, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface. >[!NOTE]
->Phone call verification isn't available for Azure AD tenants with trial subscriptions. For example, if you sign up for a trial license Microsoft Enterprise Mobility and Security (EMS), phone call verification isn't available. Phone numbers must be provided in the format *+CountryCode PhoneNumber*, for example, *+1 4251234567*. There must be a space between the country/region code and the phone number.
+>Phone call verification isn't available for Microsoft Entra tenants with trial subscriptions. For example, if you sign up for a trial license Microsoft Enterprise Mobility and Security (EMS), phone call verification isn't available. Phone numbers must be provided in the format *+CountryCode PhoneNumber*, for example, *+1 4251234567*. There must be a space between the country/region code and the phone number.
## Mobile phone verification
-For Azure AD Multi-Factor Authentication or SSPR, users can choose to receive a text message with a verification code to enter in the sign-in interface, or receive a phone call.
+For Microsoft Entra multifactor authentication or SSPR, users can choose to receive a text message with a verification code to enter in the sign-in interface, or receive a phone call.
If users don't want their mobile phone number to be visible in the directory but want to use it for password reset, administrators shouldn't populate the phone number in the directory. Instead, users should populate their **Authentication Phone** at [My Sign-Ins](https://aka.ms/setupsecurityinfo). Administrators can see this information in the user's profile, but it's not published elsewhere.
If users don't want their mobile phone number to be visible in the directory but
> [!NOTE] > Phone extensions are supported only for office phones.
-Microsoft doesn't guarantee consistent text message or voice-based Azure AD Multi-Factor Authentication prompt delivery by the same number. In the interest of our users, we may add or remove short codes at any time as we make route adjustments to improve text message deliverability. Microsoft doesn't support short codes for countries/regions besides the United States and Canada.
+Microsoft doesn't guarantee consistent text message or voice-based Microsoft Entra multifactor authentication prompt delivery by the same number. In the interest of our users, we may add or remove short codes at any time as we make route adjustments to improve text message deliverability. Microsoft doesn't support short codes for countries/regions besides the United States and Canada.
> [!NOTE] > Starting July 2023, we will apply delivery method optimizations such that tenants with a free or trial subscription may receive a text message or voice call. ### Text message verification
-With text message verification during SSPR or Azure AD Multi-Factor Authentication, a text message is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.
+With text message verification during SSPR or Microsoft Entra multifactor authentication, a text message is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.
Text messages can be sent over channels such as Short Message Service (SMS), Rich Communication Services (RCS), or WhatsApp.
Some users with phone numbers that have country codes belonging to India, Indone
### Phone call verification
-With phone call verification during SSPR or Azure AD Multi-Factor Authentication, an automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to press # on their keypad.
+With phone call verification during SSPR or Microsoft Entra multifactor authentication, an automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to press # on their keypad.
The calling number that a user receives the voice call from differs for each country. See [phone call settings](howto-mfa-mfasettings.md#phone-call-settings) to view all possible voice call numbers. ## Office phone verification
-With office phone call verification during SSPR or Azure AD Multi-Factor Authentication, an automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to press # on their keypad.
+With office phone call verification during SSPR or Microsoft Entra multifactor authentication, an automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to press # on their keypad.
## Troubleshooting phone options
-If you have problems with phone authentication for Azure AD, review the following troubleshooting steps:
+If you have problems with phone authentication for Microsoft Entra ID, review the following troubleshooting steps:
* "You've hit our limit on verification calls" or "You've hit our limit on text verification codes" error messages during sign-in * Microsoft may limit repeated authentication attempts that are performed by the same user or organization in a short period of time. This limitation does not apply to Microsoft Authenticator or verification codes. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.
If you have problems with phone authentication for Azure AD, review the followin
* Call forwarded to voicemail. * Ensure that the user has their phone turned on and that service is available in their area, or use alternate method. * User is blocked
- * Have an Azure AD administrator unblock the user in the Microsoft Entra admin center.
+ * Have a Microsoft Entra administrator unblock the user in the Microsoft Entra admin center.
* Text messaging platforms like SMS, RCS, or WhatsApp aren't subscribed on the device. * Have the user change methods or activate a text messaging platform on the device. * Faulty telecom providers, such as when no phone input is detected, missing DTMF tones issues, blocked caller ID on multiple devices, or blocked text messages across multiple devices.
If you have problems with phone authentication for Azure AD, review the followin
* Phone number is blocked and unable to be used for Voice MFA
- - There are a few country codes blocked for voice MFA unless your Azure AD administrator has opted in for those country codes. Have your Azure AD administrator opt-in to receive MFA for those country codes.
+ - There are a few country codes blocked for voice MFA unless your Microsoft Entra administrator has opted in for those country codes. Have your Microsoft Entra administrator opt-in to receive MFA for those country codes.
- Or, use Microsoft Authenticator instead of voice authentication. ## Next steps
-To get started, see the [tutorial for self-service password reset (SSPR)][tutorial-sspr] and [Azure AD Multi-Factor Authentication][tutorial-azure-mfa].
+To get started, see the [tutorial for self-service password reset (SSPR)][tutorial-sspr] and [Microsoft Entra multifactor authentication][tutorial-azure-mfa].
-To learn more about SSPR concepts, see [How Azure AD self-service password reset works][concept-sspr].
+To learn more about SSPR concepts, see [How Microsoft Entra self-service password reset works][concept-sspr].
-To learn more about MFA concepts, see [How Azure AD Multi-Factor Authentication works][concept-mfa].
+To learn more about MFA concepts, see [How Microsoft Entra multifactor authentication works][concept-mfa].
Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
Learn more about configuring authentication methods using the [Microsoft Graph R
[concept-sspr]: concept-sspr-howitworks.md [concept-mfa]: concept-mfa-howitworks.md--
active-directory Concept Authentication Security Questions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-security-questions.md
Title: Security questions authentication method
-description: Learn about using security questions in Azure Active Directory to help improve and secure sign-in events
+description: Learn about using security questions in Microsoft Entra ID to help improve and secure sign-in events
-# Customer intent: As an identity administrator, I want to understand how to use security questions in Azure AD to improve and secure user sign-in events.
+# Customer intent: As an identity administrator, I want to understand how to use security questions in Microsoft Entra ID to improve and secure user sign-in events.
-# Authentication methods in Azure Active Directory - security questions
+# Authentication methods in Microsoft Entra ID - security questions
Security questions aren't used as an authentication method during a sign-in event. Instead, security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security questions as verification method with SSPR.
For both default and custom security questions, the following requirements and l
To get started, see the [tutorial for self-service password reset (SSPR)][tutorial-sspr].
-To learn more about SSPR concepts, see [How Azure AD self-service password reset works][concept-sspr].
+To learn more about SSPR concepts, see [How Microsoft Entra self-service password reset works][concept-sspr].
Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
active-directory Concept Authentication Strengths https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-strengths.md
Title: Overview of Azure Active Directory authentication strength
-description: Learn how admins can use Azure AD Conditional Access to distinguish which authentication methods can be used based on relevant security factors.
+ Title: Overview of Microsoft Entra authentication strength
+description: Learn how admins can use Microsoft Entra Conditional Access to distinguish which authentication methods can be used based on relevant security factors.
Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + text message.
-Authentication strength is based on the [Authentication methods policy](concept-authentication-methods.md), where administrators can scope authentication methods for specific users and groups to be used across Azure Active Directory (Azure AD) federated applications. Authentication strength allows further control over the usage of these methods based upon specific scenarios such as sensitive resource access, user risk, location, and more.
+Authentication strength is based on the [Authentication methods policy](concept-authentication-methods.md), where administrators can scope authentication methods for specific users and groups to be used across Microsoft Entra ID federated applications. Authentication strength allows further control over the usage of these methods based upon specific scenarios such as sensitive resource access, user risk, location, and more.
Administrators can specify an authentication strength to access a resource by creating a Conditional Access policy with the **Require authentication strength** control. They can choose from three built-in authentication strengths: **Multifactor authentication strength**, **Passwordless MFA strength**, and **Phishing-resistant MFA strength**. They can also create a custom authentication strength based on the authentication method combinations they want to allow.
An authentication strength can include a combination of authentication methods.
Or -- Azure AD Certificate-Based Authentication (Multi-Factor)
+- Microsoft Entra Certificate-Based Authentication (Multi-Factor)
:::image type="content" border="true" source="./media/concept-authentication-strengths/authentication-strength-definitions.png" alt-text="Screenshot showing the phishing-resistant MFA strength definition.":::
Users may register for authentications for which they are enabled, and in other
### How an authentication strength policy is evaluated during sign-in
-The authentication strength Conditional Access policy defines which methods can be used. Azure AD checks the policy during sign-in to determine the userΓÇÖs access to the resource. For example, an administrator configures a Conditional Access policy with a custom authentication strength that requires FIDO2 Security Key or Password + text message. The user accesses a resource protected by this policy. During sign-in, all settings are checked to determine which methods are allowed, which methods are registered, and which methods are required by the Conditional Access policy. To be used, a method must be allowed, registered by the user (either before or as part of the access request), and satisfy the authentication strength.
+The authentication strength Conditional Access policy defines which methods can be used. Microsoft Entra ID checks the policy during sign-in to determine the userΓÇÖs access to the resource. For example, an administrator configures a Conditional Access policy with a custom authentication strength that requires FIDO2 Security Key or Password + text message. The user accesses a resource protected by this policy. During sign-in, all settings are checked to determine which methods are allowed, which methods are registered, and which methods are required by the Conditional Access policy. To be used, a method must be allowed, registered by the user (either before or as part of the access request), and satisfy the authentication strength.
### How multiple Conditional Access authentication strength policies are evaluated
The following factors determine if the user gains access to the resource:
- Which methods are allowed for user sign-in in the Authentication methods policy? - Is the user registered for any available method?
-When a user accesses a resource protected by an authentication strength Conditional Access policy, Azure AD evaluates if the methods they have previously used satisfy the authentication strength. If a satisfactory method was used, Azure AD grants access to the resource. For example, let's say a user signs in with password + text message. They access a resource protected by MFA authentication strength. In this case, the user can access the resource without another authentication prompt.
+When a user accesses a resource protected by an authentication strength Conditional Access policy, Microsoft Entra ID evaluates if the methods they have previously used satisfy the authentication strength. If a satisfactory method was used, Microsoft Entra ID grants access to the resource. For example, let's say a user signs in with password + text message. They access a resource protected by MFA authentication strength. In this case, the user can access the resource without another authentication prompt.
Let's suppose they next access a resource protected by Phishing-resistant MFA authentication strength. At this point, they'll be prompted to provide a phishing-resistant authentication method, such as Windows Hello for Business.
The following authentication methods can't be registered as part of combined reg
### Federated user experience
-For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider by setting the federatedIdpMfaBehavior. If the federatedIdpMfaBehavior setting is set to enforceMfaByFederatedIdp, the user must authenticate on their federated IdP and can only satisfy the **Federated Multi-Factor** combination of the authentication strength requirement. For more information about the federation settings, see [Plan support for MFA](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md#plan-support-for-mfa).
+For federated domains, MFA may be enforced by Microsoft Entra Conditional Access or by the on-premises federation provider by setting the federatedIdpMfaBehavior. If the federatedIdpMfaBehavior setting is set to enforceMfaByFederatedIdp, the user must authenticate on their federated IdP and can only satisfy the **Federated Multi-Factor** combination of the authentication strength requirement. For more information about the federation settings, see [Plan support for MFA](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md#plan-support-for-mfa).
If a user from a federated domain has multifactor authentication settings in scope for Staged Rollout, the user can complete multifactor authentication in the cloud and satisfy any of the **Federated single-factor + something you have** combinations. For more information about staged rollout, see [Enable Staged Rollout](how-to-mfa-server-migration-utility.md#enable-staged-rollout).
If a user from a federated domain has multifactor authentication settings in sco
The Authentication methods policy is especially useful for restricting external access to sensitive apps in your organization because you can enforce specific authentication methods, such as phishing-resistant methods, for external users.
-When you apply an authentication strength Conditional Access policy to external Azure AD users, the policy works together with MFA trust settings in your cross-tenant access settings to determine where and how the external user must perform MFA. An Azure AD user authenticates in their home Azure AD tenant. Then when they access your resource, Azure AD applies the policy and checks to see if you've enabled MFA trust. Note that enabling MFA trust is optional for B2B collaboration but is *required* for [B2B direct connect](../external-identities/b2b-direct-connect-overview.md#multi-factor-authentication-mfa).
+When you apply an authentication strength Conditional Access policy to external Microsoft Entra users, the policy works together with MFA trust settings in your cross-tenant access settings to determine where and how the external user must perform MFA. A Microsoft Entra user authenticates in their home Microsoft Entra tenant. Then when they access your resource, Microsoft Entra ID applies the policy and checks to see if you've enabled MFA trust. Note that enabling MFA trust is optional for B2B collaboration but is *required* for [B2B direct connect](../external-identities/b2b-direct-connect-overview.md#multi-factor-authentication-mfa).
-In external user scenarios, the authentication methods that can satisfy authentication strength vary, depending on whether the user is completing MFA in their home tenant or the resource tenant. The following table indicates the allowed methods in each tenant. If a resource tenant has opted to trust claims from external Azure AD organizations, only those claims listed in the ΓÇ£Home tenantΓÇ¥ column below will be accepted by the resource tenant for MFA. If the resource tenant has disabled MFA trust, the external user must complete MFA in the resource tenant using one of the methods listed in the ΓÇ£Resource tenantΓÇ¥ column.
+In external user scenarios, the authentication methods that can satisfy authentication strength vary, depending on whether the user is completing MFA in their home tenant or the resource tenant. The following table indicates the allowed methods in each tenant. If a resource tenant has opted to trust claims from external Microsoft Entra organizations, only those claims listed in the ΓÇ£Home tenantΓÇ¥ column below will be accepted by the resource tenant for MFA. If the resource tenant has disabled MFA trust, the external user must complete MFA in the resource tenant using one of the methods listed in the ΓÇ£Resource tenantΓÇ¥ column.
|Authentication method |Home tenant | Resource tenant | ||||
For more information about how to set authentication strengths for external user
### User experience for external users
-An authentication strength Conditional Access policy works together with [MFA trust settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) in your cross-tenant access settings. First, an Azure AD user authenticates with their own account in their home tenant. Then when this user tries to access your resource, Azure AD applies the authentication strength Conditional Access policy and checks to see if you've enabled MFA trust.
+An authentication strength Conditional Access policy works together with [MFA trust settings](../external-identities/cross-tenant-access-settings-b2b-collaboration.md#to-change-inbound-trust-settings-for-mfa-and-device-claims) in your cross-tenant access settings. First, a Microsoft Entra user authenticates with their own account in their home tenant. Then when this user tries to access your resource, Microsoft Entra ID applies the authentication strength Conditional Access policy and checks to see if you've enabled MFA trust.
-- **If MFA trust is enabled**, Azure AD checks the user's authentication session for a claim indicating that MFA has been fulfilled in the user's home tenant. See the preceding table for authentication methods that are acceptable for MFA when completed in an external user's home tenant. If the session contains a claim indicating that MFA policies have already been met in the user's home tenant, and the methods satisfy the authentication strength requirements, the user is allowed access. Otherwise, Azure AD presents the user with a challenge to complete MFA in the home tenant using an acceptable authentication method.-- **If MFA trust is disabled**, Azure AD presents the user with a challenge to complete MFA in the resource tenant using an acceptable authentication method. (See the table above for authentication methods that are acceptable for MFA by an external user.)
+- **If MFA trust is enabled**, Microsoft Entra ID checks the user's authentication session for a claim indicating that MFA has been fulfilled in the user's home tenant. See the preceding table for authentication methods that are acceptable for MFA when completed in an external user's home tenant. If the session contains a claim indicating that MFA policies have already been met in the user's home tenant, and the methods satisfy the authentication strength requirements, the user is allowed access. Otherwise, Microsoft Entra ID presents the user with a challenge to complete MFA in the home tenant using an acceptable authentication method.
+- **If MFA trust is disabled**, Microsoft Entra ID presents the user with a challenge to complete MFA in the resource tenant using an acceptable authentication method. (See the table above for authentication methods that are acceptable for MFA by an external user.)
## Limitations
The following known issues are currently being addressed:
## FAQ ### Should I use authentication strength or the Authentication methods policy?
-Authentication strength is based on the Authentication methods policy. The Authentication methods policy helps to scope and configure authentication methods to be used across Azure AD by specific users and groups. Authentication strength allows another restriction of methods for specific scenarios, such as sensitive resource access, user risk, location, and more.
+Authentication strength is based on the Authentication methods policy. The Authentication methods policy helps to scope and configure authentication methods to be used across Microsoft Entra ID by specific users and groups. Authentication strength allows another restriction of methods for specific scenarios, such as sensitive resource access, user risk, location, and more.
For example, the administrator of Contoso wants to allow their users to use Microsoft Authenticator with either push notifications or passwordless authentication mode. The administrator goes to the Microsoft Authenticator settings in the Authentication method policy, scopes the policy for the relevant users and set the **Authentication mode** to **Any**.
As a result, users in Contoso can access most of the resources in the tenant usi
## Prerequisites -- **Azure AD Premium P1** - Your tenant needs to have Azure AD Premium P1 license to use Conditional Access. If needed, you can enable a [free trial](https://www.microsoft.com/security/business/get-started/start-free-trial).
+- **Microsoft Entra ID P1** - Your tenant needs to have Microsoft Entra ID P1 license to use Conditional Access. If needed, you can enable a [free trial](https://www.microsoft.com/security/business/get-started/start-free-trial).
- **Enable combined registration** - Authentication strengths are supported when using [combined MFA and SSPR registration](howto-registration-mfa-sspr-combined.md). Using the legacy registration will result in poor user experience as the user may register methods that aren't required by the authentication method policy. ## Next steps
active-directory Concept Authentication Web Browser Cookies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-web-browser-cookies.md
Title: Web browser cookies used in Azure Active Directory authentication
-description: Learn about Web browser cookies used in Azure Active Directory authentication.
+ Title: Web browser cookies used in Microsoft Entra authentication
+description: Learn about Web browser cookies used in Microsoft Entra authentication.
-# Customer intent: As an Azure AD administrator, I want to understand which weh browser cookies are used for Azure AD.
+# Customer intent: As a Microsoft Entra administrator, I want to understand which weh browser cookies are used for Microsoft Entra ID.
-# Web browser cookies used in Azure Active Directory authentication
+# Web browser cookies used in Microsoft Entra authentication
-During authentication against Azure Active Directory (Azure AD) through a web browser, multiple cookies are involved in the process. Some of the cookies are common on all requests. Other cookies are used for specific authentication flows or specific client-side conditions.
+During authentication against Microsoft Entra ID through a web browser, multiple cookies are involved in the process. Some of the cookies are common on all requests. Other cookies are used for specific authentication flows or specific client-side conditions.
Persistent session tokens are stored as persistent cookies on the web browser's cookie jar. Non-persistent session tokens are stored as session cookies on the web browser, and are destroyed when the browser session is closed.
Persistent session tokens are stored as persistent cookies on the web browser's
| ESTSAUTHPERSISTENT | Common | Contains user's session information to facilitate SSO. Persistent. | | ESTSAUTHLIGHT | Common | Contains Session GUID Information. Lite session state cookie used exclusively by client-side JavaScript in order to facilitate OIDC sign-out. Security feature. | | SignInStateCookie | Common | Contains list of services accessed to facilitate sign-out. No user information. Security feature. |
-| CCState | Common | Contains session information state to be used between Azure AD and the [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). |
+| CCState | Common | Contains session information state to be used between Microsoft Entra ID and the [Microsoft Entra Backup Authentication Service](../conditional-access/resilience-defaults.md). |
| build | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. | | fpc | Common | Tracks browser related information. Used for tracking requests and throttling. | | esctx | Common | Session context cookie information. For CSRF protection. Binds a request to a specific browser instance so the request can't be replayed outside the browser. No user information. |
Persistent session tokens are stored as persistent cookies on the web browser's
| clrc | Common | Client-side cookie (set by JavaScript) to control local cached sessions on the client. | | CkTst | Common | Client-side cookie (set by JavaScript). No longer in active use. | | wlidperf | Common | Client-side cookie (set by JavaScript) that tracks local time for performance purposes. |
-| x-ms-gateway-slice | Common | Azure AD Gateway cookie used for tracking and load balance purposes. |
-| stsservicecookie | Common | Azure AD Gateway cookie also used for tracking purposes. |
+| x-ms-gateway-slice | Common | Microsoft Entra Gateway cookie used for tracking and load balance purposes. |
+| stsservicecookie | Common | Microsoft Entra Gateway cookie also used for tracking purposes. |
| x-ms-refreshtokencredential | Specific | Available when [Primary Refresh Token (PRT)](../devices/concept-primary-refresh-token.md) is in use. | | estsStateTransient | Specific | Applicable to new session information model only. Transient. | | estsStatePersistent | Specific | Same as estsStateTransient, but persistent. | | ESTSNCLOGIN | Specific | National Cloud Login related Cookie. | | UsGovTraffic | Specific | US Gov Cloud Traffic Cookie. | | ESTSWCTXFLOWTOKEN | Specific | Saves flowToken information when redirecting to ADFS. |
-| CcsNtv | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). Native flows. |
-| CcsWeb | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md). Web flows. |
-| Ccs* | Specific | Cookies with prefix Ccs*, have the same purpose as the ones without prefix, but only apply when [Azure AD Backup Authentication Service](../conditional-access/resilience-defaults.md) is in use. |
+| CcsNtv | Specific | To control when Microsoft Entra Gateway will send requests to [Microsoft Entra Backup Authentication Service](../conditional-access/resilience-defaults.md). Native flows. |
+| CcsWeb | Specific | To control when Microsoft Entra Gateway will send requests to [Microsoft Entra Backup Authentication Service](../conditional-access/resilience-defaults.md). Web flows. |
+| Ccs* | Specific | Cookies with prefix Ccs*, have the same purpose as the ones without prefix, but only apply when [Microsoft Entra Backup Authentication Service](../conditional-access/resilience-defaults.md) is in use. |
| threxp | Specific | Used for throttling control. | | rrc | Specific | Cookie used to identify a recent B2B invitation redemption. | | debug | Specific | Cookie used to track if user's browser session is enabled for DebugMode. |
Persistent session tokens are stored as persistent cookies on the web browser's
> [!NOTE] > Cookies identified as client-side cookies are set locally on the client device by JavaScript, hence, will be marked with HttpOnly=false. >
-> Cookie definitions and respective names are subject to change at any moment in time according to Azure AD service requirements.
+> Cookie definitions and respective names are subject to change at any moment in time according to Microsoft Entra service requirements.
## Next steps
-To learn more about self-service password reset concepts, see [How Azure AD self-service password reset works][concept-sspr].
+To learn more about self-service password reset concepts, see [How Microsoft Entra self-service password reset works][concept-sspr].
-To learn more about multi-factor authentication concepts, see [How Azure AD Multi-Factor Authentication works][concept-mfa].
+To learn more about multifactor authentication concepts, see [How Microsoft Entra multifactor authentication works][concept-mfa].
<!-- INTERNAL LINKS --> [concept-sspr]: concept-sspr-howitworks.md [concept-mfa]: concept-mfa-howitworks.md-
active-directory Concept Certificate Based Authentication Certificateuserids https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md
Title: Certificate user IDs for Azure AD certificate-based authentication
-description: Learn about certificate user IDs for Azure AD certificate-based authentication without federation
+ Title: Certificate user IDs for Microsoft Entra certificate-based authentication
+description: Learn about certificate user IDs for Microsoft Entra certificate-based authentication without federation
# Certificate user IDs
-Users in Azure AD can have a multivalued attribute named **certificateUserIds**. The attribute allows up to four values, and each value can be of 120-character length. It can store any value and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.
+Users in Microsoft Entra ID can have a multivalued attribute named **certificateUserIds**. The attribute allows up to four values, and each value can be of 120-character length. It can store any value and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.
## Supported patterns for certificate user IDs
The values stored in **certificateUserIds** should be in the format described in
For cloud-only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds. Cloud-only users can use both UX and MSGraph to write into certificateUserIds. For synched users, AD users with role **Hybrid Identity Administrator** can write into the attribute. Only Azure ADConnect can be used to update CertificateUserIds by syncing the value from on-prem for synched users. >[!NOTE]
->Active Directory Administrators (including accounts with delegated administrative privilege over synched user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Azure AD for any synched accounts.
+>Active Directory Administrators (including accounts with delegated administrative privilege over synched user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Microsoft Entra ID for any synched accounts.
## Update certificate user IDs
For the configuration, you can use the [Azure Active Directory PowerShell Versio
Update-MgUser -UserId $userObjectId -AuthorizationInfo $user.AuthorizationInfo ```
-## Update certificate user IDs using Azure AD Connect
+<a name='update-certificate-user-ids-using-azure-ad-connect'></a>
-To update certificate user IDs for federated users, configure Azure AD Connect to sync userPrincipalName to certificateUserIds.
+## Update certificate user IDs using Microsoft Entra Connect
-1. On the Azure AD Connect server, find and start the **Synchronization Rules Editor**.
+To update certificate user IDs for federated users, configure Microsoft Entra Connect to sync userPrincipalName to certificateUserIds.
+
+1. On the Microsoft Entra Connect server, find and start the **Synchronization Rules Editor**.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/sync-rules-editor.png" alt-text="Screenshot of Synchronization Rules Editor.":::
To update certificate user IDs for federated users, configure Azure AD Connect t
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/outbound.png" alt-text="Screenshot of outbound synchronization rule.":::
-1. Find the rule **Out to AAD ΓÇô User Identity**, click **Edit**, and click **Yes** to confirm.
+1. Find the rule **Out to Microsoft Entra ID ΓÇô User Identity**, click **Edit**, and click **Yes** to confirm.
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-certificateuserids/user-identity.png" alt-text="Screenshot of user identity.":::
To synchronize X509:\<RFC822>RFC822Name, create an outbound synchronization rule
1. Click **OK** to confirm. > [!NOTE]
-> Make sure you use the latest version of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594).
+> Make sure you use the latest version of [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594).
+
+For more information about declarative provisioning expressions, see [Microsoft Entra Connect: Declarative Provisioning Expressions](../hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning-expressions.md).
-For more information about declarative provisioning expressions, see [Azure AD Connect: Declarative Provisioning Expressions](../hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning-expressions.md).
+<a name='synchronize-alternativesecurityid-attribute-from-ad-to-azure-ad-cba-certificateuserids'></a>
-## Synchronize alternativeSecurityId attribute from AD to Azure AD CBA CertificateUserIds
+## Synchronize alternativeSecurityId attribute from AD to Microsoft Entra CBA CertificateUserIds
AlternativeSecurityId isn't part of the default attributes. An administrator needs to add the attribute to the person object, and then create the appropriate synchronization rules.
alt-security-identity-add.
|Option | Value | |-|-|
- |Name | Descriptive name of the rule, such as: Out to AAD - certificateUserIds |
- |Connected System | Your Azure AD domain |
+ |Name | Descriptive name of the rule, such as: Out to Microsoft Entra ID - certificateUserIds |
+ |Connected System | Your Microsoft Entra domain |
|Connected System Object Type | user | |Metaverse Object Type | person | |Precedence | Choose a random high number not currently used |
IIF(IsPresent([alternativeSecurityId]),
## Next steps -- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)-- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md)-- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)-- [Azure AD CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)-- [Azure AD CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)-- [Windows smart card logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)
+- [Overview of Microsoft Entra CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Microsoft Entra CBA](concept-certificate-based-authentication-technical-deep-dive.md)
+- [How to configure Microsoft Entra CBA](how-to-certificate-based-authentication.md)
+- [Microsoft Entra CBA on iOS devices](concept-certificate-based-authentication-mobile-ios.md)
+- [Microsoft Entra CBA on Android devices](concept-certificate-based-authentication-mobile-android.md)
+- [Windows smart card logon using Microsoft Entra CBA](concept-certificate-based-authentication-smartcard.md)
- [How to migrate federated users](concept-certificate-based-authentication-migration.md) - [FAQ](certificate-based-authentication-faq.yml)
active-directory Concept Certificate Based Authentication Limitations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-limitations.md
Title: Limitations with Azure AD certificate-based authentication without federation
-description: Learn supported and unsupported scenarios for Azure AD certificate-based authentication
+ Title: Limitations with Microsoft Entra certificate-based authentication without federation
+description: Learn supported and unsupported scenarios for Microsoft Entra certificate-based authentication
-# Limitations with Azure AD certificate-based authentication
+# Limitations with Microsoft Entra certificate-based authentication
-This topic covers supported and unsupported scenarios for Azure Active Directory (Azure AD) certificate-based authentication.
+This topic covers supported and unsupported scenarios for Microsoft Entra certificate-based authentication.
## Supported scenarios
The following scenarios aren't supported:
## Next steps -- [Overview of Azure AD CBA](concept-certificate-based-authentication.md)-- [Technical deep dive for Azure AD CBA](concept-certificate-based-authentication-technical-deep-dive.md) -- [How to configure Azure AD CBA](how-to-certificate-based-authentication.md)-- [Windows SmartCard logon using Azure AD CBA](concept-certificate-based-authentication-smartcard.md)-- [Azure AD CBA on mobile devices (Android and iOS)](./concept-certificate-based-authentication-mobile-ios.md)
+- [Overview of Microsoft Entra CBA](concept-certificate-based-authentication.md)
+- [Technical deep dive for Microsoft Entra CBA](concept-certificate-based-authentication-technical-deep-dive.md)
+- [How to configure Microsoft Entra CBA](how-to-certificate-based-authentication.md)
+- [Windows SmartCard logon using Microsoft Entra CBA](concept-certificate-based-authentication-smartcard.md)
+- [Microsoft Entra CBA on mobile devices (Android and iOS)](./concept-certificate-based-authentication-mobile-ios.md)
- [CertificateUserIDs](concept-certificate-based-authentication-certificateuserids.md) - [How to migrate federated users](concept-certificate-based-authentication-migration.md) - [FAQ](certificate-based-authentication-faq.yml)
active-directory Concept Certificate Based Authentication Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-migration.md
Title: Migrate from federation to Azure AD CBA
-description: Learn how to migrate from Federated server to Azure AD
+ Title: Migrate from federation to Microsoft Entra CBA
+description: Learn how to migrate from Federated server to Microsoft Entra ID
-# Migrate from federation to Azure AD certificate-based authentication (CBA)
+# Migrate from federation to Microsoft Entra certificate-based authentication (CBA)
-This article explains how to migrate from running federated servers such as Active Directory Federation Services (AD FS) on-premises to cloud authentication using Azure Active Directory (Azure AD) certificate-based authentication (CBA).
+This article explains how to migrate from running federated servers such as Active Directory Federation Services (AD FS) on-premises to cloud authentication using Microsoft Entra certificate-based authentication (CBA).
## Staged Rollout
-[Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md) helps customers transition from AD FS to Azure AD by testing cloud authentication with selected groups of users before switching the entire tenant.
+[Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md) helps customers transition from AD FS to Microsoft Entra ID by testing cloud authentication with selected groups of users before switching the entire tenant.
## Enable Staged Rollout for certificate-based authentication on your tenant
This article explains how to migrate from running federated servers such as Acti
To configure Staged Rollout, follow these steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [User Administrator](../roles/permissions-reference.md#user-administrator).
-1. Search for and select **Azure AD Connect**.
-1. On the Azure AD Connect page, under the Staged Rollout of cloud authentication, click **Enable Staged Rollout for managed user sign-in**.
+1. Search for and select **Microsoft Entra Connect**.
+1. On the Microsoft Entra Connect page, under the Staged Rollout of cloud authentication, click **Enable Staged Rollout for managed user sign-in**.
1. On the **Enable Staged Rollout** feature page, click **On** for the option [Certificate-based authentication](./certificate-based-authentication-federation-get-started.md) 1. Click **Manage groups** and add groups you want to be part of cloud authentication. To avoid a time-out, ensure that the security groups contain no more than 200 members initially. For more information, see [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). >[!NOTE]
-> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Azure AD. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.
+> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Microsoft Entra ID. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.
-## Use Azure AD connect to update certificateUserIds attribute
+<a name='use-azure-ad-connect-to-update-certificateuserids-attribute'></a>
-An AD FS admin can use **Synchronization Rules Editor** to create rules to sync the values of attributes from AD FS to Azure AD user objects. For more information, see [Sync rules for certificateUserIds](concept-certificate-based-authentication-certificateuserids.md#update-certificate-user-ids-using-azure-ad-connect).
+## Use Microsoft Entra Connect to update certificateUserIds attribute
-Azure AD Connect requires a special role named **Hybrid Identity Administrator**, which grants the necessary permissions. You need this role for permission to write to the new cloud attribute.
+An AD FS admin can use **Synchronization Rules Editor** to create rules to sync the values of attributes from AD FS to Microsoft Entra user objects. For more information, see [Sync rules for certificateUserIds](concept-certificate-based-authentication-certificateuserids.md#update-certificate-user-ids-using-azure-ad-connect).
+
+Microsoft Entra Connect requires a special role named **Hybrid Identity Administrator**, which grants the necessary permissions. You need this role for permission to write to the new cloud attribute.
>[!NOTE]
->If a user is using synchronized attributes, such as the onPremisesUserPrincipalName attribute in the user object for username binding, be aware that any user that has administrative access to the Azure AD Connect server can change the synchronized attribute mapping, and change the value of the synchronized attribute. The user does not need to be a cloud admin. The AD FS admin should make sure the administrative access to the Azure AD Connect server should be limite