Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Aad Sspr Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/aad-sspr-technical-profile.md | Title: Azure AD SSPR technical profiles in custom policies + Title: Microsoft Entra SSPR technical profiles in custom policies -description: Custom policy reference for Azure AD SSPR technical profiles in Azure AD B2C. +description: Custom policy reference for Microsoft Entra SSPR technical profiles in Azure AD B2C. -# Define an Azure AD SSPR technical profile in an Azure AD B2C custom policy +# Define a Microsoft Entra SSPR technical profile in an Azure AD B2C custom policy [!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)] -Azure Active Directory B2C (Azure AD B2C) provides support for verifying an email address for self-service password reset (SSPR). Use the Azure AD SSPR technical profile to generate and send a code to an email address, and then verify the code. The Azure AD SSPR technical profile may also return an error message. The validation technical profile validates the user-provided data before the user journey continues. With the validation technical profile, an error message displays on a self-asserted page. +Azure Active Directory B2C (Azure AD B2C) provides support for verifying an email address for self-service password reset (SSPR). Use the Microsoft Entra SSPR technical profile to generate and send a code to an email address, and then verify the code. The Microsoft Entra SSPR technical profile may also return an error message. The validation technical profile validates the user-provided data before the user journey continues. With the validation technical profile, an error message displays on a self-asserted page. This technical profile: - Doesn't provide an interface to interact with the user. Instead, the user interface is called from a [self-asserted](self-asserted-technical-profile.md) technical profile, or a [display control](display-controls.md) as a [validation technical profile](validation-technical-profile.md).-- Uses the Azure AD SSPR service to generate and send a code to an email address, and then verifies the code.+- Uses the Microsoft Entra SSPR service to generate and send a code to an email address, and then verifies the code. - Validates an email address via a verification code. ## Protocol The **Name** attribute of the **Protocol** element needs to be set to `Proprieta Web.TPEngine.Providers.AadSsprProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ``` -The following example shows an Azure AD SSPR technical profile: +The following example shows a Microsoft Entra SSPR technical profile: ```xml <TechnicalProfile Id="AadSspr-SendCode"> The first mode of this technical profile is to generate a code and send it. The ### Input claims -The **InputClaims** element contains a list of claims to send to Azure AD SSPR. You can also map the name of your claim to the name defined in the SSPR technical profile. +The **InputClaims** element contains a list of claims to send to Microsoft Entra SSPR. You can also map the name of your claim to the name defined in the SSPR technical profile. | ClaimReferenceId | Required | Description | | | -- | -- | | emailAddress | Yes | The identifier for the user who owns the email address. The `PartnerClaimType` property of the input claim must be set to `emailAddress`. | -The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before sending to the Azure AD SSPR service. +The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before sending to the Microsoft Entra SSPR service. ### Output claims -The Azure AD SSPR protocol provider does not return any **OutputClaims**, thus there is no need to specify output claims. You can, however, include claims that aren't returned by the Azure AD SSPR protocol provider as long as you set the `DefaultValue` attribute. +The Microsoft Entra SSPR protocol provider does not return any **OutputClaims**, thus there is no need to specify output claims. You can, however, include claims that aren't returned by the Microsoft Entra SSPR protocol provider as long as you set the `DefaultValue` attribute. The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones. The following metadata can be used to configure the error messages displayed upo ### Example: send an email -The following example shows an Azure AD SSPR technical profile that is used to send a code via email. +The following example shows a Microsoft Entra SSPR technical profile that is used to send a code via email. ```xml <TechnicalProfile Id="AadSspr-SendCode"> The second mode of this technical profile is to verify a code. The following opt ### Input claims -The **InputClaims** element contains a list of claims to send to Azure AD SSPR. You can also map the name of your claim to the name defined in the SSPR technical profile. +The **InputClaims** element contains a list of claims to send to Microsoft Entra SSPR. You can also map the name of your claim to the name defined in the SSPR technical profile. | ClaimReferenceId | Required | Description | | | -- | -- | -- | | emailAddress| Yes | Same email address as previously used to send a code. It is also used to locate an email verification session. The `PartnerClaimType` property of the input claim must be set to `emailAddress`.| | verificationCode | Yes | The verification code provided by the user to be verified. The `PartnerClaimType` property of the input claim must be set to `verificationCode`. | -The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before calling the Azure AD SSPR service. +The **InputClaimsTransformations** element may contain a collection of **InputClaimsTransformation** elements that are used to modify the input claims or generate new ones before calling the Microsoft Entra SSPR service. ### Output claims -The Azure AD SSPR protocol provider does not return any **OutputClaims**, thus there is no need to specify output claims. You can, however, include claims that aren't returned by the Azure AD SSPR protocol provider as long as you set the `DefaultValue` attribute. +The Microsoft Entra SSPR protocol provider does not return any **OutputClaims**, thus there is no need to specify output claims. You can, however, include claims that aren't returned by the Microsoft Entra SSPR protocol provider as long as you set the `DefaultValue` attribute. The **OutputClaimsTransformations** element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones. The following metadata can be used to configure the error messages displayed upo ### Example: verify a code -The following example shows an Azure AD SSPR technical profile used to verify the code. +The following example shows a Microsoft Entra SSPR technical profile used to verify the code. ```xml <TechnicalProfile Id="AadSspr-VerifyCode"> |
active-directory-b2c | Access Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/access-tokens.md | An *access token* contains claims that you can use in Azure Active Directory B2C This article shows you how to request an access token for a web application and web API. For more information about tokens in Azure AD B2C, see the [overview of tokens in Azure Active Directory B2C](tokens-overview.md). > [!NOTE]-> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls a another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Azure AD, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Azure AD or Azure AD B2C) that is issuing the tokens. +> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls a another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Microsoft Entra ID, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Microsoft Entra ID or Azure AD B2C) that is issuing the tokens. ## Prerequisites |
active-directory-b2c | Active Directory Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/active-directory-technical-profile.md | Title: Define an Azure AD technical profile in a custom policy + Title: Define a Microsoft Entra technical profile in a custom policy -description: Define an Azure Active Directory technical profile in a custom policy in Azure Active Directory B2C. +description: Define a Microsoft Entra technical profile in a custom policy in Azure Active Directory B2C. -# Define an Azure Active Directory technical profile in an Azure Active Directory B2C custom policy +# Define a Microsoft Entra technical profile in an Azure Active Directory B2C custom policy [!INCLUDE [active-directory-b2c-advanced-audience-warning](../../includes/active-directory-b2c-advanced-audience-warning.md)] -Azure Active Directory B2C (Azure AD B2C) provides support for the Azure Active Directory user management. This article describes the specifics of a technical profile for interacting with a claims provider that supports this standardized protocol. +Azure Active Directory B2C (Azure AD B2C) provides support for the Microsoft Entra user management. This article describes the specifics of a technical profile for interacting with a claims provider that supports this standardized protocol. ## Protocol The **Name** attribute of the **Protocol** element needs to be set to `Proprietary`. The **handler** attribute must contain the fully qualified name of the protocol handler assembly `Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null`. -Following [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) Azure AD technical profiles include the **AAD-Common** technical profile. The Azure AD technical profiles don't specify the protocol because the protocol is configured in the **AAD-Common** technical profile: +Following [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) Microsoft Entra technical profiles include the **AAD-Common** technical profile. The Microsoft Entra technical profiles don't specify the protocol because the protocol is configured in the **AAD-Common** technical profile: - **AAD-UserReadUsingAlternativeSecurityId** and **AAD-UserReadUsingAlternativeSecurityId-NoError** - Look up a social account in the directory. - **AAD-UserWriteUsingAlternativeSecurityId** - Create a new social account. The following example shows the **AAD-Common** technical profile: ## InputClaims -The InputClaims element contains a claim, which is used to look up an account in the directory, or create a new one. There must be exactly one InputClaim element in the input claims collection for all Azure AD technical profiles. You may need to map the name of the claim defined in your policy to the name defined in Azure Active Directory. +The InputClaims element contains a claim, which is used to look up an account in the directory, or create a new one. There must be exactly one InputClaim element in the input claims collection for all Microsoft Entra technical profiles. You may need to map the name of the claim defined in your policy to the name defined in Microsoft Entra ID. -To read, update, or delete an existing user account, the input claim is a key that uniquely identifies the account in Azure AD directory. For example, **objectId**, **userPrincipalName**, **signInNames.emailAddress**, **signInNames.userName**, or **alternativeSecurityId**. +To read, update, or delete an existing user account, the input claim is a key that uniquely identifies the account in Microsoft Entra directory. For example, **objectId**, **userPrincipalName**, **signInNames.emailAddress**, **signInNames.userName**, or **alternativeSecurityId**. To create a new user account, the input claim is a key that uniquely identifies a local or federated account. For example, local account: **signInNames.emailAddress**, or **signInNames.userName**. For a federated account: the **alternativeSecurityId**. The [InputClaimsTransformations](technicalprofiles.md#input-claims-transformatio ## OutputClaims -The **OutputClaims** element contains a list of claims returned by the Azure AD technical profile. You may need to map the name of the claim defined in your policy to the name defined in Azure Active Directory. You can also include claims that aren't returned by the Azure Active Directory, as long as you set the `DefaultValue` attribute. +The **OutputClaims** element contains a list of claims returned by the Microsoft Entra technical profile. You may need to map the name of the claim defined in your policy to the name defined in Microsoft Entra ID. You can also include claims that aren't returned by the Microsoft Entra ID, as long as you set the `DefaultValue` attribute. The [OutputClaimsTransformations](technicalprofiles.md#output-claims-transformations) element may contain a collection of **OutputClaimsTransformation** elements that are used to modify the output claims or generate new ones. For example, the **AAD-UserWriteUsingLogonEmail** technical profile creates a lo ## PersistedClaims -The **PersistedClaims** element contains all of the values that should be persisted by Azure AD with possible mapping information between a claim type already defined in the [ClaimsSchema](claimsschema.md) section in the policy and the Azure AD attribute name. +The **PersistedClaims** element contains all of the values that should be persisted by Microsoft Entra ID with possible mapping information between a claim type already defined in the [ClaimsSchema](claimsschema.md) section in the policy and the Microsoft Entra attribute name. The **AAD-UserWriteUsingLogonEmail** technical profile, which creates new local account, persists following claims: The **AAD-UserWriteUsingLogonEmail** technical profile, which creates new local </PersistedClaims> ``` -The name of the claim is the name of the Azure AD attribute unless the **PartnerClaimType** attribute is specified, which contains the Azure AD attribute name. +The name of the claim is the name of the Microsoft Entra attribute unless the **PartnerClaimType** attribute is specified, which contains the Microsoft Entra attribute name. ## Requirements of an operation -- There must be exactly one **InputClaim** element in the claims bag for all Azure AD technical profiles.+- There must be exactly one **InputClaim** element in the claims bag for all Microsoft Entra technical profiles. - The [user profile attributes article](user-profile-attributes.md) describes the supported Azure AD B2C user profile attributes you can use in the input claims, output claims, and persisted claims. - If the operation is `Write` or `DeleteClaims`, then it must also appear in a **PersistedClaims** element. - The value of the **userPrincipalName** claim must be in the format of `user@tenant.onmicrosoft.com`. - The **displayName** claim is required and cannot be an empty string. -## Azure AD technical profile operations +<a name='azure-ad-technical-profile-operations'></a> ++## Microsoft Entra technical profile operations ### Read The following settings can be used to configure the error message displayed upon ## Next steps -See the following article, for example of using Azure AD technical profile: +See the following article, for example of using Microsoft Entra technical profile: - [Add claims and customize user input using custom policies in Azure Active Directory B2C](configure-user-input.md) |
active-directory-b2c | Add Api Connector Token Enrichment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-api-connector-token-enrichment.md | Additionally, these claims are typically sent in all requests for this step: > [!IMPORTANT] > If a claim does not have a value at the time the API endpoint is called, the claim will not be sent to the API. Your API should be designed to explicitly check and handle the case in which a claim is not in the request. ## Expected response types from the web API at this step-When the web API receives an HTTP request from Azure AD during a user flow, it can return a "continuation response." +When the web API receives an HTTP request from Microsoft Entra ID during a user flow, it can return a "continuation response." ### Continuation response A continuation response indicates that the user flow should continue to the next step: issuing the token. In a continuation response, the API can return additional claims. A claim returned by the API that you wish to return in the token must be a built-in claim or [defined as a custom attribute](user-flow-custom-attributes.md) and must be selected in the **Application claims** configuration of the user flow. Repeat this step for the **ProfileEdit.xml**, and **PasswordReset.xml** user jou Save the files you changed: *TrustFrameworkBase.xml*, and *TrustFrameworkExtensions.xml*, *SignUpOrSignin.xml*, *ProfileEdit.xml*, and *PasswordReset.xml*. ## Test the custom policy 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD tenant by selecting the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Microsoft Entra tenant by selecting the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**. 1. Select **Identity Experience Framework**. 1. Select **Upload Custom Policy**, and then upload the policy files that you changed: *TrustFrameworkBase.xml*, and *TrustFrameworkExtensions.xml*, *SignUpOrSignin.xml*, *ProfileEdit.xml*, and *PasswordReset.xml*. |
active-directory-b2c | Add Api Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-api-connector.md | These steps only exist for **Sign up and sign in (Recommended)** and **Sign up ( ## After federating with an identity provider during sign-up -An API connector at this step in the sign-up process is invoked immediately after the user authenticates with an identity provider (like Google, Facebook, & Azure AD). This step precedes the ***attribute collection page***, which is the form presented to the user to collect user attributes. This step is not invoked if a user is registering with a local account. +An API connector at this step in the sign-up process is invoked immediately after the user authenticates with an identity provider (like Google, Facebook, and Microsoft Entra ID). This step precedes the ***attribute collection page***, which is the form presented to the user to collect user attributes. This step is not invoked if a user is registering with a local account. ### Example request sent to the API at this step ```http The exact claims sent to the API depend on the information is provided by the id ### Expected response types from the web API at this step -When the web API receives an HTTP request from Azure AD during a user flow, it can return these responses: +When the web API receives an HTTP request from Microsoft Entra ID during a user flow, it can return these responses: - Continuation response - Blocking response The claims that are sent to the API depend on the information is collected from ### Expected response types from the web API at this step -When the web API receives an HTTP request from Azure AD during a user flow, it can return these responses: +When the web API receives an HTTP request from Microsoft Entra ID during a user flow, it can return these responses: - Continuation response - Blocking response The claims that are sent to the API depend on the information defined for the us ### Expected response types from the web API at this step -When the web API receives an HTTP request from Azure AD during a user flow, it can return these responses: +When the web API receives an HTTP request from Microsoft Entra ID during a user flow, it can return these responses: - Continuation response To return the promo code claim back to the relying party application, add an out ## Test the custom policy 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD tenant by selecting the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Microsoft Entra tenant by selecting the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**. 1. Select **Identity Experience Framework**. 1. Select **Upload Custom Policy**, and then upload the policy files that you changed: *TrustFrameworkExtensions.xml*, and *SignUpOrSignin.xml*. |
active-directory-b2c | Add Identity Provider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-identity-provider.md | You typically use only one identity provider in your applications, but you have * [AD FS](identity-provider-adfs.md) * [Amazon](identity-provider-amazon.md) * [Apple](identity-provider-apple-id.md)-* [Azure AD (Single-tenant)](identity-provider-azure-ad-single-tenant.md) -* [Azure AD (Multi-tenant)](identity-provider-azure-ad-multi-tenant.md) +* [Microsoft Entra ID (Single-tenant)](identity-provider-azure-ad-single-tenant.md) +* [Microsoft Entra ID (Multi-tenant)](identity-provider-azure-ad-multi-tenant.md) * [Azure AD B2C](identity-provider-azure-ad-b2c.md) * [eBay](identity-provider-ebay.md) * [Facebook](identity-provider-facebook.md) |
active-directory-b2c | Add Sign In Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-sign-in-policy.md | The **SelfAsserted-LocalAccountSignin-Email** technical profile is a [self-asser ## Update and test your policy 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD tenant by selecting the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Azure AD B2C tenant by selecting the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**. 1. Select **Identity Experience Framework**. 1. Select **Upload Custom Policy**, and then upload the policy file that you changed, *TrustFrameworkExtensions.xml*. |
active-directory-b2c | Analytics With Application Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/analytics-with-application-insights.md | When you use Application Insights, consider the following: When you use Application Insights with Azure AD B2C, all you need to do is create a resource and get the instrumentation key. For information, see [Create an Application Insights resource](/previous-versions/azure/azure-monitor/app/create-new-resource). 1. Sign in to the [Azure portal](https://portal.azure.com/).-1. Make sure you're using the directory that has your Azure AD subscription, and not your Azure AD B2C directory. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find the Azure AD directory that has your subscription in the **Directory name** list, and then select **Switch** +1. Make sure you're using the directory that has your Microsoft Entra subscription, and not your Azure AD B2C directory. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find the Microsoft Entra directory that has your subscription in the **Directory name** list, and then select **Switch** 1. Choose **Create a resource** in the upper-left corner of the Azure portal, and then search for and select **Application Insights**. 1. Select **Create**. 1. For **Name**, enter a name for the resource. Add new orchestration steps that refer to the technical profiles. Save and upload the *TrustFrameworkExtensions.xml* file. Then call the relying party policy from your application or use **Run Now** in the Azure portal. Wait for your events to be available in Application Insights. -1. Open the **Application Insights** resource in your Azure Active Directory tenant. +1. Open the **Application Insights** resource in your Microsoft Entra tenant. 1. Select **Usage**, and then select **Events**. 1. Set **During** to **Last hour** and **By** to **3 minutes**. You might need to refresh the window to see the results. To disable Application Insights logs, change the `DisableTelemetry` metadata to Learn how to [create custom KPI dashboards using Azure Application Insights](../azure-monitor/app/tutorial-app-dashboards.md). |
active-directory-b2c | Api Connectors Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/api-connectors-overview.md | Title: About API connectors in Azure AD B2C -description: Use Azure Active Directory (Azure AD) API connectors to customize and extend your user flows and custom policies by using REST APIs or outbound webhooks to external identity data sources. +description: Use Microsoft Entra API connectors to customize and extend your user flows and custom policies by using REST APIs or outbound webhooks to external identity data sources. There are three places in a user flow where you can enable an API connector: ### After federating with an identity provider during sign-up -An API connector at this step in the sign-up process is invoked immediately after the user authenticates with an identity provider (like Google, Facebook, & Azure AD). This step precedes the ***attribute collection page***, which is the form presented to the user to collect user attributes. This step isn't invoked if a user is registering with a local account. The following are examples of API connector scenarios you might enable at this step: +An API connector at this step in the sign-up process is invoked immediately after the user authenticates with an identity provider (like Google, Facebook, and Microsoft Entra ID). This step precedes the ***attribute collection page***, which is the form presented to the user to collect user attributes. This step isn't invoked if a user is registering with a local account. The following are examples of API connector scenarios you might enable at this step: - Use the email or federated identity that the user provided to look up claims in an existing system. Return these claims from the existing system, pre-fill the attribute collection page, and make them available to return in the token. - Implement an allow or blocklist based on social identity. An API connector at this step in the sign-up process is invoked after the attrib - Validate user input data and ask a user to resubmit data. - Block a user sign-up based on data entered by the user. - Verify user identity.-- Query external systems for existing data about the user to return it in the application token or store it in Azure AD.+- Query external systems for existing data about the user to return it in the application token or store it in Microsoft Entra ID. ### Before sending the token (preview) Using Azure AD B2C, you can add your own business logic to a user journey by cal - **Use external identity data source to validate user input data**. For example, you can verify that the email address provided by the user exists in your customer's database, and if not, present an error. You can as well think of API connectors as a way of supporting outbound webhooks because the call is made when an event occurs, for example, a sign up. - **Process claims**. If a user enters their first name in all lowercase or all uppercase letters, your REST API can format the name with only the first letter capitalized and return it to Azure AD B2C. However, when using a custom policy, [ClaimsTransformations](claimstransformations.md) is preferred over calling a RESTful API. -- **Dynamically enrich user data by further integrating with corporate line-of-business applications**. Your RESTful service can receive the user's email address, query the customer's database, and return the user's loyalty number to Azure AD B2C. Then return claims can be stored in the user's Azure AD account, evaluated in the next orchestration steps, or included in the access token.+- **Dynamically enrich user data by further integrating with corporate line-of-business applications**. Your RESTful service can receive the user's email address, query the customer's database, and return the user's loyalty number to Azure AD B2C. Then return claims can be stored in the user's Microsoft Entra account, evaluated in the next orchestration steps, or included in the access token. - **Run custom business logic**. You can send push notifications, update corporate databases, run a user migration process, manage permissions, audit databases, and perform any other workflows. ![Diagram of a RESTful service claims exchange](media/api-connectors-overview/restful-service-claims-exchange.png) |
active-directory-b2c | App Registrations Training Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/app-registrations-training-guide.md | The new **[App registrations](https://aka.ms/b2cappregistrations)** experience f ## Overview Previously, you had to manage your Azure AD B2C consumer-facing applications separately from the rest of your apps using the legacy experience. That meant different app creation experiences across different places in Azure. -The new experience shows all Azure AD B2C app registrations and Azure AD app registrations in one place and provides a consistent way to manage them. From creating a customer-facing app to managing an app with Microsoft Graph permissions for resource management, you only need to learn one way to do things. +The new experience shows all Azure AD B2C app registrations and Microsoft Entra app registrations in one place and provides a consistent way to manage them. From creating a customer-facing app to managing an app with Microsoft Graph permissions for resource management, you only need to learn one way to do things. -You can reach the new experience by navigating to **App registrations** in an Azure AD B2C tenant from both the **Azure AD B2C** or the **Azure Active Directory** services in the Azure portal. +You can reach the new experience by navigating to **App registrations** in an Azure AD B2C tenant from both the **Azure AD B2C** or the **Microsoft Entra ID** services in the Azure portal. -The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://devblogs.microsoft.com/microsoft365dev/new-app-registrations-experience-is-now-generally-available/) for any Azure AD tenant, but is tailored for Azure AD B2C tenants. +The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://devblogs.microsoft.com/microsoft365dev/new-app-registrations-experience-is-now-generally-available/) for any Microsoft Entra tenant, but is tailored for Azure AD B2C tenants. ## What's not changing? - Your applications and related configurations can be found as-is in the new experience. You do not need to register the applications again and users of your applications will not need to sign-in again. > [!NOTE]-> To view all your previously created applications, navigate to the **App registrations** blade and select the **All applications** tab. This will display apps created in the legacy experience, the new experience, and those created in the Azure AD service. +> To view all your previously created applications, navigate to the **App registrations** blade and select the **All applications** tab. This will display apps created in the legacy experience, the new experience, and those created in the Microsoft Entra service. ## Key new features -- A **unified app list** shows all your applications that authenticate with Azure AD B2C and Azure AD in one convenient place. In addition, you can take advantage of features already available for Azure AD applications, including the **Created on** date, **Certificates & secrets** status, search bar, and much more.+- A **unified app list** shows all your applications that authenticate with Azure AD B2C and Microsoft Entra ID in one convenient place. In addition, you can take advantage of features already available for Microsoft Entra applications, including the **Created on** date, **Certificates & secrets** status, search bar, and much more. - **Combined app registration** allows you to quickly register an app, whether it's a customer-facing app or an app to access Microsoft Graph. The Azure AD B2C App registrations experience is based on the general [App Regis In the new experience, you select a support account type from the following options: - Accounts in this organizational directory only-- Accounts in any organizational directory (Any Azure AD directory ΓÇô Multitenant)+- Accounts in any organizational directory (Any Microsoft Entra directory ΓÇô Multitenant) - Accounts in any identity provider or organizational directory (for authenticating users with user flows) To understand the different account types, select **Help me choose** in the creation experience. The **iOS/macOS** and **Android** platforms are a type of public client. They pr ## Application certificates & secrets -In the new experience, instead of **Keys**, you use the **Certificates & secrets** blade to manage certificates and secrets. Certificates & secrets enable applications to identify themselves to the authentication service when receiving tokens at a web addressable location (using an HTTPS scheme). We recommend using a certificate instead of a client secret for client credential scenarios when authenticating against Azure AD. Certificates can't be used to authenticate against Azure AD B2C. +In the new experience, instead of **Keys**, you use the **Certificates & secrets** blade to manage certificates and secrets. Certificates & secrets enable applications to identify themselves to the authentication service when receiving tokens at a web addressable location (using an HTTPS scheme). We recommend using a certificate instead of a client secret for client credential scenarios when authenticating against Microsoft Entra ID. Certificates can't be used to authenticate against Azure AD B2C. ## Features not applicable in Azure AD B2C tenants-The following Azure AD app registrations capabilities are not applicable to or available in Azure AD B2C tenants: +The following Microsoft Entra app registrations capabilities are not applicable to or available in Azure AD B2C tenants: - **Roles and administrators** - Not currently available for Azure AD B2C. - **Branding** - UI/UX customization is configured in the **Company branding** experience or as part of a user flow. Learn to [customize the user interface in Azure Active Directory B2C](customize-ui-with-html.md). - **Publisher domain verification** - Your app is registered on *.onmicrosoft.com*, which isn't a verified domain. Additionally, the publisher domain is primarily used for granting user consent, which doesn't apply to Azure AD B2C apps for user authentication. [Learn more about publisher domain](../active-directory/develop/howto-configure-publisher-domain.md). The following Azure AD app registrations capabilities are not applicable to or a The new experience has the following limitations: - At this time, Azure AD B2C doesn't differentiate between being able to issue access or ID tokens for implicit flows; both types of tokens are available for implicit grant flow if the **ID tokens** option is selected in the **Authentication** blade. <!--- Changing the value for supported accounts isn't supported in the UI. You'll need to use the app manifest, unless you're switching between Azure AD single-tenant and multi-tenant.+- Changing the value for supported accounts isn't supported in the UI. You'll need to use the app manifest, unless you're switching between Microsoft Entra single-tenant and multi-tenant. ## Next steps |
active-directory-b2c | Application Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/application-types.md | These steps can differ slightly based on the type of application you're building ## Web applications -For web applications (including .NET, PHP, Java, Ruby, Python, and Node.js) that are hosted on a web server and accessed through a browser, Azure AD B2C supports [OpenID Connect](protocols-overview.md) for all user experiences. In the Azure AD B2C implementation of OpenID Connect, your web application initiates user experiences by issuing authentication requests to Azure AD. The result of the request is an `id_token`. This security token represents the user's identity. It also provides information about the user in the form of claims: +For web applications (including .NET, PHP, Java, Ruby, Python, and Node.js) that are hosted on a web server and accessed through a browser, Azure AD B2C supports [OpenID Connect](protocols-overview.md) for all user experiences. In the Azure AD B2C implementation of OpenID Connect, your web application initiates user experiences by issuing authentication requests to Microsoft Entra ID. The result of the request is an `id_token`. This security token represents the user's identity. It also provides information about the user in the form of claims: ```json // Partial raw id_token In a web application, each execution of a [policy](user-flow-overview.md) takes 6. The `id_token` is validated and a session cookie is set. 7. A secure page is returned to the user. -Validation of the `id_token` by using a public signing key that is received from Azure AD is sufficient to verify the identity of the user. This process also sets a session cookie that can be used to identify the user on subsequent page requests. +Validation of the `id_token` by using a public signing key that is received from Microsoft Entra ID is sufficient to verify the identity of the user. This process also sets a session cookie that can be used to identify the user on subsequent page requests. To see this scenario in action, try one of the web application sign-in code samples in our [Getting started section](overview.md). To learn how to secure a web API by using Azure AD B2C, check out the web API tu Applications that are installed on devices, such as mobile and desktop applications, often need to access back-end services or web APIs on behalf of users. You can add customized identity management experiences to your native applications and securely call back-end services by using Azure AD B2C and the [OAuth 2.0 authorization code flow](authorization-code-flow.md). -In this flow, the application executes [policies](user-flow-overview.md) and receives an `authorization_code` from Azure AD after the user completes the policy. The `authorization_code` represents the application's permission to call back-end services on behalf of the user who is currently signed in. The application can then exchange the `authorization_code` in the background for an `access_token` and a `refresh_token`. The application can use the `access_token` to authenticate to a back-end web API in HTTP requests. It can also use the `refresh_token` to get a new `access_token` when an older one expires. +In this flow, the application executes [policies](user-flow-overview.md) and receives an `authorization_code` from Microsoft Entra ID after the user completes the policy. The `authorization_code` represents the application's permission to call back-end services on behalf of the user who is currently signed in. The application can then exchange the `authorization_code` in the background for an `access_token` and a `refresh_token`. The application can use the `access_token` to authenticate to a back-end web API in HTTP requests. It can also use the `refresh_token` to get a new `access_token` when an older one expires. ## Daemons/server-side applications Applications that contain long-running processes or that operate without the presence of a user also need a way to access secured resources such as web APIs. These applications can authenticate and get tokens by using their identities (rather than a user's delegated identity) and by using the OAuth 2.0 client credentials flow. Client credential flow isn't the same as on-behalf-flow and on-behalf-flow shouldn't be used for server-to-server authentication. -For Azure AD B2C, the [OAuth 2.0 client credentials flow](./client-credentials-grant-flow.md) is currently in public preview. However, you can set up client credential flow using Azure AD and the Microsoft identity platform `/token` endpoint (`https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token`) for a [Microsoft Graph application](microsoft-graph-get-started.md) or your own application. For more information, check out the [Azure AD token reference](../active-directory/develop/id-tokens.md) article. +For Azure AD B2C, the [OAuth 2.0 client credentials flow](./client-credentials-grant-flow.md) is currently in public preview. However, you can set up client credential flow using Microsoft Entra ID and the Microsoft identity platform `/token` endpoint (`https://login.microsoftonline.com/your-tenant-name.onmicrosoft.com/oauth2/v2.0/token`) for a [Microsoft Graph application](microsoft-graph-get-started.md) or your own application. For more information, check out the [Microsoft Entra token reference](../active-directory/develop/id-tokens.md) article. ## Unsupported application types |
active-directory-b2c | Authorization Code Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/authorization-code-flow.md | This article focuses on the **public clients** OAuth 2.0 authorization code flow > [!NOTE] > To add identity management to a web app by using Azure AD B2C, use [OpenID Connect](openid-connect.md) instead of OAuth 2.0. -Azure AD B2C extends the standard OAuth 2.0 flows to do more than simple authentication and authorization. It introduces the [user flow](user-flow-overview.md). With user flows, you can use OAuth 2.0 to add user experiences to your application, such as sign-up, sign-in, and profile management. Identity providers that use the OAuth 2.0 protocol include [Amazon](identity-provider-amazon.md), [Azure Active Directory](identity-provider-azure-ad-single-tenant.md), [Facebook](identity-provider-facebook.md), [GitHub](identity-provider-github.md), [Google](identity-provider-google.md), and [LinkedIn](identity-provider-linkedin.md). +Azure AD B2C extends the standard OAuth 2.0 flows to do more than simple authentication and authorization. It introduces the [user flow](user-flow-overview.md). With user flows, you can use OAuth 2.0 to add user experiences to your application, such as sign-up, sign-in, and profile management. Identity providers that use the OAuth 2.0 protocol include [Amazon](identity-provider-amazon.md), [Microsoft Entra ID](identity-provider-azure-ad-single-tenant.md), [Facebook](identity-provider-facebook.md), [GitHub](identity-provider-github.md), [Google](identity-provider-google.md), and [LinkedIn](identity-provider-linkedin.md). To try the HTTP requests in this article: client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6 At this point, the user is asked to complete the user flow's workflow. This might involve the user entering their username and password, signing in with a social identity, signing up for the directory, or any other number of steps. User actions depend on how the user flow is defined. -After the user completes the user flow, Azure AD returns a response to your app at the value you used for `redirect_uri`. It uses the method specified in the `response_mode` parameter. The response is exactly the same for each of the user action scenarios, independent of the user flow that was executed. +After the user completes the user flow, Microsoft Entra ID returns a response to your app at the value you used for `redirect_uri`. It uses the method specified in the `response_mode` parameter. The response is exactly the same for each of the user action scenarios, independent of the user flow that was executed. A successful response that uses `response_mode=query` looks like this: grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&sco | client_id |Required |The application ID assigned to your app in the [Azure portal](https://portal.azure.com).| | client_secret | Yes, in Web Apps | The application secret that was generated in the [Azure portal](https://portal.azure.com/). Client secrets are used in this flow for Web App scenarios, where the client can securely store a client secret. For Native App (public client) scenarios, client secrets cannot be securely stored, and therefore are not used in this call. If you use a client secret, please change it on a periodic basis. | | grant_type |Required |The type of grant. For the authorization code flow, the grant type must be `authorization_code`. |-| scope |Recommended |A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The `offline_access` scope indicates that your app needs a refresh token for long-lived access to resources. You also can use the `openid` scope to request an ID token from Azure AD B2C. | +| scope |Recommended |A space-separated list of scopes. A single scope value indicates to Microsoft Entra ID both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The `offline_access` scope indicates that your app needs a refresh token for long-lived access to resources. You also can use the `openid` scope to request an ID token from Azure AD B2C. | | code |Required |The authorization code that you acquired in from the `/authorize` endpoint. | | redirect_uri |Required |The redirect URI of the application where you received the authorization code. | | code_verifier | recommended | The same `code_verifier` used to obtain the authorization code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). | A successful token response looks like this: | Parameter | Description | | | | | not_before |The time at which the token is considered valid, in epoch time. |-| token_type |The token type value. The only type that Azure AD supports is Bearer. | +| token_type |The token type value. The only type that Microsoft Entra ID supports is Bearer. | | access_token |The signed JSON Web Token (JWT) that you requested. | | scope |The scopes that the token is valid for. You also can use scopes to cache tokens for later use. | | expires_in |The length of time that the token is valid (in seconds). | grant_type=refresh_token&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&scope=90 | client_id |Required |The application ID assigned to your app in the [Azure portal](https://portal.azure.com). | | client_secret | Yes, in Web Apps | The application secret that was generated in the [Azure portal](https://portal.azure.com/). Client secrets are used in this flow for Web App scenarios, where the client can securely store a client secret. For Native App (public client) scenarios, client secrets cannot be securely stored, and therefore are not used in this call. If you use a client secret, please change it on a periodic basis. | | grant_type |Required |The type of grant. For this leg of the authorization code flow, the grant type must be `refresh_token`. |-| scope |Recommended |A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The `offline_access` scope indicates that your app will need a refresh token for long-lived access to resources. You also can use the `openid` scope to request an ID token from Azure AD B2C. | +| scope |Recommended |A space-separated list of scopes. A single scope value indicates to Microsoft Entra ID both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The `offline_access` scope indicates that your app will need a refresh token for long-lived access to resources. You also can use the `openid` scope to request an ID token from Azure AD B2C. | | redirect_uri |Optional |The redirect URI of the application where you received the authorization code. | | refresh_token |Required |The original refresh token that you acquired in the second leg of the flow. | A successful token response looks like this: | Parameter | Description | | | | | not_before |The time at which the token is considered valid, in epoch time. |-| token_type |The token type value. The only type that Azure AD supports is Bearer. | +| token_type |The token type value. The only type that Microsoft Entra ID supports is Bearer. | | access_token |The signed JWT that you requested. | | scope |The scopes that the token is valid for. You also can use the scopes to cache tokens for later use. | | expires_in |The length of time that the token is valid (in seconds). | |
active-directory-b2c | Azure Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/azure-monitor.md | Watch this video to learn how to configure monitoring for Azure AD B2C using Azu ## Deployment overview -Azure AD B2C uses [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring-health.md). Unlike Azure AD tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we send the logs. -To enable _Diagnostic settings_ in Azure Active Directory within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/overview.md) to [delegate a resource](../lighthouse/concepts/architecture.md), which allows your Azure AD B2C (the **Service Provider**) to manage an Azure AD (the **Customer**) resource. +Azure AD B2C uses [Microsoft Entra ID monitoring](../active-directory/reports-monitoring/overview-monitoring-health.md). Unlike Microsoft Entra tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we send the logs. +To enable _Diagnostic settings_ in Microsoft Entra ID within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/overview.md) to [delegate a resource](../lighthouse/concepts/architecture.md), which allows your Azure AD B2C (the **Service Provider**) to manage a Microsoft Entra ID (the **Customer**) resource. > [!TIP]-> Azure Lighthouse is typically used to manage resources for multiple customers. However, it can also be used to manage resources **within an enterprise that has multiple Azure AD tenants of its own**, which is what we are doing here, except that we are only delegating the management of single resource group. +> Azure Lighthouse is typically used to manage resources for multiple customers. However, it can also be used to manage resources **within an enterprise that has multiple Microsoft Entra tenants of its own**, which is what we are doing here, except that we are only delegating the management of single resource group. After you complete the steps in this article, you'll have created a new resource group (here called _azure-ad-b2c-monitor_) and have access to that same resource group that contains the [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) in your **Azure AD B2C** portal. You'll also be able to transfer the logs from Azure AD B2C to your Log Analytics workspace. During this deployment, you'll authorize a user or group in your Azure AD B2C directory to configure the Log Analytics workspace instance within the tenant that contains your Azure subscription. To create the authorization, you deploy an [Azure Resource Manager](../azure-resource-manager/index.yml) template to the subscription that contains the Log Analytics workspace. -The following diagram depicts the components you'll configure in your Azure AD and Azure AD B2C tenants. +The following diagram depicts the components you'll configure in your Microsoft Entra ID and Azure AD B2C tenants. ![Resource group projection](./media/azure-monitor/resource-group-projection.png) -During this deployment, you'll configure your Azure AD B2C tenant where logs are generated. You'll also configure Azure AD tenant where the Log Analytics workspace will be hosted. The Azure AD B2C accounts used (such as your admin account) should be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) role on the Azure AD B2C tenant. The Azure AD account you'll use to run the deployment must be assigned the [Owner](../role-based-access-control/built-in-roles.md#owner) role in the Azure AD subscription. It's also important to make sure you're signed in to the correct directory as you complete each step as described. +During this deployment, you'll configure your Azure AD B2C tenant where logs are generated. You'll also configure Microsoft Entra tenant where the Log Analytics workspace will be hosted. The Azure AD B2C accounts used (such as your admin account) should be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) role on the Azure AD B2C tenant. The Microsoft Entra account you'll use to run the deployment must be assigned the [Owner](../role-based-access-control/built-in-roles.md#owner) role in the Microsoft Entra subscription. It's also important to make sure you're signed in to the correct directory as you complete each step as described. -In summary, you'll use Azure Lighthouse to allow a user or group in your Azure AD B2C tenant to manage a resource group in a subscription associated with a different tenant (the Azure AD tenant). After this authorization is completed, the subscription and log analytics workspace can be selected as a target in the Diagnostic settings in Azure AD B2C. +In summary, you'll use Azure Lighthouse to allow a user or group in your Azure AD B2C tenant to manage a resource group in a subscription associated with a different tenant (the Microsoft Entra tenant). After this authorization is completed, the subscription and log analytics workspace can be selected as a target in the Diagnostic settings in Azure AD B2C. ## Prerequisites - An Azure AD B2C account with [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) role on the Azure AD B2C tenant. -- An Azure AD account with the [Owner](../role-based-access-control/built-in-roles.md#owner) role in the Azure AD subscription. See how to [Assign a user as an administrator of an Azure subscription](../role-based-access-control/role-assignments-portal-subscription-admin.md). +- A Microsoft Entra account with the [Owner](../role-based-access-control/built-in-roles.md#owner) role in the Microsoft Entra subscription. See how to [Assign a user as an administrator of an Azure subscription](../role-based-access-control/role-assignments-portal-subscription-admin.md). ## 1. Create or choose resource group First, create, or choose a resource group that contains the destination Log Analytics workspace that will receive data from Azure AD B2C. You'll specify the resource group name when you deploy the Azure Resource Manager template. 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your *Azure AD* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your *Microsoft Entra ID* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. [Create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups) or choose an existing one. This example uses a resource group named _azure-ad-b2c-monitor_. ## 2. Create a Log Analytics workspace First, create, or choose a resource group that contains the destination Log Anal A **Log Analytics workspace** is a unique environment for Azure Monitor log data. You'll use this Log Analytics workspace to collect data from Azure AD B2C [audit logs](view-audit-logs.md), and then visualize it with queries and workbooks, or create alerts. 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your *Azure AD* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your *Microsoft Entra ID* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md). This example uses a Log Analytics workspace named _AzureAdB2C_, in a resource group named _azure-ad-b2c-monitor_. ## 3. Delegate resource management -In this step, you choose your Azure AD B2C tenant as a **service provider**. You also define the authorizations you need to assign the appropriate Azure built-in roles to groups in your Azure AD tenant. +In this step, you choose your Azure AD B2C tenant as a **service provider**. You also define the authorizations you need to assign the appropriate Azure built-in roles to groups in your Microsoft Entra tenant. ### 3.1 Get your Azure AD B2C tenant ID First, get the **Tenant ID** of your Azure AD B2C directory (also known as the d 1. Sign in to the [Azure portal](https://portal.azure.com/). 1. Make sure you're using the directory that contains your *Azure AD B2C* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.-1. Select **Azure Active Directory**, select **Overview**. +1. Select **Microsoft Entra ID**, select **Overview**. 1. Record the **Tenant ID**. ### 3.2 Select a security group Now select an Azure AD B2C group or user to which you want to give permission to the resource group you created earlier in the directory containing your subscription. -To make management easier, we recommend using Azure AD user _groups_ for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. In this walkthrough, we'll add a security group. +To make management easier, we recommend using Microsoft Entra user _groups_ for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. In this walkthrough, we'll add a security group. > [!IMPORTANT]-> In order to add permissions for an Azure AD group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/how-to-manage-groups.md). +> In order to add permissions for a Microsoft Entra group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Microsoft Entra ID](../active-directory/fundamentals/how-to-manage-groups.md). -1. With **Azure Active Directory** still selected in your **Azure AD B2C** directory, select **Groups**, and then select a group. If you don't have an existing group, create a **Security** group, then add members. For more information, follow the procedure [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/how-to-manage-groups.md). +1. With **Microsoft Entra ID** still selected in your **Azure AD B2C** directory, select **Groups**, and then select a group. If you don't have an existing group, create a **Security** group, then add members. For more information, follow the procedure [Create a basic group and add members using Microsoft Entra ID](../active-directory/fundamentals/how-to-manage-groups.md). 1. Select **Overview**, and record the group's **Object ID**. ### 3.3 Create an Azure Resource Manager template -To create the custom authorization and delegation in Azure Lighthouse, we use an Azure Resource Manager template. This template grants Azure AD B2C access to the Azure AD resource group, which you created earlier, for example, _azure-ad-b2c-monitor_. Deploy the template from the GitHub sample by using the **Deploy to Azure** button, which opens the Azure portal and lets you configure and deploy the template directly in the portal. For these steps, make sure you're signed in to your Azure AD tenant (not the Azure AD B2C tenant). +To create the custom authorization and delegation in Azure Lighthouse, we use an Azure Resource Manager template. This template grants Azure AD B2C access to the Microsoft Entra resource group, which you created earlier, for example, _azure-ad-b2c-monitor_. Deploy the template from the GitHub sample by using the **Deploy to Azure** button, which opens the Azure portal and lets you configure and deploy the template directly in the portal. For these steps, make sure you're signed in to your Microsoft Entra tenant (not the Azure AD B2C tenant). 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your *Azure AD tenant*. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your *Microsoft Entra tenant*. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Use the **Deploy to Azure** button to open the Azure portal and deploy the template directly in the portal. For more information, see [create an Azure Resource Manager template](../lighthouse/how-to/onboard-customer.md#create-an-azure-resource-manager-template). [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazure-ad-b2c%2Fsiem%2Fmaster%2Ftemplates%2FrgDelegatedResourceManagement.json) To create the custom authorization and delegation in Azure Lighthouse, we use an | | - | | Subscription | Select the directory that contains the Azure subscription where the _azure-ad-b2c-monitor_ resource group was created. | | Region | Select the region where the resource will be deployed. |- | Msp Offer Name | A name describing this definition. For example, _Azure AD B2C Monitoring_. It's the name that will be displayed in Azure Lighthouse. The **MSP Offer Name** must be unique in your Azure AD. To monitor multiple Azure AD B2C tenants, use different names. | + | Msp Offer Name | A name describing this definition. For example, _Azure AD B2C Monitoring_. It's the name that will be displayed in Azure Lighthouse. The **MSP Offer Name** must be unique in your Microsoft Entra ID. To monitor multiple Azure AD B2C tenants, use different names. | | Msp Offer Description | A brief description of your offer. For example, _Enables Azure Monitor in Azure AD B2C_. | | Managed By Tenant ID | The **Tenant ID** of your Azure AD B2C tenant (also known as the directory ID). |- | Authorizations | Specify a JSON array of objects that include the Azure AD `principalId`, `principalIdDisplayName`, and Azure `roleDefinitionId`. The `principalId` is the **Object ID** of the B2C group or user that will have access to resources in this Azure subscription. For this walkthrough, specify the group's Object ID that you recorded earlier. For the `roleDefinitionId`, use the [built-in role](../role-based-access-control/built-in-roles.md) value for the _Contributor role_, `b24988ac-6180-42a0-ab88-20f7382dd24c`. | - | Rg Name | The name of the resource group you create earlier in your Azure AD tenant. For example, _azure-ad-b2c-monitor_. | + | Authorizations | Specify a JSON array of objects that include the Microsoft Entra ID `principalId`, `principalIdDisplayName`, and Azure `roleDefinitionId`. The `principalId` is the **Object ID** of the B2C group or user that will have access to resources in this Azure subscription. For this walkthrough, specify the group's Object ID that you recorded earlier. For the `roleDefinitionId`, use the [built-in role](../role-based-access-control/built-in-roles.md) value for the _Contributor role_, `b24988ac-6180-42a0-ab88-20f7382dd24c`. | + | Rg Name | The name of the resource group you create earlier in your Microsoft Entra tenant. For example, _azure-ad-b2c-monitor_. | The following example demonstrates an Authorizations array with one security group. To create the custom authorization and delegation in Azure Lighthouse, we use an ] ``` -After you deploy the template, it can take a few minutes (typically no more than five) for the resource projection to complete. You can verify the deployment in your Azure AD tenant and get the details of the resource projection. For more information, see [View and manage service providers](../lighthouse/how-to/view-manage-service-providers.md). +After you deploy the template, it can take a few minutes (typically no more than five) for the resource projection to complete. You can verify the deployment in your Microsoft Entra tenant and get the details of the resource projection. For more information, see [View and manage service providers](../lighthouse/how-to/view-manage-service-providers.md). ## 4. Select your subscription After you've deployed the template and waited a few minutes for the resource projection to complete, follow these steps to associate your subscription with your Azure AD B2C directory. > [!NOTE]-> On the **Portal settings | Directories + subscriptions** page, ensure that your Azure AD B2C and Azure AD tenants are selected under **Current + delegated directories**. +> On the **Portal settings | Directories + subscriptions** page, ensure that your Azure AD B2C and Microsoft Entra tenants are selected under **Current + delegated directories**. 1. Sign out of the [Azure portal](https://portal.azure.com) and sign back in with your **Azure AD B2C** administrative account. This account must be a member of the security group you specified in the [Delegate resource management](#3-delegate-resource-management) step. Signing out and singing back in allows your session credentials to be refreshed in the next step. 1. Select the **Directories + subscriptions** icon in the portal toolbar.-1. On the **Portal settings | Directories + subscriptions** page, in the **Directory name** list, find your Azure AD directory that contains the Azure subscription and the _azure-ad-b2c-monitor_ resource group you created, and then select **Switch**. +1. On the **Portal settings | Directories + subscriptions** page, in the **Directory name** list, find your Microsoft Entra directory that contains the Azure subscription and the _azure-ad-b2c-monitor_ resource group you created, and then select **Switch**. 1. Verify that you've selected the correct directory and your Azure subscription is listed and selected in the **Default subscription filter**. ![Screenshot of the default subscription filter](./media/azure-monitor/default-subscription-filter.png) To configure monitoring settings for Azure AD B2C activity logs: 1. Make sure you're using the directory that contains your Azure AD B2C tenant: 1. Select the **Directories + subscriptions** icon in the portal toolbar. 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.-1. Select **Azure Active Directory** +1. Select **Microsoft Entra ID** 1. Under **Monitoring**, select **Diagnostic settings**. 1. If there are existing settings for the resource, you'll see a list of settings already configured. Either select **Add diagnostic setting** to add a new setting, or select **Edit settings** to edit an existing setting. Each setting can have no more than one of each of the destination types. If you see the error message, _To set up Diagnostic settings to use Azure Monito ## 6. Visualize your data -Now you can configure your Log Analytics workspace to visualize your data and configure alerts. These configurations can be made in both your Azure AD tenant and your Azure AD B2C tenant. +Now you can configure your Log Analytics workspace to visualize your data and configure alerts. These configurations can be made in both your Microsoft Entra tenant and your Azure AD B2C tenant. ### 6.1 Create a Query Log queries help you to fully use the value of the data collected in Azure Monitor Logs. A powerful query language allows you to join data from multiple tables, aggregate large sets of data, and perform complex operations with minimal code. Virtually any question can be answered and analysis performed as long as the supporting data has been collected, and you understand how to construct the right query. For more information, see [Get started with log queries in Azure Monitor](../azure-monitor/logs/get-started-queries.md). 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your *Azure AD* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. +1. Make sure you're using the directory that contains your *Microsoft Entra ID* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. From **Log Analytics workspace** window, select **Logs** 1. In the query editor, paste the following [Kusto Query Language](/azure/data-explorer/kusto/query/) query. This query shows policy usage by operation over the past x days. The default duration is set to 90 days (90d). Notice that the query is focused only on the operation where a token/code is issued by policy. Workbooks provide a flexible canvas for data analysis and the creation of rich v Follow the instructions below to create a new workbook using a JSON Gallery Template. This workbook provides a **User Insights** and **Authentication** dashboard for Azure AD B2C tenant. 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your *Azure AD* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. +1. Make sure you're using the directory that contains your *Microsoft Entra ID* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. From the **Log Analytics workspace** window, select **Workbooks**. 1. From the toolbar, select **+ New** option to create a new workbook. 1. On the **New workbook** page, select the **Advanced Editor** using the **</>** option on the toolbar. Alerts are created by alert rules in Azure Monitor and can automatically run sav Use the following instructions to create a new Azure Alert, which will send an [email notification](../azure-monitor/alerts/action-groups.md) whenever there's a 25% drop in the **Total Requests** compared to previous period. Alert will run every 5 minutes and look for the drop in the last hour compared to the hour before it. The alerts are created using Kusto query language. 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your *Azure AD* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. +1. Make sure you're using the directory that contains your *Microsoft Entra ID* tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. From **Log Analytics workspace**, select **Logs**. 1. Create a new **Kusto query** by using this query. To stop collecting logs to your Log Analytics workspace, delete the diagnostic s ## Delete Log Analytics workspace and resource group 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your *Azure AD* tenant: +1. Make sure you're using the directory that contains your *Microsoft Entra ID* tenant: 1. Select the **Directories + subscriptions** icon in the portal toolbar.- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch** button next to it. + 1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch** button next to it. 1. Choose the resource group that contains the Log Analytics workspace. This example uses a resource group named _azure-ad-b2c-monitor_ and a Log Analytics workspace named `AzureAdB2C`. 1. [Delete the Logs Analytics workspace](../azure-monitor/logs/delete-workspace.md#azure-portal). 1. Select the **Delete** button to delete the resource group. To stop collecting logs to your Log Analytics workspace, delete the diagnostic s - For more information about adding and configuring diagnostic settings in Azure Monitor, see [Tutorial: Collect and analyze resource logs from an Azure resource](../azure-monitor/essentials/monitor-azure-resource.md). -- For information about streaming Azure AD logs to an event hub, see [Tutorial: Stream Azure Active Directory logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md).+- For information about streaming Microsoft Entra ID logs to an event hub, see [Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). |
active-directory-b2c | B2c Global Identity Funnel Based Design | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2c-global-identity-funnel-based-design.md | This use case demonstrates how a user can travel across regions and maintain the 1. The user's email is located to have been signed up in NOAM Azure AD B2C tenant. -1. The EMEA Azure AD B2C tenant performs an Azure AD ROPC flow against the NOAM Azure AD B2C tenant to verify credentials. +1. The EMEA Azure AD B2C tenant performs a Microsoft Entra ROPC flow against the NOAM Azure AD B2C tenant to verify credentials. >[!NOTE] >This call will also fetch a token for the user to perform a Graph API call. The EMEA Azure AD B2C tenant performs a Graph API call to the NOAM Azure AD B2C tenant to fetch the user's profile. This call is authenticated by the access token for Graph API acquired in the last step. |
active-directory-b2c | B2c Global Identity Proof Of Concept Regional | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2c-global-identity-proof-of-concept-regional.md | The **ValidationTechnicalProfiles** will perform the following logic: 1. Get a token to call your protected API endpoints using the `REST-getTokenforExternalApiCalls` technical profile. - * Follow the documentation [here](secure-rest-api.md?tabs=windows&pivots=b2c-custom-policy#using-oauth2-bearer) to obtain and protect your API using an Azure AD bearer token. + * Follow the documentation [here](secure-rest-api.md?tabs=windows&pivots=b2c-custom-policy#using-oauth2-bearer) to obtain and protect your API using a Microsoft Entra bearer token. 1. Verify if the user already exists in the user-region mapping via your secured external REST API endpoint: * This API call is made before all sign-up's, it's critical to make sure this API has appropriate load balancing, resiliency, and failover mechanisms to uphold uptime requirements. The **ValidationTechnicalProfiles** will perform the following logic when the us 1. Get a token to call your protected API endpoints using the `REST-getTokenforExternalApiCalls` technical profile. - * Follow the documentation [here](secure-rest-api.md?tabs=windows&pivots=b2c-custom-policy#using-oauth2-bearer) to obtain and protect your API using an Azure AD bearer token. + * Follow the documentation [here](secure-rest-api.md?tabs=windows&pivots=b2c-custom-policy#using-oauth2-bearer) to obtain and protect your API using a Microsoft Entra bearer token. 1. Look up the user-region mapping via your secured external REST API endpoint * This API call is made before all sign-up's, it's critical to make sure this API has appropriate load balancing, resiliency, and failover mechanisms to uphold uptime requirements. The **ValidationTechnicalProfiles** will perform the following logic when the us - [Build a global identity solution with region-based approach](b2c-global-identity-region-based-design.md) - [Azure AD B2C global identity proof of concept funnel-based configuration](b2c-global-identity-proof-of-concept-funnel.md)- |
active-directory-b2c | B2c Global Identity Region Based Design | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2c-global-identity-region-based-design.md | This use case demonstrates how a user can travel across regions and maintain the 1. The user's email is located to have been signed up in NOAM Azure AD B2C tenant. -1. The EMEA Azure AD B2C tenant performs an Azure AD ROPC flow against the NOAM Azure AD B2C tenant to verify credentials. +1. The EMEA Azure AD B2C tenant performs a Microsoft Entra ROPC flow against the NOAM Azure AD B2C tenant to verify credentials. >[!NOTE] >This call will also fetch a token for the user to perform a Graph API call. The EMEA Azure AD B2C tenant performs a Graph API call to the NOAM Azure AD B2C tenant to fetch the user's profile. This call is authenticated by the access token for Graph API acquired in the last step. |
active-directory-b2c | B2c Global Identity Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2c-global-identity-solutions.md | -Azure Active Directory B2C (Azure AD B2C) is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/whatis.md). It's built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allows self-service sign-up to applications. +Azure Active Directory B2C (Azure AD B2C) is a separate service from [Microsoft Entra ID](../active-directory/fundamentals/whatis.md). It's built on the same technology as Microsoft Entra ID but for a different purpose. It allows businesses to build customer facing applications, and then allows self-service sign-up to applications. Azure AD B2C is a globally distributed service made up of several components: |
active-directory-b2c | B2clogin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/b2clogin.md | With Azure AD B2C [custom domain](./custom-domain.md) the corresponding updated ## Endpoints that are not affected -Some customers use the shared capabilities of Azure AD enterprise tenants. For example, acquiring an access token to call the [MS Graph API](microsoft-graph-operations.md#code-discussion) of the Azure AD B2C tenant. +Some customers use the shared capabilities of Microsoft Entra enterprise tenants. For example, acquiring an access token to call the [MS Graph API](microsoft-graph-operations.md#code-discussion) of the Azure AD B2C tenant. -All endpoints, which don't contain a policy parameter aren't affected by the change. They're accessed only with the Azure AD's login.microsoftonline.com endpoints, and can't be used with the *b2clogin.com*, or custom domains. The following example shows a valid token endpoint of the Azure AD platform: +All endpoints, which don't contain a policy parameter aren't affected by the change. They're accessed only with the Microsoft Entra ID's login.microsoftonline.com endpoints, and can't be used with the *b2clogin.com*, or custom domains. The following example shows a valid token endpoint of the Microsoft identity platform: ```http https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/token |
active-directory-b2c | Billing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/billing.md | -Azure Active Directory B2C (Azure AD B2C) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This billing model applies to both Azure AD B2C tenants and [Azure AD guest user collaboration (B2B)](../active-directory/external-identities/external-identities-pricing.md). MAU billing helps you reduce costs by offering a free tier and flexible, predictable pricing. +Azure Active Directory B2C (Azure AD B2C) pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This billing model applies to both Azure AD B2C tenants and [Microsoft Entra guest user collaboration (B2B)](../active-directory/external-identities/external-identities-pricing.md). MAU billing helps you reduce costs by offering a free tier and flexible, predictable pricing. In this article, learn about MAU and Go Local billing, linking Azure AD B2C tenants to a subscription, and changing the pricing tier. To take advantage of MAU billing, your Azure AD B2C tenant must be linked to an | An Azure AD B2C tenant already billed on a per-MAU basis | Do nothing. When users authenticate to your Azure AD B2C tenant, you'll be automatically billed using the MAU-based billing model. | | An Azure AD B2C tenant not yet linked to a subscription | [Link your Azure AD B2C tenant to a subscription](#link-an-azure-ad-b2c-tenant-to-a-subscription) to activate MAU billing. | | An Azure AD B2C tenant that was linked to a subscription before November 1, 2019 | [Switch to MAU billing (recommended)](#switch-to-mau-billing-pre-november-2019-azure-ad-b2c-tenants), or stay on the per-authentication billing model. |-| An Azure AD B2C tenant and you want to use premium features (like risk-based Conditional Access policies) | [Change to an Azure AD pricing tier](#change-your-azure-ad-pricing-tier) that supports the features you want to use. | +| An Azure AD B2C tenant and you want to use premium features (like risk-based Conditional Access policies) | [Change to a Microsoft Entra pricing tier](#change-your-azure-ad-pricing-tier) that supports the features you want to use. | | | | ## About the monthly active users (MAU) billing model MAU billing went into effect for Azure AD B2C tenants on **November 1, 2019**. A Your Azure AD B2C tenant must also be linked to the appropriate Azure pricing tier based on the features you want to use. Premium features require Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/). You might need to upgrade your pricing tier as you use new features. For example, for risk-based Conditional Access policies, you’ll need to select the Azure AD B2C Premium P2 pricing tier for your tenant. > [!NOTE]-> Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features, but the **free tier doesn’t apply to free trial, credit-based, or sponsorship subscriptions**. Once the free trial period or credits expire for these types of subscriptions, you'll begin to be charged for Azure AD B2C MAUs. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription. +> Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features, but the **free tier doesn’t apply to free trial, credit-based, or sponsorship subscriptions**. Once the free trial period or credits expire for these types of subscriptions, you'll begin to be charged for Azure AD B2C MAUs. To determine the total number of MAUs, we combine MAUs from all your tenants (both Microsoft Entra ID and Azure AD B2C) that are linked to the same subscription. ## About Go-Local add-on Azure AD B2C's [Go-Local add-on](data-residency.md#go-local-add-on) enables you ## Link an Azure AD B2C tenant to a subscription -Usage charges for Azure AD B2C are billed to an Azure subscription. You need to explicitly link an Azure AD B2C tenant to an Azure subscription by creating an Azure AD B2C *resource* within the target Azure subscription. Several Azure AD B2C resources can be created in a single Azure subscription, along with other Azure resources like virtual machines, and storage accounts. You can see all of the resources within a subscription by going to the Azure Active Directory (Azure AD) tenant that the subscription is associated with. +Usage charges for Azure AD B2C are billed to an Azure subscription. You need to explicitly link an Azure AD B2C tenant to an Azure subscription by creating an Azure AD B2C *resource* within the target Azure subscription. Several Azure AD B2C resources can be created in a single Azure subscription, along with other Azure resources like virtual machines, and storage accounts. You can see all of the resources within a subscription by going to the Microsoft Entra tenant that the subscription is associated with. A subscription linked to an Azure AD B2C tenant can be used for the billing of Azure AD B2C usage or other Azure resources, including additional Azure AD B2C resources. It can't be used to add other Azure license-based services or Office 365 licenses within the Azure AD B2C tenant. A subscription linked to an Azure AD B2C tenant can be used for the billing of A ### Create the link 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that has your Azure AD subscription, and not the directory containing your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that has your Microsoft Entra subscription, and not the directory containing your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Select **Create a resource**, and then, in the **Search services and Marketplace** field, search for and select **Azure Active Directory B2C**. 1. Select **Create**. 1. Select **Link an existing Azure AD B2C Tenant to my Azure subscription**. A subscription linked to an Azure AD B2C tenant can be used for the billing of A After you complete these steps for an Azure AD B2C tenant, your Azure subscription is billed based on your Azure Direct or Enterprise Agreement details, if applicable. -## Change your Azure AD pricing tier +<a name='change-your-azure-ad-pricing-tier'></a> ++## Change your Microsoft Entra pricing tier A tenant must be linked to the appropriate Azure pricing tier based on the features you want to use with your Azure AD B2C tenant. Premium features require Azure AD B2C Premium P1 or P2, as described in the [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/). To change your pricing tier, follow these steps: 1. Sign in to the [Azure portal](https://portal.azure.com/). -1. Make sure you're using the Azure AD directory that contains the subscription your Azure B2C tenant and not the Azure AD B2C tenant itself: +1. Make sure you're using the Microsoft Entra directory that contains the subscription your Azure B2C tenant and not the Azure AD B2C tenant itself: 1. In the Azure portal toolbar, select the **Directories + subscriptions** (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::) icon. - 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch** button next to it. + 1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch** button next to it. 1. In the search box at the top of the portal, enter the name of your Azure AD B2C tenant. Then select the tenant in the search results under **Resources**. To change your pricing tier, follow these steps: ![Screenshot that shows how to select the pricing tier.](media/billing/select-tier.png) -Learn about the [Azure AD features, which are supported in Azure AD B2C](supported-azure-ad-features.md). +Learn about the [Microsoft Entra features, which are supported in Azure AD B2C](supported-azure-ad-features.md). ## Switch to MAU billing (pre-November 2019 Azure AD B2C tenants) Here's how to make the switch to MAU billing for an existing Azure AD B2C resour 1. To select the Azure AD B2C directory that you want to upgrade to MAU billing, select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.-1. On the **Overview** page of the Azure AD B2C tenant, select the link under **Resource name**. You're directed to the Azure AD B2C resource in your Azure AD tenant.<br/> +1. On the **Overview** page of the Azure AD B2C tenant, select the link under **Resource name**. You're directed to the Azure AD B2C resource in your Microsoft Entra tenant.<br/> ![Screenshot that shows how to select the Azure AD B2C resource in Azure portal.](./media/billing/portal-mau-02-b2c-resource-link.png) The management of Azure AD B2C using role-based access control isn't affected by ### Move using Azure Resource Manager -Azure AD B2C tenants can be moved to another subscription using Azure Resource Manager if the source and destination subscriptions exist within the same Azure Active Directory tenant. +Azure AD B2C tenants can be moved to another subscription using Azure Resource Manager if the source and destination subscriptions exist within the same Microsoft Entra tenant. To learn how to move Azure resources like your Azure AD B2C tenant to another subscription, see [Move resources to new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md). Before you start the move, be sure to read the entire article to fully understan ### Move by unlinking and relinking -If the source and destination subscriptions are associated with different Azure Active Directory tenants, you can't perform the move via Azure Resource Manager as explained above. However, you can still achieve the same result by unlinking the Azure AD B2C tenant from the source subscription and relinking it to the destination subscription. This method is safe because the only object you delete is the *billing link*, not the Azure AD B2C tenant itself. None of the users, apps, user flows, etc. will be affected. +If the source and destination subscriptions are associated with different Microsoft Entra tenants, you can't perform the move via Azure Resource Manager as explained above. However, you can still achieve the same result by unlinking the Azure AD B2C tenant from the source subscription and relinking it to the destination subscription. This method is safe because the only object you delete is the *billing link*, not the Azure AD B2C tenant itself. None of the users, apps, user flows, etc. will be affected. -1. In the Azure AD B2C directory itself, [invite a guest user](user-overview.md#guest-user) from the destination Azure AD tenant (the one that the destination Azure subscription is linked to) and ensure this user has the **Global administrator** role in Azure AD B2C. +1. In the Azure AD B2C directory itself, [invite a guest user](user-overview.md#guest-user) from the destination Microsoft Entra tenant (the one that the destination Azure subscription is linked to) and ensure this user has the **Global administrator** role in Azure AD B2C. 1. Navigate to the *Azure resource* representing Azure AD B2C in your source Azure subscription as explained in the [Manage your Azure AD B2C tenant resources](#manage-your-azure-ad-b2c-tenant-resources) section above. Don't switch to the actual Azure AD B2C tenant. 1. Select the **Delete** button on the **Overview** page. This action *doesn't* delete the related Azure AD B2C tenant's users or applications. It merely removes the billing link from the source subscription.-1. Sign in to the Azure portal with the user account that was added as an administrator in Azure AD B2C in step 1. Then navigate to the destination Azure subscription, which is linked to the destination Azure Active Directory tenant. +1. Sign in to the Azure portal with the user account that was added as an administrator in Azure AD B2C in step 1. Then navigate to the destination Azure subscription, which is linked to the destination Microsoft Entra tenant. 1. Re-establish the billing link in the destination subscription by following the [Create the link](#create-the-link) procedure above.-1. Your Azure AD B2C resource has now moved to the destination Azure subscription (linked to the target Azure Active Directory) and will be billed through this subscription from now on. +1. Your Azure AD B2C resource has now moved to the destination Azure subscription (linked to the target Microsoft Entra ID) and will be billed through this subscription from now on. ## Next steps |
active-directory-b2c | Claim Resolver Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/claim-resolver-overview.md | You can use claims resolvers with the following elements: | Item | Element | Settings | | -- | -- | --| |Application Insights technical profile |`InputClaim` | |-|[Azure Active Directory](active-directory-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2| +|[Microsoft Entra](active-directory-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2| |[OAuth2](oauth2-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2| |[OpenID Connect](openid-connect-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2| |[Claims transformation](claims-transformation-technical-profile.md) technical profile| `InputClaim`, `OutputClaim`| 1, 2| |
active-directory-b2c | Claimsproviders | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/claimsproviders.md | The **ClaimsProvider** element contains the following child elements: | DisplayName | 1:1 | A string that contains the name of the claims provider. | | [TechnicalProfiles](technicalprofiles.md) | 0:1 | A set of technical profiles supported by the claim provider | -**ClaimsProvider** organizes how your technical profiles relate to the claims provider. The following example shows the Azure Active Directory claims provider with the Azure Active Directory technical profiles: +**ClaimsProvider** organizes how your technical profiles relate to the claims provider. The following example shows the Microsoft Entra claims provider with the Microsoft Entra technical profiles: ```xml <ClaimsProvider> |
active-directory-b2c | Client Credentials Grant Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/client-credentials-grant-flow.md | The app architecture and registrations are illustrated in the following diagram: ![Diagram of a web app with web A P I call registrations and tokens.](./media/client-credentials-grant-flow/application-architecture.png) -## Step 1. Register the web API app +## Step 1: Register the web API app In this step you register the web API (**App 2**) with its scopes. Later you'll grant your application (**App 1**) permission to those scopes. If you already have such app registration, skip to the next step [Step 1.1 Define web API roles (scopes)](#step-11-define-web-api-roles-scopes). can't contain spaces. The following example demonstrates two app roles, read and 1. At the top of the page, select **Save** to save the manifest changes. -## Step 2. Register an application +## Step 2: Register an application To enable your app to sign in with Azure AD B2C using client credentials flow, you can use an existing application or register a new one (**App 1**). To grant your app (**App 1**) permissions, follow these steps: 1. Select **Yes**. 1. Select **Refresh**, and then verify that **Granted for ...** appears under **Status** for both scopes. -## Step 3. Obtain an access token +## Step 3: Obtain an access token There are no specific actions to enable the client credentials for user flows or custom policies. Both Azure AD B2C user flows and custom policies support the client credentials flow. If you haven't done so already, create a [user flow or a custom policy](add-sign-up-and-sign-in-policy.md). Then, use your favorite API development application to generate an authorization request. Construct a call like this example with the following information as the body of the POST request: curl --location --request POST 'https://<your-tenant>.b2clogin.com/<your-tenant> --form 'scope="<Your API id uri>/.default"' ``` -## Step 4. Customize the token +## Step 4: Customize the token ::: zone pivot="b2c-user-flow" |
active-directory-b2c | Conditional Access Identity Protection Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/conditional-access-identity-protection-overview.md | -Enhance the security of Azure Active Directory B2C (Azure AD B2C) with Azure AD Identity Protection and Conditional Access. The Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine actions and enforce organizational policies. Together, these capabilities give Azure AD B2C application owners greater control over risky authentications and access policies. +Enhance the security of Azure Active Directory B2C (Azure AD B2C) with Microsoft Entra ID Protection and Conditional Access. The Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine actions and enforce organizational policies. Together, these capabilities give Azure AD B2C application owners greater control over risky authentications and access policies. -If you're already familiar with [Identity Protection](../active-directory/identity-protection/overview-identity-protection.md) and [Conditional Access](../active-directory/conditional-access/overview.md) in Azure AD, using these capabilities with Azure AD B2C will be a familiar experience, with the minor differences discussed in this article. +If you're already familiar with [Identity Protection](../active-directory/identity-protection/overview-identity-protection.md) and [Conditional Access](../active-directory/conditional-access/overview.md) in Microsoft Entra ID, using these capabilities with Azure AD B2C will be a familiar experience, with the minor differences discussed in this article. ![Conditional Access in a B2C tenant](media/conditional-access-identity-protection-overview/conditional-access-b2c.png) If you're already familiar with [Identity Protection](../active-directory/identi By pairing Conditional Access policies with Identity Protection risk detection, you can respond to risky authentications with the appropriate policy action. -- **Gain a new level of visibility into the authentication risks for your apps and your customer base**. With signals from billions of monthly authentications across Azure AD and Microsoft Account, the risk detection algorithms will now flag authentications as low, medium, or high risk for your local consumer or citizen authentications.+- **Gain a new level of visibility into the authentication risks for your apps and your customer base**. With signals from billions of monthly authentications across Microsoft Entra ID and Microsoft Account, the risk detection algorithms will now flag authentications as low, medium, or high risk for your local consumer or citizen authentications. - **Automatically address risks by configuring your own adaptive authentication**. For specified applications, you can require a specific set of users to provide a second authentication factor, as in multi-factor authentication (MFA). Or you can block access based on the risk level detected. As with other Azure AD B2C experiences, you can customize resulting end-user experience with your organization’s voice, style, and brand. You can also display mitigation alternatives if the user isn't able to gain access. - **Control access based on location, groups, and apps**.  Conditional Access can also be used to control non-risk based situations. For example, you can require MFA for customers accessing a specific app, or block access from specified geographies. - **Integrate with Azure AD B2C user flows and Identity Experience Framework custom policies**. Use your existing customized experiences and add the controls you need to interface with Conditional Access. You can also implement advanced scenarios for granting access, such as knowledge-based access or your own preferred MFA provider. ## Feature differences and limitations -Identity Protection and Conditional Access in Azure AD B2C generally work the same way as in Azure AD, with the following exceptions: +Identity Protection and Conditional Access in Azure AD B2C generally work the same way as in Microsoft Entra ID, with the following exceptions: - Microsoft Defender for Cloud isn't available in Azure AD B2C. You can also manage Conditional Access policies in Azure AD B2C with Microsoft G ## Next steps - [Add Conditional Access to user flows](conditional-access-user-flow.md)-- [Learn about Identity Protection in Azure AD](../active-directory/identity-protection/overview-identity-protection.md)+- [Learn about Identity Protection in Microsoft Entra ID](../active-directory/identity-protection/overview-identity-protection.md) - [Learn about Conditional Access](../active-directory/conditional-access/overview.md) |
active-directory-b2c | Conditional Access Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/conditional-access-technical-profile.md | -Azure Active Directory (Azure AD) Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. Automating risk assessment with policy conditions means risky sign-ins are at once identified and remediated or blocked. +Microsoft Entra Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. Automating risk assessment with policy conditions means risky sign-ins are at once identified and remediated or blocked. ## Protocol |
active-directory-b2c | Conditional Access User Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/conditional-access-user-flow.md | zone_pivot_groups: b2c-policy-type # Add Conditional Access to user flows in Azure Active Directory B2C [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]-Conditional Access can be added to your Azure Active Directory B2C (Azure AD B2C) user flows or custom policies to manage risky sign-ins to your applications. Azure Active Directory (Azure AD) Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. +Conditional Access can be added to your Azure Active Directory B2C (Azure AD B2C) user flows or custom policies to manage risky sign-ins to your applications. Microsoft Entra Conditional Access is the tool used by Azure AD B2C to bring signals together, make decisions, and enforce organizational policies. ![Conditional access flow](media/conditional-access-user-flow/conditional-access-flow.png) Automating risk assessment with policy conditions means risky sign-ins are identified immediately and then either remediated or blocked. The following example shows a Conditional Access technical profile used to remed These are the components that enable Conditional Access in Azure AD B2C: - **User flow** or **custom policy** that guides the user through the sign-in and sign-up process.-- **Conditional Access policy** that brings signals together to make decisions and enforce organizational policies. When a user signs into your application via an Azure AD B2C policy, the Conditional Access policy uses Azure AD Identity Protection signals to identify risky sign-ins and presents the appropriate remediation action.+- **Conditional Access policy** that brings signals together to make decisions and enforce organizational policies. When a user signs into your application via an Azure AD B2C policy, the Conditional Access policy uses Microsoft Entra ID Protection signals to identify risky sign-ins and presents the appropriate remediation action. - **Registered application** that directs users to the appropriate Azure AD B2C user flow or custom policy. - [TOR Browser](https://www.torproject.org/download/) to simulate a risky sign-in. ## Service limitations and considerations -When using the Azure AD Conditional Access, consider the following: +When using the Microsoft Entra Conditional Access, consider the following: - Identity Protection is available for both local and social identities, such as Google or Facebook. For social identities, you need to manually activate Conditional Access. Detection is limited because social account credentials are managed by the external identity provider.-- In Azure AD B2C tenants, only a subset of [Azure AD Conditional Access](../active-directory/conditional-access/overview.md) policies is available.+- In Azure AD B2C tenants, only a subset of [Microsoft Entra Conditional Access](../active-directory/conditional-access/overview.md) policies are available. ## Prerequisites To add a Conditional Access policy, disable security defaults: 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.-1. Under **Azure services**, select **Azure Active Directory**. Or use the search box to find and select **Azure Active Directory**. +1. Under **Azure services**, select **Microsoft Entra ID**. Or use the search box to find and select **Microsoft Entra ID**. 1. Select **Properties**, and then select **Manage Security defaults**. ![Disable the security defaults](media/conditional-access-user-flow/disable-security-defaults.png) To add a Conditional Access policy: ## Template 1: Sign-in risk-based Conditional Access -Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multifactor authentication to prove that they are really who they say they are. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Azure AD B2C tenants with P2 licenses can create Conditional Access policies incorporating Azure AD Identity Protection sign-in risk detections. +Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multifactor authentication to prove that they are really who they say they are. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Azure AD B2C tenants with P2 licenses can create Conditional Access policies incorporating Microsoft Entra ID Protection sign-in risk detections. Note the limitations on Identity Protection detections for B2C. If risk is detected, users can perform multifactor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators. The following template can be used to create a Conditional Access policy with di ## Add Conditional Access to a user flow -After you've added the Azure AD Conditional Access policy, enable Conditional Access in your user flow or custom policy. When you enable Conditional Access, you don't need to specify a policy name. +After you've added the Microsoft Entra Conditional Access policy, enable Conditional Access in your user flow or custom policy. When you enable Conditional Access, you don't need to specify a policy name. Multiple Conditional Access policies may apply to an individual user at any time. In this case, the most strict access control policy takes precedence. For example, if one policy requires MFA while the other blocks access, the user will be blocked. ## Enable multifactor authentication (optional) |
active-directory-b2c | Configure Authentication In Azure Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-authentication-in-azure-web-app.md | To register your application, follow these steps: ## Step 3: Configure the Azure App 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD tenant (not the Azure AD B2C tenant). Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find the Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Microsoft Entra tenant (not the Azure AD B2C tenant). Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find the Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Navigate to your Azure web app. 1. Select **Authentication** in the menu on the left. Select **Add identity provider**. 1. Select **OpenID Connect** in the identity provider dropdown. From your server code, the provider-specific tokens are injected into the reques ## Next steps * After successful authentication, you can show display name on the navigation bar. To view the claims that the Azure AD B2C token returns to your app, check out the [Work with user identities in Azure App Service authentication](../app-service/configure-authentication-user-identities.md).-* Learn how to [Work with OAuth tokens in Azure App Service authentication](../app-service/configure-authentication-oauth-tokens.md). +* Learn how to [Work with OAuth tokens in Azure App Service authentication](../app-service/configure-authentication-oauth-tokens.md). |
active-directory-b2c | Configure Security Analytics Sentinel | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-security-analytics-sentinel.md | In this tutorial, learn how to: To define where logs and metrics for a resource are sent, -1. Enable **Diagnostic settings** in Azure AD, in your Azure AD B2C tenant. +1. Enable **Diagnostic settings** in Microsoft Entra ID, in your Azure AD B2C tenant. 2. Configure Azure AD B2C to send logs to Azure Monitor. Learn more, [Monitor Azure AD B2C with Azure Monitor](./azure-monitor.md). |
active-directory-b2c | Configure User Input | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/configure-user-input.md | To collect the city claim after initial sign-in with a federated account, it mus ## Read and write a claim -The following technical profiles are [Active Directory technical profiles](active-directory-technical-profile.md), which read and write data to Azure Active Directory. +The following technical profiles are [Active Directory technical profiles](active-directory-technical-profile.md), which read and write data to Microsoft Entra ID. Use `PersistedClaims` to write data to the user profile and `OutputClaims` to read data from the user profile within the respective Active Directory technical profiles. Override these technical profiles in the extension file. Find the **ClaimsProviders** element. Add a new ClaimsProviders as follows: |
active-directory-b2c | Cookie Definitions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/cookie-definitions.md | The following sections provide information about the cookies used in Azure Activ ## SameSite -The Microsoft Azure AD B2C service is compatible with SameSite browser configurations, including support for `SameSite=None` with the `Secure` attribute. +The Azure B2C service is compatible with SameSite browser configurations, including support for `SameSite=None` with the `Secure` attribute. To safeguard access to sites, web browsers will introduce a new secure-by-default model that assumes all cookies should be protected from external access unless otherwise specified. The Chrome browser is the first to implement this change, starting with [Chrome 80 in February 2020](https://www.chromium.org/updates/same-site/). For more information about preparing for the change in Chrome, see [Developers: Get Ready for New SameSite=None; Secure Cookie Settings](https://blog.chromium.org/2019/10/developers-get-ready-for-new.html) on the Chromium Blog. |
active-directory-b2c | Custom Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-domain.md | The following diagram illustrates Azure Front Door integration: When using custom domains, consider the following: -- You can set up multiple custom domains. For the maximum number of supported custom domains, see [Azure AD service limits and restrictions](../active-directory/enterprise-users/directory-service-limits-restrictions.md) for Azure AD B2C and [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-front-door-classic-limits) for Azure Front Door.+- You can set up multiple custom domains. For the maximum number of supported custom domains, see [Microsoft Entra service limits and restrictions](../active-directory/enterprise-users/directory-service-limits-restrictions.md) for Azure AD B2C and [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-front-door-classic-limits) for Azure Front Door. - Azure Front Door is a separate Azure service, so extra charges will be incurred. For more information, see [Front Door pricing](https://azure.microsoft.com/pricing/details/frontdoor). - After you configure custom domains, users will still be able to access the Azure AD B2C default domain name *<tenant-name>.b2clogin.com* (unless you're using a custom policy and you [block access](#optional-block-access-to-the-default-domain-name). - If you have multiple applications, migrate them all to the custom domain because the browser stores the Azure AD B2C session under the domain name currently being used. When using custom domains, consider the following: [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)] -## Step 1. Add a custom domain name to your Azure AD B2C tenant +## Step 1: Add a custom domain name to your Azure AD B2C tenant Every new Azure AD B2C tenant comes with an initial domain name, <domainname>.onmicrosoft.com. You can't change or delete the initial domain name, but you can add a custom domain. Follow these steps to add a custom domain to your Azure AD B2C tenant: -1. [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name). +1. [Add your custom domain name to Microsoft Entra ID](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name). > [!IMPORTANT]- > For these steps, be sure to sign in to your **Azure AD B2C** tenant and select the **Azure Active Directory** service. + > For these steps, be sure to sign in to your **Azure AD B2C** tenant and select the **Microsoft Entra ID** service. -1. [Add your DNS information to the domain registrar](../active-directory/fundamentals/add-custom-domain.md#add-your-dns-information-to-the-domain-registrar). After you add your custom domain name to Azure AD, create a DNS `TXT`, or `MX` record for your domain. Creating this DNS record for your domain verifies ownership of your domain name. +1. [Add your DNS information to the domain registrar](../active-directory/fundamentals/add-custom-domain.md#add-your-dns-information-to-the-domain-registrar). After you add your custom domain name to Microsoft Entra ID, create a DNS `TXT`, or `MX` record for your domain. Creating this DNS record for your domain verifies ownership of your domain name. The following examples demonstrate TXT records for *login.contoso.com* and *account.contoso.com*: Follow these steps to add a custom domain to your Azure AD B2C tenant: |login | TXT | MS=ms12345678 | |account | TXT | MS=ms87654321 | - The TXT record must be associated with the subdomain, or hostname of the domain. For example, the *login* part of the *contoso.com* domain. If the hostname is empty or `@`, Azure AD won't be able to verify the custom domain you added. In the following examples, both records are configured incorrectly. + The TXT record must be associated with the subdomain, or hostname of the domain. For example, the *login* part of the *contoso.com* domain. If the hostname is empty or `@`, Microsoft Entra ID won't be able to verify the custom domain you added. In the following examples, both records are configured incorrectly. |Name (hostname) |Type |Data | |||| Follow these steps to add a custom domain to your Azure AD B2C tenant: > After the domain is verified, **delete** the DNS TXT record you created. -## Step 2. Create a new Azure Front Door instance +## Step 2: Create a new Azure Front Door instance Follow these steps to create an Azure Front Door: Follow these steps to create an Azure Front Door: 1. Select the **Directories + subscriptions** icon in the portal toolbar. - 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch** button next to the directory. + 1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch** button next to the directory. 1. Follow the steps in [Create Front Door profile - Quick Create](../frontdoor/create-front-door-portal.md#create-front-door-profilequick-create) to create a Front Door for your Azure AD B2C tenant using the following settings: Follow these steps to create an Azure Front Door: :::image type="content" source="./media/custom-domain/azure-front-door-custom-domain-origins.png" alt-text="Screenshot of how to update custom domain origins."::: -## Step 3. Set up your custom domain on Azure Front Door +## Step 3: Set up your custom domain on Azure Front Door In this step, you add the custom domain you registered in [Step 1](#step-1-add-a-custom-domain-name-to-your-azure-ad-b2c-tenant) to your Azure Front Door. The **default-route** routes the traffic from the client to Azure Front Door. Th 1. Select the **Enable route** checkbox. 1. Select **Update** to save the changes. -## Step 4. Configure CORS +## Step 4: Configure CORS If you [customize the Azure AD B2C user interface](customize-ui-with-html.md) with an HTML template, you need to [Configure CORS](customize-ui-with-html.md?pivots=b2c-user-flow.md#3-configure-cors) with your custom domain. When using custom domains, consider the following points: ### Azure AD B2C returns the resource you're looking for has been removed, had its name changed, or is temporarily unavailable. - **Symptom** - You configure a custom domain, but when you try to sign in with the custom domain, you get *the resource you are looking for has been removed, had its name changed, or is temporarily unavailable* error message.-- **Possible causes** - This issue could be related to the Azure AD custom domain verification. +- **Possible causes** - This issue could be related to the Microsoft Entra custom domain verification. - **Resolution**: Make sure the custom domain is [registered and **successfully verified**](#step-1-add-a-custom-domain-name-to-your-azure-ad-b2c-tenant) in your Azure AD B2C tenant. ### Identify provider returns an error |
active-directory-b2c | Custom Policies Series Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policies-series-overview.md | This how-to guide series consists of multiple articles. We recommend that you st |[Create branching in user journey by using Azure Active Directory B2C custom policy](custom-policies-series-branch-user-journey.md) | Learn how to create different user experiences for different users based on the value of a claim.| |[Validate custom policy files by using TrustFrameworkPolicy schema](custom-policies-series-install-xml-extensions.md)| Learn how to validate your custom files against a custom policy schema. You also learn how to easily navigate your policy files by using Azure AD B2C Visual Studio Code (VS Code) extension.| |[Call a REST API by using Azure Active Directory B2C custom policy](custom-policies-series-call-rest-api.md)| Learn how to write a custom policy that integrates with your own RESTful service.|-|[Create and read a user account by using Azure Active Directory B2C custom policy](custom-policies-series-store-user.md)| Learn how to store into and read user details from Azure AD storage by using Azure AD B2C custom policy. You use the Azure Active Directory technical profile.| +|[Create and read a user account by using Azure Active Directory B2C custom policy](custom-policies-series-store-user.md)| Learn how to store into and read user details from Microsoft Entra storage by using Azure AD B2C custom policy. You use the Microsoft Entra technical profile.| |[Set up a sign-up and sign-in flow by using Azure Active Directory B2C custom policy](custom-policies-series-sign-up-or-sign-in.md). | Learn how to configure a sign-up and sign-in flow for a local account(using email and password) by using Azure Active Directory B2C custom policy. You show a user a sign-in interface for them to sign in by using their existing account, but they can create a new account if they don't already have one.| | [Set up a sign-up and sign-in flow with a social account by using Azure Active Directory B2C custom policy](custom-policies-series-sign-up-or-sign-in-federation.md) | Learn how to configure a sign-up and sign-in flow for a social account, Facebook. You also learn to combine local and social sign-up and sign-in flow.| This how-to guide series consists of multiple articles. We recommend that you st - Learn about [Azure AD B2C TrustFrameworkPolicy BuildingBlocks](buildingblocks.md) -- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md)+- [Write your first Azure Active Directory B2C custom policy - Hello World!](custom-policies-series-hello-world.md) |
active-directory-b2c | Custom Policies Series Sign Up Or Sign In Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policies-series-sign-up-or-sign-in-federation.md | Use the steps outlined in [Create the Facebook key](identity-provider-facebook.m To configure sign in with Facebook, you need to perform the following steps: - Declare more claims-- Define more claims transformations to help with claims manipulations such as creating *AlternativeSecurityId*.+- Define more claims transformations to help with claims manipulations such as creating `AlternativeSecurityId`. - Configure Facebook claims provider-- Configure Azure AD technical profiles to read and write the social account from and to the Azure AD database.+- Configure Microsoft Entra technical profiles to read and write the social account from and to the Microsoft Entra database. - Configure a self-asserted technical profile (for accepting additional input from user or updating user details) and its content definition. ### Step 3.1 - Declare more claims -In the `ContosoCustomPolicy.XML` file, locate the *ClaimsSchema* section, and then declare more claims by using the following code: +In the `ContosoCustomPolicy.XML` file, locate the `ClaimsSchema` section, and then declare more claims by using the following code: ```xml <!--<ClaimsSchema>--> In the `ContosoCustomPolicy.XML` file, locate the *ClaimsSchema* section, and th ### Step 3.2 - Define claims transformations -In the `ContosoCustomPolicy.XML` file, locate the *ClaimsTransformations* element, and add claims transformations by using the following code: +In the `ContosoCustomPolicy.XML` file, locate the `ClaimsTransformations` element, and add claims transformations by using the following code: ```xml <!--<ClaimsTransformations>--> In the `ContosoCustomPolicy.XML` file, locate the *ClaimsTransformations* elemen <!--</ClaimsTransformations>--> ``` -We've defined three Claims Transformations, which we use to generate values for *alternativeSecurityId* and *userPrincipalName* claims. These ClaimsTransformations are invoked in the OAuth2 technical profile in [step 3.3](#step-33configure-facebook-claims-provider). +We've defined three Claims Transformations, which we use to generate values for `alternativeSecurityId` and `userPrincipalName` claims. These ClaimsTransformations are invoked in the OAuth2 technical profile in [step 3.3](#step-33configure-facebook-claims-provider). ### Step 3.3 - Configure Facebook claims provider To enable users to sign in using a Facebook account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. You can define a Facebook account as a claims provider. -In the `ContosoCustomPolicy.XML` file, locate *ClaimsProviders* element, add a new claims provider by using the following code: +In the `ContosoCustomPolicy.XML` file, locate `ClaimsProviders` element, add a new claims provider by using the following code: ```xml <!--<ClaimsProviders>--> In the `ContosoCustomPolicy.XML` file, locate *ClaimsProviders* element, add a n ``` Replace:-- `facebook-app-id` with the value of Facebook *appID* you obtained in [step 1](#step-1create-facebook-application). +- `facebook-app-id` with the value of Facebook `appID` you obtained in [step 1](#step-1create-facebook-application). - `facebook-policy-key` with the name of the Facebook policy key you obtained in [step 2](#step-2create-facebook-policy-key). -Notice the claims transformations we defined in [step 3.2](#step-32define-claims-transformations) in the *OutputClaimsTransformations* collection. +Notice the claims transformations we defined in [step 3.2](#step-32define-claims-transformations) in the `OutputClaimsTransformations` collection. -### Step 3.4 - Create Azure AD technical profiles +<a name='step-34create-azure-ad-technical-profiles'></a> -Just like in sign-in with a local account, you need to configure the [Azure AD Technical Profiles](active-directory-technical-profile.md), which you use to connect to Azure AD storage, to store or read a user social account. +### Step 3.4 - Create Microsoft Entra technical profiles -1. In the `ContosoCustomPolicy.XML` file, locate the *AAD-UserUpdate* technical profile and then add a new technical profile by using the following code: +Just like in sign-in with a local account, you need to configure the [Microsoft Entra Technical Profiles](active-directory-technical-profile.md), which you use to connect to Microsoft Entra storage, to store or read a user social account. ++1. In the `ContosoCustomPolicy.XML` file, locate the `AAD-UserUpdate` technical profile and then add a new technical profile by using the following code: ```xml <TechnicalProfile Id="AAD-UserWriteUsingAlternativeSecurityId"> Just like in sign-in with a local account, you need to configure the [Azure AD T </TechnicalProfile> ```- We've added a new Azure AD Technical Profile *AAD-UserWriteUsingAlternativeSecurityId* that writes a new social account into Azure AD. + We've added a new Microsoft Entra Technical Profile `AAD-UserWriteUsingAlternativeSecurityId` that writes a new social account into Microsoft Entra ID. 1. Replace *B2C_1A_TokenSigningKeyContainer* with the token signing key you created in [Configure the signing](custom-policies-series-hello-world.md#step-1configure-the-signing-and-encryption-keys). -1. In the `ContosoCustomPolicy.XML` file, add another Azure AD technical profile after the *AAD-UserWriteUsingAlternativeSecurityId* Technical Profile by using the following code: +1. In the `ContosoCustomPolicy.XML` file, add another Microsoft Entra technical profile after the `AAD-UserWriteUsingAlternativeSecurityId` Technical Profile by using the following code: ```xml <TechnicalProfile Id="AAD-UserReadUsingAlternativeSecurityId"> Just like in sign-in with a local account, you need to configure the [Azure AD T </TechnicalProfile> ``` - We've added a new Azure AD Technical Profile *AAD-UserReadUsingAlternativeSecurityId* that reads a new social account from Azure AD. It uses `alternativeSecurityId` as a unique identifier for the social account. + We've added a new Microsoft Entra Technical Profile `AAD-UserReadUsingAlternativeSecurityId` that reads a new social account from Microsoft Entra ID. It uses `alternativeSecurityId` as a unique identifier for the social account. 1. Replace *B2C_1A_TokenSigningKeyContainer* with the token signing key you created in [Configure the signing](custom-policies-series-hello-world.md#step-1configure-the-signing-and-encryption-keys). Just like in sign-in with a local account, you need to configure the [Azure AD T After a user signs in, you can collect some information from them by using a self-asserted technical profile. So, you need to configure content definition for the self-asserted technical profile. -In the `ContosoCustomPolicy.XML` file, locate the *ContentDefinitions* element, and then add a new content definition in the `ContentDefinitions` collection by using the following code: +In the `ContosoCustomPolicy.XML` file, locate the `ContentDefinitions` element, and then add a new content definition in the `ContentDefinitions` collection by using the following code: ```xml <ContentDefinition Id="socialAccountsignupContentDefinition"> We use this content definition as a metadata in a self-asserted technical profil The self-asserted technical profile you configure in this step is used to collect more information from the user or update similar information obtained from the social account. -In the `ContosoCustomPolicy.XML` file, locate the *ClaimsProviders* section, and then add a new claims provider by using the following code: +In the `ContosoCustomPolicy.XML` file, locate the `ClaimsProviders` section, and then add a new claims provider by using the following code: ```xml <!--<ClaimsProviders>--> In the `ContosoCustomPolicy.XML` file, locate the *ClaimsProviders* section, and <!--</ClaimsProviders>--> ``` -The claims provider we've added contains a self-asserted technical profile, *SelfAsserted-Social*. The self-asserted technical profile uses the *AAD-UserWriteUsingAlternativeSecurityId* Technical Profile as a validation technical profile. So, the *AAD-UserWriteUsingAlternativeSecurityId* Technical Profile executes when the user selects the **Continue** button (see screenshot in [step 7](#step-7test-policy)). +The claims provider we've added contains a self-asserted technical profile, `SelfAsserted-Social`. The self-asserted technical profile uses the `AAD-UserWriteUsingAlternativeSecurityId` Technical Profile as a validation technical profile. So, the `AAD-UserWriteUsingAlternativeSecurityId` Technical Profile executes when the user selects the **Continue** button (see screenshot in [step 7](#step-7test-policy)). -Also, notice that we've added the content definition, *socialAccountsignupContentDefinition*, that we configured in [step 3.5](#step-35configure-content-definition) in the metadata section. +Also, notice that we've added the content definition, `socialAccountsignupContentDefinition`, that we configured in [step 3.5](#step-35configure-content-definition) in the metadata section. ## Step 4 - Update the User journey orchestration steps In the orchestration, we've used make reference to technical profiles that enabl When the custom policy runs: -- **Orchestration Step 1** - This step includes a *ClaimsProviderSelections* element, which lists the available sign-in options a user can choose from. In this case, we've only have one option, *FacebookExchange*, so when the policy runs, users are taken directly to Facebook.com in step 2 as shown by the `TargetClaimsExchangeId` attribute. +- **Orchestration Step 1** - This step includes a `ClaimsProviderSelections` element, which lists the available sign-in options a user can choose from. In this case, we've only have one option, `FacebookExchange`, so when the policy runs, users are taken directly to Facebook.com in step 2 as shown by the `TargetClaimsExchangeId` attribute. -- **Orchestration Step 2** - The *Facebook-OAUTH* technical profile executes, so the user is redirected to Facebook to sign in. +- **Orchestration Step 2** - The `Facebook-OAUTH` technical profile executes, so the user is redirected to Facebook to sign in. -- **Orchestration Step 3** - In step 3, the *AAD-UserReadUsingAlternativeSecurityId* technical profile executes to try to read the user social account from Azure AD storage. If the social account is found, `objectId` is returned as an output claim. +- **Orchestration Step 3** - In step 3, the `AAD-UserReadUsingAlternativeSecurityId` technical profile executes to try to read the user social account from Microsoft Entra storage. If the social account is found, `objectId` is returned as an output claim. - **Orchestration Step 4** - This step runs if the user doesn't already exist (`objectId` doesn't exist). It shows the form that collects more information from the user or updates similar information obtained from the social account. -- **Orchestration Step 5** - This step runs if the user doesn't already exist (`objectId` doesn't exist), so the *AAD-UserWriteUsingAlternativeSecurityId* Technical Profile executes to write the social account into Azure AD. +- **Orchestration Step 5** - This step runs if the user doesn't already exist (`objectId` doesn't exist), so the `AAD-UserWriteUsingAlternativeSecurityId` Technical Profile executes to write the social account into Microsoft Entra ID. - **Orchestration Step 6** - Finally, step 6 assembles and returns the JWT token at the end of the policyΓÇÖs execution. ## Step 5 - Update relying party output claims -In the `ContosoCustomPolicy.XML` file, locate the *RelyingParty* element, and then replace all the output claims collection with the following code: +In the `ContosoCustomPolicy.XML` file, locate the `RelyingParty` element, and then replace all the output claims collection with the following code: ```xml <OutputClaim ClaimTypeReferenceId="displayName" /> Follow the steps in [Test the custom policy](custom-policies-series-validate-use You're redirected to a Facebook sign-in page. Enter your Facebook credentials, and then select **Log In**. You're directly redirected to Facebook as we set it so in our orchestration steps since we don't have multiple sign-in options to choose from. Typically, in an app, you'd add a button like **Sign in with Facebook**, which when selected, runs the policy. -If it's the first time running this policy (social account doesn't already exist in Azure AD storage), you see a screenshot such as the one shown below. You won't see this screen in subsequent policy executions as the social account already exist in Azure AD storage. +If it's the first time running this policy (social account doesn't already exist in Microsoft Entra storage), you see a screenshot such as the one shown below. You won't see this screen in subsequent policy executions as the social account already exist in Microsoft Entra storage. :::image type="content" source="media/custom-policies-series-sign-up-or-sign-in-federation/screenshot-of-sign-in-social-account.png" alt-text="Screenshot of sign-in flow with social account."::: Use the following steps to add a combined local and social account: <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="localIdpAuthentication" AlwaysUseDefaultValue="true" /> ``` -1. In the `UserJourneys` section, add a new user journey, *LocalAndSocialSignInAndSignUp* by using the following code: +1. In the `UserJourneys` section, add a new user journey, `LocalAndSocialSignInAndSignUp` by using the following code: ```xml <!--<UserJourneys>--> Use the following steps to add a combined local and social account: <!--</UserJourneys>--> ``` -1. In the user journey you've created, *LocalAndSocialSignInAndSignUp*, add orchestration steps by using the following code: +1. In the user journey you've created, `LocalAndSocialSignInAndSignUp`, add orchestration steps by using the following code: ```xml <!--<UserJourneys> Use the following steps to add a combined local and social account: ## Next steps -- Learn more about how to [Define an OAuth2 technical profile in an Azure Active Directory B2C custom policy](oauth2-technical-profile.md).+- Learn more about how to [Define an OAuth2 technical profile in an Azure Active Directory B2C custom policy](oauth2-technical-profile.md). |
active-directory-b2c | Custom Policies Series Sign Up Or Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policies-series-sign-up-or-sign-in.md | In this article, you learn how to write an Azure Active Directory B2C (Azure AD ## Overview -Azure AD B2C uses OpenID Connect authentication protocol to verify user credentials. In Azure AD B2C, you send the user credentials alongside other information to a secure endpoint, which then determines if the credentials are valid or not. In a nutshell, when you use Azure AD B2C's implementation of OpenID Connect, you can outsource sign-up, sign in, and other identity management experiences in your web applications to Azure Active Directory (Azure AD). +Azure AD B2C uses OpenID Connect authentication protocol to verify user credentials. In Azure AD B2C, you send the user credentials alongside other information to a secure endpoint, which then determines if the credentials are valid or not. In a nutshell, when you use Azure AD B2C's implementation of OpenID Connect, you can outsource sign-up, sign in, and other identity management experiences in your web applications to Microsoft Entra ID. Azure AD B2C custom policy provides a OpenID Connect technical profile, which you use to make a call to a secure Microsoft endpoint. Learn more about [OpenID Connect technical profile](openid-connect-technical-profile.md). When the custom policy runs: - **Orchestration Step 4** - This step runs if the user signs up (objectId doesn't exist), so we display the sign-up form by invoking the *UserInformationCollector* self-asserted technical profile. This step runs whether a user signs up or signs in. -- **Orchestration Step 5** - This step reads account information from Azure AD (we invoke *AAD-UserRead* Azure AD technical profile), so it runs whether a user signs up or signs in. +- **Orchestration Step 5** - This step reads account information from Microsoft Entra ID (we invoke *AAD-UserRead* Microsoft Entra technical profile), so it runs whether a user signs up or signs in. - **Orchestration Step 6** - This step invokes the *UserInputMessageClaimGenerator* technical profile to assemble the userΓÇÖs greeting message. |
active-directory-b2c | Custom Policies Series Store User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policies-series-store-user.md | -Azure Active Directory B2C (Azure AD B2C) is built on Azure Active Directory (Azure AD), and so it uses Azure AD storage to store user accounts. Azure AD B2C directory user profile comes with a built-in set of attributes, such as given name, surname, city, postal code, and phone number, but you can [extend the user profile with your own custom attributes](user-flow-custom-attributes.md) without requiring an external data store. +Azure Active Directory B2C (Azure AD B2C) is built on Microsoft Entra ID, and so it uses Microsoft Entra storage to store user accounts. Azure AD B2C directory user profile comes with a built-in set of attributes, such as given name, surname, city, postal code, and phone number, but you can [extend the user profile with your own custom attributes](user-flow-custom-attributes.md) without requiring an external data store. -Your custom policy can connect to Azure AD storage by using [Azure AD technical profile](active-directory-technical-profile.md) to store, update or delete user information. In this article, you'll learn how to configure a set of Azure AD technical profiles to store and read a user account before a JWT token is returned. +Your custom policy can connect to Microsoft Entra storage by using [Microsoft Entra technical profile](active-directory-technical-profile.md) to store, update or delete user information. In this article, you'll learn how to configure a set of Microsoft Entra technical profiles to store and read a user account before a JWT token is returned. ## Scenario overview You need to declare two more claims, `userPrincipalName`, and `passwordPolicies` Learn more about the uses of the `userPrincipalName` and `passwordPolicies` claims in [User profile attributes](user-profile-attributes.md) article. -## Step 2 - Create Azure AD technical profiles +<a name='step-2create-azure-ad-technical-profiles'></a> -You need to configure two [Azure AD Technical Profile](active-directory-technical-profile.md). One technical profile writes user details into Azure AD storage, and the other reads a user account from Azure AD storage. +## Step 2 - Create Microsoft Entra technical profiles -1. In the `ContosoCustomPolicy.XML` file, locate the *ClaimsProviders* element, and add a new claims provider by using the code below. This claims provider holds the Azure AD technical profiles: +You need to configure two [Microsoft Entra Technical Profile](active-directory-technical-profile.md). One technical profile writes user details into Microsoft Entra storage, and the other reads a user account from Microsoft Entra storage. ++1. In the `ContosoCustomPolicy.XML` file, locate the *ClaimsProviders* element, and add a new claims provider by using the code below. This claims provider holds the Microsoft Entra technical profiles: ```xml <ClaimsProvider> You need to configure two [Azure AD Technical Profile](active-directory-technica </TechnicalProfiles> </ClaimsProvider> ``` -1. In the claims provider you just created, add an Azure AD technical profile by using the following code: +1. In the claims provider you just created, add a Microsoft Entra technical profile by using the following code: ```xml <TechnicalProfile Id="AAD-UserWrite"> You need to configure two [Azure AD Technical Profile](active-directory-technica </TechnicalProfile> ``` - We've added a new Azure AD technical profile, *AAD-UserWrite*. You need to take note of the following important parts of the technical profile: - - - *Operation*: The operation specifies the action to be performed, in this case, *Write*. Learn more about other [operations in an Azure AD technical provider](active-directory-technical-profile.md#azure-ad-technical-profile-operations). - - - *Persisted claims*: The *PersistedClaims* element contains all of the values that should be stored into Azure AD storage. - - - *InputClaims*: The *InputClaims* element contains a claim, which is used to look up an account in the directory, or create a new one. There must be exactly one input claim element in the input claims collection for all Azure AD technical profiles. This technical profile uses the *email* claim, as the key identifier for the user account. Learn more about [other key identifiers you can use uniquely identify a user account](active-directory-technical-profile.md#inputclaims). + We've added a new Microsoft Entra technical profile, `AAD-UserWrite`. You need to take note of the following important parts of the technical profile: ++ - *Operation*: The operation specifies the action to be performed, in this case, *Write*. Learn more about other [operations in a Microsoft Entra technical provider](active-directory-technical-profile.md#azure-ad-technical-profile-operations). ++ - *Persisted claims*: The *PersistedClaims* element contains all of the values that should be stored into Microsoft Entra storage. ++ - *InputClaims*: The *InputClaims* element contains a claim, which is used to look up an account in the directory, or create a new one. There must be exactly one input claim element in the input claims collection for all Microsoft Entra technical profiles. This technical profile uses the *email* claim, as the key identifier for the user account. Learn more about [other key identifiers you can use uniquely identify a user account](active-directory-technical-profile.md#inputclaims). 1. In the `ContosoCustomPolicy.XML` file, locate the `AAD-UserWrite` technical profile, and then add a new technical profile after it by using the following code: You need to configure two [Azure AD Technical Profile](active-directory-technica </TechnicalProfile> ``` - We've added a new Azure AD technical profile, `AAD-UserRead`. We've configured this technical profile to perform a read operation, and to return `objectId`, `userPrincipalName`, `givenName`, `surname` and `displayName` claims if a user account with the `email` in the `InputClaim` section is found. + We've added a new Microsoft Entra technical profile, `AAD-UserRead`. We've configured this technical profile to perform a read operation, and to return `objectId`, `userPrincipalName`, `givenName`, `surname` and `displayName` claims if a user account with the `email` in the `InputClaim` section is found. -## Step 3 - Use the Azure AD technical profile +<a name='step-3use-the-azure-ad-technical-profile'></a> -After we collect user details by using the `UserInformationCollector` self-asserted technical profile, we need to write a user account into Azure AD storage by using the `AAD-UserWrite` technical profile. To do so, use the `AAD-UserWrite` technical profile as a validation technical profile in the `UserInformationCollector` self-asserted technical profile. +## Step 3 - Use the Microsoft Entra technical profile ++After we collect user details by using the `UserInformationCollector` self-asserted technical profile, we need to write a user account into Microsoft Entra storage by using the `AAD-UserWrite` technical profile. To do so, use the `AAD-UserWrite` technical profile as a validation technical profile in the `UserInformationCollector` self-asserted technical profile. In the `ContosoCustomPolicy.XML` file, locate the `UserInformationCollector` technical profile, and then add `AAD-UserWrite` technical profile as a validation technical profile in the `ValidationTechnicalProfiles` collection. You need to add this after the `CheckCompanyDomain` validation technical profile. We use the `ClaimGenerator` technical profile to execute three claims transforma </OutputClaimsTransformations> </TechnicalProfile> ```- We've broken the technical profile into two separate technical profiles. The *UserInputMessageClaimGenerator* technical profile generates the message sent as claim in the JWT token. The *UserInputDisplayNameGenerator* technical profile generates the `displayName` claim. The `displayName` claim value must be available before the `AAD-UserWrite` technical profile writes the user record into Azure AD storage. In the new code, we remove the *GenerateRandomObjectIdTransformation* as the `objectId` is created and returned by Azure AD after an account is created, so we don't need to generate it ourselves within the policy. + We've broken the technical profile into two separate technical profiles. The *UserInputMessageClaimGenerator* technical profile generates the message sent as claim in the JWT token. The *UserInputDisplayNameGenerator* technical profile generates the `displayName` claim. The `displayName` claim value must be available before the `AAD-UserWrite` technical profile writes the user record into Microsoft Entra storage. In the new code, we remove the *GenerateRandomObjectIdTransformation* as the `objectId` is created and returned by Microsoft Entra ID after an account is created, so we don't need to generate it ourselves within the policy. 1. In the `ContosoCustomPolicy.XML` file, locate the `UserInformationCollector` self-asserted technical profile, and then add the `UserInputDisplayNameGenerator` technical profile as a validation technical profile. After you do so, the `UserInformationCollector` technical profile's `ValidationTechnicalProfiles` collection should look similar to the following code: We use the `ClaimGenerator` technical profile to execute three claims transforma <!--</TechnicalProfile>--> ``` - You must add the validation technical profile before `AAD-UserWrite` as the `displayName` claim value must be available before the `AAD-UserWrite` technical profile writes the user record into Azure AD storage. + You must add the validation technical profile before `AAD-UserWrite` as the `displayName` claim value must be available before the `AAD-UserWrite` technical profile writes the user record into Microsoft Entra storage. ## Step 5 - Update the user journey orchestration steps After the policy finishes execution, and you receive your ID token, check that t :::image type="content" source="media/custom-policies-series-store-user/screenshot-of-create-users-custom-policy.png" alt-text="A screenshot of creating a user account in Azure AD."::: -In our *AAD-UserWrite* Azure AD Technical Profile, we specify that if the user already exists, we raise an error message. +In our `AAD-UserWrite` Microsoft Entra Technical Profile, we specify that if the user already exists, we raise an error message. Test your custom policy again by using the same **Email Address**. Instead of the policy executing to completion to issue an ID token, you should see an error message similar to the screenshot below. To declare the claim, in the `ContosoCustomPolicy.XML` file, locate the `ClaimsS ### Configure a send and verify code technical profile -Azure AD B2C uses [Azure AD SSPR technical profile](aad-sspr-technical-profile.md) to verify an email address. This technical profile can generate and send a code to an email address or verifies the code depending on how you configure it. +Azure AD B2C uses [Microsoft Entra SSPR technical profile](aad-sspr-technical-profile.md) to verify an email address. This technical profile can generate and send a code to an email address or verifies the code depending on how you configure it. In the `ContosoCustomPolicy.XML` file, locate the `ClaimsProviders` element and add the claims provider by using the following code: To configure a display control, use the following steps: 1. Use the procedure in [step 6](#step-6upload-policy) and [step 7](#step-7test-policy) to upload your policy file, and test it. This time, you must verify your email address before a user account is created. -## Update user account by using Azure AD technical profile +<a name='update-user-account-by-using-azure-ad-technical-profile'></a> ++## Update user account by using Microsoft Entra technical profile -You can configure an Azure AD technical profile to update a user account instead of attempting to create a new one. To do so, set the Azure AD technical profile to throw an error if the specified user account doesn't already exist in the `Metadata` collection by using the following code. The *Operation* needs to be set to *Write*: +You can configure a Microsoft Entra technical profile to update a user account instead of attempting to create a new one. To do so, set the Microsoft Entra technical profile to throw an error if the specified user account doesn't already exist in the `Metadata` collection by using the following code. The *Operation* needs to be set to *Write*: ```xml <!--<Item Key="Operation">Write</Item>--> In this article, you've learned how to store user details using [built-in user p - Learn how to [add password expiration to custom policy](https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-after-90-days). -- Learn more about [Azure AD Technical Profile](active-directory-technical-profile.md). +- Learn more about [Microsoft Entra Technical Profile](active-directory-technical-profile.md). |
active-directory-b2c | Custom Policy Developer Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-developer-notes.md | The following table summarizes the Security Assertion Markup Language (SAML) app |[AD FS](identity-provider-adfs.md) | NA | GA | | |[Amazon](identity-provider-amazon.md) | GA | GA | | |[Apple](identity-provider-apple-id.md) | GA | GA | |-|[Azure AD (Single-tenant)](identity-provider-azure-ad-single-tenant.md) | GA | GA | | -|[Azure AD (Multi-tenant)](identity-provider-azure-ad-multi-tenant.md) | NA | GA | | +|[Microsoft Entra ID (Single-tenant)](identity-provider-azure-ad-single-tenant.md) | GA | GA | | +|[Microsoft Entra ID (Multi-tenant)](identity-provider-azure-ad-multi-tenant.md) | NA | GA | | |[Azure AD B2C](identity-provider-azure-ad-b2c.md) | GA | GA | | |[eBay](identity-provider-ebay.md) | NA | Preview | | |[Facebook](identity-provider-facebook.md) | GA | GA | | The following table summarizes the Security Assertion Markup Language (SAML) app ||::|::|| |[OAuth2](oauth2-technical-profile.md) | NA | GA | For example, [Google](identity-provider-google.md), [GitHub](identity-provider-github.md), and [Facebook](identity-provider-facebook.md).| |[OAuth1](oauth1-technical-profile.md) | NA | GA | For example, [Twitter](identity-provider-twitter.md). |-|[OpenID Connect](openid-connect-technical-profile.md) | GA | GA | For example, [Azure AD](identity-provider-azure-ad-single-tenant.md). | +|[OpenID Connect](openid-connect-technical-profile.md) | GA | GA | For example, [Microsoft Entra ID](identity-provider-azure-ad-single-tenant.md). | |[SAML2](identity-provider-generic-saml.md) | NA | GA | For example, [Salesforce](identity-provider-salesforce-saml.md) and [AD-FS](identity-provider-adfs.md). | | WSFED | NA | NA | | The following table summarizes the Security Assertion Markup Language (SAML) app | - | :--: | -- | | [MFA using time-based one-time password (TOTP) with authenticator apps](multi-factor-authentication.md#verification-methods) | GA | Users can use any authenticator app that supports TOTP verification, such as the [Microsoft Authenticator app](https://www.microsoft.com/security/mobile-authenticator-app).| | [Phone factor authentication](phone-factor-technical-profile.md) | GA | |-| [Azure AD MFA authentication](multi-factor-auth-technical-profile.md) | GA | | +| [Microsoft Entra multifactor authentication authentication](multi-factor-auth-technical-profile.md) | GA | | | [One-time password](one-time-password-technical-profile.md) | GA | |-| [Azure Active Directory](active-directory-technical-profile.md) as local directory | GA | | +| [Microsoft Entra ID](active-directory-technical-profile.md) as local directory | GA | | | [Predicate validations](predicates.md) | GA | For example, password complexity. | | [Display controls](display-controls.md) | GA | | | [Sub journeys](subjourneys.md) | GA | | |
active-directory-b2c | Custom Policy Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-overview.md | Within an Azure AD B2C custom policy, you can integrate your own business logic - Within the **base policy**, we highly recommend avoiding making any changes. When necessary, make comments where the changes are made. - When you're overriding an element, such as technical profile metadata, avoid copying the entire technical profile from the base policy. Instead, copy only the required section of the element. See [Disable email verification](./disable-email-verification.md) for an example of how to make the change. - To reduce duplication of technical profiles, where core functionality is shared, use [technical profile inclusion](technicalprofiles.md#include-technical-profile).-- Avoid writing to the Azure AD directory during sign-in, which may lead to throttling issues.+- Avoid writing to the Microsoft Entra directory during sign-in, which may lead to throttling issues. - If your policy has external dependencies, such as REST APIs, makes sure they're highly available. - For a better user experience, make sure your custom HTML templates, are globally deployed using [online content delivery](../cdn/index.yml). Azure Content Delivery Network (CDN) lets you reduce load times, save bandwidth, and improve response speed. - If you want to make a change to user journey, copy the entire user journey from the base policy to the extension policy. Provide a unique user journey ID to the user journey you've copied. Then in the [relying party policy](relyingparty.md), change the [default user journey](relyingparty.md#defaultuserjourney) element to point to the new user journey. |
active-directory-b2c | Custom Policy Reference Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-reference-sso.md | The following table shows which session provider to use depending on the type of |Session provider |Applicable technical profile types| Purpose |Write claims|Read claims| ||||||-|[DefaultSSOSessionProvider](#defaultssosessionprovider) | [Self-asserted](self-asserted-technical-profile.md), [Azure Active Directory](active-directory-technical-profile.md), [Azure AD Multi-Factor Authentication](multi-factor-auth-technical-profile.md), [Claims transformation](claims-transformation-technical-profile.md)| Skips technical profile execution.| Yes | Yes | +|[DefaultSSOSessionProvider](#defaultssosessionprovider) | [Self-asserted](self-asserted-technical-profile.md), [Microsoft Entra ID](active-directory-technical-profile.md), [Microsoft Entra multifactor authentication](multi-factor-auth-technical-profile.md), [Claims transformation](claims-transformation-technical-profile.md)| Skips technical profile execution.| Yes | Yes | |[ExternalLoginSSOSessionProvider](#externalloginssosessionprovider) | [OAuth1 identity provider](oauth1-technical-profile.md), [Oauth2 identity provider](oauth2-technical-profile.md), [OpenID Connect identity provider](openid-connect-technical-profile.md), [SAML identity provider](saml-identity-provider-technical-profile.md)| Accelerate identity provider selection page. Performing single-logout.|Yes|Yes| |[OAuthSSOSessionProvider](#oauthssosessionprovider) |[JWT token issuer](jwt-issuer-technical-profile.md) | Manages session between OAuth2 or OpenId Connect relying party and Azure AD B2C. Performs single-logout. | No | No | |[SamlSSOSessionProvider](#samlssosessionprovider) | [SAML token issuer](saml-issuer-technical-profile.md) | Manages session between SAML relying party and Azure AD B2C. Performs single-logout. | No | No | For example, the `SM-AAD`session management technical profile uses the `DefaultS ## ExternalLoginSSOSessionProvider -The `ExternalLoginSSOSessionProvider` session provider is used to skip the "identity provider selection" screen and sign-out from a federated identity provider. ItΓÇÖs typically referenced in a technical profile configured for a federated identity provider, such as Facebook, or Azure Active Directory. +The `ExternalLoginSSOSessionProvider` session provider is used to skip the "identity provider selection" screen and sign-out from a federated identity provider. ItΓÇÖs typically referenced in a technical profile configured for a federated identity provider, such as Facebook or Microsoft Entra ID. - **Fresh logon** - The `PersistedClaims` element will write claims into the session cookie. Persisted claims canΓÇÖt be rewritten. The `NoopSSOSessionProvider` session provider is used to suppress single sign on - [Claims transformation](claims-transformation-technical-profile.md) - To create, or transform claims that are later used to determine which orchestration steps to process or skip. - [Restful](restful-technical-profile.md) - Fetch updated data from a Restful service each time the policy runs. You can also call a Restful for extended logging, and auditing. - [Self-asserted](self-asserted-technical-profile.md) - Force the user to provide data each time the policy runs. For example, verify emails with one-time pass-code, or ask the user's consent.-- [Phonefactor](phone-factor-technical-profile.md) - Force the user to perform Multi Factor Authentication as part of a "step up authentication", even during subsequent logons (single sign-on).+- [Phonefactor](phone-factor-technical-profile.md) - Force the user to perform multifactor authentication as part of a "step up authentication" even during subsequent logons (single sign-on). This type of session provider doesn't persist claims to the user's session cookie. The following `SM-Noop` technical profile is type of `NoopSSOSessionProvider` session provider. The `SM-Noop` technical profile can be found in the [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack). To suppress single sign on behavior of a technical profile, add a reference to ` ## Next steps Learn how to [configure session behavior](session-behavior.md).- |
active-directory-b2c | Customize Ui With Html | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/customize-ui-with-html.md | Create a custom page content with your product's brand name in the title. In this article, we use Azure Blob storage to host our content. You can choose to host your content on a web server, but you must [enable CORS on your web server](https://enable-cors.org/server.html). > [!NOTE]-> In an Azure AD B2C tenant, you can't provision Blob storage. You must create this resource in your Azure AD tenant. +> In an Azure AD B2C tenant, you can't provision Blob storage. You must create this resource in your Microsoft Entra tenant. To host your HTML content in Blob storage, use the following steps: 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD tenant, and which has a subscription: +1. Make sure you're using the directory that contains your Microsoft Entra tenant, and which has a subscription: 1. Select the **Directories + subscriptions** icon in the portal toolbar.- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the Directory name list, and then select **Switch**. + 1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the Directory name list, and then select **Switch**. 1. In the Azure portal, search for and select **Storage accounts** 1. Select **+ Create**. 1. Select a **Subscription** for your storage account. To host your HTML content in Blob storage, use the following steps: 1. Select the geographical **Region** for your storage account. 1. **Performance** can remain **Standard**. 1. **Redundancy** can remain **Geo-redundant storage (GRS)**-1. Select **Review + create** and wait a few seconds for Azure AD to run a validation. +1. Select **Review + create** and wait a few seconds for Microsoft Entra ID to run a validation. 1. Select **Create** to create the storage account. After the deployment is completed, the storage account page opens automatically or you need to select **Go to resource**. #### 2.1 Create a container |
active-directory-b2c | Customize Ui | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/customize-ui.md | Example of the Classic template rendered on sign up sign in page: ### Company branding -You can customize your Azure AD B2C pages with a banner logo, background image, and background color by using Azure Active Directory [Company branding](../active-directory/fundamentals/how-to-customize-branding.md). The company branding includes signing up, signing in, profile editing, and password resetting. +You can customize your Azure AD B2C pages with a banner logo, background image, and background color by using Microsoft Entra ID [Company branding](../active-directory/fundamentals/how-to-customize-branding.md). The company branding includes signing up, signing in, profile editing, and password resetting. The following example shows a *Sign up and sign in* page with a custom logo, background image, using Ocean Blue template: Classic: ## Configure company branding -To customize your user flow pages, you first configure company branding in Azure Active Directory, then you enable it in your user flows in Azure AD B2C. +To customize your user flow pages, you first configure company branding in Microsoft Entra ID, then you enable it in your user flows in Azure AD B2C. Start by setting the banner logo, background image, and background color within **Company branding**. Start by setting the banner logo, background image, and background color within 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. In the Azure portal, search for and select **Azure AD B2C**. 1. Under **Manage**, select **Company branding**.-1. Follow the steps in [Add branding to your organization's Azure Active Directory sign-in page](../active-directory/fundamentals/how-to-customize-branding.md). +1. Follow the steps in [Add branding to your organization's Microsoft Entra sign-in page](../active-directory/fundamentals/how-to-customize-branding.md). Keep these things in mind when you configure company branding in Azure AD B2C: |
active-directory-b2c | Data Residency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/data-residency.md | -Azure Active Directory B2C (Azure AD B2C) stores customer data in a geographic location based on how a tenant was created and provisioned. For the Azure portal or Azure AD API, the location is defined when a customer selects a location from the pre-defined list. +Azure Active Directory B2C (Azure AD B2C) stores customer data in a geographic location based on how a tenant was created and provisioned. For the Azure portal or Microsoft Entra API, the location is defined when a customer selects a location from the pre-defined list. Region availability and data residency are two different concepts that apply to Azure AD B2C. This article explains the differences between these two concepts, and compares how they apply to Azure versus Azure AD B2C. [Region availability](#region-availability) refers to where a service is available for use whereas [Data residency](#data-residency) refers to where user data is stored. The following locations are in the process of being added to the list. For now, > Argentina, Brazil, Chile, Colombia, Ecuador, Iraq, Paraguay, Peru, Uruguay, and Venezuela -To find the exact location where your data is located per country/region, refer to [where Azure Active Directory data is located](https://aka.ms/aaddatamap)service. +To find the exact location where your data is located per country/region, refer to [where Microsoft Entra data is located](https://aka.ms/aaddatamap)service. ### Go-Local add-on |
active-directory-b2c | Deploy Custom Policies Devops | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/deploy-custom-policies-devops.md | With a Microsoft Graph application registered, you're ready to configure a repos 1. In the root directory of your repository, create a folder named `Scripts`. Create a PowerShell file *DeployToB2C.ps1*. Paste the following PowerShell script into *DeployToB2C.ps1*. 1. **Commit** and **Push** the changes. -The following script acquires an access token from Azure AD. With the token, the script calls the MS Graph API to upload the policies in the *B2CAssets* folder. You can also change the content of the policy before uploading it. For example, replace the `tenant-name.onmicrosoft.com` with your tenant name. +The following script acquires an access token from Microsoft Entra ID. With the token, the script calls the MS Graph API to upload the policies in the *B2CAssets* folder. You can also change the content of the policy before uploading it. For example, replace the `tenant-name.onmicrosoft.com` with your tenant name. ```PowerShell [Cmdletbinding()] |
active-directory-b2c | Disable Email Verification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/disable-email-verification.md | The **LocalAccountSignUpWithLogonEmail** technical profile is a [self-asserted]( ## Update and test the relying party file 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD tenant. Select the **Directories + Subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Microsoft Entra tenant. Select the **Directories + Subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**. 1. Select **Identity Experience Framework**. 1. Select **Upload Custom Policy**, and then upload the two policy files that you changed. The **LocalAccountSignUpWithLogonEmail** technical profile is a [self-asserted]( ## Next steps - Learn how to [customize the user interface in Azure Active Directory B2C](customize-ui-with-html.md)- |
active-directory-b2c | Display Control Time Based One Time Password | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/display-control-time-based-one-time-password.md | -Use time-based one-time password (TOTP) [display controls](display-controls.md) to enable multifactor authentication (MFA) using the TOTP method. End users need to use an authenticator app that generates TOTP codes, such as the [Microsoft Authenticator app](https://www.microsoft.com/security/mobile-authenticator-app) or any other authenticator app that supports TOTP verification. +Use time-based one-time password (TOTP) [display controls](display-controls.md) to enable multifactor authentication using the TOTP method. End users need to use an authenticator app that generates TOTP codes, such as the [Microsoft Authenticator app](https://www.microsoft.com/security/mobile-authenticator-app) or any other authenticator app that supports TOTP verification. To enable TOTP within your custom policy, use the following display controls: The following XML code shows the `EnableOTPAuthentication` self-asserted technic ## Verification flow -The verification TOTP code is done by another self-asserted technical profile that uses display claims and a validation technical profile. For more information, see [Define an Azure AD MFA technical profile in an Azure AD B2C custom policy](multi-factor-auth-technical-profile.md). +The verification TOTP code is done by another self-asserted technical profile that uses display claims and a validation technical profile. For more information, see [Define a Microsoft Entra multifactor authentication technical profile in an Azure AD B2C custom policy](multi-factor-auth-technical-profile.md). The following screenshot illustrates a TOTP verification page. The following screenshot illustrates a TOTP verification page. - Learn more about multifactor authentication in [Enable multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md?pivots=b2c-custom-policy) -- Learn how to validate a TOTP code in [Define an Azure AD MFA technical profile](multi-factor-auth-technical-profile.md).+- Learn how to validate a TOTP code in [Define a Microsoft Entra multifactor authentication technical profile](multi-factor-auth-technical-profile.md). -- Explore a sample [Azure AD B2C MFA with TOTP using any Authenticator app custom policy in GitHub](https://github.com/azure-ad-b2c/samples/tree/master/policies/totp). +- Explore a sample [Azure AD B2C MFA with TOTP using any Authenticator app custom policy in GitHub](https://github.com/azure-ad-b2c/samples/tree/master/policies/totp). |
active-directory-b2c | Display Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/display-controls.md | The **Precondition** element contains following elements: | `Value` | 1:n | The data that is used by the check. If the type of this check is `ClaimsExist`, this field specifies a ClaimTypeReferenceId to query for. If the type of check is `ClaimEquals`, this field specifies a ClaimTypeReferenceId to query for. Specify the value to be checked in another value element.| | `Action` | 1:1 | The action that should be taken if the precondition check within an orchestration step is true. The value of the **Action** is set to `SkipThisValidationTechnicalProfile`, which specifies that the associated validation technical profile should not be executed. | -The following example sends and verifies the email address using [Azure AD SSPR technical profile](aad-sspr-technical-profile.md). +The following example sends and verifies the email address using [Microsoft Entra SSPR technical profile](aad-sspr-technical-profile.md). ```xml <DisplayControl Id="emailVerificationControl" UserInterfaceControlType="VerificationControl"> |
active-directory-b2c | Enable Authentication In Node Web App With Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/enable-authentication-in-node-web-app-with-api.md | In the `index.js` file, add the following code: Take note of the following code snippets in the `index.js`file: -- Imports the passport Azure AD library+- Imports the passport Microsoft Entra library :::code language="JavaScript" source="~/active-directory-b2c-javascript-nodejs-webapi/index.js" id="ms_docref_import_azuread_lib"::: Take note of the following code snippets in the `index.js`file: :::code language="JavaScript" source="~/active-directory-b2c-javascript-nodejs-webapi/index.js" id="ms_docref_azureadb2c_options"::: -- Instantiate the passport Azure AD library with the Azure AD B2C options+- Instantiate the passport Microsoft Entra library with the Azure AD B2C options :::code language="JavaScript" source="~/active-directory-b2c-javascript-nodejs-webapi/index.js" id="ms_docref_init_azuread_lib"::: npm install @azure/msal-node - If the `accessToken` isn't in the session, call the anonymous API endpoint (`http://localhost:5000/public`), otherwise, call the protected API endpoint (`http://localhost:5000/hello`). - `/signout`: - Signs out the user.- - clears the web app session is and makes an http call to the Azure AD B2c logout endpoint. + - clears the web app session is and makes an http call to the Azure AD B2C logout endpoint. ## Step 3: Run the web app and API |
active-directory-b2c | External Identities Videos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/external-identities-videos.md | -Learn the basics of External Identities - Azure Active Directory B2C (Azure AD B2C) and Azure Active Directory B2B (Azure AD B2B) in the Microsoft identity platform. +Learn the basics of External Identities - Azure Active Directory B2C (Azure AD B2C) and Microsoft Entra B2B in the Microsoft identity platform. ## Azure Active Directory B2C architecture deep dive series Learn how to perform various use cases in Azure AD B2C. | Video title | Video |Video title|Video| |:|:|:|:|-|[Azure AD: Monitoring and reporting Azure AD B2C using Azure Monitor](https://www.youtube.com/watch?v=Mu9GQy-CbXI&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=1) 6:57|[:::image type="icon" source="./media/external-identities-videos/monitoring-reporting.png" border="false":::](https://www.youtube.com/watch?v=Mu9GQy-CbXI&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=2)|[Azure AD B2C user migration using Microsoft Graph API](https://www.youtube.com/watch?v=9BRXBtkBzL4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=5) 7:09| [:::image type="icon" source="./media/external-identities-videos/user-migration-msgraph-api.png" border="false":::](https://www.youtube.com/watch?v=9BRXBtkBzL4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=6)| +|[Monitoring and reporting Azure AD B2C using Azure Monitor](https://www.youtube.com/watch?v=Mu9GQy-CbXI&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=1) 6:57|[:::image type="icon" source="./media/external-identities-videos/monitoring-reporting.png" border="false":::](https://www.youtube.com/watch?v=Mu9GQy-CbXI&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=2)|[Azure AD B2C user migration using Microsoft Graph API](https://www.youtube.com/watch?v=9BRXBtkBzL4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=5) 7:09| [:::image type="icon" source="./media/external-identities-videos/user-migration-msgraph-api.png" border="false":::](https://www.youtube.com/watch?v=9BRXBtkBzL4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=6)| | [Azure AD B2C user migration strategies](https://www.youtube.com/watch?v=lCWR6PGUgz0&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=2) 8:22| [:::image type="icon" source="./media/external-identities-videos/user-migration-stratagies.png" border="false":::](https://www.youtube.com/watch?v=lCWR6PGUgz0&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=3)| [How to localize or customize language using Azure AD B2C](https://www.youtube.com/watch?v=yqrX5_tA7Ms&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=13) 20:41| [:::image type="icon" source="./media/external-identities-videos/language-localization.png" border="false":::](https://www.youtube.com/watch?v=yqrX5_tA7Ms&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=14) | |[Configure monitoring: Azure AD B2C using Azure Monitor](https://www.youtube.com/watch?v=tF2JS6TGc3g&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=14) 17:23 | [:::image type="icon" source="./media/external-identities-videos/configure-monitoring.png" border="false":::](https://www.youtube.com/watch?v=tF2JS6TGc3g&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=15) | [Configuring custom domains in Azure AD B2C using Azure Front Door](https://www.youtube.com/watch?v=mVNB59VK-DQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=13) 19:45| [:::image type="icon" source="./media/external-identities-videos/configure-custom-domains.png" border="false":::](https://www.youtube.com/watch?v=mVNB59VK-DQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=14) | |
active-directory-b2c | Find Help Open Support Ticket | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/find-help-open-support-ticket.md | If you're unable to find answers by using self-help resources, you can open an o 1. Sign in to the [Azure portal](https://portal.azure.com). -1. Make sure you're using the Azure Active Directory (Azure AD) tenant that contains your Azure subscription: +1. Make sure you're using the Microsoft Entra tenant that contains your Azure subscription: 1. In the Azure portal toolbar, select the **Directories + subscriptions** (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::) icon. - 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch** button next to it. + 1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch** button next to it. -1. In the Azure portal, search for and select **Azure Active Directory**. +1. In the Azure portal, search for and select **Microsoft Entra ID**. 1. In the left menu, under **Troubleshooting + Support**, select **New support request**. |
active-directory-b2c | Force Password Reset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/force-password-reset.md | To enable the **Forced password reset** setting in a sign-up or sign-in user flo ## Test the user flow -1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator or a password administrator. For more information about the available roles, see [Assigning administrator roles in Azure Active Directory](../active-directory/roles/permissions-reference.md#all-roles). +1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator or a password administrator. For more information about the available roles, see [Assigning administrator roles in Microsoft Entra ID](../active-directory/roles/permissions-reference.md#all-roles). 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. In the Azure portal, search for and select **Azure AD B2C**. Once a password expiration policy has been set, you must also configure force pa ### Password expiry duration -By default, the password is set not to expire. However, the value is configurable by using the [Set-MsolPasswordPolicy](/powershell/module/msonline/set-msolpasswordpolicy) cmdlet from the Azure Active Directory Module for Windows PowerShell. This command updates the tenant, so that all users' passwords expire after number of days you configure. +By default, the password is set not to expire. However, the value is configurable by using the [Set-MsolPasswordPolicy](/powershell/module/msonline/set-msolpasswordpolicy) cmdlet from the Azure AD Module for Windows PowerShell. This command updates the tenant, so that all users' passwords expire after number of days you configure. ## Next steps |
active-directory-b2c | Id Token Hint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/id-token-hint.md | When using a symmetric key, the **CryptographicKeys** element contains the follo ### Issue a token with symmetric keys -#### Step 1. Create a shared key +#### Step 1: Create a shared key Create a key that can be used to sign the token. For example, use the following PowerShell code to generate a key. $newClientSecret This code creates a secret string like `VK62QTn0m1hMcn0DQ3RPYDAr6yIiSvYgdRwjZtU5QhI=`. -#### Step 2. Add the signing key to Azure AD B2C +#### Step 2: Add the signing key to Azure AD B2C The same key that is used by the token issuer needs to be created in your Azure AD B2C policy keys. The same key that is used by the token issuer needs to be created in your Azure 1. Confirm that you've created the key `B2C_1A_IdTokenHintKey`. -#### Step 3. Add the ID token hint technical profile +#### Step 3: Add the ID token hint technical profile The following technical profile validates the token and extracts the claims. The following technical profile validates the token and extracts the claims. </ClaimsProvider> ``` -#### Step 4. Prepare your policy +#### Step 4: Prepare your policy Complete the [Configure your policy](#configure-your-policy) step. -#### Step 5. Prepare the code +#### Step 5: Prepare the code The [GitHub sample](https://github.com/azure-ad-b2c/id_token_hint/tree/master/dotnet_core_symmetric_key) is an ASP.NET web application and console app that generates an ID token that is signed using a symmetric key. ### Issue a token with asymmetric keys -With an asymmetric key, the token is signed using RSA certificates. This application hosts an Open ID Connect metadata endpoint and JSON Web Keys (JWKs) endpoint that is used by Azure AD B2C to validate the signature of the ID token. +With an asymmetric key, the token is signed using RSA certificates. This application hosts an OpenID Connect metadata endpoint and JSON Web Keys (JWKs) endpoint that is used by Azure AD B2C to validate the signature of the ID token. The token issuer must provide following endpoints: The token issuer must provide following endpoints: See the [`TokenMetadataController.cs`](https://github.com/azure-ad-b2c/id-token-builder/blob/master/source-code/B2CIdTokenBuilder/Controllers/TokenMetadataController.cs) .NET MVC controller sample. -#### Step 1. Prepare a self-signed certificate +#### Step 1: Prepare a self-signed certificate If you don't already have a certificate, you can use a self-signed certificate for this how-to guide. On Windows, you can use PowerShell's [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate) cmdlet to generate a certificate. New-SelfSignedCertificate ` ``` -#### Step 2. Add the ID token hint technical profile +#### Step 2: Add the ID token hint technical profile The following technical profile validates the token and extracts the claims. Change the metadata URI to your token issuer well-known configuration endpoint. The following technical profile validates the token and extracts the claims. Cha </ClaimsProvider> ``` -#### Step 3. Prepare your policy +#### Step 3: Prepare your policy Complete the [Configure your policy](#configure-your-policy) step. -#### Step 4. Prepare the code +#### Step 4: Prepare the code This [GitHub sample](https://github.com/azure-ad-b2c/id-token-builder) ASP.NET web application generates ID tokens and hosts the metadata endpoints required to use the "id_token_hint" parameter in Azure AD B2C. |
active-directory-b2c | Identity Protection Investigate Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-protection-investigate-risk.md | When using Identity Protection, consider the following: - Identity Protection is on by default. - Identity Protection is available for both local and social identities, such as Google or Facebook. For social identities, Conditional Access must be activated. Detection is limited because the social account credentials are managed by the external identity provider.-- In Azure AD B2C tenants, only a subset of the [Azure AD Identity Protection risk detections](../active-directory/identity-protection/overview-identity-protection.md) is available. The following risk detections are supported by Azure AD B2C: +- In Azure AD B2C tenants, only a subset of the [Microsoft Entra ID Protection risk detections](../active-directory/identity-protection/overview-identity-protection.md) is available. The following risk detections are supported by Azure AD B2C: |Risk detection type |Description | ||| When using Identity Protection, consider the following: |Unfamiliar sign-in properties | Sign-in with properties we've not seen recently for the given user. | |Admin confirmed user compromised | An admin has indicated that a user was compromised. | |Password spray | Sign-in through a password spray attack. |-|Azure AD threat intelligence | Microsoft's internal and external threat intelligence sources have identified a known attack pattern. | +|Microsoft Entra threat intelligence | Microsoft's internal and external threat intelligence sources have identified a known attack pattern. | ## Pricing tier Administrators can then choose to return to the user's risk or sign-ins report t ## Next steps -- [Add Conditional Access to a user flow](conditional-access-user-flow.md).+- [Add Conditional Access to a user flow](conditional-access-user-flow.md). |
active-directory-b2c | Identity Provider Azure Ad B2c | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-b2c.md | This article describes how to set up a federation with another Azure AD B2C tena [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)] ### Verify the application's publisher domain-As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../active-directory/develop/howto-configure-publisher-domain.md) ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../active-directory/develop/publisher-verification-overview.md) about this change.) Note that for Azure AD B2C user flows, the publisherΓÇÖs domain appears only when using a [Microsoft account](../active-directory-b2c/identity-provider-microsoft-account.md) or other Azure AD tenant as the identity provider. To meet these new requirements, do the following: +As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../active-directory/develop/howto-configure-publisher-domain.md) ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../active-directory/develop/publisher-verification-overview.md) about this change.) Note that for Azure AD B2C user flows, the publisherΓÇÖs domain appears only when using a [Microsoft account](../active-directory-b2c/identity-provider-microsoft-account.md) or other Microsoft Entra tenant as the identity provider. To meet these new requirements, do the following: 1. [Verify your company identity using your Microsoft Partner Network (MPN) account](/partner-center/verification-responses). This process verifies information about your company and your companyΓÇÖs primary contact. 1. Complete the publisher verification process to associate your MPN account with your app registration using one of the following options:- - If the app registration for the Microsoft account identity provider is in an Azure AD tenant, [verify your app in the App Registration portal](../active-directory/develop/mark-app-as-publisher-verified.md). + - If the app registration for the Microsoft account identity provider is in a Microsoft Entra tenant, [verify your app in the App Registration portal](../active-directory/develop/mark-app-as-publisher-verified.md). - If your app registration for the Microsoft account identity provider is in an Azure AD B2C tenant, [mark your app as publisher verified using Microsoft Graph APIs](../active-directory/develop/troubleshoot-publisher-verification.md#making-microsoft-graph-api-calls) (for example, using Graph Explorer). The UI for setting an appΓÇÖs verified publisher is currently disabled for Azure AD B2C tenants. ## Create an Azure AD B2C application If the sign-in process is successful, your browser is redirected to `https://jwt ## Next steps -Learn how to [pass the other Azure AD B2C token to your application](idp-pass-through-user-flow.md). +Learn how to [pass the other Azure AD B2C token to your application](idp-pass-through-user-flow.md). |
active-directory-b2c | Identity Provider Azure Ad Multi Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant.md | Title: Set up sign-in for multi-tenant Azure AD by custom policies + Title: Set up sign-in for multi-tenant Microsoft Entra ID by custom policies -description: Add a multi-tenant Azure AD identity provider using custom policies in Azure Active Directory B2C. +description: Add a multi-tenant Microsoft Entra identity provider using custom policies in Azure Active Directory B2C. -# Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C +# Set up sign-in for multi-tenant Microsoft Entra ID using custom policies in Azure Active Directory B2C [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)] zone_pivot_groups: b2c-policy-type ::: zone pivot="b2c-custom-policy" -This article shows you how to enable sign-in for users using the multi-tenant endpoint for Azure Active Directory (Azure AD). Allowing users from multiple Azure AD tenants to sign in using Azure AD B2C, without you having to configure an identity provider for each tenant. However, guest members in any of these tenants **will not** be able to sign in. For that, you need to [individually configure each tenant](identity-provider-azure-ad-single-tenant.md). +This article shows you how to enable sign-in for users using the multi-tenant endpoint for Microsoft Entra ID. Allowing users from multiple Microsoft Entra tenants to sign in using Azure AD B2C, without you having to configure an identity provider for each tenant. However, guest members in any of these tenants **will not** be able to sign in. For that, you need to [individually configure each tenant](identity-provider-azure-ad-single-tenant.md). ## Prerequisites This article shows you how to enable sign-in for users using the multi-tenant en > [!NOTE] > In this article, it assumed that **SocialAndLocalAccounts** starter pack is used in the previous steps mentioned in pre-requisite. -## Register an Azure AD app +<a name='register-an-azure-ad-app'></a> -To enable sign-in for users with an Azure AD account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). +## Register a Microsoft Entra app ++To enable sign-in for users with a Microsoft Entra account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your organizational Azure AD tenant (for example, Contoso). Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your organizational Microsoft Entra tenant (for example, Contoso). Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**. 1. Select **New registration**. 1. Enter a **Name** for your application. For example, `Azure AD B2C App`.-1. Select **Accounts in any organizational directory (Any Azure AD directory ΓÇô Multitenant)** for this application. +1. Select **Accounts in any organizational directory (Any Microsoft Entra directory ΓÇô Multitenant)** for this application. 1. For the **Redirect URI**, accept the value of **Web**, and enter the following URL in all lowercase letters, where `your-B2C-tenant-name` is replaced with the name of your Azure AD B2C tenant. ``` To enable sign-in for users with an Azure AD account in Azure Active Directory B ### Configuring optional claims -If you want to get the `family_name`, and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/optional-claims.md). +If you want to get the `family_name`, and `given_name` claims from Microsoft Entra ID, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Microsoft Entra app](../active-directory/develop/optional-claims.md). -1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Azure Active Directory**. +1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Microsoft Entra ID**. 1. From the **Manage** section, select **App registrations**. 1. Select the application you want to configure optional claims for in the list. 1. From the **Manage** section, select **Token configuration**. You need to store the application key that you created in your Azure AD B2C tena 1. For **Key usage**, select `Signature`. 1. Select **Create**. -## Configure Azure AD as an identity provider +<a name='configure-azure-ad-as-an-identity-provider'></a> ++## Configure Microsoft Entra ID as an identity provider -To enable users to sign in using an Azure AD account, you need to define Azure AD as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated. +To enable users to sign in using a Microsoft Entra account, you need to define Microsoft Entra ID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated. -You can define Azure AD as a claims provider by adding Azure AD to the **ClaimsProvider** element in the extension file of your policy. +You can define Microsoft Entra ID as a claims provider by adding Microsoft Entra ID to the **ClaimsProvider** element in the extension file of your policy. 1. Open the *SocialAndLocalAccounts/**TrustFrameworkExtensions.xml*** file (see the files you've used in the prerequisites). 1. Find the **ClaimsProviders** element. If it does not exist, add it under the root element. You can define Azure AD as a claims provider by adding Azure AD to the **ClaimsP 1. Under the **ClaimsProvider** element, update the value for **Domain** to a unique value that can be used to distinguish it from other identity providers. 1. Under the **TechnicalProfile** element, update the value for **DisplayName**, for example, `Multi-Tenant AAD`. This value is displayed on the sign-in button on your sign-in page.-1. Set **client_id** to the application ID of the Azure AD multi-tenant application that you registered earlier. +1. Set **client_id** to the application ID of the Microsoft Entra multi-tenant application that you registered earlier. 1. Under **CryptographicKeys**, update the value of **StorageReferenceId** to the name of the policy key that created earlier. For example, `B2C_1A_AADAppSecret`. ### Restrict access -Using `https://login.microsoftonline.com/` as the value for **ValidTokenIssuerPrefixes** allows all Azure AD users to sign in to your application. Update the list of valid token issuers and restrict access to a specific list of Azure AD tenant users who can sign in. +Using `https://login.microsoftonline.com/` as the value for **ValidTokenIssuerPrefixes** allows all Microsoft Entra users to sign in to your application. Update the list of valid token issuers and restrict access to a specific list of Microsoft Entra tenant users who can sign in. -To obtain the values, look at the OpenID Connect discovery metadata for each of the Azure AD tenants that you would like to have users sign in from. The format of the metadata URL is similar to `https://login.microsoftonline.com/your-tenant/v2.0/.well-known/openid-configuration`, where `your-tenant` is your Azure AD tenant name. For example: +To obtain the values, look at the OpenID Connect discovery metadata for each of the Microsoft Entra tenants that you would like to have users sign in from. The format of the metadata URL is similar to `https://login.microsoftonline.com/your-tenant/v2.0/.well-known/openid-configuration`, where `your-tenant` is your Microsoft Entra tenant name. For example: `https://login.microsoftonline.com/fabrikam.onmicrosoft.com/v2.0/.well-known/openid-configuration` -Perform these steps for each Azure AD tenant that should be used to sign in: +Perform these steps for each Microsoft Entra tenant that should be used to sign in: 1. Open your browser and go to the OpenID Connect metadata URL for the tenant. Find the `issuer` object and record its value. It should look similar to `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0`. 1. Copy and paste the value into the **ValidTokenIssuerPrefixes** key. Separate multiple issuers with a comma. An example with two issuers appears in the previous `ClaimsProvider` XML sample. Perform these steps for each Azure AD tenant that should be used to sign in: 1. Select your relying party policy, for example `B2C_1A_signup_signin`. 1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`. 1. Select the **Run now** button.-1. From the sign-up or sign-in page, select **Common AAD** to sign in with Azure AD account. +1. From the sign-up or sign-in page, select **Common Microsoft Entra ID** to sign in with Microsoft Entra account. -To test the multi-tenant sign-in capability, perform the last two steps using the credentials for a user that exists another Azure AD tenant. Copy the **Run now endpoint** and open it in a private browser window, for example, Incognito Mode in Google Chrome or an InPrivate window in Microsoft Edge. Opening in a private browser window allows you to test the full user journey by not using any currently cached Azure AD credentials. +To test the multi-tenant sign-in capability, perform the last two steps using the credentials for a user that exists another Microsoft Entra tenant. Copy the **Run now endpoint** and open it in a private browser window, for example, Incognito Mode in Google Chrome or an InPrivate window in Microsoft Edge. Opening in a private browser window allows you to test the full user journey by not using any currently cached Microsoft Entra credentials. If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C. ## Next steps -- Learn how to [pass the Azure AD token to your application](idp-pass-through-user-flow.md).-- Check out the Azure AD multi-tenant federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory), and how to pass Azure AD access token [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory-with-access-token)+- Learn how to [pass the Microsoft Entra token to your application](idp-pass-through-user-flow.md). +- Check out the Microsoft Entra multi-tenant federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory), and how to pass Microsoft Entra access token [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory-with-access-token) ::: zone-end |
active-directory-b2c | Identity Provider Azure Ad Single Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-azure-ad-single-tenant.md | Title: Set up sign-in for an Azure AD organization + Title: Set up sign-in for a Microsoft Entra organization -description: Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C. +description: Set up sign-in for a specific Microsoft Entra organization in Azure Active Directory B2C. -# Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C +# Set up sign-in for a specific Microsoft Entra organization in Azure Active Directory B2C -This article shows you how to enable sign-in for users from a specific Azure AD organization using a user flow in Azure AD B2C. +This article shows you how to enable sign-in for users from a specific Microsoft Entra organization using a user flow in Azure AD B2C. [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)] This article shows you how to enable sign-in for users from a specific Azure AD [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)] ### Verify the application's publisher domain-As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../active-directory/develop/howto-configure-publisher-domain.md) ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../active-directory/develop/publisher-verification-overview.md) about this change.) Note that for Azure AD B2C user flows, the publisherΓÇÖs domain appears only when using a [Microsoft account](../active-directory-b2c/identity-provider-microsoft-account.md) or other Azure AD tenant as the identity provider. To meet these new requirements, do the following: +As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../active-directory/develop/howto-configure-publisher-domain.md) ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../active-directory/develop/publisher-verification-overview.md) about this change.) Note that for Azure AD B2C user flows, the publisherΓÇÖs domain appears only when using a [Microsoft account](../active-directory-b2c/identity-provider-microsoft-account.md) or other Microsoft Entra tenant as the identity provider. To meet these new requirements, do the following: 1. [Verify your company identity using your Microsoft Partner Network (MPN) account](/partner-center/verification-responses). This process verifies information about your company and your companyΓÇÖs primary contact. 1. Complete the publisher verification process to associate your MPN account with your app registration using one of the following options:- - If the app registration for the Microsoft account identity provider is in an Azure AD tenant, [verify your app in the App Registration portal](../active-directory/develop/mark-app-as-publisher-verified.md). + - If the app registration for the Microsoft account identity provider is in a Microsoft Entra tenant, [verify your app in the App Registration portal](../active-directory/develop/mark-app-as-publisher-verified.md). - If your app registration for the Microsoft account identity provider is in an Azure AD B2C tenant, [mark your app as publisher verified using Microsoft Graph APIs](../active-directory/develop/troubleshoot-publisher-verification.md#making-microsoft-graph-api-calls) (for example, using Graph Explorer). The UI for setting an appΓÇÖs verified publisher is currently disabled for Azure AD B2C tenants. -## Register an Azure AD app +<a name='register-an-azure-ad-app'></a> -To enable sign-in for users with an Azure AD account from a specific Azure AD organization, in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). +## Register a Microsoft Entra app ++To enable sign-in for users with a Microsoft Entra account from a specific Microsoft Entra organization, in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your organizational Azure AD tenant (for example, Contoso): +1. Make sure you're using the directory that contains your organizational Microsoft Entra tenant (for example, Contoso): 1. Select the **Directories + subscriptions** icon in the portal toolbar.- 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. -1. In the Azure portal, search for and select **Azure Active Directory**. + 2. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. +1. In the Azure portal, search for and select **Microsoft Entra ID**. 1. In the left menu, under **Manage**, select **App registrations**. 1. Select **+ New registration**. 1. Enter a **Name** for your application. For example, `Azure AD B2C App`. To enable sign-in for users with an Azure AD account from a specific Azure AD or ::: zone pivot="b2c-user-flow" -## Configure Azure AD as an identity provider +<a name='configure-azure-ad-as-an-identity-provider'></a> ++## Configure Microsoft Entra ID as an identity provider 1. Make sure you're using the directory that contains Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**. 1. Select **Identity providers**, and then select **New OpenID Connect provider**.-1. Enter a **Name**. For example, enter *Contoso Azure AD*. -1. For **Metadata url**, enter the following URL replacing `{tenant}` with the domain name of your Azure AD tenant: +1. Enter a **Name**. For example, enter *Contoso Microsoft Entra ID*. +1. For **Metadata url**, enter the following URL replacing `{tenant}` with the domain name of your Microsoft Entra tenant: ``` https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration To enable sign-in for users with an Azure AD account from a specific Azure AD or 1. Select **Save**. -## Add Azure AD identity provider to a user flow +<a name='add-azure-ad-identity-provider-to-a-user-flow-'></a> -At this point, the Azure AD identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Azure AD identity provider to a user flow: +## Add Microsoft Entra identity provider to a user flow ++At this point, the Microsoft Entra identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Microsoft Entra identity provider to a user flow: 1. In your Azure AD B2C tenant, select **User flows**.-1. Click the user flow that you want to add the Azure AD identity provider. +1. Click the user flow that you want to add the Microsoft Entra identity provider. 1. Under **Settings**, select **Identity providers**-1. Under **Custom identity providers**, select **Contoso Azure AD**. +1. Under **Custom identity providers**, select **Contoso Microsoft Entra ID**. 1. Select **Save**. 1. To test your policy, select **Run user flow**. 1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`. 1. Select the **Run user flow** button.-1. From the sign-up or sign-in page, select **Contoso Azure AD** to sign in with Azure AD Contoso account. +1. From the sign-up or sign-in page, select **Contoso Microsoft Entra ID** to sign in with Microsoft Entra Contoso account. If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C. You need to store the application key that you created in your Azure AD B2C tena 1. For **Key usage**, select `Signature`. 1. Select **Create**. -## Configure Azure AD as an identity provider +<a name='configure-azure-ad-as-an-identity-provider'></a> ++## Configure Microsoft Entra ID as an identity provider -To enable users to sign in using an Azure AD account, you need to define Azure AD as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated. +To enable users to sign in using a Microsoft Entra account, you need to define Microsoft Entra ID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated. -You can define Azure AD as a claims provider by adding Azure AD to the **ClaimsProvider** element in the extension file of your policy. +You can define Microsoft Entra ID as a claims provider by adding Microsoft Entra ID to the **ClaimsProvider** element in the extension file of your policy. 1. Open the *TrustFrameworkExtensions.xml* file. 2. Find the **ClaimsProviders** element. If it does not exist, add it under the root element. You can define Azure AD as a claims provider by adding Azure AD to the **ClaimsP ### Update the technical profile -To get a token from the Azure AD endpoint, you need to define the protocols that Azure AD B2C should use to communicate with Azure AD. This is done inside the **TechnicalProfile** element of **ClaimsProvider**. +To get a token from the Microsoft Entra endpoint, you need to define the protocols that Azure AD B2C should use to communicate with Microsoft Entra ID. This is done inside the **TechnicalProfile** element of **ClaimsProvider**. 1. Update the ID of the **TechnicalProfile** element. This ID is used to refer to this technical profile from other parts of the policy, for example `AADContoso-OpenIdConnect`. 1. Update the value for **DisplayName**. This value will be displayed on the sign-in button on your sign-in screen. 1. Update the value for **Description**.-1. Azure AD uses the OpenID Connect protocol, so make sure that the value for **Protocol** is `OpenIdConnect`. -1. Set value of the **METADATA** to `https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration`, where `tenant-name` is your Azure AD tenant name. For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration` +1. Microsoft Entra ID uses the OpenID Connect protocol, so make sure that the value for **Protocol** is `OpenIdConnect`. +1. Set value of the **METADATA** to `https://login.microsoftonline.com/tenant-name.onmicrosoft.com/v2.0/.well-known/openid-configuration`, where `tenant-name` is your Microsoft Entra tenant name. For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration` 1. Set **client_id** to the application ID from the application registration. 1. Under **CryptographicKeys**, update the value of **StorageReferenceId** to the name of the policy key that you created earlier. For example, `B2C_1A_ContosoAppSecret`. To get a token from the Azure AD endpoint, you need to define the protocols that 1. Select your relying party policy, for example `B2C_1A_signup_signin`. 1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`. 1. Select the **Run now** button.-1. From the sign-up or sign-in page, select **Contoso Employee** to sign in with Azure AD Contoso account. +1. From the sign-up or sign-in page, select **Contoso Employee** to sign in with Microsoft Entra Contoso account. If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C. If the sign-in process is successful, your browser is redirected to `https://jwt ### [Optional] Configuring optional claims -If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/optional-claims.md). +If you want to get the `family_name` and `given_name` claims from Microsoft Entra ID, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Microsoft Entra app](../active-directory/develop/optional-claims.md). -1. Sign in to the [Azure portal](https://portal.azure.com) using your organizational Azure AD tenant. Or if you're already signed in, make sure you're using the directory that contains your organizational Azure AD tenant (for example, Contoso): +1. Sign in to the [Azure portal](https://portal.azure.com) using your organizational Microsoft Entra tenant. Or if you're already signed in, make sure you're using the directory that contains your organizational Microsoft Entra tenant (for example, Contoso): 1. Select the **Directories + subscriptions** icon in the portal toolbar.- 2. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. -1. In the Azure portal, search for and select **Azure Active Directory**. + 2. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. +1. In the Azure portal, search for and select **Microsoft Entra ID**. 1. In the left menu, under **Manage**, select **App registrations**. 1. Select the application you want to configure optional claims for in the list, such as `Azure AD B2C App`. 1. From the **Manage** section, select **Token configuration**. If you want to get the `family_name` and `given_name` claims from Azure AD, you ## Next steps -Learn how to [pass the Azure AD token to your application](idp-pass-through-user-flow.md). +Learn how to [pass the Microsoft Entra token to your application](idp-pass-through-user-flow.md). |
active-directory-b2c | Identity Provider Generic Saml Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-generic-saml-options.md | If both `SPNameQualifier` or `NameQualifier` attributes aren't presented in the The SAML requests are sent to the identity provider as specified in the identity provider's metadata `SingleSignOnService` element. Most of the identity providers' authorization requests are carried directly in the URL query string of an HTTP GET request (as the messages are relatively short). Refer to your identity provider documentation for how to configure the bindings for both SAML requests. -The following XML is an example of an Azure AD metadata single sign-on service with two bindings. The `HTTP-Redirect` takes precedence over the `HTTP-POST` because it appears first in the SAML identity provider metadata. +The following XML is an example of a Microsoft Entra metadata single sign-on service with two bindings. The `HTTP-Redirect` takes precedence over the `HTTP-POST` because it appears first in the SAML identity provider metadata. ```xml <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> Azure AD B2C uses `Sha1` to sign the SAML request. Use the **XmlSignatureAlgorit ### Include key info -When the identity provider indicates that Azure AD B2C binding is set to `HTTP-POST`, Azure AD B2C includes the signature and the algorithm in the body of the SAML request. You can also configure Azure AD to include the public key of the certificate when the binding is set to `HTTP-POST`. Use the **IncludeKeyInfo** metadata to `true`, or `false`. In the following example, Azure AD doesn't include the public key of the certificate. +When the identity provider indicates that Azure AD B2C binding is set to `HTTP-POST`, Azure AD B2C includes the signature and the algorithm in the body of the SAML request. You can also configure Microsoft Entra ID to include the public key of the certificate when the binding is set to `HTTP-POST`. Use the **IncludeKeyInfo** metadata to `true`, or `false`. In the following example, Microsoft Entra ID doesn't include the public key of the certificate. ```xml <Metadata> |
active-directory-b2c | Identity Provider Microsoft Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/identity-provider-microsoft-account.md | zone_pivot_groups: b2c-policy-type To enable sign-in for users with a Microsoft account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in the [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). If you don't already have a Microsoft account, you can get one at [https://www.live.com/](https://www.live.com/). 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the directory that contains your Azure AD tenant. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the directory that contains your Microsoft Entra tenant. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**. 1. Select **New registration**. 1. Enter a **Name** for your application. For example, *MSAapp1*. To enable sign-in for users with a Microsoft account in Azure Active Directory B 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**. 1. Select **Identity providers**, then select **Microsoft Account**. 1. Enter a **Name**. For example, *MSA*.-1. For the **Client ID**, enter the Application (client) ID of the Azure AD application that you created earlier. +1. For the **Client ID**, enter the Application (client) ID of the Microsoft Entra application that you created earlier. 1. For the **Client secret**, enter the client secret that you recorded. 1. Select **Save**. If the sign-in process is successful, your browser is redirected to `https://jwt ## Configuring optional claims -If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/optional-claims.md). +If you want to get the `family_name` and `given_name` claims from Microsoft Entra ID, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Microsoft Entra app](../active-directory/develop/optional-claims.md). -1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Azure Active Directory**. +1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Microsoft Entra ID**. 1. From the **Manage** section, select **App registrations**. 1. Select the application you want to configure optional claims for in the list. 1. From the **Manage** section, select **Token configuration (preview)**. If you want to get the `family_name` and `given_name` claims from Azure AD, you ## Create a policy key -Now that you've created the application in your Azure AD tenant, you need to store that application's client secret in your Azure AD B2C tenant. +Now that you've created the application in your Microsoft Entra tenant, you need to store that application's client secret in your Azure AD B2C tenant. 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. Now that you've created the application in your Azure AD tenant, you need to sto To enable users to sign in using a Microsoft account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated. -You can define Azure AD as a claims provider by adding the **ClaimsProvider** element in the extension file of your policy. +You can define Microsoft Entra ID as a claims provider by adding the **ClaimsProvider** element in the extension file of your policy. 1. Open the *TrustFrameworkExtensions.xml* policy file. 1. Find the **ClaimsProviders** element. If it does not exist, add it under the root element. You can define Azure AD as a claims provider by adding the **ClaimsProvider** el </ClaimsProvider> ``` -1. Replace the value of **client_id** with the Azure AD application's *Application (client) ID* that you recorded earlier. +1. Replace the value of **client_id** with the Microsoft Entra application's *Application (client) ID* that you recorded earlier. 1. Save the file. -You've now configured your policy so that Azure AD B2C knows how to communicate with your Microsoft account application in Azure AD. +You've now configured your policy so that Azure AD B2C knows how to communicate with your Microsoft account application in Microsoft Entra ID. [!INCLUDE [active-directory-b2c-add-identity-provider-to-user-journey](../../includes/active-directory-b2c-add-identity-provider-to-user-journey.md)] |
active-directory-b2c | Implicit Flow Single Page Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/implicit-flow-single-page-application.md | The parameters in the HTTP GET request are explained in the table below. | response_type | Yes | Must include `id_token` for OpenID Connect sign in. It can also include the response type `token`. If you use `token`, your app can immediately receive an access token from the authorize endpoint, without making a second request to the authorize endpoint. If you use the `token` response type, the `scope` parameter must contain a scope that indicates which resource to issue the token for. | | redirect_uri | No | The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs that you added to a registered application in the portal, except that it must be URL-encoded. | | response_mode | No | Specifies the method to use to send the resulting token back to your app. For implicit flows, use `fragment`. |-| scope | Yes | A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web apps. It indicates that your app needs a refresh token for long-lived access to resources. | +| scope | Yes | A space-separated list of scopes. A single scope value indicates to Microsoft Entra ID both of the permissions that are being requested. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web apps. It indicates that your app needs a refresh token for long-lived access to resources. | | state | No | A value included in the request that also is returned in the token response. It can be a string of any content that you want to use. Usually, a randomly generated, unique value is used, to prevent cross-site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred, for example, the page the user was on, or the user flow that was being executed. | | nonce | Yes | A value included in the request (generated by the app) that is included in the resulting ID token as a claim. The app can then verify this value to mitigate token replay attacks. Usually, the value is a randomized, unique string that can be used to identify the origin of the request. | | prompt | No | The type of user interaction that's required. Currently, the only valid value is `login`. This parameter forces the user to enter their credentials on that request. Single Sign-On doesn't take effect. | Several more validations that you should perform are described in detail in the * Ensuring that the user has proper authorization and privileges. -* Ensuring that a certain strength of authentication has occurred, such as by using Azure AD Multi-Factor Authentication. +* Ensuring that a certain strength of authentication has occurred, such as by using Microsoft Entra multifactor authentication. For more information about the claims in an ID token, see the [Azure AD B2C token reference](tokens-overview.md). After you've validated the ID token, you can begin a session with the user. In y If the only thing your web apps needs to do is execute user flows, you can skip the next few sections. The information in the following sections is applicable only to web apps that need to make authenticated calls to a web API that is protected by Azure AD B2C itself. -Now that you've signed the user into your SPA, you can get access tokens for calling web APIs that are secured by Azure AD. Even if you've already received a token by using the `token` response type, you can use this method to acquire tokens for additional resources without redirecting the user to sign in again. +Now that you've signed the user into your SPA, you can get access tokens for calling web APIs that are secured by Microsoft Entra ID. Even if you've already received a token by using the `token` response type, you can use this method to acquire tokens for additional resources without redirecting the user to sign in again. In a typical web app flow, you would make a request to the `/token` endpoint. However, the endpoint doesn't support CORS requests, so making AJAX calls to get a refresh token isn't an option. Instead, you can use the implicit flow in a hidden HTML iframe element to get new tokens for other web APIs. Here's an example, with line breaks for legibility: |
active-directory-b2c | Language Customization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/language-customization.md | Chrome and Firefox both request for their set language. If it's a supported lang ## Supported languages -Azure AD B2C includes support for the following languages by using ISO 639-1 codes. User flow languages are provided by Azure AD B2C. The multi-factor authentication (MFA) notification languages are provided by [Azure AD MFA](../active-directory/authentication/concept-mfa-howitworks.md). +Azure AD B2C includes support for the following languages by using ISO 639-1 codes. User flow languages are provided by Azure AD B2C. The multifactor authentication notification languages are provided by [Microsoft Entra multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md). | Language | Language code | User flows | MFA notifications | |--| :--: | :-: | :-: | |
active-directory-b2c | Localization String Ids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/localization-string-ids.md | The Following are the IDs for a content definition with an ID of `api.phonefacto | | - | | | `button_verify` | Call Me | `All` | | `country_code_label` | Country Code | `All` |-| `cancel_message` | The user has canceled multi-factor authentication | `All` | +| `cancel_message` | The user has canceled multifactor authentication | `All` | | `text_button_send_second_code` | send a new code | `All` | | `code_pattern` | \\d{6} | `All` | | `intro_mixed` | We have the following number on record for you. We can send a code via SMS or phone to authenticate you. | `All` | The following IDs are used for [Restful service technical profile](restful-techn </LocalizedResources> ``` -## Azure AD MFA error messages +<a name='azure-ad-mfa-error-messages'></a> -The following IDs are used for an [Azure AD MFA technical profile](multi-factor-auth-technical-profile.md) error message: +## Microsoft Entra multifactor authentication error messages ++The following IDs are used for an [Microsoft Entra multifactor authentication technical profile](multi-factor-auth-technical-profile.md) error message: | ID | Default value | | | - | The following IDs are used for an [Azure AD MFA technical profile](multi-factor- | `UserMessageIfThrottled` | Your request has been throttled, please try again later.| | `UserMessageIfWrongCodeEntered` |Wrong code entered, please try again.| -### Azure AD MFA example +<a name='azure-ad-mfa-example'></a> ++### Microsoft Entra multifactor authentication example ```xml <LocalizedResources Id="api.localaccountsignup.en"> The following IDs are used for an [Azure AD MFA technical profile](multi-factor- </LocalizedResources> ``` -## Azure AD SSPR +<a name='azure-ad-sspr'></a> -The following IDs are used for [Azure AD SSPR technical profile](aad-sspr-technical-profile.md) error messages: +## Microsoft Entra SSPR ++The following IDs are used for [Microsoft Entra SSPR technical profile](aad-sspr-technical-profile.md) error messages: | ID | Default value | | | - | The following IDs are used for [Azure AD SSPR technical profile](aad-sspr-techni |`UserMessageIfVerificationFailedNoRetry` | You have exceeded maximum number of verification attempts.| |`UserMessageIfVerificationFailedRetryAllowed` | The verification has failed, please try again.| -### Azure AD SSPR example +<a name='azure-ad-sspr-example'></a> ++### Microsoft Entra SSPR example ```xml <LocalizedResources Id="api.localaccountsignup.en"> |
active-directory-b2c | Manage User Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/manage-user-data.md | The process of exporting customer data from Azure AD B2C is similar to the delet Azure AD B2C user data is limited to: -- **Data stored in the Azure Active Directory**: You can retrieve data in an Azure AD B2C authentication user journey by using the object ID or any sign-in name, such as an email address or username.+- **Data stored in the Microsoft Entra ID**: You can retrieve data in an Azure AD B2C authentication user journey by using the object ID or any sign-in name, such as an email address or username. - **User-specific audit events report**: You can index data by using the object ID. In the following example of an export data flow, the steps that are described as being performed by the application can also be performed by either a backend process or a user with an administrator role in the directory: -1. The user signs in to the application. Azure AD B2C enforces authentication with Azure AD Multi-Factor Authentication if needed. +1. The user signs in to the application. Azure AD B2C enforces authentication with Microsoft Entra multifactor authentication if needed. 2. The application uses the user credentials to call a Microsoft Graph API operation to retrieve the user attributes. The Microsoft Graph API provides the attribute data in JSON format. Depending on the schema, you can set the ID token contents to include all personal data about a user. 3. The application retrieves the user audit activity. The Microsoft Graph API provides the event data to the application. 4. The application aggregates the data and makes it available to the user. ## Next steps -To learn how to manage how users access your application, see [Manage user access](manage-user-access.md). +To learn how to manage how users access your application, see [Manage user access](manage-user-access.md). |
active-directory-b2c | Manage Users Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/manage-users-portal.md | As described in [Overview of user accounts in Azure AD B2C](user-overview.md), t * Guest * Consumer -This article focuses on working with **consumer accounts** in the Azure portal. For information about creating and deleting Work and Guest accounts, see [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users.md). +This article focuses on working with **consumer accounts** in the Azure portal. For information about creating and deleting Work and Guest accounts, see [Add or delete users using Microsoft Entra ID](../active-directory/fundamentals/add-users.md). ## Create a consumer user 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.-1. In the left menu, select **Azure Active Directory**. Or, select **All services** and search for and select **Azure Active Directory**. +1. In the left menu, select **Microsoft Entra ID**. Or, select **All services** and search for and select **Microsoft Entra ID**. 1. Under **Manage**, select **Users**. 1. Select **New user**. 1. Select **Create Azure AD B2C user**. To reset a user's password: 1. In your Azure AD B2C directory, select **Users**, and then select the user you want to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. -For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/users-restore.md). +For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Microsoft Entra ID](../active-directory/fundamentals/users-restore.md). ## Export consumer users -1. In your Azure AD B2C directory, search for **Azure Active Directory**. +1. In your Azure AD B2C directory, search for **Microsoft Entra ID**. 1. Select **Users**, and then select **Bulk Operations** and **Download Users**. 1. Select **Start**, and then select **File is ready! Click here to download**. |
active-directory-b2c | Microsoft Graph Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/microsoft-graph-get-started.md | There are two modes of communication you can use when working with the Microsoft You enable the **Automated** interaction scenario by creating an application registration shown in the following sections. -Azure AD B2C authentication service directly supports OAuth 2.0 client credentials grant flow (**currently in public preview**), but you can't use it to manage your Azure AD B2C resources via Microsoft Graph API. However, you can set up [client credential flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) using Azure AD and the Microsoft identity platform `/token` endpoint for an application in your Azure AD B2C tenant. +Azure AD B2C authentication service directly supports OAuth 2.0 client credentials grant flow (**currently in public preview**), but you can't use it to manage your Azure AD B2C resources via Microsoft Graph API. However, you can set up [client credential flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) using Microsoft Entra ID and the Microsoft identity platform `/token` endpoint for an application in your Azure AD B2C tenant. ## Register management application Your application needs a client secret to prove its identity when requesting a t Now that you've registered your management application and have granted it the required permissions, your applications and services (for example, Azure Pipelines) can use its credentials and permissions to interact with the Microsoft Graph API. -* [Get an access token from Azure AD](/graph/auth-v2-service#4-get-an-access-token) +* [Get an access token from Microsoft Entra ID](/graph/auth-v2-service#4-get-an-access-token) * [Use the access token to call Microsoft Graph](/graph/auth-v2-service#4-get-an-access-token) * [B2C operations supported by Microsoft Graph](microsoft-graph-operations.md) * [Manage Azure AD B2C user accounts with Microsoft Graph](microsoft-graph-operations.md)-* [Get audit logs with the Azure AD reporting API](view-audit-logs.md#get-audit-logs-with-the-azure-ad-reporting-api) +* [Get audit logs with the Microsoft Entra reporting API](view-audit-logs.md#get-audit-logs-with-the-azure-ad-reporting-api) <!-- LINKS --> [ms-graph]: /graph/-[ms-graph-api]: /graph/api/overview +[ms-graph-api]: /graph/api/overview |
active-directory-b2c | Microsoft Graph Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/microsoft-graph-operations.md | Watch this video to learn about Azure AD B2C user migration using Microsoft Grap ## User phone number management -A phone number that can be used by a user to sign-in using [SMS or voice calls](sign-in-options.md#phone-sign-in), or [multifactor authentication](multi-factor-authentication.md). For more information, see [Azure AD authentication methods API](/graph/api/resources/phoneauthenticationmethod). +A phone number that can be used by a user to sign-in using [SMS or voice calls](sign-in-options.md#phone-sign-in), or [multifactor authentication](multi-factor-authentication.md). For more information, see [Microsoft Entra authentication methods API](/graph/api/resources/phoneauthenticationmethod). - [Add](/graph/api/authentication-post-phonemethods) - [List](/graph/api/authentication-list-phonemethods) Note, the [list](/graph/api/authentication-list-phonemethods) operation returns ## Self-service password reset email address -An email address that can be used by a [username sign-in account](sign-in-options.md#username-sign-in) to reset the password. For more information, see [Azure AD authentication methods API](/graph/api/resources/emailauthenticationmethod). +An email address that can be used by a [username sign-in account](sign-in-options.md#username-sign-in) to reset the password. For more information, see [Microsoft Entra authentication methods API](/graph/api/resources/emailauthenticationmethod). - [Add](/graph/api/authentication-post-emailmethods) - [List](/graph/api/authentication-list-emailmethods) Configure pre-built policies for sign-up, sign-in, combined sign-up and sign-in, ## User flow authentication methods (beta) -Choose a mechanism for letting users register via local accounts. Local accounts are the accounts where Azure AD does the identity assertion. For more information, see [b2cAuthenticationMethodsPolicy resource type](/graph/api/resources/b2cauthenticationmethodspolicy). +Choose a mechanism for letting users register via local accounts. Local accounts are the accounts where Azure AD B2C does the identity assertion. For more information, see [b2cAuthenticationMethodsPolicy resource type](/graph/api/resources/b2cauthenticationmethodspolicy). - [Get](/graph/api/b2cauthenticationmethodspolicy-get) - [Update](/graph/api/b2cauthenticationmethodspolicy-update) The top-level resource for policy keys in the Microsoft Graph API is the [Truste ## Application extension (directory extension) properties -Application extension properties are also known as directory or Azure AD extensions. To manage them in Azure AD B2C, use the [identityUserFlowAttribute resource type](/graph/api/resources/identityuserflowattribute) and its associated methods. +Application extension properties are also known as directory or Microsoft Entra extensions. To manage them in Azure AD B2C, use the [identityUserFlowAttribute resource type](/graph/api/resources/identityuserflowattribute) and its associated methods. - [Create user flow attribute](/graph/api/identityuserflowattribute-post) - [List user flow attributes](/graph/api/identityuserflowattribute-list) You can store up to 100 directory extension values per user. To manage the direc For user flows, these extension properties are [managed by using the Azure portal](user-flow-custom-attributes.md). For custom policies, Azure AD B2C creates the property for you, the first time the policy writes a value to the extension property. > [!NOTE]-> In Azure AD, directory extensions are managed through the [extensionProperty resource type](/graph/api/resources/extensionproperty) and its associated methods. However, because they are used in B2C through the `b2c-extensions-app` app which should not be updated, they are managed in Azure AD B2C using the [identityUserFlowAttribute resource type](/graph/api/resources/identityuserflowattribute) and its associated methods. +> In Microsoft Entra ID, directory extensions are managed through the [extensionProperty resource type](/graph/api/resources/extensionproperty) and its associated methods. However, because they are used in B2C through the `b2c-extensions-app` app which should not be updated, they are managed in Azure AD B2C using the [identityUserFlowAttribute resource type](/graph/api/resources/identityuserflowattribute) and its associated methods. ## Tenant usage |
active-directory-b2c | Multi Factor Auth Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/multi-factor-auth-technical-profile.md | Title: Azure AD MFA technical profiles in custom policies + Title: Microsoft Entra multifactor authentication technical profiles in custom policies -description: Custom policy reference for Azure AD Multi-Factor Authentication (MFA) technical profiles in Azure AD B2C. +description: Custom policy reference for Microsoft Entra multifactor authentication technical profiles in Azure AD B2C. -# Define an Azure AD MFA technical profile in an Azure AD B2C custom policy +# Define a Microsoft Entra multifactor authentication technical profile in an Azure AD B2C custom policy Azure Active Directory B2C (Azure AD B2C) provides support for verifying a phone number by using a verification code, or verifying a Time-based One-time Password (TOTP) code. The **Name** attribute of the **Protocol** element needs to be set to `Proprieta Web.TPEngine.Providers.AzureMfaProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ``` -The following example shows an Azure AD MFA technical profile: +The following example shows a Microsoft Entra multifactor authentication technical profile: ```xml <TechnicalProfile Id="AzureMfa-SendSms"> The following example shows an Azure AD MFA technical profile: ## Verify phone mode -In the verify phone mode, the technical profile generates and sends a code to a phone number, and then verifies the code. The Azure AD MFA technical profile may also return an error message. The validation technical profile validates the user-provided data before the user journey continues. With the validation technical profile, an error message displays on a self-asserted page. The technical profile: +In the verify phone mode, the technical profile generates and sends a code to a phone number, and then verifies the code. The Microsoft Entra multifactor authentication technical profile may also return an error message. The validation technical profile validates the user-provided data before the user journey continues. With the validation technical profile, an error message displays on a self-asserted page. The technical profile: - Doesn't provide an interface to interact with the user. Instead, the user interface is called from a [self-asserted](self-asserted-technical-profile.md) technical profile, or a [display control](display-controls.md) as a [validation technical profile](validation-technical-profile.md).-- Uses the Azure AD MFA service to generate and send a code to a phone number, and then verifies the code. +- Uses the Microsoft Entra multifactor authentication service to generate and send a code to a phone number, and then verifies the code. - Validates a phone number via text messages. The technical profile provides methods to [send the verification code](#send-sms) via SMS text message, and [verify the code](#verify-code). The following screenshot shows the phone verifier flow. To verify a phone, the first step generates a code and sends it to the phone num #### Input claims -The **InputClaims** element contains a list of claims to send to Azure AD MFA. You can also map the name of your claim to the name defined in the MFA technical profile. +The **InputClaims** element contains a list of claims to send to Microsoft Entra multifactor authentication. You can also map the name of your claim to the name defined in the MFA technical profile. | ClaimReferenceId | Required | Description | The **InputClaims** element contains a list of claims to send to Azure AD MFA. Y #### Output claims -The Azure AD MFA protocol provider doesn't return any output claims, so there's no need to specify output claims. +The Microsoft Entra multifactor authentication protocol provider doesn't return any output claims, so there's no need to specify output claims. #### Metadata The following metadata can be used to configure the error messages displayed upo #### Example: send an SMS -The following example shows an Azure AD MFA technical profile that is used to send a code via SMS. +The following example shows a Microsoft Entra multifactor authentication technical profile that is used to send a code via SMS. ```xml <TechnicalProfile Id="AzureMfa-SendSms"> The verify code step verifies a code sent to the user. The following options can #### Input claims -The **InputClaims** element contains a list of claims to send to Azure AD MFA. You can also map the name of your claim to the name defined in the MFA technical profile. +The **InputClaims** element contains a list of claims to send to Microsoft Entra multifactor authentication. You can also map the name of your claim to the name defined in the MFA technical profile. | ClaimReferenceId | Required | Description | | | -- | -- | The **InputClaims** element contains a list of claims to send to Azure AD MFA. Y #### Output claims -The Azure AD MFA protocol provider doesn't return any output claims, so there's no need to specify output claims. +The Microsoft Entra multifactor authentication protocol provider doesn't return any output claims, so there's no need to specify output claims. #### Metadata The following metadata can be used to configure the error messages displayed upo #### Example: verify a code -The following example shows an Azure AD MFA technical profile used to verify the code. +The following example shows a Microsoft Entra multifactor authentication technical profile used to verify the code. ```xml <TechnicalProfile Id="AzureMfa-VerifySms"> For subsequent sign-ins, use the [Get available devices](#get-available-devices) The technical profile: - Doesn't provide an interface to interact with the user. Instead, the user interface is called from a [self-asserted](self-asserted-technical-profile.md) technical profile, with the [TOTP display controls](display-control-time-based-one-time-password.md).-- Uses the Azure AD MFA service to validate the TOTP code. +- Uses the Microsoft Entra multifactor authentication service to validate the TOTP code. - Checks if a user has already enrolled their device. The following screenshot shows a TOTP enrollment and verification flow. It starts by checking the number of available devices. If the number of available devices is zero, the user goes through the enrollment orchestration step. Otherwise, the user goes through the verification orchestration step. The get available device mode checks the number of devices available for the use #### Input claims -The **InputClaims** element contains a list of claims to send to Azure AD MFA. You can also map the name of your claim to the name defined in the MFA technical profile. +The **InputClaims** element contains a list of claims to send to Microsoft Entra multifactor authentication. You can also map the name of your claim to the name defined in the MFA technical profile. | ClaimReferenceId | Required | Description | | | -- | -- | The **InputClaims** element contains a list of claims to send to Azure AD MFA. Y #### Output claims -The output claims element contains a list of claims to return from Azure AD MFA. You can also map the name of your claim to the name defined in the MFA technical profile. +The output claims element contains a list of claims to return from Microsoft Entra multifactor authentication. You can also map the name of your claim to the name defined in the MFA technical profile. | ClaimReferenceId | Required | Description | | | -- | -- | The Metadata element contains the following attribute. #### Example: Get available devices -The following example shows an Azure AD MFA technical profile used to get the number of available devices. +The following example shows a Microsoft Entra multifactor authentication technical profile used to get the number of available devices. ```xml <TechnicalProfile Id="AzureMfa-GetAvailableDevices"> The begin verify TOTP starts the verification process. This validation technical #### Input claims -The **InputClaims** element contains a list of claims to send to Azure AD MFA. You can also map the name of your claim to the name defined in the MFA technical profile. +The **InputClaims** element contains a list of claims to send to Microsoft Entra multifactor authentication. You can also map the name of your claim to the name defined in the MFA technical profile. | ClaimReferenceId | Required | Description | | | -- | -- | The **InputClaims** element contains a list of claims to send to Azure AD MFA. Y #### Output claims -The Azure AD MFA protocol provider doesn't return any output claims, so there's no need to specify output claims. +The Microsoft Entra multifactor authentication protocol provider doesn't return any output claims, so there's no need to specify output claims. #### Metadata The Metadata element contains the following attribute. #### Example: Begin verify TOTP -The following example shows an Azure AD MFA technical profile used to begin the TOTP verification process. +The following example shows a Microsoft Entra multifactor authentication technical profile used to begin the TOTP verification process. ```xml <TechnicalProfile Id="AzureMfa-BeginVerifyOTP"> The verify TOTP method verifies a TOTP code. This validation technical profile i #### Input claims -The **InputClaims** element contains a list of claims to send to Azure AD MFA. You can also map the name of your claim to the name defined in the MFA technical profile. +The **InputClaims** element contains a list of claims to send to Microsoft Entra multifactor authentication. You can also map the name of your claim to the name defined in the MFA technical profile. | ClaimReferenceId | Required | Description | | | -- | -- | The **InputClaims** element contains a list of claims to send to Azure AD MFA. Y #### Output claims -The Azure AD MFA protocol provider doesn't return any output claims, so there's no need to specify output claims. +The Microsoft Entra multifactor authentication protocol provider doesn't return any output claims, so there's no need to specify output claims. #### Metadata The Metadata element contains the following attribute. #### Example: Verify TOTP -The following example shows an Azure AD MFA technical profile used to verify a TOTP code. +The following example shows a Microsoft Entra multifactor authentication technical profile used to verify a TOTP code. ```xml <TechnicalProfile Id="AzureMfa-VerifyOTP"> The following example shows an Azure AD MFA technical profile used to verify a T ## Next steps -- [Enable multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md)+- [Enable multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md) |
active-directory-b2c | Multi Factor Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/multi-factor-authentication.md | zone_pivot_groups: b2c-policy-type [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)] -Azure Active Directory B2C (Azure AD B2C) integrates directly with [Azure AD Multi-Factor Authentication](../active-directory/authentication/concept-mfa-howitworks.md) so that you can add a second layer of security to sign-up and sign-in experiences in your applications. You enable multifactor authentication without writing a single line of code. If you already created sign up and sign-in user flows, you can still enable multifactor authentication. +Azure Active Directory B2C (Azure AD B2C) integrates directly with [Microsoft Entra multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md) so that you can add a second layer of security to sign-up and sign-in experiences in your applications. You enable multifactor authentication without writing a single line of code. If you already created sign up and sign-in user flows, you can still enable multifactor authentication. This feature helps applications handle scenarios such as: With [Conditional Access](conditional-access-identity-protection-overview.md) us - **Authenticator app - TOTP** - The user must install an authenticator app that supports time-based one-time password (TOTP) verification, such as the [Microsoft Authenticator app](https://www.microsoft.com/security/mobile-authenticator-app), on a device that they own. During the first sign-up or sign-in, the user scans a QR code or enters a code manually using the authenticator app. During subsequent sign-ins, the user types the TOTP code that appears on the authenticator app. See [how to set up the Microsoft Authenticator app](#enroll-a-user-in-totp-with-an-authenticator-app-for-end-users). > [!IMPORTANT]-> Authenticator app - TOTP provides stronger security than SMS/Phone and email is the least secure. [SMS/Phone-based multi-factor authentication incurs separate charges from the normal Azure AD B2C MAU's pricing model](https://azure.microsoft.com/pricing/details/active-directory/external-identities/). +> Authenticator app - TOTP provides stronger security than SMS/Phone and email is the least secure. [SMS/Phone-based multifactor authentication incurs separate charges from the normal Azure AD B2C MAU's pricing model](https://azure.microsoft.com/pricing/details/active-directory/external-identities/). ## Set multifactor authentication With [Conditional Access](conditional-access-identity-protection-overview.md) us > > - With general availability of Conditional Access in Azure AD B2C, users are now prompted to enroll in an MFA method during sign-up. Any sign-up user flows you created prior to general availability won't automatically reflect this new behavior, but you can include the behavior by creating new user flows. > - If you select **Conditional**, you'll also need to [add Conditional Access to user flows](conditional-access-user-flow.md), and specify the apps you want the policy to apply to.- > - Multi-factor authentication (MFA) is disabled by default for sign-up user flows. You can enable MFA in user flows with phone sign-up, but because a phone number is used as the primary identifier, email one-time passcode is the only option available for the second authentication factor. + > - Multifactor authentication is disabled by default for sign-up user flows. You can enable MFA in user flows with phone sign-up, but because a phone number is used as the primary identifier, email one-time passcode is the only option available for the second authentication factor. 1. Select **Save**. MFA is now enabled for this user flow. Learn how to [delete a user's Software OATH token authentication method](/graph/ ## Next steps -- Learn about the [TOTP display control](display-control-time-based-one-time-password.md) and [Azure AD MFA technical profile](multi-factor-auth-technical-profile.md)+- Learn about the [TOTP display control](display-control-time-based-one-time-password.md) and [Microsoft Entra multifactor authentication technical profile](multi-factor-auth-technical-profile.md) ::: zone-end |
active-directory-b2c | Openid Connect Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/openid-connect-technical-profile.md | -Azure Active Directory B2C (Azure AD B2C) provides support for the [OpenID Connect](https://openid.net/certification/) protocol identity provider. OpenID Connect 1.0 defines an identity layer on top of OAuth 2.0 and represents the state of the art in modern authentication protocols. With an OpenID Connect technical profile, you can federate with an OpenID Connect based identity provider, such as Azure AD. Federating with an identity provider allows users to sign in with their existing social or enterprise identities. +Azure Active Directory B2C (Azure AD B2C) provides support for the [OpenID Connect](https://openid.net/certification/) protocol identity provider. OpenID Connect 1.0 defines an identity layer on top of OAuth 2.0 and represents the state of the art in modern authentication protocols. With an OpenID Connect technical profile, you can federate with an OpenID Connect based identity provider, such as Microsoft Entra ID. Federating with an identity provider allows users to sign in with their existing social or enterprise identities. ## Protocol The technical profile also returns claims that aren't returned by the identity p | response_mode | No | The method that the identity provider uses to send the result back to Azure AD B2C. Possible values: `query`, `form_post` (default), or `fragment`. | | scope | No | The scope of the request that is defined according to the OpenID Connect Core 1.0 specification. Such as `openid`, `profile`, and `email`. | | HttpBinding | No | The expected HTTP binding to the access token and claims token endpoints. Possible values: `GET` or `POST`. |-| ValidTokenIssuerPrefixes | No | A key that can be used to sign in to each of the tenants when using a multi-tenant identity provider such as Azure Active Directory. | +| ValidTokenIssuerPrefixes | No | A key that can be used to sign in to each of the tenants when using a multi-tenant identity provider such as Microsoft Entra ID. | | UsePolicyInRedirectUri | No | Indicates whether to use a policy when constructing the redirect URI. When you configure your application in the identity provider, you need to specify the redirect URI. The redirect URI points to Azure AD B2C, `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/oauth2/authresp`. If you specify `true`, you need to add a redirect URI for each policy you use. For example: `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/{policy-name}/oauth2/authresp`. | | MarkAsFailureOnStatusCode5xx | No | Indicates whether a request to an external service should be marked as a failure if the Http status code is in the 5xx range. The default is `false`. | | DiscoverMetadataByTokenIssuer | No | Indicates whether the OIDC metadata should be discovered by using the issuer in the JWT token.If you need to build the metadata endpoint URL based on Issuer, set this to `true`.| When you configure the redirect URI of your identity provider, enter `https://{y Examples: - [Add Microsoft Account (MSA) as an identity provider using custom policies](identity-provider-microsoft-account.md)-- [Sign in by using Azure AD accounts](identity-provider-azure-ad-single-tenant.md)-- [Allow users to sign in to a multi-tenant Azure AD identity provider using custom policies](identity-provider-azure-ad-multi-tenant.md)-+- [Sign in by using Microsoft Entra accounts](identity-provider-azure-ad-single-tenant.md) +- [Allow users to sign in to a multi-tenant Microsoft Entra identity provider using custom policies](identity-provider-azure-ad-multi-tenant.md) |
active-directory-b2c | Openid Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/openid-connect.md | -OpenID Connect is an authentication protocol, built on top of OAuth 2.0, that can be used to securely sign users in to web applications. By using the Azure Active Directory B2C (Azure AD B2C) implementation of OpenID Connect, you can outsource sign-up, sign in, and other identity management experiences in your web applications to Azure Active Directory (Azure AD). This guide shows you how to do so in a language-independent manner. It describes how to send and receive HTTP messages without using any of our open-source libraries. +OpenID Connect is an authentication protocol, built on top of OAuth 2.0, that can be used to securely sign users in to web applications. By using the Azure Active Directory B2C (Azure AD B2C) implementation of OpenID Connect, you can outsource sign-up, sign in, and other identity management experiences in your web applications to Microsoft Entra ID. This guide shows you how to do so in a language-independent manner. It describes how to send and receive HTTP messages without using any of our open-source libraries. > [!NOTE] > Most of the open-source authentication libraries acquire and validate the JWT tokens for your application. We recommend exploring those options, rather than implementing your own code. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](../active-directory/develop/msal-overview.md), and [Microsoft Identity Web authentication library](../active-directory/develop/microsoft-identity-web.md). There are also several more validations that you should perform. The validations - Ensuring that the user/organization has signed up for the application. - Ensuring that the user has proper authorization/privileges.-- Ensuring that a certain strength of authentication has occurred, such as Azure AD Multi-Factor Authentication.+- Ensuring that a certain strength of authentication has occurred, such as Microsoft Entra multifactor authentication. After the ID token is validated, you can begin a session with the user. You can use the claims in the ID token to obtain information about the user in your application. Uses for this information include display, records, and authorization. |
active-directory-b2c | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/overview.md | Azure Active Directory B2C provides business-to-customer identity as a service. Azure AD B2C is a customer identity access management (CIAM) solution capable of supporting millions of users and billions of authentications per day. It takes care of the scaling and safety of the authentication platform, monitoring, and automatically handling threats like denial-of-service, password spray, or brute force attacks. -Azure AD B2C is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/whatis.md). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign-up and into those applications with no restrictions on user account. +Azure AD B2C is a separate service from [Microsoft Entra ID](../active-directory/fundamentals/whatis.md). It is built on the same technology as Microsoft Entra ID but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign-up and into those applications with no restrictions on user account. ## Who uses Azure AD B2C? Any business or individual who wishes to authenticate end users to their web/mobile applications using a white-label authentication solution. Apart from authentication, Azure AD B2C service is used for authorization such as access to API resources by authenticated users. Azure AD B2C is designed to be used by **IT administrators** and **developers**. |
active-directory-b2c | Partner Akamai Secure Hybrid Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-akamai-secure-hybrid-access.md | Once the Application is deployed in a private environment and a connector is cap In this sample, we'll use a [ASP.NET MVC web app](../active-directory/develop/web-app-tutorial-01-register-application.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform. -1. Configure the OIDC to SAML bridging in the **AZURE AD B2C SAML IdP** created with the previous steps. +1. Configure the OIDC to SAML bridging in the **Azure AD B2C SAML IdP** created with the previous steps. [ ![Screenshot shows the akamai oidc app oidc settings.](./media/partner-akamai-secure-hybrid-access/akamai-oidc-idp-settings.png)](./media/partner-akamai-secure-hybrid-access/akamai-oidc-idp-settings.png#lightbox) |
active-directory-b2c | Partner Asignio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-asignio.md | zone_pivot_groups: b2c-policy-type # Configure Asignio with Azure Active Directory B2C for multifactor authentication -Learn to integrate Azure Active Directory (Azure AD B2C) authentication with [Asignio](https://www.web.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication. +Learn to integrate Microsoft Entra ID (Azure AD B2C) authentication with [Asignio](https://www.web.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication. ## Before you begin Learn more: ## Prerequisites -* An Azure AD subscription. +* An Azure subscription. + * If you don't have on, get an [Azure free account](https://azure.microsoft.com/free/) - An Azure AD B2C tenant linked to the Azure subscription Complete [Tutorial: Register a web application in Azure Active Directory B2C](tu ## Configure Asignio as an identity provider in Azure AD B2C -For the following instructions, use the Azure AD tenant with the Azure subscription. +For the following instructions, use the Microsoft Entra tenant with the Azure subscription. 1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the Global Administrator of the Azure AD B2C tenant. 2. In the Azure portal toolbar, select **Directories + subscriptions**.-3. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD directory. +3. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Microsoft Entra directory. 4. Select **Switch**. 5. In the top-left corner of the Azure portal, select **All services**. 6. Search for and select **Azure AD B2C**. |
active-directory-b2c | Partner Bindid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-bindid.md | The following architecture diagram illustrates the implementation. To get started, you need: -* An Azure AD subscription +* A Microsoft Entra subscription * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) * An Azure AD B2C tenant linked to the Azure subscription * See, [Tutorial: Create an Azure Active Directory B2C tenant](./tutorial-create-tenant.md) |
active-directory-b2c | Partner Bloksec | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-bloksec.md | The following architecture diagram illustrates the sign-up, sign-in flow in the To get started, you need: -* An Azure AD subscription +* An Azure subscription * If you don't have one, get an [Azfree account](https://azure.microsoft.com/free/) * An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to the Azure subscription * A BlokSec [demo](https://bloksec.com/) |
active-directory-b2c | Partner Datawiza | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-datawiza.md | In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2 To get started, you'll need: -- An Azure AD subscription+- A Microsoft Entra subscription - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - [Docker](https://docs.docker.com/get-docker/), an open platform for developing, shipping, and running applications, is required to run DAB To integrate your legacy on-premises app with Azure AD B2C, contact [Datawiza](h Go to docs.datawiza.com to: -1. Learn how to register your web application in an Azure AD B2C tenant, and configure a sign up-and sign-in user flow . See, [Microsoft Azure AD B2C](https://docs.datawiza.com/idp/azureb2c.html#microsoft-azure-ad-b2c-configuration). +1. Learn how to register your web application in an Azure AD B2C tenant, and configure a sign up-and sign-in user flow. For more info, see [Azure AD B2C](https://docs.datawiza.com/idp/azureb2c.html#microsoft-azure-ad-b2c-configuration). + 2. [Configure a user flow](https://docs.datawiza.com/idp/azureb2c.html#configure-a-user-flow) in the Azure portal. >[!NOTE] Learn more: [Pass User Attributes](https://docs.datawiza.com/step-by-step/step4. 1. Navigate to the on-premises application URL. 2. The DAP redirects to the page you configured in your user flow. 3. From the list, select the IdP.-4. At the prompt, enter your credentials. If necessary, include an Azure AD Multi-Factor Authentication (MFA) token. +4. At the prompt, enter your credentials. If necessary, include a Microsoft Entra multifactor authentication token. 5. You're redirected to Azure AD B2C, which forwards the application request to the DAP redirect URI. 6. The DAB evaluates policies, calculates headers, and sends the user to the upstream application. 7. The requested application appears. |
active-directory-b2c | Partner Dynamics 365 Fraud Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md | Microsoft DFP integration includes the following components: - **Azure AD B2C tenant**: Authenticates the user and acts as a client of Microsoft DFP. Hosts a fingerprinting script collecting identification and diagnostic data of users who execute a target policy. It blocks or challenges sign-in or sign-up attempts based on the rule evaluation result returned by Microsoft DFP. - **Custom UI templates**: Customizes HTML content of the pages rendered by Azure AD B2C. These pages include the JavaScript snippet required for Microsoft DFP fingerprinting. - **Microsoft DFP fingerprinting service**: Dynamically embedded script that logs device telemetry and self-asserted user details to create a uniquely identifiable fingerprint for the user.-- **Microsoft DFP API endpoints**: Provides the decision result and accepts a final status reflecting the operation undertaken by the client application. Azure AD B2C communicates with the Microsoft DFP endpoints using REST API connectors. API authentication occurs with a client_credentials grant to the Azure AD tenant in which Microsoft DFP is licensed and installed to obtain a bearer token.+- **Microsoft DFP API endpoints**: Provides the decision result and accepts a final status reflecting the operation undertaken by the client application. Azure AD B2C communicates with the Microsoft DFP endpoints using REST API connectors. API authentication occurs with a client_credentials grant to the Microsoft Entra tenant in which Microsoft DFP is licensed and installed to obtain a bearer token. The following architecture diagram shows the implementation. The following architecture diagram shows the implementation. ## Configure your application under Microsoft DFP -[Set up your Azure AD tenant](/dynamics365/fraud-protection/integrate-real-time-api) to use Microsoft DFP. +[Set up your Microsoft Entra tenant](/dynamics365/fraud-protection/integrate-real-time-api) to use Microsoft DFP. ## Set up your custom domain Learn more: [UI customization documentation](./customize-ui-with-html.md?pivots= ### Add policy keys for your Microsoft DFP client app ID and secret -1. In the Azure AD tenant where Microsoft DFP is set up, create an [Azure AD application and grant admin consent](/dynamics365/fraud-protection/integrate-real-time-api#create-azure-active-directory-applications). +1. In the Microsoft Entra tenant where Microsoft DFP is set up, create an [Microsoft Entra application and grant admin consent](/dynamics365/fraud-protection/integrate-real-time-api#create-azure-active-directory-applications). 2. Create a secret value for this application registration. Note the application client ID and client secret value. 3. Save the client ID and client secret values as [policy keys in your Azure AD B2C tenant](./policy-keys-overview.md). In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integr |{Settings:ContentDefinitionBaseUri}|Endpoint in where you deployed the UI files|`https://<my-storage-account>.blob.core.windows.net/<my-storage-container>`| |{Settings:DfpApiBaseUrl}|The base path for your DFP API instance, found in the DFP portal| `https://tenantname-01234567-89ab-cdef-0123-456789abcdef.api.dfp.dynamics.com/v1.0/`| |{Settings:DfpApiAuthScope}|The client_credentials scope for the DFP API service|`https://api.dfp.dynamics-int.com/.default or https://api.dfp.dynamics.com/.default`|-|{Settings:DfpTenantId}|The ID of the Azure AD tenant (not B2C) where DFP is licensed and installed|`01234567-89ab-cdef-0123-456789abcdef` or `consoto.onmicrosoft.com` | +|{Settings:DfpTenantId}|The ID of the Microsoft Entra tenant (not B2C) where DFP is licensed and installed|`01234567-89ab-cdef-0123-456789abcdef` or `consoto.onmicrosoft.com` | |{Settings:DfpAppClientIdKeyContainer}|Name of the policy key-in which you save the DFP client ID|`B2C_1A_DFPClientId`| |{Settings:DfpAppClientSecretKeyContainer}|Name of the policy key-in which you save the DFP client secret |`B2C_1A_DFPClientSecret`| |{Settings:DfpEnvironment}| The ID of the DFP environment.|Environment ID is a global unique identifier of the DFP environment that you send the data to. Your custom policy should call the API endpoint, including the query string parameter `x-ms-dfpenvid=your-env-id>`| -*You can set up application insights in an Azure AD tenant or subscription. This value is optional but [recommended to assist with debugging](./troubleshoot-with-application-insights.md). +*You can set up application insights in a Microsoft Entra tenant or subscription. This value is optional but [recommended to assist with debugging](./troubleshoot-with-application-insights.md). >[!NOTE] >Add consent notification to the attribute collection page. Include notification that user telemetry and identity information is recorded for account protection. |
active-directory-b2c | Partner Experian | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-experian.md | In this tutorial, you can use the following attributes in CrossCore risk analysi To get started, you'll need: -- An Azure AD subscription+- A Microsoft Entra subscription - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - [An Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription The following architecture diagram shows the implementation. 2. Publish the code from Visual Studio. >[!NOTE]->Use the deployed service URL to configure Azure AD with the required settings. +>Use the deployed service URL to configure Microsoft Entra ID with the required settings. ### Deploy the client certificate |
active-directory-b2c | Partner F5 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-f5.md | Learn to integrate Azure Active Directory B2C (Azure AD B2C) with F5 BIG-IP Acce Deploy F5 BIG-IP Application Delivery Controller (ADC) as a secure gateway between private networks and the internet. There are features for application-level inspection and customizable access controls. If deployed as a reverse proxy, use the BIG-IP to enable secure hybrid access to business applications, with a federated identity access layer managed by APM. -Go to f5.com resources and white papers for: [Easily Configure Secure Access to All Your Applications via Azure AD](https://www.f5.com/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory) +Go to f5.com resources and white papers for: [Easily Configure Secure Access to All Your Applications via Microsoft Entra ID](https://www.f5.com/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory) ## Prerequisites Ideally, an application upgrade supports direct management and governance with a The secure hybrid access solution has of the following components: * **Application** - back-end service protected by Azure AD B2C and BIG-IP secure hybrid access-* **Azure AD B2C** - identity provider (IdP) and Open ID Connect (OIDC) authorization server that verifies user credentials, multifactor authentication, and SSO to the BIG-IP APM +* **Azure AD B2C** - identity provider (IdP) and OpenID Connect (OIDC) authorization server that verifies user credentials, multifactor authentication, and SSO to the BIG-IP APM * **BIG-IP** - reverse proxy for the application. The BIG-IP APM is the OIDC client, delegating authentication to the OIDC authorization server, before header-based SSO to the back-end service. The following diagram illustrates the service provider (SP) initiated flow for this scenario. To learn more BIG-IP iRules, go to support.f5.com for [K42052145: Configuring au **Optimized login flow** -To improve the user sign-in experience, suppress the OAuth user sign-in prompt that appears before Azure AD preauthentication. +To improve the user sign-in experience, suppress the OAuth user sign-in prompt that appears before Microsoft Entra preauthentication. 1. Navigate to **Access** > **Guided Configuration**. 2. On the far right of the row, select the **padlock** icon. When complete, revert the previous settings. #### BIG-IP error message -If you see a BIG-IP error message after Azure AD B2C authentication, the issue might relate to SSO from Azure AD to the BIG-IP. +If you see a BIG-IP error message after Azure AD B2C authentication, the issue might relate to SSO from Microsoft Entra ID to the BIG-IP. 1. Navigate to **Access** > **Overview** > **Access reports**. 2. Run the report for the last hour 3. Review logs for clues. 4. Select the **View session variables** link.- 5. Determine if the APM receives the expected Azure AD claims. + 5. Determine if the APM receives the expected Microsoft Entra claims. #### No BIG-IP error message |
active-directory-b2c | Partner Grit App Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-grit-app-proxy.md | Benefits of using Grit's app proxy are as follows: - No application code change and easy deployment resulting in faster ROI -- Enables users to use modern authentication experiences such as Multi-Factor authentication, biometrics, and password-less resulting in enhanced security.+- Enables users to use modern authentication experiences such as multifactor authentication, biometrics, and password-less resulting in enhanced security. - Significant savings on the license cost of the legacy authentication solution If the users need to be denied permission to certain pages based on group member 2. The Grit app proxy redirects to the page you configured in your user flow. From the list, select the IdP. -3. At the prompt, enter your credentials. If necessary, include an Azure AD Multi-Factor authentication (MFA) token. +3. At the prompt, enter your credentials. If necessary, include a Microsoft Entra multifactor authentication token. 4. You're redirected to Azure AD B2C, which forwards the application request to the Grit's app proxy redirect URI. |
active-directory-b2c | Partner Grit Editor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-grit-editor.md | Use the Visual IEF Editor to: To get started with the IEF Editor, ensure the following prerequisites are met: -- An Azure AD subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/).+- A Microsoft Entra subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/). - An Azure AD B2C tenant linked to the Azure subscription. Learn more at [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md). - [Visual IEF Editor](https://www.gritiefedit.com) is free and works only with Google Chrome browser. - Review and download policies from [Azure AD B2C customer policies starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack) |
active-directory-b2c | Partner Grit Iam | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-grit-iam.md | Use Grit's B2BB2C solution for: To get started, ensure the following prerequisites are met: - A Grit IAM account. You can go to [Grit IAM B2B2C solution](https://www.gritiam.com/b2b2c) to get a demo.-- An Azure AD subscription. If you don't have one, you can create a [free Azure account](https://azure.microsoft.com/free/).+- A Microsoft Entra subscription. If you don't have one, you can create a [free Azure account](https://azure.microsoft.com/free/). - An Azure AD B2C tenant linked to the Azure subscription. You can learn more at [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md). - Configure your application in the Azure portal. Contoso does business with end customers and large enterprises, like Fabrikam_bi This integration is composed of the following components: -- **Azure AD B2C Identity Experience Framework (IEF)**: An engine that executes user journeys, which can include validating credentials, performing MFA, checking user access. It's aided by the Azure AD database and the API layer, which's configured using XML.+- **Azure AD B2C Identity Experience Framework (IEF)**: An engine that executes user journeys, which can include validating credentials, performing MFA, checking user access. It's aided by the Microsoft Entra database and the API layer, which's configured using XML. -- **Grit API layer**: This layer exposes user profile data and metadata about organizations and applications. The data is stored in Azure AD and Cosmos DB.+- **Grit API layer**: This layer exposes user profile data and metadata about organizations and applications. The data is stored in Microsoft Entra ID and Cosmos DB. - **Grit Onboarding portal**: Used by admins to onboard applications and organizations. |
active-directory-b2c | Partner Haventec | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-haventec.md | The Authenticate integration includes the following components: * **Azure AD B2C** - authorization server that verifies user credentials * Also known as the identity provider (IdP)-* **Web and mobile applications** - Open ID Connect (OIDC) mobile or web applications protected by Authenticate and Azure AD B2C +* **Web and mobile applications** - OpenID Connect (OIDC) mobile or web applications protected by Authenticate and Azure AD B2C * **Haventec Authenticate service** - external IdP for the Azure AD B2C tenant The following diagram illustrates sign-up and sign-in user flows in the Haventec Authenticate integration. Use the following instructions to prepare for and integrate Azure AD B2C with Au To get started, you need: -* An Azure AD subscription +* An Azure subscription + * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) * An Azure AD B2C tenant linked to the Azure subscription * see, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) For the following instructions, Haventec is a new OIDC identity provider in the * Go to docs.haventec.com for [Haventec Documentation](https://docs.haventec.com/) * [Azure AD B2C custom policy overview](custom-policy-overview.md)-- |
active-directory-b2c | Partner Hypr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-hypr.md | In this tutorial, learn to configure Azure Active Directory B2C (Azure AD B2C) w To get started, you'll need: -- An Azure AD subscription+* An Azure subscription + - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - A HYPR cloud tenant The following architecture diagram shows the implementation. ## Configure the Azure AD B2C policy 1. Go to [Azure-AD-B2C-HYPR-Sample/policy/](https://github.com/HYPR-Corp-Public/Azure-AD-B2C-HYPR-Sample/tree/master/policy).+ 2. Follow the instructions in [Custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) to download [Active-directory-b2c-custom-policy-starterpack/LocalAccounts/](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/LocalAccounts) 3. Configure the policy for the Azure AD B2C tenant. |
active-directory-b2c | Partner Idemia | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-idemia.md | To get started, you need: * Access to users with an IDEMIA, US state issued Mobile ID credential (mID) * Or during the test phase, the mID demo application from IDEMIA-* An Azure AD subscription +* An Azure subscription + * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) * An [Azure AD B2C tenant](tutorial-create-tenant.md) linked to the Azure subscription * Your business web application registered in an Azure AD B2C tenant Select one of the following values: |Parameter value| Effect on user authentication process | |||-|`loa-2`| Crypto-based Azure AD Multi-Factor Authentication (MFA) only| +|`loa-2`| Crypto-based Microsoft Entra multifactor authentication only| |`loa-3`| Crypto-based MFA, plus another factor| |`loa-4`| Crypto-based MFA, plus the user performs PIN and biometric authentication | |
active-directory-b2c | Partner Idology | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-idology.md | In this sample tutorial, we provide guidance on how to integrate Azure AD B2C wi To get started, you'll need: -* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * [An Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription. ## Scenario description The IDology integration includes the following components: - Azure AD B2C ΓÇô The authorization server responsible for verifying the userΓÇÖs credentials. It's also known as the identity provider. - IDology ΓÇô The IDology service takes input provided by the user and verifies the userΓÇÖs identity.-- Custom REST API ΓÇô This API implements the integration between Azure AD and the IDology service.+- Custom REST API ΓÇô This API implements the integration between Microsoft Entra ID and the IDology service. The following architecture diagram shows the implementation. The following architecture diagram shows the implementation. Deploy the provided [API code](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/IDology/Api) to an Azure service. The code can be published from Visual Studio, following these [instructions](/visualstudio/deployment/quickstart-deploy-aspnet-web-app). -You'll need the URL of the deployed service to configure Azure AD with the required settings. +You'll need the URL of the deployed service to configure Microsoft Entra ID with the required settings. ### Part 2 - Configure the API |
active-directory-b2c | Partner Itsme | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-itsme.md | The itsme digital ID app allows you to sign in securely without card-readers, pa To get started, you'll need: -* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * [An Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription. * Your Client ID, also known as Partner code, provided by itsme. * Your Service code provided by itsme. |
active-directory-b2c | Partner Jumio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-jumio.md | In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) w To get started, you'll need: -- An Azure AD subscription+* An Azure subscription + - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription After you create a Jumio account, use it to configure Azure AD B2C. From [samples/Jumio/API/Jumio.Api/](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/Jumio/API/Jumio.Api), deploy the code to an Azure service. You can publish the code from Visual Studio. >[!NOTE]->To configure Azure AD, you'll need the deployed service URL. +>To configure Microsoft Entra ID, you'll need the deployed service URL. ### Deploy the client certificate |
active-directory-b2c | Partner Keyless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-keyless.md | Keyless appears as a new OpenID Connect (OIDC) IdP with B2C identity providers. 12. Leave the **Multi-factor Authentication** field. 13. Select **Enforce conditional access policies**. 14. Under **User attributes and token claims**, in the **Collect attribute** option, select **Email Address**. -15. Add user attributes Azure AD collects with claims Azure AD B2C returns to the client application. +15. Add user attributes Microsoft Entra ID collects with claims Azure AD B2C returns to the client application. 16. Select **Create**. 17. Select the new **User flow**. 18. On the left panel, select **Application Claims**. |
active-directory-b2c | Partner Lexisnexis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-lexisnexis.md | ThreatMetrix risk analysis attributes: To get started, you'll need: -- An Azure AD subscription +* An Azure subscription + - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - [An Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription The following architecture diagram shows the implementation. To deploy the API code to an Azure service, go to [/samples/ThreatMetrix/Api](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/ThreatMetrix/Api). You can publish the code from Visual Studio. >[!NOTE]->You'll need deployed service URL to configure Azure AD. +>You'll need deployed service URL to configure Microsoft Entra ID. ### Configure the API |
active-directory-b2c | Partner N8identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-n8identity.md | Use this solution for the following scenarios: To get started, you'll need: -- An Azure AD subscription+* An Azure subscription + - If you don't have a one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - TheAccessHub Admin Tool environment TheAccessHub Admin Tool permissions act on behalf of a Global Administrator to r To create a Global Administrator: 1. In the Azure portal, sign in to your Azure AD B2C tenant as an Administrator. -2. Go to **Azure Active Directory** > **Users**. +2. Go to **Microsoft Entra ID** > **Users**. 3. Select **New User**. 4. Choose **Create User** to create a regular directory user and not a customer. 5. On the identity information form: To authorize TheAccessHub Admin Tool to access your directory: ## Configure a new CSR user with your enterprise identity -Create a CSR or Helpdesk user who accesses TheAccessHub Admin Tool with enterprise Azure Active Directory credentials. +Create a CSR or Helpdesk user who accesses TheAccessHub Admin Tool with enterprise Microsoft Entra credentials. To configure a CSR or Helpdesk user with single sign-on (SSO): To configure a CSR or Helpdesk user with single sign-on (SSO): 3. Select **Add Colleague**. 4. For **Colleague Type**, select **Azure Administrator**. 5. For the profile information, select a home organization to control who has permission to manage this user.-6. For **Login ID/Azure AD User Name**, enter the user principal name from the user Azure Active Directory account. +6. For **Login ID/Azure AD User Name**, enter the user principal name from the user Microsoft Entra account. 7. On the **TheAccessHub Roles** tab, select the **Helpdesk** managed role. 6. Select **Submit**. To configure a CSR or Helpdesk user with single sign-on (SSO): ## Configure a new CSR user with a new identity -Create a CSR or Helpdesk user to access TheAccessHub Admin Tool with a new local credential. This user is for organizations that don't use Azure AD. +Create a CSR or Helpdesk user to access TheAccessHub Admin Tool with a new local credential. This user is for organizations that don't use Microsoft Entra ID. See, [The AccessHub Admin Tool: Add Colleague Administrator](https://youtu.be/iOpOI2OpnLI) without SSO. |
active-directory-b2c | Partner Nevis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-nevis.md | To get started, you'll need: - A Nevis demo account - Go to nevis.net for [Nevis + Microsoft Azure AD B2C](https://www.nevis-security.com/aadb2c/) to request an account-- An Azure AD subscription+* An Azure subscription + - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription |
active-directory-b2c | Partner Nok Nok | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-nok-nok.md | To enable passwordless FIDO authentication for your users, enable Nok Nok as an * Go to the Apple App Store for [Nok Nok Passport](https://apps.apple.com/us/app/nok-nok-passport/id1050437340) * Or, Google Play [Nok Nok Passport](https://play.google.com/store/apps/details?id=com.noknok.android.passport2&hl=en&gl=US) -The following diagram illustrates the Nok Nok solution as IdP for Azure AD B2C using Open ID Connect (OIDC) for passwordless authentication. +The following diagram illustrates the Nok Nok solution as IdP for Azure AD B2C using OpenID Connect (OIDC) for passwordless authentication. - ![Diagram of Nok Nok as IdP for Azure AD B2C using Open ID Connect (OIDC) for passwordless authentication.](./media/partner-nok-nok/nok-nok-architecture-diagram.png) + ![Diagram of Nok Nok as IdP for Azure AD B2C using OpenID Connect (OIDC) for passwordless authentication.](./media/partner-nok-nok/nok-nok-architecture-diagram.png) 1. At the sign-in page, user selects sign-in or sign-up and enters the username. 2. Azure AD B2C redirects user to the Nok Nok OIDC authentication provider. For the following instructions, Nok Nok is a new OIDC IdP in the B2C identity pr 9. Leave the **Multi-factor Authentication** field. 10. Select **Enforce conditional access policies**. 11. Under **User attributes and token claims**, in the Collect attribute option, select **Email Address**. -12. Add user attributes for Azure AD to collect, with claims that Azure AD B2C returns to the client application. +12. Add user attributes for Microsoft Entra ID to collect, with claims that Azure AD B2C returns to the client application. 13. Select **Create**. 14. Select the new **User flow**. 15. On the left panel, select **Application Claims**. |
active-directory-b2c | Partner Onfido | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-onfido.md | In this tutorial, you'll enable the Onfido service to verify identity in the sig To get started, you'll need: -- An Azure AD subscription+* An Azure subscription + - If you don't have on, you can get an [Azure free account](https://azure.microsoft.com/free/) - [An Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - An Onfido trial account For more Onfido documentation, see: 3. Add **Allowed Origin** as `https://{your_tenant_name}.b2clogin.com`. >[!NOTE]->You'll need the deployed service URL to configure Azure AD. +>You'll need the deployed service URL to configure Microsoft Entra ID. #### Adding sensitive configuration settings |
active-directory-b2c | Partner Ping Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-ping-identity.md | In this tutorial, learn how to extend the capabilities of Azure Active Directory Many e-commerce sites and web applications exposed to the internet are deployed behind proxy systems, or a reverse-proxy system. These proxy systems pre-authenticate, enforce policy, and route traffic. Typical scenarios include protecting web applications from inbound web traffic and providing a uniform session management across distributed server deployments. -Generally, configurations include an authentication translation layer that externalizes the authentication from the web application. Reverse proxies provide the authenticated user context to the web applications, such as a header value in clear or digest form. The applications aren't using industry standard tokens such as Security Assertion Markup Language (SAML), OAuth, or Open ID Connect (OIDC). Instead, the proxy provides authentication context and maintains the session with the end-user agent such as browser or native application. As a service running as a man-in-the-middle, proxies provide significant session control. The proxy service is efficient and scalable, not a bottleneck for applications behind the proxy service. The diagram is a reverse-proxy implementation and communications flow. +Generally, configurations include an authentication translation layer that externalizes the authentication from the web application. Reverse proxies provide the authenticated user context to the web applications, such as a header value in clear or digest form. The applications aren't using industry standard tokens such as Security Assertion Markup Language (SAML), OAuth, or OpenID Connect (OIDC). Instead, the proxy provides authentication context and maintains the session with the end-user agent such as browser or native application. As a service running as a man-in-the-middle, proxies provide significant session control. The proxy service is efficient and scalable, not a bottleneck for applications behind the proxy service. The diagram is a reverse-proxy implementation and communications flow. ![Diagram of the reverse proxy implementation.](./media/partner-ping/reverse-proxy.png) To create a web session: 3. Enter a **Name** for the web session. 4. Select the **Cookie Type**: **Signed JWT** or **Encrypted JWT**. 5. Enter a unique value for **Audience**.-6. For **Client ID**, enter the **Azure AD Application ID**. -7. For **Client Secret**, enter the **Key** you generated for the application in Azure AD. -8. (Optional) Create and use custom claims with the Microsoft Graph API: Select **Advanced**. Deselect **Request Profile** and **Refresh User Attributes**. Learn more about custom claims: [Header-based single sign-on for on-premises apps with Azure AD App Proxy](../active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md). +6. For **Client ID**, enter the **Microsoft Entra Application ID**. +7. For **Client Secret**, enter the **Key** you generated for the application in Microsoft Entra ID. +8. (Optional) Create and use custom claims with the Microsoft Graph API: Select **Advanced**. Deselect **Request Profile** and **Refresh User Attributes**. Learn more about custom claims: [Header-based single sign-on for on-premises apps with Microsoft Entra application proxy](../active-directory/app-proxy/application-proxy-configure-single-sign-on-with-headers.md). 9. Select **Save** #### Create identity mapping |
active-directory-b2c | Partner Saviynt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-saviynt.md | Use the following instructions to set up access control delegated administration To get started, you need: -* An Azure AD subscription +* An Azure subscription + * If you don't have on, get an [Azure free account](https://azure.microsoft.com/free/) * An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription * Go to saviynt.com [Contact Us](https://saviynt.com/contact-us/) to request a demo The following architecture diagram illustrates the implementation. Use the following instructions to create an application, delete users, and more. -### Create an Azure AD application for Saviynt +<a name='create-an-azure-ad-application-for-saviynt'></a> ++### Create a Microsoft Entra application for Saviynt For the following instructions, use the directory with the Azure AD B2C tenant. Save the Tenant ID, Client ID, and Client Secret to complete the setup. Enable Saviynt to perform user delete operations in Azure AD B2C. -Learn more: [Application and service principal objects in Azure AD](../active-directory/develop/app-objects-and-service-principals.md) +Learn more: [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md) 1. Install the latest version of Microsoft Graph PowerShell Module on a Windows workstation or server. |
active-directory-b2c | Partner Strata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-strata.md | The solution has the following benefits: To get started, you'll need: -- An Azure AD subscription+* An Azure subscription + - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - An [Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - An instance of [Azure Key Vault](https://azure.microsoft.com/services/key-vault/) to store secrets used by Maverics Identity Orchestrator. Connect to Azure AD B2C or other attribute providers such as a Lightweight Directory Access Protocol (LDAP) directory or database. You can run your Orchestrator instance on any server, whether on-premises or in - **Ports**: 22 (SSH/SCP), 443, 80 - **Root access**: For install/administrative tasks - **Maverics Identity Orchestrator**: Runs as user `maverics` under `systemd`-- **Network egress**: From the server hosting Maverics Identity Orchestrator that can reach your Azure AD tenant+- **Network egress**: From the server hosting Maverics Identity Orchestrator that can reach your Microsoft Entra tenant ### Install Maverics Identity Orchestrator |
active-directory-b2c | Partner Trusona | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-trusona.md | zone_pivot_groups: b2c-policy-type # Configure Trusona Authentication Cloud with Azure Active Directory B2C -In this sample tutorial, you'll learn how to integrate Azure Active Directory (Azure AD B2C) authentication with [Trusona Authentication Cloud](https://www.trusona.com/customers/authentication-cloud). It's a cloud-based service enabling users to authenticate with a **tap-and-go** experience, without the need for any kind of mobile authenticator app. +In this sample tutorial, you'll learn how to integrate Azure AD B2C authentication with [Trusona Authentication Cloud](https://www.trusona.com/customers/authentication-cloud). It's a cloud-based service enabling users to authenticate with a **tap-and-go** experience, without the need for any kind of mobile authenticator app. Benefits of integrating Trusona Authentication Cloud with Azure AD B2C include: - Deliver strong authentication with a better user experience Benefits of integrating Trusona Authentication Cloud with Azure AD B2C include: To get started, you need: - A Trusona Authentication Cloud trial account. To request an account, [contact Trusona](mailto:info@trusona.com).-- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).+- An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). - [An Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription. ::: zone pivot="b2c-custom-policy" In this scenario, Trusona acts as an Identity Provider (IdP) for Azure AD B2C to > [!NOTE] >1. The Trusona portal supports self-service registration. Upon registering you will be assigned to a Trusona account with read-only rights. Afterwards, Trusona will assign you to the correct account and elevate your rights to read-write based upon your organizationΓÇÖs access control policy for portal users.- >2. Azure Active DirectoryΓÇÖs initial domain name is used as the client redirect host. + >2. Microsoft Entra IDΓÇÖs initial domain name is used as the client redirect host. [![Screenshot shows Trusona Authentication Cloud portal settings.](./media/partner-trusona/trusona-auth-cloud-oidc-settings.png)](./media/partner-trusona/trusona-auth-cloud-oidc-settings.png#lightbox) |
active-directory-b2c | Partner Twilio | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-twilio.md | In this walkthrough, learn how to integrate a sample online payment app in Azure To get started, you'll need: -* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). * [An Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription. * A [trial account](https://www.twilio.com/try-twilio) at Twilio. For additional information, review the following articles: - Refer to GitHub for [Twilio integration code samples](https://github.com/azure-ad-b2c/samples/tree/master/policies/twilio-mfa-psd2) -- [Custom policies in AAD B2C](custom-policy-overview.md)+- [Custom policies in Azure AD B2C](custom-policy-overview.md) -- [Get started with custom policies in AAD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy) |
active-directory-b2c | Partner Typingdna | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-typingdna.md | Title: TypingDNA with Azure Active Directory B2C -description: Learn how to integrate Azure AD B2C authentication with TypingDNA to help with Identity verification and proofing based on user typing pattern, provides ID verification solutions forcing multi-factor authentication and helps to comply with SCA requirements for Payment Services Directive 2 (PSD2). +description: Learn how to integrate Azure AD B2C authentication with TypingDNA to help with Identity verification and proofing based on user typing pattern, provides ID verification solutions forcing multifactor authentication and helps to comply with SCA requirements for Payment Services Directive 2 (PSD2). - Azure AD B2C uses TypingDNA's technologies to capture the users typing characteristics and have them recorded and analyzed for familiarity on each authentication. This adds a layer of protection related to the riskiness of an authentication and evaluates the risk levels. Azure AD B2C can invoke other mechanisms to provide further confidence the user is who they claim to be by invoking Azure AD MFA, forcing email verification, or any other custom logic for your scenario. + Azure AD B2C uses TypingDNA's technologies to capture the users typing characteristics and have them recorded and analyzed for familiarity on each authentication. This adds a layer of protection related to the riskiness of an authentication and evaluates the risk levels. Azure AD B2C can invoke other mechanisms to provide further confidence the user is who they claim to be by invoking Microsoft Entra multifactor authentication, forcing email verification, or any other custom logic for your scenario. >[!NOTE] > This sample policy is based on [SocialAndLocalAccountsWithMfa](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/SocialAndLocalAccountsWithMfa) starter pack. These thresholds should be adjusted on your use case. - After your API has evaluated the `net_score`, it should return a boolean claim to B2C - `promptMFA`. -- The `promptMFA` claim is used within a pre-condition to conditionally execute Azure AD MFA.+- The `promptMFA` claim is used within a pre-condition to conditionally execute Microsoft Entra multifactor authentication. ```xml These thresholds should be adjusted on your use case. 2. Replace all instances of `apiKey` and `apiSecret` in [TypingDNA-API-Interface](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/TypingDNA/source-code/TypingDNA-API-Interface) solution with the credentials from your TypingDNA dashboard 3. Host the HTML files at your provider of choice following the CORS requirements [here](./customize-ui-with-html.md#3-configure-cors) 4. Replace the LoadURI elements for the `api.selfasserted.tdnasignup` and `api.selfasserted.tdnasignin` content definitions in the `TrustFrameworkExtensions.xml` file to the URI of your hosted HTML files respectively.-5. Create a B2C policy key under identity experience framework in the Azure AD blade in the **Azure portal**. Use the `Generate` option and name this key `tdnaHashedId`. +5. Create a B2C policy key under identity experience framework in the Microsoft Entra ID blade in the **Azure portal**. Use the `Generate` option and name this key `tdnaHashedId`. + 6. Replace the TenantId's in the policy files 7. Replace the ServiceURLs in all TypingDNA REST API technical profiles (REST-TDNA-VerifyUser, REST-TDNA-SaveUser, REST-TDNA-CheckUser) with the endpoint for your [TypingDNA-API-Interface API](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/TypingDNA/source-code/TypingDNA-API-Interface). 8. Upload [policy files](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/TypingDNA/policy) to your tenant. These thresholds should be adjusted on your use case. For additional information, review the following articles: -- [Custom policies in AAD B2C](./custom-policy-overview.md)+- [Custom policies in Azure AD B2C](./custom-policy-overview.md) -- [Get started with custom policies in AAD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy) |
active-directory-b2c | Partner Whoiam Rampart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-whoiam-rampart.md | In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) a ## Prerequisites -* An Azure AD subscription +* An Azure subscription + * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/) * An Azure AD B2C tenant linked to the Azure subscription * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) a WhoIAM Rampart is built in Azure and runs in the Azure environment. The following components comprise the Rampart solution with Azure AD B2C: -* **An Azure AD tenant** - the Azure AD B2C tenant stores users and manages access (and scope) in Rampart +* **a Microsoft Entra tenant** - the Azure AD B2C tenant stores users and manages access (and scope) in Rampart * **Custom B2C policies** - to integrate with Rampart * **A resource group** - hosts Rampart functionality A list of user-created applications in your Azure AD B2C tenant appears. Likewis - [Set-up Guide, Authorization Policy Execution](https://docs.gatekeeper.whoiamdemos.com/#/setup-guide?id=authorization-policy-execution) - [Azure AD B2C custom policy overview](custom-policy-overview.md) - [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)- |
active-directory-b2c | Partner Whoiam | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-whoiam.md | Learn more: [WhoIAM, Products and Services, Branded Identity Management System]( To get started, you'll need: -- An Azure AD subscription+* An Azure subscription + - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) - [An Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription - A WhoIAM trial account The following diagram shows the implementation architecture. * [Key Vault](https://azure.microsoft.com/services/key-vault/): Store passwords * [App Service](https://azure.microsoft.com/services/app-service/): Host the BRIMS API and admin portal services- * [Azure Active Directory](https://azure.microsoft.com/services/active-directory/): Authenticate administrative users for the portal + * [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/): Authenticate administrative users for the portal * [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/): Store and retrieve settings * [Application Insights overview](../azure-monitor/app/app-insights-overview.md) (optional): Sign in to the API and the portal |
active-directory-b2c | Partner Xid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-xid.md | In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) a ## Prerequisites -* An Azure AD subscription +* An Azure subscription + * If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/) * An Azure AD B2C tenant linked to the Azure subscription * See, [Tutorial: Create an Azure Active Directory B2C tenant](./tutorial-create-tenant.md) |
active-directory-b2c | Password Complexity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/password-complexity.md | To configure the password complexity, override the `newPassword` and `reenterPas ## Disable strong password -The following technical profiles are [Active Directory technical profiles](active-directory-technical-profile.md), which read and write data to Azure Active Directory. Override these technical profiles in the extension file. Use `PersistedClaims` to disable the strong password policy. Find the **ClaimsProviders** element. Add the following claim providers as follows: +The following technical profiles are [Active Directory technical profiles](active-directory-technical-profile.md), which read and write data to Microsoft Entra ID. Override these technical profiles in the extension file. Use `PersistedClaims` to disable the strong password policy. Find the **ClaimsProviders** element. Add the following claim providers as follows: ```xml <!-- |
active-directory-b2c | Phone Based Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/phone-based-mfa.md | Title: Securing phone-based MFA in Azure AD B2C -description: Learn tips for securing phone-based multi-factor authentication (MFA) in your Azure AD B2C tenant by using Azure Monitor Log Analytics reports and alerts. Use our workbook to identify fraudulent phone authentications and mitigate fraudulent sign-ups. = +description: Learn tips for securing phone-based multifactor authentication in your Azure AD B2C tenant by using Azure Monitor Log Analytics reports and alerts. Use our workbook to identify fraudulent phone authentications and mitigate fraudulent sign-ups. = -# Securing phone-based multi-factor authentication (MFA) +# Securing phone-based multifactor authentication -With Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA), users can choose to receive an automated voice call at a phone number they register for verification. Malicious users could take advantage of this method by creating multiple accounts and placing phone calls without completing the MFA registration process. These numerous failed sign-ups could exhaust the allowed sign-up attempts, preventing other users from signing up for new accounts in your Azure AD B2C tenant. To help protect against these attacks, you can use Azure Monitor to monitor phone authentication failures and mitigate fraudulent sign-ups. +With Microsoft Entra multifactor authentication, users can choose to receive an automated voice call at a phone number they register for verification. Malicious users could take advantage of this method by creating multiple accounts and placing phone calls without completing the MFA registration process. These numerous failed sign-ups could exhaust the allowed sign-up attempts, preventing other users from signing up for new accounts in your Azure AD B2C tenant. To help protect against these attacks, you can use Azure Monitor to monitor phone authentication failures and mitigate fraudulent sign-ups. > [!IMPORTANT]-> Authenticator app (TOTP) provides stronger security than SMS/Phone multi-factor authentication. To set this up please read our instructions for [enabling multi-factor authentication in Azure Active Directory B2C](multi-factor-authentication.md). +> Authenticator app (TOTP) provides stronger security than SMS/Phone multifactor authentication. To set this up please read our instructions for [enabling multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md). ## Prerequisites |
active-directory-b2c | Publish App To Azure Ad App Gallery | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/publish-app-to-azure-ad-app-gallery.md | Title: Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery -description: Learn how to list an Azure AD B2C app that supports single sign-on in the Azure Active Directory app gallery. + Title: Publish your Azure Active Directory B2C app to the Microsoft Entra app gallery +description: Learn how to list an Azure AD B2C app that supports single sign-on in the Microsoft Entra app gallery. -# Publish your Azure Active Directory B2C app to the Azure Active Directory app gallery +# Publish your Azure Active Directory B2C app to the Microsoft Entra app gallery -The Azure Active Directory (Azure AD) app gallery is a catalog of thousands of apps. The app gallery makes it easy to deploy and configure single sign-on (SSO) and automate user setup. You can find popular cloud apps in the gallery, such as Workday, ServiceNow, and Zoom. +The Microsoft Entra app gallery is a catalog of thousands of apps. The app gallery makes it easy to deploy and configure single sign-on (SSO) and automate user setup. You can find popular cloud apps in the gallery, such as Workday, ServiceNow, and Zoom. -This article describes how to publish your Azure Active Directory B2C (Azure AD B2C) app in the Azure AD app gallery. When you publish your app, it's listed among the options that customers can choose from when they're adding apps to their Azure AD tenant. +This article describes how to publish your Azure Active Directory B2C (Azure AD B2C) app in the Microsoft Entra app gallery. When you publish your app, it's listed among the options that customers can choose from when they're adding apps to their Microsoft Entra tenant. Here are some benefits of adding your Azure AD B2C app to the app gallery: - Your app is a verified integration with Microsoft.-- SSO access is enabled between your app and Azure AD apps.+- SSO access is enabled between your app and Microsoft Entra apps. - Customers can find your app in the gallery with a quick search. - App configuration is simple and minimal. - Customers get a step-by-step configuration tutorial. The sign-in flow involves the following steps: 1. Users go to the [My Apps portal](https://myapps.microsoft.com/) and select your app. The app opens the app sign-in URL. 1. The app sign-in URL starts an authorization request and redirects users to the Azure AD B2C authorization endpoint.-1. Users choose to sign in with their Azure AD "Corporate" account. Azure AD B2C takes them to the Azure AD authorization endpoint, where they sign in with their work account. -1. If the Azure AD SSO session is active, Azure AD issues an access token without prompting users to sign in again. Otherwise, users are prompted to sign in again. +1. Users choose to sign in with their Microsoft Entra ID "Corporate" account. Azure AD B2C takes them to the Microsoft Entra authorization endpoint, where they sign in with their work account. +1. If the Microsoft Entra SSO session is active, Microsoft Entra ID issues an access token without prompting users to sign in again. Otherwise, users are prompted to sign in again. ![Diagram of the sign-in OpenID connect flow.](./media/publish-app-to-azure-ad-app-gallery/app-gallery-sign-in-flow.png) -Depending on the users' SSO session and Azure AD identity settings, they might be prompted to: +Depending on the users' SSO session and Microsoft Entra identity settings, they might be prompted to: - Provide their email address or phone number. Depending on the users' SSO session and Azure AD identity settings, they might b - Accept the consent page. Your customer's tenant administrator can [grant tenant-wide admin consent to an app](../active-directory/manage-apps/grant-admin-consent.md). When consent is granted, the consent page won't be presented to users. -Upon successful sign-in, Azure AD returns a token to Azure AD B2C. Azure AD B2C validates and reads the token claims, and then returns a token to your application. +Upon successful sign-in, Microsoft Entra ID returns a token to Azure AD B2C. Azure AD B2C validates and reads the token claims, and then returns a token to your application. ## Prerequisites To enable sign in to your app with Azure AD B2C, register your app in the Azure If you haven't already done so, [register a web application](tutorial-register-applications.md). Later, you'll register this app with the Azure app gallery. -## Step 2: Set up sign-in for multitenant Azure AD +<a name='step-2-set-up-sign-in-for-multitenant-azure-ad'></a> -To allow employees and consumers from any Azure AD tenant to sign in by using Azure AD B2C, follow the guidance for [setting up sign in for multitenant Azure AD](identity-provider-azure-ad-multi-tenant.md?pivots=b2c-custom-policy). +## Step 2: Set up sign-in for multitenant Microsoft Entra ID ++To allow employees and consumers from any Microsoft Entra tenant to sign in by using Azure AD B2C, follow the guidance for [setting up sign in for multitenant Microsoft Entra ID](identity-provider-azure-ad-multi-tenant.md?pivots=b2c-custom-policy). ## Step 3: Prepare your app -In your app, copy the URL of the sign-in endpoint. If you use the [web application sample](configure-authentication-sample-web-app.md), the sign-in URL is `https://localhost:5001/MicrosoftIdentity/Account/SignIn?`. This URL is where the Azure AD app gallery takes users to sign in to your app. +In your app, copy the URL of the sign-in endpoint. If you use the [web application sample](configure-authentication-sample-web-app.md), the sign-in URL is `https://localhost:5001/MicrosoftIdentity/Account/SignIn?`. This URL is where the Microsoft Entra app gallery takes users to sign in to your app. In production environments, the app registration redirect URI is ordinarily a publicly accessible endpoint where your app is running. The reply URL must begin with `https`. ## Step 4: Publish your Azure AD B2C app -Finally, add the multitenant app to the Azure AD app gallery. Follow the instructions in [Publish your app to the Azure AD app gallery](../active-directory/manage-apps/v2-howto-app-gallery-listing.md). To add your app to the app gallery, use the following steps: +Finally, add the multitenant app to the Microsoft Entra app gallery. Follow the instructions in [Publish your app to the Microsoft Entra app gallery](../active-directory/manage-apps/v2-howto-app-gallery-listing.md). To add your app to the app gallery, use the following steps: 1. [Create and publish documentation](../active-directory/manage-apps/v2-howto-app-gallery-listing.md#create-and-publish-documentation). 1. [Submit your app](../active-directory/manage-apps/v2-howto-app-gallery-listing.md#submit-your-application) with the following information: Finally, add the multitenant app to the Azure AD app gallery. Follow the instruc ## Next steps -- Learn how to [Publish your Azure AD app to the Azure AD app gallery](../active-directory/manage-apps/v2-howto-app-gallery-listing.md).+- Learn how to [Publish your Microsoft Entra app to the Microsoft Entra app gallery](../active-directory/manage-apps/v2-howto-app-gallery-listing.md). |
active-directory-b2c | Quickstart Native App Desktop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/quickstart-native-app-desktop.md | Select **Call API** to make a request to the protected resource. ![Call API](./media/quickstart-native-app-desktop/call-api-wpf.png) -The application includes the Azure AD access token in the request to the protected web API resource. The web API sends back the display name contained in the access token. +The application includes the Microsoft Entra access token in the request to the protected web API resource. The web API sends back the display name contained in the access token. You've successfully used your Azure AD B2C user account to make an authorized call an Azure AD B2C protected web API. |
active-directory-b2c | Quickstart Web App Dotnet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/quickstart-web-app-dotnet.md | Azure Active Directory B2C provides functionality to allow users to update their ![Screenshot of the sample web app in browser with To-Do List link and Add button highlighted.](./media/quickstart-web-app-dotnet/add-todo-item-web.png) - The ASP.NET web application includes an Azure AD access token in the request to the protected web API resource to perform operations on the user's to-do list items. + The ASP.NET web application includes a Microsoft Entra access token in the request to the protected web API resource to perform operations on the user's to-do list items. You've successfully used your Azure AD B2C user account to make an authorized call to an Azure AD B2C protected web API. |
active-directory-b2c | Register Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/register-apps.md | You can register different app types in your Azure AD B2C Tenant. The how-to gui - [Daemon apps](client-credentials-grant-flow.md) - [Microsoft Graph application](microsoft-graph-get-started.md) - [SAML application](saml-service-provider.md?tabs=windows&pivots=b2c-custom-policy)-- [Publish app in Azure AD app gallery](publish-app-to-azure-ad-app-gallery.md)+- [Publish app in Microsoft Entra app gallery](publish-app-to-azure-ad-app-gallery.md) - + |
active-directory-b2c | Roles Resource Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/roles-resource-access-control.md | When planning your access control strategy, it's best to assign users the least |Resource |Description |Role | |||| |[Application registrations](tutorial-register-applications.md) | Create and manage all aspects of your web, mobile, and native application registrations within Azure AD B2C.|[Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator)|-|Tenant Creator| Create new Azure AD or Azure AD B2C tenants.| [Tenant Creator](../active-directory/roles/permissions-reference.md#tenant-creator)| +|Tenant Creator| Create new Microsoft Entra ID or Azure AD B2C tenants.| [Tenant Creator](../active-directory/roles/permissions-reference.md#tenant-creator)| |[Identity providers](add-identity-provider.md)| Configure the [local identity provider](identity-provider-local.md) and external social or enterprise identity providers. | [External Identity Provider Administrator](../active-directory/roles/permissions-reference.md#external-identity-provider-administrator)| |[API connectors](add-api-connector.md)| Integrate your user flows with web APIs to customize the user experience and integrate with external systems.|[External ID User Flow Administrator](../active-directory/roles/permissions-reference.md#external-id-user-flow-administrator)| |[Company branding](customize-ui.md#configure-company-branding)| Customize your user flow pages.| [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator)| |
active-directory-b2c | Saml Identity Provider Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/saml-identity-provider-technical-profile.md | The **OutputClaimsTransformations** element may contain a collection of **Output | WantsEncryptedAssertions | No | Indicates whether the technical profile requires all incoming assertions to be encrypted. Possible values: `true` or `false`. The default value is `false`. If the value is set to `true`, assertions sent by the identity provider to Azure AD B2C must be signed and the **SamlAssertionDecryption** cryptographic key needs to be specified. If the value is set to `true`, the metadata of the Azure AD B2C technical profile includes the **encryption** section. The identity provider reads the metadata and encrypts the SAML response assertion with the public key that is provided in the metadata of the Azure AD B2C technical profile. If you enable the assertions encryption, you also may need to disable the response signature validation (for more information, see **ResponsesSigned**). | | NameIdPolicyFormat | No | Specifies constraints on the name identifier to be used to represent the requested subject. If omitted, any type of identifier supported by the identity provider for the requested subject can be used. For example, `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`. **NameIdPolicyFormat** can be used with **NameIdPolicyAllowCreate**. Look at your identity provider’s documentation for guidance about which name ID policies are supported. | | NameIdPolicyAllowCreate | No | When using **NameIdPolicyFormat**, you can also specify the `AllowCreate` property of **NameIDPolicy**. The value of this metadata is `true` or `false` to indicate whether the identity provider is allowed to create a new account during the sign-in flow. Look at your identity provider’s documentation for guidance on how to do so. |-| AuthenticationRequestExtensions | No | Optional protocol message extension elements that are agreed on between Azure AD BC and the identity provider. The extension is presented in XML format. You add the XML data inside the CDATA element `<![CDATA[Your IDP metadata]]>`. Check your identity provider’s documentation to see if the extensions element is supported. | +| AuthenticationRequestExtensions | No | Optional protocol message extension elements that are agreed on between Azure AD B2C and the identity provider. The extension is presented in XML format. You add the XML data inside the CDATA element `<![CDATA[Your IDP metadata]]>`. Check your identity provider’s documentation to see if the extensions element is supported. | | IncludeAuthnContextClassReferences | No | Specifies one or more URI references identifying authentication context classes. For example, to allow a user to sign in with username and password only, set the value to `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`. To allow sign-in through username and password over a protected session (SSL/TLS), specify `PasswordProtectedTransport`. Look at your identity provider’s documentation for guidance about the **AuthnContextClassRef** URIs that are supported. Specify multiple URIs as a comma-delimited list. | | IncludeKeyInfo | No | Indicates whether the SAML authentication request contains the public key of the certificate when the binding is set to `HTTP-POST`. Possible values: `true` or `false`. | | IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. | |
active-directory-b2c | Secure Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/secure-rest-api.md | A claim provides temporary storage of data during an Azure AD B2C policy executi You can obtain an access token in one of several ways: by obtaining it [from a federated identity provider](idp-pass-through-user-flow.md), by calling a REST API that returns an access token, by using an [ROPC flow](../active-directory/develop/v2-oauth-ropc.md), or by using the [client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). The client credentials flow is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. -#### Acquiring an Azure AD access token +<a name='acquiring-an-azure-ad-access-token-'></a> -The following example uses a REST API technical profile to make a request to the Azure AD token endpoint using the client credentials passed as HTTP basic authentication. For more information, see [Microsoft identity platform and the OAuth 2.0 client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). +#### Acquiring a Microsoft Entra access token -Before the technical profile can interact with Azure AD to obtain an access token, you need to register an application. Azure AD B2C relies the Azure AD platform. You can create the app in your Azure AD B2C tenant, or in any Azure AD tenant you manage. To register an application: +The following example uses a REST API technical profile to make a request to the Microsoft Entra token endpoint using the client credentials passed as HTTP basic authentication. For more information, see [Microsoft identity platform and the OAuth 2.0 client credentials flow](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md). ++Before the technical profile can interact with Microsoft Entra ID to obtain an access token, you need to register an application. Azure AD B2C relies the Microsoft Entra platform. You can create the app in your Azure AD B2C tenant, or in any Microsoft Entra tenant you manage. To register an application: 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD or Azure AD B2C directory in the **Directory name** list, and then select **Switch**. -1. In the left menu, select **Azure Active Directory**. Or, select **All services** and search for and select **Azure Active Directory**. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra ID or Azure AD B2C directory in the **Directory name** list, and then select **Switch**. +1. In the left menu, select **Microsoft Entra ID**. Or, select **All services** and search for and select **Microsoft Entra ID**. 1. Select **App registrations**, and then select **New registration**. 1. Enter a **Name** for the application. For example, *Client_Credentials_Auth_app*. 1. Under **Supported account types**, select **Accounts in this organizational directory only**. Before the technical profile can interact with Azure AD to obtain an access toke For a client credentials flow, you need to create an application secret. The client secret is also known as an application password. The secret will be used by your application to acquire an access token. -1. In the **Azure AD - App registrations** page, select the application you created, for example *Client_Credentials_Auth_app*. +1. In the **Microsoft Entra ID - App registrations** page, select the application you created, for example *Client_Credentials_Auth_app*. 1. In the left menu, under **Manage**, select **Certificates & secrets**. 1. Select **New client secret**. 1. Enter a description for the client secret in the **Description** box. For example, *clientsecret1*. You need to store the client ID and the client secret value that you previously - **Name**: `SecureRESTClientSecret`. - **Secret**: enter your client secret that you previously recorded -For the ServiceUrl, replace your-tenant-name with the name of your Azure AD tenant. See the [RESTful technical profile](restful-technical-profile.md) reference for all options available. +For the ServiceUrl, replace your-tenant-name with the name of your Microsoft Entra tenant. See the [RESTful technical profile](restful-technical-profile.md) reference for all options available. ```xml <TechnicalProfile Id="REST-AcquireAccessToken"> After you add the above snippets, your technical profile should look like the fo ### Call the REST technical profile -To call the `REST-GetProfile` technical profile, you first need to acquire an Azure AD access token using the `REST-AcquireAccessToken` technical profile. The following example shows how to call the `REST-GetProfile` technical profile from a [validation technical profile](validation-technical-profile.md): +To call the `REST-GetProfile` technical profile, you first need to acquire a Microsoft Entra access token using the `REST-AcquireAccessToken` technical profile. The following example shows how to call the `REST-GetProfile` technical profile from a [validation technical profile](validation-technical-profile.md): ```xml <ValidationTechnicalProfiles> The following XML snippet is an example of a RESTful technical profile configure ::: zone pivot="b2c-custom-policy" - Learn more about the [Restful technical profile](restful-technical-profile.md) element in the custom policy reference. ::: zone-end- |
active-directory-b2c | Security Architecture | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/security-architecture.md | Depending on your solution, you have one or more of the following components in - Sign in - Sign up - Email One-time-password (OTP)-- Multifactor authentication (MFA) controls+- Multifactor authentication controls - External REST APIs You must protect and monitor all these components to ensure your users can sign in to applications without disruption. Follow the guidance in this article to protect your solution from bot attacks, fraudulent account creation, international revenue share fraud (ISRF), and password spray. The following table provides an overview of the different protection mechanisms |Identity Verification & Proofing / Fraud Protection|Identity verification and proofing are critical for creating a trusted user experience and protecting against account takeover and fraudulent account creation. It also contributes to tenant hygiene by ensuring that user objects reflect the actual users, which align with business scenarios. </br></br>Azure AD B2C allows the integration of identity verification and proofing, and fraud protection from various software-vendor partners.| <ul><li> [Integrate with identity verification and proofing partners](./identity-verification-proofing.md)</li><li>[Configure Microsoft Dynamics 365 Fraud Protection](./partner-dynamics-365-fraud-protection.md) </li><li> [Configure with Arkose Labs platform](./partner-arkose-labs.md)</li><li> [Mitigate fraudulent MFA usage](phone-based-mfa.md#mitigate-fraudulent-sign-ups)</li></ul>| |Identity Protection|Identity Protection provides ongoing risk detection. When a risk is detected during sign-in, you can configure Azure AD B2C conditional policy to allow the user to remediate the risk before proceeding with the sign-in. Administrators can also use identity protection reports to review risky users who are at risk and review detection details. The risk detections report includes information about each risk detection, such as its type and the location of the sign-in attempt, and more. Administrators can also confirm or deny that the user is compromised.|<ul><li>[Investigate risk with Identity Protection](./identity-protection-investigate-risk.md)</li><ul> | |Conditional Access (CA)|When a user attempts to sign in, CA gathers various signals such as risks from identity protection, to make decisions and enforce organizational policies. CA can assist administrators to develop policies that are consistent with their organization's security posture. The policies can include the ability to completely block user access or provide access after the user has completed another authentication like MFA.|<ul><li>[Add Conditional Access policies to user flows](./conditional-access-user-flow.md)</li></ul>| -|Multifactor authentication (MFA)|MFA adds a second layer of security to the sign-up and sign-in process and is an essential component of improving the security posture of user authentication in Azure AD B2C. The Authenticator app - TOTP is the recommended MFA method in Azure AD B2C. | <ul><li>[Enable multifactor authentication](./multi-factor-authentication.md)</li></ul> | +|Multifactor authentication|MFA adds a second layer of security to the sign-up and sign-in process and is an essential component of improving the security posture of user authentication in Azure AD B2C. The Authenticator app - TOTP is the recommended MFA method in Azure AD B2C. | <ul><li>[Enable multifactor authentication](./multi-factor-authentication.md)</li></ul> | |Security Information and Event management (SIEM)/ Security Orchestration, Automation and Response (SOAR) |You need a reliable monitoring and alerting system for analyzing usage patterns such as sign-ins and sign-ups, and detect any anomalous behavior that may be indicative of a cyberattack. It's an important step that adds an extra layer of security. It also you to understand patterns and trends that can only be captured and built upon over time. Alerting assists in determining factors such as the rate of change in overall sign-ins, an increase in failed sign-ins, and failed sign-up journeys, phone-based frauds such as IRSF attacks, and so on. All of these can be indicators of an ongoing cyberattack that requires immediate attention. Azure AD B2C supports both high level and fine grain logging, as well as the generation of reports and alerts. It's advised that you implement monitoring and alerting in all production tenants. | <ul><li>[Monitor using Azure Monitor](./azure-monitor.md)</li><li>[Use reports & alerts](https://github.com/azure-ad-b2c/siem)</li><li> [Monitor for fraudulent MFA usage](./phone-based-mfa.md)</li><li>[Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md?pivots=b2c-user-flow)</li><li>[Configure security analytics for Azure AD B2C data with Microsoft Sentinel](./configure-security-analytics-sentinel.md)</li></ul>| [![Screenshot shows Azure AD B2C security architecture diagram.](./media/security-architecture/security-architecture-high-level.png)](./media/security-architecture/security-architecture-high-level.png#lightbox) Azure AD B2C allows you to connect to external systems by using the [API Connect After you create a sign-in experience, or user flow, you'll need to protect specific components of your flow from malicious activity. For example, if your sign in flow involves the following, then the table shows the components you need to protect, and associated protection technique: - Local account email and password authentication-- Azure AD Multi-Factor Authentication using SMS or phone call+- Microsoft Entra multifactor authentication using SMS or phone call |Component |Endpoint|How to protect| |-|-|-| After you create a sign-up experience, or user flow, you need to protect specifi - Local account email and password sign-up - Email verification using email OTP-- Azure AD Multi-Factor Authentication using SMS or phone call+- Microsoft Entra multifactor authentication using SMS or phone call |Component |Endpoint|How to protect| |-|-|-| In this scenario, the use of the WAF and AFD protection mechanisms protects both - [Configure a Web application firewall](./partner-akamai.md) to protect Azure AD B2C authentication endpoints. - [Configure Fraud prevention with Dynamics](./partner-dynamics-365-fraud-protection.md) to protect your authentication experiences. - [Investigate risk with Identity Protection in Azure AD B2C](./identity-protection-investigate-risk.md) to discover, investigate, and remediate identity-based risks.-- [Securing phone-based multi-factor authentication (MFA)](./phone-based-mfa.md) to protect your phone based multi-factor authentication.+- [Securing phone-based multifactor authentication](./phone-based-mfa.md) to protect your phone based multifactor authentication. - [Configure Identity Protection](./conditional-access-user-flow.md) to protect your sign in experience. - [Configure Monitoring and alerting](./azure-monitor.md) to be alerted to any threats. |
active-directory-b2c | Self Asserted Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/self-asserted-technical-profile.md | The PersistedClaims element is not used. The self-asserted technical profile doe A validation technical profile is used for validating some or all of the output claims of the referencing technical profile. The input claims of the validation technical profile must appear in the output claims of the self-asserted technical profile. The validation technical profile validates the user input and can return an error to the user. -The validation technical profile can be any technical profile in the policy, such as [Azure Active Directory](active-directory-technical-profile.md) or a [REST API](restful-technical-profile.md) technical profiles. In the previous example, the `LocalAccountSignUpWithLogonEmail` technical profile validates that the signinName does not exist in the directory. If not, the validation technical profile creates a local account and returns the objectId, authenticationSource, newUser. The `SelfAsserted-LocalAccountSignin-Email` technical profile calls the `login-NonInteractive` validation technical profile to validate the user credentials. +The validation technical profile can be any technical profile in the policy, such as [Microsoft Entra ID](active-directory-technical-profile.md) or a [REST API](restful-technical-profile.md) technical profiles. In the previous example, the `LocalAccountSignUpWithLogonEmail` technical profile validates that the signinName does not exist in the directory. If not, the validation technical profile creates a local account and returns the objectId, authenticationSource, newUser. The `SelfAsserted-LocalAccountSignin-Email` technical profile calls the `login-NonInteractive` validation technical profile to validate the user credentials. You can also call a REST API technical profile with your business logic, overwrite input claims, or enrich user data by further integrating with corporate line-of-business application. For more information, see [Validation technical profile](validation-technical-profile.md) |
active-directory-b2c | Service Limits | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/service-limits.md | When you add more features to a User Flow, such as multifactor authentication, m |Feature |Additional requests consumed | |||-|Azure Active Directory Multi-Factor Authentication |2 | +|Microsoft Entra multifactor authentication |2 | |Email one-time password |2 | |Age gating |2 | |Federated identity provider |2 | The following table lists the administrative configuration limits in the Azure A |Maximum policy file size |1024 KB | |Number of API connectors per tenant |20 | -<sup>1</sup> See also [Azure AD service limits and restrictions](../active-directory/enterprise-users/directory-service-limits-restrictions.md). +<sup>1</sup> See also [Microsoft Entra service limits and restrictions](../active-directory/enterprise-users/directory-service-limits-restrictions.md). ## Next steps |
active-directory-b2c | Social Transformations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/social-transformations.md | Adds an `AlternativeSecurityId` to an `alternativeSecurityIdCollection` claim. C The following example links a new social identity with an existing account. To link a new social identity: -1. In the **AAD-UserReadUsingAlternativeSecurityId** and **AAD-UserReadUsingObjectId** technical profiles, output the user's **alternativeSecurityIds** claim. +1. In the `AAD-UserReadUsingAlternativeSecurityId` and `AAD-UserReadUsingObjectId` technical profiles, output the user's `alternativeSecurityIds` claim. 1. Ask the user to sign in with one of the identity providers that aren't associated with this user. 1. Using the **CreateAlternativeSecurityId** claims transformation, create a new **alternativeSecurityId** claim type with a name of `AlternativeSecurityId2` 1. Call the **AddItemToAlternativeSecurityIdCollection** claims transformation to add the **AlternativeSecurityId2** claim to the existing **AlternativeSecurityIds** claim. The following example links a new social identity with an existing account. To l ## CreateAlternativeSecurityId -Creates a JSON representation of the userΓÇÖs alternativeSecurityId property that can be used in the calls to Azure Active Directory. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/social#createalternativesecurityid) of this claims transformation. For more information, see the [AlternativeSecurityId](/graph/api/resources/alternativesecurityid) schema. +Creates a JSON representation of the userΓÇÖs alternativeSecurityId property that can be used in the calls to Microsoft Entra ID. Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/social#createalternativesecurityid) of this claims transformation. For more information, see the [AlternativeSecurityId](/graph/api/resources/alternativesecurityid) schema. | Element | TransformationClaimType | Data Type | Notes | | - | -- | | -- | Creates a JSON representation of the userΓÇÖs alternativeSecurityId property tha ### Example of CreateAlternativeSecurityId -Use this claims transformation to generate a `alternativeSecurityId` claim. It's used by all social identity provider technical profiles, such as `Facebook-OAUTH`. The following claims transformation receives the user social account ID and the identity provider name. The output of this technical profile is a JSON string format that can be used in Azure AD directory services. +Use this claims transformation to generate a `alternativeSecurityId` claim. It's used by all social identity provider technical profiles, such as `Facebook-OAUTH`. The following claims transformation receives the user social account ID and the identity provider name. The output of this technical profile is a JSON string format that can be used in Microsoft Entra directory services. ```xml <ClaimsTransformation Id="CreateAlternativeSecurityId" TransformationMethod="CreateAlternativeSecurityId"> Removes an **AlternativeSecurityId** from an **alternativeSecurityIdCollection** The following example unlinks one of the social identities with an existing account. To unlink a social identity: -1. In the **AAD-UserReadUsingAlternativeSecurityId** and **AAD-UserReadUsingObjectId** technical profiles, output the user's **alternativeSecurityIds** claim. +1. In the `AAD-UserReadUsingAlternativeSecurityId` and `AAD-UserReadUsingObjectId` technical profiles, output the user's `alternativeSecurityIds` claim. 2. Ask the user to select which social account to remove from the list identity providers that are associated with this user. 3. Call a claims transformation technical profile that calls the **RemoveAlternativeSecurityIdByIdentityProvider** claims transformation, that removed the selected social identity, using identity provider name. 4. Persist the **alternativeSecurityIds** claim to the user account. |
active-directory-b2c | Solution Articles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/solution-articles.md | Azure Active Directory B2C (Azure AD B2C) enables organizations to implement bus | [Customer Identity Management with Azure AD B2C](/Shows/On-NET/Customer-Identity-Management-with-Azure-AD-B2C) | Video (20 minutes) | In this overview of the service, Parakh Jain ([@jainparakh](https://twitter.com/jainparakh)) from the Azure AD B2C team provides us an overview of how the service works, and also show how we can quickly connect B2C to an ASP.NET Core application. | | [Benefits of using Azure AD B2C](https://aka.ms/b2coverview) | PDF | Understand the benefits and common scenarios of Azure AD B2C, and how your application(s) can leverage this CIAM service. | | [Gaining Expertise in Azure AD B2C: A Course for Developers](https://aka.ms/learnAADB2C) | PDF | This end-to-end course takes developers through a complete journey on developing applications with Azure AD B2C as the authentication mechanism. Ten in-depth modules with labs cover everything from setting up an Azure subscription to creating custom policies that define the journeys that engage your customers. |-| [Enabling partners, Suppliers, and Customers to Access Applications with Azure active Directory](https://aka.ms/aadexternalidentities) | PDF | Every organizationΓÇÖs success, regardless of its size, industry, or compliance and security posture, relies on organizational ability to collaborate with other organizations and connect with customers.<br><br>Bringing together Azure AD, Azure AD B2C, and Azure AD B2B Collaboration, this guide details the business value and the mechanics of building an application or web experience that provides a consolidated authentication experience tailored to the contexts of your employees, business partners and suppliers, and customers. | +| [Enabling partners, Suppliers, and Customers to Access Applications with Microsoft Entra ID](https://aka.ms/aadexternalidentities) | PDF | Every organizationΓÇÖs success, regardless of its size, industry, or compliance and security posture, relies on organizational ability to collaborate with other organizations and connect with customers.<br><br>Bringing together Microsoft Entra ID, Azure AD B2C, and Microsoft Entra B2B Collaboration, this guide details the business value and the mechanics of building an application or web experience that provides a consolidated authentication experience tailored to the contexts of your employees, business partners and suppliers, and customers. | | [Migrating Application Authentication to Azure AD B2C in a Hybrid Environment](https://aka.ms/MigratetoAADB2C) | PDF | In todayΓÇÖs modern organizations, digital transformation and moving to the cloud happens in stages, requiring most organizations to at least temporarily operate in a hybrid identity environment.<br><br>This guide focuses on creating the migration plan for moving your first application to Azure AD B2C, and covers the considerations for doing so while in a hybrid identity environment. | | [General Data protection Regulation (GDPR) Considerations for Customer Facing Applications](https://aka.ms/AADB2CandGDPR) | PDF | For any customer facing applications, GDPR must be taken into consideration by all organizations that embark on projects that hold personal data and serve EU citizens.<br><br>This solution guide focuses on how Azure AD B2C can be used as a flexible component of your overall GDPR compliance approach, including how Azure AD B2C components support each of the key GDPR rights for individuals. | | Working with custom policies:<br><ul><li>[Custom policies introduction](https://download.microsoft.com/download/3/6/1/36187D50-A693-4547-848A-176F17AE1213/Deep%20Dive%20on%20Azure%20AD%20B2C%20Custom%20Policies/Azure%20AD%20B2C%20Custom%20Policies%20-%20Introduction.pdf)</li><li>[Leverage custom policies in your tenant](https://download.microsoft.com/download/3/6/1/36187D50-A693-4547-848A-176F17AE1213/Deep%20Dive%20on%20Azure%20AD%20B2C%20Custom%20Policies/Azure%20AD%20B2C%20Custom%20Policies%20-%20Leveraging%20Custom%20Policies%20for%20your%20Tenant.pdf)</li><li>[Structure policies and manage keys](https://download.microsoft.com/download/3/6/1/36187D50-A693-4547-848A-176F17AE1213/Deep%20Dive%20on%20Azure%20AD%20B2C%20Custom%20Policies/Azure%20AD%20B2C%20Custom%20Policies%20-%20Structuring%20Policies%20and%20Managing%20Keys.pdf)</li><li>[Bring your own identity and migrate users](https://download.microsoft.com/download/3/6/1/36187D50-A693-4547-848A-176F17AE1213/Deep%20Dive%20on%20Azure%20AD%20B2C%20Custom%20Policies/Azure%20AD%20B2C%20Custom%20Policies%20-%20Bring-your-own-identity%20and%20Migrating%20Users.pdf)</li><li>[Troubleshoot policies and audit access](https://download.microsoft.com/download/3/6/1/36187D50-A693-4547-848A-176F17AE1213/Deep%20Dive%20on%20Azure%20AD%20B2C%20Custom%20Policies/Azure%20AD%20B2C%20Custom%20Policies%20-%20Troubleshooting%20Policies%20and%20Auditing.pdf)</li><li>[Deep dive on custom policy schema](https://download.microsoft.com/download/3/6/1/36187D50-A693-4547-848A-176F17AE1213/Deep%20Dive%20on%20Azure%20AD%20B2C%20Custom%20Policies/Azure%20AD%20B2C%20Custom%20Policies%20-%20Deep%20Dive%20on%20Custom%20Policy%20Schema.pdf)</li><br> | PDF | This series of documents provides an end-to-end journey with the custom policies in Azure AD B2C, presenting in-depth the most common advanced identity scenarios.<br><br> It includes how to implement and manage custom policies for these scenarios and how to diagnose them with the available tooling. It also provides an in-depth understanding of how custom policies work and details how to fine-tune them to accommodate your own specific requirements. |- |
active-directory-b2c | String Transformations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/string-transformations.md | Check out the [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/c ### Example of StringJoin -The following example takes a string collection of user roles, and converts it to a comma delimiter string. You can use this method to store a string collection in Azure AD user account. Later, when you read the account from the directory, use the `StringSplit` to convert the comma delimiter string back to string collection. +The following example takes a string collection of user roles, and converts it to a comma delimiter string. You can use this method to store a string collection in an Azure AD B2C user account. Later, when you read the account from the directory, use the `StringSplit` to convert the comma delimiter string back to string collection. ```xml <ClaimsTransformation Id="ConvertRolesStringCollectionToCommaDelimiterString" TransformationMethod="StringJoin"> |
active-directory-b2c | Stringcollection Transformations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/stringcollection-transformations.md | Following example checks whether the `roles` stringCollection claim type contain ## Next steps -- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection) on the Azure AD B2C community GitHub repo+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/stringCollection) on the Azure AD B2C community GitHub repo |
active-directory-b2c | Supported Azure Ad Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/supported-azure-ad-features.md | Title: Supported Azure Active Directory features -description: Learn about Azure Active Directory features, which are still supported in Azure AD B2C. + Title: Supported Microsoft Entra features +description: Learn about Microsoft Entra features, which are still supported in Azure AD B2C. -# Supported Azure Active Directory features +# Supported Microsoft Entra features -An Azure Active Directory B2C (Azure AD B2C) tenant is different than an Azure Active Directory (Azure AD) tenant, which you may already have, but it relies on it. The following Azure AD features can be used in your Azure AD B2C tenant. +An Azure Active Directory B2C (Azure AD B2C) tenant is different than a Microsoft Entra tenant, which you may already have, but it relies on it. The following Microsoft Entra features can be used in your Azure AD B2C tenant. -|Feature |Azure AD | Azure AD B2C | +|Feature |Microsoft Entra ID | Azure AD B2C | |||| | [Groups](../active-directory/fundamentals/how-to-manage-groups.md) | Groups can be used to manage administrative and user accounts.| Groups can be used to manage administrative accounts. You can't perform [group-based assignment of enterprise applications](../active-directory/manage-apps/assign-user-or-group-access-portal.md).|-| [Inviting External Identities guests](../active-directory//external-identities/add-users-administrator.md)| You can invite guest users and configure External Identities features such as federation and sign-in with Facebook and Google accounts. | You can invite only a Microsoft account or an Azure AD user as a guest to your Azure AD tenant for accessing applications or managing tenants. For [consumer accounts](user-overview.md#consumer-user), you use Azure AD B2C user flows and custom policies to manage users and sign-up or sign-in with external identity providers, such as Google or Facebook. | +| [Inviting External Identities guests](../active-directory//external-identities/add-users-administrator.md)| You can invite guest users and configure External Identities features such as federation and sign-in with Facebook and Google accounts. | You can invite only a Microsoft account or a Microsoft Entra user as a guest to your Microsoft Entra tenant for accessing applications or managing tenants. For [consumer accounts](user-overview.md#consumer-user), you use Azure AD B2C user flows and custom policies to manage users and sign-up or sign-in with external identity providers, such as Google or Facebook. | | [Roles and administrators](../active-directory/fundamentals/how-subscriptions-associated-directory.md)| Fully supported for administrative and user accounts. | Roles are not supported with [consumer accounts](user-overview.md#consumer-user). Consumer accounts don't have access to any Azure resources.|-| [Custom domain names](../active-directory/fundamentals/add-custom-domain.md) | You can use Azure AD custom domains for administrative accounts only. | [Consumer accounts](user-overview.md#consumer-user) can sign in with a username, phone number, or any email address. You can use [custom domains](custom-domain.md) in your redirect URLs.| -| [Conditional Access](../active-directory/conditional-access/overview.md) | Fully supported for administrative and user accounts. | A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user) Learn how to configure Azure AD B2C [conditional access](conditional-access-user-flow.md).| -| [Premium P1](https://azure.microsoft.com/pricing/details/active-directory) | Fully supported for Azure AD premium P1 features. For example, [Password Protection](../active-directory/authentication/concept-password-ban-bad.md), [Hybrid Identities](../active-directory/hybrid/whatis-hybrid-identity.md), [Conditional Access](../active-directory/roles/permissions-reference.md#), [Dynamic groups](../active-directory/enterprise-users/groups-create-rule.md), and more. | Azure AD B2C uses [Azure AD B2C Premium P1 license](https://azure.microsoft.com/pricing/details/active-directory/external-identities/), which is different from Azure AD premium P1. A subset of Azure AD Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md).| -| [Premium P2](https://azure.microsoft.com/pricing/details/active-directory/) | Fully supported for Azure AD premium P2 features. For example, [Identity Protection](../active-directory/identity-protection/overview-identity-protection.md), and [Identity Governance](../active-directory/governance/identity-governance-overview.md). | Azure AD B2C uses [Azure AD B2C Premium P2 license](https://azure.microsoft.com/pricing/details/active-directory/external-identities/), which is different from Azure AD premium P2. A subset of Azure AD Identity Protection features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to [Investigate risk with Identity Protection](identity-protection-investigate-risk.md) and configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md). | -|[Data retention policy](../active-directory/reports-monitoring/reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data)|Data retention period for both audit and sign in logs depend on your subscription. Learn more about [How long Azure AD store reporting data](../active-directory/reports-monitoring/reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data).|Sign in and audit logs are only retained for **seven (7) days**. If you require a longer retention period, use the [Azure monitor](azure-monitor.md).| -| [Go-Local add-on](data-residency.md#go-local-add-on) | Azure AD Go-Local add-on enables you to store data in the country/region you choose when your Azure AD tenant.| Just like Azure AD, Azure AD B2C supports [Go-Local add-on](data-residency.md#go-local-add-on). | +| [Custom domain names](../active-directory/fundamentals/add-custom-domain.md) | You can use Microsoft Entra custom domains for administrative accounts only. | [Consumer accounts](user-overview.md#consumer-user) can sign in with a username, phone number, or any email address. You can use [custom domains](custom-domain.md) in your redirect URLs.| +| [Conditional Access](../active-directory/conditional-access/overview.md) | Fully supported for administrative and user accounts. | A subset of Microsoft Entra Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user) Learn how to configure Azure AD B2C [conditional access](conditional-access-user-flow.md).| +| [Premium P1](https://azure.microsoft.com/pricing/details/active-directory) | Fully supported for Microsoft Entra ID P1 features. For example, [Password Protection](../active-directory/authentication/concept-password-ban-bad.md), [Hybrid Identities](../active-directory/hybrid/whatis-hybrid-identity.md), [Conditional Access](../active-directory/roles/permissions-reference.md#), [Dynamic groups](../active-directory/enterprise-users/groups-create-rule.md), and more. | Azure AD B2C uses [Azure AD B2C Premium P1 license](https://azure.microsoft.com/pricing/details/active-directory/external-identities/), which is different from Microsoft Entra ID P1. A subset of Microsoft Entra Conditional Access features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md).| +| [Premium P2](https://azure.microsoft.com/pricing/details/active-directory/) | Fully supported for Microsoft Entra ID P2 features. For example, [Identity Protection](../active-directory/identity-protection/overview-identity-protection.md), and [Identity Governance](../active-directory/governance/identity-governance-overview.md). | Azure AD B2C uses [Azure AD B2C Premium P2 license](https://azure.microsoft.com/pricing/details/active-directory/external-identities/), which is different from Microsoft Entra ID P2. A subset of Microsoft Entra ID Protection features is supported with [consumer accounts](user-overview.md#consumer-user). Learn how to [Investigate risk with Identity Protection](identity-protection-investigate-risk.md) and configure Azure AD B2C [Conditional Access](conditional-access-user-flow.md). | +|[Data retention policy](../active-directory/reports-monitoring/reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data)|Data retention period for both audit and sign in logs depend on your subscription. Learn more about [How long Microsoft Entra ID store reporting data](../active-directory/reports-monitoring/reference-reports-data-retention.md#how-long-does-azure-ad-store-the-data).|Sign in and audit logs are only retained for **seven (7) days**. If you require a longer retention period, use the [Azure monitor](azure-monitor.md).| +| [Go-Local add-on](data-residency.md#go-local-add-on) | Microsoft Entra Go-Local add-on enables you to store data in the country/region you choose when your Microsoft Entra tenant.| Just like Microsoft Entra ID, Azure AD B2C supports [Go-Local add-on](data-residency.md#go-local-add-on). | > [!NOTE]-> **Other Azure resources in your tenant:** <br>In an Azure AD B2C tenant, you can't provision other Azure resources such as virtual machines, Azure web apps, or Azure functions. You must create these resources in your Azure AD tenant. +> **Other Azure resources in your tenant:** <br>In an Azure AD B2C tenant, you can't provision other Azure resources such as virtual machines, Azure web apps, or Azure functions. You must create these resources in your Microsoft Entra tenant. |
active-directory-b2c | Technical Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/technical-overview.md | A companion to [About Azure Active Directory B2C](overview.md), this article pro ## Azure AD B2C tenant -In Azure Active Directory B2C (Azure AD B2C), a *tenant* represents your organization and is a directory of users. Each Azure AD B2C tenant is distinct and separate from other Azure AD B2C tenants. An Azure AD B2C tenant is different than an Azure Active Directory tenant, which you may already have. +In Azure Active Directory B2C (Azure AD B2C), a *tenant* represents your organization and is a directory of users. Each Azure AD B2C tenant is distinct and separate from other Azure AD B2C tenants. An Azure AD B2C tenant is different than a Microsoft Entra tenant, which you may already have. The primary resources you work with in an Azure AD B2C tenant are: An Azure AD B2C tenant is the first resource you need to create to get started w ## Accounts in Azure AD B2C -Azure AD B2C defines several types of user accounts. Azure Active Directory, Azure Active Directory B2B, and Azure Active Directory B2C share these account types. +Azure AD B2C defines several types of user accounts. Microsoft Entra ID, Microsoft Entra B2B, and Azure Active Directory B2C share these account types. * **Work account** - Users with work accounts can manage resources in a tenant, and with an administrator role, can also manage tenants. Users with work accounts can create new consumer accounts, reset passwords, block/unblock accounts, and set permissions or assign an account to a security group. * **Guest account** - External users you invite to your tenant as guests. A typical scenario for inviting a guest user to your Azure AD B2C tenant is to share administration responsibilities. Learn more about [sign-in options](sign-in-options.md) or how to [set up the loc Azure AD B2C lets you manage common attributes of consumer account profiles. For example display name, surname, given name, city, and others. -You can also extend the Azure AD schema to store additional information about your users. For example, their country/region of residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multifactor authentication. For more information, see: +You can also extend the Microsoft Entra schema to store additional information about your users. For example, their country/region of residency, preferred language, and preferences like whether they want to subscribe to a newsletter or enable multifactor authentication. For more information, see: * [User profile attributes](user-profile-attributes.md) * [Add user attributes and customize user input in](configure-user-input.md) For more information, see [Enable multifactor authentication in Azure Active Dir ## Conditional Access -Azure AD Identity Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine remediation actions and enforce organizational policies. +Microsoft Entra ID Protection risk-detection features, including risky users and risky sign-ins, are automatically detected and displayed in your Azure AD B2C tenant. You can create Conditional Access policies that use these risk detections to determine remediation actions and enforce organizational policies. :::image type="content" source="media/technical-overview/conditional-access-flow.png" alt-text="Diagram showing conditional access flow."::: Sessions are modeled as encrypted data, with the decryption key known only to th ### Access to user data -Azure AD B2C tenants share many characteristics with enterprise Azure Active Directory tenants used for employees and partners. Shared aspects include mechanisms for viewing administrative roles, assigning roles, and auditing activities. +Azure AD B2C tenants share many characteristics with enterprise Microsoft Entra tenants used for employees and partners. Shared aspects include mechanisms for viewing administrative roles, assigning roles, and auditing activities. You can assign roles to control who can perform certain administrative actions in Azure AD B2C, including: You can assign roles to control who can perform certain administrative actions i * Create and manage trust framework policies in the Identity Experience Framework (custom policies) * Manage secrets for federation and encryption in the Identity Experience Framework (custom policies) -For more information about Azure AD roles, including Azure AD B2C administration role support, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md). +For more information about Microsoft Entra roles, including Azure AD B2C administration role support, see [Administrator role permissions in Microsoft Entra ID](../active-directory/roles/permissions-reference.md). ## Auditing and logs |
active-directory-b2c | Technicalprofiles | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/technicalprofiles.md | A *technical profile* provides a framework with a built-in mechanism to communic A technical profile enables these types of scenarios: - [Application Insights](analytics-with-application-insights.md): Sends event data to [Application Insights](../azure-monitor/app/app-insights-overview.md).-- [Azure AD](active-directory-technical-profile.md): Provides support for the Azure AD B2C user management.-- [Azure AD multifactor authentication](multi-factor-auth-technical-profile.md): Provides support for verifying a phone number by using Azure AD multifactor authentication.+- [Microsoft Entra ID](active-directory-technical-profile.md): Provides support for the Azure AD B2C user management. +- [Microsoft Entra multifactor authentication](multi-factor-auth-technical-profile.md): Provides support for verifying a phone number by using Microsoft Entra multifactor authentication. - [Claims transformation](claims-transformation-technical-profile.md): Calls output claims transformations to manipulate claims values, validate claims, or set default values for a set of output claims. - [ID token hint](id-token-hint.md): Validates the `id_token_hint` JWT token signature, the issuer name, and the token audience, and extracts the claim from the inbound token. - [JWT token issuer](jwt-issuer-technical-profile.md): Emits a JWT token that's returned back to the relying party application. A technical profile enables these types of scenarios: ## Technical profile flow -All types of technical profiles share the same concept. They start by reading the input claims and run claims transformations. Then they communicate with the configured party, such as an identity provider, REST API, or Azure AD directory services. After the process is completed, the technical profile returns the output claims and might run output claims transformations. The following diagram shows how the transformations and mappings referenced in the technical profile are processed. After the claims transformation is executed, the output claims are immediately stored in the claims bag, regardless of the party the technical profile interacts with. +All types of technical profiles share the same concept. They start by reading the input claims and run claims transformations. Then they communicate with the configured party, such as an identity provider, REST API, or Microsoft Entra directory services. After the process is completed, the technical profile returns the output claims and might run output claims transformations. The following diagram shows how the transformations and mappings referenced in the technical profile are processed. After the claims transformation is executed, the output claims are immediately stored in the claims bag, regardless of the party the technical profile interacts with. ![Diagram that illustrates the technical profile flow.](./media/technical-profiles/technical-profile-flow.png) The following technical profiles reference the **CreateOtherMailsFromEmail** cla ## Input claims -The **InputClaims** element picks up claims from the claims bag that are used for the technical profile. For example, a [self-asserted technical profile](self-asserted-technical-profile.md) uses the input claims to prepopulate the output claims that the user provides. A REST API technical profile uses the input claims to send input parameters to the REST API endpoint. Azure AD uses an input claim as a unique identifier to read, update, or delete an account. +The **InputClaims** element picks up claims from the claims bag that are used for the technical profile. For example, a [self-asserted technical profile](self-asserted-technical-profile.md) uses the input claims to prepopulate the output claims that the user provides. A REST API technical profile uses the input claims to send input parameters to the REST API endpoint. Azure AD B2C uses an input claim as a unique identifier to read, update, or delete an account. The **InputClaims** element contains the following element: In the following technical profile: ## Persisted claims -The **PersistedClaims** element contains all of the values that should be persisted by an [Azure AD technical profile](active-directory-technical-profile.md) with possible mapping information between a claim type already defined in the [ClaimsSchema](claimsschema.md) section in the policy and the Azure AD attribute name. +The **PersistedClaims** element contains all of the values that should be persisted by an [Microsoft Entra technical profile](active-directory-technical-profile.md) with possible mapping information between a claim type already defined in the [ClaimsSchema](claimsschema.md) section in the policy and the Microsoft Entra attribute name. -The name of the claim is the name of the [Azure AD attribute](user-profile-attributes.md) unless the **PartnerClaimType** attribute is specified, which contains the Azure AD attribute name. +The name of the claim is the name of the [Microsoft Entra attribute](user-profile-attributes.md) unless the **PartnerClaimType** attribute is specified, which contains the Microsoft Entra attribute name. The **PersistedClaims** element contains the following element: The following technical profile references the AssertAccountEnabledIsTrue claims ## Validation technical profiles -A validation technical profile is used for validating output claims in a [self-asserted technical profile](self-asserted-technical-profile.md#validation-technical-profiles). A validation technical profile is an ordinary technical profile from any protocol, such as [Azure AD](active-directory-technical-profile.md) or a [REST API](restful-technical-profile.md). The validation technical profile returns output claims or returns error code. The error message is rendered to the user on the screen, which allows the user to retry. +A validation technical profile is used for validating output claims in a [self-asserted technical profile](self-asserted-technical-profile.md#validation-technical-profiles). A validation technical profile is an ordinary technical profile from any protocol, such as [Microsoft Entra ID](active-directory-technical-profile.md) or a [REST API](restful-technical-profile.md). The validation technical profile returns output claims or returns error code. The error message is rendered to the user on the screen, which allows the user to retry. The following diagram illustrates how Azure AD B2C uses a validation technical profile to validate the user credentials. |
active-directory-b2c | Tenant Management Check Tenant Creation Permission | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-check-tenant-creation-permission.md | As a *Global Administrator* in an Azure AD B2C tenant, you can restrict non-admi 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. -1. In the Azure portal, search for and select **Azure Active Directory**. +1. In the Azure portal, search for and select **Microsoft Entra ID**. 1. Under **Manage**, select **User Settings**. Before you create an Azure AD B2C tenant, make sure that you've the permission t 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**. -1. In the Azure portal, search for and select **Azure Active Directory**. +1. In the Azure portal, search for and select **Microsoft Entra ID**. 1. Under **Manage**, select **User Settings**. |
active-directory-b2c | Tenant Management Directory Quota | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-directory-quota.md | -It's important that you monitor how you use your Azure Active Directory (AD) B2C directory quota. Directory quota has a given size that is expressed in number of objects. These objects include user accounts, app registrations, groups, etc. When the number of objects in your tenant reach quota size, the directory will generate an error when trying to create a new object. +It's important that you monitor how you use your Azure AD B2C directory quota. Directory quota has a given size that is expressed in number of objects. These objects include user accounts, app registrations, groups, etc. When the number of objects in your tenant reach quota size, the directory will generate an error when trying to create a new object. ## Monitor directory quota usage in your Azure AD B2C tenant |
active-directory-b2c | Tenant Management Emergency Access Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-emergency-access-account.md | Create two or more emergency access accounts. These accounts should be cloud-onl Use the following steps to create an emergency access account: -1. Sign in to the [Azure portal](https://portal.azure.com) as an existing Global Administrator. If you use your Azure AD account, make sure you're using the directory that contains your Azure AD B2C tenant: +1. Sign in to the [Azure portal](https://portal.azure.com) as an existing Global Administrator. If you use your Microsoft Entra account, make sure you're using the directory that contains your Azure AD B2C tenant: 1. Select the **Directories + subscriptions** icon in the portal toolbar. Once you create your emergency accounts, you need to do the following: - [Read tenant name and ID](tenant-management-read-tenant-name.md) - [Clean up resources and delete tenant](tutorial-delete-tenant.md)- |
active-directory-b2c | Tenant Management Manage Administrator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-manage-administrator.md | To create a new administrative account, follow these steps: The domain part of the user name must use either the initial default domain name, *\<tenant name>.onmicrosoft.com* or your [custom domain](custom-domain.md) such as `contoso.com`. - **Name**. *Required*. The first and last name of the new user. For example, *Mary Parker*. - **Groups**. *Optional*. You can add the user to one or more existing groups. You can also add the user to groups at a later time. - - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [Use roles to control resource access](roles-resource-access-control.md). + - **Directory role**: If you require Microsoft Entra administrative permissions for the user, you can add them to a Microsoft Entra role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Microsoft Entra ID. For more information about assigning roles, see [Use roles to control resource access](roles-resource-access-control.md). - **Job info**: You can add more information about the user here, or do it later. 1. Copy the autogenerated password provided in the **Password** box. You'll need to give this password to the user to sign in for the first time. The user is created and added to your Azure AD B2C tenant. It's preferable to ha ## Invite an administrator (guest account) -You can also invite a new guest user to manage your tenant. The guest account is the preferred option when your organization also has Azure AD because the lifecycle of this identity can be managed externally. +You can also invite a new guest user to manage your tenant. The guest account is the preferred option when your organization also has Microsoft Entra ID because the lifecycle of this identity can be managed externally. To invite a user, follow these steps: To invite a user, follow these steps: - **Email address**. *Required*. The email address of the user you would like to invite, which must be a Microsoft account. For example, `mary@contoso.com`. - **Personal message**: You add a personal message that will be included in the invite email. - **Groups**. *Optional*. You can add the user to one or more existing groups. You can also add the user to groups at a later time.- - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Azure AD. For more information about assigning roles, see [Use roles to control resource access](roles-resource-access-control.md). + - **Directory role**: If you require Microsoft Entra administrative permissions for the user, you can add them to a Microsoft Entra role. You can assign the user to be a Global administrator or one or more of the limited administrator roles in Microsoft Entra ID. For more information about assigning roles, see [Use roles to control resource access](roles-resource-access-control.md). - **Job info**: You can add more information about the user here, or do it later. 1. Select **Create**. To delete an existing user, you must have a *Global administrator* role assignme 1. In your Azure AD B2C directory, select **Users**, and then select the user you want to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. -The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/users-restore.md). +The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Microsoft Entra ID](../active-directory/fundamentals/users-restore.md). ## Protect administrative accounts It's recommended that you protect all administrator accounts with multifactor au ![Authentication methods in use at the sign in screenshot](./media/tenant-management/sing-in-with-multi-factor-authentication.png) -If you're not using [Conditional Access](conditional-access-user-flow.md), you can enable [Azure AD security defaults](../active-directory/fundamentals/security-defaults.md) to force all administrative accounts to use MFA. +If you're not using [Conditional Access](conditional-access-user-flow.md), you can enable [Microsoft Entra security defaults](../active-directory/fundamentals/security-defaults.md) to force all administrative accounts to use MFA. ## Next steps |
active-directory-b2c | Tenant Management Read Tenant Name | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-read-tenant-name.md | To get your Azure AD B2C tenant ID, follow these steps: 1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.-1. In the Azure portal, search for and select **Azure Active Directory**. +1. In the Azure portal, search for and select **Microsoft Entra ID**. 1. In the **Overview**, copy the **Tenant ID**. ![Screenshot demonstrates how to get the Azure AD B2C tenant ID.](./media/tenant-management/get-azure-ad-b2c-tenant-id.png) ## Next steps -- [Clean up resources and delete tenant](tutorial-delete-tenant.md)+- [Clean up resources and delete tenant](tutorial-delete-tenant.md) |
active-directory-b2c | Threat Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/threat-management.md | To manage smart lockout settings, including the lockout threshold: - **Lockout threshold**: The number of failed sign-in tries that are allowed before the account is first locked out. If the first sign-in after a lockout also fails, the account locks again. - **Lockout duration in seconds**: The minimum duration of each lockout in seconds. If an account locks repeatedly, this duration increases. - ![Azure portal Password protection page in Azure AD settings](./media/threat-management/portal-02-password-protection.png) + ![Azure portal Password protection page in Microsoft Entra settings](./media/threat-management/portal-02-password-protection.png) <br />*Setting the lockout threshold to 5 in **Password protection** settings*. 1. Select **Save**. When testing the smart lockout feature, use a distinctive pattern for each passw When the smart lockout threshold is reached, you'll see the following message while the account is locked: **Your account is temporarily locked to prevent unauthorized use. Try again later**. The error messages can be [localized](localization-string-ids.md#sign-up-or-sign-in-error-messages). > [!NOTE]-> When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service. In that scenario, because each Azure AD datacenter tracks lockout independently, it might take more than your defined lockout threshold number of attempts to cause a lockout. A user has a maximum of (threshold_limit * datacenter_count) number of bad attempts before being completely locked out. For more information, see [Azure global infrastructure](https://azure.microsoft.com/global-infrastructure/). +> When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Microsoft Entra authentication service. In that scenario, because each Microsoft Entra datacenter tracks lockout independently, it might take more than your defined lockout threshold number of attempts to cause a lockout. A user has a maximum of (threshold_limit * datacenter_count) number of bad attempts before being completely locked out. For more information, see [Azure global infrastructure](https://azure.microsoft.com/global-infrastructure/). ## Viewing locked-out accounts To obtain information about locked-out accounts, you can check the Active Directory [sign-in activity report](../active-directory/reports-monitoring/concept-sign-ins.md). Under **Status**, select **Failure**. Failed sign-in attempts with a **Sign-in error code** of `50053` indicate a locked account: -![Section of Azure AD sign-in report showing locked-out account](./media/threat-management/portal-01-locked-account.png) +![Section of Microsoft Entra sign-in report showing locked-out account](./media/threat-management/portal-01-locked-account.png) -To learn about viewing the sign-in activity report in Azure Active Directory, see [Sign-in activity report error codes](../active-directory/reports-monitoring/concept-sign-ins.md). +To learn about viewing the sign-in activity report in Microsoft Entra ID, see [Sign-in activity report error codes](../active-directory/reports-monitoring/concept-sign-ins.md). |
active-directory-b2c | Troubleshoot With Application Insights | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/troubleshoot-with-application-insights.md | If you don't already have one, create an instance of Application Insights in you To use an existing instance of Application Insights in your subscription, follow these steps: 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the Azure AD directory that has your Azure subscription, and not your Azure AD B2C directory. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the Microsoft Entra directory that has your Azure subscription, and not your Azure AD B2C directory. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Open the Application Insights resource that you created earlier. 1. On the **Overview** page, and record the **Instrumentation Key** To create an instance of Application Insights in your subscription, follow these steps: 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Make sure you're using the Azure AD directory that has your Azure subscription, and not your Azure AD B2C directory. Select the **Directories + subscriptions** icon in the portal toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch**. +1. Make sure you're using the Microsoft Entra directory that has your Azure subscription, and not your Azure AD B2C directory. Select the **Directories + subscriptions** icon in the portal toolbar. +1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory in the **Directory name** list, and then select **Switch**. 1. Select **Create a resource** in the left-hand navigation menu. 1. Search for and select **Application Insights**, then select **Create**. 1. Complete the form, select **Review + create**, and then select **Create**. |
active-directory-b2c | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/troubleshoot.md | This error occurs when the [self-service password reset experience](add-password There are 2 solutions to this problem: - Respond back with a new authentication request using Azure AD B2C password reset user flow.- - Use recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended). + - Use recommended [self service password reset (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended). ## User canceled the operation Azure AD B2C service can also return an error to your application when a user cancels an operation. The following are examples of scenarios where a user performs a cancel operation: -- A user policy uses the recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended) with a consumer local account. The user selects the **Forgot your password?** link , and then selects **Cancel** button before the user flow experience completes. In this case, Azure AD B2C service returns error code `AADB2C90091` to your application. +- A user policy uses the recommended [self service password reset (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended) with a consumer local account. The user selects the **Forgot your password?** link , and then selects **Cancel** button before the user flow experience completes. In this case, Azure AD B2C service returns error code `AADB2C90091` to your application. - A user chooses to authenticate with an external identity provider such as [LinkedIn](identity-provider-linkedin.md). The user select **Cancel** button before authenticating to the identity provider itself. In this case, Azure AD B2C service returns error code `AADB2C90273` to your application. Learn more about [error codes Azure Active Directory B2C service return](error-codes.md). To handle this error, fetch the **error description** for the user and respond back with a new authentication request using the same user flow. |
active-directory-b2c | Tutorial Create Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tutorial-create-tenant.md | Before you create your Azure AD B2C tenant, you need to take the following consi 1. Sign in to the [Azure portal](https://portal.azure.com). -1. Make sure you're using the Azure Active Directory (Azure AD) tenant that contains your subscription: +1. Make sure you're using the Microsoft Entra tenant that contains your subscription: 1. In the Azure portal toolbar, select the **Directories + subscriptions** (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::) icon. - 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory that contains your subscription in the **Directory name** list, and then select **Switch** button next to it. + 1. On the **Portal settings | Directories + subscriptions** page, find your Microsoft Entra directory that contains your subscription in the **Directory name** list, and then select **Switch** button next to it. ![Screenshot of the directories and subscriptions window.](media/tutorial-create-tenant/switch-directory.png) Before you create your Azure AD B2C tenant, you need to take the following consi - For **Organization name**, enter a name for your Azure AD B2C tenant. - For **Initial domain name**, enter a domain name for your Azure AD B2C tenant.- - For **Location**, select your country/region from the list. If the country/region you select has a [Go-Local add-on](data-residency.md#go-local-add-on) option, such as Japan or Australia, and you want to store your data exclusively within that country/region, select the **Store Azure AD Core Store data and Azure AD components and service data in the location selected above** checkbox. Go-Local add-on is a paid add-on whose charge is added to your Azure AD B2C Premium P1 or P2 licenses charges, see [Billing model](billing.md#about-go-local-add-on). You can't change the data residency region after you create your Azure AD B2C tenant. + - For **Location**, select your country/region from the list. If the country/region you select has a [Go-Local add-on](data-residency.md#go-local-add-on) option, such as Japan or Australia, and you want to store your data exclusively within that country/region, select the **Store Microsoft Entra Core Store data and Microsoft Entra components and service data in the location selected above** checkbox. Go-Local add-on is a paid add-on whose charge is added to your Azure AD B2C Premium P1 or P2 licenses charges, see [Billing model](billing.md#about-go-local-add-on). You can't change the data residency region after you create your Azure AD B2C tenant. - For **Subscription**, select your subscription from the list. - For **Resource group**, select or search for the resource group that will contain the tenant. Azure AD B2C allows you to activate Go-Local add-on on an existing tenant as lon :::image type="content" source="media/tutorial-create-tenant/opt-in-go-local-add-on.png" alt-text="Screenshot of opt in to Azure AD B2C Go-Local add-on in Azure portal."::: -1. On the **Data residency** pane that appears, select the **Store my directory and Azure AD data in \<Country\>** checkbox, then select **Save** button. +1. On the **Data residency** pane that appears, select the **Store my directory and Microsoft Entra data in \<Country\>** checkbox, then select **Save** button. 1. Close the **Data residency** pane. |
active-directory-b2c | Tutorial Delete Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tutorial-delete-tenant.md | When you've finished the Azure Active Directory B2C (Azure AD B2C) tutorials, yo 1. Make sure you're using the directory that contains your Azure AD B2C tenant: 1. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch** button next to it.-1. In the Azure portal, search for and select the **Azure Active Directory** service. +1. In the Azure portal, search for and select the **Microsoft Entra ID** service. 1. In the left menu, under **Manage**, select **Properties**. 1. Under **Access management for Azure resources**, select **Yes**, and then select **Save**. 1. Sign out of the Azure portal and then sign back in to refresh your access. 1. Repeat step two to make sure you're using the directory that contains your Azure AD B2C tenant.-1. In the Azure portal, search for and select the **Azure Active Directory** service +1. In the Azure portal, search for and select the **Microsoft Entra ID** service 1. On the **Overview** page, select **Manage tenants**. 1. On the **Manage tenants** page, select (by check marking) the tenant you want to delete, and then, at the top of the page, select the **Delete** button. The **Required action** column indicates the resources you need to remove before you can delete the tenant. Once you delete all the tenant resources, you can now delete the tenant itself: 1. Make sure you're using the directory that contains your Azure AD B2C tenant: 1. Select the **Directories + subscriptions** icon in the portal toolbar. 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch** button next to it.-1. In the Azure portal, search for and select the **Azure Active Directory** service. +1. In the Azure portal, search for and select the **Microsoft Entra ID** service. 1. If you haven't already granted yourself access management permissions, do the following: 1. Under **Manage**, select **Properties**. 1. Under **Access management for Azure resources**, select **Yes**, and then select **Save**.- 1. Sign out of the Azure portal and then sign back in to refresh your access, and select the **Azure Active Directory** service. + 1. Sign out of the Azure portal and then sign back in to refresh your access, and select the **Microsoft Entra ID** service. 1. On the **Overview** page, select **Manage tenants**. |
active-directory-b2c | User Flow Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-flow-custom-attributes.md | Extension attributes can only be registered on an application object, even thoug ## Modify your custom policy -To enable custom attributes in your policy, provide **Application ID** and Application **Object ID** in the AAD-Common technical profile metadata. The *AAD-Common* technical profile is found in the base [Azure Active Directory](active-directory-technical-profile.md) technical profile, and provides support for Azure AD user management. Other Azure AD technical profiles include the AAD-Common to use its configuration. Override the AAD-Common technical profile in the extension file. +To enable custom attributes in your policy, provide **Application ID** and Application **Object ID** in the AAD-Common technical profile metadata. The *AAD-Common* technical profile is found in the base [Microsoft Entra ID](active-directory-technical-profile.md) technical profile, and provides support for Microsoft Entra user management. Other Microsoft Entra technical profiles include the AAD-Common to use its configuration. Override the AAD-Common technical profile in the extension file. 1. Open the extensions file of your policy. For example, <em>`SocialAndLocalAccounts/`**`TrustFrameworkExtensions.xml`**</em>. 1. Find the ClaimsProviders element. Add a new ClaimsProvider to the ClaimsProviders element. To enable custom attributes in your policy, provide **Application ID** and Appli 1. Select **Upload Custom Policy**, and then upload the TrustFrameworkExtensions.xml policy files that you changed. > [!NOTE]-> The first time the Azure AD technical profile persists the claim to the directory, it checks whether the custom attribute exists. If it doesn't, it creates the custom attribute. +> The first time the Microsoft Entra technical profile persists the claim to the directory, it checks whether the custom attribute exists. If it doesn't, it creates the custom attribute. ## Create a custom attribute through Azure portal The following example demonstrates the use of a custom attribute in Azure AD B2C ## Manage extension attributes through Microsoft Graph -You can use Microsoft Graph to create and manage the custom attributes then set the values for a user. Extension attributes are also called directory or Azure AD extensions. +You can use Microsoft Graph to create and manage the custom attributes then set the values for a user. Extension attributes are also called directory or Microsoft Entra extensions. Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention `extension_{appId-without-hyphens}_{extensionProperty-name}` where `{appId-without-hyphens}` is the stripped version of the **appId** (called Client ID on the Azure AD B2C portal) for the `b2c-extensions-app` with only characters 0-9 and A-Z. For example, if the **appId** of the `b2c-extensions-app` application is `25883231-668a-43a7-80b2-5685c3f874bc` and the attribute name is `loyaltyId`, then the custom attribute is named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`. |
active-directory-b2c | User Flow Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-flow-overview.md | You can configure user flow settings like these to control identity experience b * Account types used for sign-in, such as social accounts like a Facebook, or local accounts that use an email address and password for sign-in * Attributes to be collected from the consumer, such as first name, postal code, or country/region of residency-* Azure AD Multi-Factor Authentication (MFA) +* Microsoft Entra multifactor authentication * Customization of the user interface * Set of claims in a token that your application receives after the user completes the user flow * Session management A custom policy is fully configurable and policy-driven. It orchestrates trust b The custom policy gives you the ability to construct user journeys with any combination of steps. For example: * Federate with other identity providers-* First- and third-party multifactor authentication (MFA) challenges +* First- and third-party multifactor authentication challenges * Collect any user input * Integrate with external systems using REST API communication The following table gives a detailed comparison of the scenarios you can enable | UI customization | [Full UI customization](customize-ui-with-html.md) including HTML, CSS and, [JavaScript](javascript-and-page-layout.md).<br><br>[Multilanguage support](language-customization.md) with Custom strings. | Same as User flows | | Attribute customization | Standard and custom attributes. | Same as User flows | | Token and session management | [Customize tokens](configure-tokens.md) and [sessions behavior](session-behavior.md). | Same as User flows |-| Identity Providers | [Predefined local](identity-provider-local.md) or [social provider](add-identity-provider.md), such as federation with Azure Active Directory tenants. | Standards-based OIDC, OAUTH, and SAML. Authentication is also possible by using integration with REST APIs. | -| Identity Tasks | [Sign-up or sign-in](add-sign-up-and-sign-in-policy.md) with local or many social accounts.<br><br>[Self-service password reset](add-password-reset-policy.md).<br><br>[Profile edit](add-profile-editing-policy.md).<br><br>Multi-Factor Authentication.<br><br>Access token flows. | Complete the same tasks as user flows using custom identity providers or use custom scopes.<br><br>Provision a user account in another system at the time of registration.<br><br>Send a welcome email using your own email service provider.<br><br>Use a user store outside Azure AD B2C.<br><br>Validate user provided information with a trusted system by using an API. | +| Identity Providers | [Predefined local](identity-provider-local.md) or [social provider](add-identity-provider.md), such as federation with Microsoft Entra tenants. | Standards-based OIDC, OAUTH, and SAML. Authentication is also possible by using integration with REST APIs. | +| Identity Tasks | [Sign-up or sign-in](add-sign-up-and-sign-in-policy.md) with local or many social accounts.<br><br>[Self-service password reset](add-password-reset-policy.md).<br><br>[Profile edit](add-profile-editing-policy.md).<br><br>Multifactor authentication.<br><br>Access token flows. | Complete the same tasks as user flows using custom identity providers or use custom scopes.<br><br>Provision a user account in another system at the time of registration.<br><br>Send a welcome email using your own email service provider.<br><br>Use a user store outside Azure AD B2C.<br><br>Validate user provided information with a trusted system by using an API. | ## Application integration |
active-directory-b2c | User Flow Versions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-flow-versions.md | Standard user flows (previously referred to as V1) user flows, previously known To switch from a legacy version of a user flow to the **Recommended** version, follow these steps: -1. Create a new user flow policy by following the steps in [Tutorial: Create user flows in Azure Active Directory](tutorial-create-user-flows.md). While creating the user flow, select the **Recommended** version. +1. Create a new user flow policy by following the steps in [Tutorial: Create user flows in Azure AD B2C](tutorial-create-user-flows.md). While creating the user flow, select the **Recommended** version. 3. Configure your new user flow with the same settings that were configured in the legacy policy. If you're using a legacy V2 or V1.1 user flow, your application won't be affecte ### Will Microsoft still support my legacy V2 or V1.1 user flow policy? -In the public cloud, all legacy preview user flows (V1.1 and V2) are deprecated. *These changes apply to the Azure public cloud only. Other environments will continue to use [legacy user flow versioning](user-flow-versions-legacy.md).* +In the public cloud, all legacy preview user flows (V1.1 and V2) are deprecated. *These changes apply to the Azure public cloud only. Other environments will continue to use [legacy user flow versioning](user-flow-versions-legacy.md).* |
active-directory-b2c | User Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-overview.md | -In Azure Active Directory B2C (Azure AD B2C), there are several types of accounts that can be created. Azure Active Directory (Azure AD), Azure Active Directory B2B (Azure AD B2B), and Azure Active Directory B2C (Azure AD B2C) share in the types of user accounts that can be used. +In Azure Active Directory B2C (Azure AD B2C), there are several types of accounts that can be created. Microsoft Entra ID, Microsoft Entra B2B, and Azure Active Directory B2C (Azure AD B2C) share in the types of user accounts that can be used. The following types of accounts are available: - **Work account** - A work account can access resources in a tenant, and with an administrator role, can manage tenants.-- **Guest account** - A guest account can only be a Microsoft account or an Azure AD user that can be used to share administration responsibilities such as [managing a tenant](tenant-management-manage-administrator.md).+- **Guest account** - A guest account can only be a Microsoft account or a Microsoft Entra user that can be used to share administration responsibilities such as [managing a tenant](tenant-management-manage-administrator.md). - **Consumer account** - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts can be created by: - The user going through a sign-up user flow in an Azure AD B2C application - Using Microsoft Graph API The following types of accounts are available: ## Work account -A work account is created the same way for all tenants based on Azure AD. To create a work account, you can use the information in [Quickstart: Add new users to Azure Active Directory](../active-directory/fundamentals/add-users.md). A work account is created using the **New user** choice in the Azure portal. +A work account is created the same way for all tenants based on Microsoft Entra ID. To create a work account, you can use the information in [Quickstart: Add new users to Microsoft Entra ID](../active-directory/fundamentals/add-users.md). A work account is created using the **New user** choice in the Azure portal. When you add a new work account, you need to consider the following configuration settings: When you add a new work account, you need to consider the following configuratio - **User** - Users can access assigned resources but cannot manage most tenant resources. - **Global administrator** - Global administrators have full control over all tenant resources.- - **Limited administrator** - Select the administrative role or roles for the user. For more information about the roles that can be selected, see [Assigning administrator roles in Azure Active Directory](../active-directory/roles/permissions-reference.md). + - **Limited administrator** - Select the administrative role or roles for the user. For more information about the roles that can be selected, see [Assigning administrator roles in Microsoft Entra ID](../active-directory/roles/permissions-reference.md). ### Create a work account You can use the following information to reset the password of a user: ## Guest user -You can invite external users to your tenant as a guest user. A typical scenario for inviting a guest user to your Azure AD B2C tenant is to share administration responsibilities. For an example of using a guest account, see [Properties of an Azure Active Directory B2B collaboration user](../active-directory/external-identities/user-properties.md). +You can invite external users to your tenant as a guest user. A typical scenario for inviting a guest user to your Azure AD B2C tenant is to share administration responsibilities. For an example of using a guest account, see [Properties of a Microsoft Entra B2B collaboration user](../active-directory/external-identities/user-properties.md). When you invite a guest user to your tenant, you provide the email address of the recipient and a message describing the invitation. The invitation link takes the user to the consent page. If an inbox isn't attached to the email address, the user can navigate to the consent page by going to a Microsoft page using the invited credentials. The user is then forced to redeem the invitation the same way as clicking on the link in the email. For example: `https://myapps.microsoft.com/B2CTENANTNAME`. |
active-directory-b2c | User Profile Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-profile-attributes.md | Most of the attributes that can be used with Azure AD B2C user profiles are also You can also integrate with external systems. For example, you can use Azure AD B2C for authentication, but delegate to an external customer relationship management (CRM) or customer loyalty database as the authoritative source of customer data. For more information, see the [remote profile](https://github.com/azure-ad-b2c/samples/tree/master/policies/remote-profile) solution. -## Azure AD user resource type +<a name='azure-ad-user-resource-type'></a> ++## Microsoft Entra user resource type The table below lists the [user resource type](/graph/api/resources/user) attributes that are supported by the Azure AD B2C directory user profile. It gives the following information about each attribute: The table below lists the [user resource type](/graph/api/resources/user) attrib - Attribute description - Whether the attribute is available in the Azure portal - Whether the attribute can be used in a user flow-- Whether the attribute can be used in a custom policy [Azure AD technical profile](active-directory-technical-profile.md) and in which section (<InputClaims>, <OutputClaims>, or <PersistedClaims>)+- Whether the attribute can be used in a custom policy [Microsoft Entra technical profile](active-directory-technical-profile.md) and in which section (<InputClaims>, <OutputClaims>, or <PersistedClaims>) |Name |Type |Description|Azure portal|User flows|Custom policy| |||-||-|-| The table below lists the [user resource type](/graph/api/resources/user) attrib |userPrincipalName |String|The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. The domain must be present in the tenant's collection of verified domains. This property is required when an account is created. Immutable.|No|No|Input, Persisted, Output| |usageLocation |String|Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries/regions. Not nullable. A two letter country/region code (ISO standard 3166). Examples: "US", "JP", and "GB".|Yes|No|Persisted, Output| |userType |String|A string value that can be used to classify user types in your directory. Value must be Member. Read-only.|Read only|No|Persisted, Output|-|userState (externalUserState)<sup>3</sup>|String|For Azure AD B2B account only, and it indicates whether the invitation is PendingAcceptance or Accepted.|No|No|Persisted, Output| +|userState (externalUserState)<sup>3</sup>|String|For Microsoft Entra B2B account only, and it indicates whether the invitation is PendingAcceptance or Accepted.|No|No|Persisted, Output| |userStateChangedOn (externalUserStateChangeDateTime)<sup>2</sup>|DateTime|Shows the timestamp for the latest change to the UserState property.|No|No|Persisted, Output| <sup>1 </sup>Not supported by Microsoft Graph<br><sup>2 </sup>For more information, see [MFA phone number attribute](#mfa-phone-number-attribute)<br><sup>3 </sup>Shouldn't be used with Azure AD B2C For a federated (social) identity, the **passwordProfile** attribute is not requ ## Password policy attribute -The Azure AD B2C password policy (for local accounts) is based on the Azure Active Directory [strong password strength](../active-directory/authentication/concept-sspr-policy.md) policy. The Azure AD B2C sign-up or sign-in and password reset policies require this strong password strength, and don't expire passwords. +The Azure AD B2C password policy (for local accounts) is based on the Microsoft Entra ID [strong password strength](../active-directory/authentication/concept-sspr-policy.md) policy. The Azure AD B2C sign-up or sign-in and password reset policies require this strong password strength, and don't expire passwords. In user migration scenarios, if the accounts you want to migrate have weaker password strength than the [strong password strength](../active-directory/authentication/concept-sspr-policy.md) enforced by Azure AD B2C, you can disable the strong password requirement. To change the default password policy, set the `passwordPolicies` attribute to `DisableStrongPassword`. For example, you can modify the create user request as follows: In Azure AD B2C [custom policies](custom-policy-overview.md), the phone number i Every customer-facing application has unique requirements for the information to be collected. Your Azure AD B2C tenant comes with a built-in set of information stored in properties, such as Given Name, Surname, and Postal Code. With Azure AD B2C, you can extend the set of properties stored in each customer account. For more information, see [Add user attributes and customize user input in Azure Active Directory B2C](configure-user-input.md) -Extension attributes [extend the schema](/graph/extensibility-overview#schema-extensions) of the user objects in the directory. The extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called `b2c-extensions-app`. Do not modify this application, as it's used by Azure AD B2C for storing user data. You can find this application under Azure Active Directory App registrations. [Learn more about Azure AD B2C](extensions-app.md) `b2c-extensions-app`. +Extension attributes [extend the schema](/graph/extensibility-overview#schema-extensions) of the user objects in the directory. The extension attributes can only be registered on an application object, even though they might contain data for a user. The extension attribute is attached to the application called `b2c-extensions-app`. Do not modify this application, as it's used by Azure AD B2C for storing user data. You can find this application under Microsoft Entra App registrations. [Learn more about Azure AD B2C](extensions-app.md) `b2c-extensions-app`. > [!NOTE] > - You can write up to 100 extension attributes to any user account. |
active-directory-b2c | Userinfo Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/userinfo-endpoint.md | The user info UserJourney specifies: - **Authorization**: The UserInfo endpoint is protected with a bearer token. An issued access token is presented in the authorization header to the UserInfo endpoint. The policy specifies the technical profile that validates the incoming token and extracts claims, such as the objectId of the user. The objectId of the user is used to retrieve the claims to be returned in the response of the UserInfo endpoint journey. - **Orchestration step**: - - An orchestration step is used to gather information about the user. Based on the claims within the incoming access token, the user journey invokes an [Azure Active Directory technical profile](active-directory-technical-profile.md) to retrieve data about the user, for example, reading the user by the objectId. + - An orchestration step is used to gather information about the user. Based on the claims within the incoming access token, the user journey invokes a [Microsoft Entra technical profile](active-directory-technical-profile.md) to retrieve data about the user, for example, reading the user by the objectId. - **Optional orchestration steps** - You can add more orchestration steps, such as a REST API technical profile to retrieve more information about the user. - **UserInfo Issuer** - Specifies the list of claims that the UserInfo endpoint returns. |
active-directory-b2c | Validation Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/validation-technical-profile.md | -A validation technical profile is an ordinary technical profile from any protocol, such as [Azure Active Directory](active-directory-technical-profile.md) or a [REST API](restful-technical-profile.md). The validation technical profile returns output claims, or returns 4xx HTTP status code, with the following data. For more information, see [returning error message](restful-technical-profile.md#returning-validation-error-message) +A validation technical profile is an ordinary technical profile from any protocol, such as [Microsoft Entra ID](active-directory-technical-profile.md) or a [REST API](restful-technical-profile.md). The validation technical profile returns output claims, or returns 4xx HTTP status code, with the following data. For more information, see [returning error message](restful-technical-profile.md#returning-validation-error-message) ```json { |
active-directory-b2c | View Audit Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/view-audit-logs.md | Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity i Audit log events are only retained for **seven days**. Plan to download and store your logs using one of the methods shown below if you require a longer retention period. > [!NOTE]-> You can't see user sign-ins for individual Azure AD B2C applications under the **Users** section of the **Azure Active Directory** or **Azure AD B2C** pages in the Azure portal. The sign-in events there show user activity, but can't be correlated back to the B2C application that the user signed in to. You must use the audit logs for that, as explained further in this article. +> You can't see user sign-ins for individual Azure AD B2C applications under the **Users** section of the **Microsoft Entra ID** or **Azure AD B2C** pages in the Azure portal. The sign-in events there show user activity, but can't be correlated back to the B2C application that the user signed in to. You must use the audit logs for that, as explained further in this article. ## Overview of activities available in the B2C category of audit logs If you select a row in the list, the activity details for the event are displaye To download the list of activity events in a comma-separated values (CSV) file, select **Download**. -## Get audit logs with the Azure AD reporting API +<a name='get-audit-logs-with-the-azure-ad-reporting-api'></a> -Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](/graph/api/directoryaudit-list). For more information, see [Get started with the Azure Active Directory reporting API](../active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md). +## Get audit logs with the Microsoft Entra ID reporting API ++Audit logs are published to the same pipeline as other activities for Microsoft Entra ID, so they can be accessed through the [Microsoft Entra ID reporting API](/graph/api/directoryaudit-list). For more information, see [Get started with the Microsoft Entra ID reporting API](../active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md). ### Enable reporting API access -To allow script- or application-based access to the Azure AD reporting API, you need an application registered in your Azure AD B2C tenant with the following API permissions. You can enable these permissions on an existing application registration within your B2C tenant, or create a new one specifically for use with audit log automation. +To allow script- or application-based access to the Microsoft Entra reporting API, you need an application registered in your Azure AD B2C tenant with the following API permissions. You can enable these permissions on an existing application registration within your B2C tenant, or create a new one specifically for use with audit log automation. * Microsoft Graph > Application permissions > AuditLog > AuditLog.Read.All After you've registered an application with the appropriate permissions, see the ### Access the API -To download Azure AD B2C audit log events via the API, filter the logs on the `B2C` category. To filter by category, use the `filter` query string parameter when you call the Azure AD reporting API endpoint. +To download Azure AD B2C audit log events via the API, filter the logs on the `B2C` category. To filter by category, use the `filter` query string parameter when you call the Microsoft Entra reporting API endpoint. ```http https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=loggedByService eq 'B2C' and activityDateTime gt 2019-09-10T02:28:17Z https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=loggedByServi ### PowerShell script -The following PowerShell script shows an example of how to query the Azure AD reporting API. After querying the API, it prints the logged events to standard output, then writes the JSON output to a file. +The following PowerShell script shows an example of how to query the Microsoft Entra reporting API. After querying the API, it prints the logged events to standard output, then writes the JSON output to a file. You can try this script in the [Azure Cloud Shell](overview.md). Be sure to update it with your application ID, client secret, and the name of your Azure AD B2C tenant. |
active-directory-domain-services | Administration Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/administration-concepts.md | Title: Management concepts for Azure AD Domain Services | Microsoft Docs -description: Learn about how to administer an Azure Active Directory Domain Services managed domain and the behavior of user accounts and passwords + Title: Management concepts for Microsoft Entra Domain Services | Microsoft Docs +description: Learn about how to administer a Microsoft Entra Domain Services managed domain and the behavior of user accounts and passwords -# Management concepts for user accounts, passwords, and administration in Azure Active Directory Domain Services +# Management concepts for user accounts, passwords, and administration in Microsoft Entra Domain Services -When you create and run an Azure Active Directory Domain Services (AD DS) managed domain, there are some differences in behavior compared to a traditional on-premises AD DS environment. You use the same administrative tools in Azure AD DS as a self-managed domain, but you can't directly access the domain controllers (DC). There's also some differences in behavior for password policies and password hashes depending on the source of the user account creation. +When you create and run a Microsoft Entra Domain Services (AD DS) managed domain, there are some differences in behavior compared to a traditional on-premises AD DS environment. You use the same administrative tools in Microsoft Entra DS as a self-managed domain, but you can't directly access the domain controllers (DC). There's also some differences in behavior for password policies and password hashes depending on the source of the user account creation. This conceptual article details how to administer a managed domain and the different behavior of user accounts depending on the way they're created. A managed domain is a DNS namespace and matching directory. In a managed domain, ## User account creation -User accounts can be created in a managed domain in multiple ways. Most user accounts are synchronized in from Azure AD, which can also include user account synchronized from an on-premises AD DS environment. You can also manually create accounts directly in the managed domain. Some features, like initial password synchronization or password policy, behave differently depending on how and where user accounts are created. +User accounts can be created in a managed domain in multiple ways. Most user accounts are synchronized in from Microsoft Entra ID, which can also include user account synchronized from an on-premises AD DS environment. You can also manually create accounts directly in the managed domain. Some features, like initial password synchronization or password policy, behave differently depending on how and where user accounts are created. -* The user account can be synchronized in from Azure AD. This includes cloud-only user accounts created directly in Azure AD, and hybrid user accounts synchronized from an on-premises AD DS environment using Azure AD Connect. - * The majority of user accounts in a managed domain are created through the synchronization process from Azure AD. -* The user account can be manually created in a managed domain, and doesn't exist in Azure AD. - * If you need to create service accounts for applications that only run in the managed domain, you can manually create them in the managed domain. As synchronization is one way from Azure AD, user accounts created in the managed domain aren't synchronized back to Azure AD. +* The user account can be synchronized in from Microsoft Entra ID. This includes cloud-only user accounts created directly in Microsoft Entra ID, and hybrid user accounts synchronized from an on-premises AD DS environment using Microsoft Entra Connect. + * The majority of user accounts in a managed domain are created through the synchronization process from Microsoft Entra ID. +* The user account can be manually created in a managed domain, and doesn't exist in Microsoft Entra ID. + * If you need to create service accounts for applications that only run in the managed domain, you can manually create them in the managed domain. As synchronization is one way from Microsoft Entra ID, user accounts created in the managed domain aren't synchronized back to Microsoft Entra ID. ## Password policy -Azure AD DS includes a default password policy that defines settings for things like account lockout, maximum password age, and password complexity. Settings like account lockout policy apply to all users in a managed domain, regardless of how the user was created as outlined in the previous section. A few settings, like minimum password length and password complexity, only apply to users created directly in a managed domain. +Microsoft Entra DS includes a default password policy that defines settings for things like account lockout, maximum password age, and password complexity. Settings like account lockout policy apply to all users in a managed domain, regardless of how the user was created as outlined in the previous section. A few settings, like minimum password length and password complexity, only apply to users created directly in a managed domain. You can create your own custom password policies to override the default policy in a managed domain. These custom policies can then be applied to specific groups of users as needed. For more information on the differences in how password policies are applied dep ## Password hashes -To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials. +To authenticate users on the managed domain, Microsoft Entra DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Microsoft Entra ID doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Microsoft Entra DS for your tenant. For security reasons, Microsoft Entra ID also doesn't store any password credentials in clear-text form. Therefore, Microsoft Entra ID can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials. -For cloud-only user accounts, users must change their passwords before they can use the managed domain. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account isn't synchronized from Azure AD to Azure AD DS until the password is changed. +For cloud-only user accounts, users must change their passwords before they can use the managed domain. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Microsoft Entra ID. The account isn't synchronized from Microsoft Entra ID to Microsoft Entra DS until the password is changed. -For users synchronized from an on-premises AD DS environment using Azure AD Connect, [enable synchronization of password hashes][hybrid-phs]. +For users synchronized from an on-premises AD DS environment using Microsoft Entra Connect, [enable synchronization of password hashes][hybrid-phs]. > [!IMPORTANT]-> Azure AD Connect only synchronizes legacy password hashes when you enable Azure AD DS for your Azure AD tenant. Legacy password hashes aren't used if you only use Azure AD Connect to synchronize an on-premises AD DS environment with Azure AD. +> Microsoft Entra Connect only synchronizes legacy password hashes when you enable Microsoft Entra DS for your Microsoft Entra tenant. Legacy password hashes aren't used if you only use Microsoft Entra Connect to synchronize an on-premises AD DS environment with Microsoft Entra ID. >-> If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Azure AD DS. For more information, see [Disable weak cipher suites and NTLM credential hash synchronization][secure-domain]. +> If your legacy applications don't use NTLM authentication or LDAP simple binds, we recommend that you disable NTLM password hash synchronization for Microsoft Entra DS. For more information, see [Disable weak cipher suites and NTLM credential hash synchronization][secure-domain]. -Once appropriately configured, the usable password hashes are stored in the managed domain. If you delete the managed domain, any password hashes stored at that point are also deleted. Synchronized credential information in Azure AD can't be reused if you later create another managed domain - you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to immediately authenticate - Azure AD needs to generate and store the password hashes in the new managed domain. For more information, see [Password hash sync process for Azure AD DS and Azure AD Connect][azure-ad-password-sync]. +Once appropriately configured, the usable password hashes are stored in the managed domain. If you delete the managed domain, any password hashes stored at that point are also deleted. Synchronized credential information in Microsoft Entra ID can't be reused if you later create another managed domain - you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to immediately authenticate - Microsoft Entra ID needs to generate and store the password hashes in the new managed domain. For more information, see [Password hash sync process for Microsoft Entra DS and Microsoft Entra Connect][azure-ad-password-sync]. > [!IMPORTANT]-> Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in a managed domain to synchronize objects back to Azure AD. +> Microsoft Entra Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Microsoft Entra Connect in a managed domain to synchronize objects back to Microsoft Entra ID. ## Forests and trusts A *forest* is a logical construct used by Active Directory Domain Services (AD DS) to group one or more *domains*. The domains then store objects for user or groups, and provide authentication services. -In Azure AD DS, the forest only contains one domain. On-premises AD DS forests often contain many domains. In large organizations, especially after mergers and acquisitions, you may end up with multiple on-premises forests that each then contain multiple domains. +In Microsoft Entra DS, the forest only contains one domain. On-premises AD DS forests often contain many domains. In large organizations, especially after mergers and acquisitions, you may end up with multiple on-premises forests that each then contain multiple domains. -By default, a managed domain is created as a *user* forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized and users aren't using exclusive sign-in methods like smart card authentication. +By default, a managed domain is created as a *user* forest. This type of forest synchronizes all objects from Microsoft Entra ID, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized and users aren't using exclusive sign-in methods like smart card authentication. -In an Azure AD DS *resource* forest, users authenticate over a one-way forest *trust* from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to Azure AD DS. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such LDAPS, Kerberos, or NTLM, but any authentication issues or concerns are removed. +In a Microsoft Entra DS *resource* forest, users authenticate over a one-way forest *trust* from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to Microsoft Entra DS. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such LDAPS, Kerberos, or NTLM, but any authentication issues or concerns are removed. -## Azure AD DS SKUs +<a name='azure-ad-ds-skus'></a> -In Azure AD DS, the available performance and features are based on the SKU. You select a SKU when you create the managed domain, and you can switch SKUs as your business requirements change after the managed domain has been deployed. The following table outlines the available SKUs and the differences between them: +## Microsoft Entra DS SKUs ++In Microsoft Entra DS, the available performance and features are based on the SKU. You select a SKU when you create the managed domain, and you can switch SKUs as your business requirements change after the managed domain has been deployed. The following table outlines the available SKUs and the differences between them: | SKU name | Maximum object count | Backup frequency | ||-|| In Azure AD DS, the available performance and features are based on the SKU. You | Enterprise | Unlimited | Every 3 days | | Premium | Unlimited | Daily | -Before these Azure AD DS SKUs, a billing model based on the number of objects (user and computer accounts) in the managed domain was used. There is no longer variable pricing based on the number of objects in the managed domain. +Before these Microsoft Entra DS SKUs, a billing model based on the number of objects (user and computer accounts) in the managed domain was used. There is no longer variable pricing based on the number of objects in the managed domain. -For more information, see the [Azure AD DS pricing page][pricing]. +For more information, see the [Microsoft Entra DS pricing page][pricing]. ### Managed domain performance If your business or application demands change and you need additional compute p ### Backup frequency -The backup frequency determines how often a snapshot of the managed domain is taken. Backups are an automated process managed by the Azure platform. In the event of an issue with your managed domain, Azure support can assist you in restoring from backup. As synchronization only occurs one way *from* Azure AD, any issues in a managed domain won't impact Azure AD or on-premises AD DS environments and functionality. +The backup frequency determines how often a snapshot of the managed domain is taken. Backups are an automated process managed by the Azure platform. In the event of an issue with your managed domain, Azure support can assist you in restoring from backup. As synchronization only occurs one way *from* Microsoft Entra ID, any issues in a managed domain won't impact Microsoft Entra ID or on-premises AD DS environments and functionality. As the SKU level increases, the frequency of those backup snapshots increases. Review your business requirements and recovery point objective (RPO) to determine the required backup frequency for your managed domain. If your business or application requirements change and you need more frequent backups, you can switch to a different SKU. ## Next steps -To get started, [create an Azure AD DS managed domain][create-instance]. +To get started, [create a Microsoft Entra DS managed domain][create-instance]. <!-- INTERNAL LINKS --> [password-policy]: password-policy.md |
active-directory-domain-services | Alert Ldaps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-ldaps.md | Title: Resolve secure LDAP alerts in Azure AD Domain Services | Microsoft Docs -description: Learn how to troubleshoot and resolve common alerts with secure LDAP for Azure Active Directory Domain Services. + Title: Resolve secure LDAP alerts in Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to troubleshoot and resolve common alerts with secure LDAP for Microsoft Entra Domain Services. Last updated 09/15/2023 -# Known issues: Secure LDAP alerts in Azure Active Directory Domain Services +# Known issues: Secure LDAP alerts in Microsoft Entra Domain Services -Applications and services that use lightweight directory access protocol (LDAP) to communicate with Azure Active Directory Domain Services (Azure AD DS) can be [configured to use secure LDAP](tutorial-configure-ldaps.md). An appropriate certificate and required network ports must be open for secure LDAP to work correctly. +Applications and services that use lightweight directory access protocol (LDAP) to communicate with Microsoft Entra Domain Services (Microsoft Entra DS) can be [configured to use secure LDAP](tutorial-configure-ldaps.md). An appropriate certificate and required network ports must be open for secure LDAP to work correctly. -This article helps you understand and resolve common alerts with secure LDAP access in Azure AD DS. +This article helps you understand and resolve common alerts with secure LDAP access in Microsoft Entra DS. ## AADDS101: Secure LDAP network configuration When you enable secure LDAP, it's recommended to create additional rules that re The managed domain's health automatically updates itself within two hours and removes the alert. > [!TIP]-> TCP port 636 isn't the only rule needed for Azure AD DS to run smoothly. To learn more, see the [Azure AD DS Network security groups and required ports](network-considerations.md#network-security-groups-and-required-ports). +> TCP port 636 isn't the only rule needed for Microsoft Entra DS to run smoothly. To learn more, see the [Microsoft Entra DS Network security groups and required ports](network-considerations.md#network-security-groups-and-required-ports). ## AADDS502: Secure LDAP certificate expiring The managed domain's health automatically updates itself within two hours and re ### Resolution -Create a replacement secure LDAP certificate by following the steps to [create a certificate for secure LDAP](tutorial-configure-ldaps.md#create-a-certificate-for-secure-ldap). Apply the replacement certificate to Azure AD DS, and distribute the certificate to any clients that connect using secure LDAP. +Create a replacement secure LDAP certificate by following the steps to [create a certificate for secure LDAP](tutorial-configure-ldaps.md#create-a-certificate-for-secure-ldap). Apply the replacement certificate to Microsoft Entra DS, and distribute the certificate to any clients that connect using secure LDAP. ## Next steps |
active-directory-domain-services | Alert Nsg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-nsg.md | Title: Resolve network security group alerts in Azure AD DS | Microsoft Docs -description: Learn how to troubleshoot and resolve network security group configuration alerts for Azure Active Directory Domain Services + Title: Resolve network security group alerts in Microsoft Entra DS | Microsoft Docs +description: Learn how to troubleshoot and resolve network security group configuration alerts for Microsoft Entra Domain Services Last updated 09/15/2023 -# Known issues: Network configuration alerts in Azure Active Directory Domain Services +# Known issues: Network configuration alerts in Microsoft Entra Domain Services -To let applications and services correctly communicate with an Azure Active Directory Domain Services (Azure AD DS) managed domain, specific network ports must be open to allow traffic to flow. In Azure, you control the flow of traffic using network security groups. The health status of an Azure AD DS managed domain shows an alert if the required network security group rules aren't in place. +To let applications and services correctly communicate with a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain, specific network ports must be open to allow traffic to flow. In Azure, you control the flow of traffic using network security groups. The health status of a Microsoft Entra DS managed domain shows an alert if the required network security group rules aren't in place. This article helps you understand and resolve common alerts for network security group configuration issues. This article helps you understand and resolve common alerts for network security *Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user-defined route that blocks incoming traffic from the internet.* -Invalid network security group rules are the most common cause of network errors for Azure AD DS. The network security group for the virtual network must allow access to specific ports and protocols. If these ports are blocked, the Azure platform can't monitor or update the managed domain. The synchronization between the Azure AD directory and Azure AD DS is also impacted. Make sure you keep the default ports open to avoid interruption in service. +Invalid network security group rules are the most common cause of network errors for Microsoft Entra DS. The network security group for the virtual network must allow access to specific ports and protocols. If these ports are blocked, the Azure platform can't monitor or update the managed domain. The synchronization between the Microsoft Entra directory and Microsoft Entra DS is also impacted. Make sure you keep the default ports open to avoid interruption in service. ## Default security rules -The following default inbound and outbound security rules are applied to the network security group for a managed domain. These rules keep Azure AD DS secure and allow the Azure platform to monitor, manage, and update the managed domain. +The following default inbound and outbound security rules are applied to the network security group for a managed domain. These rules keep Microsoft Entra DS secure and allow the Azure platform to monitor, manage, and update the managed domain. ### Inbound security rules The following default inbound and outbound security rules are applied to the net | 65500 | DenyAllOutBound | Any | Any | Any | Any | Deny | >[!NOTE]-> Azure AD DS needs unrestricted outbound access from the virtual network. We don't recommend that you create any additional rules that restrict outbound access for the virtual network. +> Microsoft Entra DS needs unrestricted outbound access from the virtual network. We don't recommend that you create any additional rules that restrict outbound access for the virtual network. ## Verify and edit existing security rules |
active-directory-domain-services | Alert Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-service-principal.md | Title: Resolve service principal alerts in Azure AD Domain Services | Microsoft Docs -description: Learn how to troubleshoot service principal configuration alerts for Azure Active Directory Domain Services + Title: Resolve service principal alerts in Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to troubleshoot service principal configuration alerts for Microsoft Entra Domain Services -# Known issues: Service principal alerts in Azure Active Directory Domain Services +# Known issues: Service principal alerts in Microsoft Entra Domain Services -[Service principals](../active-directory/develop/app-objects-and-service-principals.md) are applications that the Azure platform uses to manage, update, and maintain an Azure Active Directory Domain Services (Azure AD DS) managed domain. If a service principal is deleted, functionality in the managed domain is impacted. +[Service principals](../active-directory/develop/app-objects-and-service-principals.md) are applications that the Azure platform uses to manage, update, and maintain a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. If a service principal is deleted, functionality in the managed domain is impacted. This article helps you troubleshoot and resolve service principal-related configuration alerts. This article helps you troubleshoot and resolve service principal-related config ### Alert message -*A Service Principal required for Azure AD Domain Services to function properly has been deleted from your Azure AD directory. This configuration impacts Microsoft's ability to monitor, manage, patch, and synchronize your managed domain.* +*A Service Principal required for Microsoft Entra Domain Services to function properly has been deleted from your Microsoft Entra directory. This configuration impacts Microsoft's ability to monitor, manage, patch, and synchronize your managed domain.* If a required service principal is deleted, the Azure platform can't perform automated management tasks. The managed domain may not correctly apply updates or take backups. To check which service principal is missing and must be recreated, complete the ### Recreate a missing Service Principal -If application ID *2565bd9d-da50-47d4-8b85-4c97f669dc36* is missing from your Azure AD directory in Azure Global, use Azure AD PowerShell to complete the following steps. For other Azure clouds, use AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. For more information, see [Azure AD PowerShell](/powershell/azure/active-directory/install-adv2). +If application ID *2565bd9d-da50-47d4-8b85-4c97f669dc36* is missing from your Microsoft Entra directory in Azure Global, use Azure AD PowerShell to complete the following steps. For other Azure clouds, use AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. For more information, see [Azure AD PowerShell](/powershell/azure/active-directory/install-adv2). 1. If needed, install the Azure AD PowerShell module and import it as follows: If application ID *2565bd9d-da50-47d4-8b85-4c97f669dc36* is missing from your Az The managed domain's health automatically updates itself within two hours and removes the alert. -### Re-register the Microsoft AAD namespace +<a name='re-register-the-microsoft-aad-namespace'></a> -If application ID *443155a6-77f3-45e3-882b-22b3a8d431fb*, *abba844e-bc0e-44b0-947a-dc74e5d09022*, or *d87dcbc6-a371-462e-88e3-28ad15ec4e64* is missing from your Azure AD directory, complete the following steps to re-register the *Microsoft.AAD* resource provider: +### Re-register the Microsoft Entra namespace ++If application ID *443155a6-77f3-45e3-882b-22b3a8d431fb*, *abba844e-bc0e-44b0-947a-dc74e5d09022*, or *d87dcbc6-a371-462e-88e3-28ad15ec4e64* is missing from your Microsoft Entra directory, complete the following steps to re-register the *Microsoft.AAD* resource provider: 1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Subscriptions**. 1. Choose the subscription associated with your managed domain. The managed domain's health automatically updates itself within two hours and re ### Alert message -*The service principal with the application ID "d87dcbc6-a371-462e-88e3-28ad15ec4e64" was deleted and then recreated. The recreation leaves behind inconsistent permissions on Azure AD Domain Services resources needed to service your managed domain. Synchronization of passwords on your managed domain could be affected.* +*The service principal with the application ID "d87dcbc6-a371-462e-88e3-28ad15ec4e64" was deleted and then recreated. The recreation leaves behind inconsistent permissions on Microsoft Entra Domain Services resources needed to service your managed domain. Synchronization of passwords on your managed domain could be affected.* -Azure AD DS automatically synchronizes user accounts and credentials from Azure AD. If there's a problem with the Azure AD application used for this process, credential synchronization between Azure AD DS and Azure AD fails. +Microsoft Entra DS automatically synchronizes user accounts and credentials from Microsoft Entra ID. If there's a problem with the Microsoft Entra application used for this process, credential synchronization between Microsoft Entra DS and Microsoft Entra ID fails. ### Resolution -To recreate the Azure AD application used for credential synchronization, use Azure AD PowerShell to complete the following steps. For more information, see [install Azure AD PowerShell](/powershell/azure/active-directory/install-adv2). +To recreate the Microsoft Entra application used for credential synchronization, use Azure AD PowerShell to complete the following steps. For more information, see [install Azure AD PowerShell](/powershell/azure/active-directory/install-adv2). 1. If needed, install the Azure AD PowerShell module and import it as follows: |
active-directory-domain-services | Change Sku | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/change-sku.md | Title: Change the SKU for an Azure AD Domain Services | Microsoft Docs -description: Learn how to the SKU tier for an Azure AD Domain Services managed domain if your business requirements change + Title: Change the SKU for a Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to the SKU tier for a Microsoft Entra Domain Services managed domain if your business requirements change -#Customer intent: As an identity administrator, I want to change the SKU for my Azure AD Domain Services managed domain to use different features as my business requirements change. +#Customer intent: As an identity administrator, I want to change the SKU for my Microsoft Entra Domain Services managed domain to use different features as my business requirements change. -# Change the SKU for an existing Azure Active Directory Domain Services managed domain +# Change the SKU for an existing Microsoft Entra Domain Services managed domain -In Azure Active Directory Domain Services (Azure AD DS), the available performance and features are based on the SKU type. These feature differences include the backup frequency or maximum number of one-way outbound forest trusts. +In Microsoft Entra Domain Services (Microsoft Entra DS), the available performance and features are based on the SKU type. These feature differences include the backup frequency or maximum number of one-way outbound forest trusts. -You select a SKU when you create the managed domain, and you can switch SKUs up or down as your business needs change after the managed domain has been deployed. Changes in business requirements could include the need for more frequent backups or to create additional forest trusts. For more information on the limits and pricing of the different SKUs, see [Azure AD DS SKU concepts][concepts-sku] and [Azure AD DS pricing][pricing] pages. +You select a SKU when you create the managed domain, and you can switch SKUs up or down as your business needs change after the managed domain has been deployed. Changes in business requirements could include the need for more frequent backups or to create additional forest trusts. For more information on the limits and pricing of the different SKUs, see [Microsoft Entra DS SKU concepts][concepts-sku] and [Microsoft Entra DS pricing][pricing] pages. -This article shows you how to change the SKU for an existing Azure AD DS managed domain using the [Microsoft Entra admin center](https://entra.microsoft.com). +This article shows you how to change the SKU for an existing Microsoft Entra DS managed domain using the [Microsoft Entra admin center](https://entra.microsoft.com). ## Before you begin To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. * If needed, complete the tutorial to [create and configure a managed domain][create-azure-ad-ds-instance]. ## SKU change limitations You can change SKUs up or down after the managed domain has been deployed. Howev For example, if you have created seven trusts on the *Premium* SKU, you can't change down to the *Enterprise* SKU. The *Enterprise* SKU supports a maximum of five trusts. -For more information on these limits, see [Azure AD DS SKU features and limits][concepts-sku]. +For more information on these limits, see [Microsoft Entra DS SKU features and limits][concepts-sku]. ## Select a new SKU To change the SKU for a managed domain using the [Microsoft Entra admin center](https://entra.microsoft.com), complete the following steps: -1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Azure AD Domain Services**. Choose your managed domain from the list, such as *aaddscontoso.com*. -1. In the menu on the left-hand side of the Azure AD DS page, select **Settings > SKU**. +1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Microsoft Entra Domain Services**. Choose your managed domain from the list, such as *aaddscontoso.com*. +1. In the menu on the left-hand side of the Microsoft Entra DS page, select **Settings > SKU**. - ![Select the SKU menu option for your Azure AD DS managed domain in the Microsoft Entra admin center](media/change-sku/overview-change-sku.png) + ![Select the SKU menu option for your Microsoft Entra DS managed domain in the Microsoft Entra admin center](media/change-sku/overview-change-sku.png) 1. From the drop-down menu, select the SKU you wish for your managed domain. If you have a resource forest, you can't select *Standard* SKU as forest trusts are only available on the *Enterprise* SKU or higher. It can take a minute or two to change the SKU type. ## Next steps -If you have a resource forest and want to create additional trusts after the SKU change, see [Create an outbound forest trust to an on-premises domain in Azure AD DS][create-trust]. +If you have a resource forest and want to create additional trusts after the SKU change, see [Create an outbound forest trust to an on-premises domain in Microsoft Entra DS][create-trust]. <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md |
active-directory-domain-services | Check Health | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/check-health.md | Title: Check the health of Azure Active Directory Domain Services | Microsoft Docs -description: Learn how to check the health of an Azure Active Directory Domain Services (Azure AD DS) managed domain and understand status messages. + Title: Check the health of Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to check the health of a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain and understand status messages. Last updated 09/13/2023 -# Check the health of an Azure Active Directory Domain Services managed domain +# Check the health of a Microsoft Entra Domain Services managed domain -Azure Active Directory Domain Services (Azure AD DS) runs some background tasks to keep the managed domain healthy and up-to-date. These tasks include taking backups, applying security updates, and synchronizing data from Azure AD. If there are issues with the Azure AD DS managed domain, these tasks may not successfully complete. To review and resolve any issues, you can check the health status of a managed domain using the Microsoft Entra admin center. +Microsoft Entra Domain Services (Microsoft Entra DS) runs some background tasks to keep the managed domain healthy and up-to-date. These tasks include taking backups, applying security updates, and synchronizing data from Microsoft Entra ID. If there are issues with the Microsoft Entra DS managed domain, these tasks may not successfully complete. To review and resolve any issues, you can check the health status of a managed domain using the Microsoft Entra admin center. -This article shows you how to view the Azure AD DS health status and understand the information or alerts shown. +This article shows you how to view the Microsoft Entra DS health status and understand the information or alerts shown. ## View the health status -The health status for a managed domain is viewed using the Microsoft Entra admin center. Information on the last backup time and synchronization with Azure AD can be seen, along with any alerts that indicate a problem with the managed domain's health. To view the health status for a managed domain, complete the following steps: +The health status for a managed domain is viewed using the Microsoft Entra admin center. Information on the last backup time and synchronization with Microsoft Entra ID can be seen, along with any alerts that indicate a problem with the managed domain's health. To view the health status for a managed domain, complete the following steps: 1. Sign in to [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator). -1. Search for and select **Azure AD Domain Services**. +1. Search for and select **Microsoft Entra Domain Services**. 1. Select your managed domain, such as *aaddscontoso.com*.-1. On the left-hand side of the Azure AD DS resource window, select **Health**. The following example screenshot shows a healthy managed domain and the status of the last backup and Azure AD synchronization: +1. On the left-hand side of the Microsoft Entra DS resource window, select **Health**. The following example screenshot shows a healthy managed domain and the status of the last backup and Azure AD synchronization: - ![Health page overview showing the Azure Active Directory Domain Services status](./media/check-health/health-page.png) + ![Health page overview showing the Microsoft Entra Domain Services status](./media/check-health/health-page.png) The *Last evaluated* timestamp of the health page shows when the managed domain was last checked. The health of a managed domain is evaluated every hour. If you make any changes to a managed domain, wait until the next evaluation cycle to view the updated health status. The health status for a managed domain show two types of information - *monitors ### Monitors -Monitors are areas of a managed domain that are checked on a regular basis. If there are any active alerts for the managed domain, it may cause one of the monitors to report an issue. Azure AD DS currently has monitors for the following areas: +Monitors are areas of a managed domain that are checked on a regular basis. If there are any active alerts for the managed domain, it may cause one of the monitors to report an issue. Microsoft Entra DS currently has monitors for the following areas: * Backup-* Synchronization with Azure AD +* Synchronization with Microsoft Entra ID #### Backup monitor The backup monitor checks that automated regular backups of the managed domain s | Last backup was taken 1 to 14 days ago | This time range is the expected status for the backup monitor. Automated regular backups should occur in this period. | | Last backup was taken more than 14 days ago. | A timespan longer than two weeks indicates there's an issue with the automated regular backups. Active critical alerts may prevent the managed domain from being backed up. Resolve any active alerts for the managed domain. If the backup monitor doesn't then update the status to report a recent backup, [open an Azure support request][azure-support]. | -#### Synchronization with Azure AD monitor +<a name='synchronization-with-azure-ad-monitor'></a> -A managed domain regularly synchronizes with Azure Active Directory. The number of users and group objects, and the number of changes made in the Azure AD directory since the last sync, affects how long it takes to synchronize. If the managed domain was last synchronized over three days ago, check for and resolve any active alerts. If the synchronization monitor doesn't update the status to show a recent sync after you address any active alerts, [open an Azure support request][azure-support]. +#### Synchronization with Microsoft Entra ID monitor ++A managed domain regularly synchronizes with Microsoft Entra ID. The number of users and group objects, and the number of changes made in the Microsoft Entra directory since the last sync, affects how long it takes to synchronize. If the managed domain was last synchronized over three days ago, check for and resolve any active alerts. If the synchronization monitor doesn't update the status to show a recent sync after you address any active alerts, [open an Azure support request][azure-support]. ### Alerts |
active-directory-domain-services | Compare Identity Solutions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/compare-identity-solutions.md | Title: Compare Active Directory-based services in Azure | Microsoft Docs -description: In this overview, you compare the different identity offerings for Active Directory Domain Services, Azure Active Directory, and Azure Active Directory Domain Services. +description: In this overview, you compare the different identity offerings for Active Directory Domain Services, Microsoft Entra ID, and Microsoft Entra Domain Services. -#Customer intent: As an IT administrator or decision maker, I want to understand the differences between Active Directory Domain Services (AD DS), Azure AD, and Azure AD DS so I can choose the most appropriate identity solution for my organization. +#Customer intent: As an IT administrator or decision maker, I want to understand the differences between Active Directory Domain Services (AD DS), Microsoft Entra ID, and Microsoft Entra DS so I can choose the most appropriate identity solution for my organization. -# Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services +# Compare self-managed Active Directory Domain Services, Microsoft Entra ID, and managed Microsoft Entra Domain Services -To provide applications, services, or devices access to a central identity, there are three common ways to use Active Directory-based services in Azure. This choice in identity solutions gives you the flexibility to use the most appropriate directory for your organization's needs. For example, if you mostly manage cloud-only users that run mobile devices, it may not make sense to build and run your own Active Directory Domain Services (AD DS) identity solution. Instead, you could just use Azure Active Directory. +To provide applications, services, or devices access to a central identity, there are three common ways to use Active Directory-based services in Azure. This choice in identity solutions gives you the flexibility to use the most appropriate directory for your organization's needs. For example, if you mostly manage cloud-only users that run mobile devices, it may not make sense to build and run your own Active Directory Domain Services (AD DS) identity solution. Instead, you could just use Microsoft Entra ID. Although the three Active Directory-based identity solutions share a common name and technology, they're designed to provide services that meet different customer demands. At high level, these identity solutions and feature sets are: * **Active Directory Domain Services (AD DS)** - Enterprise-ready lightweight directory access protocol (LDAP) server that provides key features such as identity and authentication, computer object management, group policy, and trusts. * AD DS is a central component in many organizations with an on-premises IT environment, and provides core user account authentication and computer management features. * For more information, see [Active Directory Domain Services overview in the Windows Server documentation][overview-adds].-* **Azure Active Directory (Azure AD)** - Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Microsoft 365, the Microsoft Entra admin center, or SaaS applications. - * Azure AD can be synchronized with an on-premises AD DS environment to provide a single identity to users that works natively in the cloud. - * For more information about Azure AD, see [What is Azure Active Directory?][whatis-azuread] -* **Azure Active Directory Domain Services (Azure AD DS)** - Provides managed domain services with a subset of fully compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication. - * Azure AD DS integrates with Azure AD, which itself can synchronize with an on-premises AD DS environment. This ability extends central identity use cases to traditional web applications that run in Azure as part of a lift-and-shift strategy. - * To learn more about synchronization with Azure AD and on-premises, see [How objects and credentials are synchronized in a managed domain][synchronization]. +* **Microsoft Entra ID** - Cloud-based identity and mobile device management that provides user account and authentication services for resources such as Microsoft 365, the Microsoft Entra admin center, or SaaS applications. + * Microsoft Entra ID can be synchronized with an on-premises AD DS environment to provide a single identity to users that works natively in the cloud. + * For more information about Microsoft Entra ID, see [What is Microsoft Entra ID?][whatis-azuread] +* **Microsoft Entra Domain Services (Microsoft Entra DS)** - Provides managed domain services with a subset of fully compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication. + * Microsoft Entra DS integrates with Microsoft Entra ID, which itself can synchronize with an on-premises AD DS environment. This ability extends central identity use cases to traditional web applications that run in Azure as part of a lift-and-shift strategy. + * To learn more about synchronization with Microsoft Entra ID and on-premises, see [How objects and credentials are synchronized in a managed domain][synchronization]. This overview article compares and contrasts how these identity solutions can work together, or would be used independently, depending on the needs of your organization. > [!div class="nextstepaction"]-> [To get started, create an Azure AD DS managed domain using the Microsoft Entra admin center][tutorial-create] +> [To get started, create a Microsoft Entra DS managed domain using the Microsoft Entra admin center][tutorial-create] -## Azure AD DS and self-managed AD DS +<a name='azure-ad-ds-and-self-managed-ad-ds'></a> ++## Microsoft Entra DS and self-managed AD DS If you have applications and services that need access to traditional authentication mechanisms such as Kerberos or NTLM, there are two ways to provide Active Directory Domain Services in the cloud: -* A *managed domain* that you create using Azure Active Directory Domain Services (Azure AD DS). Microsoft creates and manages the required resources. +* A *managed domain* that you create using Microsoft Entra Domain Services (Microsoft Entra DS). Microsoft creates and manages the required resources. * A *self-managed* domain that you create and configure using traditional resources such as virtual machines (VMs), Windows Server guest OS, and Active Directory Domain Services (AD DS). You then continue to administer these resources. -With Azure AD DS, the core service components are deployed and maintained for you by Microsoft as a *managed* domain experience. You don't deploy, manage, patch, and secure the AD DS infrastructure for components like the VMs, Windows Server OS, or domain controllers (DCs). +With Microsoft Entra DS, the core service components are deployed and maintained for you by Microsoft as a *managed* domain experience. You don't deploy, manage, patch, and secure the AD DS infrastructure for components like the VMs, Windows Server OS, or domain controllers (DCs). -Azure AD DS provides a smaller subset of features to traditional self-managed AD DS environment, which reduces some of the design and management complexity. For example, there are no AD forests, domain, sites, and replication links to design and maintain. You can still [create forest trusts between Azure AD DS and on-premises environments][create-forest-trust]. +Microsoft Entra DS provides a smaller subset of features to traditional self-managed AD DS environment, which reduces some of the design and management complexity. For example, there are no AD forests, domain, sites, and replication links to design and maintain. You can still [create forest trusts between Microsoft Entra DS and on-premises environments][create-forest-trust]. -For applications and services that run in the cloud and need access to traditional authentication mechanisms such as Kerberos or NTLM, Azure AD DS provides a managed domain experience with the minimal amount of administrative overhead. For more information, see [Management concepts for user accounts, passwords, and administration in Azure AD DS][administration-concepts]. +For applications and services that run in the cloud and need access to traditional authentication mechanisms such as Kerberos or NTLM, Microsoft Entra DS provides a managed domain experience with the minimal amount of administrative overhead. For more information, see [Management concepts for user accounts, passwords, and administration in Microsoft Entra DS][administration-concepts]. When you deploy and run a self-managed AD DS environment, you have to maintain all of the associated infrastructure and directory components. There's additional maintenance overhead with a self-managed AD DS environment, but you're then able to do additional tasks such as extend the schema or create forest trusts. Common deployment models for a self-managed AD DS environment that provides iden * **Extend on-premises domain to Azure** - An Azure virtual network connects to an on-premises network using a VPN / ExpressRoute connection. Azure VMs connect to this Azure virtual network, which lets them domain-join to the on-premises AD DS environment. * An alternative is to create Azure VMs and promote them as replica domain controllers from the on-premises AD DS domain. These domain controllers replicate over a VPN / ExpressRoute connection to the on-premises AD DS environment. The on-premises AD DS domain is effectively extended into Azure. -The following table outlines some of the features you may need for your organization, and the differences between a managed Azure AD DS domain or a self-managed AD DS domain: +The following table outlines some of the features you may need for your organization, and the differences between a managed Microsoft Entra DS domain or a self-managed AD DS domain: -| **Feature** | **Azure AD DS** | **Self-managed AD DS** | +| **Feature** | **Microsoft Entra DS** | **Self-managed AD DS** | | -- |::|:-:| | **Managed service** | **✓** | **✕** | | **Secure deployments** | **✓** | Administrator secures the deployment | The following table outlines some of the features you may need for your organiza | **LDAP write** | **✓** (within the managed domain) | **✓** | | **Geo-distributed deployments** | **✓** | **✓** | -## Azure AD DS and Azure AD +<a name='azure-ad-ds-and-azure-ad'></a> ++## Microsoft Entra DS and Microsoft Entra ID -Azure AD lets you manage the identity of devices used by the organization and control access to corporate resources from those devices. Users can also register their personal device (a bring-your-own (BYO) model) with Azure AD, which provides the device with an identity. Azure AD then authenticates the device when a user signs in to Azure AD and uses the device to access secured resources. The device can be managed using Mobile Device Management (MDM) software like Microsoft Intune. This management ability lets you restrict access to sensitive resources to managed and policy-compliant devices. +Microsoft Entra ID lets you manage the identity of devices used by the organization and control access to corporate resources from those devices. Users can also register their personal device (a bring-your-own (BYO) model) with Microsoft Entra ID, which provides the device with an identity. Microsoft Entra ID then authenticates the device when a user signs in to Microsoft Entra ID and uses the device to access secured resources. The device can be managed using Mobile Device Management (MDM) software like Microsoft Intune. This management ability lets you restrict access to sensitive resources to managed and policy-compliant devices. -Traditional computers and laptops can also join to Azure AD. This mechanism offers the same benefits of registering a personal device with Azure AD, such as to allow users to sign in to the device using their corporate credentials. +Traditional computers and laptops can also join to Microsoft Entra ID. This mechanism offers the same benefits of registering a personal device with Microsoft Entra ID, such as to allow users to sign in to the device using their corporate credentials. -Azure AD joined devices give you the following benefits: +Microsoft Entra joined devices give you the following benefits: -* Single-sign-on (SSO) to applications secured by Azure AD. +* Single-sign-on (SSO) to applications secured by Microsoft Entra ID. * Enterprise policy-compliant roaming of user settings across devices. * Access to the Windows Store for Business using corporate credentials. * Windows Hello for Business. * Restricted access to apps and resources from devices compliant with corporate policy. -Devices can be joined to Azure AD with or without a hybrid deployment that includes an on-premises AD DS environment. The following table outlines common device ownership models and how they would typically be joined to a domain: +Devices can be joined to Microsoft Entra ID with or without a hybrid deployment that includes an on-premises AD DS environment. The following table outlines common device ownership models and how they would typically be joined to a domain: | **Type of device** | **Device platforms** | **Mechanism** | |:-| -- | - |-| Personal devices | Windows 10, iOS, Android, macOS | Azure AD registered | -| Organization-owned device not joined to on-premises AD DS | Windows 10 | Azure AD joined | -| Organization-owned device joined to an on-premises AD DS | Windows 10 | Hybrid Azure AD joined | +| Personal devices | Windows 10, iOS, Android, macOS | Microsoft Entra registered | +| Organization-owned device not joined to on-premises AD DS | Windows 10 | Microsoft Entra joined | +| Organization-owned device joined to an on-premises AD DS | Windows 10 | Microsoft Entra hybrid joined | -On an Azure AD-joined or registered device, user authentication happens using modern OAuth / OpenID Connect based protocols. These protocols are designed to work over the internet, so are great for mobile scenarios where users access corporate resources from anywhere. +On a Microsoft Entra joined or registered device, user authentication happens using modern OAuth / OpenID Connect based protocols. These protocols are designed to work over the internet, so are great for mobile scenarios where users access corporate resources from anywhere. -With Azure AD DS-joined devices, applications can use the Kerberos and NTLM protocols for authentication, so can support legacy applications migrated to run on Azure VMs as part of a lift-and-shift strategy. The following table outlines differences in how the devices are represented and can authenticate themselves against the directory: +With Microsoft Entra DS-joined devices, applications can use the Kerberos and NTLM protocols for authentication, so can support legacy applications migrated to run on Azure VMs as part of a lift-and-shift strategy. The following table outlines differences in how the devices are represented and can authenticate themselves against the directory: -| **Aspect** | **Azure AD-joined** | **Azure AD DS-joined** | +| **Aspect** | **Microsoft Entra joined** | **Microsoft Entra DS-joined** | |:--| | - |-| Device controlled by | Azure AD | Azure AD DS managed domain | -| Representation in the directory | Device objects in the Azure AD directory | Computer objects in the Azure AD DS managed domain | +| Device controlled by | Microsoft Entra ID | Microsoft Entra DS managed domain | +| Representation in the directory | Device objects in the Microsoft Entra directory | Computer objects in the Microsoft Entra DS managed domain | | Authentication | OAuth / OpenID Connect based protocols | Kerberos and NTLM protocols | | Management | Mobile Device Management (MDM) software like Intune | Group Policy | | Networking | Works over the internet | Must be connected to, or peered with, the virtual network where the managed domain is deployed | | Great for... | End-user mobile or desktop devices | Server VMs deployed in Azure | -If on-premises AD DS and Azure AD are configured for federated authentication using AD FS, then there's no (current/valid) password hash available in Azure DS. Azure AD user accounts created before fed auth was implemented might have an old password hash but this likely doesn't match a hash of their on-premises password. Hence Azure AD DS won't be able to validate the users credentials +If on-premises AD DS and Microsoft Entra ID are configured for federated authentication using AD FS, then there's no (current/valid) password hash available in Azure DS. Microsoft Entra user accounts created before fed auth was implemented might have an old password hash but this likely doesn't match a hash of their on-premises password. Hence Microsoft Entra DS won't be able to validate the users credentials ## Next steps -To get started with using Azure AD DS, [create an Azure AD DS managed domain using the Microsoft Entra admin center][tutorial-create]. +To get started with using Microsoft Entra DS, [create a Microsoft Entra DS managed domain using the Microsoft Entra admin center][tutorial-create]. You can also learn more about -[management concepts for user accounts, passwords, and administration in Azure AD DS][administration-concepts] and [how objects and credentials are synchronized in a managed domain][synchronization]. +[management concepts for user accounts, passwords, and administration in Microsoft Entra DS][administration-concepts] and [how objects and credentials are synchronized in a managed domain][synchronization]. <!-- INTERNAL LINKS --> [manage-dns]: manage-dns.md |
active-directory-domain-services | Concepts Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/concepts-custom-attributes.md | Title: Create and manage custom attributes for Azure AD Domain Services | Microsoft Docs -description: Learn how to create and manage custom attributes in an Azure AD DS managed domain. + Title: Create and manage custom attributes for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to create and manage custom attributes in a Microsoft Entra DS managed domain. Last updated 03/07/2023 -# Custom attributes for Azure Active Directory Domain Services +# Custom attributes for Microsoft Entra Domain Services For various reasons, companies often canΓÇÖt modify code for legacy apps. For example, apps may use a custom attribute, such as a custom employee ID, and rely on that attribute for LDAP operations. -Azure AD supports adding custom data to resources using [extensions](/graph/extensibility-overview). Azure Active Directory Domain Services (Azure AD DS) can synchronize the following types of extensions from Azure AD, so you can also use apps that depend on custom attributes with Azure AD DS: +Microsoft Entra ID supports adding custom data to resources using [extensions](/graph/extensibility-overview). Microsoft Entra Domain Services (Microsoft Entra DS) can synchronize the following types of extensions from Microsoft Entra ID, so you can also use apps that depend on custom attributes with Microsoft Entra DS: - [onPremisesExtensionAttributes](/graph/extensibility-overview?tabs=http#extension-attributes) are a set of 15 attributes that can store extended user string attributes. - [Directory extensions](/graph/extensibility-overview?tabs=http#directory-azure-ad-extensions) allow the schema extension of specific directory objects, such as users and groups, with strongly typed attributes through registration with an application in the tenant. -Both types of extensions can be configured by using Azure AD Connect for users who are managed on-premises, or Microsoft Graph APIs for cloud-only users. +Both types of extensions can be configured by using Microsoft Entra Connect for users who are managed on-premises, or Microsoft Graph APIs for cloud-only users. >[!Note] >The following types of extensions aren't supported for synchronization: ->- Custom security attributes in Azure AD (Preview) +>- Custom security attributes in Microsoft Entra ID (Preview) >- Microsoft Graph schema extensions >- Microsoft Graph open extensions ## Requirements -The minimum SKU supported for custom attributes is the Enterprise SKU. If you use Standard, you need to [upgrade](change-sku.md) the managed domain to Enterprise or Premium. For more information, see [Azure Active Directory Domain Pricing](https://azure.microsoft.com/pricing/details/active-directory-ds/). +The minimum SKU supported for custom attributes is the Enterprise SKU. If you use Standard, you need to [upgrade](change-sku.md) the managed domain to Enterprise or Premium. For more information, see [Microsoft Entra Domain Pricing](https://azure.microsoft.com/pricing/details/active-directory-ds/). ## How Custom Attributes work After you create a managed domain, click **Custom Attributes (Preview)** under * Click **OnPremisesExtensionAttributes** to synchronize the attributes extensionAttribute1-15, also known as [Exchange custom attributes](/graph/api/resources/onpremisesextensionattributes). -## Synchronize Azure AD directory extension attributes +<a name='synchronize-azure-ad-directory-extension-attributes-'></a> -These are the extended user or group attributes defined in your Azure AD tenant. +## Synchronize Microsoft Entra directory extension attributes ++These are the extended user or group attributes defined in your Microsoft Entra tenant. Select **+ Add** to choose which custom attributes to synchronize. The list shows the available extension properties in your tenant. You can filter the list by using the search bar. Select **+ Add** to choose which custom attributes to synchronize. The list show If you don't see the directory extension you are looking for, enter the extensionΓÇÖs associated application appId and click **Search** to load only that applicationΓÇÖs defined extension properties. This search helps when multiple applications define many extensions in your tenant. >[!NOTE]->If you would like to see directory extensions synchronized by Azure AD Connect, click **Enterprise App** and look for the Application ID of the **Tenant Schema Extension App**. For more information, see [Azure AD Connect sync: Directory extensions](../active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard). +>If you would like to see directory extensions synchronized by Microsoft Entra Connect, click **Enterprise App** and look for the Application ID of the **Tenant Schema Extension App**. For more information, see [Microsoft Entra Connect Sync: Directory extensions](../active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard). Click **Select**, and then **Save** to confirm the change. :::image type="content" border="true" source="./media/concepts-custom-attributes/select.png" alt-text="Screenshot of how to save directory extension attributes."::: -Azure AD DS back fills all synchronized users and groups with the onboarded custom attribute values. The custom attribute values gradually populate for objects that contain the directory extension in Azure AD. During the backfill synchronization process, incremental changes in Azure AD are paused, and the sync time depends on the size of the tenant. +Microsoft Entra DS back fills all synchronized users and groups with the onboarded custom attribute values. The custom attribute values gradually populate for objects that contain the directory extension in Microsoft Entra ID. During the backfill synchronization process, incremental changes in Microsoft Entra ID are paused, and the sync time depends on the size of the tenant. -To check the backfilling status, click **Azure AD DS Health** and verify the **Synchronization with Azure AD** monitor has an updated timestamp within an hour since onboarding. Once updated, the backfill is complete. +To check the backfilling status, click **Microsoft Entra DS Health** and verify the **Synchronization with Microsoft Entra ID** monitor has an updated timestamp within an hour since onboarding. Once updated, the backfill is complete. ## Next steps -To configure onPremisesExtensionAttributes or directory extensions for cloud-only users in Azure AD, see [Custom data options in Microsoft Graph](/graph/extensibility-overview?tabs=http#custom-data-options-in-microsoft-graph). +To configure onPremisesExtensionAttributes or directory extensions for cloud-only users in Microsoft Entra ID, see [Custom data options in Microsoft Graph](/graph/extensibility-overview?tabs=http#custom-data-options-in-microsoft-graph). -To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md). +To sync onPremisesExtensionAttributes or directory extensions from on-premises to Microsoft Entra ID, [configure Microsoft Entra Connect](../active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md). |
active-directory-domain-services | Concepts Forest Trust | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/concepts-forest-trust.md | Title: How trusts work for Azure AD Domain Services | Microsoft Docs -description: Learn more about how forest trust work with Azure AD Domain Services + Title: How trusts work for Microsoft Entra Domain Services | Microsoft Docs +description: Learn more about how forest trust work with Microsoft Entra Domain Services The access control mechanisms provided by AD DS and the Windows distributed secu The trust path is implemented by the Net Logon service using an authenticated remote procedure call (RPC) connection to the trusted domain authority. A secured channel also extends to other AD DS domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups. >[!NOTE]->Azure AD DS only supports one-way transitive trusts where the managed domain will trust other domains, but no other directions or trust types are supported. +>Microsoft Entra DS only supports one-way transitive trusts where the managed domain will trust other domains, but no other directions or trust types are supported. -For an overview of how trusts apply to Azure AD DS, see [Forest concepts and features][create-forest-trust]. +For an overview of how trusts apply to Microsoft Entra DS, see [Forest concepts and features][create-forest-trust]. -To get started using trusts in Azure AD DS, [create a managed domain that uses forest trusts][tutorial-create-advanced]. +To get started using trusts in Microsoft Entra DS, [create a managed domain that uses forest trusts][tutorial-create-advanced]. ## Trust relationship flows For example, when a one-way, forest trust is created between *Forest 1* (the tru * Members of *Forest 2* can't access resources located in *Forest 1* using the same trust. > [!IMPORTANT]-> Azure AD Domain Services only supports a one-way forest trust to on-premises Active Directory. +> Microsoft Entra Domain Services only supports a one-way forest trust to on-premises Active Directory. ### Forest trust requirements Before you can create a forest trust, you need to verify you have the correct Do * When there is no shared root DNS server and the root DNS servers in each forest DNS namespace use DNS conditional forwarders for each DNS namespace to route queries for names in the other namespace. > [!IMPORTANT]- > Any Azure AD Domain Services forest with a trust must use this DNS configuration. Hosting a DNS namespace other than the forest DNS namespace is not a feature of Azure AD Domain Services. Conditional forwarders is the proper configuration. + > Any Microsoft Entra Domain Services forest with a trust must use this DNS configuration. Hosting a DNS namespace other than the forest DNS namespace is not a feature of Microsoft Entra Domain Services. Conditional forwarders is the proper configuration. * When there is no shared root DNS server and the root DNS servers in each forest DNS namespace are use DNS secondary zones are configured in each DNS namespace to route queries for names in the other namespace. To create a forest trust, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory. Each trust is assigned a password that the administrators in both forests must know. Members of Enterprise Admins in both forests can create the trusts in both forests at once and, in this scenario, a password that is cryptographically random is automatically generated and written for both forests. -A managed domain forest supports up to five one-way outbound forest trusts to on-premises forests. The outbound forest trust for Azure AD Domain Services is created in the Microsoft Entra admin center. You don't manually create the trust with the managed domain itself. The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory. +A managed domain forest supports up to five one-way outbound forest trusts to on-premises forests. The outbound forest trust for Microsoft Entra Domain Services is created in the Microsoft Entra admin center. You don't manually create the trust with the managed domain itself. The incoming forest trust must be configured by a user with the privileges previously noted in the on-premises Active Directory. ## Trust processes and interactions When two forests are connected by a forest trust, authentication requests made u When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a [trusted domain object](#trusted-domain-object). Trusted namespaces include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are replicated to the global catalog. >[!NOTE]->Alternate UPN suffixes on trusts are not supported. If an on-premises domain uses the same UPN suffix as Azure AD DS, sign in must use **sAMAccountName**. +>Alternate UPN suffixes on trusts are not supported. If an on-premises domain uses the same UPN suffix as Microsoft Entra DS, sign in must use **sAMAccountName**. Before authentication protocols can follow the forest trust path, the service principal name (SPN) of the resource computer must be resolved to a location in the other forest. An SPN can be one of the following names: Administrators can use *Active Directory Domains and Trusts*, *Netdom* and *Nlte ## Next steps -To get started with creating a managed domain with a forest trust, see [Create and configure an Azure AD DS managed domain][tutorial-create-advanced]. You can then [Create an outbound forest trust to an on-premises domain][create-forest-trust]. +To get started with creating a managed domain with a forest trust, see [Create and configure a Microsoft Entra DS managed domain][tutorial-create-advanced]. You can then [Create an outbound forest trust to an on-premises domain][create-forest-trust]. <!-- LINKS - INTERNAL --> [tutorial-create-advanced]: tutorial-create-instance-advanced.md |
active-directory-domain-services | Concepts Replica Sets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/concepts-replica-sets.md | Title: Replica sets concepts for Azure AD Domain Services | Microsoft Docs -description: Learn what replica sets are in Azure Active Directory Domain Services and how they provide redundancy to applications that require identity services. + Title: Replica sets concepts for Microsoft Entra Domain Services | Microsoft Docs +description: Learn what replica sets are in Microsoft Entra Domain Services and how they provide redundancy to applications that require identity services. Last updated 01/29/2023 -# Replica sets concepts and features for Azure Active Directory Domain Services +# Replica sets concepts and features for Microsoft Entra Domain Services -When you create an Azure Active Directory Domain Services (Azure AD DS) managed domain, you define a unique namespace. This namespace is the domain name, such as *aaddscontoso.com*, and two domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. +When you create a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain, you define a unique namespace. This namespace is the domain name, such as *aaddscontoso.com*, and two domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. -You can expand a managed domain to have more than one replica set per Azure AD tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Azure AD DS. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. +You can expand a managed domain to have more than one replica set per Microsoft Entra tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Microsoft Entra DS. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. > [!NOTE] > Replica sets don't let you deploy multiple unique managed domains in a single Azure tenant. Each replica set contains the same data. ## How replica sets work -When you create a managed domain, such as *aaddscontoso.com*, an initial replica set is created. Additional replica sets share the same namespace and configuration. Changes to Azure AD DS, including configuration, user identity and credentials, groups, group policy objects, computer objects, and other changes are applied to all replica sets in the managed domain using AD DS replication. +When you create a managed domain, such as *aaddscontoso.com*, an initial replica set is created. Additional replica sets share the same namespace and configuration. Changes to Microsoft Entra DS, including configuration, user identity and credentials, groups, group policy objects, computer objects, and other changes are applied to all replica sets in the managed domain using AD DS replication. You create each replica set in a virtual network. Each virtual network must be peered to every other virtual network that hosts a managed domain's replica set. This configuration creates a mesh network topology that supports directory replication. A virtual network can support multiple replica sets, provided that each replica set is in a different virtual subnet. You can create a maximum of five replica setsΓÇöthe initial replica set for the ### How does user and group information get synchronized to my replica sets? -All replica sets are connected to each other using a mesh virtual network peering. One replica set receives user and group updates from Azure AD. Those changes are then replicated to the other replica sets using intrasite AD DS replication over the peered network. +All replica sets are connected to each other using a mesh virtual network peering. One replica set receives user and group updates from Microsoft Entra ID. Those changes are then replicated to the other replica sets using intrasite AD DS replication over the peered network. Just like with on-premises AD DS, an extended disconnected state can cause disruption in replication. As peered virtual networks aren't transitive, the design requirements for replica sets requires a fully meshed network topology. Changes within the managed domain work just like they previously did. You [creat ## Next steps -To get started with replica sets, [create and configure an Azure AD DS managed domain][tutorial-create-advanced]. When deployed, [create and use additional replica sets][create-replica-set]. +To get started with replica sets, [create and configure a Microsoft Entra DS managed domain][tutorial-create-advanced]. When deployed, [create and use additional replica sets][create-replica-set]. <!-- LINKS - INTERNAL --> [tutorial-create-advanced]: tutorial-create-instance-advanced.md |
active-directory-domain-services | Create Forest Trust Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-forest-trust-powershell.md | Title: Create an Azure AD Domain Services forest trust using Azure PowerShell | Microsoft Docs -description: In this article, learn how to create and configure an Azure Active Directory Domain Services forest trust to an on-premises Active Directory Domain Services environment using Azure PowerShell. + Title: Create a Microsoft Entra Domain Services forest trust using Azure PowerShell | Microsoft Docs +description: In this article, learn how to create and configure a Microsoft Entra Domain Services forest trust to an on-premises Active Directory Domain Services environment using Azure PowerShell. -#Customer intent: As an identity administrator, I want to create an Azure AD Domain Services forest and one-way outbound trust from an Azure Active Directory Domain Services forest to an on-premises Active Directory Domain Services forest using Azure PowerShell to provide authentication and resource access between forests. +#Customer intent: As an identity administrator, I want to create a Microsoft Entra Domain Services forest and one-way outbound trust from a Microsoft Entra Domain Services forest to an on-premises Active Directory Domain Services forest using Azure PowerShell to provide authentication and resource access between forests. -# Create an Azure Active Directory Domain Services forest trust to an on-premises domain using Azure PowerShell +# Create a Microsoft Entra Domain Services forest trust to an on-premises domain using Azure PowerShell -In environments where you can't synchronize password hashes, or you have users that exclusively sign in using smart cards so they don't know their password, you can create a one-way outbound trust from Azure Active Directory Domain Services (Azure AD DS) to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Azure AD DS managed domain. In this case, on-premises password hashes are never synchronized. +In environments where you can't synchronize password hashes, or you have users that exclusively sign in using smart cards so they don't know their password, you can create a one-way outbound trust from Microsoft Entra Domain Services (Microsoft Entra DS) to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Microsoft Entra DS managed domain. In this case, on-premises password hashes are never synchronized. -![Diagram of forest trust from Azure AD DS to on-premises AD DS](./media/create-forest-powershell/forest-trust-relationship.png) +![Diagram of forest trust from Microsoft Entra DS to on-premises AD DS](./media/create-forest-powershell/forest-trust-relationship.png) In this article, you learn how to: > [!div class="checklist"]-> * Create an Azure AD DS forest using Azure PowerShell +> * Create a Microsoft Entra DS forest using Azure PowerShell > * Create a one-way outbound forest trust in the managed domain using Azure PowerShell > * Configure DNS in an on-premises AD DS environment to support managed domain connectivity > * Create a one-way inbound forest trust in an on-premises AD DS environment To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. * Install and configure Azure PowerShell. * If needed, follow the instructions to [install the Azure PowerShell module and connect to your Azure subscription](/powershell/azure/install-azure-powershell). * Make sure that you sign in to your Azure subscription using the [Connect-AzAccount][Connect-AzAccount] cmdlet. * Install and configure Azure AD PowerShell.- * If needed, follow the instructions to [install the Azure AD PowerShell module and connect to Azure AD](/powershell/azure/active-directory/install-adv2). - * Make sure that you sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet. -* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to enable Azure AD DS. -* You need [Domain Services Contributor](../role-based-access-control/built-in-roles.md#contributor) Azure role to create the required Azure AD DS resources. + * If needed, follow the instructions to [install the Azure AD PowerShell module and connect to Microsoft Entra ID](/powershell/azure/active-directory/install-adv2). + * Make sure that you sign in to your Microsoft Entra tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet. +* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to enable Microsoft Entra DS. +* You need [Domain Services Contributor](../role-based-access-control/built-in-roles.md#contributor) Azure role to create the required Microsoft Entra DS resources. ## Sign in to the Microsoft Entra admin center It's a multi-part process to create a managed domain forest and the trust relati Before you start, make sure you understand the [network considerations, forest naming, and DNS requirements](tutorial-create-forest-trust.md#networking-considerations). You can't change the managed domain forest name once it's deployed. -## Create the Azure AD service principal +<a name='create-the-azure-ad-service-principal'></a> -Azure AD DS requires a service principal synchronize data from Azure AD. This principal must be created in your Azure AD tenant before you created the managed domain forest. +## Create the Microsoft Entra service principal -Create an Azure AD service principal for Azure AD DS to communicate and authenticate itself. A specific application ID is used named *Domain Controller Services* with an ID of *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Don't change this application ID. +Microsoft Entra DS requires a service principal synchronize data from Microsoft Entra ID. This principal must be created in your Microsoft Entra tenant before you created the managed domain forest. -Create an Azure AD service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet: +Create a Microsoft Entra service principal for Microsoft Entra DS to communicate and authenticate itself. A specific application ID is used named *Domain Controller Services* with an ID of *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Don't change this application ID. ++Create a Microsoft Entra service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet: ```powershell New-AzureADServicePrincipal -AppId "6ba9a5d4-8456-4118-b521-9c5ca10cdf84" New-AzureADServicePrincipal -AppId "6ba9a5d4-8456-4118-b521-9c5ca10cdf84" ## Create a managed domain -To create a managed domain, you use the `New-AzureAaddsForest` script. This script is part of a wider set of commands that support managed domains, including create the one-way bound forest in a following section. These scripts are available from the [PowerShell Gallery](https://www.powershellgallery.com/) and are digitally signed by the Azure AD engineering team. +To create a managed domain, you use the `New-AzureAaddsForest` script. This script is part of a wider set of commands that support managed domains, including create the one-way bound forest in a following section. These scripts are available from the [PowerShell Gallery](https://www.powershellgallery.com/) and are digitally signed by the Microsoft Entra engineering team. 1. First, create a resource group using the [New-AzResourceGroup][New-AzResourceGroup] cmdlet. In the following example, the resource group is named *myResourceGroup* and is created in the *westus* region. Use your own name and desired region: To create a managed domain, you use the `New-AzureAaddsForest` script. This scri | Name | Script parameter | Description | |:--||:|- | Subscription | *-azureSubscriptionId* | Subscription ID used for Azure AD DS billing. You can get the list of subscriptions using the [Get-AzureRMSubscription][Get-AzureRMSubscription] cmdlet. | + | Subscription | *-azureSubscriptionId* | Subscription ID used for Microsoft Entra DS billing. You can get the list of subscriptions using the [Get-AzureRMSubscription][Get-AzureRMSubscription] cmdlet. | | Resource Group | *-aaddsResourceGroupName* | Name of the resource group for the managed domain and associated resources. |- | Location | *-aaddsLocation* | The Azure region to host your managed domain. For available regions, see [supported regions for Azure AD DS.](https://azure.microsoft.com/global-infrastructure/services/?products=active-directory-ds®ions=all) | - | Azure AD DS administrator | *-aaddsAdminUser* | The user principal name of the first managed domain administrator. This account must be an existing cloud user account in your Azure Active Directory. The user, and the user running the script, is added to the *AAD DC Administrators* group. | - | Azure AD DS domain name | *-aaddsDomainName* | The FQDN of the managed domain, based on the previous guidance on how to choose a forest name. | + | Location | *-aaddsLocation* | The Azure region to host your managed domain. For available regions, see [supported regions for Microsoft Entra DS.](https://azure.microsoft.com/global-infrastructure/services/?products=active-directory-ds®ions=all) | + | Microsoft Entra DS administrator | *-aaddsAdminUser* | The user principal name of the first managed domain administrator. This account must be an existing cloud user account in your Microsoft Entra ID. The user, and the user running the script, is added to the *AAD DC Administrators* group. | + | Microsoft Entra DS domain name | *-aaddsDomainName* | The FQDN of the managed domain, based on the previous guidance on how to choose a forest name. | - The `New-AzureAaddsForest` script can create the Azure virtual network and Azure AD DS subnet if these resources don't already exist. The script can optionally create the workload subnets, when specified: + The `New-AzureAaddsForest` script can create the Azure virtual network and Microsoft Entra DS subnet if these resources don't already exist. The script can optionally create the workload subnets, when specified: | Name | Script parameter | Description | |:-|:-|:| | Virtual network name | *-aaddsVnetName* | Name of the virtual network for the managed domain.| | Address space | *-aaddsVnetCIDRAddressSpace* | Virtual network's address range in CIDR notation (if creating the virtual network).|- | Azure AD DS subnet name | *-aaddsSubnetName* | Name of the subnet of the *aaddsVnetName* virtual network hosting the managed domain. Don't deploy your own VMs and workloads into this subnet. | - | Azure AD DS address range | *-aaddsSubnetCIDRAddressRange* | Subnet address range in CIDR notation for the Azure AD DS instance, such as *192.168.1.0/24*. Address range must be contained by the address range of the virtual network, and different from other subnets. | + | Microsoft Entra DS subnet name | *-aaddsSubnetName* | Name of the subnet of the *aaddsVnetName* virtual network hosting the managed domain. Don't deploy your own VMs and workloads into this subnet. | + | Microsoft Entra DS address range | *-aaddsSubnetCIDRAddressRange* | Subnet address range in CIDR notation for the Microsoft Entra DS instance, such as *192.168.1.0/24*. Address range must be contained by the address range of the virtual network, and different from other subnets. | | Workload subnet name (optional) | *-workloadSubnetName* | Optional name of a subnet in the *aaddsVnetName* virtual network to create for your own application workloads. VMs and applications and also be connected to a peered Azure virtual network instead. | | Workload address range (optional) | *-workloadSubnetCIDRAddressRange* | Optional subnet address range in CIDR notation for application workload, such as *192.168.2.0/24*. Address range must be contained by the address range of the virtual network, and different from other subnets.| To create a managed domain, you use the `New-AzureAaddsForest` script. This scri -workloadSubnetCIDRAddressRange "192.168.2.0/24" ``` - It takes quite some time to create the managed domain forest and supporting resources. Allow the script to complete. Continue on to the next section to configure your on-premises network connectivity while the Azure AD forest provisions in the background. + It takes quite some time to create the managed domain forest and supporting resources. Allow the script to complete. Continue on to the next section to configure your on-premises network connectivity while the Microsoft Entra forest provisions in the background. ## Configure and validate network settings Before you start, make sure you understand the [network considerations and recom * Confirm that your on-premises domain controller can connect to the managed VM using `ping` or remote desktop, for example. * Verify that your management VM can connect to your on-premises domain controllers, again using a utility such as `ping`. -1. In the Microsoft Entra admin center, search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com* and wait for the status to report as **Running**. +1. In the Microsoft Entra admin center, search for and select **Microsoft Entra Domain Services**. Choose your managed domain, such as *aaddscontoso.com* and wait for the status to report as **Running**. - When running, [update DNS settings for the Azure virtual network](tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network) and then [enable user accounts for Azure AD DS](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) to finalize the configurations for your managed domain. + When running, [update DNS settings for the Azure virtual network](tutorial-create-instance.md#update-dns-settings-for-the-azure-virtual-network) and then [enable user accounts for Microsoft Entra DS](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) to finalize the configurations for your managed domain. 1. Make a note of the DNS addresses shown on the overview page. You need these addresses when you configure the on-premises Active Directory side of the trust relationship in a following section. 1. Restart the management VM for it to receive the new DNS settings, then [join the VM to the managed domain](join-windows-vm.md#join-the-vm-to-the-managed-domain). Now provide the script the following information: | Name | Script parameter | Description | |:--|:|:|-| Azure AD DS domain name | *-ManagedDomainFqdn* | FQDN of the managed domain, such as *aaddscontoso.com* | +| Microsoft Entra DS domain name | *-ManagedDomainFqdn* | FQDN of the managed domain, such as *aaddscontoso.com* | | On-premises AD DS domain name | *-TrustFqdn* | The FQDN of the trusted forest, such as *onprem.contoso.com* | | Trust friendly name | *-TrustFriendlyName* | Friendly name of the trust relationship. | | On-premises AD DS DNS IP addresses | *-TrustDnsIPs* | A comma-delimited list of DNS server IPv4 addresses for the trusted domain listed. | To configure inbound trust on the on-premises AD DS domain, complete the followi The following common scenarios let you validate that forest trust correctly authenticates users and access to resources: -* [On-premises user authentication from the Azure AD DS forest](#on-premises-user-authentication-from-the-azure-ad-ds-forest) -* [Access resources in the Azure AD DS forest as an on-premises user](#access-resources-in-azure-ad-ds-as-an-on-premises-user) +* [On-premises user authentication from the Microsoft Entra DS forest](#on-premises-user-authentication-from-the-azure-ad-ds-forest) +* [Access resources in the Microsoft Entra DS forest as an on-premises user](#access-resources-in-azure-ad-ds-as-an-on-premises-user) * [Enable file and printer sharing](#enable-file-and-printer-sharing) * [Create a security group and add members](#create-a-security-group-and-add-members) * [Create a file share for cross-forest access](#create-a-file-share-for-cross-forest-access) * [Validate cross-forest authentication to a resource](#validate-cross-forest-authentication-to-a-resource) -### On-premises user authentication from the Azure AD DS forest +<a name='on-premises-user-authentication-from-the-azure-ad-ds-forest'></a> ++### On-premises user authentication from the Microsoft Entra DS forest You should have Windows Server virtual machine joined to the managed domain resource domain. Use this virtual machine to test your on-premises user can authenticate on a virtual machine. 1. Connect to the Windows Server VM joined to the managed domain using Remote Desktop and your managed domain administrator credentials. If you get a Network Level Authentication (NLA) error, check the user account you used is not a domain user account. > [!TIP]- > To securely connect to your VMs joined to Azure AD Domain Services, you can use the [Azure Bastion Host Service](../bastion/bastion-overview.md) in supported Azure regions. + > To securely connect to your VMs joined to Microsoft Entra Domain Services, you can use the [Azure Bastion Host Service](../bastion/bastion-overview.md) in supported Azure regions. 1. Open a command prompt and use the `whoami` command to show the distinguished name of the currently authenticated user: You should have Windows Server virtual machine joined to the managed domain reso 1. If the authentication is a successful, a new command prompt opens. The title of the new command prompt includes `running as userUpn@trusteddomain.com`. 1. Use `whoami /fqdn` in the new command prompt to view the distinguished name of the authenticated user from the on-premises Active Directory. -### Access resources in Azure AD DS as an on-premises user +<a name='access-resources-in-azure-ad-ds-as-an-on-premises-user'></a> ++### Access resources in Microsoft Entra DS as an on-premises user Using the Windows Server VM joined to the managed domain, you can test the scenario where users can access resources hosted in the forest when they authenticate from computers in the on-premises domain with users from the on-premises domain. The following examples show you how to create and test various common scenarios. Using the Windows Server VM joined to the managed domain, you can test the scena 1. Connect to the Windows Server VM joined to the managed domain using Remote Desktop and your managed domain administrator credentials. If you get a Network Level Authentication (NLA) error, check the user account you used is not a domain user account. > [!TIP]- > To securely connect to your VMs joined to Azure AD Domain Services, you can use the [Azure Bastion Host Service](../bastion/bastion-overview.md) in supported Azure regions. + > To securely connect to your VMs joined to Microsoft Entra Domain Services, you can use the [Azure Bastion Host Service](../bastion/bastion-overview.md) in supported Azure regions. 1. Open **Windows Settings**, then search for and select **Network and Sharing Center**. 1. Choose the option for **Change advanced sharing** settings. In this article, you learned how to: > * Create a one-way inbound forest trust in an on-premises AD DS environment > * Test and validate the trust relationship for authentication and resource access -For more conceptual information about forest types in Azure AD DS, see [How do forest trusts work in Azure AD DS?][concepts-trust] +For more conceptual information about forest types in Microsoft Entra DS, see [How do forest trusts work in Microsoft Entra DS?][concepts-trust] <!-- INTERNAL LINKS --> [concepts-trust]: concepts-forest-trust.md |
active-directory-domain-services | Create Gmsa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-gmsa.md | Title: Group managed service accounts for Azure AD Domain Services | Microsoft Docs -description: Learn how to create a group managed service account (gMSA) for use with Azure Active Directory Domain Services managed domains + Title: Group managed service accounts for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to create a group managed service account (gMSA) for use with Microsoft Entra Domain Services managed domains Last updated 01/29/2023 -# Create a group managed service account (gMSA) in Azure Active Directory Domain Services +# Create a group managed service account (gMSA) in Microsoft Entra Domain Services Applications and services often need an identity to authenticate themselves with other resources. For example, a web service may need to authenticate with a database service. If an application or service has multiple instances, such as a web server farm, manually creating and configuring the identities for those resources gets time consuming. -Instead, a group managed service account (gMSA) can be created in the Azure Active Directory Domain Services (Azure AD DS) managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources. +Instead, a group managed service account (gMSA) can be created in the Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources. This article shows you how to create a gMSA in a managed domain using Azure PowerShell. To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A Windows Server management VM that is joined to the Azure AD DS managed domain. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A Windows Server management VM that is joined to the Microsoft Entra DS managed domain. * If needed, complete the tutorial to [create a management VM][tutorial-create-management-vm]. ## Managed service accounts overview A group managed service account (gMSA) provides the same management simplificati For more information, see [group managed service accounts (gMSA) overview][gmsa-overview]. -## Using service accounts in Azure AD DS +<a name='using-service-accounts-in-azure-ad-ds'></a> ++## Using service accounts in Microsoft Entra DS As managed domains are locked down and managed by Microsoft, there are some considerations when using service accounts: As managed domains are locked down and managed by Microsoft, there are some cons * You can't create a service account in the built-in *AADDC Users* or *AADDC Computers* OUs. * Instead, [create a custom OU][create-custom-ou] in the managed domain and then create service accounts in that custom OU. * The Key Distribution Services (KDS) root key is pre-created.- * The KDS root key is used to generate and retrieve passwords for gMSAs. In Azure AD DS, the KDS root is created for you. + * The KDS root key is used to generate and retrieve passwords for gMSAs. In Microsoft Entra DS, the KDS root is created for you. * You don't have privileges to create another, or view the default, KDS root key. ## Create a gMSA -First, create a custom OU using the [New-ADOrganizationalUnit][New-AdOrganizationalUnit] cmdlet. For more information on creating and managing custom OUs, see [Custom OUs in Azure AD DS][create-custom-ou]. +First, create a custom OU using the [New-ADOrganizationalUnit][New-AdOrganizationalUnit] cmdlet. For more information on creating and managing custom OUs, see [Custom OUs in Microsoft Entra DS][create-custom-ou]. > [!TIP] > To complete these steps to create a gMSA, [use your management VM][tutorial-create-management-vm]. This management VM should already have the required AD PowerShell cmdlets and connection to the managed domain. |
active-directory-domain-services | Create Ou | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-ou.md | Title: Create an organizational unit (OU) in Azure AD Domain Services | Microsoft Docs' -description: Learn how to create and manage a custom Organizational Unit (OU) in an Azure AD Domain Services managed domain. + Title: Create an organizational unit (OU) in Microsoft Entra Domain Services | Microsoft Docs' +description: Learn how to create and manage a custom Organizational Unit (OU) in a Microsoft Entra Domain Services managed domain. Last updated 09/15/2023 -# Create an Organizational Unit (OU) in an Azure Active Directory Domain Services managed domain +# Create an Organizational Unit (OU) in a Microsoft Entra Domain Services managed domain Organizational units (OUs) in an Active Directory Domain Services (AD DS) managed domain let you logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific OUs, and apply group policy to enforce targeted configuration settings. -Azure AD DS managed domains include the following two built-in OUs: +Microsoft Entra DS managed domains include the following two built-in OUs: * *AADDC Computers* - contains computer objects for all computers that are joined to the managed domain.-* *AADDC Users* - includes users and groups synchronized in from the Azure AD tenant. +* *AADDC Users* - includes users and groups synchronized in from the Microsoft Entra tenant. -As you create and run workloads that use Azure AD DS, you may need to create service accounts for applications to authenticate themselves. To organize these service accounts, you often create a custom OU in the managed domain and then create service accounts within that OU. +As you create and run workloads that use Microsoft Entra DS, you may need to create service accounts for applications to authenticate themselves. To organize these service accounts, you often create a custom OU in the managed domain and then create service accounts within that OU. In a hybrid environment, OUs created in an on-premises AD DS environment aren't synchronized to the managed domain. Managed domains use a flat OU structure. All user accounts and groups are stored in the *AADDC Users* container, despite being synchronized from different on-premises domains or forests, even if you've configured a hierarchical OU structure there. To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A Windows Server management VM that is joined to the Azure AD DS managed domain. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A Windows Server management VM that is joined to the Microsoft Entra DS managed domain. * If needed, complete the tutorial to [create a management VM][tutorial-create-management-vm].-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. +* A user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant. ## Custom OU considerations and limitations When you create custom OUs in a managed domain, you gain additional management f * To create custom OUs, users must be a member of the *AAD DC Administrators* group. * A user that creates a custom OU is granted administrative privileges (full control) over that OU and is the resource owner. * By default, the *AAD DC Administrators* group also has full control of the custom OU.-* A default OU for *AADDC Users* is created that contains all the synchronized user accounts from your Azure AD tenant. +* A default OU for *AADDC Users* is created that contains all the synchronized user accounts from your Microsoft Entra tenant. * You can't move users or groups from the *AADDC Users* OU to custom OUs that you create. Only user accounts or resources created in the managed domain can be moved into custom OUs.-* User accounts, groups, service accounts, and computer objects that you create under custom OUs aren't available in your Azure AD tenant. - * These objects don't show up using the Microsoft Graph API or in the Azure AD UI; they're only available in your managed domain. +* User accounts, groups, service accounts, and computer objects that you create under custom OUs aren't available in your Microsoft Entra tenant. + * These objects don't show up using the Microsoft Graph API or in the Microsoft Entra UI; they're only available in your managed domain. ## Create a custom OU |
active-directory-domain-services | Csp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/csp.md | Title: Azure AD Domain Services for Cloud Solution Providers | Microsoft Docs -description: Learn how to enable and manage Azure Active Directory Domain Services managed domains for Azure Cloud Solution Providers + Title: Microsoft Entra Domain Services for Cloud Solution Providers | Microsoft Docs +description: Learn how to enable and manage Microsoft Entra Domain Services managed domains for Azure Cloud Solution Providers Last updated 09/15/2023 -# Azure Active Directory Domain Services deployment and management for Azure Cloud Solution Providers +# Microsoft Entra Domain Services deployment and management for Azure Cloud Solution Providers Azure Cloud Solution Providers (CSP) is a program for Microsoft Partners and provides a license channel for various Microsoft cloud services. Azure CSP enables partners to manage sales, own the billing relationship, provide technical and billing support, and be the customer's single point of contact. In addition, Azure CSP provides a full set of tools, including a self-service portal and accompanying APIs. These tools enable CSP partners to easily provision and manage Azure resources, and provide billing for customers and their subscriptions. The [Partner Center portal](/partner-center/azure-plan-lp) is the entry point for all Azure CSP partners, and provides rich customer management capabilities, automated processing, and more. Azure CSP partners can use Partner Center capabilities by using a web-based UI or by using PowerShell and various API calls. -The following diagram illustrates how the CSP model works at a high level. Here, Contoso has an Azure Active Directory (Azure AD) tenant. They have a partnership with a CSP, who deploys and manages resources in their Azure CSP subscription. Contoso may also have regular (direct) Azure subscriptions, which are billed directly to Contoso. +The following diagram illustrates how the CSP model works at a high level. Here, Contoso has a Microsoft Entra tenant. They have a partnership with a CSP, who deploys and manages resources in their Azure CSP subscription. Contoso may also have regular (direct) Azure subscriptions, which are billed directly to Contoso. ![Overview of the CSP model](./media/csp/csp_model_overview.png) The CSP partner's tenant has three special agent groups - *Admin* agents, *Helpdesk* agents, and *Sales* agents. -The *Admin* agents group is assigned to the tenant administrator role in Contoso's Azure AD tenant. As a result, a user belonging to the CSP partner's admin agents group has tenant admin privileges in Contoso's Azure AD tenant. +The *Admin* agents group is assigned to the tenant administrator role in Contoso's Microsoft Entra tenant. As a result, a user belonging to the CSP partner's admin agents group has tenant admin privileges in Contoso's Microsoft Entra tenant. -When the CSP partner provisions an Azure CSP subscription for Contoso, their admin agents group is assigned to the owner role for that subscription. As a result, the CSP partner's admin agents have the required privileges to provision Azure resources such as virtual machines, virtual networks, and Azure AD Domain Services on behalf of Contoso. +When the CSP partner provisions an Azure CSP subscription for Contoso, their admin agents group is assigned to the owner role for that subscription. As a result, the CSP partner's admin agents have the required privileges to provision Azure resources such as virtual machines, virtual networks, and Microsoft Entra Domain Services on behalf of Contoso. For more information, see the [Azure CSP overview](/partner-center/azure-plan-lp) -## Benefits of using Azure AD DS in an Azure CSP subscription +<a name='benefits-of-using-azure-ad-ds-in-an-azure-csp-subscription'></a> -Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory Domain Services. Over the decades, many applications have been built to work against AD using these capabilities. Many independent software vendors (ISVs) have built and deployed applications at their customers' premises. These applications are hard to support since you often require access to the different environments where the applications are deployed. With Azure CSP subscriptions, you have a simpler alternative with the scale and flexibility of Azure. +## Benefits of using Microsoft Entra DS in an Azure CSP subscription -Azure AD DS supports Azure CSP subscriptions. You can deploy your application in an Azure CSP subscription tied to your customer's Azure AD tenant. As a result, your employees (support staff) can manage, administer, and service the VMs on which your application is deployed using your organization's corporate credentials. +Microsoft Entra Domain Services (Microsoft Entra DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory Domain Services. Over the decades, many applications have been built to work against AD using these capabilities. Many independent software vendors (ISVs) have built and deployed applications at their customers' premises. These applications are hard to support since you often require access to the different environments where the applications are deployed. With Azure CSP subscriptions, you have a simpler alternative with the scale and flexibility of Azure. -You can also deploy an Azure AD DS managed domain in your customer's Azure AD tenant. Your application is then connected to your customer's managed domain. Capabilities within your application that rely on Kerberos / NTLM, LDAP, or the [System.DirectoryServices API](/dotnet/api/system.directoryservices) work seamlessly against your customer's domain. End customers benefit from consuming your application as a service, without needing to worry about maintaining the infrastructure the application is deployed on. +Microsoft Entra DS supports Azure CSP subscriptions. You can deploy your application in an Azure CSP subscription tied to your customer's Microsoft Entra tenant. As a result, your employees (support staff) can manage, administer, and service the VMs on which your application is deployed using your organization's corporate credentials. -All billing for Azure resources you consume in that subscription, including Azure AD DS, is charged back to you. You maintain full control over the relationship with the customer when it comes to sales, billing, technical support etc. With the flexibility of the Azure CSP platform, a small team of support agents can service many such customers who have instances of your application deployed. +You can also deploy a Microsoft Entra DS managed domain in your customer's Microsoft Entra tenant. Your application is then connected to your customer's managed domain. Capabilities within your application that rely on Kerberos / NTLM, LDAP, or the [System.DirectoryServices API](/dotnet/api/system.directoryservices) work seamlessly against your customer's domain. End customers benefit from consuming your application as a service, without needing to worry about maintaining the infrastructure the application is deployed on. -## CSP deployment models for Azure AD DS +All billing for Azure resources you consume in that subscription, including Microsoft Entra DS, is charged back to you. You maintain full control over the relationship with the customer when it comes to sales, billing, technical support etc. With the flexibility of the Azure CSP platform, a small team of support agents can service many such customers who have instances of your application deployed. -There are two ways in which you can use Azure AD DS with an Azure CSP subscription. Pick the right one based on the security and simplicity considerations your customers have. +<a name='csp-deployment-models-for-azure-ad-ds'></a> ++## CSP deployment models for Microsoft Entra DS ++There are two ways in which you can use Microsoft Entra DS with an Azure CSP subscription. Pick the right one based on the security and simplicity considerations your customers have. ### Direct deployment model -In this deployment model, Azure AD DS is enabled within a virtual network that belongs to the Azure CSP subscription. The CSP partner's admin agents have the following privileges: +In this deployment model, Microsoft Entra DS is enabled within a virtual network that belongs to the Azure CSP subscription. The CSP partner's admin agents have the following privileges: -* *Global administrator* privileges in the customer's Azure AD tenant. +* *Global administrator* privileges in the customer's Microsoft Entra tenant. * *Subscription owner* privileges on the Azure CSP subscription. ![Direct deployment model](./media/csp/csp_direct_deployment_model.png) -In this deployment model, the CSP provider's admin agents can administer identities for the customer. These admin agents can perform tasks like provision new users or groups, or add applications within the customer's Azure AD tenant. +In this deployment model, the CSP provider's admin agents can administer identities for the customer. These admin agents can perform tasks like provision new users or groups, or add applications within the customer's Microsoft Entra tenant. This deployment model may be suited for smaller organizations that don't have a dedicated identity administrator or prefer for the CSP partner to administer identities on their behalf. ### Peered deployment model -In this deployment model, Azure AD DS is enabled within a virtual network belonging to the customer - a direct Azure subscription paid for by the customer. The CSP partner can deploy applications within a virtual network belonging to the customer's CSP subscription. The virtual networks can then be connected using Azure virtual network peering. +In this deployment model, Microsoft Entra DS is enabled within a virtual network belonging to the customer - a direct Azure subscription paid for by the customer. The CSP partner can deploy applications within a virtual network belonging to the customer's CSP subscription. The virtual networks can then be connected using Azure virtual network peering. With this deployment, the workloads or applications deployed by the CSP partner in the Azure CSP subscription can connect to the customer's managed domain provisioned in the customer's direct Azure subscription. ![Peered deployment model](./media/csp/csp_peered_deployment_model.png) -This deployment model provides a separation of privileges and enables the CSP partner's helpdesk agents to administer the Azure subscription and deploy and manage resources within it. However, the CSP partner's helpdesk agents don't need to have global administrator privileges on the customer's Azure AD directory. The customer's identity administrators can continue to manage identities for their organization. +This deployment model provides a separation of privileges and enables the CSP partner's helpdesk agents to administer the Azure subscription and deploy and manage resources within it. However, the CSP partner's helpdesk agents don't need to have global administrator privileges on the customer's Microsoft Entra directory. The customer's identity administrators can continue to manage identities for their organization. ++This deployment model may be suited to scenarios where an ISV provides a hosted version of their on-premises application, which also needs to connect to the customer's Microsoft Entra ID. -This deployment model may be suited to scenarios where an ISV provides a hosted version of their on-premises application, which also needs to connect to the customer's Azure AD. +<a name='administer-azure-ad-ds-in-csp-subscriptions'></a> -## Administer Azure AD DS in CSP subscriptions +## Administer Microsoft Entra DS in CSP subscriptions The following important considerations apply when administering a managed domain in an Azure CSP subscription: -* **CSP admin agents can provision a managed domain using their credentials:** Azure AD DS supports Azure CSP subscriptions. Users belonging to a CSP partner's admin agents group can provision a new managed domain. +* **CSP admin agents can provision a managed domain using their credentials:** Microsoft Entra DS supports Azure CSP subscriptions. Users belonging to a CSP partner's admin agents group can provision a new managed domain. -* **CSPs can script creation of new managed domains for their customers using PowerShell:** See [how to enable Azure AD DS using PowerShell](powershell-create-instance.md) for details. +* **CSPs can script creation of new managed domains for their customers using PowerShell:** See [how to enable Microsoft Entra DS using PowerShell](powershell-create-instance.md) for details. -* **CSP admin agents can't perform ongoing management tasks on the managed domain using their credentials:** CSP admin users can't perform routine management tasks within the managed domain using their credentials. These users are external to the customer's Azure AD tenant and their credentials aren't available within the customer's Azure AD tenant. Azure AD DS doesn't have access to the Kerberos and NTLM password hashes for these users, so users can't be authenticated on managed domains. +* **CSP admin agents can't perform ongoing management tasks on the managed domain using their credentials:** CSP admin users can't perform routine management tasks within the managed domain using their credentials. These users are external to the customer's Microsoft Entra tenant and their credentials aren't available within the customer's Microsoft Entra tenant. Microsoft Entra DS doesn't have access to the Kerberos and NTLM password hashes for these users, so users can't be authenticated on managed domains. > [!WARNING] > You must create a user account within the customer's directory to perform ongoing administration tasks on the managed domain. >- > You can't sign in to the managed domain using a CSP admin user's credentials. Use the credentials of a user account belonging to the customer's Azure AD tenant to do so. You need these credentials for tasks such as joining VMs to the managed domain, administering DNS, or administering Group Policy. + > You can't sign in to the managed domain using a CSP admin user's credentials. Use the credentials of a user account belonging to the customer's Microsoft Entra tenant to do so. You need these credentials for tasks such as joining VMs to the managed domain, administering DNS, or administering Group Policy. * **The user account created for ongoing administration must be added to the *AAD DC Administrators* group:** The *AAD DC Administrators* group has privileges to perform certain delegated administration tasks on the managed domain. These tasks include configuring DNS, creating organizational units, and administering group policy. - For a CSP partner to perform these tasks on a managed domain, a user account must be created within the customer's Azure AD tenant. The credentials for this account must be shared with the CSP partner's admin agents. Also, this user account must be added to the *AAD DC Administrators* group to enable configuration tasks on the managed domain to be performed using this user account. + For a CSP partner to perform these tasks on a managed domain, a user account must be created within the customer's Microsoft Entra tenant. The credentials for this account must be shared with the CSP partner's admin agents. Also, this user account must be added to the *AAD DC Administrators* group to enable configuration tasks on the managed domain to be performed using this user account. ## Next steps -To get started, [enroll in the Azure CSP program](/partner-center/enrolling-in-the-csp-program). You can then enable Azure AD Domain Services using the [Microsoft Entra admin center](tutorial-create-instance.md) or [Azure PowerShell](powershell-create-instance.md). +To get started, [enroll in the Azure CSP program](/partner-center/enrolling-in-the-csp-program). You can then enable Microsoft Entra Domain Services using the [Microsoft Entra admin center](tutorial-create-instance.md) or [Azure PowerShell](powershell-create-instance.md). |
active-directory-domain-services | Delete Aadds | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/delete-aadds.md | Title: Delete Azure Active Directory Domain Services | Microsoft Docs -description: Learn how to disable, or delete, an Azure Active Directory Domain Services managed domain + Title: Delete Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to disable, or delete, a Microsoft Entra Domain Services managed domain Last updated 09/15/2023 -# Delete an Azure Active Directory Domain Services managed domain +# Delete a Microsoft Entra Domain Services managed domain -If you no longer need an Azure Active Directory Domain Services (Azure AD DS) managed domain, you can delete it. There's no option to turn off or temporarily disable an Azure AD DS managed domain. Deleting the managed domain doesn't delete or otherwise adversely impact the Azure AD tenant. +If you no longer need a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain, you can delete it. There's no option to turn off or temporarily disable a Microsoft Entra DS managed domain. Deleting the managed domain doesn't delete or otherwise adversely impact the Microsoft Entra tenant. This article shows you how to use the Microsoft Entra admin center to delete a managed domain. This article shows you how to use the Microsoft Entra admin center to delete a m To delete a managed domain, complete the following steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator).-1. Search for and select **Azure AD Domain Services**. +1. Search for and select **Microsoft Entra Domain Services**. 1. Select the name of your managed domain, such as *aaddscontoso.com*. 1. On the **Overview** page, select **Delete**. To confirm the deletion, type the domain name of the managed domain again, then select **Delete**. It can take 15-20 minutes or more to delete the managed domain. ## Next steps -Consider [sharing feedback][feedback] for the features that you would like to see in Azure AD DS. +Consider [sharing feedback][feedback] for the features that you would like to see in Microsoft Entra DS. -If you want to get started with Azure AD DS again, see [Create and configure an Azure Active Directory Domain Services managed domain][create-instance]. +If you want to get started with Microsoft Entra DS again, see [Create and configure a Microsoft Entra Domain Services managed domain][create-instance]. <!-- INTERNAL LINKS --> [feedback]: https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789?c=5d63b5b7-ae25-ec11-b6e6-000d3a4f0789 |
active-directory-domain-services | Deploy Azure App Proxy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-azure-app-proxy.md | Title: Deploy Azure AD Application Proxy for Azure AD Domain Services | Microsoft Docs -description: Learn how to provide secure access to internal applications for remote workers by deploying and configuring Azure Active Directory Application Proxy in an Azure Active Directory Domain Services managed domain + Title: Deploy Microsoft Entra application proxy for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to provide secure access to internal applications for remote workers by deploying and configuring Microsoft Entra application proxy in a Microsoft Entra Domain Services managed domain Last updated 09/15/2023 -# Deploy Azure AD Application Proxy for secure access to internal applications in an Azure Active Directory Domain Services managed domain +# Deploy Microsoft Entra application proxy for secure access to internal applications in a Microsoft Entra Domain Services managed domain -With Azure AD Domain Services (Azure AD DS), you can lift-and-shift legacy applications running on-premises into Azure. Azure Active Directory (AD) Application Proxy then helps you support remote workers by securely publishing those internal applications part of an Azure AD DS managed domain so they can be accessed over the internet. +With Microsoft Entra Domain Services (Microsoft Entra DS), you can lift-and-shift legacy applications running on-premises into Azure. Microsoft Entra application proxy then helps you support remote workers by securely publishing those internal applications part of a Microsoft Entra DS managed domain so they can be accessed over the internet. -If you're new to the Azure AD Application Proxy and want to learn more, see [How to provide secure remote access to internal applications](../active-directory/app-proxy/application-proxy.md). +If you're new to the Microsoft Entra application proxy and want to learn more, see [How to provide secure remote access to internal applications](../active-directory/app-proxy/application-proxy.md). -This article shows you how to create and configure an Azure AD Application Proxy connector to provide secure access to applications in a managed domain. +This article shows you how to create and configure a Microsoft Entra application proxy connector to provide secure access to applications in a managed domain. ## Before you begin To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. - * An **Azure AD Premium license** is required to use the Azure AD Application Proxy. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. + * An **Microsoft Entra ID P1 or P2 license** is required to use the Microsoft Entra application proxy. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. ## Create a domain-joined Windows VM -To route traffic to applications running in your environment, you install the Azure AD Application Proxy connector component. This Azure AD Application Proxy connector must be installed on a Windows Server virtual machine (VM) that's joined to the managed domain. For some applications, you can deploy multiple servers that each have the connector installed. This deployment option gives you greater availability and helps handle heavier authentication loads. +To route traffic to applications running in your environment, you install the Microsoft Entra application proxy connector component. This Microsoft Entra application proxy connector must be installed on a Windows Server virtual machine (VM) that's joined to the managed domain. For some applications, you can deploy multiple servers that each have the connector installed. This deployment option gives you greater availability and helps handle heavier authentication loads. -The VM that runs the Azure AD Application Proxy connector must be on the same, or a peered, virtual network as your managed domain. The VMs that then host the applications you publish using the Application Proxy must also be deployed on the same Azure virtual network. +The VM that runs the Microsoft Entra application proxy connector must be on the same, or a peered, virtual network as your managed domain. The VMs that then host the applications you publish using the Application Proxy must also be deployed on the same Azure virtual network. -To create a VM for the Azure AD Application Proxy connector, complete the following steps: +To create a VM for the Microsoft Entra application proxy connector, complete the following steps: -1. [Create a custom OU](create-ou.md). You can delegate permissions to manage this custom OU to users within the managed domain. The VMs for Azure AD Application Proxy and that run your applications must be a part of the custom OU, not the default *AAD DC Computers* OU. -1. [Domain-join the virtual machines][create-join-windows-vm], both the one that runs the Azure AD Application Proxy connector, and the ones that run your applications, to the managed domain. Create these computer accounts in the custom OU from the previous step. +1. [Create a custom OU](create-ou.md). You can delegate permissions to manage this custom OU to users within the managed domain. The VMs for Microsoft Entra application proxy and that run your applications must be a part of the custom OU, not the default *Microsoft Entra DC Computers* OU. +1. [Domain-join the virtual machines][create-join-windows-vm], both the one that runs the Microsoft Entra application proxy connector, and the ones that run your applications, to the managed domain. Create these computer accounts in the custom OU from the previous step. -## Download the Azure AD Application Proxy connector +<a name='download-the-azure-ad-application-proxy-connector'></a> -Perform the following steps to download the Azure AD Application Proxy connector. The setup file you download is copied to your App Proxy VM in the next section. +## Download the Microsoft Entra application proxy connector ++Perform the following steps to download the Microsoft Entra application proxy connector. The setup file you download is copied to your App Proxy VM in the next section. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator). 1. Search for and select **Enterprise applications**. 1. Select **Application proxy** from the menu on the left-hand side. To create your first connector and enable App Proxy, select the link to **download a connector**. 1. On the download page, accept the license terms and privacy agreement, then select **Accept terms & Download**. - ![Download the Azure AD App Proxy connector](./media/app-proxy/download-app-proxy-connector.png) + ![Download the Microsoft Entra application proxy connector](./media/app-proxy/download-app-proxy-connector.png) ++<a name='install-and-register-the-azure-ad-application-proxy-connector'></a> -## Install and register the Azure AD Application Proxy connector +## Install and register the Microsoft Entra application proxy connector -With a VM ready to be used as the Azure AD Application Proxy connector, now copy and run the setup file downloaded from the Microsoft Entra admin center. +With a VM ready to be used as the Microsoft Entra application proxy connector, now copy and run the setup file downloaded from the Microsoft Entra admin center. -1. Copy the Azure AD Application Proxy connector setup file to your VM. +1. Copy the Microsoft Entra application proxy connector setup file to your VM. 1. Run the setup file, such as *AADApplicationProxyConnectorInstaller.exe*. Accept the software license terms.-1. During the install, you're prompted to register the connector with the Application Proxy in your Azure AD directory. - * Provide the credentials for a global administrator in your Azure AD directory. The Azure AD global administrator credentials may be different from your Azure credentials in the portal +1. During the install, you're prompted to register the connector with the Application Proxy in your Microsoft Entra directory. + * Provide the credentials for a global administrator in your Microsoft Entra directory. The Microsoft Entra Global Administrator credentials may be different from your Azure credentials in the portal > [!NOTE] > The global administrator account used to register the connector must belong to the same directory where you enable the Application Proxy service. >- > For example, if the Azure AD domain is *contoso.com*, the global administrator should be `admin@contoso.com` or another valid alias on that domain. + > For example, if the Microsoft Entra domain is *contoso.com*, the global administrator should be `admin@contoso.com` or another valid alias on that domain. * If Internet Explorer Enhanced Security Configuration is turned on for the VM where you install the connector, the registration screen might be blocked. To allow access, follow the instructions in the error message, or turn off Internet Explorer Enhanced Security during the install process. * If connector registration fails, see [Troubleshoot Application Proxy](../active-directory/app-proxy/application-proxy-troubleshoot.md).-1. At the end of the setup, a note is shown for environments with an outbound proxy. To configure the Azure AD Application Proxy connector to work through the outbound proxy, run the provided script, such as `C:\Program Files\Microsoft AAD App Proxy connector\ConfigureOutBoundProxy.ps1`. +1. At the end of the setup, a note is shown for environments with an outbound proxy. To configure the Microsoft Entra application proxy connector to work through the outbound proxy, run the provided script, such as `C:\Program Files\Microsoft AAD App Proxy connector\ConfigureOutBoundProxy.ps1`. 1. On the Application proxy page in the Microsoft Entra admin center, the new connector is listed with a status of *Active*, as shown in the following example: - ![The new Azure AD Application Proxy connector shown as active in the Microsoft Entra admin center](./media/app-proxy/connected-app-proxy.png) + ![The new Microsoft Entra application proxy connector shown as active in the Microsoft Entra admin center](./media/app-proxy/connected-app-proxy.png) > [!NOTE]-> To provide high availability for applications authenticating through the Azure AD Application Proxy, you can install connectors on multiple VMs. Repeat the same steps listed in the previous section to install the connector on other servers joined to the managed domain. +> To provide high availability for applications authenticating through the Microsoft Entra application proxy, you can install connectors on multiple VMs. Repeat the same steps listed in the previous section to install the connector on other servers joined to the managed domain. ## Enable resource-based Kerberos constrained delegation -If you want to use single sign-on to your applications using integrated Windows authentication (IWA), grant the Azure AD Application Proxy connectors permission to impersonate users and send and receive tokens on their behalf. To grant these permissions, you configure Kerberos constrained delegation (KCD) for the connector to access resources on the managed domain. As you don't have domain administrator privileges in a managed domain, traditional account-level KCD cannot be configured on a managed domain. Instead, use resource-based KCD. +If you want to use single sign-on to your applications using integrated Windows authentication (IWA), grant the Microsoft Entra application proxy connectors permission to impersonate users and send and receive tokens on their behalf. To grant these permissions, you configure Kerberos constrained delegation (KCD) for the connector to access resources on the managed domain. As you don't have domain administrator privileges in a managed domain, traditional account-level KCD cannot be configured on a managed domain. Instead, use resource-based KCD. -For more information, see [Configure Kerberos constrained delegation (KCD) in Azure Active Directory Domain Services](deploy-kcd.md). +For more information, see [Configure Kerberos constrained delegation (KCD) in Microsoft Entra Domain Services](deploy-kcd.md). > [!NOTE]-> You must be signed in to a user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant to run the following PowerShell cmdlets. +> You must be signed in to a user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant to run the following PowerShell cmdlets. >-> The computer accounts for your App Proxy connector VM and application VMs must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for a computer account in the built-in *AAD DC Computers* container. +> The computer accounts for your App Proxy connector VM and application VMs must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for a computer account in the built-in *Microsoft Entra DC Computers* container. -Use the [Get-ADComputer][Get-ADComputer] to retrieve the settings for the computer on which the Azure AD Application Proxy connector is installed. From your domain-joined management VM and logged in as user account that's a member of the *Azure AD DC administrators* group, run the following cmdlets. +Use the [Get-ADComputer][Get-ADComputer] to retrieve the settings for the computer on which the Microsoft Entra application proxy connector is installed. From your domain-joined management VM and logged in as user account that's a member of the *Microsoft Entra DC administrators* group, run the following cmdlets. -The following example gets information about the computer account named *appproxy.aaddscontoso.com*. Provide your own computer name for the Azure AD Application Proxy VM configured in the previous steps. +The following example gets information about the computer account named *appproxy.aaddscontoso.com*. Provide your own computer name for the Microsoft Entra application proxy VM configured in the previous steps. ```powershell $ImpersonatingAccount = Get-ADComputer -Identity appproxy.aaddscontoso.com ``` -For each application server that runs the apps behind Azure AD Application Proxy use the [Set-ADComputer][Set-ADComputer] PowerShell cmdlet to configure resource-based KCD. In the following example, the Azure AD Application Proxy connector is granted permissions to use the *appserver.aaddscontoso.com* computer: +For each application server that runs the apps behind Microsoft Entra application proxy use the [Set-ADComputer][Set-ADComputer] PowerShell cmdlet to configure resource-based KCD. In the following example, the Microsoft Entra application proxy connector is granted permissions to use the *appserver.aaddscontoso.com* computer: ```powershell Set-ADComputer appserver.aaddscontoso.com -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount ``` -If you deploy multiple Azure AD Application Proxy connectors, you must configure resource-based KCD for each connector instance. +If you deploy multiple Microsoft Entra application proxy connectors, you must configure resource-based KCD for each connector instance. ## Next steps -With the Azure AD Application Proxy integrated with Azure AD DS, publish applications for users to access. For more information, see [publish applications using Azure AD Application Proxy](../active-directory/app-proxy/application-proxy-add-on-premises-application.md). +With the Microsoft Entra application proxy integrated with Microsoft Entra DS, publish applications for users to access. For more information, see [publish applications using Microsoft Entra application proxy](../active-directory/app-proxy/application-proxy-add-on-premises-application.md). <!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md |
active-directory-domain-services | Deploy Kcd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-kcd.md | Title: Kerberos constrained delegation for Azure AD Domain Services | Microsoft Docs -description: Learn how to enable resource-based Kerberos constrained delegation (KCD) in an Azure Active Directory Domain Services managed domain. + Title: Kerberos constrained delegation for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to enable resource-based Kerberos constrained delegation (KCD) in a Microsoft Entra Domain Services managed domain. Last updated 01/29/2023 -# Configure Kerberos constrained delegation (KCD) in Azure Active Directory Domain Services +# Configure Kerberos constrained delegation (KCD) in Microsoft Entra Domain Services As you run applications, there may be a need for those applications to access resources in the context of a different user. Active Directory Domain Services (AD DS) supports a mechanism called *Kerberos delegation* that enables this use-case. Kerberos *constrained* delegation (KCD) then builds on this mechanism to define specific resources that can be accessed in the context of the user. -Azure Active Directory Domain Services (Azure AD DS) managed domains are more securely locked down than traditional on-premises AD DS environments, so use a more secure *resource-based* KCD. +Microsoft Entra Domain Services (Microsoft Entra DS) managed domains are more securely locked down than traditional on-premises AD DS environments, so use a more secure *resource-based* KCD. -This article shows you how to configure resource-based Kerberos constrained delegation in an Azure AD DS managed domain. +This article shows you how to configure resource-based Kerberos constrained delegation in a Microsoft Entra DS managed domain. ## Prerequisites To complete this article, you need the following resources: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A Windows Server management VM that is joined to the Azure AD DS managed domain. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A Windows Server management VM that is joined to the Microsoft Entra DS managed domain. * If needed, complete the tutorial to [create a Windows Server VM and join it to a managed domain][create-join-windows-vm] then [install the AD DS management tools][tutorial-create-management-vm].-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. +* A user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant. ## Kerberos constrained delegation overview Complete the following steps to configure this scenario: 1. [Domain-join the virtual machines][create-join-windows-vm], both the one that runs the web app, and the one that runs the web API, to the managed domain. Create these computer accounts in the custom OU from the previous step. > [!NOTE]- > The computer accounts for the web app and the web API must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for a computer account in the built-in *AAD DC Computers* container. + > The computer accounts for the web app and the web API must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for a computer account in the built-in *Microsoft Entra DC Computers* container. 1. Finally, configure resource-based KCD using the [Set-ADComputer][Set-ADComputer] PowerShell cmdlet. - From your domain-joined management VM and logged in as user account that's a member of the *Azure AD DC administrators* group, run the following cmdlets. Provide your own computer names as needed: + From your domain-joined management VM and logged in as user account that's a member of the *Microsoft Entra DC administrators* group, run the following cmdlets. Provide your own computer names as needed: ```powershell $ImpersonatingAccount = Get-ADComputer -Identity contoso-webapp.aaddscontoso.com In this scenario, let's assume you have a web app that runs as a service account 1. Create the service account (for example, *appsvc*) used to run the web app within the custom OU. > [!NOTE]- > Again, the computer account for the web API VM, and the service account for the web app, must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for accounts in the built-in *AAD DC Computers* or *AAD DC Users* containers. This also means that you can't use user accounts synchronized from Azure AD to set up resource-based KCD. You must create and use service accounts specifically created in Azure AD DS. + > Again, the computer account for the web API VM, and the service account for the web app, must be in a custom OU where you have permissions to configure resource-based KCD. You can't configure resource-based KCD for accounts in the built-in *Microsoft Entra DC Computers* or *Microsoft Entra DC Users* containers. This also means that you can't use user accounts synchronized from Microsoft Entra ID to set up resource-based KCD. You must create and use service accounts specifically created in Microsoft Entra DS. 1. Finally, configure resource-based KCD using the [Set-ADUser][Set-ADUser] PowerShell cmdlet. - From your domain-joined management VM and logged in as user account that's a member of the *Azure AD DC administrators* group, run the following cmdlets. Provide your own service names as needed: + From your domain-joined management VM and logged in as user account that's a member of the *Microsoft Entra DC administrators* group, run the following cmdlets. Provide your own service names as needed: ```powershell $ImpersonatingAccount = Get-ADUser -Identity appsvc |
active-directory-domain-services | Deploy Sp Profile Sync | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/deploy-sp-profile-sync.md | Title: Enable SharePoint User Profile service with Azure AD DS | Microsoft Docs -description: Learn how to configure an Azure Active Directory Domain Services managed domain to support profile synchronization for SharePoint Server + Title: Enable SharePoint User Profile service with Microsoft Entra DS | Microsoft Docs +description: Learn how to configure a Microsoft Entra Domain Services managed domain to support profile synchronization for SharePoint Server Last updated 01/29/2023 -# Configure Azure Active Directory Domain Services to support user profile synchronization for SharePoint Server +# Configure Microsoft Entra Domain Services to support user profile synchronization for SharePoint Server -SharePoint Server includes a service to synchronize user profiles. This feature allows user profiles to be stored in a central location and accessible across multiple SharePoint sites and farms. To configure the SharePoint Server user profile service, the appropriate permissions must be granted in an Azure Active Directory Domain Services (Azure AD DS) managed domain. For more information, see [user profile synchronization in SharePoint Server](/SharePoint/administration/user-profile-service-administration). +SharePoint Server includes a service to synchronize user profiles. This feature allows user profiles to be stored in a central location and accessible across multiple SharePoint sites and farms. To configure the SharePoint Server user profile service, the appropriate permissions must be granted in a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. For more information, see [user profile synchronization in SharePoint Server](/SharePoint/administration/user-profile-service-administration). -This article shows you how to configure Azure AD DS to allow the SharePoint Server user profile sync service. +This article shows you how to configure Microsoft Entra DS to allow the SharePoint Server user profile sync service. ## Before you begin To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A Windows Server management VM that is joined to the Azure AD DS managed domain. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A Windows Server management VM that is joined to the Microsoft Entra DS managed domain. * If needed, complete the tutorial to [create a management VM][tutorial-create-management-vm].-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. +* A user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant. * The SharePoint service account name for the user profile synchronization service. For more information about the *Profile Synchronization account*, see [Plan for administrative and service accounts in SharePoint Server][sharepoint-service-account]. To get the *Profile Synchronization account* name from the SharePoint Central Administration website, click **Application Management** > **Manage service applications** > **User Profile service application**. For more information, see [Configure profile synchronization by using SharePoint Active Directory Import in SharePoint Server](/SharePoint/administration/configure-profile-synchronization-by-using-sharepoint-active-directory-import). ## Service accounts overview -In a managed domain, a security group named *AAD DC Service Accounts* exists as part of the *Users* organizational unit (OU). Members of this security group are delegated the following privileges: +In a managed domain, a security group named *Microsoft Entra DC Service Accounts* exists as part of the *Users* organizational unit (OU). Members of this security group are delegated the following privileges: - **Replicate Directory Changes** privilege on the root DSE. - **Replicate Directory Changes** privilege on the *Configuration* naming context (`cn=configuration` container). -The *AAD DC Service Accounts* security group is also a member of the built-in group *Pre-Windows 2000 Compatible Access*. +The *Microsoft Entra DC Service Accounts* security group is also a member of the built-in group *Pre-Windows 2000 Compatible Access*. When added to this security group, the service account for SharePoint Server user profile synchronization service is granted the required privileges to work correctly. ## Enable support for SharePoint Server user profile sync -The service account for SharePoint Server needs adequate privileges to replicate changes to the directory and let SharePoint Server user profile sync work correctly. To provide these privileges, add the service account used for SharePoint user profile synchronization to the *AAD DC Service Accounts* group. +The service account for SharePoint Server needs adequate privileges to replicate changes to the directory and let SharePoint Server user profile sync work correctly. To provide these privileges, add the service account used for SharePoint user profile synchronization to the *Microsoft Entra DC Service Accounts* group. -From your Azure AD DS management VM, complete the following steps: +From your Microsoft Entra DS management VM, complete the following steps: > [!NOTE] > To edit group membership in a managed domain, you must be signed in to a user account that's a member of the *AAD DC Administrators* group. From your Azure AD DS management VM, complete the following steps: 1. From the Start screen, select **Administrative Tools**. A list of available management tools is shown that were installed in the tutorial to [create a management VM][tutorial-create-management-vm]. 1. To manage group membership, select **Active Directory Administrative Center** from the list of administrative tools. 1. In the left pane, choose your managed domain, such as *aaddscontoso.com*. A list of existing OUs and resources is shown.-1. Select the **Users** OU, then choose the *AAD DC Service Accounts* security group. +1. Select the **Users** OU, then choose the *Microsoft Entra DC Service Accounts* security group. 1. Select **Members**, then choose **Add...**. 1. Enter the name of the SharePoint service account, then select **OK**. In the following example, the SharePoint service account is named *spadmin*: - ![Add the SharePoint service account to the AAD DC Service Accounts security group](./media/deploy-sp-profile-sync/add-member-to-aad-dc-service-accounts-group.png) + ![Add the SharePoint service account to the Microsoft Entra DC Service Accounts security group](./media/deploy-sp-profile-sync/add-member-to-aad-dc-service-accounts-group.png) <!-- INTERNAL LINKS --> From your Azure AD DS management VM, complete the following steps: [tutorial-create-management-vm]: tutorial-create-management-vm.md <!-- EXTERNAL LINKS -->-[sharepoint-service-account]: /sharepoint/security-for-sharepoint-server/plan-for-administrative-and-service-accounts +[sharepoint-service-account]: /sharepoint/security-for-sharepoint-server/plan-for-administrative-and-service-accounts |
active-directory-domain-services | Feature Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/feature-availability.md | Title: Azure Active Directory Domain Services (Azure AD DS) feature availability in Azure Government -description: Learn which Azure AD DS features are available in Azure Government. + Title: Microsoft Entra Domain Services (Microsoft Entra DS) feature availability in Azure Government +description: Learn which Microsoft Entra DS features are available in Azure Government. -# Azure Active Directory Domain Services feature availability +# Microsoft Entra Domain Services feature availability <!Jeremy said there are additional features that don't fit nicely in this list that we need to add later> -This following table lists Azure Active Directory Domain Services (Azure AD DS) feature availability in Azure Government. +This following table lists Microsoft Entra Domain Services (Microsoft Entra DS) feature availability in Azure Government. | Feature | Availability | This following table lists Azure Active Directory Domain Services (Azure AD DS) | Auditing and Azure Monitor Workbooks templates | ✅ | | Domain join Windows VMs | ✅ | | Domain join Linux VMs | ✅ | -| Deploy Azure AD Application Proxy | ✅ | +| Deploy Microsoft Entra application proxy | ✅ | | Enable profile sync for SharePoint | ✅ | ## Next steps |
active-directory-domain-services | Fleet Metrics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/fleet-metrics.md | Title: Check fleet metrics of Azure Active Directory Domain Services | Microsoft Docs -description: Learn how to check fleet metrics of an Azure Active Directory Domain Services (Azure AD DS) managed domain. + Title: Check fleet metrics of Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to check fleet metrics of a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. Last updated 01/29/2023 -# Check fleet metrics of Azure Active Directory Domain Services +# Check fleet metrics of Microsoft Entra Domain Services -Administrators can use Azure Monitor Metrics to configure a scope for Azure Active Directory Domain Services (Azure AD DS) and gain insights into how the service is performing. -You can access Azure AD DS metrics from two places: +Administrators can use Azure Monitor Metrics to configure a scope for Microsoft Entra Domain Services (Microsoft Entra DS) and gain insights into how the service is performing. +You can access Microsoft Entra DS metrics from two places: -- In Azure Monitor Metrics, click **New chart** > **Select a scope** and select the Azure AD DS instance:+- In Azure Monitor Metrics, click **New chart** > **Select a scope** and select the Microsoft Entra DS instance: - :::image type="content" border="true" source="media/fleet-metrics/select.png" alt-text="Screenshot of how to select Azure AD DS for fleet metrics."::: + :::image type="content" border="true" source="media/fleet-metrics/select.png" alt-text="Screenshot of how to select Microsoft Entra DS for fleet metrics."::: -- In Azure AD DS, under **Monitoring**, click **Metrics**:+- In Microsoft Entra DS, under **Monitoring**, click **Metrics**: - :::image type="content" border="true" source="media/fleet-metrics/metrics-scope.png" alt-text="Screenshot of how to select Azure AD DS as scope in Azure Monitor Metrics."::: + :::image type="content" border="true" source="media/fleet-metrics/metrics-scope.png" alt-text="Screenshot of how to select Microsoft Entra DS as scope in Azure Monitor Metrics."::: The following screenshot shows how to select combined metrics for Total Processor Time and LDAP searches: :::image type="content" border="true" source="media/fleet-metrics/combined-metrics.png" alt-text="Screenshot of combined metrics in Azure Monitor Metrics."::: - You can also view metrics for a fleet of Azure AD DS instances: + You can also view metrics for a fleet of Microsoft Entra DS instances: - :::image type="content" border="true" source="media/fleet-metrics/metrics-instance.png" alt-text="Screenshot of how to select an Azure AD DS instance as the scope for fleet metrics."::: + :::image type="content" border="true" source="media/fleet-metrics/metrics-instance.png" alt-text="Screenshot of how to select a Microsoft Entra DS instance as the scope for fleet metrics."::: The following screenshot shows combined metrics for Total Processor Time, DNS Queries, and LDAP searches by role instance: - :::image type="content" border="true" source="media/fleet-metrics/combined-metrics-instance.png" alt-text="Screenshot of combined metrics for an Azure AD DS instance."::: + :::image type="content" border="true" source="media/fleet-metrics/combined-metrics-instance.png" alt-text="Screenshot of combined metrics for a Microsoft Entra DS instance."::: ## Metrics definitions and descriptions You can select a metric for more details about the data collection. :::image type="content" border="true" source="media/fleet-metrics/descriptions.png" alt-text="Screenshot of fleet metric descriptions."::: -The following table describes the metrics that are available for Azure AD DS. +The following table describes the metrics that are available for Microsoft Entra DS. | Metric | Description | |--|-| The following table describes the metrics that are available for Azure AD DS. ## Azure Monitor alert -You can configure metric alerts for Azure AD DS to be notified of possible problems. Metric alerts are one type of alert for Azure Monitor. For more information about other types of alerts, see [What are Azure Monitor Alerts?](../azure-monitor/alerts/alerts-overview.md). +You can configure metric alerts for Microsoft Entra DS to be notified of possible problems. Metric alerts are one type of alert for Azure Monitor. For more information about other types of alerts, see [What are Azure Monitor Alerts?](../azure-monitor/alerts/alerts-overview.md). To view and manage Azure Monitor alert, a user needs to be assigned [Azure Monitor roles](../azure-monitor/roles-permissions-security.md). -In Azure Monitor or Azure AD DS Metrics, click **New alert** and configure an Azure AD DS instance as the scope. Then choose the metrics you want to measure from the list of available signals: +In Azure Monitor or Microsoft Entra DS Metrics, click **New alert** and configure a Microsoft Entra DS instance as the scope. Then choose the metrics you want to measure from the list of available signals: :::image type="content" border="true" source="media/fleet-metrics/available-alerts.png" alt-text="Screenshot of available alerts."::: You can upvote to enable multiple resource selection to correlate data between r ## Next steps -- [Check the health of an Azure Active Directory Domain Services managed domain](check-health.md)+- [Check the health of a Microsoft Entra Domain Services managed domain](check-health.md) |
active-directory-domain-services | How To Data Retrieval | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/how-to-data-retrieval.md | Title: Instructions for data retrieval from Azure Active Directory Domain Services | Microsoft Docs -description: Learn how to retrieve data from Azure Active Directory Domain Services (Azure AD DS). + Title: Instructions for data retrieval from Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to retrieve data from Microsoft Entra Domain Services (Microsoft Entra DS). -# Azure AD DS instructions for data retrieval +# Microsoft Entra DS instructions for data retrieval -This document describes how to retrieve data from Azure Active Directory Domain Services (Azure AD DS). +This document describes how to retrieve data from Microsoft Entra Domain Services (Microsoft Entra DS). [!INCLUDE [active-directory-app-provisioning.md](../../includes/gdpr-intro-sentence.md)] -## Use Azure Active Directory to create, read, update, and delete user objects +<a name='use-azure-active-directory-to-create-read-update-and-delete-user-objects'></a> -You can create a user in the Azure AD portal or by using Graph PowerShell or Graph API. You can also read, update, and delete users. The next sections show how to do these operations in the Azure AD portal. +## Use Microsoft Entra ID to create, read, update, and delete user objects ++You can create a user in the Microsoft Entra portal or by using Graph PowerShell or Graph API. You can also read, update, and delete users. The next sections show how to do these operations in the Microsoft Entra portal. ### Create, read, or update a user -You can create a new user using the Azure Active Directory portal. +You can create a new user using the Microsoft Entra portal. To add a new user, follow these steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../active-directory/roles/permissions-reference.md#user-administrator). 1. Browse to **Identity** > **Users**, and then select **New user**. - ![Add a user through Users - All users in Azure AD](./media/tutorial-create-management-vm/add-user-in-users-all-users.png) + ![Add a user through Users - All users in Microsoft Entra ID](./media/tutorial-create-management-vm/add-user-in-users-all-users.png) 1. On the **User** page, enter information for this user: To add a new user, follow these steps: - **Groups**. Optionally, you can add the user to one or more existing groups. - - **Directory role**: If you require Azure AD administrative permissions for the user, you can add them to an Azure AD role. + - **Directory role**: If you require Microsoft Entra administrative permissions for the user, you can add them to a Microsoft Entra role. - **Job info**: You can add more information about the user here. To add a new user, follow these steps: 1. Select **Create**. -The user is created and added to your Azure AD organization. +The user is created and added to your Microsoft Entra organization. To read or update a user, search for and select the user such as, _Mary Parker_. Change any property and click **Save**. To read or update a user, search for and select the user such as, _Mary Parker_. To delete a user, follow these steps: -1. Search for and select the user you want to delete from your Azure AD tenant. For example, _Mary Parker_. +1. Search for and select the user you want to delete from your Microsoft Entra tenant. For example, _Mary Parker_. 1. Select **Delete user**. The user is deleted and no longer appears on the **Users - All users** page. The When a user is deleted, any licenses consumed by the user are made available for other users. -## Use RSAT tools to connect to an Azure AD DS managed domain and view users +<a name='use-rsat-tools-to-connect-to-an-azure-ad-ds-managed-domain-and-view-users'></a> ++## Use RSAT tools to connect to a Microsoft Entra DS managed domain and view users Sign in to an administrative workstation with a user account that's a member of the *AAD DC Administrators* group. The following steps require installation of [Remote Server Administration Tools (RSAT)](tutorial-create-management-vm.md#install-active-directory-administrative-tools). Sign in to an administrative workstation with a user account that's a member of ![List the available containers part of the managed domain](./media/tutorial-create-management-vm/active-directory-administrative-center.png) -1. To see the users and groups that belong to the managed domain, select the **AADDC Users** container. The user accounts and groups from your Azure AD tenant are listed in this container. +1. To see the users and groups that belong to the managed domain, select the **AADDC Users** container. The user accounts and groups from your Microsoft Entra tenant are listed in this container. In the following example output, a user account named *Contoso Admin* and a group for *AAD DC Administrators* are shown in this container. - ![View the list of Azure AD DS domain users in the Active Directory Administrative Center](./media/tutorial-create-management-vm/list-azure-ad-users.png) + ![View the list of Microsoft Entra DS domain users in the Active Directory Administrative Center](./media/tutorial-create-management-vm/list-azure-ad-users.png) 1. To see the computers that are joined to the managed domain, select the **AADDC Computers** container. An entry for the current virtual machine, such as *myVM*, is listed. Computer accounts for all devices that are joined to the managed domain are stored in this *AADDC Computers* container. You can also use the *Active Directory Module for Windows PowerShell*, installed as part of the administrative tools, to manage common actions in your managed domain. ## Next steps-* [Azure AD DS Overview](overview.md) +* [Microsoft Entra DS Overview](overview.md) |
active-directory-domain-services | Join Centos Linux Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/join-centos-linux-vm.md | Title: Join a CentOS VM to Azure AD Domain Services | Microsoft Docs -description: Learn how to configure and join a CentOS Linux virtual machine to an Azure Active Directory Domain Services managed domain. + Title: Join a CentOS VM to Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to configure and join a CentOS Linux virtual machine to a Microsoft Entra Domain Services managed domain. -# Join a CentOS Linux virtual machine to an Azure Active Directory Domain Services managed domain +# Join a CentOS Linux virtual machine to a Microsoft Entra Domain Services managed domain -To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (Azure AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. +To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. When you join a VM to a Microsoft Entra DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. This article shows you how to join a CentOS Linux VM to a managed domain. To complete this tutorial, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, the first tutorial [creates and configures a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. * A user account that's part of the managed domain. * Unique Linux VM names that are a maximum of 15 characters to avoid truncated names that might cause conflicts in Active Directory. If you need to create a CentOS Linux VM, or want to create a test VM for use wit When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain: -* Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services. +* Deploy the VM into the same, or a peered, virtual network in which you have enabled Microsoft Entra Domain Services. * Deploy the VM into a different subnet than your managed domain. Once the VM is deployed, follow the steps to connect to the VM using SSH. Now that the required packages are installed on the VM, join the VM to the manag * Check that the VM is deployed to the same, or a peered, virtual network in which the managed domain is available. * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the managed domain. -1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). +1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). Again, the managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `contosoadmin@aaddscontoso.com` is used to initialize Kerberos. Enter your own user account that's a part of the managed domain: |
active-directory-domain-services | Join Coreos Linux Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/join-coreos-linux-vm.md | Title: Join a CoreOS VM to Azure AD Domain Services | Microsoft Docs -description: Learn how to configure and join a CoreOS virtual machine to an Azure AD Domain Services managed domain. + Title: Join a CoreOS VM to Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to configure and join a CoreOS virtual machine to a Microsoft Entra Domain Services managed domain. Last updated 07/13/2020 -# Join a CoreOS virtual machine to an Azure Active Directory Domain Services managed domain +# Join a CoreOS virtual machine to a Microsoft Entra Domain Services managed domain -To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (Azure AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. +To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. When you join a VM to a Microsoft Entra DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. This article shows you how to join a CoreOS VM to a managed domain. To complete this tutorial, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, the first tutorial [creates and configures a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. * A user account that's a part of the managed domain. * Unique Linux VM names that are a maximum of 15 characters to avoid truncated names that might cause conflicts in Active Directory. If you need to create a CoreOS Linux VM, or want to create a test VM for use wit When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain: -* Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services. -* Deploy the VM into a different subnet than your Azure AD Domain Services managed domain. +* Deploy the VM into the same, or a peered, virtual network in which you have enabled Microsoft Entra Domain Services. +* Deploy the VM into a different subnet than your Microsoft Entra Domain Services managed domain. Once the VM is deployed, follow the steps to connect to the VM using SSH. With the SSSD configuration file updated, now join the virtual machine to the ma * Check that the VM is deployed to the same, or a peered, virtual network in which the managed domain is available. * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the managed domain. -1. Now join the VM to the managed domain using the `adcli join` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). +1. Now join the VM to the managed domain using the `adcli join` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). Again, the managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `contosoadmin@aaddscontoso.com` is used to initialize Kerberos. Enter your own user account that's a part of the managed domain. |
active-directory-domain-services | Join Rhel Linux Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/join-rhel-linux-vm.md | Title: Join a RHEL VM to Azure AD Domain Services | Microsoft Docs -description: Learn how to configure and join a Red Hat Enterprise Linux virtual machine to an Azure AD Domain Services managed domain. + Title: Join a RHEL VM to Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to configure and join a Red Hat Enterprise Linux virtual machine to a Microsoft Entra Domain Services managed domain. -# Join a Red Hat Enterprise Linux virtual machine to an Azure Active Directory Domain Services managed domain +# Join a Red Hat Enterprise Linux virtual machine to a Microsoft Entra Domain Services managed domain -To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (Azure AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. +To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. When you join a VM to a Microsoft Entra DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. This article shows you how to join a Red Hat Enterprise Linux (RHEL) VM to a managed domain. To complete this tutorial, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, the first tutorial [creates and configures a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. * A user account that's a part of the managed domain. * Unique Linux VM names that are a maximum of 15 characters to avoid truncated names that might cause conflicts in Active Directory. If you need to create a RHEL Linux VM, or want to create a test VM for use with When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain: -* Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services. -* Deploy the VM into a different subnet than your Azure AD Domain Services managed domain. +* Deploy the VM into the same, or a peered, virtual network in which you have enabled Microsoft Entra Domain Services. +* Deploy the VM into a different subnet than your Microsoft Entra Domain Services managed domain. Once the VM is deployed, follow the steps to connect to the VM using SSH. Now that the required packages are installed on the VM, join the VM to the manag * Check that the VM is deployed to the same, or a peered, virtual network in which the managed domain is available. * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the managed domain. -1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). +1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). Again, the managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `contosoadmin@aaddscontoso.com` is used to initialize Kerberos. Enter your own user account that's a part of the managed domain: |
active-directory-domain-services | Join Suse Linux Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/join-suse-linux-vm.md | Title: Join a SLE VM to Azure AD Domain Services | Microsoft Docs -description: Learn how to configure and join a SUSE Linux Enterprise virtual machine to an Azure AD Domain Services managed domain. + Title: Join a SLE VM to Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to configure and join a SUSE Linux Enterprise virtual machine to a Microsoft Entra Domain Services managed domain. -# Join a SUSE Linux Enterprise virtual machine to an Azure Active Directory Domain Services managed domain +# Join a SUSE Linux Enterprise virtual machine to a Microsoft Entra Domain Services managed domain -To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (Azure AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. +To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. When you join a VM to a Microsoft Entra DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. This article shows you how to join a SUSE Linux Enterprise (SLE) VM to a managed domain. To complete this tutorial, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, the first tutorial [creates and configures a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. * A user account that's a part of the managed domain. * Unique Linux VM names that are a maximum of 15 characters to avoid truncated names that might cause conflicts in Active Directory. If you need to create a SLE Linux VM, or want to create a test VM for use with t When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain: -* Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services. -* Deploy the VM into a different subnet than your Azure AD Domain Services managed domain. +* Deploy the VM into the same, or a peered, virtual network in which you have enabled Microsoft Entra Domain Services. +* Deploy the VM into a different subnet than your Microsoft Entra Domain Services managed domain. Once the VM is deployed, follow the steps to connect to the VM using SSH. To join the VM to the managed domain, complete the following steps: ![Example screenshot of the Active Directory enrollment window in YaST](./media/join-suse-linux-vm/enroll-window.png) -1. In the dialog, specify the *Username* and *Password* of a user that's a part of the managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). +1. In the dialog, specify the *Username* and *Password* of a user that's a part of the managed domain. If needed, [add a user account to a group in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). To make sure that the current domain is enabled for Samba, activate *Overwrite Samba configuration to work with this AD*. To join the managed domain using **winbind** and the *`samba net` command*: group: compat winbind ``` -3. Check that the date and time in Azure AD and Linux are in sync. You can do this by adding the Azure AD server to the NTP service: +3. Check that the date and time in Microsoft Entra ID and Linux are in sync. You can do this by adding the Microsoft Entra server to the NTP service: 1. Add the following line to `/etc/ntp.conf`: |
active-directory-domain-services | Join Ubuntu Linux Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/join-ubuntu-linux-vm.md | Title: Join an Ubuntu VM to Azure AD Domain Services | Microsoft Docs -description: Learn how to configure and join an Ubuntu Linux virtual machine to an Azure AD Domain Services managed domain. + Title: Join an Ubuntu VM to Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to configure and join an Ubuntu Linux virtual machine to a Microsoft Entra Domain Services managed domain. Last updated 01/29/2023 -# Join an Ubuntu Linux virtual machine to an Azure Active Directory Domain Services managed domain +# Join an Ubuntu Linux virtual machine to a Microsoft Entra Domain Services managed domain -To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (Azure AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. +To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain. When you join a VM to a Microsoft Entra DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM. This article shows you how to join an Ubuntu Linux VM to a managed domain. To complete this tutorial, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A user account that's a part of the managed domain. Make sure the SAMAccountName attribute for the user is not autogenerated. If multiple user accounts in the Azure AD tenant have the same mailNickname attribute, the SAMAccountName attribute for each user is autogenerated. For more information, see [How objects and credentials are synchronized in an Azure Active Directory Domain Services managed domain](synchronization.md). +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, the first tutorial [creates and configures a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A user account that's a part of the managed domain. Make sure the SAMAccountName attribute for the user is not autogenerated. If multiple user accounts in the Microsoft Entra tenant have the same mailNickname attribute, the SAMAccountName attribute for each user is autogenerated. For more information, see [How objects and credentials are synchronized in a Microsoft Entra Domain Services managed domain](synchronization.md). * Unique Linux VM names that are a maximum of 15 characters to avoid truncated names that might cause conflicts in Active Directory. ## Create and connect to an Ubuntu Linux VM If you need to create an Ubuntu Linux VM, or want to create a test VM for use wi When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain: -* Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services. -* Deploy the VM into a different subnet than your Azure AD Domain Services managed domain. +* Deploy the VM into the same, or a peered, virtual network in which you have enabled Microsoft Entra Domain Services. +* Deploy the VM into a different subnet than your Microsoft Entra Domain Services managed domain. Once the VM is deployed, follow the steps to connect to the VM using SSH. Now that the required packages are installed on the VM and NTP is configured, jo * Check that the VM is deployed to the same, or a peered, virtual network in which the managed domain is available. * Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the managed domain. -1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Azure AD](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). +1. Now initialize Kerberos using the `kinit` command. Specify a user that's a part of the managed domain. If needed, [add a user account to a group in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). Again, the managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `contosoadmin@aaddscontoso.com` is used to initialize Kerberos. Enter your own user account that's a part of the managed domain: rdns=false ## Update the SSSD configuration -One of the packages installed in a previous step was for System Security Services Daemon (SSSD). When a user tries to sign in to a VM using domain credentials, SSSD relays the request to an authentication provider. In this scenario, SSSD uses Azure AD DS to authenticate the request. +One of the packages installed in a previous step was for System Security Services Daemon (SSSD). When a user tries to sign in to a VM using domain credentials, SSSD relays the request to an authentication provider. In this scenario, SSSD uses Microsoft Entra DS to authenticate the request. 1. Open the *sssd.conf* file with an editor: |
active-directory-domain-services | Join Windows Vm Template | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/join-windows-vm-template.md | Title: Use a template to join a Windows VM to Azure AD DS | Microsoft Docs -description: Learn how to use Azure Resource Manager templates to join a new or existing Windows Server VM to an Azure Active Directory Domain Services managed domain. + Title: Use a template to join a Windows VM to Microsoft Entra DS | Microsoft Docs +description: Learn how to use Azure Resource Manager templates to join a new or existing Windows Server VM to a Microsoft Entra Domain Services managed domain. Last updated 08/01/2023 -# Join a Windows Server virtual machine to an Azure Active Directory Domain Services managed domain using a Resource Manager template +# Join a Windows Server virtual machine to a Microsoft Entra Domain Services managed domain using a Resource Manager template -To automate the deployment and configuration of Azure virtual machines (VMs), you can use a Resource Manager template. These templates let you create consistent deployments each time. Extensions can also be included in templates to automatically configure a VM as part of the deployment. One useful extension joins VMs to a domain, which can be used with Azure Active Directory Domain Services (Azure AD DS) managed domains. +To automate the deployment and configuration of Azure virtual machines (VMs), you can use a Resource Manager template. These templates let you create consistent deployments each time. Extensions can also be included in templates to automatically configure a VM as part of the deployment. One useful extension joins VMs to a domain, which can be used with Microsoft Entra Domain Services (Microsoft Entra DS) managed domains. -This article shows you how to create and join a Windows Server VM to an Azure AD DS managed domain using Resource Manager templates. You also learn how to join an existing Windows Server VM to an Azure AD DS domain. +This article shows you how to create and join a Windows Server VM to a Microsoft Entra DS managed domain using Resource Manager templates. You also learn how to join an existing Windows Server VM to a Microsoft Entra DS domain. ## Prerequisites To complete this tutorial, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, the first tutorial [creates and configures an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A user account that's a part of the *AAD DC administrators* group. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, the first tutorial [creates and configures a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A user account that's a part of the *AAD DC Administrators* group. ## Azure Resource Manager template overview To create a Windows Server VM then join it to a managed domain, complete the fol | Setting | Value | ||-|- | Subscription | Pick the same Azure subscription in which you have enabled Azure AD Domain Services. | + | Subscription | Pick the same Azure subscription in which you have enabled Microsoft Entra Domain Services. | | Resource group | Choose the resource group for your VM. | | Location | Select the location of for your VM. | | Existing VNET Name | The name of the existing virtual network to connect the VM to, such as *myVnet*. | To create a Windows Server VM then join it to a managed domain, complete the fol | Domain To Join | The managed domain DNS name, such as *aaddscontoso.com*. | | Domain Username | The user account in the managed domain that should be used to join the VM to the managed domain, such as `contosoadmin@aaddscontoso.com`. This account must be a part of the managed domain. | | Domain Password | The password for the user account specified in the previous setting. |- | Optional OU Path | The custom OU in which to add the VM. If you don't specify a value for this parameter, the VM is added to the default *AAD DC Computers* OU. | + | Optional OU Path | The custom OU in which to add the VM. If you don't specify a value for this parameter, the VM is added to the default *Microsoft Entra DC Computers* OU. | | VM Admin Username | Specify a local administrator account to create on the VM. | | VM Admin Password | Specify a local administrator password for the VM. Create a strong local administrator password to protect against password brute-force attacks. | To join an existing Windows Server VM to a managed domain, complete the followin | Setting | Value | ||-|- | Subscription | Pick the same Azure subscription in which you have enabled Azure AD Domain Services. | + | Subscription | Pick the same Azure subscription in which you have enabled Microsoft Entra Domain Services. | | Resource group | Choose the resource group with your existing VM. | | Location | Select the location of your existing VM. | | VM list | Enter the comma-separated list of the existing VM(s) to join to the managed domain, such as *myVM1,myVM2*. | | Domain Join User Name | The user account in the managed domain that should be used to join the VM to the managed domain, such as `contosoadmin@aaddscontoso.com`. This account must be a part of the managed domain. | | Domain Join User Password | The password for the user account specified in the previous setting. |- | Optional OU Path | The custom OU in which to add the VM. If you don't specify a value for this parameter, the VM is added to the default *AAD DC Computers* OU. | + | Optional OU Path | The custom OU in which to add the VM. If you don't specify a value for this parameter, the VM is added to the default *Microsoft Entra DC Computers* OU. | 1. Review the terms and conditions, then check the box for **I agree to the terms and conditions stated above**. When ready, select **Purchase** to join the VM to the managed domain. |
active-directory-domain-services | Join Windows Vm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/join-windows-vm.md | Title: Join a Windows Server VM to an Azure AD Domain Services managed domain | Microsoft Docs -description: In this tutorial, learn how to join a Windows Server virtual machine to an Azure Active Directory Domain Services managed domain. + Title: Join a Windows Server VM to a Microsoft Entra Domain Services managed domain | Microsoft Docs +description: In this tutorial, learn how to join a Windows Server virtual machine to a Microsoft Entra Domain Services managed domain. -#Customer intent: As an server administrator, I want to learn how to join a Windows Server VM to an Azure Active Directory Domain Services managed domain to provide centralized identity and policy. +#Customer intent: As an server administrator, I want to learn how to join a Windows Server VM to a Microsoft Entra Domain Services managed domain to provide centralized identity and policy. -# Tutorial: Join a Windows Server virtual machine to an Azure Active Directory Domain Services managed domain +# Tutorial: Join a Windows Server virtual machine to a Microsoft Entra Domain Services managed domain -Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. With an Azure AD DS managed domain, you can provide domain join features and management to virtual machines (VMs) in Azure. This tutorial shows you how to create a Windows Server VM then join it to a managed domain. +Microsoft Entra Domain Services (Microsoft Entra DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. With a Microsoft Entra DS managed domain, you can provide domain join features and management to virtual machines (VMs) in Azure. This tutorial shows you how to create a Windows Server VM then join it to a managed domain. In this tutorial, you learn how to: To complete this tutorial, you need the following resources: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. * A user account that's a part of the managed domain.- * Make sure that Azure AD Connect password hash synchronization or self-service password reset has been performed so the account is able to sign in to managed domain. -* An Azure Bastion host deployed in your Azure AD DS virtual network. + * Make sure that Microsoft Entra Connect password hash synchronization or self-service password reset has been performed so the account is able to sign in to managed domain. +* An Azure Bastion host deployed in your Microsoft Entra DS virtual network. * If needed, [create an Azure Bastion host][azure-bastion]. If you already have a VM that you want to domain-join, skip to the section to [join the VM to the managed domain](#join-the-vm-to-the-managed-domain). With the VM created and a web-based RDP connection established using Azure Basti ![Specify the managed domain to join](./media/join-windows-vm/join-domain.png) -1. Enter domain credentials to join the domain. Provide credentials for a user that's a part of the managed domain. The account must be part of the managed domain or Azure AD tenant - accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process. +1. Enter domain credentials to join the domain. Provide credentials for a user that's a part of the managed domain. The account must be part of the managed domain or Microsoft Entra tenant - accounts from external directories associated with your Microsoft Entra tenant can't correctly authenticate during the domain-join process. Account credentials can be specified in one of the following ways: - * **UPN format** (recommended) - Enter the user principal name (UPN) suffix for the user account, as configured in Azure AD. For example, the UPN suffix of the user *contosoadmin* would be `contosoadmin@aaddscontoso.onmicrosoft.com`. There are a couple of common use-cases where the UPN format can be used reliably to sign in to the domain rather than the *SAMAccountName* format: + * **UPN format** (recommended) - Enter the user principal name (UPN) suffix for the user account, as configured in Microsoft Entra ID. For example, the UPN suffix of the user *contosoadmin* would be `contosoadmin@aaddscontoso.onmicrosoft.com`. There are a couple of common use-cases where the UPN format can be used reliably to sign in to the domain rather than the *SAMAccountName* format: * If a user's UPN prefix is long, such as *deehasareallylongname*, the *SAMAccountName* may be autogenerated.- * If multiple users have the same UPN prefix in your Azure AD tenant, such as *dee*, their *SAMAccountName* format might be autogenerated. + * If multiple users have the same UPN prefix in your Microsoft Entra tenant, such as *dee*, their *SAMAccountName* format might be autogenerated. * **SAMAccountName format** - Enter the account name in the *SAMAccountName* format. For example, the *SAMAccountName* of user *contosoadmin* would be `AADDSCONTOSO\contosoadmin`. 1. It takes a few seconds to join to the managed domain. When complete, the following message welcomes you to the domain: In the next tutorial, you use this Windows Server VM to install the management t To remove the VM from the managed domain, follow through the steps again to [join the VM to a domain](#join-the-vm-to-the-managed-domain). Instead of joining the managed domain, choose to join a workgroup, such as the default *WORKGROUP*. After the VM has rebooted, the computer object is removed from the managed domain. -If you [delete the VM](#delete-the-vm) without unjoining from the domain, an orphaned computer object is left in Azure AD DS. +If you [delete the VM](#delete-the-vm) without unjoining from the domain, an orphaned computer object is left in Microsoft Entra DS. ### Delete the VM If you don't receive a prompt that asks for credentials to join the domain, ther After trying each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again. -* Verify the VM is connected to the same virtual network that Azure AD DS is enabled in, or has a peered network connection. +* Verify the VM is connected to the same virtual network that Microsoft Entra DS is enabled in, or has a peered network connection. * Try to ping the DNS domain name of the managed domain, such as `ping aaddscontoso.com`. * If the ping request fails, try to ping the IP addresses for the managed domain, such as `ping 10.0.0.4`. The IP address for your environment is displayed on the *Properties* page when you select the managed domain from your list of Azure resources. * If you can ping the IP address but not the domain, DNS may be incorrectly configured. Confirm that the IP addresses of the managed domain are configured as DNS servers for the virtual network. If you receive a prompt that asks for credentials to join the domain, but then a After trying each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again. * Make sure that the user account you specify belongs to the managed domain.-* Confirm that the account is part of the managed domain or Azure AD tenant. Accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process. +* Confirm that the account is part of the managed domain or Microsoft Entra tenant. Accounts from external directories associated with your Microsoft Entra tenant can't correctly authenticate during the domain-join process. * Try using the UPN format to specify credentials, such as `contosoadmin@aaddscontoso.onmicrosoft.com`. If there are many users with the same UPN prefix in your tenant or if your UPN prefix is overly long, the *SAMAccountName* for your account may be autogenerated. In these cases, the *SAMAccountName* format for your account may be different from what you expect or use in your on-premises domain. * Check that you have [enabled password synchronization][password-sync] to your managed domain. Without this configuration step, the required password hashes won't be present in the managed domain to correctly authenticate your sign-in attempt.-* Wait for password synchronization to be completed. When a user account's password is changed, an automatic background synchronization from Azure AD updates the password in Azure AD DS. It takes some time for the password to be available for domain-join use. +* Wait for password synchronization to be completed. When a user account's password is changed, an automatic background synchronization from Microsoft Entra ID updates the password in Microsoft Entra DS. It takes some time for the password to be available for domain-join use. ## Next steps |
active-directory-domain-services | Manage Dns | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/manage-dns.md | Title: Manage DNS for Azure AD Domain Services | Microsoft Docs -description: Learn how to install the DNS Server Tools to manage DNS and create conditional forwarders for an Azure Active Directory Domain Services managed domain. + Title: Manage DNS for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to install the DNS Server Tools to manage DNS and create conditional forwarders for a Microsoft Entra Domain Services managed domain. Last updated 09/15/2023 -# Administer DNS and create conditional forwarders in an Azure Active Directory Domain Services managed domain +# Administer DNS and create conditional forwarders in a Microsoft Entra Domain Services managed domain -Azure AD DS includes a Domain Name System (DNS) server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run. +Microsoft Entra DS includes a Domain Name System (DNS) server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run. -As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the *AAD DC Administrators* group are granted DNS administration privileges on the Azure AD DS managed domain and can create and edit custom DNS records. +As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the *AAD DC Administrators* group are granted DNS administration privileges on the Microsoft Entra DS managed domain and can create and edit custom DNS records. In a hybrid environment, DNS zones and records configured in other DNS namespaces, such as an on-premises AD DS environment, aren't synchronized to the managed domain. To resolve named resources in other DNS namespaces, create and use conditional forwarders that point to existing DNS servers in your environment. -This article shows you how to install the DNS Server tools then use the DNS console to manage records and create conditional forwarders in Azure AD DS. +This article shows you how to install the DNS Server tools then use the DNS console to manage records and create conditional forwarders in Microsoft Entra DS. >[!NOTE]->Creating or changing root hints or server-level DNS forwarders is not supported and will cause issues for the Azure AD DS managed domain. +>Creating or changing root hints or server-level DNS forwarders is not supported and will cause issues for the Microsoft Entra DS managed domain. ## Before you begin To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* Connectivity from your Azure AD DS virtual network to where your other DNS namespaces are hosted. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* Connectivity from your Microsoft Entra DS virtual network to where your other DNS namespaces are hosted. * This connectivity can be provided with an [Azure ExpressRoute][expressroute] or [Azure VPN Gateway][vpn-gateway] connection. * A Windows Server management VM that is joined to the managed domain. * If needed, complete the tutorial to [create a Windows Server VM and join it to a managed domain][create-join-windows-vm].-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. +* A user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant. ## Install DNS Server tools With the DNS Server tools installed, you can administer DNS records on the manag ![DNS Console - administer domain](./media/manage-dns/dns-manager.png) > [!WARNING]-> When you manage records using the DNS Server tools, make sure that you don't delete or modify the built-in DNS records that are used by Azure AD DS. Built-in DNS records include domain DNS records, name server records, and other records used for DC location. If you modify these records, domain services are disrupted on the virtual network. +> When you manage records using the DNS Server tools, make sure that you don't delete or modify the built-in DNS records that are used by Microsoft Entra DS. Built-in DNS records include domain DNS records, name server records, and other records used for DC location. If you modify these records, domain services are disrupted on the virtual network. ## Create conditional forwarders -An Azure AD DS DNS zone should only contain the zone and records for the managed domain itself. Don't create additional zones in the managed domain to resolve named resources in other DNS namespaces. Instead, use conditional forwarders in the managed domain to tell the DNS server where to go in order to resolve addresses for those resources. +A Microsoft Entra DS DNS zone should only contain the zone and records for the managed domain itself. Don't create additional zones in the managed domain to resolve named resources in other DNS namespaces. Instead, use conditional forwarders in the managed domain to tell the DNS server where to go in order to resolve addresses for those resources. A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as *contoso.com*, to forward queries to. Instead of the local DNS server trying to resolve queries for records in that domain, DNS queries are forwarded to the configured DNS for that domain. This configuration makes sure that the correct DNS records are returned, as you don't create a local a DNS zone with duplicate records in the managed domain to reflect those resources. For more information about managing DNS, see the [DNS tools article on Technet]( [connect-windows-server-vm]: join-windows-vm.md#connect-to-the-windows-server-vm <!-- EXTERNAL LINKS -->-[install-rsat]: /windows-server/remote/remote-server-administration-tools#BKMK_Thresh +[install-rsat]: /windows-server/remote/remote-server-administration-tools#BKMK_Thresh |
active-directory-domain-services | Manage Group Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/manage-group-policy.md | Title: Create and manage group policy in Azure AD Domain Services | Microsoft Docs -description: Learn how to edit the built-in group policy objects (GPOs) and create your own custom policies in an Azure Active Directory Domain Services managed domain. + Title: Create and manage group policy in Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to edit the built-in group policy objects (GPOs) and create your own custom policies in a Microsoft Entra Domain Services managed domain. Last updated 09/15/2023 -# Administer Group Policy in an Azure Active Directory Domain Services managed domain +# Administer Group Policy in a Microsoft Entra Domain Services managed domain -Settings for user and computer objects in Azure Active Directory Domain Services (Azure AD DS) are often managed using Group Policy Objects (GPOs). Azure AD DS includes built-in GPOs for the *AADDC Users* and *AADDC Computers* containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. Members of the *Azure AD DC administrators* group have Group Policy administration privileges in the Azure AD DS domain, and can also create custom GPOs and organizational units (OUs). For more information on what Group Policy is and how it works, see [Group Policy overview][group-policy-overview]. +Settings for user and computer objects in Microsoft Entra Domain Services (Microsoft Entra DS) are often managed using Group Policy Objects (GPOs). Microsoft Entra DS includes built-in GPOs for the *AADDC Users* and *AADDC Computers* containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. Members of the *Microsoft Entra DC administrators* group have Group Policy administration privileges in the Microsoft Entra DS domain, and can also create custom GPOs and organizational units (OUs). For more information on what Group Policy is and how it works, see [Group Policy overview][group-policy-overview]. -In a hybrid environment, group policies configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. To define configuration settings for users or computers in Azure AD DS, edit one of the default GPOs or create a custom GPO. +In a hybrid environment, group policies configured in an on-premises AD DS environment aren't synchronized to Microsoft Entra DS. To define configuration settings for users or computers in Microsoft Entra DS, edit one of the default GPOs or create a custom GPO. This article shows you how to install the Group Policy Management tools, then edit the built-in GPOs and create custom GPOs. To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A Windows Server management VM that is joined to the Azure AD DS managed domain. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A Windows Server management VM that is joined to the Microsoft Entra DS managed domain. * If needed, complete the tutorial to [create a Windows Server VM and join it to a managed domain][create-join-windows-vm].-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. +* A user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant. > [!NOTE] > You can use Group Policy Administrative Templates by copying the new templates to the management workstation. Copy the *.admx* files into `%SYSTEMROOT%\PolicyDefinitions` and copy the locale-specific *.adml* files to `%SYSTEMROOT%\PolicyDefinitions\[Language-CountryRegion]`, where `Language-CountryRegion` matches the language and region of the *.adml* files. There are two built-in Group Policy Objects (GPOs) in a managed domain - one for ## Create a custom Group Policy Object -To group similar policy settings, you often create additional GPOs instead of applying all of the required settings in the single, default GPO. With Azure AD DS, you can create or import your own custom group policy objects and link them to a custom OU. If you need to first create a custom OU, see [create a custom OU in a managed domain](create-ou.md). +To group similar policy settings, you often create additional GPOs instead of applying all of the required settings in the single, default GPO. With Microsoft Entra DS, you can create or import your own custom group policy objects and link them to a custom OU. If you need to first create a custom OU, see [create a custom OU in a managed domain](create-ou.md). 1. In the **Group Policy Management** console, select your custom organizational unit (OU), such as *MyCustomOU*. Right-select the OU and choose **Create a GPO in this domain, and Link it here...**: |
active-directory-domain-services | Mismatched Tenant Error | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/mismatched-tenant-error.md | Title: Fix mismatched directory errors in Azure AD Domain Services | Microsoft Docs -description: Learn what a mismatched directory error means and how to resolve it in Azure AD Domain Services + Title: Fix mismatched directory errors in Microsoft Entra Domain Services | Microsoft Docs +description: Learn what a mismatched directory error means and how to resolve it in Microsoft Entra Domain Services Last updated 01/29/2023 -# Resolve mismatched directory errors for existing Azure Active Directory Domain Services managed domains +# Resolve mismatched directory errors for existing Microsoft Entra Domain Services managed domains -If an Azure Active Directory Domain Services (Azure AD DS) managed domain shows a mismatched tenant error, you can't administer the managed domain until resolved. This error occurs if the underlying Azure virtual network is moved to a different Azure AD directory. +If a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain shows a mismatched tenant error, you can't administer the managed domain until resolved. This error occurs if the underlying Azure virtual network is moved to a different Microsoft Entra directory. This article explains why the error occurs and how to resolve it. ## What causes this error? -A mismatched directory error happens when an Azure AD DS managed domain and virtual network belong to two different Azure AD tenants. For example, you may have a managed domain called *aaddscontoso.com* that runs in Contoso's Azure AD tenant. However, the Azure virtual network for managed domain is part of the Fabrikam Azure AD tenant. +A mismatched directory error happens when a Microsoft Entra DS managed domain and virtual network belong to two different Microsoft Entra tenants. For example, you may have a managed domain called *aaddscontoso.com* that runs in Contoso's Microsoft Entra tenant. However, the Azure virtual network for managed domain is part of the Fabrikam Microsoft Entra tenant. -Azure role-based access control (Azure RBAC) is used to limit access to resources. When you enable Azure AD DS in an Azure AD tenant, credential hashes are synchronized to the managed domain. This operation requires you to be a tenant admin for the Azure AD directory, and access to the credentials must be controlled. +Azure role-based access control (Azure RBAC) is used to limit access to resources. When you enable Microsoft Entra DS in a Microsoft Entra tenant, credential hashes are synchronized to the managed domain. This operation requires you to be a tenant admin for the Microsoft Entra directory, and access to the credentials must be controlled. To deploy resources to an Azure virtual network and control traffic, you must have administrative privileges on the virtual network in which you deploy the managed domain. -For Azure RBAC to work consistently and secure access to all the resources Azure AD DS uses, the managed domain and the virtual network must belong to the same Azure AD tenant. +For Azure RBAC to work consistently and secure access to all the resources Microsoft Entra DS uses, the managed domain and the virtual network must belong to the same Microsoft Entra tenant. The following rules apply for deployments: -- An Azure AD directory may have multiple Azure subscriptions.+- A Microsoft Entra directory may have multiple Azure subscriptions. - An Azure subscription may have multiple resources such as virtual networks.-- A single managed domain is enabled for an Azure AD directory.-- A managed domain can be enabled on a virtual network belonging to any of the Azure subscriptions within the same Azure AD tenant.+- A single managed domain is enabled for a Microsoft Entra directory. +- A managed domain can be enabled on a virtual network belonging to any of the Azure subscriptions within the same Microsoft Entra tenant. ### Valid configuration -In the following example deployment scenario, the Contoso managed domain is enabled in the Contoso Azure AD tenant. The managed domain is deployed in a virtual network that belongs to an Azure subscription owned by the Contoso Azure AD tenant. +In the following example deployment scenario, the Contoso managed domain is enabled in the Contoso Microsoft Entra tenant. The managed domain is deployed in a virtual network that belongs to an Azure subscription owned by the Contoso Microsoft Entra tenant. -Both the managed domain and the virtual network belong to the same Azure AD tenant. This example configuration is valid and fully supported. +Both the managed domain and the virtual network belong to the same Microsoft Entra tenant. This example configuration is valid and fully supported. -![Valid Azure AD DS tenant configuration with the managed domain and virtual network part of the same Azure AD tenant](./media/getting-started/valid-tenant-config.png) +![Valid Microsoft Entra DS tenant configuration with the managed domain and virtual network part of the same Microsoft Entra tenant](./media/getting-started/valid-tenant-config.png) ### Mismatched tenant configuration -In this example deployment scenario, the Contoso managed domain is enabled in the Contoso Azure AD tenant. However, the managed domain is deployed in a virtual network that belongs to an Azure subscription owned by the Fabrikam Azure AD tenant. +In this example deployment scenario, the Contoso managed domain is enabled in the Contoso Microsoft Entra tenant. However, the managed domain is deployed in a virtual network that belongs to an Azure subscription owned by the Fabrikam Microsoft Entra tenant. -The managed domain and the virtual network belong to two different Azure AD tenants. This example configuration is a mismatched tenant and isn't supported. The virtual network must be moved to the same Azure AD tenant as the managed domain. +The managed domain and the virtual network belong to two different Microsoft Entra tenants. This example configuration is a mismatched tenant and isn't supported. The virtual network must be moved to the same Microsoft Entra tenant as the managed domain. ![Mismatched tenant configuration](./media/getting-started/mismatched-tenant-config.png) The managed domain and the virtual network belong to two different Azure AD tena The following two options resolve the mismatched directory error: -* First, [delete the managed domain](delete-aadds.md) from your existing Azure AD directory. Then, [create a replacement managed domain](tutorial-create-instance.md) in the same Azure AD directory as the virtual network you wish to use. When ready, join all machines previously joined to the deleted domain to the recreated managed domain. -* [Move the Azure subscription](../cost-management-billing/manage/billing-subscription-transfer.md) containing the virtual network to the same Azure AD directory as the managed domain. +* First, [delete the managed domain](delete-aadds.md) from your existing Microsoft Entra directory. Then, [create a replacement managed domain](tutorial-create-instance.md) in the same Microsoft Entra directory as the virtual network you wish to use. When ready, join all machines previously joined to the deleted domain to the recreated managed domain. +* [Move the Azure subscription](../cost-management-billing/manage/billing-subscription-transfer.md) containing the virtual network to the same Microsoft Entra directory as the managed domain. ## Next steps -For more information on troubleshooting issues with Azure AD DS, see the [troubleshooting guide](troubleshoot.md). +For more information on troubleshooting issues with Microsoft Entra DS, see the [troubleshooting guide](troubleshoot.md). |
active-directory-domain-services | Network Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/network-considerations.md | Title: Network planning and connections for Azure AD Domain Services | Microsoft Docs -description: Learn about some of the virtual network design considerations and resources used for connectivity when you run Azure Active Directory Domain Services. + Title: Network planning and connections for Microsoft Entra Domain Services | Microsoft Docs +description: Learn about some of the virtual network design considerations and resources used for connectivity when you run Microsoft Entra Domain Services. -# Virtual network design considerations and configuration options for Azure Active Directory Domain Services +# Virtual network design considerations and configuration options for Microsoft Entra Domain Services -Azure Active Directory Domain Services (Azure AD DS) provides authentication and management services to other applications and workloads. Network connectivity is a key component. Without correctly configured virtual network resources, applications and workloads can't communicate with and use the features provided by Azure AD DS. Plan your virtual network requirements to make sure that Azure AD DS can serve your applications and workloads as needed. +Microsoft Entra Domain Services (Microsoft Entra DS) provides authentication and management services to other applications and workloads. Network connectivity is a key component. Without correctly configured virtual network resources, applications and workloads can't communicate with and use the features provided by Microsoft Entra DS. Plan your virtual network requirements to make sure that Microsoft Entra DS can serve your applications and workloads as needed. -This article outlines design considerations and requirements for an Azure virtual network to support Azure AD DS. +This article outlines design considerations and requirements for an Azure virtual network to support Microsoft Entra DS. ## Azure virtual network design -To provide network connectivity and allow applications and services to authenticate against an Azure AD DS managed domain, you use an Azure virtual network and subnet. Ideally, the managed domain should be deployed into its own virtual network. +To provide network connectivity and allow applications and services to authenticate against a Microsoft Entra DS managed domain, you use an Azure virtual network and subnet. Ideally, the managed domain should be deployed into its own virtual network. -You can include a separate application subnet in the same virtual network to host your management VM or light application workloads. A separate virtual network for larger or complex application workloads, peered to the Azure AD DS virtual network, is usually the most appropriate design. +You can include a separate application subnet in the same virtual network to host your management VM or light application workloads. A separate virtual network for larger or complex application workloads, peered to the Microsoft Entra DS virtual network, is usually the most appropriate design. Other designs choices are valid, provided you meet the requirements outlined in the following sections for the virtual network and subnet. -As you design the virtual network for Azure AD DS, the following considerations apply: +As you design the virtual network for Microsoft Entra DS, the following considerations apply: -* Azure AD DS must be deployed into the same Azure region as your virtual network. - * At this time, you can only deploy one managed domain per Azure AD tenant. The managed domain is deployed to single region. Make sure that you create or select a virtual network in a [region that supports Azure AD DS](https://azure.microsoft.com/global-infrastructure/services/?products=active-directory-ds®ions=all). +* Microsoft Entra DS must be deployed into the same Azure region as your virtual network. + * At this time, you can only deploy one managed domain per Microsoft Entra tenant. The managed domain is deployed to single region. Make sure that you create or select a virtual network in a [region that supports Microsoft Entra DS](https://azure.microsoft.com/global-infrastructure/services/?products=active-directory-ds®ions=all). * Consider the proximity of other Azure regions and the virtual networks that host your application workloads. * To minimize latency, keep your core applications close to, or in the same region as, the virtual network subnet for your managed domain. You can use virtual network peering or virtual private network (VPN) connections between Azure virtual networks. These connection options are discussed in a following section. * The virtual network can't rely on DNS services other than those services provided by the managed domain.- * Azure AD DS provides its own DNS service. The virtual network must be configured to use these DNS service addresses. Name resolution for additional namespaces can be accomplished using conditional forwarders. + * Microsoft Entra DS provides its own DNS service. The virtual network must be configured to use these DNS service addresses. Name resolution for additional namespaces can be accomplished using conditional forwarders. * You can't use custom DNS server settings to direct queries from other DNS servers, including on VMs. Resources in the virtual network must use the DNS service provided by the managed domain. > [!IMPORTANT]-> You can't move Azure AD DS to a different virtual network after you've enabled the service. +> You can't move Microsoft Entra DS to a different virtual network after you've enabled the service. -A managed domain connects to a subnet in an Azure virtual network. Design this subnet for Azure AD DS with the following considerations: +A managed domain connects to a subnet in an Azure virtual network. Design this subnet for Microsoft Entra DS with the following considerations: * A managed domain must be deployed in its own subnet. Using an existing subnet, gateway subnet, or remote gateways settings in the virtual network peering is unsupported. * A network security group is created during the deployment of a managed domain. This network security group contains the required rules for correct service communication. The following example diagram outlines a valid design where the managed domain h ![Recommended subnet design](./media/active-directory-domain-services-design-guide/vnet-subnet-design.png) -## Connections to the Azure AD DS virtual network +<a name='connections-to-the-azure-ad-ds-virtual-network'></a> -As noted in the previous section, you can only create a managed domain in a single virtual network in Azure, and only one managed domain can be created per Azure AD tenant. Based on this architecture, you may need to connect one or more virtual networks that host your application workloads to your managed domain's virtual network. +## Connections to the Microsoft Entra DS virtual network ++As noted in the previous section, you can only create a managed domain in a single virtual network in Azure, and only one managed domain can be created per Microsoft Entra tenant. Based on this architecture, you may need to connect one or more virtual networks that host your application workloads to your managed domain's virtual network. You can connect application workloads hosted in other Azure virtual networks using one of the following methods: Virtual networks connected to the managed domain's virtual network typically hav You can enable name resolution using conditional DNS forwarders on the DNS server supporting the connecting virtual networks, or by using the same DNS IP addresses from the managed domain's virtual network. -## Network resources used by Azure AD DS +<a name='network-resources-used-by-azure-ad-ds'></a> ++## Network resources used by Microsoft Entra DS A managed domain creates some networking resources during deployment. These resources are needed for successful operation and management of the managed domain, and shouldn't be manually configured. -Don't lock the networking resources used by Azure AD DS. If networking resources get locked, they can't be deleted. When domain controllers need to be rebuilt in that case, new networking resources with different IP addresses need to be created. +Don't lock the networking resources used by Microsoft Entra DS. If networking resources get locked, they can't be deleted. When domain controllers need to be rebuilt in that case, new networking resources with different IP addresses need to be created. | Azure resource | Description | |:-|:|-| Network interface card | Azure AD DS hosts the managed domain on two domain controllers (DCs) that run on Windows Server as Azure VMs. Each VM has a virtual network interface that connects to your virtual network subnet. | -| Dynamic standard public IP address | Azure AD DS communicates with the synchronization and management service using a Standard SKU public IP address. For more information about public IP addresses, see [IP address types and allocation methods in Azure](../virtual-network/ip-services/public-ip-addresses.md). | -| Azure standard load balancer | Azure AD DS uses a Standard SKU load balancer for network address translation (NAT) and load balancing (when used with secure LDAP). For more information about Azure load balancers, see [What is Azure Load Balancer?](../load-balancer/load-balancer-overview.md) | -| Network address translation (NAT) rules | Azure AD DS creates and uses two Inbound NAT rules on the load balancer for secure PowerShell remoting. If a Standard SKU load balancer is used, it will have an Outbound NAT Rule too. For the Basic SKU load balancer, no Outbound NAT rule is required. | +| Network interface card | Microsoft Entra DS hosts the managed domain on two domain controllers (DCs) that run on Windows Server as Azure VMs. Each VM has a virtual network interface that connects to your virtual network subnet. | +| Dynamic standard public IP address | Microsoft Entra DS communicates with the synchronization and management service using a Standard SKU public IP address. For more information about public IP addresses, see [IP address types and allocation methods in Azure](../virtual-network/ip-services/public-ip-addresses.md). | +| Azure standard load balancer | Microsoft Entra DS uses a Standard SKU load balancer for network address translation (NAT) and load balancing (when used with secure LDAP). For more information about Azure load balancers, see [What is Azure Load Balancer?](../load-balancer/load-balancer-overview.md) | +| Network address translation (NAT) rules | Microsoft Entra DS creates and uses two Inbound NAT rules on the load balancer for secure PowerShell remoting. If a Standard SKU load balancer is used, it will have an Outbound NAT Rule too. For the Basic SKU load balancer, no Outbound NAT rule is required. | | Load balancer rules | When a managed domain is configured for secure LDAP on TCP port 636, three rules are created and used on a load balancer to distribute the traffic. | > [!WARNING]-> Don't delete or modify any of the network resource created by Azure AD DS, such as manually configuring the load balancer or rules. If you delete or modify any of the network resources, an Azure AD DS service outage may occur. +> Don't delete or modify any of the network resource created by Microsoft Entra DS, such as manually configuring the load balancer or rules. If you delete or modify any of the network resources, a Microsoft Entra DS service outage may occur. ## Network security groups and required ports The following network security group Inbound rules are required for the managed Note that the **CorpNetSaw** service tag isn't available by using the Microsoft Entra admin center, and the network security group rule for **CorpNetSaw** has to be added by using [PowerShell](powershell-create-instance.md#create-a-network-security-group). -Azure AD DS also relies on the Default Security rules AllowVnetInBound and AllowAzureLoadBalancerInBound. +Microsoft Entra DS also relies on the Default Security rules AllowVnetInBound and AllowAzureLoadBalancerInBound. :::image type="content" border="true" source="./media/network-considerations/nsg.png" alt-text="Screenshot of network security group rules."::: The AllowVnetInBound rule allows all traffic within the VNet which allows the DCs to properly communicate and replicate as well as allow domain join and other domain services to domain members. For more information about required ports for Windows, see [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements). -The AllowAzureLoadBalancerInBound rule is also required so that the service can properly communicate over the loadbalancer to manage the DCs. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it. +The AllowAzureLoadBalancerInBound rule is also required so that the service can properly communicate over the loadbalancer to manage the DCs. This network security group secures Microsoft Entra DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it. If needed, you can [create the required network security group and rules using Azure PowerShell](powershell-create-instance.md#create-a-network-security-group). > [!WARNING]-> When you associate a misconfigured network security group or a user defined route table with the subnet in which the managed domain is deployed, you may disrupt Microsoft's ability to service and manage the domain. Synchronization between your Azure AD tenant and your managed domain is also disrupted. Follow all listed requirements to avoid an unsupported configuration that could break sync, patching, or management. +> When you associate a misconfigured network security group or a user defined route table with the subnet in which the managed domain is deployed, you may disrupt Microsoft's ability to service and manage the domain. Synchronization between your Microsoft Entra tenant and your managed domain is also disrupted. Follow all listed requirements to avoid an unsupported configuration that could break sync, patching, or management. > > If you use secure LDAP, you can add the required TCP port 636 rule to allow external traffic if needed. Adding this rule doesn't place your network security group rules in an unsupported state. For more information, see [Lock down secure LDAP access over the internet](tutorial-configure-ldaps.md#lock-down-secure-ldap-access-over-the-internet) > For Outbound connectivity, you can either keep **AllowVnetOutbound** and **Allow | Outbound port number | Protocol | Source | Destination | Action | Required | Purpose | |:--:|:--:|::|:-:|::|:--:|:-:|-| 443 | TCP | Any | AzureActiveDirectoryDomainServices| Allow | Yes | Communication with the Azure AD Domain Services management service. | +| 443 | TCP | Any | AzureActiveDirectoryDomainServices| Allow | Yes | Communication with the Microsoft Entra Domain Services management service. | | 443 | TCP | Any | AzureMonitor | Allow | Yes | Monitoring of the virtual machines. | | 443 | TCP | Any | Storage | Allow | Yes | Communication with Azure Storage. | -| 443 | TCP | Any | AzureActiveDirectory | Allow | Yes | Communication with Azure Active Directory. | +| 443 | TCP | Any | Microsoft Entra ID | Allow | Yes | Communication with Microsoft Entra ID. | | 443 | TCP | Any | AzureUpdateDelivery | Allow | Yes | Communication with Windows Update. | | 80 | TCP | Any | AzureFrontDoor.FirstParty | Allow | Yes | Download of patches from Windows Update. | | 443 | TCP | Any | GuestAndHybridManagement | Allow | Yes | Automated management of security patches. | Get-AzNetworkSecurityGroup -Name "nsg-name" -ResourceGroupName "resource-group-n ## User-defined routes -User-defined routes aren't created by default, and aren't needed for Azure AD DS to work correctly. If you're required to use route tables, avoid making any changes to the *0.0.0.0* route. Changes to this route disrupt Azure AD DS and puts the managed domain in an unsupported state. +User-defined routes aren't created by default, and aren't needed for Microsoft Entra DS to work correctly. If you're required to use route tables, avoid making any changes to the *0.0.0.0* route. Changes to this route disrupt Microsoft Entra DS and puts the managed domain in an unsupported state. You must also route inbound traffic from the IP addresses included in the respective Azure service tags to the managed domain's subnet. For more information on service tags and their associated IP address from, see [Azure IP Ranges and Service Tags - Public Cloud](https://www.microsoft.com/en-us/download/details.aspx?id=56519). You must also route inbound traffic from the IP addresses included in the respec ## Next steps -For more information about some of the network resources and connection options used by Azure AD DS, see the following articles: +For more information about some of the network resources and connection options used by Microsoft Entra DS, see the following articles: * [Azure virtual network peering](../virtual-network/virtual-network-peering-overview.md) * [Azure VPN gateways](../vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md) |
active-directory-domain-services | Notifications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/notifications.md | Title: Email notifications for Azure AD Domain Services | Microsoft Docs -description: Learn how to configure email notifications to alert you about issues in an Azure Active Directory Domain Services managed domain + Title: Email notifications for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to configure email notifications to alert you about issues in a Microsoft Entra Domain Services managed domain Last updated 09/15/2023 -# Configure email notifications for issues in Azure Active Directory Domain Services +# Configure email notifications for issues in Microsoft Entra Domain Services -The health of an Azure Active Directory Domain Services (Azure AD DS) managed domain is monitored by the Azure platform. The health status page in the Microsoft Entra admin center shows any alerts for the managed domain. To make sure issues are responded to in a timely manner, email notifications can be configured to report on health alerts as soon as they're detected in the Azure AD DS managed domain. +The health of a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain is monitored by the Azure platform. The health status page in the Microsoft Entra admin center shows any alerts for the managed domain. To make sure issues are responded to in a timely manner, email notifications can be configured to report on health alerts as soon as they're detected in the Microsoft Entra DS managed domain. This article shows you how to configure email notification recipients for a managed domain. The following example email notification indicates a critical warning or alert w ### Why would I receive email notifications? -Azure AD DS sends email notifications for important updates about the managed domain. These notifications are only for urgent issues that impact the service and should be addressed immediately. Each email notification is triggered by an alert on the managed domain. The alerts also appear in the Microsoft Entra admin center and can be viewed on the [Azure AD DS health page][check-health]. +Microsoft Entra DS sends email notifications for important updates about the managed domain. These notifications are only for urgent issues that impact the service and should be addressed immediately. Each email notification is triggered by an alert on the managed domain. The alerts also appear in the Microsoft Entra admin center and can be viewed on the [Microsoft Entra DS health page][check-health]. -Azure AD DS doesn't send emails for advertisement, updates, or sales purposes. +Microsoft Entra DS doesn't send emails for advertisement, updates, or sales purposes. ### When will I receive email notifications? A notification is sent immediately when a [new alert][troubleshoot-alerts] is fo ### Who should receive the email notifications? -The list of email recipients for Azure AD DS should be composed of people who are able to administer and make changes to the managed domain. This email list should be thought of as your "first responders" to any alerts and issues. +The list of email recipients for Microsoft Entra DS should be composed of people who are able to administer and make changes to the managed domain. This email list should be thought of as your "first responders" to any alerts and issues. You can add up to five additional emails recipients for email notifications. If you want more than five recipients for email notifications, create a distribution list and add that to the notification list instead. -You can also choose to have all *Global Administrators* of the Azure AD directory and every member of the *AAD DC Administrators* group receive email notifications. Azure AD DS only sends notification to up to 100 email addresses, including the list of global administrators and AAD DC administrators. +You can also choose to have all *Global Administrators* of the Microsoft Entra directory and every member of the *AAD DC Administrators* group receive email notifications. Microsoft Entra DS only sends notification to up to 100 email addresses, including the list of global administrators and AAD DC Administrators. ## Configure email notifications To review the existing email notification recipients or add additional recipients, complete the following steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../active-directory/roles/permissions-reference.md#authentication-policy-administrator).-1. Search for and select **Azure AD Domain Services**. +1. Search for and select **Microsoft Entra Domain Services**. 1. Select your managed domain, such as *aaddscontoso.com*.-1. On the left-hand side of the Azure AD DS resource window, select **Notification settings**. The existing recipients for email notifications are shown. +1. On the left-hand side of the Microsoft Entra DS resource window, select **Notification settings**. The existing recipients for email notifications are shown. 1. To add an email recipient, enter the email address in the additional recipients table. 1. When done, select **Save** on the top-hand navigation. If an alert is resolved, the alert is cleared from the Microsoft Entra admin cen ### Why can I not edit the notification settings? -If you're unable to access the notification settings page in the Microsoft Entra admin center, you don't have the permissions to edit the managed domain. Contact a global administrator to either get permissions to edit Azure AD DS resource or be removed from the recipient list. +If you're unable to access the notification settings page in the Microsoft Entra admin center, you don't have the permissions to edit the managed domain. Contact a global administrator to either get permissions to edit Microsoft Entra DS resource or be removed from the recipient list. ### I don't seem to be receiving email notifications even though I provided my email address. Why? |
active-directory-domain-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/overview.md | Title: Overview of Azure Active Directory Domain Services | Microsoft Docs -description: In this overview, learn what Azure Active Directory Domain Services provides and how to use it in your organization to provide identity services to applications and services in the cloud. + Title: Overview of Microsoft Entra Domain Services | Microsoft Docs +description: In this overview, learn what Microsoft Entra Domain Services provides and how to use it in your organization to provide identity services to applications and services in the cloud. -#Customer intent: As an IT administrator or decision maker, I want to understand what Azure AD DS is and how it can benefit my organization. +#Customer intent: As an IT administrator or decision maker, I want to understand what Microsoft Entra DS is and how it can benefit my organization. -# What is Azure Active Directory Domain Services? +# What is Microsoft Entra Domain Services? -Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud. +Microsoft Entra Domain Services (Microsoft Entra DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud. -An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud. +A Microsoft Entra DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud. -Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure. +Microsoft Entra DS integrates with your existing Microsoft Entra tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure. > [!div class="nextstepaction"]-> [To get started, create an Azure AD DS managed domain using the Microsoft Entra admin center][tutorial-create] +> [To get started, create a Microsoft Entra DS managed domain using the Microsoft Entra admin center][tutorial-create] -Take a look at our short video to learn more about Azure AD DS. +Take a look at our short video to learn more about Microsoft Entra DS. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4LblD] -## How does Azure AD DS work? +<a name='how-does-azure-ad-ds-work'></a> -When you create an Azure AD DS managed domain, you define a unique namespace. This namespace is the domain name, such as *aaddscontoso.com*. Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. +## How does Microsoft Entra DS work? ++When you create a Microsoft Entra DS managed domain, you define a unique namespace. This namespace is the domain name, such as *aaddscontoso.com*. Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. You don't need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the managed domain, including backups and encryption at rest using Azure Disk Encryption. -A managed domain is configured to perform a one-way synchronization from Azure AD to provide access to a central set of users, groups, and credentials. You can create resources directly in the managed domain, but they aren't synchronized back to Azure AD. Applications, services, and VMs in Azure that connect to the managed domain can then use common AD DS features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication. +A managed domain is configured to perform a one-way synchronization from Microsoft Entra ID to provide access to a central set of users, groups, and credentials. You can create resources directly in the managed domain, but they aren't synchronized back to Microsoft Entra ID. Applications, services, and VMs in Azure that connect to the managed domain can then use common AD DS features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication. -In a hybrid environment with an on-premises AD DS environment, [Azure AD Connect][azure-ad-connect] synchronizes identity information with Azure AD, which is then synchronized to the managed domain. +In a hybrid environment with an on-premises AD DS environment, [Microsoft Entra Connect][azure-ad-connect] synchronizes identity information with Microsoft Entra ID, which is then synchronized to the managed domain. -![Synchronization in Azure AD Domain Services with Azure AD and on-premises AD DS using AD Connect](./media/active-directory-domain-services-design-guide/sync-topology.png) +![Synchronization in Microsoft Entra Domain Services with Microsoft Entra ID and on-premises AD DS using AD Connect](./media/active-directory-domain-services-design-guide/sync-topology.png) -Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment. The same set of Azure AD DS features exists for both environments. +Microsoft Entra DS replicates identity information from Microsoft Entra ID, so it works with Microsoft Entra tenants that are cloud-only, or synchronized with an on-premises AD DS environment. The same set of Microsoft Entra DS features exists for both environments. * If you have an existing on-premises AD DS environment, you can synchronize user account information to provide a consistent identity for users. To learn more, see [How objects and credentials are synchronized in a managed domain][synchronization].-* For cloud-only environments, you don't need a traditional on-premises AD DS environment to use the centralized identity services of Azure AD DS. +* For cloud-only environments, you don't need a traditional on-premises AD DS environment to use the centralized identity services of Microsoft Entra DS. -You can expand a managed domain to have more than one replica set per Azure AD tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Azure AD DS. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. For more information, see [Replica sets concepts and features for managed domains][concepts-replica-sets]. +You can expand a managed domain to have more than one replica set per Microsoft Entra tenant. Replica sets can be added to any peered virtual network in any Azure region that supports Microsoft Entra DS. Additional replica sets in different Azure regions provide geographical disaster recovery for legacy applications if an Azure region goes offline. For more information, see [Replica sets concepts and features for managed domains][concepts-replica-sets]. -Take a look at this video about how Azure AD DS integrates with your applications and workloads to provide identity services in the cloud: +Take a look at this video about how Microsoft Entra DS integrates with your applications and workloads to provide identity services in the cloud: <br /> >[!VIDEO https://www.youtube.com/embed/T1Nd9APNceQ] -To see Azure AD DS deployment scenarios in action, you can explore the following examples: +To see Microsoft Entra DS deployment scenarios in action, you can explore the following examples: ++* [Microsoft Entra DS for hybrid organizations](scenarios.md#azure-ad-ds-for-hybrid-organizations) +* [Microsoft Entra DS for cloud-only organizations](scenarios.md#azure-ad-ds-for-cloud-only-organizations) -* [Azure AD DS for hybrid organizations](scenarios.md#azure-ad-ds-for-hybrid-organizations) -* [Azure AD DS for cloud-only organizations](scenarios.md#azure-ad-ds-for-cloud-only-organizations) +<a name='azure-ad-ds-features-and-benefits'></a> -## Azure AD DS features and benefits +## Microsoft Entra DS features and benefits -To provide identity services to applications and VMs in the cloud, Azure AD DS is fully compatible with a traditional AD DS environment for operations such as domain-join, secure LDAP (LDAPS), Group Policy, DNS management, and LDAP bind and read support. LDAP write support is available for objects created in the managed domain, but not resources synchronized from Azure AD. +To provide identity services to applications and VMs in the cloud, Microsoft Entra DS is fully compatible with a traditional AD DS environment for operations such as domain-join, secure LDAP (LDAPS), Group Policy, DNS management, and LDAP bind and read support. LDAP write support is available for objects created in the managed domain, but not resources synchronized from Microsoft Entra ID. -To learn more about your identity options, [compare Azure AD DS with Azure AD, AD DS on Azure VMs, and AD DS on-premises][compare]. +To learn more about your identity options, [compare Microsoft Entra DS with Microsoft Entra ID, AD DS on Azure VMs, and AD DS on-premises][compare]. -The following features of Azure AD DS simplify deployment and management operations: +The following features of Microsoft Entra DS simplify deployment and management operations: -* **Simplified deployment experience:** Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Microsoft Entra admin center. -* **Integrated with Azure AD:** User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS. - * Accounts in external directories linked to your Azure AD aren't available in Azure AD DS. Credentials aren't available for those external directories, so can't be synchronized into a managed domain. -* **Use your corporate credentials/passwords:** Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain. +* **Simplified deployment experience:** Microsoft Entra DS is enabled for your Microsoft Entra tenant using a single wizard in the Microsoft Entra admin center. +* **Integrated with Microsoft Entra ID:** User accounts, group memberships, and credentials are automatically available from your Microsoft Entra tenant. New users, groups, or changes to attributes from your Microsoft Entra tenant or your on-premises AD DS environment are automatically synchronized to Microsoft Entra DS. + * Accounts in external directories linked to your Microsoft Entra ID aren't available in Microsoft Entra DS. Credentials aren't available for those external directories, so can't be synchronized into a managed domain. +* **Use your corporate credentials/passwords:** Passwords for users in Microsoft Entra DS are the same as in your Microsoft Entra tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain. * **NTLM and Kerberos authentication:** With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.-* **High availability:** Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures. +* **High availability:** Microsoft Entra DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures. * In regions that support [Azure Availability Zones][availability-zones], these domain controllers are also distributed across zones for additional resiliency. * [Replica sets][concepts-replica-sets] can also be used to provide geographical disaster recovery for legacy applications if an Azure region goes offline. Some key aspects of a managed domain include the following: * The managed domain is a stand-alone domain. It isn't an extension of an on-premises domain.- * If needed, you can create one-way outbound forest trusts from Azure AD DS to an on-premises AD DS environment. For more information, see [Forest concepts and features for Azure AD DS][forest-trusts]. + * If needed, you can create one-way outbound forest trusts from Microsoft Entra DS to an on-premises AD DS environment. For more information, see [Forest concepts and features for Microsoft Entra DS][forest-trusts]. * Your IT team doesn't need to manage, patch, or monitor domain controllers for this managed domain. -For hybrid environments that run AD DS on-premises, you don't need to manage AD replication to the managed domain. User accounts, group memberships, and credentials from your on-premises directory are synchronized to Azure AD via [Azure AD Connect][azure-ad-connect]. These user accounts, group memberships, and credentials are automatically available within the managed domain. +For hybrid environments that run AD DS on-premises, you don't need to manage AD replication to the managed domain. User accounts, group memberships, and credentials from your on-premises directory are synchronized to Microsoft Entra ID via [Microsoft Entra Connect][azure-ad-connect]. These user accounts, group memberships, and credentials are automatically available within the managed domain. ## Next steps -To learn more about Azure AD DS compares with other identity solutions and how synchronization works, see the following articles: +To learn more about Microsoft Entra DS compares with other identity solutions and how synchronization works, see the following articles: -* [Compare Azure AD DS with Azure AD, Active Directory Domain Services on Azure VMs, and Active Directory Domain Services on-premises][compare] -* [Learn how Azure AD Domain Services synchronizes with your Azure AD directory][synchronization] -* To learn how to administrator a managed domain, see [management concepts for user accounts, passwords, and administration in Azure AD DS][administration-concepts]. +* [Compare Microsoft Entra DS with Microsoft Entra ID, Active Directory Domain Services on Azure VMs, and Active Directory Domain Services on-premises][compare] +* [Learn how Microsoft Entra Domain Services synchronizes with your Microsoft Entra directory][synchronization] +* To learn how to administrator a managed domain, see [management concepts for user accounts, passwords, and administration in Microsoft Entra DS][administration-concepts]. To get started, [create a managed domain using the Microsoft Entra admin center][tutorial-create]. |
active-directory-domain-services | Password Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/password-policy.md | Title: Create and use password policies in Azure AD Domain Services | Microsoft Docs -description: Learn how and why to use fine-grained password policies to secure and control account passwords in an Azure AD DS managed domain. + Title: Create and use password policies in Microsoft Entra Domain Services | Microsoft Docs +description: Learn how and why to use fine-grained password policies to secure and control account passwords in a Microsoft Entra DS managed domain. Last updated 05/09/2023 -# Password and account lockout policies on Azure Active Directory Domain Services managed domains +# Password and account lockout policies on Microsoft Entra Domain Services managed domains -To manage user security in Azure Active Directory Domain Services (Azure AD DS), you can define fine-grained password policies that control account lockout settings or minimum password length and complexity. A default fine grained password policy is created and applied to all users in an Azure AD DS managed domain. To provide granular control and meet specific business or compliance needs, additional policies can be created and applied to specific users or groups. +To manage user security in Microsoft Entra Domain Services (Microsoft Entra DS), you can define fine-grained password policies that control account lockout settings or minimum password length and complexity. A default fine grained password policy is created and applied to all users in a Microsoft Entra DS managed domain. To provide granular control and meet specific business or compliance needs, additional policies can be created and applied to specific users or groups. -This article shows you how to create and configure a fine-grained password policy in Azure AD DS using the Active Directory Administrative Center. +This article shows you how to create and configure a fine-grained password policy in Microsoft Entra DS using the Active Directory Administrative Center. > [!NOTE] > Password policies are only available for managed domains created using the Resource Manager deployment model. To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. * The managed domain must have been created using the Resource Manager deployment model. * A Windows Server management VM that is joined to the managed domain. * If needed, complete the tutorial to [create a management VM][tutorial-create-management-vm].-* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. +* A user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant. ## Default password policy settings For more information about password policies and using the Active Directory Admi Policies are distributed through group association in a managed domain, and any changes you make are applied at the next user sign-in. Changing the policy doesn't unlock a user account that's already locked out. -Password policies behave a little differently depending on how the user account they're applied to was created. There are two ways a user account can be created in Azure AD DS: +Password policies behave a little differently depending on how the user account they're applied to was created. There are two ways a user account can be created in Microsoft Entra DS: -* The user account can be synchronized in from Azure AD. This includes cloud-only user accounts created directly in Azure, and hybrid user accounts synchronized from an on-premises AD DS environment using Azure AD Connect. - * The majority of user accounts in Azure AD DS are created through the synchronization process from Azure AD. -* The user account can be manually created in a managed domain, and doesn't exist in Azure AD. +* The user account can be synchronized in from Microsoft Entra ID. This includes cloud-only user accounts created directly in Azure, and hybrid user accounts synchronized from an on-premises AD DS environment using Microsoft Entra Connect. + * The majority of user accounts in Microsoft Entra DS are created through the synchronization process from Microsoft Entra ID. +* The user account can be manually created in a managed domain, and doesn't exist in Microsoft Entra ID. -All users, regardless of how they're created, have the following account lockout policies applied by the default password policy in Azure AD DS: +All users, regardless of how they're created, have the following account lockout policies applied by the default password policy in Microsoft Entra DS: * **Account lockout duration:** 30 * **Number of failed logon attempts allowed:** 5 All users, regardless of how they're created, have the following account lockout With these default settings, user accounts are locked out for 30 minutes if five invalid passwords are used within 2 minutes. Accounts are automatically unlocked after 30 minutes. -Account lockouts only occur within the managed domain. User accounts are only locked out in Azure AD DS, and only due to failed sign-in attempts against the managed domain. User accounts that were synchronized in from Azure AD or on-premises aren't locked out in their source directories, only in Azure AD DS. +Account lockouts only occur within the managed domain. User accounts are only locked out in Microsoft Entra DS, and only due to failed sign-in attempts against the managed domain. User accounts that were synchronized in from Microsoft Entra ID or on-premises aren't locked out in their source directories, only in Microsoft Entra DS. -If you have an Azure AD password policy that specifies a maximum password age greater than 90 days, that password age is applied to the default policy in Azure AD DS. You can configure a custom password policy to define a different maximum password age in Azure AD DS. Take care if you have a shorter maximum password age configured in an Azure AD DS password policy than in Azure AD or an on-premises AD DS environment. In that scenario, a user's password may expire in Azure AD DS before they're prompted to change in Azure AD or an on-premises AD DS environment. +If you have a Microsoft Entra password policy that specifies a maximum password age greater than 90 days, that password age is applied to the default policy in Microsoft Entra DS. You can configure a custom password policy to define a different maximum password age in Microsoft Entra DS. Take care if you have a shorter maximum password age configured in a Microsoft Entra DS password policy than in Microsoft Entra ID or an on-premises AD DS environment. In that scenario, a user's password may expire in Microsoft Entra DS before they're prompted to change in Microsoft Entra ID or an on-premises AD DS environment. -For user accounts created manually in a managed domain, the following additional password settings are also applied from the default policy. These settings don't apply to user accounts synchronized in from Azure AD, as a user can't update their password directly in Azure AD DS. +For user accounts created manually in a managed domain, the following additional password settings are also applied from the default policy. These settings don't apply to user accounts synchronized in from Microsoft Entra ID, as a user can't update their password directly in Microsoft Entra DS. * **Minimum password length (characters):** 7 * **Passwords must meet complexity requirements** To create a custom password policy, you use the Active Directory Administrative Set the precedence for your custom password policy to override the default, such as *1*. -1. Edit other password policy settings as desired. Account lockout settings apply to all users, but only take effect within the managed domain and not in Azure AD itself. +1. Edit other password policy settings as desired. Account lockout settings apply to all users, but only take effect within the managed domain and not in Microsoft Entra itself. ![Create a custom fine-grained password policy](./media/password-policy/custom-fgpp.png) For more information about password policies and using the Active Directory Admi [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md [associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md [create-azure-ad-ds-instance]: tutorial-create-instance.md-[tutorial-create-management-vm]: tutorial-create-management-vm.md +[tutorial-create-management-vm]: tutorial-create-management-vm.md |
active-directory-domain-services | Policy Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/policy-reference.md | Title: Built-in policy definitions for Azure Active Directory Domain Services -description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources. + Title: Built-in policy definitions for Microsoft Entra Domain Services +description: Lists Azure Policy built-in policy definitions for Microsoft Entra Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources. Last updated 09/19/2023 -# Azure Policy built-in definitions for Azure Active Directory Domain Services +# Azure Policy built-in definitions for Microsoft Entra Domain Services This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy-definitions for Azure Active Directory Domain Services. For additional Azure Policy built-ins for +definitions for Microsoft Entra Domain Services. For additional Azure Policy built-ins for other services, see [Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md). The name of each built-in policy definition links to the policy definition in th the link in the **Version** column to view the source on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy). -## Azure Active Directory Domain Services +<a name='azure-active-directory-domain-services'></a> ++## Microsoft Entra Domain Services [!INCLUDE [azure-policy-reference-rp-aads](../../includes/policy/reference/byrp/microsoft.aad.md)] |
active-directory-domain-services | Powershell Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-create-instance.md | Title: Enable Azure DS Domain Services using PowerShell | Microsoft Docs -description: Learn how to configure and enable Azure Active Directory Domain Services using Azure AD PowerShell and Azure PowerShell. +description: Learn how to configure and enable Microsoft Entra Domain Services using Azure AD PowerShell and Azure PowerShell. Last updated 01/29/2023 -# Enable Azure Active Directory Domain Services using PowerShell +# Enable Microsoft Entra Domain Services using PowerShell -Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources. +Microsoft Entra Domain Services (Microsoft Entra DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Microsoft Entra DS integrates with your existing Microsoft Entra tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources. -This article shows you how to enable Azure AD DS using PowerShell. +This article shows you how to enable Microsoft Entra DS using PowerShell. [!INCLUDE [updated-for-az.md](../../includes/updated-for-az.md)] To complete this article, you need the following resources: * If needed, follow the instructions to [install the Azure PowerShell module and connect to your Azure subscription](/powershell/azure/install-azure-powershell). * Make sure that you sign in to your Azure subscription using the [Connect-AzAccount][Connect-AzAccount] cmdlet. * Install and configure Azure AD PowerShell.- * If needed, follow the instructions to [install the Azure AD PowerShell module and connect to Azure AD](/powershell/azure/active-directory/install-adv2). - * Make sure that you sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet. -* You need *global administrator* privileges in your Azure AD tenant to enable Azure AD DS. -* You need *Contributor* privileges in your Azure subscription to create the required Azure AD DS resources. + * If needed, follow the instructions to [install the Azure AD PowerShell module and connect to Microsoft Entra ID](/powershell/azure/active-directory/install-adv2). + * Make sure that you sign in to your Microsoft Entra tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet. +* You need *global administrator* privileges in your Microsoft Entra tenant to enable Microsoft Entra DS. +* You need *Contributor* privileges in your Azure subscription to create the required Microsoft Entra DS resources. > [!IMPORTANT] > While the **Az.ADDomainServices** PowerShell module is in preview, you must install it separately To complete this article, you need the following resources: Install-Module -Name Az.ADDomainServices ``` -## Create required Azure AD resources +<a name='create-required-azure-ad-resources'></a> -Azure AD DS requires a service principal to authenticate and communicate and an Azure AD group to define which users have administrative permissions in the managed domain. +## Create required Microsoft Entra resources -First, create an Azure AD service principal by using a specific application ID named *Domain Controller Services*. The ID value is *2565bd9d-da50-47d4-8b85-4c97f669dc36* for global Azure and *6ba9a5d4-8456-4118-b521-9c5ca10cdf84* for other Azure clouds. Don't change this application ID. +Microsoft Entra DS requires a service principal to authenticate and communicate and a Microsoft Entra group to define which users have administrative permissions in the managed domain. -Create an Azure AD service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet: +First, create a Microsoft Entra service principal by using a specific application ID named *Domain Controller Services*. The ID value is *2565bd9d-da50-47d4-8b85-4c97f669dc36* for global Azure and *6ba9a5d4-8456-4118-b521-9c5ca10cdf84* for other Azure clouds. Don't change this application ID. ++Create a Microsoft Entra service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet: ```powershell New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36" ``` -Now create an Azure AD group named *AAD DC Administrators*. Users added to this group are then granted permissions to perform administration tasks on the managed domain. +Now create a Microsoft Entra group named *AAD DC Administrators*. Users added to this group are then granted permissions to perform administration tasks on the managed domain. First, get the *AAD DC Administrators* group object ID using the [Get-AzureADGroup][Get-AzureADGroup] cmdlet. If the group doesn't exist, create it with the *AAD DC Administrators* group using the [New-AzureADGroup][New-AzureADGroup] cmdlet: Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjec ## Create network resources -First, register the Azure AD Domain Services resource provider using the [Register-AzResourceProvider][Register-AzResourceProvider] cmdlet: +First, register the Microsoft Entra Domain Services resource provider using the [Register-AzResourceProvider][Register-AzResourceProvider] cmdlet: ```azurepowershell-interactive Register-AzResourceProvider -ProviderNamespace Microsoft.AAD New-AzResourceGroup ` -Location $AzureLocation ``` -Create the virtual network and subnets for Azure AD Domain Services. Two subnets are created - one for *DomainServices*, and one for *Workloads*. Azure AD DS is deployed into the dedicated *DomainServices* subnet. Don't deploy other applications or workloads into this subnet. Use the separate *Workloads* or other subnets for the rest of your VMs. +Create the virtual network and subnets for Microsoft Entra Domain Services. Two subnets are created - one for *DomainServices*, and one for *Workloads*. Microsoft Entra DS is deployed into the dedicated *DomainServices* subnet. Don't deploy other applications or workloads into this subnet. Use the separate *Workloads* or other subnets for the rest of your VMs. Create the subnets using the [New-AzVirtualNetworkSubnetConfig][New-AzVirtualNetworkSubnetConfig] cmdlet, then create the virtual network using the [New-AzVirtualNetwork][New-AzVirtualNetwork] cmdlet. $Vnet= New-AzVirtualNetwork ` ### Create a network security group -Azure AD DS needs a network security group to secure the ports needed for the managed domain and block all other incoming traffic. A [network security group (NSG)][nsg-overview] contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. In Azure AD DS, the network security group acts as an extra layer of protection to lock down access to the managed domain. To view the ports required, see [Network security groups and required ports][network-ports]. +Microsoft Entra DS needs a network security group to secure the ports needed for the managed domain and block all other incoming traffic. A [network security group (NSG)][nsg-overview] contains a list of rules that allow or deny network traffic to traffic in an Azure virtual network. In Microsoft Entra DS, the network security group acts as an extra layer of protection to lock down access to the managed domain. To view the ports required, see [Network security groups and required ports][network-ports]. The following PowerShell cmdlets use [New-AzNetworkSecurityRuleConfig][New-AzNetworkSecurityRuleConfig] to create the rules, then [New-AzNetworkSecurityGroup][New-AzNetworkSecurityGroup] to create the network security group. The network security group and rules are then associated with the virtual network subnet using the [Set-AzVirtualNetworkSubnetConfig][Set-AzVirtualNetworkSubnetConfig] cmdlet. $vnet | Set-AzVirtualNetwork Now let's create a managed domain. Set your Azure subscription ID, and then provide a name for the managed domain, such as *aaddscontoso.com*. You can get your subscription ID using the [Get-AzSubscription][Get-AzSubscription] cmdlet. -If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for redundancy. +If you choose a region that supports Availability Zones, the Microsoft Entra DS resources are distributed across zones for redundancy. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. -There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]. +There's nothing for you to configure for Microsoft Entra DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]. ```azurepowershell-interactive $AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID" When the Microsoft Entra admin center shows that the managed domain has finished * Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication. * To configure DNS, select your managed domain in the portal. On the **Overview** window, you are prompted to automatically configure these DNS settings.-* [Enable password synchronization to Azure AD DS](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials. +* [Enable password synchronization to Microsoft Entra DS](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials. ## Complete PowerShell script The following complete PowerShell script combines all of the tasks shown in this article. Copy the script and save it to a file with a `.ps1` extension. For Azure Global, use AppId value *2565bd9d-da50-47d4-8b85-4c97f669dc36*. For other Azure clouds, use AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Run the script in a local PowerShell console or the [Azure Cloud Shell][cloud-shell]. > [!NOTE]-> To enable Azure AD DS, you must be a global administrator for the Azure AD tenant. You also need at least *Contributor* privileges in the Azure subscription. +> To enable Microsoft Entra DS, you must be a global administrator for the Microsoft Entra tenant. You also need at least *Contributor* privileges in the Azure subscription. ```azurepowershell-interactive # Change the following values to match your deployment. When the Microsoft Entra admin center shows that the managed domain has finished * Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication. * To configure DNS, select your managed domain in the portal. On the **Overview** window, you are prompted to automatically configure these DNS settings.-* [Enable password synchronization to Azure AD DS](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials. +* [Enable password synchronization to Microsoft Entra DS](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials. ## Next steps |
active-directory-domain-services | Powershell Scoped Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-scoped-synchronization.md | Title: Scoped synchronization using PowerShell for Azure AD Domain Services | Microsoft Docs -description: Learn how to use Azure AD PowerShell to configure scoped synchronization from Azure AD to an Azure Active Directory Domain Services managed domain + Title: Scoped synchronization using PowerShell for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to use Azure AD PowerShell to configure scoped synchronization from Microsoft Entra ID to a Microsoft Entra Domain Services managed domain Last updated 09/06/2023 -# Configure scoped synchronization from Azure AD to Azure Active Directory Domain Services using Azure AD PowerShell +# Configure scoped synchronization from Microsoft Entra ID to Microsoft Entra Domain Services using Azure AD PowerShell -To provide authentication services, Azure Active Directory Domain Services (Azure AD DS) synchronizes users and groups from Azure AD. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Azure AD using Azure AD Connect, and then synchronized to Azure AD DS. +To provide authentication services, Microsoft Entra Domain Services (Microsoft Entra DS) synchronizes users and groups from Microsoft Entra ID. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Microsoft Entra ID using Microsoft Entra Connect, and then synchronized to Microsoft Entra DS. -By default, all users and groups from an Azure AD directory are synchronized to an Azure AD DS managed domain. If you have specific needs, you can instead choose to synchronize only a defined set of users. +By default, all users and groups from a Microsoft Entra directory are synchronized to a Microsoft Entra DS managed domain. If you have specific needs, you can instead choose to synchronize only a defined set of users. This article shows you how to create a managed domain that uses scoped synchronization and then change or disable the set of scoped users using Azure AD PowerShell. You can also [complete these steps using the Microsoft Entra admin center][scoped-sync]. To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][tutorial-create-instance]. -* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to change the Azure AD DS synchronization scope. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][tutorial-create-instance]. +* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to change the Microsoft Entra DS synchronization scope. ## Scoped synchronization overview -By default, all users and groups from an Azure AD directory are synchronized to a managed domain. If only a few users need to access the managed domain, you can synchronize only those user accounts. This scoped synchronization is group-based. When you configure group-based scoped synchronization, only the user accounts that belong to the groups you specify are synchronized to the managed domain. Nested groups aren't synchronized, only the specific groups you select. +By default, all users and groups from a Microsoft Entra directory are synchronized to a managed domain. If only a few users need to access the managed domain, you can synchronize only those user accounts. This scoped synchronization is group-based. When you configure group-based scoped synchronization, only the user accounts that belong to the groups you specify are synchronized to the managed domain. Nested groups aren't synchronized, only the specific groups you select. You can change the synchronization scope before or after you create the managed domain. The scope of synchronization is defined by a service principal with the application identifier 2565bd9d-da50-47d4-8b85-4c97f669dc36. To prevent scope loss, don't delete or change the service principal. If it is accidentally deleted, the synchronization scope can't be recovered. Keep in mind the following caveats if you change the synchronization scope: - A full synchronization occurs. - Objects that are no longer required in the managed domain are deleted. New objects are created in the managed domain. -To learn more about the synchronization process, see [Understand synchronization in Azure AD Domain Services][concepts-sync]. +To learn more about the synchronization process, see [Understand synchronization in Microsoft Entra Domain Services][concepts-sync]. ## PowerShell script for scoped synchronization To configure scoped synchronization using PowerShell, first save the following script to a file named `Select-GroupsToSync.ps1`. -This script configures Azure AD DS to synchronize selected groups from Azure AD. All user accounts that are part of the specified groups are synchronized to the managed domain. +This script configures Microsoft Entra DS to synchronize selected groups from Microsoft Entra ID. All user accounts that are part of the specified groups are synchronized to the managed domain. This script is used in the additional steps in this article. Write-Output "****************************************************************** To enable group-based scoped synchronization for a managed domain, complete the following steps: -1. First set *"filteredSync" = "Enabled"* on the Azure AD DS resource, then update the managed domain. +1. First set *"filteredSync" = "Enabled"* on the Microsoft Entra DS resource, then update the managed domain. - When prompted, specify the credentials for a *global admin* to sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet: + When prompted, specify the credentials for a *global admin* to sign in to your Microsoft Entra tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet: ```powershell # Connect to your Azure AD tenant In the following example, the groups to synchronize no longer includes *GroupNam > [!WARNING] > You must include the *AAD DC Administrators* group in the list of groups for scoped synchronization. If you don't include this group, the managed domain is unusable. -When prompted, specify the credentials for a *global admin* to sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet: +When prompted, specify the credentials for a *global admin* to sign in to your Microsoft Entra tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet: ```powershell .\Select-GroupsToSync.ps1 -groupsToAdd @("AAD DC Administrators", "GroupName1", "GroupName3") Changing the scope of synchronization causes the managed domain to resynchronize ## Disable scoped synchronization -To disable group-based scoped synchronization for a managed domain, set *"filteredSync" = "Disabled"* on the Azure AD DS resource, then update the managed domain. When complete, all users and groups are set to synchronize from Azure AD. +To disable group-based scoped synchronization for a managed domain, set *"filteredSync" = "Disabled"* on the Microsoft Entra DS resource, then update the managed domain. When complete, all users and groups are set to synchronize from Microsoft Entra ID. -When prompted, specify the credentials for a *global admin* to sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet: +When prompted, specify the credentials for a *global admin* to sign in to your Microsoft Entra tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet: ```powershell # Connect to your Azure AD tenant Changing the scope of synchronization causes the managed domain to resynchronize ## Next steps -To learn more about the synchronization process, see [Understand synchronization in Azure AD Domain Services](synchronization.md). +To learn more about the synchronization process, see [Understand synchronization in Microsoft Entra Domain Services](synchronization.md). <!-- INTERNAL LINKS --> [scoped-sync]: scoped-synchronization.md |
active-directory-domain-services | Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/scenarios.md | Title: Common deployment scenarios for Azure AD Domain Services | Microsoft Docs -description: Learn about some of the common scenarios and use-cases for Azure Active Directory Domain Services to provide value and meet business needs. + Title: Common deployment scenarios for Microsoft Entra Domain Services | Microsoft Docs +description: Learn about some of the common scenarios and use-cases for Microsoft Entra Domain Services to provide value and meet business needs. Last updated 01/29/2023 -# Common use-cases and scenarios for Azure Active Directory Domain Services +# Common use-cases and scenarios for Microsoft Entra Domain Services -Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. Azure AD DS integrates with your existing Azure AD tenant, which makes it possible for users to sign in using their existing credentials. You use these domain services without the need to deploy, manage, and patch domain controllers in the cloud, which provides a smoother lift-and-shift of on-premises resources to Azure. +Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. Microsoft Entra Domain Services integrates with your existing Microsoft Entra tenant, which makes it possible for users to sign in using their existing credentials. You use these domain services without the need to deploy, manage, and patch domain controllers in the cloud, which provides a smoother lift-and-shift of on-premises resources to Azure. -This article outlines some common business scenarios where Azure AD DS provides value and meets those needs. +This article outlines some common business scenarios where Microsoft Entra Domain Services provides value and meets those needs. ## Common ways to provide identity solutions in the cloud IT administrators often use one of the following solutions to provide an identit With these approaches, VPN connections to the on-premises directory make applications vulnerable to transient network glitches or outages. If you deploy domain controllers using VMs in Azure, the IT team must manage the VMs, then secure, patch, monitor, backup, and troubleshoot them. -Azure AD DS offers alternatives to the need to create VPN connections back to an on-premises AD DS environment or run and manage VMs in Azure to provide identity services. As a managed service, Azure AD DS reduces the complexity to create an integrated identity solution for both hybrid and cloud-only environments. +Microsoft Entra Domain Services offers alternatives to the need to create VPN connections back to an on-premises AD DS environment or run and manage VMs in Azure to provide identity services. As a managed service, Microsoft Entra Domain Services reduces the complexity to create an integrated identity solution for both hybrid and cloud-only environments. > [!div class="nextstepaction"]-> [Compare Azure AD DS with Azure AD and self-managed AD DS on Azure VMs or on-premises][compare] +> [Compare Microsoft Entra Domain Services with Microsoft Entra ID and self-managed AD DS on Azure VMs or on-premises][compare] -## Azure AD DS for hybrid organizations +<a name='azure-ad-ds-for-hybrid-organizations'></a> -Many organizations run a hybrid infrastructure that includes both cloud and on-premises application workloads. Legacy applications migrated to Azure as part of a lift and shift strategy may use traditional LDAP connections to provide identity information. To support this hybrid infrastructure, identity information from an on-premises AD DS environment can be synchronized to an Azure AD tenant. Azure AD DS then provides these legacy applications in Azure with an identity source, without the need to configure and manage application connectivity back to on-premises directory services. +<a name='microsoft-entra-ds-for-hybrid-organizations'></a> ++## Microsoft Entra Domain Services for hybrid organizations ++Many organizations run a hybrid infrastructure that includes both cloud and on-premises application workloads. Legacy applications migrated to Azure as part of a lift and shift strategy may use traditional LDAP connections to provide identity information. To support this hybrid infrastructure, identity information from an on-premises AD DS environment can be synchronized to a Microsoft Entra tenant. Microsoft Entra Domain Services then provides these legacy applications in Azure with an identity source, without the need to configure and manage application connectivity back to on-premises directory services. Let's look at an example for Litware Corporation, a hybrid organization that runs both on-premises and Azure resources: -![Azure Active Directory Domain Services for a hybrid organization that includes on-premises synchronization](./media/overview/synced-tenant.png) +![Microsoft Entra Domain Services for a hybrid organization that includes on-premises synchronization](./media/overview/synced-tenant.png) * Applications and server workloads that require domain services are deployed in a virtual network in Azure. * This may include legacy applications migrated to Azure as part of a lift and shift strategy.-* To synchronize identity information from their on-premises directory to their Azure AD tenant, Litware Corporation deploys [Azure AD Connect][azure-ad-connect]. +* To synchronize identity information from their on-premises directory to their Microsoft Entra tenant, Litware Corporation deploys [Microsoft Entra Connect][azure-ad-connect]. * Identity information that is synchronized includes user accounts and group memberships.-* Litware's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network. -* Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy. +* Litware's IT team enables Microsoft Entra Domain Services for their Microsoft Entra tenant in this, or a peered, virtual network. +* Applications and VMs deployed in the Azure virtual network can then use Microsoft Entra Domain Services features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy. > [!IMPORTANT]-> Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in a managed domain to synchronize objects back to Azure AD. +> Microsoft Entra Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Microsoft Entra Connect in a managed domain to synchronize objects back to Microsoft Entra ID. ++<a name='azure-ad-ds-for-cloud-only-organizations'></a> ++<a name='microsoft-entra-ds-for-cloud-only-organizations'></a> -## Azure AD DS for cloud-only organizations +## Microsoft Entra Domain Services for cloud-only organizations -A cloud-only Azure AD tenant doesn't have an on-premises identity source. User accounts and group memberships, for example, are created and managed directly in Azure AD. +A cloud-only Microsoft Entra tenant doesn't have an on-premises identity source. User accounts and group memberships, for example, are created and managed directly in Microsoft Entra ID. -Now let's look at an example for Contoso, a cloud-only organization that uses Azure AD for identity. All user identities, their credentials, and group memberships are created and managed in Azure AD. There is no additional configuration of Azure AD Connect to synchronize any identity information from an on-premises directory. +Now let's look at an example for Contoso, a cloud-only organization that uses Microsoft Entra ID for identity. All user identities, their credentials, and group memberships are created and managed in Microsoft Entra ID. There is no additional configuration of Microsoft Entra Connect to synchronize any identity information from an on-premises directory. -![Azure Active Directory Domain Services for a cloud-only organization with no on-premises synchronization](./media/overview/cloud-only-tenant.png) +![Microsoft Entra Domain Services for a cloud-only organization with no on-premises synchronization](./media/overview/cloud-only-tenant.png) * Applications and server workloads that require domain services are deployed in a virtual network in Azure.-* Contoso's IT team enables Azure AD DS for their Azure AD tenant in this, or a peered, virtual network. -* Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy. +* Contoso's IT team enables Microsoft Entra Domain Services for their Microsoft Entra tenant in this, or a peered, virtual network. +* Applications and VMs deployed in the Azure virtual network can then use Microsoft Entra Domain Services features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy. ## Secure administration of Azure virtual machines -To let you use a single set of AD credentials, Azure virtual machines (VMs) can be joined to an Azure AD DS managed domain. This approach reduces credential management issues such as maintaining local administrator accounts on each VM or separate accounts and passwords between environments. +To let you use a single set of AD credentials, Azure virtual machines (VMs) can be joined to a Microsoft Entra Domain Services managed domain. This approach reduces credential management issues such as maintaining local administrator accounts on each VM or separate accounts and passwords between environments. VMs that are joined to a managed domain can also be administered and secured using group policy. Required security baselines can be applied to VMs to lock them down in accordance with corporate security guidelines. For example, you can use group policy management capabilities to restrict the types of applications that can be launched on the VM. Let's look at a common example scenario. As servers and other infrastructure rea Contoso's IT administrator would prefer to domain join VMs deployed in Azure to make administration easier as users can then sign in using their corporate credentials. When domain-joined, VMs can also be configured to comply with required security baselines using group policy objects (GPOs). Contoso would prefer not to deploy, monitor, and manage their own domain controllers in Azure. -Azure AD DS is a great fit for this use-case. A managed domain lets you domain-join VMs, use a single set of credentials, and apply group policy. And because it's a managed domain, you don't have to configure and maintain the domain controllers yourself. +Microsoft Entra Domain Services is a great fit for this use-case. A managed domain lets you domain-join VMs, use a single set of credentials, and apply group policy. And because it's a managed domain, you don't have to configure and maintain the domain controllers yourself. ### Deployment notes The following deployment considerations apply to this example use case: * Managed domains use a single, flat Organizational Unit (OU) structure by default. All domain-joined VMs are in a single OU. If desired, you can create [custom OUs][custom-ou].-* Azure AD DS uses a built-in GPO each for the users and computers containers. For additional control, you can [create custom GPOs][create-gpo] and target them to custom OUs. -* Azure AD DS supports the base AD computer object schema. You can't extend the computer object's schema. +* Microsoft Entra Domain Services uses a built-in GPO each for the users and computers containers. For additional control, you can [create custom GPOs][create-gpo] and target them to custom OUs. +* Microsoft Entra Domain Services supports the base AD computer object schema. You can't extend the computer object's schema. ## Lift-and-shift on-premises applications that use LDAP bind authentication As a sample scenario, Contoso has an on-premises application that was purchased Contoso would like to migrate this application to Azure. The application should continue to works as-is, with no changes needed. Additionally, users should be able to authenticate using their existing corporate credentials and without additional training. It should be transparent to end users where the application is running. -For this scenario, Azure AD DS lets applications perform LDAP binds as part of the authentication process. Legacy on-premises applications can lift-and-shift into Azure and continue to seamlessly authenticate users without any change in configuration or user experience. +For this scenario, Microsoft Entra Domain Services lets applications perform LDAP binds as part of the authentication process. Legacy on-premises applications can lift-and-shift into Azure and continue to seamlessly authenticate users without any change in configuration or user experience. ### Deployment notes The following deployment considerations apply to this example use case: * Make sure that the application doesn't need to modify/write to the directory. LDAP write access to a managed domain isn't supported.-* You can't change passwords directly against a managed domain. End users can change their password either using [Azure AD's self-service password change mechanism][sspr] or against the on-premises directory. These changes are then automatically synchronized and available in the managed domain. +* You can't change passwords directly against a managed domain. End users can change their password either using the [Microsoft Entra self-service password change mechanism][sspr] or against the on-premises directory. These changes are then automatically synchronized and available in the managed domain. ## Lift-and-shift on-premises applications that use LDAP read to access the directory Like the previous example scenario, let's assume Contoso has an on-premises line Contoso wants to migrate this application to Azure and retire the aging on-premises hardware currently hosting this application. The application can't be rewritten to use modern directory APIs such as the REST-based Microsoft Graph API. A lift-and-shift option is desired where the application can be migrated to run in the cloud, without modifying code or rewriting the application. -To help with this scenario, Azure AD DS lets applications perform LDAP reads against the managed domain to get the attribute information it needs. The application doesn't need to be rewritten, so a lift-and-shift into Azure lets users continue to use the app without realizing there's a change in where it runs. +To help with this scenario, Microsoft Entra Domain Services lets applications perform LDAP reads against the managed domain to get the attribute information it needs. The application doesn't need to be rewritten, so a lift-and-shift into Azure lets users continue to use the app without realizing there's a change in where it runs. ### Deployment notes The following deployment considerations apply to this example use case: * Make sure that the application doesn't need to modify/write to the directory. LDAP write access to a managed domain isn't supported.-* Make sure that the application doesn't need a custom/extended Active Directory schema. Schema extensions aren't supported in Azure AD DS. +* Make sure that the application doesn't need a custom/extended Active Directory schema. Schema extensions aren't supported in Microsoft Entra Domain Services. ## Migrate an on-premises service or daemon application to Azure -Some applications include multiple tiers, where one of the tiers needs to perform authenticated calls to a backend tier, such as a database. AD service accounts are commonly used in these scenarios. When you lift-and-shift applications into Azure, Azure AD DS lets you continue to use service accounts in the same way. You can choose to use the same service account that is synchronized from your on-premises directory to Azure AD or create a custom OU and then create a separate service account in that OU. With either approach, applications continue to function the same way to make authenticated calls to other tiers and services. +Some applications include multiple tiers, where one of the tiers needs to perform authenticated calls to a backend tier, such as a database. AD service accounts are commonly used in these scenarios. When you lift-and-shift applications into Azure, Microsoft Entra Domain Services lets you continue to use service accounts in the same way. You can choose to use the same service account that is synchronized from your on-premises directory to Microsoft Entra ID or create a custom OU and then create a separate service account in that OU. With either approach, applications continue to function the same way to make authenticated calls to other tiers and services. ![Service account using WIA](./media/active-directory-domain-services-scenarios/wia-service-account.png) In this example scenario, Contoso has a custom-built software vault application that includes a web front end, a SQL server, and a backend FTP server. Windows-integrated authentication using service accounts authenticates the web front end to the FTP server. The web front end is set up to run as a service account. The backend server is configured to authorize access from the service account for the web front end. Contoso doesn't want to deploy and manage their own domain controller VMs in the cloud to move this application to Azure. -For this scenario, the servers hosting the web front end, SQL server, and the FTP server can be migrated to Azure VMs and joined to a managed domain. The VMs can then use the same service account in their on-premises directory for the app's authentication purposes, which is synchronized through Azure AD using Azure AD Connect. +For this scenario, the servers hosting the web front end, SQL server, and the FTP server can be migrated to Azure VMs and joined to a managed domain. The VMs can then use the same service account in their on-premises directory for the app's authentication purposes, which is synchronized through Microsoft Entra ID using Microsoft Entra Connect. ### Deployment notes The following deployment considerations apply to this example use case: -* Make sure that the applications use a username and password for authentication. Certificate or smartcard-based authentication isn't supported by Azure AD DS. -* You can't change passwords directly against a managed domain. End users can change their password either using [Azure AD's self-service password change mechanism][sspr] or against the on-premises directory. These changes are then automatically synchronized and available in the managed domain. +* Make sure that the applications use a username and password for authentication. Certificate or smartcard-based authentication isn't supported by Microsoft Entra Domain Services. +* You can't change passwords directly against a managed domain. End users can change their password either using the [Microsoft Entra self-service password change mechanism][sspr] or against the on-premises directory. These changes are then automatically synchronized and available in the managed domain. ## Windows Server remote desktop services deployments in Azure -You can use Azure AD DS to provide managed domain services to remote desktop servers deployed in Azure. +You can use Microsoft Entra Domain Services to provide managed domain services to remote desktop servers deployed in Azure. -For more information about this deployment scenario, see [how to integrate Azure AD Domain Services with your RDS deployment][windows-rds]. +For more information about this deployment scenario, see [how to integrate Microsoft Entra Domain Services with your RDS deployment][windows-rds]. ## Domain-joined HDInsight clusters For more information about this deployment scenario, see [how to configure domai ## Next steps -To get started, [Create and configure an Azure Active Directory Domain Services managed domain][tutorial-create-instance]. +To get started, [Create and configure a Microsoft Entra Domain Services managed domain][tutorial-create-instance]. <!-- INTERNAL LINKS --> [hdinsight]: ../hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds.md To get started, [Create and configure an Azure Active Directory Domain Services [azure-ad-connect]: ../active-directory/hybrid/whatis-azure-ad-connect.md <!-- EXTERNAL LINKS -->-[windows-rds]: /windows-server/remote/remote-desktop-services/rds-azure-adds +[windows-rds]: /windows-server/remote/remote-desktop-services/rds-azure-adds |
active-directory-domain-services | Scoped Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/scoped-synchronization.md | Title: Scoped synchronization for Azure AD Domain Services | Microsoft Docs -description: Learn how to use the Microsoft Entra admin center to configure scoped synchronization from Azure AD to an Azure Active Directory Domain Services managed domain + Title: Scoped synchronization for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to use the Microsoft Entra admin center to configure scoped synchronization from Microsoft Entra ID to a Microsoft Entra Domain Services managed domain -# Configure scoped synchronization from Azure AD to Azure Active Directory Domain Services using the Microsoft Entra admin center +# Configure scoped synchronization from Microsoft Entra ID to Microsoft Entra Domain Services using the Microsoft Entra admin center -To provide authentication services, Azure Active Directory Domain Services (Azure AD DS) synchronizes users and groups from Azure AD. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Azure AD using Azure AD Connect, and then synchronized to an Azure AD DS managed domain. +To provide authentication services, Microsoft Entra Domain Services (Microsoft Entra DS) synchronizes users and groups from Microsoft Entra ID. In a hybrid environment, users and groups from an on-premises Active Directory Domain Services (AD DS) environment can be first synchronized to Microsoft Entra ID using Microsoft Entra Connect, and then synchronized to a Microsoft Entra DS managed domain. -By default, all users and groups from an Azure AD directory are synchronized to a managed domain. If only some users need to use Azure AD DS, you can instead choose to synchronize only groups of users. You can filter synchronization for groups on-premises, cloud only, or both. +By default, all users and groups from a Microsoft Entra directory are synchronized to a managed domain. If only some users need to use Microsoft Entra DS, you can instead choose to synchronize only groups of users. You can filter synchronization for groups on-premises, cloud only, or both. This article shows you how to configure scoped synchronization and then change or disable the set of scoped users using the Microsoft Entra admin center. You can also [complete these steps using PowerShell][scoped-sync-powershell]. To complete this article, you need the following resources and privileges: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services managed domain][tutorial-create-instance]. -* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Azure AD roles in your tenant to change the Azure AD DS synchronization scope. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, complete the tutorial to [create and configure a Microsoft Entra Domain Services managed domain][tutorial-create-instance]. +* You need [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) and [Groups Administrator](../active-directory/roles/permissions-reference.md#groups-administrator) Microsoft Entra roles in your tenant to change the Microsoft Entra DS synchronization scope. ## Scoped synchronization overview -By default, all users and groups from an Azure AD directory are synchronized to a managed domain. You can scope synchronization to only user accounts that were created in Azure AD, or synchronize all users. +By default, all users and groups from a Microsoft Entra directory are synchronized to a managed domain. You can scope synchronization to only user accounts that were created in Microsoft Entra ID, or synchronize all users. If only a few groups of users need to access the managed domain, you can select **Filter by group entitlement** to synchronize only those groups. This scoped synchronization is only group-based. When you configure group-based scoped synchronization, only the user accounts that belong to the groups you specify are synchronized to the managed domain. Nested groups aren't synchronized; only the groups you specify get synchronized. Keep in mind the following caveats if you change the synchronization scope: - A full synchronization occurs. - Objects that are no longer required in the managed domain are deleted. New objects are created in the managed domain. -To learn more about the synchronization process, see [Understand synchronization in Azure AD Domain Services][concepts-sync]. +To learn more about the synchronization process, see [Understand synchronization in Microsoft Entra Domain Services][concepts-sync]. ## Enable scoped synchronization To enable scoped synchronization in the Microsoft Entra admin center, complete the following steps: -1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*. +1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Microsoft Entra Domain Services**. Choose your managed domain, such as *aaddscontoso.com*. 1. Select **Synchronization** from the menu on the left-hand side. 1. For *Synchronization scope*, select **All** or **Cloud Only**.-1. To filter synchronization for selected groups, click **Show selected groups**, choose whether to synchronize cloud-only groups, on-premises groups, or both. For example, the following screenshot shows how to synchronize only three groups that were created in Azure AD. Only users who belong to those groups will have their accounts synchronized to Azure AD DS. +1. To filter synchronization for selected groups, click **Show selected groups**, choose whether to synchronize cloud-only groups, on-premises groups, or both. For example, the following screenshot shows how to synchronize only three groups that were created in Microsoft Entra ID. Only users who belong to those groups will have their accounts synchronized to Microsoft Entra DS. :::image type="content" source="media/scoped-synchronization/cloud-only-groups.png" alt-text="Screenshot that shows filter by cloud-only groups." ::: Changing the scope of synchronization causes the managed domain to resynchronize To modify the list of groups whose users should be synchronized to the managed domain, complete the following steps: -1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*. +1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Microsoft Entra Domain Services**. Choose your managed domain, such as *aaddscontoso.com*. 1. Select **Synchronization** from the menu on the left-hand side. 1. To add a group, choose **+ Add groups** at the top, then choose the groups to add. 1. To remove a group from the synchronization scope, select it from the list of currently synchronized groups and choose **Remove groups**. Changing the scope of synchronization causes the managed domain to resynchronize To disable group-based scoped synchronization for a managed domain, complete the following steps: -1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Azure AD Domain Services**. Choose your managed domain, such as *aaddscontoso.com*. +1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Microsoft Entra Domain Services**. Choose your managed domain, such as *aaddscontoso.com*. 1. Select **Synchronization** from the menu on the left-hand side. 1. Clear the check box for **Show selected groups**, and click **Save synchronization scope**. Changing the scope of synchronization causes the managed domain to resynchronize ## Next steps -To learn more about the synchronization process, see [Understand synchronization in Azure AD Domain Services][concepts-sync]. +To learn more about the synchronization process, see [Understand synchronization in Microsoft Entra Domain Services][concepts-sync]. <!-- INTERNAL LINKS --> [scoped-sync-powershell]: powershell-scoped-synchronization.md |
active-directory-domain-services | Secure Remote Vm Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/secure-remote-vm-access.md | Title: Secure remote VM access in Azure AD Domain Services | Microsoft Docs -description: Learn how to secure remote access to VMs using Network Policy Server (NPS) and Azure AD Multi-Factor Authentication with a Remote Desktop Services deployment in an Azure Active Directory Domain Services managed domain. + Title: Secure remote VM access in Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to secure remote access to VMs using Network Policy Server (NPS) and Microsoft Entra multifactor authentication with a Remote Desktop Services deployment in a Microsoft Entra Domain Services managed domain. Last updated 01/29/2023 -# Secure remote access to virtual machines in Azure Active Directory Domain Services +# Secure remote access to virtual machines in Microsoft Entra Domain Services -To secure remote access to virtual machines (VMs) that run in an Azure Active Directory Domain Services (Azure AD DS) managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Azure AD DS authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Azure AD Multi-Factor Authentication to provide an additional authentication prompt during sign-in events. Azure AD Multi-Factor Authentication uses an extension for NPS to provide this feature. +To secure remote access to virtual machines (VMs) that run in a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain, you can use Remote Desktop Services (RDS) and Network Policy Server (NPS). Microsoft Entra DS authenticates users as they request access through the RDS environment. For enhanced security, you can integrate Microsoft Entra multifactor authentication to provide an additional authentication prompt during sign-in events. Microsoft Entra multifactor authentication uses an extension for NPS to provide this feature. > [!IMPORTANT]-> The recommended way to securely connect to your VMs in an Azure AD DS managed domain is using Azure Bastion, a fully platform-managed PaaS service that you provision inside your virtual network. A bastion host provides secure and seamless Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over SSL. When you connect via a bastion host, your VMs don't need a public IP address, and you don't need to use network security groups to expose access to RDP on TCP port 3389. +> The recommended way to securely connect to your VMs in a Microsoft Entra DS managed domain is using Azure Bastion, a fully platform-managed PaaS service that you provision inside your virtual network. A bastion host provides secure and seamless Remote Desktop Protocol (RDP) connectivity to your VMs directly in the Azure portal over SSL. When you connect via a bastion host, your VMs don't need a public IP address, and you don't need to use network security groups to expose access to RDP on TCP port 3389. >-> We strongly recommend that you use Azure Bastion in all regions where it's supported. In regions without Azure Bastion availability, follow the steps detailed in this article until Azure Bastion is available. Take care with assigning public IP addresses to VMs joined to Azure AD DS where all incoming RDP traffic is allowed. +> We strongly recommend that you use Azure Bastion in all regions where it's supported. In regions without Azure Bastion availability, follow the steps detailed in this article until Azure Bastion is available. Take care with assigning public IP addresses to VMs joined to Microsoft Entra DS where all incoming RDP traffic is allowed. > > For more information, see [What is Azure Bastion?][bastion-overview]. -This article shows you how to configure RDS in Azure AD DS and optionally use the Azure AD Multi-Factor Authentication NPS extension. +This article shows you how to configure RDS in Microsoft Entra DS and optionally use the Microsoft Entra multifactor authentication NPS extension. ![Remote Desktop Services (RDS) overview](./media/enable-network-policy-server/remote-desktop-services-overview.png) To complete this article, you need the following resources: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. -* A *workloads* subnet created in your Azure Active Directory Domain Services virtual network. - * If needed, [Configure virtual networking for an Azure Active Directory Domain Services managed domain][configure-azureadds-vnet]. -* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. +* A *workloads* subnet created in your Microsoft Entra Domain Services virtual network. + * If needed, [Configure virtual networking for a Microsoft Entra Domain Services managed domain][configure-azureadds-vnet]. +* A user account that's a member of the *Microsoft Entra DC administrators* group in your Microsoft Entra tenant. ## Deploy and configure the Remote Desktop environment A suggested RDS deployment includes the following two VMs: * *RDGVM01* - Runs the RD Connection Broker server, RD Web Access server, and RD Gateway server. * *RDSHVM01* - Runs the RD Session Host server. -Make sure that VMs are deployed into a *workloads* subnet of your Azure AD DS virtual network, then join the VMs to managed domain. For more information, see how to [create and join a Windows Server VM to a managed domain][tutorial-create-join-vm]. +Make sure that VMs are deployed into a *workloads* subnet of your Microsoft Entra DS virtual network, then join the VMs to managed domain. For more information, see how to [create and join a Windows Server VM to a managed domain][tutorial-create-join-vm]. The RD environment deployment contains a number of steps. The existing RD deployment guide can be used without any specific changes to use in a managed domain: -1. Sign in to VMs created for the RD environment with an account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*. +1. Sign in to VMs created for the RD environment with an account that's part of the *Microsoft Entra DC Administrators* group, such as *contosoadmin*. 1. To create and configure RDS, use the existing [Remote Desktop environment deployment guide][deploy-remote-desktop]. Distribute the RD server components across your Azure VMs as desired.- * Specific to Azure AD DS - when you configure RD licensing, set it to **Per Device** mode, not **Per User** as noted in the deployment guide. + * Specific to Microsoft Entra DS - when you configure RD licensing, set it to **Per Device** mode, not **Per User** as noted in the deployment guide. 1. If you want to provide access using a web browser, [set up the Remote Desktop web client for your users][rd-web-client]. With RD deployed into the managed domain, you can manage and use the service as you would with an on-premises AD DS domain. -## Deploy and configure NPS and the Azure AD MFA NPS extension +<a name='deploy-and-configure-nps-and-the-azure-ad-mfa-nps-extension'></a> -If you want to increase the security of the user sign-in experience, you can optionally integrate the RD environment with Azure AD Multi-Factor Authentication. With this configuration, users receive an additional prompt during sign-in to confirm their identity. +## Deploy and configure NPS and the Microsoft Entra multifactor authentication NPS extension -To provide this capability, an additional Network Policy Server (NPS) is installed in your environment along with the Azure AD Multi-Factor Authentication NPS extension. This extension integrates with Azure AD to request and return the status of multi-factor authentication prompts. +If you want to increase the security of the user sign-in experience, you can optionally integrate the RD environment with Microsoft Entra multifactor authentication. With this configuration, users receive an additional prompt during sign-in to confirm their identity. -Users must be [registered to use Azure AD Multi-Factor Authentication][user-mfa-registration], which may require additional Azure AD licenses. +To provide this capability, an additional Network Policy Server (NPS) is installed in your environment along with the Microsoft Entra multifactor authentication NPS extension. This extension integrates with Microsoft Entra ID to request and return the status of multifactor authentication prompts. -To integrate Azure AD Multi-Factor Authentication in to your Azure AD DS Remote Desktop environment, create an NPS Server and install the extension: +Users must be [registered to use Microsoft Entra multifactor authentication][user-mfa-registration], which may require additional Microsoft Entra ID licenses. -1. Create an additional Windows Server 2016 or 2019 VM, such as *NPSVM01*, that's connected to a *workloads* subnet in your Azure AD DS virtual network. Join the VM to the managed domain. -1. Sign in to NPS VM as account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*. +To integrate Microsoft Entra multifactor authentication in to your Microsoft Entra DS Remote Desktop environment, create an NPS Server and install the extension: ++1. Create an additional Windows Server 2016 or 2019 VM, such as *NPSVM01*, that's connected to a *workloads* subnet in your Microsoft Entra DS virtual network. Join the VM to the managed domain. +1. Sign in to NPS VM as account that's part of the *Microsoft Entra DC Administrators* group, such as *contosoadmin*. 1. From **Server Manager**, select **Add Roles and Features**, then install the *Network Policy and Access Services* role.-1. Use the existing how-to article to [install and configure the Azure AD MFA NPS extension][nps-extension]. +1. Use the existing how-to article to [install and configure the Microsoft Entra multifactor authentication NPS extension][nps-extension]. ++With the NPS server and Microsoft Entra multifactor authentication NPS extension installed, complete the next section to configure it for use with the RD environment. -With the NPS server and Azure AD Multi-Factor Authentication NPS extension installed, complete the next section to configure it for use with the RD environment. +<a name='integrate-remote-desktop-gateway-and-azure-ad-multi-factor-authentication'></a> -## Integrate Remote Desktop Gateway and Azure AD Multi-Factor Authentication +## Integrate Remote Desktop Gateway and Microsoft Entra multifactor authentication -To integrate the Azure AD Multi-Factor Authentication NPS extension, use the existing how-to article to [integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD][azure-mfa-nps-integration]. +To integrate the Microsoft Entra multifactor authentication NPS extension, use the existing how-to article to [integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Microsoft Entra ID][azure-mfa-nps-integration]. The following additional configuration options are needed to integrate with a managed domain: 1. Don't [register the NPS server in Active Directory][register-nps-ad]. This step fails in a managed domain. 1. In [step 4 to configure network policy][create-nps-policy], also check the box to **Ignore user account dial-in properties**.-1. If you use Windows Server 2019 for the NPS server and Azure AD Multi-Factor Authentication NPS extension, run the following command to update the secure channel to allow the NPS server to communicate correctly: +1. If you use Windows Server 2019 for the NPS server and Microsoft Entra multifactor authentication NPS extension, run the following command to update the secure channel to allow the NPS server to communicate correctly: ```powershell sc sidtype IAS unrestricted Users are now prompted for an additional authentication factor when they sign in For more information on improving resiliency of your deployment, see [Remote Desktop Services - High availability][rds-high-availability]. -For more information about securing user sign-in, see [How it works: Azure AD Multi-Factor Authentication][concepts-mfa]. +For more information about securing user sign-in, see [How it works: Microsoft Entra multifactor authentication][concepts-mfa]. <!-- INTERNAL LINKS --> [bastion-overview]: ../bastion/bastion-overview.md For more information about securing user sign-in, see [How it works: Azure AD Mu <!-- EXTERNAL LINKS --> [deploy-remote-desktop]: /windows-server/remote/remote-desktop-services/rds-deploy-infrastructure [rd-web-client]: /windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin-[rds-high-availability]: /windows-server/remote/remote-desktop-services/rds-plan-high-availability +[rds-high-availability]: /windows-server/remote/remote-desktop-services/rds-plan-high-availability |
active-directory-domain-services | Secure Your Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/secure-your-domain.md | Title: Secure Azure AD Domain Services | Microsoft Docs -description: Learn how to disable weak ciphers, old protocols, and NTLM password hash synchronization for an Azure Active Directory Domain Services managed domain. + Title: Secure Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to disable weak ciphers, old protocols, and NTLM password hash synchronization for a Microsoft Entra Domain Services managed domain. Last updated 01/29/2023 -# Harden an Azure Active Directory Domain Services managed domain +# Harden a Microsoft Entra Domain Services managed domain -By default, Azure Active Directory Domain Services (Azure AD DS) enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. If you have on-premises hybrid connectivity using Azure AD Connect, you can also disable the synchronization of NTLM password hashes. +By default, Microsoft Entra Domain Services (Microsoft Entra DS) enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. If you have on-premises hybrid connectivity using Microsoft Entra Connect, you can also disable the synchronization of NTLM password hashes. This article shows you how to harden a managed domain by using setting setting such as: To complete this article, you need the following resources: * An active Azure subscription. * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. - * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. -* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. - * If needed, [create and configure an Azure Active Directory Domain Services managed domain][create-azure-ad-ds-instance]. +* A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. + * If needed, [create a Microsoft Entra tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. +* A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant. + * If needed, [create and configure a Microsoft Entra Domain Services managed domain][create-azure-ad-ds-instance]. ## Use Security settings to harden your domain 1. Sign in to the [Azure portal](https://portal.azure.com).-1. Search for and select **Azure AD Domain Services**. +1. Search for and select **Microsoft Entra Domain Services**. 1. Choose your managed domain, such as *aaddscontoso.com*. 1. On the left-hand side, select **Security settings**. 1. Click **Enable** or **Disable** for the following settings: To complete this article, you need the following resources: In addition to **Security settings**, Microsoft Azure Policy has a **Compliance** setting to enforce TLS 1.2 usage. The policy has no impact until it is assigned. When the policy is assigned, it appears in **Compliance**: -- If the assignment is **Audit**, the compliance will report if the Azure AD DS instance is compliant.-- If the assignment is **Deny**, the compliance will prevent an Azure AD DS instance from being created if TLS 1.2 is not required and prevent any update to an Azure AD DS instance until TLS 1.2 is required.+- If the assignment is **Audit**, the compliance will report if the Microsoft Entra DS instance is compliant. +- If the assignment is **Deny**, the compliance will prevent a Microsoft Entra DS instance from being created if TLS 1.2 is not required and prevent any update to a Microsoft Entra DS instance until TLS 1.2 is required. ![Screenshot of Compliance settings](media/secure-your-domain/policy-tls.png) ## Audit NTLM failures -While disabling NTLM password synchronization will improve security, many applications and services are not designed to work without it. For example, connecting to any resource by its IP address, such as DNS Server management or RDP, will fail with Access Denied. If you disable NTLM password synchronization and your application or service isnΓÇÖt working as expected, you can check for NTLM authentication failures by enabling security auditing for the **Logon/Logoff** > **Audit Logon** event category, where NTLM is specified as the **Authentication Package** in the event details. For more information, see [Enable security audits for Azure Active Directory Domain Services](security-audit-events.md). +While disabling NTLM password synchronization will improve security, many applications and services are not designed to work without it. For example, connecting to any resource by its IP address, such as DNS Server management or RDP, will fail with Access Denied. If you disable NTLM password synchronization and your application or service isnΓÇÖt working as expected, you can check for NTLM authentication failures by enabling security auditing for the **Logon/Logoff** > **Audit Logon** event category, where NTLM is specified as the **Authentication Package** in the event details. For more information, see [Enable security audits for Microsoft Entra Domain Services](security-audit-events.md). ## Use PowerShell to harden your domain If needed, [install and configure Azure PowerShell](/powershell/azure/install-azure-powershell). Make sure that you sign in to your Azure subscription using the [Connect-AzAccount][Connect-AzAccount] cmdlet. -Also if needed, [install and configure Azure AD PowerShell](/powershell/azure/active-directory/install-adv2). Make sure that you sign in to your Azure AD tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet. +Also if needed, [install and configure Azure AD PowerShell](/powershell/azure/active-directory/install-adv2). Make sure that you sign in to your Microsoft Entra tenant using the [Connect-AzureAD][Connect-AzureAD] cmdlet. -To disable weak cipher suites and NTLM credential hash synchronization, sign in to your Azure account, then get the Azure AD DS resource using the [Get-AzResource][Get-AzResource] cmdlet: +To disable weak cipher suites and NTLM credential hash synchronization, sign in to your Azure account, then get the Microsoft Entra DS resource using the [Get-AzResource][Get-AzResource] cmdlet: > [!TIP] > If you receive an error using the [Get-AzResource][Get-AzResource] command that the *Microsoft.AAD/DomainServices* resource doesn't exist, [elevate your access to manage all Azure subscriptions and management groups][global-admin]. Next, define *DomainSecuritySettings* to configure the following security option 3. Disable TLS v1. > [!IMPORTANT]-> Users and service accounts can't perform LDAP simple binds if you disable NTLM password hash synchronization in the Azure AD DS managed domain. If you need to perform LDAP simple binds, don't set the *"SyncNtlmPasswords"="Disabled";* security configuration option in the following command. +> Users and service accounts can't perform LDAP simple binds if you disable NTLM password hash synchronization in the Microsoft Entra DS managed domain. If you need to perform LDAP simple binds, don't set the *"SyncNtlmPasswords"="Disabled";* security configuration option in the following command. ```powershell $securitySettings = @{"DomainSecuritySettings"=@{"NtlmV1"="Disabled";"SyncNtlmPasswords"="Disabled";"TlsV1"="Disabled";"KerberosRc4Encryption"="Disabled";"KerberosArmoring"="Disabled"}} ``` -Finally, apply the defined security settings to the managed domain using the [Set-AzResource][Set-AzResource] cmdlet. Specify the Azure AD DS resource from the first step, and the security settings from the previous step. +Finally, apply the defined security settings to the managed domain using the [Set-AzResource][Set-AzResource] cmdlet. Specify the Microsoft Entra DS resource from the first step, and the security settings from the previous step. ```powershell Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $securitySettings -ApiVersion ΓÇ£2021-03-01ΓÇ¥ -Verbose -Force Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $securitySetti It takes a few moments for the security settings to be applied to the managed domain. > [!IMPORTANT]-> After you disable NTLM, perform a full password hash synchronization in Azure AD Connect to remove all the password hashes from the managed domain. If you disable NTLM but don't force a password hash sync, NTLM password hashes for a user account are only removed on the next password change. This behavior could allow a user to continue to sign in if they have cached credentials on a system where NTLM is used as the authentication method. +> After you disable NTLM, perform a full password hash synchronization in Microsoft Entra Connect to remove all the password hashes from the managed domain. If you disable NTLM but don't force a password hash sync, NTLM password hashes for a user account are only removed on the next password change. This behavior could allow a user to continue to sign in if they have cached credentials on a system where NTLM is used as the authentication method. > > Once the NTLM password hash is different from the Kerberos password hash, fallback to NTLM won't work. Cached credentials also no longer work if the VM has connectivity to the managed domain controller. |
active-directory-domain-services | Security Audit Events | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/security-audit-events.md | Title: Enable security and DNS audits for Azure AD Domain Services | Microsoft Docs -description: Learn how to enable security audits to centralize the logging of events for analysis and alerts in Azure AD Domain Services + Title: Enable security and DNS audits for Microsoft Entra Domain Services | Microsoft Docs +description: Learn how to enable security audits to centralize the logging of events for analysis and alerts in Microsoft Entra Domain Services -# Enable security and DNS audits for Azure Active Directory Domain Services +# Enable security and DNS audits for Microsoft Entra Domain Services -Azure Active Directory Domain Services (Azure AD DS) security and DNS audits let Azure stream events to targeted resources. These resources include Azure Storage, Azure Log Analytics workspaces, or Azure Event Hub. After you enable security audit events, Azure AD DS sends all the audited events for the selected category to the targeted resource. +Microsoft Entra Domain Services (Microsoft Entra DS) security and DNS audits let Azure stream events to targeted resources. These resources include Azure Storage, Azure Log Analytics workspaces, or Azure Event Hub. After you enable security audit events, Microsoft Entra DS sends all the audited events for the selected category to the targeted resource. You can archive events into Azure storage and stream events into security information and event management (SIEM) software (or equivalent) using Azure Event Hubs, or do your own analysis and using Azure Log Analytics workspaces from the Microsoft Entra admin center. ## Security audit destinations -You can use Azure Storage, Azure Event Hubs, or Azure Log Analytics workspaces as a target resource for Azure AD DS security audits. These destinations can be combined. For example, you could use Azure Storage for archiving security audit events, but an Azure Log Analytics workspace to analyze and report on the information in the short term. +You can use Azure Storage, Azure Event Hubs, or Azure Log Analytics workspaces as a target resource for Microsoft Entra DS security audits. These destinations can be combined. For example, you could use Azure Storage for archiving security audit events, but an Azure Log Analytics workspace to analyze and report on the information in the short term. The following table outlines scenarios for each destination resource type. > [!IMPORTANT]-> You need to create the target resource before you enable Azure AD DS security audits. You can create these resources using the Microsoft Entra admin center, Azure PowerShell, or the Azure CLI. +> You need to create the target resource before you enable Microsoft Entra DS security audits. You can create these resources using the Microsoft Entra admin center, Azure PowerShell, or the Azure CLI. | Target Resource | Scenario | |:|:|-|Azure Storage| This target should be used when your primary need is to store security audit events for archival purposes. Other targets can be used for archival purposes, however those targets provide capabilities beyond the primary need of archiving. <br /><br />Before you enable Azure AD DS security audit events, first [Create an Azure Storage account](../storage/common/storage-account-create.md).| -|Azure Event Hubs| This target should be used when your primary need is to share security audit events with additional software such as data analysis software or security information & event management (SIEM) software.<br /><br />Before you enable Azure AD DS security audit events, [Create an event hub using Microsoft Entra admin center](../event-hubs/event-hubs-create.md)| -|Azure Log Analytics Workspace| This target should be used when your primary need is to analyze and review secure audits from the Microsoft Entra admin center directly.<br /><br />Before you enable Azure AD DS security audit events, [Create a Log Analytics workspace in the Microsoft Entra admin center.](../azure-monitor/logs/quick-create-workspace.md)| +|Azure Storage| This target should be used when your primary need is to store security audit events for archival purposes. Other targets can be used for archival purposes, however those targets provide capabilities beyond the primary need of archiving. <br /><br />Before you enable Microsoft Entra DS security audit events, first [Create an Azure Storage account](../storage/common/storage-account-create.md).| +|Azure Event Hubs| This target should be used when your primary need is to share security audit events with additional software such as data analysis software or security information & event management (SIEM) software.<br /><br />Before you enable Microsoft Entra DS security audit events, [Create an event hub using Microsoft Entra admin center](../event-hubs/event-hubs-create.md)| +|Azure Log Analytics Workspace| This target should be used when your primary need is to analyze and review secure audits from the Microsoft Entra admin center directly.<br /><br />Before you enable Microsoft Entra DS security audit events, [Create a Log Analytics workspace in the Microsoft Entra admin center.](../azure-monitor/logs/quick-create-workspace.md)| ## Enable security audit events using the Microsoft Entra admin center -To enable Azure AD DS security audit events using the Microsoft Entra admin center, complete the following steps. +To enable Microsoft Entra DS security audit events using the Microsoft Entra admin center, complete the following steps. > [!IMPORTANT]-> Azure AD DS security audits aren't retroactive. You can't retrieve or replay events from the past. Azure AD DS can only send events that occur after security audits are enabled. +> Microsoft Entra DS security audits aren't retroactive. You can't retrieve or replay events from the past. Microsoft Entra DS can only send events that occur af |