Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Active Directory Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/active-directory-technical-profile.md | +<!-- docutune:ignored "AAD-" --> + Azure Active Directory B2C (Azure AD B2C) provides support for the Microsoft Entra user management. This article describes the specifics of a technical profile for interacting with a claims provider that supports this standardized protocol. ## Protocol Azure Active Directory B2C (Azure AD B2C) provides support for the Microsoft Ent The **Name** attribute of the **Protocol** element needs to be set to `Proprietary`. The **handler** attribute must contain the fully qualified name of the protocol handler assembly `Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null`. Following [custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) Microsoft Entra technical profiles include the **AAD-Common** technical profile. The Microsoft Entra technical profiles don't specify the protocol because the protocol is configured in the **AAD-Common** technical profile:- + - **AAD-UserReadUsingAlternativeSecurityId** and **AAD-UserReadUsingAlternativeSecurityId-NoError** - Look up a social account in the directory. - **AAD-UserWriteUsingAlternativeSecurityId** - Create a new social account. - **AAD-UserReadUsingEmailAddress** - Look up a local account in the directory. |
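Review bot: the added intro sentence `+ Azure Active Directory B2C (Azure AD B2C) provides support for the Microsoft Entra user management.` carries a stray article; "provides support for Microsoft Entra user management" reads correctly and matches how the phrase is used in the User Flow Custom Attributes row on this page. The same hunk inserts a `<!-- docutune:ignored "AAD-" -->` marker right before the bullet list of `AAD-*` technical profile names, so confirm the marker is placed where the linter will actually pick it up for every `AAD-` occurrence in the file, not only the first paragraph.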
active-directory-b2c | Azure Monitor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/azure-monitor.md | Watch this video to learn how to configure monitoring for Azure AD B2C using Azu ## Deployment overview -Azure AD B2C uses [Microsoft Entra ID monitoring](../active-directory/reports-monitoring/overview-monitoring-health.md). Unlike Microsoft Entra tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we send the logs. +Azure AD B2C uses [Microsoft Entra monitoring](../active-directory/reports-monitoring/overview-monitoring-health.md). Unlike Microsoft Entra tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we send the logs. To enable _Diagnostic settings_ in Microsoft Entra ID within your Azure AD B2C tenant, you use [Azure Lighthouse](../lighthouse/overview.md) to [delegate a resource](../lighthouse/concepts/architecture.md), which allows your Azure AD B2C (the **Service Provider**) to manage a Microsoft Entra ID (the **Customer**) resource. > [!TIP] To stop collecting logs to your Log Analytics workspace, delete the diagnostic s - For more information about adding and configuring diagnostic settings in Azure Monitor, see [Tutorial: Collect and analyze resource logs from an Azure resource](../azure-monitor/essentials/monitor-azure-resource.md). -- For information about streaming Microsoft Entra ID logs to an event hub, see [Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md).+- For information about streaming Microsoft Entra logs to an event hub, see [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). |
active-directory-b2c | Custom Policies Series Sign Up Or Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policies-series-sign-up-or-sign-in.md | When the custom policy runs: - **Orchestration Step 4** - This step runs if the user signs up (objectId doesn't exist), so we display the sign-up form by invoking the *UserInformationCollector* self-asserted technical profile. This step runs whether a user signs up or signs in. -- **Orchestration Step 5** - This step reads account information from Microsoft Entra ID (we invoke *AAD-UserRead* Microsoft Entra technical profile), so it runs whether a user signs up or signs in. +- **Orchestration Step 5** - This step reads account information from Microsoft Entra ID (we invoke `AAD-UserRead` Microsoft Entra technical profile), so it runs whether a user signs up or signs in. - **Orchestration Step 6** - This step invokes the *UserInputMessageClaimGenerator* technical profile to assemble the userΓÇÖs greeting message. |
active-directory-b2c | Customize Ui | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/customize-ui.md | If you'd like to brand all pages in the user flow, set the page layout version f ## Enable company branding in custom policy pages -Once you've configured company branding, enable it in your custom policy. Configure the [page layout version](contentdefinitions.md#migrating-to-page-layout) with page `contract` version for *all* of the content definitions in your custom policy. The format of the value must contain the word `contract`: _urn:com:microsoft:aad:b2c:elements:**contract**:page-name:version_. To specify a page layout in your custom policies that use an old **DataUri** value. For more information, learn how to [migrate to page layout](contentdefinitions.md#migrating-to-page-layout) with page version. +Once you've configured company branding, enable it in your custom policy. Configure the [page layout version](contentdefinitions.md#migrating-to-page-layout) with page `contract` version for *all* of the content definitions in your custom policy. The format of the value must contain the word `contract`: *urn:com:microsoft:aad:b2c:elements:**contract**:page-name:version*. To specify a page layout in your custom policies that use an old **DataUri** value. For more information, learn how to [migrate to page layout](contentdefinitions.md#migrating-to-page-layout) with page version. The following example shows the content definitions with their corresponding the page contract, and *Ocean Blue* page template: |
active-directory-b2c | Force Password Reset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/force-password-reset.md | Once a password expiration policy has been set, you must also configure force pa ### Password expiry duration -By default, the password is set not to expire. However, the value is configurable by using the [Set-MsolPasswordPolicy](/powershell/module/msonline/set-msolpasswordpolicy) cmdlet from the Azure AD Module for Windows PowerShell. This command updates the tenant, so that all users' passwords expire after number of days you configure. +By default, the password is set not to expire. However, the value is configurable by using the [Set-MsolPasswordPolicy](/powershell/module/msonline/set-msolpasswordpolicy) cmdlet from the Azure AD PowerShell module. This command updates the tenant, so that all users' passwords expire after number of days you configure. ## Next steps |
active-directory-b2c | Javascript And Page Layout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/javascript-and-page-layout.md | For information about the different page layout versions, see the [Page layout v To specify a page layout version for your custom policy pages: 1. Select a [page layout](contentdefinitions.md#select-a-page-layout) for the user interface elements of your application.-1. Define a [page layout version](contentdefinitions.md#migrating-to-page-layout) with page `contract` version for *all* of the content definitions in your custom policy. The format of the value must contain the word `contract`: _urn:com:microsoft:aad:b2c:elements:**contract**:page-name:version_. +1. Define a [page layout version](contentdefinitions.md#migrating-to-page-layout) with page `contract` version for *all* of the content definitions in your custom policy. The format of the value must contain the word `contract`: *urn:com:microsoft:aad:b2c:elements:**contract**:page-name:version*. The following example shows the content definition identifiers and the corresponding **DataUri** with page contract: |
active-directory-b2c | Partner Bindid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-bindid.md | For additional information, review the following articles: - [Azure AD B2C custom policy overview](custom-policy-overview.md) - [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)-- [TransmitSecurity/azure-ad-b2c-bindid-integration](https://github.com/TransmitSecurity/azure-ad-b2c-bindid-integration) See, Azure AD B2C Integration+- [`TransmitSecurity/azure-ad-b2c-bindid-integration`](https://github.com/TransmitSecurity/azure-ad-b2c-bindid-integration) See, Azure AD B2C Integration |
active-directory-b2c | Partner Hypr | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-hypr.md | The following architecture diagram shows the implementation. ## Configure the Azure AD B2C policy -1. Go to [Azure-AD-B2C-HYPR-Sample/policy/](https://github.com/HYPR-Corp-Public/Azure-AD-B2C-HYPR-Sample/tree/master/policy). +1. Go to [`Azure-AD-B2C-HYPR-Sample/policy/`](https://github.com/HYPR-Corp-Public/Azure-AD-B2C-HYPR-Sample/tree/master/policy). 2. Follow the instructions in [Custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) to download [Active-directory-b2c-custom-policy-starterpack/LocalAccounts/](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/master/LocalAccounts) 3. Configure the policy for the Azure AD B2C tenant. |
active-directory-b2c | Partner Saviynt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-saviynt.md | Enable Saviynt to perform user delete operations in Azure AD B2C. Learn more: [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md) -1. Install the latest version of Microsoft Graph PowerShell Module on a Windows workstation or server. +1. Install the latest version of the Microsoft Graph PowerShell module on a Windows workstation or server. For more information, see [Microsoft Graph PowerShell documentation](/powershell/microsoftgraph/). |
active-directory-b2c | Partner Typingdna | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-typingdna.md | These thresholds should be adjusted on your use case. 2. Replace all instances of `apiKey` and `apiSecret` in [TypingDNA-API-Interface](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/TypingDNA/source-code/TypingDNA-API-Interface) solution with the credentials from your TypingDNA dashboard 3. Host the HTML files at your provider of choice following the CORS requirements [here](./customize-ui-with-html.md#3-configure-cors) 4. Replace the LoadURI elements for the `api.selfasserted.tdnasignup` and `api.selfasserted.tdnasignin` content definitions in the `TrustFrameworkExtensions.xml` file to the URI of your hosted HTML files respectively.-5. Create a B2C policy key under identity experience framework in the Microsoft Entra ID blade in the **Azure portal**. Use the `Generate` option and name this key `tdnaHashedId`. +5. Create a B2C policy key under identity experience framework in the Microsoft Entra blade in the Azure portal. Use the `Generate` option and name this key `tdnaHashedId`. 6. Replace the TenantId's in the policy files 7. Replace the ServiceURLs in all TypingDNA REST API technical profiles (REST-TDNA-VerifyUser, REST-TDNA-SaveUser, REST-TDNA-CheckUser) with the endpoint for your [TypingDNA-API-Interface API](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/TypingDNA/source-code/TypingDNA-API-Interface). |
active-directory-b2c | User Flow Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-flow-custom-attributes.md | Extension attributes can only be registered on an application object, even thoug ## Modify your custom policy -To enable custom attributes in your policy, provide **Application ID** and Application **Object ID** in the AAD-Common technical profile metadata. The *AAD-Common* technical profile is found in the base [Microsoft Entra ID](active-directory-technical-profile.md) technical profile, and provides support for Microsoft Entra user management. Other Microsoft Entra technical profiles include the AAD-Common to use its configuration. Override the AAD-Common technical profile in the extension file. +To enable custom attributes in your policy, provide **Application ID** and Application **Object ID** in the **AAD-Common** technical profile metadata. The **AAD-Common*** technical profile is found in the base [Microsoft Entra ID](active-directory-technical-profile.md) technical profile, and provides support for Microsoft Entra user management. Other Microsoft Entra technical profiles include **AAD-Common** to use its configuration. Override the **AAD-Common** technical profile in the extension file. 1. Open the extensions file of your policy. For example, <em>`SocialAndLocalAccounts/`**`TrustFrameworkExtensions.xml`**</em>. 1. Find the ClaimsProviders element. Add a new ClaimsProvider to the ClaimsProviders element. |
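Review bot: the added line has an unbalanced bold marker in `The **AAD-Common*** technical profile`; the third asterisk renders as a literal `*` after the name, so it should be `**AAD-Common**` to match the three other occurrences of the name on the same line.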
active-directory-b2c | User Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/user-migration.md | If the accounts you're migrating have weaker password strength than the [strong ## Next steps -The [azure-ad-b2c/user-migration](https://github.com/azure-ad-b2c/user-migration) repository on GitHub contains a seamless migration custom policy example and REST API code sample: +The [`azure-ad-b2c/user-migration`](https://github.com/azure-ad-b2c/user-migration) repository on GitHub contains a seamless migration custom policy example and REST API code sample: -[Seamless user migration custom policy & REST API code sample](https://aka.ms/b2c-account-seamless-migration) +[Seamless user migration custom policy and REST API code sample](https://aka.ms/b2c-account-seamless-migration) |
active-directory-b2c | View Audit Logs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/view-audit-logs.md | To download the list of activity events in a comma-separated values (CSV) file, <a name='get-audit-logs-with-the-azure-ad-reporting-api'></a> -## Get audit logs with the Microsoft Entra ID reporting API +## Get audit logs with the Microsoft Entra reporting API -Audit logs are published to the same pipeline as other activities for Microsoft Entra ID, so they can be accessed through the [Microsoft Entra ID reporting API](/graph/api/directoryaudit-list). For more information, see [Get started with the Microsoft Entra ID reporting API](../active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md). +Audit logs are published to the same pipeline as other activities for Microsoft Entra ID, so they can be accessed through the [Microsoft Entra reporting API](/graph/api/directoryaudit-list). For more information, see [Get started with the Microsoft Entra reporting API](../active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md). ### Enable reporting API access |
active-directory-domain-services | Alert Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-service-principal.md | If a required service principal is deleted, the Azure platform can't perform aut To check which service principal is missing and must be recreated, complete the following steps: 1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.-1. Search for each of the following application IDs. For Azure Global, search for AppId value *2565bd9d-da50-47d4-8b85-4c97f669dc36*. For other Azure clouds, search for AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. If no existing application is found, follow the *Resolution* steps to create the service principal or re-register the namespace. +1. Search for each of the following application IDs. For Azure Global, search for AppId value `2565bd9d-da50-47d4-8b85-4c97f669dc36`. For other Azure clouds, search for AppId value `6ba9a5d4-8456-4118-b521-9c5ca10cdf84`. If no existing application is found, follow the *Resolution* steps to create the service principal or re-register the namespace. | Application ID | Resolution | | : | : | | 2565bd9d-da50-47d4-8b85-4c97f669dc36 | [Recreate a missing service principal](#recreate-a-missing-service-principal) |- | 443155a6-77f3-45e3-882b-22b3a8d431fb | [Re-register the Microsoft.AAD namespace](#re-register-the-microsoft-aad-namespace) | - | abba844e-bc0e-44b0-947a-dc74e5d09022 | [Re-register the Microsoft.AAD namespace](#re-register-the-microsoft-aad-namespace) | - | d87dcbc6-a371-462e-88e3-28ad15ec4e64 | [Re-register the Microsoft.AAD namespace](#re-register-the-microsoft-aad-namespace) | + | 443155a6-77f3-45e3-882b-22b3a8d431fb | [Re-register the `Microsoft.AAD` namespace](#re-register-the-microsoft-aad-namespace) | + | abba844e-bc0e-44b0-947a-dc74e5d09022 | [Re-register the `Microsoft.AAD` namespace](#re-register-the-microsoft-aad-namespace) | + | d87dcbc6-a371-462e-88e3-28ad15ec4e64 | [Re-register the `Microsoft.AAD` namespace](#re-register-the-microsoft-aad-namespace) | ### Recreate a missing Service Principal The managed domain's health automatically updates itself within two hours and re ### Re-register the Microsoft Entra namespace -If application ID *443155a6-77f3-45e3-882b-22b3a8d431fb*, *abba844e-bc0e-44b0-947a-dc74e5d09022*, or *d87dcbc6-a371-462e-88e3-28ad15ec4e64* is missing from your Microsoft Entra directory, complete the following steps to re-register the *Microsoft.AAD* resource provider: +If application ID `443155a6-77f3-45e3-882b-22b3a8d431fb`, `abba844e-bc0e-44b0-947a-dc74e5d09022`, or `d87dcbc6-a371-462e-88e3-28ad15ec4e64` is missing from your Microsoft Entra directory, complete the following steps to re-register the `Microsoft.AAD` resource provider: 1. In the [Microsoft Entra admin center](https://entra.microsoft.com), search for and select **Subscriptions**. 1. Choose the subscription associated with your managed domain. 1. From the left-hand navigation, choose **Resource Providers**.-1. Search for *Microsoft.AAD*, then select **Re-register**. +1. Search for `Microsoft.AAD`, then select **Re-register**. The managed domain's health automatically updates itself within two hours and removes the alert. |
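Review bot: the three added resolution rows still link to `#re-register-the-microsoft-aad-namespace`, but the section heading visible later in the same hunk reads `### Re-register the Microsoft Entra namespace`, whose auto-generated anchor is `#re-register-the-microsoft-entra-namespace`. Unless an explicit `<a name='re-register-the-microsoft-aad-namespace'>` anchor precedes that heading (the hunk shows one only for the earlier RSAT section in another article, not here), either update the three links or add the anchor so the in-page links resolve. The table header separator also appears as `| : | : |`, which is not a valid alignment row; it should be `| :--- | :--- |` for the table to render.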
active-directory-domain-services | Create Gmsa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-gmsa.md | -Instead, a group managed service account (gMSA) can be created in the Microsoft Entra Domain ServiceS managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources. +Instead, a group managed service account (gMSA) can be created in the Microsoft Entra Domain Services managed domain. The Windows OS automatically manages the credentials for a gMSA, which simplifies the management of large groups of resources. This article shows you how to create a gMSA in a managed domain using Azure PowerShell. |
active-directory-domain-services | How To Data Retrieval | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/how-to-data-retrieval.md | This document describes how to retrieve data from Microsoft Entra Domain Service ## Use Microsoft Entra ID to create, read, update, and delete user objects -You can create a user in the Microsoft Entra portal or by using Graph PowerShell or Graph API. You can also read, update, and delete users. The next sections show how to do these operations in the Microsoft Entra portal. +You can create a user in the Microsoft Entra admin center or by using Graph PowerShell or Graph API. You can also read, update, and delete users. The next sections show how to do these operations in the Microsoft Entra admin center. ### Create, read, or update a user -You can create a new user using the Microsoft Entra portal. +You can create a new user using the Microsoft Entra admin center. To add a new user, follow these steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../active-directory/roles/permissions-reference.md#user-administrator). When a user is deleted, any licenses consumed by the user are made available for <a name='use-rsat-tools-to-connect-to-an-azure-ad-ds-managed-domain-and-view-users'></a> -## Use RSAT tools to connect to a Microsoft Entra DS managed domain and view users +## Use RSAT tools to connect to a Microsoft Entra Domain Services managed domain and view users Sign in to an administrative workstation with a user account that's a member of the *AAD DC Administrators* group. The following steps require installation of [Remote Server Administration Tools (RSAT)](tutorial-create-management-vm.md#install-active-directory-administrative-tools). Sign in to an administrative workstation with a user account that's a member of In the following example output, a user account named *Contoso Admin* and a group for *AAD DC Administrators* are shown in this container. - ![View the list of Microsoft Entra DS domain users in the Active Directory Administrative Center](./media/tutorial-create-management-vm/list-azure-ad-users.png) + ![View the list of Microsoft Entra Domain Services domain users in the Active Directory Administrative Center](./media/tutorial-create-management-vm/list-azure-ad-users.png) 1. To see the computers that are joined to the managed domain, select the **AADDC Computers** container. An entry for the current virtual machine, such as *myVM*, is listed. Computer accounts for all devices that are joined to the managed domain are stored in this *AADDC Computers* container. You can also use the *Active Directory Module for Windows PowerShell*, installed as part of the administrative tools, to manage common actions in your managed domain. ## Next steps-* [Microsoft Entra DS Overview](overview.md) +* [Microsoft Entra Domain Services Overview](overview.md) |
active-directory-domain-services | Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/synchronization.md | Title: How synchronization works in Microsoft Entra Domain Services | Microsoft Docs -description: Learn how the synchronization process works between Microsoft Entra or an on-premises environment to a Microsoft Entra Domain Services managed domain. +description: Learn how the synchronization process works between Microsoft Entra ID or an on-premises environment to a Microsoft Entra Domain Services managed domain. |
active-directory | On Premises Ecma Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md | By default, the agent emits minimal error messages and stack trace information. To gather more information for troubleshooting agent-related problems: - 1. Install the AADCloudSyncTools PowerShell module as described in [AADCloudSyncTools PowerShell Module for Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/reference-powershell.md#install-the-aadcloudsynctools-powershell-module). + 1. Install the `AADCloudSyncTools` PowerShell module as described in [`AADCloudSyncTools` PowerShell module for Microsoft Entra Connect cloud sync](../hybrid/cloud-sync/reference-powershell.md#install-the-aadcloudsynctools-powershell-module). 2. Use the `Export-AADCloudSyncToolsLogs` PowerShell cmdlet to capture the information. Use the following switches to fine-tune your data collection. Use: - **SkipVerboseTrace** to only export current logs without capturing verbose logs (default = false). |
active-directory | On Premises Powershell Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-powershell-connector.md | The connector provides a bridge between the capabilities of the ECMA Connector H If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).-1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**. +1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud Sync** > **Agents**. :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png"::: 1. Select **Download on-premises agent**, review the terms of service, then select **Accept terms & download**. > [!NOTE]- > Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. + > Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. 1. Open the provisioning agent installer, agree to the terms of service, and select **next**. 1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.-1. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. -1. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role. +1. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. +1. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role. 1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. ## Configure the On-premises ECMA app Follow these steps to confirm that the connector host has started and has identi 1. Enter the **Secret Token** value that you defined when you created the connector. > [!NOTE]- > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent** service, right-click the service, and restart. + > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent** service, right-click the service, and restart. 1. Select **Test Connection**, and wait one minute. 1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**. Return to the web browser window where you were configuring the application prov 1. Enter the **Secret Token** value that you defined when you created the connector. > [!NOTE]- > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart. + > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent Service**, right-click the service, and restart. 1. Select **Test Connection**, and wait one minute. 1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**. You'll use the Azure portal to configure the mapping between the Microsoft Entra 1. Select the **On-premises ECMA app** application. 1. Select **Provisioning**. 1. Select **Edit provisioning**, and wait 10 seconds.-1. Expand **Mappings** and select **Provision Azure Active Directory Users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder. -1. To confirm that the schema is available in Azure AD, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list. +1. Expand **Mappings** and select **Provision Microsoft Entra users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder. +1. To confirm that the schema is available in Microsoft Entra ID, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list. 1. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning. Change the value to match the following: |Mapping type|Source attribute|Target attribute| |
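Review bot: several of the renamed strings in this row are UI labels the reader is told to find on screen, not product prose: the Windows service to restart (`**Azure AD Connect Provisioning Agent**` becomes `**Microsoft Entra Connect Provisioning Agent**` in both notes), the portal path `**Identity** > **Hybrid management** > **Microsoft Entra Connect**`, and the mapping name `**Provision Microsoft Entra users**` (previously `**Provision Azure Active Directory Users**`). Confirm each matches what the installed agent and the portal actually display; a renamed label that the UI does not yet show leaves the reader unable to locate the service or mapping. The adjacent SCIM row renames the same service from `**Microsoft Azure AD Connect Provisioning Agent**`, so the two articles also disagree on the old name and should be checked against the same source.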
active-directory | On Premises Scim Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-scim-provisioning.md | The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).-1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**. +1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud Sync** > **Agents**. :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png"::: Once the agent is installed, no further configuration is necessary on-premises, 1. From the left hand menu navigate to the **Provisioning** option and select **Get started**. 1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option. 1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.-1. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection. +1. Now either wait 10 minutes or restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection. 1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. 
An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png) |
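Review bot: the added step "restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection" keeps an ampersand in running prose; spell out "and". The same service is named "Microsoft Entra Connect Provisioning Agent Service" in the on-premises application provisioning changes on this page, so align the display name across the two articles.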
active-directory | Plan Cloud Hr Provision | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md | To review these events and all other activities performed by the provisioning se #### Azure Monitor logs -All activities performed by the provisioning service are recorded in the Microsoft Entra audit logs. You can route Microsoft Entra audit logs to Azure Monitor logs for further analysis. With Azure Monitor logs (also known as Log Analytics workspace), you can query data to find events, analyze trends, and perform correlation across various data sources. Watch this [video](https://youtu.be/MP5IaCTwkQg) to learn the benefits of using Azure Monitor logs for Microsoft Entra ID logs in practical user scenarios. +All activities performed by the provisioning service are recorded in the Microsoft Entra audit logs. You can route Microsoft Entra audit logs to Azure Monitor logs for further analysis. With Azure Monitor logs (also known as Log Analytics workspace), you can query data to find events, analyze trends, and perform correlation across various data sources. Watch this [video](https://youtu.be/MP5IaCTwkQg) to learn the benefits of using Azure Monitor logs for Microsoft Entra logs in practical user scenarios. Install the [log analytics views for Microsoft Entra activity logs](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) to get access to [prebuilt reports](https://github.com/AzureAD/Deployment-Plans/tree/master/Log%20Analytics%20Views) around provisioning events in your environment. |
active-directory | Provision On Demand | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provision-on-demand.md | Use on-demand provisioning to provision a user or group in seconds. Among other 6. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to five users. > [!NOTE]- > For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different. + > For Cloud HR provisioning app (Workday / SuccessFactors to Active Directory / Microsoft Entra ID), the input value is different. > For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday. > For SuccessFactors scenario, please provide "personIdExternal" of the user in SuccessFactors. There are currently a few known limitations to on-demand provisioning. Post your ::: zone pivot="cross-tenant-synchronization" * On-demand provisioning of groups is not supported for cross-tenant synchronization. ::: zone-end-* On-demand provisioning supports provisioning one user at a time through the Microsoft Entra portal. +* On-demand provisioning supports provisioning one user at a time through the Microsoft Entra admin center. * Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft-delete a user with on-demand provisioning and then restore the user, it can result in duplicate users. * On-demand provisioning of roles isn't supported. * On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Microsoft Entra ID. Those users don't appear when you search for a user. |
active-directory | Sap Successfactors Attribute Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-attribute-reference.md | In this article, you'll find information on: The table below captures the list of SuccessFactors attributes included by default in the following two provisioning apps: - [SuccessFactors to Active Directory User Provisioning](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)-- [SuccessFactors to Microsoft Entra User Provisioning](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md)+- [SuccessFactors to Microsoft Entra user provisioning](../saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial.md) Please refer to the [SAP SuccessFactors integration reference](./sap-successfactors-integration-reference.md#retrieving-more-attributes) to extend the schema for additional attributes. Please refer to the [SAP SuccessFactors integration reference](./sap-successfact ## Default attribute mapping -The table below provides the default attribute mapping between SuccessFactors attributes listed above and AD/Azure AD attributes. In the Microsoft Entra provisioning app "Mapping" blade, you can modify this default mapping to include attributes from the list above. +The table below provides the default attribute mapping between SuccessFactors attributes listed above and Active Directory / Microsoft Entra attributes. In the Microsoft Entra provisioning app "Mapping" blade, you can modify this default mapping to include attributes from the list above. 
-| \# | SuccessFactors Entity | SuccessFactors Attribute | Default AD/Azure AD attribute mapping | Processing Remark | +| \# | SuccessFactors Entity | SuccessFactors Attribute | Default attribute mapping | Processing Remark | |-|-|--|--|-| | 1 | PerPerson | personIdExternal | employeeId | Used as matching attribute | | 2 | PerPerson | perPersonUuid | \[Not mapped \- used as source anchor\] | During initial sync, the Provisioning Service links the personUuid to existing objectGuid\. | |
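Review bot: the new header "Default attribute mapping" drops the information that this column holds Active Directory / Microsoft Entra attributes, which the preceding paragraph still spells out. Consider "Default Active Directory / Microsoft Entra attribute mapping" so the table is self-describing when read apart from its intro.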
active-directory | Sap Successfactors Integration Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md | Use the steps to update your mapping to retrieve these codes. | Provisioning Job | Account status attribute | Mapping expression | | - | | | | SuccessFactors to Active Directory User Provisioning | `accountDisabled` | `Switch([emplStatus], "True", "A", "False", "U", "False", "P", "False")` |- | SuccessFactors to Microsoft Entra User Provisioning | `accountEnabled` | `Switch([emplStatus], "False", "A", "True", "U", "True", "P", "True")` | + | SuccessFactors to Microsoft Entra user provisioning | `accountEnabled` | `Switch([emplStatus], "False", "A", "True", "U", "True", "P", "True")` | 1. Save the changes. 1. Test the configuration using [provision on demand](provision-on-demand.md). This section describes how you can update the JSONPath settings to definitely re | Provisioning Job | Account status attribute | Expression to use if account status is based on "activeEmploymentsCount" | Expression to use if account status is based on "emplStatus" value | | -- | | -- | - | | SuccessFactors to Active Directory User Provisioning | `accountDisabled` | `Switch([activeEmploymentsCount], "False", "0", "True")` | `Switch([emplStatus], "True", "A", "False", "U", "False", "P", "False")` |- | SuccessFactors to Microsoft Entra User Provisioning | `accountEnabled` | `Switch([activeEmploymentsCount], "True", "0", "False")` | `Switch([emplStatus], "False", "A", "True", "U", "True", "P", "True")` | + | SuccessFactors to Microsoft Entra user provisioning | `accountEnabled` | `Switch([activeEmploymentsCount], "True", "0", "False")` | `Switch([emplStatus], "False", "A", "True", "U", "True", "P", "True")` | 1. Save your changes. 1. 1. Test the configuration using [provision on demand](provision-on-demand.md). |
active-directory | Use Scim To Provision Users And Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md | There are several endpoints defined in the SCIM RFC. You can start with the `/Us The Microsoft Entra provisioning service is designed to support a SCIM 2.0 user management API. > [!IMPORTANT]-> The behavior of the Microsoft Entra SCIM implementation was last updated on December 18, 2018. For information on what changed, see [SCIM 2.0 protocol compliance of the Microsoft Entra User Provisioning service](application-provisioning-config-problem-scim-compatibility.md). +> The behavior of the Microsoft Entra SCIM implementation was last updated on December 18, 2018. For information on what changed, see [SCIM 2.0 protocol compliance of the Microsoft Entra user provisioning service](application-provisioning-config-problem-scim-compatibility.md). Within the SCIM 2.0 protocol specification, your application must support these requirements: Use the general guidelines when implementing a SCIM endpoint to ensure compatibi * `id` is a required property for all resources. Every response that returns a resource should ensure each resource has this property, except for `ListResponse` with zero elements. * Values sent should be stored in the same format they were sent. Invalid values should be rejected with a descriptive, actionable error message. Transformations of data shouldn't happen between data from Microsoft Entra ID and data stored in the SCIM application. (for example. A phone number sent as 55555555555 shouldn't be saved/returned as +5 (555) 555-5555) * It isn't necessary to include the entire resource in the **PATCH** response.-* Don't require a case-sensitive match on structural elements in SCIM, in particular **PATCH** `op` operation values, as defined in [section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). 
Azure AD emits the values of `op` as **Add**, **Replace**, and **Remove**. -* Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow. +* Don't require a case-sensitive match on structural elements in SCIM, in particular **PATCH** `op` operation values, as defined in [section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Microsoft Entra ID emits the values of `op` as **Add**, **Replace**, and **Remove**. +* Microsoft Entra ID makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow. * Support HTTPS on your SCIM endpoint. * Custom complex and multivalued attributes are supported but Microsoft Entra ID doesn't have many complex data structures to pull data from in these cases. Name/value attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes isn't supported. * The "type" subattribute values of multivalued complex attributes must be unique. For example, there can't be two different email addresses with the "work" subtype. Use the general guidelines when implementing a SCIM endpoint to ensure compatibi ### Retrieving Resources: * Response to a query/filter request should always be a `ListResponse`.-* Microsoft Azure AD only uses the following operators: `eq`, `and` +* Microsoft Entra-only uses the following operators: `eq`, `and` * The attribute that the resources can be queried on should be set as a matching attribute on the application, see [Customizing User Provisioning Attribute Mappings](customize-application-attributes.md). ### /Users: |
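Review bot: the added line "Microsoft Entra-only uses the following operators: `eq`, `and`" has a stray hyphen that turns the product name into a compound adjective; it should read "Microsoft Entra ID only uses the following operators: `eq`, `and`", matching the form used in the other added bullet ("Microsoft Entra ID makes requests to fetch a random user and group ...").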
active-directory | User Provisioning Sync Attributes For Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md | Get-AzureADUser -ObjectId 0ccf8df6-62f1-4175-9e55-73da9e742690 | Select -ExpandP ``` ## Create an extension attribute using cloud sync-Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to autodiscover these attributes and set up a corresponding mapping to Azure AD. +Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to autodiscover these attributes and set up a corresponding mapping to Microsoft Entra ID. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).-1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync**. +1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud Sync**. 1. Select the configuration you wish to add the extension attribute and mapping. 1. Under **Manage attributes** select **click to edit mappings**. 1. Select **Add attribute mapping**. The attributes will automatically be discovered. |
active-directory | Workday Integration Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-integration-reference.md | To retrieve these data sets: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications**.-1. Select your Workday to AD/Azure AD user provisioning application. +1. Select your Workday to Active Directory / Microsoft Entra user provisioning application. 1. Select **Provisioning**. 1. Edit the mappings and open the Workday attribute list from the advanced section. -1. Add the following attributes definitions and mark them as "Required". These attributes aren't mapped to any attribute in AD or Azure AD. They serve as signals to the connector to retrieve the Cost Center, Cost Center Hierarchy and Pay Group information. +1. Add the following attributes definitions and mark them as "Required". These attributes aren't mapped to any attribute in Active Directory or Microsoft Entra ID. They serve as signals to the connector to retrieve the Cost Center, Cost Center Hierarchy and Pay Group information. > [!div class="mx-tdCol2BreakAll"] >| Attribute Name | XPATH API expression | |
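Review bot: the added step reads "Add the following attributes definitions"; it should be "attribute definitions". While this step list is being touched, the unchanged sign-in step reads "as at least a [Application Administrator]" and needs "an".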
active-directory | Workday Retrieve Pronoun Information | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-retrieve-pronoun-information.md | Once you confirm that pronoun data is available in the *Get_Workers* response, g <a name='updating-azure-ad-provisioning-app-to-retrieve-pronouns'></a> -To retrieve pronouns from Workday, update your Azure AD provisioning app to query Workday using v38.1 of the Workday Web Services. We recommend testing this configuration first in your test/sandbox environment before implementing the change in production. +To retrieve pronouns from Workday, update your Microsoft Entra provisioning app to query Workday using v38.1 of the Workday Web Services. We recommend testing this configuration first in your test/sandbox environment before implementing the change in production. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications**.-1. Select your Workday to AD/Azure AD user provisioning application and go to **Provisioning** . +1. Select your Workday to Active Directory / Microsoft Entra user provisioning application and go to **Provisioning** . 1. In the **Admin Credentials** section, update the **Tenant URL** to include the Workday Web Service version v38.1 as shown. >[!div class="mx-imgBorder"] |
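Review bot: the added step "... go to **Provisioning** ." has a space before the period; write "go to **Provisioning**." The sign-in step above it has the same "a [Application Administrator]" article slip as in the Workday integration reference changes.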
active-directory | App Proxy Protect Ndes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/app-proxy-protect-ndes.md | Microsoft Entra application proxy is built on Azure. It gives you a massive amou ![The new Microsoft Entra application proxy connector shown as active in the Microsoft Entra admin center](./media/app-proxy-protect-ndes/connected-app-proxy.png) > [!NOTE]- > To provide high availability for applications authenticating through the Microsoft Entra application proxy, you can install connectors on multiple VMs. Repeat the same steps listed in the previous section to install the connector on other servers joined to the Microsoft Entra DS managed domain. + > To provide high availability for applications authenticating through the Microsoft Entra application proxy, you can install connectors on multiple VMs. Repeat the same steps listed in the previous section to install the connector on other servers joined to the Microsoft Entra Domain Services managed domain. 1. After successful installation, go back to the Microsoft Entra admin center. |
active-directory | Powershell Get All App Proxy Apps With Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-with-policy.md | This PowerShell script example lists all the Microsoft Entra application proxy a [!INCLUDE [cloud-shell-try-it.md](../../../../includes/cloud-shell-try-it.md)] -This sample requires the [Microsoft Entra V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true) (AzureADPreview). +This sample requires the [Azure Active Directory PowerShell 2.0 for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true) (AzureADPreview). ## Sample script |
active-directory | 4 Secure Access Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/4-secure-access-groups.md | Determine who is granted permissions to create groups: Administrators, employees * Internal and external users can join groups in your tenant * Users can create Microsoft 365 Groups * [Manage who can create Microsoft 365 Groups](/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide&preserve-view=true) - * Use Windows PowerShell to configure this setting + * Use PowerShell to configure this setting * [Restrict your Microsoft Entra app to a set of users in a Microsoft Entra tenant](../develop/howto-restrict-your-app-to-a-set-of-users.md) * [Set up self-service group management in Microsoft Entra ID](../enterprise-users/groups-self-service-management.md) * [Troubleshoot and resolve groups issues](../enterprise-users/groups-troubleshooting.md) |
active-directory | 9 Secure Access Teams Sharepoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/9-secure-access-teams-sharepoint.md | Sharing in Microsoft 365 is partially governed by the **External Identities, Ext Learn more: * [Microsoft Entra admin center](https://entra.microsoft.com)-* [External Identities in Azure AD](../external-identities/external-identities-overview.md) +* [External Identities in Microsoft Entra ID](../external-identities/external-identities-overview.md) ### Guest user access |
active-directory | Monitor Sign In Health For Resilience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/monitor-sign-in-health-for-resilience.md | During an impacting event, two things may happen: - A Microsoft Entra tenant. - A user with global administrator or security administrator role for the Microsoft Entra tenant. - A Log Analytics workspace in your Azure subscription to send logs to Azure Monitor logs. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).-- Microsoft Entra ID logs integrated with Azure Monitor logs. Learn how to [Integrate Microsoft Entra Sign- in Logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)+- Microsoft Entra ID logs integrated with Azure Monitor logs. Learn how to [Integrate Microsoft Entra sign-in logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) ## Configure the App sign-in health workbook |
active-directory | Ops Guide Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/ops-guide-auth.md | If available, use a security information and event management (SIEM) solution t <a name='azure-ad-logs-archived-and-integrated-with-incident-response-plans'></a> -### Microsoft Entra ID logs archived and integrated with incident response plans +### Microsoft Entra logs archived and integrated with incident response plans -Having access to sign-in activity, audits and risk events for Microsoft Entra ID is crucial for troubleshooting, usage analytics, and forensics investigations. Microsoft Entra ID provides access to these sources through REST APIs that have a limited retention period. A security information and event management (SIEM) system, or equivalent archival technology, is key for long-term storage of audits and supportability. To enable long-term storage of Microsoft Entra ID Logs, you must either add them to your existing SIEM solution or use [Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md). Archive logs that can be used as part of your incident response plans and investigations. +Having access to sign-in activity, audits and risk events for Microsoft Entra ID is crucial for troubleshooting, usage analytics, and forensics investigations. Microsoft Entra ID provides access to these sources through REST APIs that have a limited retention period. A security information and event management (SIEM) system, or equivalent archival technology, is key for long-term storage of audits and supportability. To enable long-term storage of Microsoft Entra logs, you must either add them to your existing SIEM solution or use [Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md). Archive logs that can be used as part of your incident response plans and investigations. 
#### Logs recommended reading - [Microsoft Entra ID audit API reference](/graph/api/resources/directoryaudit) - [Microsoft Entra sign-in activity report API reference](/graph/api/resources/signin)-- [Get data using the Microsoft Entra ID Reporting API with certificates](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md)+- [Get data using the Microsoft Entra reporting API with certificates](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) - [Microsoft Graph for Microsoft Entra ID Protection](../identity-protection/howto-identity-protection-graph-api.md) - [Office 365 Management Activity API reference](/office/office-365-management-api/office-365-management-activity-api-reference) - [How to use the Microsoft Entra ID Power BI Content Pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md) There are 12 aspects to a secure Identity infrastructure. This list will help yo - Lock down legacy authentication protocols. - Detect and remediate illicit consent grants. - Lock down user and group settings.-- Enable long-term storage of Microsoft Entra ID logs for troubleshooting, usage analytics, and forensics investigations.+- Enable long-term storage of Microsoft Entra logs for troubleshooting, usage analytics, and forensics investigations. ## Next steps |
active-directory | Protect M365 From On Premises Attacks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/protect-m365-from-on-premises-attacks.md | Deploy Microsoft Entra joined Windows 10 workstations with mobile device managem - **Application and workload servers** - Applications or resources that required servers can be migrated to Azure infrastructure as a service (IaaS). Use Microsoft Entra Domain Services (Microsoft Entra DS) to decouple trust and dependency on on-premises instances of Active Directory. To achieve this decoupling, make sure virtual networks used for Microsoft Entra DS don't have a connection to corporate networks. See [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md). + Applications or resources that required servers can be migrated to Azure infrastructure as a service (IaaS). Use Microsoft Entra Domain Services to decouple trust and dependency on on-premises instances of Active Directory. To achieve this decoupling, make sure virtual networks used for Microsoft Entra Domain Services don't have a connection to corporate networks. See [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md). Use credential tiering. Application servers are typically considered tier-1 assets. For more information, see [Enterprise access model](/security/compass/privileged-access-access-model#ADATM_BM). Use Microsoft Entra Conditional Access to interpret signals and use them to make ## Monitor -After you configure your environment to protect your Microsoft 365 from an on-premises compromise, proactively monitor the environment. For more information, see [What is Microsoft Entra ID monitoring](../reports-monitoring/overview-monitoring.md). +After you configure your environment to protect your Microsoft 365 from an on-premises compromise, proactively monitor the environment. 
For more information, see [What is Microsoft Entra monitoring?](../reports-monitoring/overview-monitoring-health.md) ### Scenarios to monitor Monitor the following key scenarios, in addition to any scenarios specific to yo Define a log storage and retention strategy, design, and implementation to facilitate a consistent tool set. For example, you could consider security information and event management (SIEM) systems like Microsoft Sentinel, common queries, and investigation and forensics playbooks. -- **Microsoft Entra ID logs**. Ingest generated logs and signals by consistently following best practices for settings such as diagnostics, log retention, and SIEM ingestion.+- **Microsoft Entra logs**. Ingest generated logs and signals by consistently following best practices for settings such as diagnostics, log retention, and SIEM ingestion. - The log strategy must include the following Microsoft Entra ID logs: + The log strategy must include the following Microsoft Entra logs: - Sign-in activity - Audit logs Define a log storage and retention strategy, design, and implementation to facil Use the Microsoft Graph API to ingest risk events. See [Use the Microsoft Graph identity protection APIs](/graph/api/resources/identityprotection-root). - You can stream Microsoft Entra ID logs to Azure Monitor logs. See [Integrate Microsoft Entra ID logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). + You can stream Microsoft Entra logs to Azure Monitor logs. See [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). - **Hybrid infrastructure operating system security logs**. All hybrid identity infrastructure operating system logs should be archived and carefully monitored as a tier-0 system, because of the surface-area implications. Include the following elements: |
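Review bot: the rewritten paragraph keeps "Applications or resources that required servers can be migrated to Azure infrastructure as a service (IaaS)"; it should be "that require servers" (present tense, since it describes the category of workloads being migrated).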
active-directory | Resilience Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-client-app.md | We recommend developers build a process to use the latest MSAL release because a Find the latest version and release notes: -* [microsoft-authentication-library-for--js](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases) -* [microsoft-authentication-library-for--dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/releases) -* [microsoft-authentication-library-for--python](https://github.com/AzureAD/microsoft-authentication-library-for-python/releases) -* [microsoft-authentication-library-for--java](https://github.com/AzureAD/microsoft-authentication-library-for-java/releases) -* [microsoft-authentication-library-for--objc](https://github.com/AzureAD/microsoft-authentication-library-for-objc/releases) -* [microsoft-authentication-library-for--android](https://github.com/AzureAD/microsoft-authentication-library-for-android/releases) -* [microsoft-authentication-library-for--js](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases) -* [microsoft-identity-web](https://github.com/AzureAD/microsoft-identity-web/releases) +* [`microsoft-authentication-library-for-js`](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases) +* [`microsoft-authentication-library-for-dotnet`](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/releases) +* [`microsoft-authentication-library-for-python`](https://github.com/AzureAD/microsoft-authentication-library-for-python/releases) +* [`microsoft-authentication-library-for-java`](https://github.com/AzureAD/microsoft-authentication-library-for-java/releases) +* [`microsoft-authentication-library-for-objc`](https://github.com/AzureAD/microsoft-authentication-library-for-objc/releases) +* 
[`microsoft-authentication-library-for-android`](https://github.com/AzureAD/microsoft-authentication-library-for-android/releases) +* [`microsoft-authentication-library-for-js`](https://github.com/AzureAD/microsoft-authentication-library-for-js/releases) +* [`microsoft-identity-web`](https://github.com/AzureAD/microsoft-identity-web/releases) ## Resilient patterns for token handling Learn more: * [Conditional Access policy evaluation](../conditional-access/concept-continuous-access-evaluation.md#conditional-access-policy-evaluation) * [How to use CAE enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md) -If you develop resource APIs, go to openid.net for [Shared Signals ΓÇô A Secure Webhooks Framework](https://openid.net/wg/sse/). +If you develop resource APIs, go to `openid.net` for [Shared Signals ΓÇô A Secure Webhooks Framework](https://openid.net/wg/sse/). ## Next steps |
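Review bot: the rebuilt list still contains `microsoft-authentication-library-for-js` twice (first and seventh items); drop the duplicate. The added line "[Shared Signals ΓÇô A Secure Webhooks Framework]" carries a mojibake sequence where an en dash should be; replace "ΓÇô" with "–" before merging, and reconsider putting `openid.net` in code font, since it is a site name rather than an identifier.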
active-directory | Secure Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-best-practices.md | Detailed information on using automated or manual processes and tools to monitor Some environments might have regulatory requirements that limit which data (if any) can leave a given environment. If centralized monitoring across environments isn't possible, teams should have operational procedures to correlate activities of identities across environments for auditing and forensics purposes such as cross-environment lateral movement attempts. It's recommended that the object unique identifiers human identities belonging to the same person is discoverable, potentially as part of the identity provisioning systems. -The log strategy must include the following Microsoft Entra ID logs for each tenant used in the organization: +The log strategy must include the following Microsoft Entra logs for each tenant used in the organization: * Sign-in activity |
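Review bot: the unchanged sentence just above the edited line, `It's recommended that the object unique identifiers human identities belonging to the same person is discoverable`, is missing a preposition and has a number-agreement error, and it is the one sentence in the paragraph that states the actual control for cross-environment correlation; suggest `It's recommended that the unique object identifiers of human identities belonging to the same person are discoverable, potentially as part of the identity provisioning systems.` The branding change itself (`Microsoft Entra ID logs` to `Microsoft Entra logs`) is consistent with the same rename applied to the other articles in this batch.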
active-directory | Secure Resource Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-resource-management.md | Internally, managed identities are service principals of a special type, to only ## Microsoft Entra Domain Services -Microsoft Entra Domain Services (Microsoft Entra DS) provides a managed domain to facilitate authentication for Azure workloads using legacy protocols. Supported servers are moved from an on-premises AD DS forest and joined to a Microsoft Entra DS managed domain and continue to use legacy protocols for authentication (for example, Kerberos authentication). +Microsoft Entra Domain Services provides a managed domain to facilitate authentication for Azure workloads using legacy protocols. Supported servers are moved from an on-premises AD DS forest and joined to a Microsoft Entra Domain Services managed domain and continue to use legacy protocols for authentication (for example, Kerberos authentication). ## Azure AD B2C directories and Azure There are three key options regarding isolation management of IaaS workloads: * Virtual machines joined to stand-alone Active Directory Domain Services (AD DS) -* Microsoft Entra Domain Services (Microsoft Entra DS) joined virtual machines +* Microsoft Entra Domain Services joined virtual machines * Sign-in to virtual machines in Azure using Microsoft Entra authentication A key concept to address with the first two options is that there are two identity realms that are involved in these scenarios. -* When you sign in to an Azure Windows Server VM via remote desktop protocol (RDP), you're generally logging on to the server using your domain credentials, which performs a Kerberos authentication against an on-premises AD DS domain controller or Microsoft Entra DS. Alternatively, if the server isn't domain-joined then a local account can be used to sign in to the virtual machines. 
+* When you sign in to an Azure Windows Server VM via remote desktop protocol (RDP), you're generally logging on to the server using your domain credentials, which performs a Kerberos authentication against an on-premises AD DS domain controller or Microsoft Entra Domain Services. Alternatively, if the server isn't domain-joined then a local account can be used to sign in to the virtual machines. * When you sign in to the Azure portal to create or manage a VM, you're authenticating against Microsoft Entra ID (potentially using the same credentials if you've synchronized the correct accounts), and this could result in an authentication against your domain controllers should you be using Active Directory Federation Services (AD FS) or PassThrough Authentication. AD DS domain controllers: a minimum of two AD DS domain controllers must be depl ### Microsoft Entra Domain Services joined virtual machines -When a requirement exists to deploy IaaS workloads to Azure that require identity isolation from AD DS administrators and users in another forest, then a Microsoft Entra Domain Services (Microsoft Entra DS) managed domain can be deployed. Microsoft Entra DS is a service that provides a managed domain to facilitate authentication for Azure workloads using legacy protocols. This provides an isolated domain without the technical complexities of building and managing your own AD DS. The following considerations need to be made. +When a requirement exists to deploy IaaS workloads to Azure that require identity isolation from AD DS administrators and users in another forest, then a Microsoft Entra Domain Services managed domain can be deployed. Microsoft Entra Domain Services is a service that provides a managed domain to facilitate authentication for Azure workloads using legacy protocols. This provides an isolated domain without the technical complexities of building and managing your own AD DS. The following considerations need to be made. 
-![Diagram that shows Microsoft Entra DS virtual machine management.](media/secure-resource-management/vm-to-domain-services.png) +![Diagram that shows Microsoft Entra Domain Services virtual machine management.](media/secure-resource-management/vm-to-domain-services.png) -**Microsoft Entra DS managed domain** - Only one Microsoft Entra DS managed domain can be deployed per Microsoft Entra tenant and this is bound to a single VNet. It's recommended that this VNet forms the "hub" for Microsoft Entra DS authentication. From this hub, "spokes" can be created and linked to allow legacy authentication for servers and applications. The spokes are additional VNets on which Microsoft Entra DS joined servers are located and are linked to the hub using Azure network gateways or VNet peering. +**Microsoft Entra Domain Services managed domain** - Only one Microsoft Entra Domain Services managed domain can be deployed per Microsoft Entra tenant and this is bound to a single VNet. It's recommended that this VNet forms the "hub" for Microsoft Entra Domain Services authentication. From this hub, "spokes" can be created and linked to allow legacy authentication for servers and applications. The spokes are additional VNets on which Microsoft Entra Domain Services joined servers are located and are linked to the hub using Azure network gateways or VNet peering. -**Managed domain location** - A location must be set when deploying a Microsoft Entra DS managed domain. The location is a physical region (data center) where the managed domain is deployed. It's recommended you: +**Managed domain location** - A location must be set when deploying a Microsoft Entra Domain Services managed domain. The location is a physical region (data center) where the managed domain is deployed. It's recommended you: -* Consider a location that is geographically closed to the servers and applications that require Microsoft Entra DS services. 
+* Consider a location that is geographically closed to the servers and applications that require Microsoft Entra Domain Services services. * Consider regions that provide Availability Zones capabilities for high availability requirements. For more information, see [Regions and Availability Zones in Azure](../../reliability/availability-zones-service-support.md). -**Object provisioning** - Microsoft Entra DS synchronizes identities from the Microsoft Entra ID that is associated with the subscription that Microsoft Entra DS is deployed into. It's also worth noting that if the associated Microsoft Entra ID has synchronization set up with Microsoft Entra Connect (user forest scenario) then the life cycle of these identities can also be reflected in Microsoft Entra DS. This service has two modes that can be used for provisioning user and group objects from Microsoft Entra ID. +**Object provisioning** - Microsoft Entra Domain Services synchronizes identities from the Microsoft Entra ID that is associated with the subscription that Microsoft Entra Domain Services is deployed into. It's also worth noting that if the associated Microsoft Entra ID has synchronization set up with Microsoft Entra Connect (user forest scenario) then the life cycle of these identities can also be reflected in Microsoft Entra Domain Services. This service has two modes that can be used for provisioning user and group objects from Microsoft Entra ID. -* **All**: All users and groups are synchronized from Microsoft Entra ID into Microsoft Entra DS. +* **All**: All users and groups are synchronized from Microsoft Entra ID into Microsoft Entra Domain Services. -* **Scoped**: Only users in scope of a group(s) are synchronized from Microsoft Entra ID into Microsoft Entra DS. +* **Scoped**: Only users in scope of a group(s) are synchronized from Microsoft Entra ID into Microsoft Entra Domain Services. 
-When you first deploy Microsoft Entra DS, an automatic one-way synchronization is configured to replicate the objects from Microsoft Entra ID. This one-way synchronization continues to run in the background to keep the Microsoft Entra DS managed domain up to date with any changes from Microsoft Entra ID. No synchronization occurs from Microsoft Entra DS back to Microsoft Entra ID. For more information, see [How objects and credentials are synchronized in a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/synchronization.md). +When you first deploy Microsoft Entra Domain Services, an automatic one-way synchronization is configured to replicate the objects from Microsoft Entra ID. This one-way synchronization continues to run in the background to keep the Microsoft Entra Domain Services managed domain up to date with any changes from Microsoft Entra ID. No synchronization occurs from Microsoft Entra Domain Services back to Microsoft Entra ID. For more information, see [How objects and credentials are synchronized in a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/synchronization.md). -It's worth noting that if you need to change the type of synchronization from All to Scoped (or vice versa), then the Microsoft Entra DS managed domain will need to be deleted, recreated and configured. In addition, organizations should consider the use of "scoped" provisioning to reduce the identities to only those that need access to Microsoft Entra DS resources as a good practice. +It's worth noting that if you need to change the type of synchronization from All to Scoped (or vice versa), then the Microsoft Entra Domain Services managed domain will need to be deleted, recreated and configured. In addition, organizations should consider the use of "scoped" provisioning to reduce the identities to only those that need access to Microsoft Entra Domain Services resources as a good practice. 
-**Group Policy Objects (GPO)** - To configure GPO in a Microsoft Entra DS managed domain you must use Group Policy Management tools on a server that has been domain joined to the Microsoft Entra DS managed domain. For more information, see [Administer Group Policy in a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/manage-group-policy.md). +**Group Policy Objects (GPO)** - To configure GPO in a Microsoft Entra Domain Services managed domain you must use Group Policy Management tools on a server that has been domain joined to the Microsoft Entra Domain Services managed domain. For more information, see [Administer Group Policy in a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/manage-group-policy.md). -**Secure LDAP** - Microsoft Entra DS provides a secure LDAP service that can be used by applications that require it. This setting is disabled by default and to enable secure LDAP a certificate needs to be uploaded, in addition, the NSG that secures the VNet that Microsoft Entra DS is deployed on to must allow port 636 connectivity to the Microsoft Entra DS managed domains. For more information, see [Configure secure LDAP for a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md). +**Secure LDAP** - Microsoft Entra Domain Services provides a secure LDAP service that can be used by applications that require it. This setting is disabled by default and to enable secure LDAP a certificate needs to be uploaded, in addition, the NSG that secures the VNet that Microsoft Entra Domain Services is deployed on to must allow port 636 connectivity to the Microsoft Entra Domain Services managed domains. For more information, see [Configure secure LDAP for a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md). 
-**Administration** - To perform administration duties on Microsoft Entra DS (for example, domain join machines or edit GPO), the account used for this task needs to be part of the Microsoft Entra DC Administrators group. Accounts that are members of this group can't directly sign-in to domain controllers to perform management tasks. Instead, you create a management VM that is joined to the Microsoft Entra DS managed domain, then install your regular AD DS management tools. For more information, see [Management concepts for user accounts, passwords, and administration in Microsoft Entra Domain Services](../../active-directory-domain-services/administration-concepts.md). +**Administration** - To perform administration duties on Microsoft Entra Domain Services (for example, domain join machines or edit GPO), the account used for this task needs to be part of the Microsoft Entra DC Administrators group. Accounts that are members of this group can't directly sign-in to domain controllers to perform management tasks. Instead, you create a management VM that is joined to the Microsoft Entra Domain Services managed domain, then install your regular AD DS management tools. For more information, see [Management concepts for user accounts, passwords, and administration in Microsoft Entra Domain Services](../../active-directory-domain-services/administration-concepts.md). -**Password hashes** - For authentication with Microsoft Entra DS to work, password hashes for all users need to be in a format that is suitable for NT LAN Manager (NTLM) and Kerberos authentication. To ensure authentication with Microsoft Entra DS works as expected, the following prerequisites need to be performed. +**Password hashes** - For authentication with Microsoft Entra Domain Services to work, password hashes for all users need to be in a format that is suitable for NT LAN Manager (NTLM) and Kerberos authentication. 
To ensure authentication with Microsoft Entra Domain Services works as expected, the following prerequisites need to be performed. * **Users synchronized with Microsoft Entra Connect (from AD DS)** - The legacy password hashes need to be synchronized from on-premises AD DS to Microsoft Entra ID. -* **Users created in Microsoft Entra ID** - Need to reset their password for the correct hashes to be generated for usage with Microsoft Entra DS. For more information, see [Enable synchronization of password hashes](../../active-directory-domain-services/tutorial-configure-password-hash-sync.md). +* **Users created in Microsoft Entra ID** - Need to reset their password for the correct hashes to be generated for usage with Microsoft Entra Domain Services. For more information, see [Enable synchronization of password hashes](../../active-directory-domain-services/tutorial-configure-password-hash-sync.md). -**Network** - Microsoft Entra DS is deployed on to an Azure VNet so considerations need to be made to ensure that servers and applications are secured and can access the managed domain correctly. For more information, see [Virtual network design considerations and configuration options for Microsoft Entra Domain Services](../../active-directory-domain-services/network-considerations.md). +**Network** - Microsoft Entra Domain Services is deployed on to an Azure VNet so considerations need to be made to ensure that servers and applications are secured and can access the managed domain correctly. For more information, see [Virtual network design considerations and configuration options for Microsoft Entra Domain Services](../../active-directory-domain-services/network-considerations.md). -* Microsoft Entra DS must be deployed in its own subnet: Don't use an existing subnet or a gateway subnet. +* Microsoft Entra Domain Services must be deployed in its own subnet: Don't use an existing subnet or a gateway subnet. 
-* **A network security group (NSG)** - is created during the deployment of a Microsoft Entra DS managed domain. This network security group contains the required rules for correct service communication. Don't create or use an existing network security group with your own custom rules. +* **A network security group (NSG)** - is created during the deployment of a Microsoft Entra Domain Services managed domain. This network security group contains the required rules for correct service communication. Don't create or use an existing network security group with your own custom rules. -* **Microsoft Entra DS requires 3-5 IP addresses** - Make sure that your subnet IP address range can provide this number of addresses. Restricting the available IP addresses can prevent Microsoft Entra DS from maintaining two domain controllers. +* **Microsoft Entra Domain Services requires 3-5 IP addresses** - Make sure that your subnet IP address range can provide this number of addresses. Restricting the available IP addresses can prevent Microsoft Entra Domain Services from maintaining two domain controllers. -* **VNet DNS Server** - As previously discussed about the "hub and spoke" model, it's important to have DNS configured correctly on the VNets to ensure that servers joined to the Microsoft Entra DS managed domain have the correct DNS settings to resolve the Microsoft Entra DS managed domain. Each VNet has a DNS server entry that is passed to servers as they obtain an IP address and these DNS entries need to be the IP addresses of the Microsoft Entra DS managed domain. For more information, see [Update DNS settings for the Azure virtual network](../../active-directory-domain-services/tutorial-create-instance.md). 
+* **VNet DNS Server** - As previously discussed about the "hub and spoke" model, it's important to have DNS configured correctly on the VNets to ensure that servers joined to the Microsoft Entra Domain Services managed domain have the correct DNS settings to resolve the Microsoft Entra Domain Services managed domain. Each VNet has a DNS server entry that is passed to servers as they obtain an IP address and these DNS entries need to be the IP addresses of the Microsoft Entra Domain Services managed domain. For more information, see [Update DNS settings for the Azure virtual network](../../active-directory-domain-services/tutorial-create-instance.md). **Challenges** - The following list highlights key challenges with using this option for Identity Isolation. -* Some Microsoft Entra DS configuration can only be administered from a Microsoft Entra DS joined server. +* Some Microsoft Entra Domain Services configuration can only be administered from a Microsoft Entra Domain Services joined server. -* Only one Microsoft Entra DS managed domain can be deployed per Microsoft Entra tenant. As we describe in this section the hub and spoke model is recommended to provide Microsoft Entra DS authentication to services on other VNets. +* Only one Microsoft Entra Domain Services managed domain can be deployed per Microsoft Entra tenant. As we describe in this section the hub and spoke model is recommended to provide Microsoft Entra Domain Services authentication to services on other VNets. * Further infrastructure maybe required for management of patching and software deployments. Organizations should consider deploying Azure Update Management, Group Policy (GPO) or System Center Configuration Manager (SCCM) to manage these servers. -For this isolated model, it's assumed that there's no connectivity to the VNet that hosts the Microsoft Entra DS managed domain from the customer's corporate network and that there are no trusts configured with other forests. 
A jumpbox or management server should be created to allow a point from which the Microsoft Entra DS can be managed and administered. +For this isolated model, it's assumed that there's no connectivity to the VNet that hosts the Microsoft Entra Domain Services managed domain from the customer's corporate network and that there are no trusts configured with other forests. A jumpbox or management server should be created to allow a point from which the Microsoft Entra Domain Services can be managed and administered. <a name='sign-into-virtual-machines-in-azure-using-azure-active-directory-authentication'></a> |
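Review bot: the mechanical rename in the managed-domain location bullet produces `Microsoft Entra Domain Services services`, and the bullet keeps the `geographically closed` typo from the removed line; suggest `* Consider a location that is geographically close to the servers and applications that rely on Microsoft Entra Domain Services.`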
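Review bot: the Secure LDAP paragraph says only that the NSG `must allow port 636 connectivity to the Microsoft Entra Domain Services managed domains`, without saying from where; in an article about isolating identity realms that should be stated. Suggest adding that the inbound TCP 636 rule be scoped to the source IP ranges of the applications that actually need LDAP bind access rather than to any source, and that the uploaded certificate's expiry be tracked, because secure LDAP stops working when that certificate lapses.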
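Review bot: in the Object provisioning paragraph the rename leaves `synchronizes identities from the Microsoft Entra ID that is associated with the subscription` and `if the associated Microsoft Entra ID has synchronization set up`, where the thing associated with a subscription is a tenant, not the product; suggest `from the Microsoft Entra tenant that is associated with the subscription` and `if the associated Microsoft Entra tenant has synchronization set up` so the sentence reads correctly after the branding change.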
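Review bot: in the Challenges list the unchanged context bullet `Further infrastructure maybe required for management of patching and software deployments` should read `may be required`; worth fixing while the neighbouring bullets in that list are being rewritten for the rename.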
active-directory | Security Operations Consumer Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-consumer-accounts.md | Use log files to investigate and monitor. See the following articles for more: ### Audit logs and automation tools -From the Azure portal, you can view Microsoft Entra audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. Use the Azure portal to integrate Microsoft Entra ID logs with other tools to automate monitoring and alerting: +From the Azure portal, you can view Microsoft Entra audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. Use the Azure portal to integrate Microsoft Entra logs with other tools to automate monitoring and alerting: * **Microsoft Sentinel** ΓÇô security analytics with security information and event management (SIEM) capabilities * [What is Microsoft Sentinel?](../../sentinel/overview.md) From the Azure portal, you can view Microsoft Entra audit logs and download as c * [SigmaHR/sigma](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) * **Azure Monitor** ΓÇô automated monitoring and alerting of various conditions. Create or use workbooks to combine data from different sources. 
* [Azure Monitor overview](../../azure-monitor/overview.md)-* **Azure Event Hubs integrated with a SIEM** - integrate Microsoft Entra ID logs with SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic with Azure Event Hubs +* **Azure Event Hubs integrated with a SIEM** - integrate Microsoft Entra logs with SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic with Azure Event Hubs * [Azure Event Hubs-A big data streaming platform and event ingestion service](../../event-hubs/event-hubs-about.md)- * [Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) + * [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) * **Microsoft Defender for Cloud Apps** ΓÇô discover and manage apps, govern across apps and resources, and conform cloud app compliance * [Microsoft Defender for Cloud Apps overview](/defender-cloud-apps/what-is-defender-for-cloud-apps) * **Identity Protection** - detect risk on workload identities across sign-in behavior and offline indicators of compromise Use the remainder of the article for recommendations on what to monitor and aler | Large number of account creations or deletions | High | Microsoft Entra audit logs | Activity: Add user<br>Status = success<br>Initiated by (actor) = CPIM Service<br>-and-<br>Activity: Delete user<br>Status = success<br>Initiated by (actor) = CPIM Service | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors. Limit false alerts. 
| | Accounts created and deleted by non-approved users or processes| Medium | Microsoft Entra audit logs | Initiated by (actor) ΓÇô USER PRINCIPAL NAME<br>-and-<br>Activity: Add user<br>Status = success<br>Initiated by (actor) != CPIM Service<br>and-or<br>Activity: Delete user<br>Status = success<br>Initiated by (actor) != CPIM Service | If the actors are non-approved users, configure to send an alert. | | Accounts assigned to a privileged role| High | Microsoft Entra audit logs | Activity: Add user<br>Status = success<br>Initiated by (actor) == CPIM Service<br>-and-<br>Activity: Add member to role<br>Status = success | If the account is assigned to a Microsoft Entra role, Azure role, or privileged group membership, alert and prioritize the investigation. |-| Failed sign-in attempts| Medium - if Isolated incident<br>High - if many accounts are experiencing the same pattern | Microsoft Entra Sign-ins log | Status = failed<br>-and-<br>Sign-in error code 50126 - Error validating credentials due to invalid username or password.<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. | -| Smart lock-out events| Medium - if Isolated incident<br>High - if many accounts are experiencing the same pattern or a VIP | Microsoft Entra Sign-ins log | Status = failed<br>-and-<br>Sign-in error code = 50053 ΓÇô IdsLocked<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application =="ProxyIdentityExperienceFramework" | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts. 
| -| Failed authentications from countries or regions you don't operate from| Medium | Microsoft Entra Sign-ins log | Status = failed<br>-and-<br>Location = \<unapproved location><br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | Monitor entries not equal to provided city names. | -| Increased failed authentications of any type | Medium | Microsoft Entra Sign-ins log | Status = failed<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | If you don't have a threshold, monitor and alert if failures increase by 10%, or greater. | -| Account disabled/blocked for sign-ins | Low | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 50057, The user account is disabled. | This scenario could indicate someone trying to gain access to an account after they left an organization. The account is blocked, but it's important to log and alert this activity. | -| Measurable increase of successful sign-ins | Low | Microsoft Entra Sign-ins log | Status = Success<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | If you don't have a threshold, monitor and alert if successful authentications increase by 10%, or greater. | +| Failed sign-in attempts| Medium - if Isolated incident<br>High - if many accounts are experiencing the same pattern | Microsoft Entra sign-in log | Status = failed<br>-and-<br>Sign-in error code 50126 - Error validating credentials due to invalid username or password.<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. 
| +| Smart lock-out events| Medium - if Isolated incident<br>High - if many accounts are experiencing the same pattern or a VIP | Microsoft Entra sign-in log | Status = failed<br>-and-<br>Sign-in error code = 50053 ΓÇô IdsLocked<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application =="ProxyIdentityExperienceFramework" | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts. | +| Failed authentications from countries or regions you don't operate from| Medium | Microsoft Entra sign-in log | Status = failed<br>-and-<br>Location = \<unapproved location><br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | Monitor entries not equal to provided city names. | +| Increased failed authentications of any type | Medium | Microsoft Entra sign-in log | Status = failed<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | If you don't have a threshold, monitor and alert if failures increase by 10%, or greater. | +| Account disabled/blocked for sign-ins | Low | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>error code = 50057, The user account is disabled. | This scenario could indicate someone trying to gain access to an account after they left an organization. The account is blocked, but it's important to log and alert this activity. | +| Measurable increase of successful sign-ins | Low | Microsoft Entra sign-in log | Status = Success<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | If you don't have a threshold, monitor and alert if successful authentications increase by 10%, or greater. 
| ## Privileged accounts | What to monitor | Risk level | Where | Filter / subfilter | Notes | | - | - | - | - | - |-| Sign-in failure, bad password threshold | High | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and monitor and adjust to suit your organizational behaviors. Limit false alerts. | -| Failure because of Conditional Access requirement | High | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | The event can indicate an attacker is trying to get into the account. | -| Interrupt | High, medium | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | The event can indicate an attacker has the account password, but can't pass the MFA challenge. | -| Account lockout | High | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, then monitor and adjust to suit your organizational behaviors. Limit false alerts. | -| Account disabled or blocked for sign-ins | low | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | The event could indicate someone trying to gain account access after they've left the organization. Although the account is blocked, log and alert this activity. | -| MFA fraud alert or block | High | Microsoft Entra Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details<br> Result details = MFA denied, fraud code entered | Privileged user indicates they haven't instigated the MFA prompt, which could indicate an attacker has the account password. 
| -| MFA fraud alert or block | High | Microsoft Entra Sign-ins log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken, based on fraud report tenant-level settings | Privileged user indicated no instigation of the MFA prompt. The scenario can indicate an attacker has the account password. | -| Privileged account sign-ins outside of expected controls | High | Microsoft Entra Sign-ins log | Status = Failure<br>UserPricipalName = \<Admin account> <br> Location = \<unapproved location> <br> IP address = \<unapproved IP><br>Device info = \<unapproved Browser, Operating System> | Monitor and alert entries you defined as unapproved. | -| Outside of normal sign-in times | High | Microsoft Entra Sign-ins log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside expected times. Find the normal working pattern for each privileged account and alert if there are unplanned changes outside normal working times. Sign-ins outside normal working hours could indicate compromise or possible insider threat. | +| Sign-in failure, bad password threshold | High | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and monitor and adjust to suit your organizational behaviors. Limit false alerts. | +| Failure because of Conditional Access requirement | High | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | The event can indicate an attacker is trying to get into the account. | +| Interrupt | High, medium | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | The event can indicate an attacker has the account password, but can't pass the MFA challenge. 
| +| Account lockout | High | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, then monitor and adjust to suit your organizational behaviors. Limit false alerts. | +| Account disabled or blocked for sign-ins | low | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | The event could indicate someone trying to gain account access after they've left the organization. Although the account is blocked, log and alert this activity. | +| MFA fraud alert or block | High | Microsoft Entra sign-in log/Azure Log Analytics | Sign-ins>Authentication details<br> Result details = MFA denied, fraud code entered | Privileged user indicates they haven't instigated the MFA prompt, which could indicate an attacker has the account password. | +| MFA fraud alert or block | High | Microsoft Entra sign-in log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken, based on fraud report tenant-level settings | Privileged user indicated no instigation of the MFA prompt. The scenario can indicate an attacker has the account password. | +| Privileged account sign-ins outside of expected controls | High | Microsoft Entra sign-in log | Status = Failure<br>UserPricipalName = \<Admin account> <br> Location = \<unapproved location> <br> IP address = \<unapproved IP><br>Device info = \<unapproved Browser, Operating System> | Monitor and alert entries you defined as unapproved. | +| Outside of normal sign-in times | High | Microsoft Entra sign-in log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside expected times. Find the normal working pattern for each privileged account and alert if there are unplanned changes outside normal working times. Sign-ins outside normal working hours could indicate compromise or possible insider threat. 
| | Password change | High | Microsoft Entra audit logs | Activity actor = Admin/self-service<br>-and-<br>Target = User<br>-and-<br>Status = Success or failure | Alert any admin account password changes, especially for global admins, user admins, subscription admins, and emergency access accounts. Write a query for privileged accounts. | | Changes to authentication methods | High | Microsoft Entra audit logs | Activity: Create identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | The change could indicate an attacker adding an auth method to the account to have continued access. | | Identity Provider updated by non-approved actors | High | Microsoft Entra audit logs | Activity: Update identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | The change could indicate an attacker adding an auth method to the account to have continued access. | Identity Provider deleted by non-approved actors | High | Microsoft Entra access | Administrator granting application permissions (app roles), or highly privileged delegated permissions | High | Microsoft 365 portal | ΓÇ£Add app role assignment to service principalΓÇ¥<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph) ΓÇ£Add delegated permission grantΓÇ¥<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>-and-<br>DelegatedPermissionGrant.Scope includes high-privilege permissions. | Alert when a global, application, or cloud application administrator consents to an application. Especially look for consent outside normal activity and change procedures. | | Application is granted permissions for Microsoft Graph, Exchange, SharePoint, or Microsoft Entra ID. 
| High | Microsoft Entra audit logs | ΓÇ£Add delegated permission grantΓÇ¥<br>-or-<br>ΓÇ£Add app role assignment to service principalΓÇ¥<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph, Exchange Online, and so on) | Use the alert in the preceding row. | | Highly privileged delegated permissions granted on behalf of all users | High | Microsoft Entra audit logs | ΓÇ£Add delegated permission grantΓÇ¥<br>where<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>DelegatedPermissionGrant.Scope includes high-privilege permissions<br>-and-<br>DelegatedPermissionGrant.ConsentType is ΓÇ£AllPrincipalsΓÇ¥. | Use the alert in the preceding row. |-| Applications that are using the ROPC authentication flow | Medium | Microsoft Entra Sign-ins log | Status=Success<br>Authentication Protocol-ROPC | High level of trust is placed in this application because the credentials can be cached or stored. If possible, move to a more secure authentication flow. Use the process only in automated application testing, if ever. | -| Dangling URI | High | Microsoft Entra ID Logs and Application Registration | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress | For example, look for dangling URIs pointing to a domain name that is gone, or one you donΓÇÖt own. | -| Redirect URI configuration changes | High | Microsoft Entra ID logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress | Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are **not** unique to the application, URIs that point to a domain you don't control. 
| -| Changes to AppID URI | High | Microsoft Entra ID logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Activity: Update Service principal | Look for AppID URI modifications, such as adding, modifying, or removing the URI. | -| Changes to application ownership | Medium | Microsoft Entra ID logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Add owner to application | Look for instances of users added as application owners outside normal change management activities. | -| Changes to sign out URL | Low | Microsoft Entra ID logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle | Look for modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session. +| Applications that are using the ROPC authentication flow | Medium | Microsoft Entra sign-in log | Status=Success<br>Authentication Protocol-ROPC | High level of trust is placed in this application because the credentials can be cached or stored. If possible, move to a more secure authentication flow. Use the process only in automated application testing, if ever. | +| Dangling URI | High | Microsoft Entra logs and Application Registration | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress | For example, look for dangling URIs pointing to a domain name that is gone, or one you donΓÇÖt own. | +| Redirect URI configuration changes | High | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress | Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are **not** unique to the application, URIs that point to a domain you don't control. 
| +| Changes to AppID URI | High | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Activity: Update Service principal | Look for AppID URI modifications, such as adding, modifying, or removing the URI. | +| Changes to application ownership | Medium | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Add owner to application | Look for instances of users added as application owners outside normal change management activities. | +| Changes to sign out URL | Low | Microsoft Entra logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle | Look for modifications to a sign out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session. ## Infrastructure |
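Review bot: The `+` line for the `Interrupt` row in the privileged-accounts sign-in table still carries the Conditional Access filter (`Status = Failure`, `error code = 53003`, `Failure reason = Blocked by Conditional Access`), which is identical to the filter of the `Failure because of Conditional Access requirement` row directly above it, so the two rows cannot produce different alerts even though the `Interrupt` note describes a user who holds the password but cannot pass MFA. Since this commit rewrites every row of the table, align the filter with the privileged-accounts article's copy of the same row further down this page (`Status = Interrupted`, `error code = 50074` / `500121`, `Failure reason = Strong auth required`). In the same table, the `+` lines also keep the `UserPricipalName` misspelling (`UserPrincipalName`), the empty `Location =` clause in the `Outside of normal sign-in times` row, and the lowercase `low` risk level that is out of step with `High` / `Medium` in the other rows.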
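Review bot: The `+` line for `Changes to sign out URL` still reads `Activity: Update service principle`, while the `Changes to AppID URI` row two lines up spells it `Update Service principal`; `principal` is the correct term, so fix the spelling and the capitalization in one pass. Two smaller points in the application table: the `Dangling URI` row's `Where` cell, `Microsoft Entra logs and Application Registration`, mixes the new `Microsoft Entra logs` name with a capitalized product noun that no other row capitalizes, and the `Redirect URI configuration changes` note ends with a dangling `HTTPS*` marker with no footnote text anywhere in the hunk.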
active-directory | Security Operations Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-devices.md | The log files you use for investigation and monitoring are: * [Azure Key Vault logs](../..//key-vault/general/logging.md?tabs=Vault) -From the Azure portal, you can view the Microsoft Entra audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra ID logs with other tools that allow for greater automation of monitoring and alerting: +From the Azure portal, you can view the Microsoft Entra audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra logs with other tools that allow for greater automation of monitoring and alerting: * **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities. From the Azure portal, you can view the Microsoft Entra audit logs and download * **[Azure Monitor](../..//azure-monitor/overview.md)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources. -* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) -integrated with a SIEM**- [Microsoft Entra ID logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. 
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) -integrated with a SIEM**- [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration. * **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance. |
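Review bot: The `+` bullet keeps the stray hyphens around the bold span, `-integrated with a SIEM**-`, so the rendered text shows `-integrated with a SIEM-` with one hyphen inside the bold and one outside it; the Infrastructure article's bullet (`**[Azure Event Hubs](...)** integrated with a SIEM - [Microsoft Entra logs can be integrated ...]`) and the Introduction article's (`... integrated with a SIEM. Microsoft Entra logs can be integrated ...`) are the cleaner forms, and because this commit touches all three bullets it should make them read the same. The unchanged context line `[Azure Key Vault logs](../..//key-vault/general/logging.md?tabs=Vault)` in this file also has a doubled slash in the path (the Infrastructure and Introduction files use `../../key-vault/...`), worth correcting while the file is open.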
active-directory | Security Operations Infrastructure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-infrastructure.md | The log files you use for investigation and monitoring are: * [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault) -From the Azure portal, you can view the Microsoft Entra audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra ID logs with other tools that allow for greater automation of monitoring and alerting: +From the Azure portal, you can view the Microsoft Entra audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra logs with other tools that allow for greater automation of monitoring and alerting: * **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities. From the Azure portal, you can view the Microsoft Entra audit logs and download * **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources. -* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM - [Microsoft Entra ID logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. 
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM - [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. * **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô Enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance. To configure monitoring for Application Proxy, see [Troubleshoot Application Pro For multifactor authentication (MFA) to be effective, you also need to block legacy authentication. You then need to monitor your environment and alert on any use of legacy authentication. Legacy authentication protocols like POP, SMTP, IMAP, and MAPI canΓÇÖt enforce MFA. This makes these protocols the preferred entry points for attackers. For more information on tools that you can use to block legacy authentication, see [New tools to block legacy authentication in your organization](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302). -Legacy authentication is captured in the Microsoft Entra Sign-ins log as part of the detail of the event. You can use the Azure Monitor workbook to help with identifying legacy authentication usage. For more information, see [Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md), which is part of [How to use Azure Monitor Workbooks for Microsoft Entra ID reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). You can also use the Insecure protocols workbook for Microsoft Sentinel. 
For more information, see [Microsoft Sentinel Insecure Protocols Workbook Implementation Guide](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564). Specific activities to monitor include: +Legacy authentication is captured in the Microsoft Entra sign-in log as part of the detail of the event. You can use the Azure Monitor workbook to help with identifying legacy authentication usage. For more information, see [Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md), which is part of [How to use Azure Monitor Workbooks for Microsoft Entra ID reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). You can also use the Insecure protocols workbook for Microsoft Sentinel. For more information, see [Microsoft Sentinel Insecure Protocols Workbook Implementation Guide](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564). Specific activities to monitor include: | What to monitor| Risk level| Where| Filter/sub-filter| Notes | | - | - | - | - | - |-| Legacy authentications|High | Microsoft Entra Sign-ins log| ClientApp : POP<br>ClientApp : IMAP<br>ClientApp : MAPI<br>ClientApp: SMTP<br>ClientApp : ActiveSync go to EXO<br>Other Clients = SharePoint and EWS| In federated domain environments, failed authentications aren't recorded and don't appear in the log. | +| Legacy authentications|High | Microsoft Entra sign-in log| ClientApp : POP<br>ClientApp : IMAP<br>ClientApp : MAPI<br>ClientApp: SMTP<br>ClientApp : ActiveSync go to EXO<br>Other Clients = SharePoint and EWS| In federated domain environments, failed authentications aren't recorded and don't appear in the log. 
| <a name='azure-ad-connect'></a> Monitoring single sign-on and Kerberos activity can help you detect general cred | What to monitor| Risk level| Where| Filter/sub-filter| Notes | | - | - | - | - | - |-| Errors associated with SSO and Kerberos validation failures|Medium | Microsoft Entra Sign-ins log| | Single sign-on list of error codes at [Single sign-on](../hybrid/connect/tshoot-connect-sso.md). | +| Errors associated with SSO and Kerberos validation failures|Medium | Microsoft Entra sign-in log| | Single sign-on list of error codes at [Single sign-on](../hybrid/connect/tshoot-connect-sso.md). | | Query for troubleshooting errors|Medium | PowerShell| See query following table. check in each forest with SSO enabled.| Check in each forest with SSO enabled. | | Kerberos-related events|High | Microsoft Defender for Identity monitoring| | Review guidance available at [Microsoft Defender for Identity Lateral Movement Paths (LMPs)](/defender-for-identity/use-case-lateral-movement-path) | The DC agent Admin log is the primary source of information for how the software Complete reference for Microsoft Entra ID audit activities is available at [Microsoft Entra ID audit activity reference](../reports-monitoring/reference-audit-activities.md). ## Conditional Access-In Microsoft Entra ID, you can protect access to your resources by configuring Conditional Access policies. As an IT administrator, you want to ensure your Conditional Access policies work as expected to ensure that your resources are protected. Monitoring and alerting on changes to the Conditional Access service ensures policies defined by your organization for access to data are enforced. Microsoft Entra ID logs when changes are made to Conditional Access and also provides workbooks to ensure your policies are providing the expected coverage. ++In Microsoft Entra ID, you can protect access to your resources by configuring Conditional Access policies. 
As an IT administrator, you want to ensure your Conditional Access policies work as expected to ensure that your resources are protected. Monitoring and alerting on changes to the Conditional Access service ensures policies defined by your organization for access to data are enforced. Microsoft Entra logs when changes are made to Conditional Access and also provides workbooks to ensure your policies are providing the expected coverage. **Workbook Links** |
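Review bot: In the `+` paragraph on legacy authentication, `[Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md)` and `[How to use Azure Monitor Workbooks for Microsoft Entra ID reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md)` point at the same file with no anchor, so the first link should carry the section anchor or be dropped; the second link's text also keeps `Microsoft Entra ID reports` while the rest of the commit removes `ID` from `Microsoft Entra ID logs`, so decide whether the target page's title is part of this rename. Two unchanged context lines in the same region deserve a touch-up: the `Query for troubleshooting errors` row repeats `check in each forest with SSO enabled` in both the filter cell and the notes cell, and the `Legacy authentications` filter value `ClientApp : ActiveSync go to EXO` reads like a draft note rather than a filter.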
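Review bot: The Conditional Access paragraph is a mechanical rename that catches a verb: in the removed line, `Microsoft Entra ID logs when changes are made to Conditional Access` uses `logs` as a verb (the service records the change), and the `+` line `Microsoft Entra logs when changes are made ...` now reads at first glance as the noun phrase `Microsoft Entra logs` used throughout the rest of this commit, which makes the sentence ambiguous. Suggest rewording to something like `Microsoft Entra ID records an audit event when changes are made to Conditional Access and also provides workbooks ...` rather than applying the find-and-replace here. The `++` in this hunk also shows a blank line being added before the paragraph; confirm it is intentional and not a doubled `+` prefix.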
active-directory | Security Operations Introduction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-introduction.md | The log files you use for investigation and monitoring are: * [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview) * [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault) -From the Azure portal, you can view the Microsoft Entra audit logs. Download logs as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra ID logs with other tools that allow for greater automation of monitoring and alerting: +From the Azure portal, you can view the Microsoft Entra audit logs. Download logs as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra logs with other tools that allow for greater automation of monitoring and alerting: * **[Microsoft Sentinel](../../sentinel/overview.md)** - Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities. From the Azure portal, you can view the Microsoft Entra audit logs. Download log * **[Azure Monitor](../../azure-monitor/overview.md)** - Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources. -* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM. Microsoft Entra ID logs can be integrated to other SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Microsoft Entra ID logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). +* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM. 
Microsoft Entra logs can be integrated to other SIEMs such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration. For more information, see [Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). * **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** - Enables you to discover and manage apps, govern across apps and resources, and check the compliance of your cloud apps. |
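Review bot: The `+` bullet changes the link text from `Stream Microsoft Entra ID logs to an Azure event hub` to `Stream Microsoft Entra logs to an Azure event hub`, but the target file `../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md` is not among the files touched in this set, so verify that the target article's title was renamed in the same change; otherwise the link text and the page heading will disagree.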
active-directory | Security Operations Privileged Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-privileged-accounts.md | You can monitor privileged account sign-in events in the Microsoft Entra sign-in | What to monitor | Risk level | Where | Filter/subfilter | Notes | | - | - | - | - | - |-| Sign-in failure, bad password threshold | High | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Failure because of Conditional Access requirement |High | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | This event can be an indication an attacker is trying to get into the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Sign-in failure, bad password threshold | High | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Failure because of Conditional Access requirement |High | Microsoft 
Entra sign-in log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | This event can be an indication an attacker is trying to get into the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | | Privileged accounts that don't follow naming policy| | Azure subscription | [List Azure role assignments using the Azure portal](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where the sign-in name doesn't match your organization's format. An example is the use of ADM_ as a prefix. | | Interrupt | High, medium | Microsoft Entra Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure reason = Authentication failed during strong authentication request | This event can be an indication an attacker has the password for the account but can't pass the multi-factor authentication challenge.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | | Privileged accounts that don't follow naming policy| High | Microsoft Entra directory | [List Microsoft Entra role assignments](../roles/view-assignments.md)| List role assignments for Microsoft Entra roles and alert where the UPN doesn't match your organization's format. An example is the use of ADM_ as a prefix. | | Discover privileged accounts not registered for multi-factor authentication | High | Microsoft Graph API| Query for IsMFARegistered eq false for admin accounts. 
[List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if the event is intentional or an oversight. |-| Account lockout | High | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Account disabled or blocked for sign-ins | Low | Microsoft Entra Sign-ins log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | This event could indicate someone is trying to gain access to an account after they've left the organization. 
Although the account is blocked, it's still important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| MFA fraud alert or block | High | Microsoft Entra Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Account lockout | High | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Account disabled or blocked for sign-ins | Low | Microsoft Entra sign-in log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | This event could indicate someone is trying to gain access to an account after they've left the organization. 
Although the account is blocked, it's still important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| MFA fraud alert or block | High | Microsoft Entra sign-in log/Azure Log Analytics | Sign-ins>Authentication details Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | | MFA fraud alert or block | High | Microsoft Entra audit log log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken (based on tenant-level settings for fraud report) | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |-| Privileged account sign-ins outside of expected controls | | Microsoft Entra Sign-ins log | Status = Failure<br>UserPricipalName = \<Admin account\><br>Location = \<unapproved location\><br>IP address = \<unapproved IP\><br>Device info = \<unapproved Browser, Operating System\> | Monitor and alert on any entries that you've defined as unapproved.<br>[Microsoft Sentinel 
template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Outside of normal sign-in times | High | Microsoft Entra Sign-ins log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It's important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Privileged account sign-ins outside of expected controls | | Microsoft Entra sign-in log | Status = Failure<br>UserPricipalName = \<Admin account\><br>Location = \<unapproved location\><br>IP address = \<unapproved IP\><br>Device info = \<unapproved Browser, Operating System\> | Monitor and alert on any entries that you've defined as unapproved.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Outside of normal sign-in times | High | Microsoft Entra sign-in log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It's important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. 
Sign-ins outside of normal working hours could indicate compromise or possible insider threats.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | | Identity protection risk | High | Identity Protection logs | Risk state = At risk<br>-and-<br>Risk level = Low, medium, high<br>-and-<br>Activity = Unfamiliar sign-in/TOR, and so on | This event indicates there's some abnormality detected with the sign-in for the account and should be alerted on. | | Password change | High | Microsoft Entra audit logs | Activity actor = Admin/self-service<br>-and-<br>Target = User<br>-and-<br>Status = Success or failure | Alert on any admin account password changes, especially for global admins, user admins, subscription admins, and emergency access accounts. Write a query targeted at all privileged accounts.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |-| Change in legacy authentication protocol | High | Microsoft Entra Sign-ins log | Client App = Other client, IMAP, POP3, MAPI, SMTP, and so on<br>-and-<br>Username = UPN<br>-and-<br>Application = Exchange (example) | Many attacks use legacy authentication, so if there's a change in auth protocol for the user, it could be an indication of an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/17ead56ae30b1a8e46bb0f95a458bdeb2d30ba9b/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| New device or location | High | Microsoft Entra Sign-ins log | Device info = Device 
ID<br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>-and-<br>Target = User<br>-and-<br>Location | Most admin activity should be from [privileged access devices](/security/compass/privileged-access-devices), from a limited number of locations. For this reason, alert on new devices or locations.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Change in legacy authentication protocol | High | Microsoft Entra sign-in log | Client App = Other client, IMAP, POP3, MAPI, SMTP, and so on<br>-and-<br>Username = UPN<br>-and-<br>Application = Exchange (example) | Many attacks use legacy authentication, so if there's a change in auth protocol for the user, it could be an indication of an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/17ead56ae30b1a8e46bb0f95a458bdeb2d30ba9b/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| New device or location | High | Microsoft Entra sign-in log | Device info = Device ID<br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>-and-<br>Target = User<br>-and-<br>Location | Most admin activity should be from [privileged access devices](/security/compass/privileged-access-devices), from a limited number of locations. 
For this reason, alert on new devices or locations.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | | Audit alert setting is changed | High | Microsoft Entra audit logs | Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity = Disable PIM alert<br>-and-<br>Status = Success | Changes to a core alert should be alerted if unexpected.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |-| Administrators authenticating to other Microsoft Entra tenants| Medium| Microsoft Entra Sign-ins log| Status = success<br><br>Resource tenantID != Home Tenant ID| When scoped to Privileged Users, this monitor detects when an administrator has successfully authenticated to another Microsoft Entra tenant with an identity in your organization's tenant. <br><br>Alert if Resource TenantID isn't equal to Home Tenant ID<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AdministratorsAuthenticatingtoAnotherAzureADTenant.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Administrators authenticating to other Microsoft Entra tenants| Medium| Microsoft Entra sign-in log| Status = success<br><br>Resource tenantID != Home Tenant ID| When scoped to Privileged Users, this monitor detects when an administrator has successfully authenticated to another Microsoft Entra tenant with an identity in your organization's tenant. 
<br><br>Alert if Resource TenantID isn't equal to Home Tenant ID<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AdministratorsAuthenticatingtoAnotherAzureADTenant.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | |Admin User state changed from Guest to Member|Medium|Microsoft Entra audit logs|Activity: Update user<br><br>Category: UserManagement<br><br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member.<br><br> Was this change expected?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | |Guest users invited to tenant by non-approved inviters|Medium|Microsoft Entra audit logs|Activity: Invite external user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | |
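Review bot: the Risk Level cell is empty in the added row `+| Privileged account sign-ins outside of expected controls | | Microsoft Entra sign-in log | Status = Failure ...`, and its filter carries the misspelling `UserPricipalName`; every other row in this table states a risk level, and the sign-in log field is `UserPrincipalName`, so a reader who copies the filter into a query references a field that doesn't exist. Suggest filling in the risk level and correcting the field name in the same change.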
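Review bot: in the `+| Change in legacy authentication protocol | High | ...` row the Microsoft Sentinel template link is pinned to commit `17ead56ae30b1a8e46bb0f95a458bdeb2d30ba9b` while every other template link in the table points at `master`; since the row is being rewritten anyway, either point it at `master` like its neighbours or say why the pinned revision is intended.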
active-directory | Security Operations User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-user-accounts.md | For more information, visit [What is Identity Protection](../identity-protection ### What to look for -Configure monitoring on the data within the Microsoft Entra Sign-ins Logs to ensure that alerting occurs and adheres to your organization's security policies. Some examples of this are: +Configure monitoring on the data within the Microsoft Entra sign-in logs to ensure that alerting occurs and adheres to your organization's security policies. Some examples of this are: * **Failed Authentications**: As humans we all get our passwords wrong from time to time. However, many failed authentications can indicate that a bad actor is trying to obtain access. Attacks differ in ferocity but can range from a few attempts per hour to a much higher rate. For example, Password Spray normally preys on easier passwords against many accounts, while Brute Force attempts many passwords against targeted accounts. 
The following are listed in order of importance based on the effect and severity | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | | - |- |- |- |- |-| Users authenticating to other Microsoft Entra tenants.| Low| Microsoft Entra Sign-ins log| Status = success<br>Resource tenantID != Home Tenant ID| Detects when a user has successfully authenticated to another Microsoft Entra tenant with an identity in your organization's tenant.<br>Alert if Resource TenantID isn't equal to Home Tenant ID <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/UsersAuthenticatingtoOtherAzureADTenants.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Users authenticating to other Microsoft Entra tenants.| Low| Microsoft Entra sign-in log| Status = success<br>Resource tenantID != Home Tenant ID| Detects when a user has successfully authenticated to another Microsoft Entra tenant with an identity in your organization's tenant.<br>Alert if Resource TenantID isn't equal to Home Tenant ID <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/UsersAuthenticatingtoOtherAzureADTenants.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| |User state changed from Guest to Member|Medium|Microsoft Entra audit logs|Activity: Update user<br>Category: UserManagement<br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member. 
Was this expected?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |Guest users invited to tenant by non-approved inviters|Medium|Microsoft Entra audit logs|Activity: Invite external user<br>Category: UserManagement<br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| The following are listed in order of importance based on the effect and severity | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | | - |- |- |- |- |-| Failed sign-in attempts.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Microsoft Entra Sign-ins log| Status = failed<br>-and-<br>Sign-in error code 50126 - <br>Error validating credentials due to invalid username or password.| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Smart lock-out events.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Microsoft Entra Sign-ins log| Status = failed<br>-and-<br>Sign-in error code = 50053 ΓÇô IdsLocked| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel 
template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Interrupts| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Microsoft Entra Sign-ins log| 500121, Authentication failed during strong authentication request. <br>-or-<br>50097, Device authentication is required or 50074, Strong Authentication is required. <br>-or-<br>50155, DeviceAuthenticationFailed<br>-or-<br>50158, ExternalSecurityChallenge - External security challenge wasn't satisfied<br>-or-<br>53003 and Failure reason = blocked by Conditional Access| Monitor and alert on interrupts.<br>Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Failed sign-in attempts.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Microsoft Entra sign-in log| Status = failed<br>-and-<br>Sign-in error code 50126 - <br>Error validating credentials due to invalid username or password.| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Smart lock-out events.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Microsoft Entra sign-in log| Status = failed<br>-and-<br>Sign-in error code = 
50053 ΓÇô IdsLocked| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Interrupts| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Microsoft Entra sign-in log| 500121, Authentication failed during strong authentication request. <br>-or-<br>50097, Device authentication is required or 50074, Strong Authentication is required. <br>-or-<br>50155, DeviceAuthenticationFailed<br>-or-<br>50158, ExternalSecurityChallenge - External security challenge wasn't satisfied<br>-or-<br>53003 and Failure reason = blocked by Conditional Access| Monitor and alert on interrupts.<br>Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | The following are listed in order of importance based on the effect and severity of the entries. 
| What to monitor| Risk Level| Where| Filter/sub-filter| Notes | | - |- |- |- |- |-| Multi-factor authentication (MFA) fraud alerts.| High| Microsoft Entra Sign-ins log| Status = failed<br>-and-<br>Details = MFA Denied<br>| Monitor and alert on any entry.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| -| Failed authentications from countries/regions you don't operate out of.| Medium| Microsoft Entra Sign-ins log| Location = \<unapproved location\>| Monitor and alert on any entries. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Failed authentications for legacy protocols or protocols that aren't used.| Medium| Microsoft Entra Sign-ins log| Status = failure<br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Failures blocked by Conditional Access.| Medium| Microsoft Entra Sign-ins log| Error code = 53003 <br>-and-<br>Failure reason = blocked by Conditional Access| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Increased failed authentications of any type.| Medium| Microsoft Entra Sign-ins log| Capture increases in failures across the board. 
That is, the failure total for today is >10% on the same day, the previous week.| If you don't have a set threshold, monitor and alert if failures increase by 10% or greater.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml) | -| Authentication occurring at times and days of the week when countries/regions don't conduct normal business operations.| Low| Microsoft Entra Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>-and-<br>Location = \<location\><br>-and-<br>Day\Time = \<not normal working hours\>| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml) | -| Account disabled/blocked for sign-ins| Low| Microsoft Entra Sign-ins log| Status = Failure<br>-and-<br>error code = 50057, The user account is disabled.| This could indicate someone is trying to gain access to an account once they have left an organization. 
Although the account is blocked, it is important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Multi-factor authentication (MFA) fraud alerts.| High| Microsoft Entra sign-in log| Status = failed<br>-and-<br>Details = MFA Denied<br>| Monitor and alert on any entry.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)| +| Failed authentications from countries/regions you don't operate out of.| Medium| Microsoft Entra sign-in log| Location = \<unapproved location\>| Monitor and alert on any entries. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Failed authentications for legacy protocols or protocols that aren't used.| Medium| Microsoft Entra sign-in log| Status = failure<br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Failures blocked by Conditional Access.| Medium| Microsoft Entra sign-in log| Error code = 53003 <br>-and-<br>Failure reason = blocked by Conditional Access| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br>[Sigma 
rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Increased failed authentications of any type.| Medium| Microsoft Entra sign-in log| Capture increases in failures across the board. That is, the failure total for today is >10% on the same day, the previous week.| If you don't have a set threshold, monitor and alert if failures increase by 10% or greater.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml) | +| Authentication occurring at times and days of the week when countries/regions don't conduct normal business operations.| Low| Microsoft Entra sign-in log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>-and-<br>Location = \<location\><br>-and-<br>Day\Time = \<not normal working hours\>| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml) | +| Account disabled/blocked for sign-ins| Low| Microsoft Entra sign-in log| Status = Failure<br>-and-<br>error code = 50057, The user account is disabled.| This could indicate someone is trying to gain access to an account once they have left an organization. 
Although the account is blocked, it is important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | ### Monitoring for successful unusual sign ins | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | | - |- |- |- |- |-| Authentications of privileged accounts outside of expected controls.| High| Microsoft Entra Sign-ins log| Status = success<br>-and-<br>UserPricipalName = \<Admin account\><br>-and-<br>Location = \<unapproved location\><br>-and-<br>IP Address = \<unapproved IP\><br>Device Info= \<unapproved Browser, Operating System\><br>| Monitor and alert on successful authentication for privileged accounts outside of expected controls. Three common controls are listed. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml)<br>[Sigma ruless](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| When only single-factor authentication is required.| Low| Microsoft Entra Sign-ins log| Status = success<br>Authentication requirement = Single-factor authentication| Monitor periodically and ensure expected behavior.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Authentications of privileged accounts outside of expected controls.| High| Microsoft Entra sign-in log| Status = success<br>-and-<br>UserPricipalName = \<Admin account\><br>-and-<br>Location = \<unapproved location\><br>-and-<br>IP Address = \<unapproved IP\><br>Device Info= \<unapproved Browser, Operating System\><br>| Monitor and alert on successful authentication for privileged accounts outside of expected controls. Three common controls are listed. 
<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml)<br>[Sigma ruless](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| When only single-factor authentication is required.| Low| Microsoft Entra sign-in log| Status = success<br>Authentication requirement = Single-factor authentication| Monitor periodically and ensure expected behavior.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | | Discover privileged accounts not registered for MFA.| High| Azure Graph API| Query for IsMFARegistered eq false for administrator accounts. <br>[List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http)| Audit and investigate to determine if intentional or an oversight. |-| Successful authentications from countries/regions your organization doesn't operate out of.| Medium| Microsoft Entra Sign-ins log| Status = success<br>Location = \<unapproved country/region\>| Monitor and alert on any entries not equal to the city names you provide.<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Successful authentication, session blocked by Conditional Access.| Medium| Microsoft Entra Sign-ins log| Status = success<br>-and-<br>error code = 53003 ΓÇô Failure reason, blocked by Conditional Access| Monitor and investigate when authentication is successful, but session is blocked by Conditional Access.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Successful authentication after you have disabled legacy authentication.| Medium| Microsoft Entra Sign-ins log| status = success 
<br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| If your organization has disabled legacy authentication, monitor and alert when successful legacy authentication has taken place.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Successful authentications from countries/regions your organization doesn't operate out of.| Medium| Microsoft Entra sign-in log| Status = success<br>Location = \<unapproved country/region\>| Monitor and alert on any entries not equal to the city names you provide.<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Successful authentication, session blocked by Conditional Access.| Medium| Microsoft Entra sign-in log| Status = success<br>-and-<br>error code = 53003 ΓÇô Failure reason, blocked by Conditional Access| Monitor and investigate when authentication is successful, but session is blocked by Conditional Access.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Successful authentication after you have disabled legacy authentication.| Medium| Microsoft Entra sign-in log| status = success <br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| If your organization has disabled legacy authentication, monitor and alert when successful legacy authentication has taken place.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | We recommend you periodically review 
authentications to medium business impact (MBI) and high business impact (HBI) applications where only single-factor authentication is required. For each, you want to determine if single-factor authentication was expected or not. In addition, review for successful authentication increases or at unexpected times, based on the location. | What to monitor| Risk Level| Where| Filter/sub-filter| Notes | | - | - |- |- |- |-| Authentications to MBI and HBI application using single-factor authentication.| Low| Microsoft Entra Sign-ins log| status = success<br>-and-<br>Application ID = \<HBI app\> <br>-and-<br>Authentication requirement = single-factor authentication.| Review and validate this configuration is intentional.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Authentications at days and times of the week or year that countries/regions do not conduct normal business operations.| Low| Microsoft Entra Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>Location = \<location\><br>Date\Time = \<not normal working hours\>| Monitor and alert on authentications days and times of the week or year that countries/regions do not conduct normal business operations.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | -| Measurable increase of successful sign ins.| Low| Microsoft Entra Sign-ins log| Capture increases in successful authentication across the board. 
That is, success totals for today are >10% on the same day, the previous week.| If you don't have a set threshold, monitor and alert if successful authentications increase by 10% or greater.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Authentications to MBI and HBI application using single-factor authentication.| Low| Microsoft Entra sign-in log| status = success<br>-and-<br>Application ID = \<HBI app\> <br>-and-<br>Authentication requirement = single-factor authentication.| Review and validate this configuration is intentional.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Authentications at days and times of the week or year that countries/regions do not conduct normal business operations.| Low| Microsoft Entra sign-in log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>Location = \<location\><br>Date\Time = \<not normal working hours\>| Monitor and alert on authentications days and times of the week or year that countries/regions do not conduct normal business operations.<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | +| Measurable increase of successful sign ins.| Low| Microsoft Entra sign-in log| Capture increases in successful authentication across the board. 
That is, success totals for today are >10% on the same day, the previous week.| If you don't have a set threshold, monitor and alert if successful authentications increase by 10% or greater.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) | ## Next steps |
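Review bot: the Notes cell in the added rows `+| Failed sign-in attempts.| ...`, `+| Smart lock-out events.| ...` and `+| Interrupts| ...` still reads "adjust to suite your organizational behaviors"; the word should be "suit". Since all three rows are rewritten in this change, fix the spelling here rather than carrying it over from the removed lines.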
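Review bot: the added row `+| Authentications of privileged accounts outside of expected controls.| High| ...` keeps two typos from the removed line: `UserPricipalName` in the filter (the sign-in log field is `UserPrincipalName`) and `[Sigma ruless]` in the link text. Correct both while the row is being touched.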
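Review bot: in the added row `+| Successful authentications from countries/regions your organization doesn't operate out of.| Medium| ...` the filter is `Location = \<unapproved country/region\>` but the Notes cell says "alert on any entries not equal to the city names you provide"; city and country/region are different granularities, so one of the two should change so that the filter and the guidance agree.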
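Review bot: the Notes cell of the added row `+| Authentications at days and times of the week or year that countries/regions do not conduct normal business operations.| Low| ...` reads "Monitor and alert on authentications days and times", which is missing "at" ("alert on authentications at days and times"); the cell otherwise only restates the row title, so a pointer to establishing the normal working pattern first, as the privileged-accounts table in this set already says, would make it actionable.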
active-directory | Concept Authentication Methods Manage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-methods-manage.md | Microsoft Entra ID allows the use of a range of authentication methods to suppor The Authentication methods policy is the recommended way to manage authentication methods, including modern methods like passwordless authentication. [Authentication Policy Administrators](../roles/permissions-reference.md#authentication-policy-administrator) can edit this policy to enable authentication methods for all users or specific groups. -Methods enabled in the Authentication methods policy can typically be used anywhere in Microsoft Entra ID - for both authentication and password reset scenarios. The exception is that some methods are inherently limited to use in authentication, such as FIDO2 and Windows Hello for Business, and others are limited to use in password reset, such as security questions. For more control over which methods are usable in a given authentication scenario, consider using the **Authentication Strengths** feature. +Methods enabled in the Authentication methods policy can typically be used anywhere in Microsoft Entra ID, for both authentication and password reset scenarios. The exception is that some methods are inherently limited to use in authentication, such as FIDO2 and Windows Hello for Business, and others are limited to use in password reset, such as security questions. For more control over which methods are usable in a given authentication scenario, consider using the **Authentication Strengths** feature. Most methods also have configuration parameters to more precisely control how that method can be used. For example, if you enable **Voice calls**, you can also specify whether an office phone can be used in addition to a mobile phone. 
Only the [converged registration experience](concept-registration-mfa-sspr-combi ## Legacy MFA and SSPR policies -Two other policies, located in **multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used. A [Global Administrator](../roles/permissions-reference.md#global-administrator) is needed to manage these policies. +Two other policies, located in **Multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used. A [Global Administrator](../roles/permissions-reference.md#global-administrator) is needed to manage these policies. >[!Important] >In March 2023, we announced the deprecation of managing authentication methods in the legacy multifactor authentication and self-service password reset (SSPR) policies. Beginning September 30, 2024, authentication methods can't be managed in these legacy MFA and SSPR policies. We recommend customers use the manual migration control to migrate to the Authentication methods policy by the deprecation date. -To manage the legacy MFA policy, click **Security** > **multifactor authentication** > **Additional cloud-based multifactor authentication settings**. +To manage the legacy MFA policy, select **Security** > **Multifactor authentication** > **Additional cloud-based multifactor authentication settings**. :::image type="content" border="true" source="./media/concept-authentication-methods-manage/service-settings.png" alt-text="Screenshot of MFA service settings."::: |
active-directory | Concept Authentication Operator Assistance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-operator-assistance.md | For example, let's say a customer in U.S has an office phone number 425-555-1234 If the setting is **Off**, the system will automatically dial extensions as part of the phone number. Your admin can still specify individual users who should be enabled for operator assistance by prefixing the extension with ΓÇÿ@ΓÇÖ. For example, 425-555-1234x@5678 would indicate that operator assistance should be used, even though the setting is **Off**. -To check the status of this feature in your own tenant, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator), then click **Protection** > **multifactor authentication** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**. +To check the status of this feature in your own tenant, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator), then click **Protection** > **Multifactor authentication** > **Phone call settings**. Check **Operator required to transfer extensions** to see if the setting is **On** or **Off**. ![Screenshot of operator assistance settings](./media/concept-authentication-operator-assistance/settings.png) |
active-directory | Concept Authentication Strengths | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-strengths.md | There are two policies that determine which authentication methods can be used t :::image type="content" border="true" source="./media/concept-authentication-strengths/authentication-methods-policy.png" alt-text="Screenshot of Authentication methods policy."::: -- **Security** > **Multifactor Authentication** > **Additional cloud-based multifactor authentication settings** is a legacy way to control multifactor authentication methods for all of the users in the tenant. +- **Security** > **Multifactor authentication** > **Additional cloud-based multifactor authentication settings** is a legacy way to control multifactor authentication methods for all of the users in the tenant. :::image type="content" border="true" source="./media/concept-authentication-strengths/service-settings.png" alt-text="Screenshot of MFA service settings."::: |
active-directory | Concept Certificate Based Authentication Certificateuserids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md | Content-Type: application/json For the configuration, you can use the [Azure Active Directory PowerShell Version 2](/powershell/microsoftgraph/installation): -1. Start Windows PowerShell with administrator privileges. +1. Start PowerShell with administrator privileges. 1. Install and Import the Microsoft Graph PowerShell SDK ```powershell |
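Review bot: the link text and the step that follows disagree in this hunk. The context line reads "you can use the [Azure Active Directory PowerShell Version 2](/powershell/microsoftgraph/installation)", but the link target and the next step ("Install and Import the Microsoft Graph PowerShell SDK") both refer to the Microsoft Graph PowerShell SDK. Since the change already touches the step wording ("Start PowerShell with administrator privileges"), update the link text to "Microsoft Graph PowerShell SDK" so the name matches the module the reader is told to install.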
active-directory | Concept Certificate Based Authentication Technical Deep Dive | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md | Now we'll walk through each step: 1. Microsoft Entra ID checks whether CBA is enabled for the tenant. If CBA is enabled, the user sees a link to **Use a certificate or smartcard** on the password page. If the user doesn't see the sign-in link, make sure CBA is enabled on the tenant. For more information, see [How do I enable Microsoft Entra CBA?](./certificate-based-authentication-faq.yml#how-can-an-administrator-enable-microsoft-entra-cba-). >[!NOTE]- > If CBA is enabled on the tenant, all users will see the link to **Use a certificate or smart card** on the password page. However, only the users in scope for CBA will be able to authenticate successfully against an application that uses Microsoft Entra ID as their Identity provider (IdP). + > If CBA is enabled on the tenant, all users see the link to **Use a certificate or smart card** on the password page. However, only the users in scope for CBA can authenticate successfully against an application that uses Microsoft Entra ID as their Identity provider (IdP). :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-cert.png" alt-text="Screenshot of the Use a certificate or smart card."::: Now we'll walk through each step: :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/entry.png" alt-text="Screenshot of the entry for X.509 certificate."::: -1. Microsoft Entra ID will request a client certificate, the user picks the client certificate, and clicks **Ok**. +1. Microsoft Entra ID requests a client certificate, the user picks the client certificate, and clicks **Ok**. 
>[!NOTE] >Trusted CA hints are not supported, so the list of certificates can't be further scoped. We're looking into adding this functionality in the future. Now we'll walk through each step: :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/cert-picker.png" alt-text="Screenshot of the certificate picker." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/cert-picker.png"::: 1. Microsoft Entra ID verifies the certificate revocation list to make sure the certificate isn't revoked and is valid. Microsoft Entra ID identifies the user by using the [username binding configured](how-to-certificate-based-authentication.md#step-4-configure-username-binding-policy) on the tenant to map the certificate field value to the user attribute value.-1. If a unique user is found with a Conditional Access policy that requires multifactor authentication, and the [certificate authentication binding rule](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy) satisfies MFA, then Microsoft Entra ID signs the user in immediately. If MFA is required but the certificate satisfies only a single factor, either passwordless sign-in or FIDO2 will be offered as a second factor if they are already registered. +1. If a unique user is found with a Conditional Access policy that requires multifactor authentication, and the [certificate authentication binding rule](how-to-certificate-based-authentication.md#step-3-configure-authentication-binding-policy) satisfies MFA, then Microsoft Entra ID signs the user in immediately. If MFA is required but the certificate satisfies only a single factor, either passwordless sign-in or FIDO2 are offered as a second factor if they are already registered. 1. Microsoft Entra ID completes the sign-in process by sending a primary refresh token back to indicate successful sign-in. 1. 
If the user sign-in is successful, the user can access the application. ## Certificate-based authentication is MFA capable -Microsoft Entra CBA is an MFA (multifactor authentication) capable method, that is Microsoft Entra CBA can be either Single (SF) or multifactor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to get MFA and proof up to register other authentication methods when the user is in scope for CBA. +Microsoft Entra CBA is capable of multifactor authentication (MFA) method. Microsoft Entra CBA can be either single-factor (SF) or multifactor (MF) depending on the tenant configuration. Enabling CBA makes a user potentially capable to complete MFA. A user may need more configuration to complete MFA, and proof up to register other authentication methods when the user is in scope for CBA. -If CBA enabled user only has a Single Factor (SF) certificate and need MFA - 1. Use Password + SF certificate. - 1. Issue Temporary Access Pass (TAP) - 1. Admin adds Phone Number to user account and allows Voice/text message method for user. +If the CBA-enabled user only has a Single Factor (SF) certificate and needs to complete MFA: + 1. Use a password and SF certificate. + 1. Issue a Temporary Access Pass. + 1. Authentication Policy Administrator adds a phone number and allows voice/text message authentication for the user account. -If CBA enabled user has not yet been issued a certificate and need MFA - 1. Issue Temporary Access Pass (TAP) - 1. Admin adds Phone Number to user account and allows Voice/text message method for user. +If the CBA-enabled user hasn't yet been issued a certificate and needs to complete MFA: + 1. Issue a Temporary Access Pass. + 1. Authentication Policy Administrator adds a phone number and allows voice/text message authentication for the user account. 
-If CBA enabled user cannot use MF cert (such as on mobile device without smart card support) and need MFA - 1. Issue Temporary Access Pass (TAP) - 1. User Register another MFA method (when user can use MF cert) - 1. Use Password + MF cert (when user can use MF cert) - 1. Admin adds Phone Number to user account and allows Voice/text message method for user +If the CBA-enabled user can't use an MF cert, such as on mobile device without smart card support, and needs to complete MFA: + 1. Issue a Temporary Access Pass. + 1. User needs to register another MFA method (when user can use MF cert). + 1. Use password and MF cert (when user can use MF cert). + 1. Authentication Policy Administrator adds a phone number and allows voice/text message authentication for the user account. ## MFA with Single-factor certificate-based authentication If CBA enabled user cannot use MF cert (such as on mobile device without smart c Microsoft Entra CBA can be used as a second factor to meet MFA requirements with single-factor certificates. Some of the supported combinations are -1. CBA (first factor) + passwordless phone sign-in (PSI as second factor) -1. CBA (first factor) + FIDO2 security keys (second factor) -1. Password (first factor) + CBA (second factor) +1. CBA (first factor) and passwordless phone sign-in (PSI as second factor) +1. CBA (first factor) and FIDO2 security keys (second factor) +1. Password (first factor) and CBA (second factor) Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Microsoft Entra CBA. >[!IMPORTANT]->A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods. Make sure users who do not have a valid certificate are not part of CBA auth method scope. 
More info on [Microsoft Entra multifactor authentication](../authentication/concept-mfa-howitworks.md) +>A user is considered MFA capable when they are included in the CBA method settings. This means the user can't use proof up as part of their authentication to register other available methods. Make sure users without a valid certificate aren't included in the CBA method settings. For more information about how authentication works, see [Microsoft Entra multifactor authentication](../authentication/concept-mfa-howitworks.md). **Steps to set up passwordless phone signin(PSI) with CBA** For passwordless sign-in to work, users should disable legacy notification throu 1. Follow the steps at [Enable passwordless phone sign-in authentication](../authentication/howto-authentication-passwordless-phone.md#enable-passwordless-phone-sign-in-authentication-methods) >[!IMPORTANT]- >In the above configuration under step 4, please choose **Passwordless** option. Change the mode for each groups added for PSI for **Authentication mode**, choose **Passwordless** for passwordless sign-in to work with CBA. If the admin configures "Any", CBA + PSI will not work. + >In the above configuration under step 4, please choose **Passwordless** option. Change the mode for each groups added for PSI for **Authentication mode**, choose **Passwordless** for passwordless sign-in to work with CBA. If the admin configures "Any", CBA and PSI don't work. -1. Select **Protection** > **multifactor authentication** > **Additional cloud-based multifactor authentication settings**. +1. Select **Protection** > **Multifactor authentication** > **Additional cloud-based multifactor authentication settings**. 
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/configure.png" alt-text="Screenshot of how to configure multifactor authentication settings."::: Let's look at an example of a user who has single factor certificates and has co :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/cert-picker.png" alt-text="Screenshot of how to select a certificate."::: -1. Because the certificate is configured to be single-factor authentication strength, the user needs a second factor to meet MFA requirements. The user will see available second factors, which in this case is passwordless sign-in. Select **Approve a request on my Microsoft Authenticator app**. +1. Because the certificate is configured to be single-factor authentication strength, the user needs a second factor to meet MFA requirements. The user sees available second factors, which in this case is passwordless sign-in. Select **Approve a request on my Microsoft Authenticator app**. :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/second-factor-request.png" alt-text="Screenshot of second factor request."::: 1. You'll get a notification on your phone. Select **Approve Sign-in?**. Let's look at an example of a user who has single factor certificates and has co :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/number.png" alt-text="Screenshot of number match."::: -1. Select **Yes** and user will be authenticated and signed in. +1. Select **Yes** and user can authenticate and sign in. ## Understanding the authentication binding policy -The authentication binding policy helps determine the strength of authentication as either single-factor or multifactor. 
An administrator can change the default value from single factor to multifactor, or set up custom policy configurations either by using issuer subject or policy OID fields in the certificate. +The authentication binding policy helps determine the strength of authentication as either single-factor or multifactor. An administrator can change the default value from single-factor to multifactor, or set up custom policy configurations either by using issuer subject or policy OID fields in the certificate. ### Certificate strengths When a user has a multifactor certificate, they can perform multifactor authenti Because multiple authentication binding policy rules can be created with different certificate fields, there are some rules that determine the authentication protection level. They are as follows: -1. Exact match is used for strong authentication by using policy OID. If you have a certificate A with policy OID **1.2.3.4.5** and a derived credential B based on that certificate has a policy OID **1.2.3.4.5.6**, and the custom rule is defined as **Policy OID** with value **1.2.3.4.5** with MFA, only certificate A will satisfy MFA, and credential B will satisfy only single-factor authentication. If the user used derived credential during sign-in and was configured to have MFA, the user will be asked for a second factor for successful authentication. -1. Policy OID rules will take precedence over certificate issuer rules. If a certificate has both policy OID and Issuer, the policy OID is always checked first, and if no policy rule is found then the issuer subject bindings are checked. Policy OID has a higher strong authentication binding priority than the issuer. +1. Exact match is used for strong authentication by using policy OID. 
If you have a certificate A with policy OID **1.2.3.4.5** and a derived credential B based on that certificate has a policy OID **1.2.3.4.5.6**, and the custom rule is defined as **Policy OID** with value **1.2.3.4.5** with MFA, only certificate A satisfies MFA, and credential B satisfies only single-factor authentication. If the user used derived credential during sign-in and was configured to have MFA, the user is asked for a second factor for successful authentication. +1. Policy OID rules take precedence over certificate issuer rules. If a certificate has both policy OID and Issuer, the policy OID is always checked first, and if no policy rule is found then the issuer subject bindings are checked. Policy OID has a higher strong authentication binding priority than the issuer. 1. If one CA binds to MFA, all user certificates that the CA issues qualify as MFA. The same logic applies for single-factor authentication. 1. If one policy OID binds to MFA, all user certificates that include this policy OID as one of the OIDs (A user certificate could have multiple policy OIDs) qualify as MFA. 1. If there's a conflict between multiple policy OIDs (such as when a certificate has two policy OIDs, where one binds to single-factor authentication and the other binds to MFA) then treat the certificate as a single-factor authentication. The username binding policy helps validate the certificate of the user. By defau ### Achieve higher security with certificate bindings -There are four supported methods. In general, mapping types are considered high-affinity if they're based on identifiers that you can't reuse (Such as Subject Key Identifiers or SHA1 Public Key). These identifiers convey a higher assurance that only a single certificate can be used to authenticate the respective user. Therefore, all mapping types based on usernames and email addresses are considered low-affinity. 
Therefore, Microsoft Entra ID implements two mappings considered low-affinity (based on reusable identifiers), and the other two are considered high-affinity bindings. For more information, see [certificateUserIds](concept-certificate-based-authentication-certificateuserids.md). +There are four supported methods for certificate bindings. In general, mapping types are considered high-affinity if they're based on identifiers that you can't reuse, such as Subject Key Identifiers or SHA1 Public Key. These identifiers convey a higher assurance that only a single certificate can be used to authenticate the respective user. All mapping types based on usernames and email addresses are considered low-affinity. Microsoft Entra ID implements two mappings considered low-affinity based on reusable identifiers. The other two are considered high-affinity bindings. For more information, see [certificateUserIds](concept-certificate-based-authentication-certificateuserids.md). -|Certificate mapping Field | Examples of values in certificateUserIds | User object attributes | Type | +|Certificate mapping field | Examples of values in certificateUserIds | User object attributes | Type | |--|--||-|-|PrincipalName | ΓÇ£X509:\<PN>bob@woodgrove.comΓÇ¥ | userPrincipalName <br> onPremisesUserPrincipalName <br> certificateUserIds | low-affinity | -|RFC822Name | ΓÇ£X509:\<RFC822>user@woodgrove.comΓÇ¥ | userPrincipalName <br> onPremisesUserPrincipalName <br> certificateUserIds | low-affinity | -|X509SKI | ΓÇ£X509:\<SKI>123456789abcdefΓÇ¥| certificateUserIds | high-affinity | -|X509SHA1PublicKey |ΓÇ£X509:\<SHA1-PUKEY>123456789abcdefΓÇ¥ | certificateUserIds | high-affinity | +|PrincipalName | X509:\<PN>bob@woodgrove.com | userPrincipalName <br> onPremisesUserPrincipalName <br> certificateUserIds | low-affinity | +|RFC822Name | X509:\<RFC822>user@woodgrove.com | userPrincipalName <br> onPremisesUserPrincipalName <br> certificateUserIds | low-affinity | +|X509SKI | X509:\<SKI>123456789abcdef| 
certificateUserIds | high-affinity | +|X509SHA1PublicKey |X509:\<SHA1-PUKEY>123456789abcdef | certificateUserIds | high-affinity | <a name='how-azure-ad-resolves-multiple-username-policy-binding-rules'></a> There are four supported methods. In general, mapping types are considered high- Use the highest priority (lowest number) binding. 1. Look up the user object by using the username or User Principal Name.-1. If the X.509 certificate field is on the presented certificate, Microsoft Entra ID will match the value in the certificate field to the user object attribute value. +1. If the X.509 certificate field is on the presented certificate, Microsoft Entra ID matches the value in the certificate field to the user object attribute value. 1. If a match is found, user authentication is successful. 1. If a match isn't found, move to the next priority binding. 1. If the X.509 certificate field isn't on the presented certificate, move to the next priority binding. Use the highest priority (lowest number) binding. Each of the Microsoft Entra attributes (userPrincipalName, onPremiseUserPrincipalName, certificateUserIds) available to bind certificates to Microsoft Entra user accounts has unique constraint to ensure a certificate only matches a single Microsoft Entra user account. However, Microsoft Entra CBA does support configuring multiple binding methods in the username binding policy. This allows an administrator to accommodate multiple certificate configurations. However the combination of some methods can also potentially permit one certificate to match to multiple Microsoft Entra user accounts. >[!IMPORTANT]->When using multiple bindings, Microsoft Entra CBA authentication is only as secure as your low-affinity binding as Microsoft Entra CBA will validate each of the bindings to authenticate the user. 
In order to eliminate a scenario where a single certificate matching multiple Microsoft Entra accounts, the tenant administrator should: +>When using multiple bindings, Microsoft Entra CBA authentication is only as secure as your low-affinity binding as Microsoft Entra CBA validates each of the bindings to authenticate the user. In order to eliminate a scenario where a single certificate matching multiple Microsoft Entra accounts, the tenant administrator should: >- Configure a single binding method in the username binding policy. >- If a tenant has multiple binding methods configured and doesn't want to allow one certificate to multiple accounts, the tenant admin must ensure all allowable methods configured in the policy map to the same Microsoft Entra account, i.e all user accounts should have values matching all the bindings. >- If a tenant has multiple binding methods configured, the admin should make sure that they do not have more than one low-affinity binding Microsoft Entra ID downloads and caches the customers certificate revocation lis An admin can configure the CRL distribution point during the setup process of the trusted issuers in the Microsoft Entra tenant. Each trusted issuer should have a CRL that can be referenced by using an internet-facing URL. >[!IMPORTANT]->The maximum size of a CRL for Microsoft Entra ID to successfully download on an interactive sign-in and cache is 20 MB in Azure Global and 45 MB in Azure US Government clouds, and the time required to download the CRL must not exceed 10 seconds. If Microsoft Entra ID can't download a CRL, certificate-based authentications using certificates issued by the corresponding CA will fail. As a best practice to keep CRL files within size limits, keep certificate lifetimes within reasonable limits and to clean up expired certificates. For more information, see [Is there a limit for CRL size?](certificate-based-authentication-faq.yml#is-there-a-limit-for-crl-size-). 
+>The maximum size of a CRL for Microsoft Entra ID to successfully download on an interactive sign-in and cache is 20 MB in Azure Global and 45 MB in Azure US Government clouds, and the time required to download the CRL must not exceed 10 seconds. If Microsoft Entra ID can't download a CRL, certificate-based authentications using certificates issued by the corresponding CA fail. As a best practice to keep CRL files within size limits, keep certificate lifetimes within reasonable limits and to clean up expired certificates. For more information, see [Is there a limit for CRL size?](certificate-based-authentication-faq.yml#is-there-a-limit-for-crl-size-). -When a user performs an interactive sign-in with a certificate, and the CRL exceeds the interactive limit for a cloud, their initial sign-in will fail with the following error: +When a user performs an interactive sign-in with a certificate, and the CRL exceeds the interactive limit for a cloud, their initial sign-in fails with the following error: "The Certificate Revocation List (CRL) downloaded from {uri} has exceeded the maximum allowed size ({size} bytes) for CRLs in Microsoft Entra ID. Try again in few minutes. If the issue persists, contact your tenant administrators." -After the error, Microsoft Entra ID will attempt to download the CRL subject to the service-side limits (45 MB in Azure Global and 150 MB in Azure US Government clouds). +After the error, Microsoft Entra ID attempts to download the CRL subject to the service-side limits (45 MB in Azure Global and 150 MB in Azure US Government clouds). >[!IMPORTANT]->If the admin skips the configuration of the CRL, Microsoft Entra ID will not perform any CRL checks during the certificate-based authentication of the user. This can be helpful for initial troubleshooting, but shouldn't be considered for production use. 
+>If the admin skips the configuration of the CRL, Microsoft Entra ID doesn't perform any CRL checks during the certificate-based authentication of the user. This can be helpful for initial troubleshooting, but shouldn't be considered for production use. As of now, we don't support Online Certificate Status Protocol (OCSP) because of performance and reliability reasons. Instead of downloading the CRL at every connection by the client browser for OCSP, Microsoft Entra ID downloads once at the first sign-in and caches it, thereby improving the performance and reliability of CRL verification. We also index the cache so the search is much faster every time. Customers must publish CRLs for certificate revocation. The following steps are a typical flow of the CRL check: -1. Microsoft Entra ID will attempt to download the CRL at the first sign-in event of any user with a certificate of the corresponding trusted issuer or certificate authority. -1. Microsoft Entra ID will cache and re-use the CRL for any subsequent usage. It will honor the **Next update date** and, if available, **Next CRL Publish date** (used by Windows Server CAs) in the CRL document. -1. The user certificate-based authentication will fail if: +1. Microsoft Entra ID attempts to download the CRL at the first sign-in event of any user with a certificate of the corresponding trusted issuer or certificate authority. +1. Microsoft Entra ID caches and re-uses the CRL for any subsequent usage. It honors the **Next update date** and, if available, **Next CRL Publish date** (used by Windows Server CAs) in the CRL document. +1. The user certificate-based authentication fails if: - A CRL has been configured for the trusted issuer and Microsoft Entra ID can't download the CRL, due to availability, size, or latency constraints. - The user's certificate is listed as revoked on the CRL. 
:::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/user-cert.png" alt-text="Screenshot of the revoked user certificate in the CRL." ::: - - Microsoft Entra ID will attempt to download a new CRL from the distribution point if the cached CRL document is expired. + - Microsoft Entra ID attempts to download a new CRL from the distribution point if the cached CRL document is expired. >[!NOTE]->Microsoft Entra ID will check the CRL of the issuing CA and other CAs in the PKI trust chain up to the root CA. We have a limit of up to 10 CAs from the leaf client certificate for CRL validation in the PKI chain. The limitation is to make sure a bad actor will not bring down the service by uploading a PKI chain with a huge number of CAs with a bigger CRL size. -If the tenantΓÇÖs PKI chain has more than 5 CAs and in case of a CA compromise, the administrator should remove the compromised trusted issuer from the Microsoft Entra tenant configuration. +>Microsoft Entra ID checks the CRL of the issuing CA and other CAs in the PKI trust chain up to the root CA. We have a limit of up to 10 CAs from the leaf client certificate for CRL validation in the PKI chain. The limitation is to make sure a bad actor doesn't bring down the service by uploading a PKI chain with a huge number of CAs with a bigger CRL size. +If the tenant's PKI chain has more than 5 CAs and in case of a CA compromise, the administrator should remove the compromised trusted issuer from the Microsoft Entra tenant configuration. >[!IMPORTANT] Certificate-based authentication can fail for reasons such as the certificate be :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/validation-error.png" alt-text="Screenshot of a certificate validation error." 
::: -If CBA fails on a browser, even if the failure is because you cancel the certificate picker, you need to close the browser session and open a new session to try CBA again. A new session is required because browsers cache the certificate. When CBA is re-tried, the browser will send the cached certificate during the TLS challenge, which causes sign-in failure and the validation error. +If CBA fails on a browser, even if the failure is because you cancel the certificate picker, you need to close the browser session and open a new session to try CBA again. A new session is required because browsers cache the certificate. When CBA is re-tried, the browser sends the cached certificate during the TLS challenge, which causes sign-in failure and the validation error. Click **More details** to get logging information that can be sent to an administrator, who in turn can get more information from the Sign-in logs. Click **Other ways to sign in** to try other methods available to the user to si ## Certificate-based authentication in MostRecentlyUsed (MRU) methods -Once a user authenticates successfully using CBA, the user's MostRecentlyUsed (MRU) authentication method will be set to CBA. Next time, when the user enters their UPN and clicks **Next**, the user will be taken to the CBA method directly, and need not select **Use the certificate or smart card**. +Once a user authenticates successfully using CBA, the user's MostRecentlyUsed (MRU) authentication method is set to CBA. Next time, when the user enters their UPN and clicks **Next**, the user is taken to the CBA method directly, and need not select **Use the certificate or smart card**. To reset the MRU method, the user needs to cancel the certificate picker, click **Other ways to sign in**, and select another method available to the user and authenticate successfully. |
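Review bot: subject-verb agreement in the rewritten sign-in step: "either passwordless sign-in or FIDO2 are offered as a second factor" should read "is offered", since "either ... or" takes a singular verb, and "if they are already registered" has no plural antecedent; "if the user has already registered one of them" says what is meant.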
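Review bot: the rewritten opening sentence of "Certificate-based authentication is MFA capable" no longer parses: "Microsoft Entra CBA is capable of multifactor authentication (MFA) method." The removed line's meaning was that CBA is an MFA-capable method whose strength depends on tenant configuration; suggest "Microsoft Entra CBA is a multifactor authentication (MFA)-capable method: depending on the tenant configuration it counts as either single-factor (SF) or multifactor (MF)." In the remediation lists below it, the change drops "(TAP)" after "Temporary Access Pass"; keep the abbreviation on first use, since it is the term readers will search for.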
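Review bot: in the passwordless phone sign-in (PSI) configuration callout, the retained wording "Change the mode for each groups added for PSI for **Authentication mode**" is still ungrammatical ("each group"), and the unchanged sentence above the IMPORTANT block, "register passwordless sign-in or FIDO2 in advance to signing in", should be "before signing in". The hunk already rewrites the last sentence of that callout, so both can be fixed in the same pass.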
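Review bot: in the PSI walkthrough, "Select **Yes** and user can authenticate and sign in" drops the article and changes the meaning: the removed line stated that after selecting **Yes** the user *is* authenticated and signed in, which is the outcome of the number-match step, not a possibility. Suggest "Select **Yes**. The user is authenticated and signed in."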
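Review bot: the certificate mapping table's separator row "|--|--||-|" has an empty third cell, which leaves the table with a malformed delimiter row in Markdown; it needs a dash run in every column, e.g. "|--|--|--|--|". This hunk only changes the header text ("Certificate mapping field") and strips the smart quotes from the value cells, so the separator is still broken after the change.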
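Review bot: the rewritten IMPORTANT callout on multiple bindings says CBA "validates each of the bindings to authenticate the user", which can be read as "all bindings must pass". The resolution steps above it say the opposite: bindings are tried in priority order and "If a match is found, user authentication is successful." The security point is that a match on any one configured binding is enough, so the weakest (low-affinity) binding sets the assurance level; suggest "because a match on any one of the configured bindings authenticates the user". The clause "a scenario where a single certificate matching multiple Microsoft Entra accounts" also still lacks its verb ("matches").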
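Review bot: in the CRL size callout, "keep certificate lifetimes within reasonable limits and to clean up expired certificates" carries a stray "to" (should be "and clean up expired certificates"), and the quoted error text below it says "Try again in few minutes" ("in a few minutes"). Both sit in lines this hunk rewrites, so they can be corrected here.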
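Review bot: the CA-chain NOTE states a limit of "up to 10 CAs from the leaf client certificate" for CRL validation, and the next sentence then says "If the tenant's PKI chain has more than 5 CAs and in case of a CA compromise, the administrator should remove the compromised trusted issuer". The two numbers are not reconciled: it is unclear why the removal guidance is conditioned on more than 5 CAs when the validation limit is 10, and removing a compromised trusted issuer from the tenant configuration is the right response regardless of chain length. Either explain what changes at 5 CAs or drop the condition. That sentence also lacks the leading ">" the other lines of the callout use.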
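Review bot: this change converts "click" to "select" in the legacy MFA policy hunk, but the troubleshooting and MRU sections in the same pass still say "Click **More details**", "Click **Other ways to sign in**", "clicks **Next**" and "click **Other ways to sign in**". Use one UI verb throughout.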
active-directory | Concept Mfa Authprovider | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-authprovider.md | Title: Microsoft Entra multifactor authenticationentication Providers -description: When should you use an Auth Provider with Azure MFA? + Title: Microsoft Entra multifactor authentication providers +description: When should you use an authentication provider with Microsoft Entra multifactor authentication (MFA)? -A Microsoft Entra multifactor authenticationentication Provider is used to take advantage of features provided by Microsoft Entra multifactor authentication for users who **do not have licenses**. +A Microsoft Entra multifactor authentication provider is used to take advantage of features provided by Microsoft Entra multifactor authentication for users who **do not have licenses**. ## Caveats related to the Azure MFA SDK |
active-directory | Concept Password Ban Bad Combined Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md | The following Microsoft Entra password policy requirements apply for all passwor ## Password expiration policies -Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Microsoft Entra Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire. +Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Azure AD Module for PowerShell](/powershell/module/Azuread/) to set user passwords not to expire. > [!NOTE] > By default, only passwords for user accounts that aren't synchronized through Microsoft Entra Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Microsoft Entra ID](../hybrid/connect/how-to-connect-password-hash-synchronization.md#password-expiration-policy). The following expiration requirements apply to other providers that use Microsof | Property | Requirements | | | |-| Password expiry duration (Maximum password age) |Default value: **90** days.<br>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Microsoft Entra Module for Windows PowerShell. | +| Password expiry duration (Maximum password age) |Default value: **90** days.<br>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure AD PowerShell module. | | Password expiry (Let passwords never expire) |Default value: **false** (indicates that password's have an expiration date).<br>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet.| ## Next steps |
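Review bot: The module name is inconsistent within this change and does not match the cmdlets it describes: the first hunk says "Azure AD Module for PowerShell" while the table hunk says "Azure AD PowerShell module", and both `Set-MsolPasswordPolicy` and `Set-MsolUser` are MSOnline cmdlets (the sibling concept-sspr-policy change links `Get-MsolPasswordPolicy` under `/powershell/module/msonline/`), yet the link target remains `/powershell/module/Azuread/`. Pick one name, point it at the module that actually ships the `*-Msol*` cmdlets, and while the table row is being touched fix the context line "indicates that password's have an expiration date" to "passwords have".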
active-directory | Concept Sspr Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-policy.md | The following Microsoft Entra password policy options are defined. Unless noted, | Characters allowed |A ΓÇô Z<br>a - z<br>0 ΓÇô 9<br>@ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / \` ~ " ( ) ; < ><br>Blank space | | Characters not allowed | Unicode characters | | Password restrictions |A minimum of 8 characters and a maximum of 256 characters.<br>Requires three out of four of the following types of characters:<br>- Lowercase characters<br>- Uppercase characters<br>- Numbers (0-9)<br>- Symbols (see the previous password restrictions) |-| Password expiry duration (Maximum password age) |Default value: **90** days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with [Get-MsolPasswordPolicy](/powershell/module/msonline/get-msolpasswordpolicy).<br>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Microsoft Entra Module for Windows PowerShell.| +| Password expiry duration (Maximum password age) |Default value: **90** days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with [Get-MsolPasswordPolicy](/powershell/module/msonline/get-msolpasswordpolicy).<br>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure AD module for PowerShell.| | Password expiry (Let passwords never expire) |Default value: **false** (indicates that passwords have an expiration date).<br>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet. | | Password change history | The last password *can't* be used again when the user changes a password. | | Password reset history | The last password *can* be used again when the user resets a forgotten password. 
| A one-gate policy requires one piece of authentication data, such as an email ad ## Password expiration policies -A *Global Administrator* or *User Administrator* can use the [Microsoft Entra Module for Windows PowerShell](/powershell/module/Azuread/) to set user passwords not to expire. +A *Global Administrator* or *User Administrator* can use the [Azure Active Directory module for PowerShell](/powershell/module/Azuread/) to set user passwords not to expire. You can also use PowerShell cmdlets to remove the never-expires configuration or to see which user passwords are set to never expire. |
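Review bot: The two hunks of this change name the same module differently ("Azure AD module for PowerShell" in the table, "Azure Active Directory module for PowerShell" in the expiration section) and the expiration link still targets `/powershell/module/Azuread/` although the cmdlets cited are `Get-MsolPasswordPolicy` and `Set-MsolPasswordPolicy`, which the table itself links under `/powershell/module/msonline/`. Use one name and one link target in both hunks. The "Characters allowed" context line also carries mis-encoded characters ("A ΓÇô Z", "0 ΓÇô 9"); since this table is being edited, replace them with a plain hyphen as the adjacent "a - z" cell already uses.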
active-directory | Concepts Azure Multi Factor Authentication Prompts Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md | To configure or review the *Remain signed-in* option, complete the following ste To remember multifactor authentication settings on trusted devices, complete the following steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).-1. Browse to **Protection** > then **multifactor authentication**. +1. Browse to **Protection** > **Multifactor authentication**. 1. Under **Configure**, select **Additional cloud-based MFA settings**. 1. In the *multifactor authentication service settings* page, scroll to **remember multifactor authentication settings**. Disable the setting by unchecking the checkbox. |
active-directory | Feature Availability | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/feature-availability.md | This following tables list Microsoft Entra feature availability in Azure Governm | HR-provisioning app | Availability | |-|:--:|-|Workday to Microsoft Entra User Provisioning | ✅ | +|Workday to Microsoft Entra user provisioning | ✅ | |Workday Writeback | ✅ |-|SuccessFactors to Microsoft Entra User Provisioning | ✅ | +|SuccessFactors to Microsoft Entra user provisioning | ✅ | |SuccessFactors to Writeback | ✅ |-|Provisioning agent configuration and registration with Gov cloud tenant| Works with special undocumented command-line invocation:<br> AADConnectProvisioningAgent.Installer.exe ENVIRONMENTNAME=AzureUSGovernment | +|Provisioning agent configuration and registration with Gov cloud tenant| Works with special undocumented command-line invocation:<br> `AADConnectProvisioningAgent.Installer.exe ENVIRONMENTNAME=AzureUSGovernment` | |
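Review bot: The provisioning-agent row now documents the `ENVIRONMENTNAME=AzureUSGovernment` installer argument, so describing it as a "special undocumented command-line invocation" contradicts the row itself; suggest "Works when the installer is run with the following command-line argument:" before the fenced command.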
active-directory | How To Certificate Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-certificate-based-authentication.md | To enable Microsoft Entra CBA and configure user bindings in the Microsoft Entra :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/policy.png" alt-text="Screenshot of Authentication policy."::: 1. Click **Configure** to set up authentication binding and username binding.-1. The protection level attribute has a default value of **Single-factor authentication**. Select **multifactor authentication** to change the default value to MFA. +1. The protection level attribute has a default value of **Single-factor authentication**. Select **Multifactor authentication** to change the default value to MFA. >[!NOTE] >The default protection level value will be in effect if no custom rules are added. If custom rules are added, the protection level defined at the rule level will be honored instead. To enable Microsoft Entra CBA and configure user bindings in the Microsoft Entra To create a rule by certificate issuer, click **Certificate issuer**. 1. Select a **Certificate issuer identifier** from the list box.- 1. Click **multifactor authentication**. + 1. Click **Multifactor authentication**. :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/multifactor-issuer.png" alt-text="Screenshot of multifactor authentication policy."::: To create a rule by Policy OID, click **Policy OID**. 1. Enter a value for **Policy OID**.- 1. Click **multifactor authentication**. + 1. Click **Multifactor authentication**. :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/multifactor-policy-oid.png" alt-text="Screenshot of mapping to Policy OID."::: |
active-directory | How To Mfa Registration Campaign | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-registration-campaign.md | To enable a registration campaign in the Microsoft Entra admin center, complete 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Protection** > **Authentication methods** > **Registration campaign** and click **Edit**.-1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either Enabled or Disabled. For the registration campaign, the Microsoft managed value is Enabled for voice call and text message users with free and trial subscriptions. For more information, see [Protecting authentication methods in Microsoft Entra ID](concept-authentication-default-enablement.md). +1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either Enabled or Disabled. From Sept. 25 to Oct. 20, 2023, the Microsoft managed value for the registration campaing will change to **Enabled** for voice call and text message users across all tenants. For more information, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md). 
:::image type="content" border="true" source="media/how-to-mfa-registration-campaign/admin-experience.png" alt-text="Screenshot of enabling a registration campaign."::: The following table lists **authenticationMethodsRegistrationCampaign** properti ||--|-| |snoozeDurationInDays|Range: 0 - 14|Defines the number of days before the user is nudged again.<br>If the value is 0, the user is nudged during every MFA attempt.<br>Default: 1 day| |enforceRegistrationAfterAllowedSnoozes|"true"<br>"false"|Dictates whether a user is required to perform setup after 3 snoozes.<br>If true, user is required to register.<br>If false, user can snooze indefinitely.<br>Default: true<br>Please note this property only comes into effect once the Microsoft managed value for the registration campaign will change to Enabled for text message and voice call for your organization.|-|state|"enabled"<br>"disabled"<br>"default"|Allows you to enable or disable the feature.<br>Default value is used when the configuration hasn't been explicitly set and will use Microsoft Entra ID default value for this setting. Currently maps to disabled.<br>Change states to either enabled or disabled as needed.| +|state|"enabled"<br>"disabled"<br>"default"|Allows you to enable or disable the feature.<br>Default value is used when the configuration hasn't been explicitly set and will use Microsoft Entra ID default value for this setting. From Sept. 25 to Oct. 20, 2023, the default state will change to enabled for voice call and text message users across all tenants.<br>Change state to enabled (for all users) or disabled as needed.| |excludeTargets|N/A|Allows you to exclude different users and groups that you want omitted from the feature. If a user is in a group that is excluded and a group that is included, the user will be excluded from the feature.| |includeTargets|N/A|Allows you to include different users and groups that you want the feature to target.| |
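Review bot: The new wording in the first hunk contains a typo, "registration campaing", and switches the link text back to "Azure Active Directory" while the rest of these changes rename to "Microsoft Entra ID"; fix both to "registration campaign" and "Protecting authentication methods in Microsoft Entra ID". The date-bound sentence "From Sept. 25 to Oct. 20, 2023, the Microsoft managed value ... will change to **Enabled**" is repeated in the `state` table row and will read as stale shortly after that window; prefer a date-free statement of the resulting default (for example "The Microsoft managed value is Enabled for voice call and text message users") and keep the rollout window, if needed, in one place only. The `enforceRegistrationAfterAllowedSnoozes` context line still says "will change to Enabled", so it should be aligned with whatever phrasing the `state` row ends up using.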
active-directory | Howto Authentication Passwordless Security Key On Premises | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md | The [`AzureADHybridAuthenticationManagement` module](https://www.powershellgalle # First, ensure TLS 1.2 for PowerShell gallery access. [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12 - # Install the Azure AD Kerberos PowerShell Module. + # Install the AzureADHybridAuthenticationManagement PowerShell module. Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber ``` |
active-directory | Howto Mfa App Passwords | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-app-passwords.md | By default, users can't create app passwords. The app passwords feature must be 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). 1. Browse to **Conditional Access** > **Named locations**. 5. Click on **"Configure MFA trusted IPs"** in the bar across the top of the *Conditional Access | Named Locations* window.-6. On the **multifactor authentication** page, select the **Allow users to create app passwords to sign in to non-browser apps** option. +6. On the **Multifactor authentication** page, select the **Allow users to create app passwords to sign in to non-browser apps** option. ![Screenshot that shows the service settings for multifactor authentication to allow the user of app passwords](media/concept-authentication-methods/app-password-authentication-method.png) |
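Review bot: The numbered list in this hunk mixes "1." for the first two steps with literal "5." and "6." for the rest, which renders as 1, 2, 5, 6 in some Markdown engines and is confusing to maintain; since the capitalization line is already being edited, renumber every step as "1." as the other articles in this change set do. The step text `**"Configure MFA trusted IPs"**` also combines bold with quotation marks where the surrounding docs use bold alone for UI labels.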
active-directory | Howto Mfa Mfasettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-mfasettings.md | The following settings are available: To configure account lockout settings, complete these steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).-1. Browse to **Protection** > **multifactor authentication** > **Account lockout**. +1. Browse to **Protection** > **Multifactor authentication** > **Account lockout**. 1. Enter the values for your environment, and then select **Save**. ![Screenshot that shows the account lockout settings.](./media/howto-mfa-mfasettings/account-lockout-settings.png) When a user reports a MFA prompt as suspicious, the event shows up in the Sign-i - To view the risk detections report, select **Protection** > **Identity Protection** > **Risk detection**. The risk event is part of the standard **Risk Detections** report, and will appear as Detection Type **User Reported Suspicious Activity**, Risk level **High**, Source **End user reported**. -- To view fraud reports in the Sign-ins report, select **Identity** > **Monitoring & health** > **Sign-in logs** > **Authentication Details**. The fraud report is part of the standard **Azure AD Sign-ins** report and appears in the Result Detail as MFA denied, Fraud Code Entered. +- To view fraud reports in the Sign-ins report, select **Identity** > **Monitoring & health** > **Sign-in logs** > **Authentication Details**. The fraud report is part of the standard **Microsoft Entra sign-ins** report and appears in the Result Detail as MFA denied, Fraud Code Entered. - To view fraud reports in the Audit logs, select **Identity** > **Monitoring & health** > **Audit logs**. 
The fraud report appears under Activity type Fraud reported - user is blocked for MFA or Fraud reported - no action taken based on the tenant-level settings for fraud report. You can configure Microsoft Entra ID to send email notifications when users repo To configure fraud alert notifications: -1. Go to **Protection** > **Multi-Factor Authentication** > **Notifications**. +1. Go to **Protection** > **Multifactor authentication** > **Notifications**. 1. Enter the email address to send the notification to. 1. To remove an existing email address, select **...** next to the email address, and then select **Delete**. 1. Select **Save**. Helga@contoso.com,1234567,1234567abcdef1234567abcdef,60,Contoso,HardwareKey > [!NOTE] > Be sure to include the header row in your CSV file. -An Authentication Policy Administrator can sign in to the [Microsoft Entra admin center](https://entra.microsoft.com), go to **Protection** > **multifactor authentication** > **OATH tokens**, and upload the CSV file. +An Authentication Policy Administrator can sign in to the [Microsoft Entra admin center](https://entra.microsoft.com), go to **Protection** > **Multifactor authentication** > **OATH tokens**, and upload the CSV file. Depending on the size of the CSV file, it might take a few minutes to process. Select **Refresh** to get the status. If there are any errors in the file, you can download a CSV file that lists them. The field names in the downloaded CSV file are different from those in the uploaded version. To use your own custom messages, complete the following steps: Settings for app passwords, trusted IPs, verification options, and remembering multifactor authentication on trusted devices are available in the service settings. This is a legacy portal. 
-You can access service settings from the [Microsoft Entra admin center](https://entra.microsoft.com) by going to **Protection** > **multifactor authentication** > **Getting started** > **Configure** > **Additional cloud-based MFA settings**. A window or tab opens with additional service settings options. +You can access service settings from the [Microsoft Entra admin center](https://entra.microsoft.com) by going to **Protection** > **Multifactor authentication** > **Getting started** > **Configure** > **Additional cloud-based MFA settings**. A window or tab opens with additional service settings options. ### Trusted IPs To enable trusted IPs by using Conditional Access policies, complete the followi If you don't want to use Conditional Access policies to enable trusted IPs, you can configure the service settings for Microsoft Entra multifactor authentication by using the following steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).-1. Browse to **Protection** > **multifactor authentication** > **Service settings**. +1. Browse to **Protection** > **Multifactor authentication** > **Service settings**. 1. On the **Service settings** page, under **Trusted IPs**, choose one or both of the following options: * **For requests from federated users on my intranet**: To choose this option, select the checkbox. All federated users who sign in from the corporate network bypass multifactor authentication by using a claim that's issued by AD FS. Ensure that AD FS has a rule to add the intranet claim to the appropriate traffic. If the rule doesn't exist, create the following rule in AD FS: To enable or disable verification methods, complete the following steps: 1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). 1. Browse to **Identity** > **Users**. 1. Select **Per-user MFA**.-1. Under **multifactor authentication** at the top of the page, select **Service settings**. +1. Under **Multifactor authentication** at the top of the page, select **Service settings**. 1. On the **Service settings** page, under **Verification options**, select or clear the appropriate checkboxes. 1. Select **Save**. To enable and configure the option to allow users to remember their MFA status a 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). 1. Browse to **Identity** > **Users**. 1. Select **Per-user MFA**.-1. Under **multifactor authentication** at the top of the page, select **service settings**. +1. Under **Multifactor authentication** at the top of the page, select **service settings**. 1. On the **service settings** page, under **remember multifactor authentication**, select **Allow users to remember multifactor authentication on devices they trust**. 1. Set the number of days to allow trusted devices to bypass multifactor authentications. For the optimal user experience, extend the duration to 90 or more days. 1. Select **Save**. |
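Review bot: The last hunk capitalizes "**Multifactor authentication**" but leaves "select **service settings**" and "On the **service settings** page" in lowercase in the same steps, while the trusted-IPs and verification-options hunks of this change use "**Service settings**"; apply the same capitalization ("**Service settings**") to the remember-MFA steps so the UI label is written one way throughout the article. The context line "When a user reports a MFA prompt as suspicious" should read "an MFA prompt".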
active-directory | Howto Mfa Nps Extension Rdg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md | Install the NPS extension on a server that has the Network Policy and Access Ser ### Configure certificates for use with the NPS extension using a PowerShell script -Next, you need to configure certificates for use by the NPS extension to ensure secure communications and assurance. The NPS components include a Windows PowerShell script that configures a self-signed certificate for use with NPS. +Next, you need to configure certificates for use by the NPS extension to ensure secure communications and assurance. The NPS components include a PowerShell script that configures a self-signed certificate for use with NPS. The script performs the following actions: Once you have successfully authenticated using the secondary authentication meth ### View Event Viewer logs for successful logon events -To view the successful sign-in events in the Windows Event Viewer logs, you can issue the following Windows PowerShell command to query the Windows Terminal Services and Windows Security logs. +To view the successful sign-in events in the Windows Event Viewer logs, you can issue the following PowerShell command to query the Windows Terminal Services and Windows Security logs. To query successful sign-in events in the Gateway operational logs _(Event Viewer\Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational)_, use the following PowerShell commands: |
active-directory | Howto Mfa Nps Extension Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md | The NPS extension requires Windows Server 2008 R2 SP1 or later, with the Network The following libraries are installed automatically with the NPS extension: -- [Visual C++ Redistributable Packages for Visual Studio 2013 (X64)](https://www.microsoft.com/download/details.aspx?id=40784)-- [Azure AD PowerShell Module for Windows PowerShell version 1.1.166.0](https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185)+- [Visual C++ Redistributable Packages for Visual Studio 2013 (X64)](https://www.microsoft.com/download/details.aspx?id=40784) +- [Azure AD PowerShell module version 1.1.166.0](https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185) -If the Microsoft Azure Active Directory PowerShell Module is not already present, it is installed with a configuration script that you run as part of the setup process. There is no need to install the module ahead of time if it is not already installed. +If the Azure Active Directory PowerShell module is not already present, it is installed with a configuration script that you run as part of the setup process. There is no need to install the module ahead of time if it is not already installed. ### Azure Active Directory synced with on-premises Active Directory The NPS extension must be installed on a server that has the Network Policy and ### Configure certificates for use with the NPS extension by using a PowerShell script -To ensure secure communications and assurance, configure certificates for use by the NPS extension. The NPS components include a Windows PowerShell script that configures a self-signed certificate for use with NPS. +To ensure secure communications and assurance, configure certificates for use by the NPS extension. 
The NPS components include a PowerShell script that configures a self-signed certificate for use with NPS. The script performs the following actions: |
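Review bot: The library list and the following paragraph in this change still name the same module two ways ("Azure AD PowerShell module version 1.1.166.0" versus "Azure Active Directory PowerShell module"), and the list item links to `connect.microsoft.com` while the sibling howto-mfa-nps-extension change links the same 1.1.166.0 version on the PowerShell Gallery (`/packages/MSOnline/1.1.166.0`). Use one name in both places and point the link at the Gallery package so the two NPS articles agree on what is installed. The unchanged heading "### Azure Active Directory synced with on-premises Active Directory" will also need the Microsoft Entra rename if that is the intent of this change set.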
active-directory | Howto Mfa Nps Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md | You need to manually install the following library: The following libraries are installed automatically with the extension. - [Visual C++ Redistributable Packages for Visual Studio 2013 (X64)](https://www.microsoft.com/download/details.aspx?id=40784)-- [Azure AD PowerShell Module for Windows PowerShell version 1.1.166.0](https://www.powershellgallery.com/packages/MSOnline/1.1.166.0)+- [PowerShell module version 1.1.166.0](https://www.powershellgallery.com/packages/MSOnline/1.1.166.0) -The Azure AD PowerShell Module for Windows PowerShell is also installed through a configuration script you run as part of the setup process, if not already present. There's no need to install this module ahead of time if it's not already installed. +The PowerShell module is also installed through a configuration script you run as part of the setup process, if not already present. There's no need to install this module ahead of time if it's not already installed. ### Obtain the directory tenant ID If you need to create and configure a test account, use the following steps: 1. Sign in to [https://aka.ms/mfasetup](https://aka.ms/mfasetup) with a test account. 2. Follow the prompts to set up a verification method. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).-1. Browse to **Protection** > **multifactor authentication** and enable for the test account. +1. Browse to **Protection** > **Multifactor authentication** and enable for the test account. > [!IMPORTANT] > |
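Review bot: The rewritten list item "[PowerShell module version 1.1.166.0]" drops the module name entirely, and the following paragraph "The PowerShell module is also installed through a configuration script" no longer says which module is meant; the link target is the MSOnline package, so name it, for example "- [MSOnline PowerShell module version 1.1.166.0](https://www.powershellgallery.com/packages/MSOnline/1.1.166.0)" and "The MSOnline PowerShell module is also installed ...". The test-account steps in the same change mix "1.", "2." and "1." numbering and should use one style.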
active-directory | Howto Mfa Userdevicesettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md | To delete a user's app passwords, complete the following steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator). 1. Browse to **Identity** > **Users** > **All users**. -1. Select **multifactor authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location: +1. Select **Multifactor authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location: [![Select multifactor authentication from the Users window in Azure AD.](media/howto-mfa-userstates/selectmfa-cropped.png)](media/howto-mfa-userstates/selectmfa.png#lightbox) 1. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right. 1. Select **Manage user settings**, then check the box for **Delete all existing app passwords generated by the selected users**, as shown in the following example: |
active-directory | Howto Mfaserver Adfs Windows Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-adfs-windows-server.md | Before you begin, be aware of the following information: `C:\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1` -12. To use your newly registered adapter, edit the global authentication policy in AD FS. In the AD FS management console, go to the **Authentication Policies** node. In the **multifactor authentication** section, click the **Edit** link next to the **Global Settings** section. In the **Edit Global Authentication Policy** window, select **multifactor authentication** as an additional authentication method, and then click **OK**. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect. +12. To use your newly registered adapter, edit the global authentication policy in AD FS. In the AD FS management console, go to the **Authentication Policies** node. In the **Multifactor authentication** section, click the **Edit** link next to the **Global Settings** section. In the **Edit Global Authentication Policy** window, select **Multifactor authentication** as an additional authentication method, and then click **OK**. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect. ![Edit global authentication policy](./media/howto-mfaserver-adfs-2012/global.png) |
active-directory | Howto Mfaserver Deploy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy.md | Follow these steps to download the Microsoft Entra multifactor authentication Se > Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual. The following steps only work if you were an existing MFA Server customer. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).-1. Browse to **Protection** > **multifactor authentication** > **Server settings**. +1. Browse to **Protection** > **Multifactor authentication** > **Server settings**. 4. Select **Download** and follow the instructions on the download page to save the installer. ![Download MFA Server](./media/howto-mfaserver-deploy/downloadportal.png) |
active-directory | Howto Password Smart Lockout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-password-smart-lockout.md | When using [pass-through authentication](../hybrid/connect/how-to-connect-pta.md For example, if you want your Microsoft Entra smart lockout duration to be higher than AD DS, then Microsoft Entra ID would be 120 seconds (2 minutes) while your on-premises AD is set to 1 minute (60 seconds). If you want your Microsoft Entra lockout threshold to be 5, then you want your on-premises AD DS lockout threshold to be 10. This configuration would ensure smart lockout prevents your on-premises AD DS accounts from being locked out by brute force attacks on your Microsoft Entra accounts. > [!IMPORTANT]-> An administrator can unlock the users' cloud account if they have been locked out by the Smart Lockout capability, without the need of waiting for the lockout duration to expire. For more information, see [Reset a user's password using Azure Active Directory](../fundamentals/users-reset-password-azure-portal.md). +> An administrator can unlock the users' cloud account if they have been locked out by the Smart Lockout capability, without the need of waiting for the lockout duration to expire. For more information, see [Reset a user's password using Microsoft Entra ID](../fundamentals/users-reset-password-azure-portal.md). ## Verify on-premises account lockout policy |
active-directory | Tutorial Enable Sspr Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-enable-sspr-writeback.md | To enable SSPR writeback, first enable the writeback option in Microsoft Entra C 1. Sign in to your Microsoft Entra Connect server and start the **Microsoft Entra Connect** configuration wizard. 1. On the **Welcome** page, select **Configure**. 1. On the **Additional tasks** page, select **Customize synchronization options**, and then select **Next**.-1. On the **Connect to Microsoft Entra ID** page, enter a global administrator credential for your Azure tenant, and then select **Next**. +1. On the **Connect to Microsoft Entra ID** page, enter a Global Administrator credential for your Azure tenant, and then select **Next**. 1. On the **Connect directories** and **Domain/OU** filtering pages, select **Next**. 1. On the **Optional features** page, select the box next to **Password writeback** and select **Next**. With password writeback enabled in Microsoft Entra Connect, now configure Micros To enable password writeback in SSPR, complete the following steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Protection** > **Password reset**, then choose **On-premises integration**. 1. Check the option for **Write back passwords to your on-premises directory** . 1. (optional) If Microsoft Entra Connect provisioning agents are detected, you can additionally check the option for **Write back passwords with Microsoft Entra Connect cloud sync**. 
To enable password writeback in SSPR, complete the following steps: If you no longer want to use the SSPR writeback functionality you have configured as part of this tutorial, complete the following steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Protection** > **Password reset**, then choose **On-premises integration**. 1. Uncheck the option for **Write back passwords to your on-premises directory**. 1. Uncheck the option for **Write back passwords with Microsoft Entra Connect cloud sync**. If you no longer want to use the SSPR writeback functionality you have configure 1. When ready, select **Save**. If you no longer want to use the Microsoft Entra Connect cloud sync for SSPR writeback functionality but want to continue using Microsoft Entra Connect Sync agent for writebacks complete the following steps:-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Protection** > **Password reset**, then choose **On-premises integration**. 1. Uncheck the option for **Write back passwords with Microsoft Entra Connect cloud sync**. 1. When ready, select **Save**. |
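Review bot: the three sign-in steps changed here replace "as at least an Authentication Policy Administrator" with "as Global Administrator", which raises the documented minimum role to the most privileged one without saying why the lower role no longer suffices. Unless the least-privileged role was actually found insufficient for the Password reset > On-premises integration settings, keep the "at least an ..." phrasing and link to the least-privileged role that works; if Global Administrator really is required, the text should state that explicitly so readers do not treat it as a default.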
active-directory | Tutorial Risk Based Sspr Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/tutorial-risk-based-sspr-mfa.md | Microsoft Entra ID Protection includes a default policy that can help get users It's recommended to enable the MFA registration policy for users that are to be enabled for additional Microsoft Entra ID Protection policies. To enable this policy, complete the following steps: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).-1. Browse to **Protection** > **multifactor authentication** > **MFA registration policy**. +1. Browse to **Protection** > **Multifactor authentication** > **MFA registration policy**. 1. By default, the policy applies to *All users*. If desired, select **Assignments**, then choose the users or groups to apply the policy on. 1. Under *Controls*, select **Access**. Make sure the option for *Require Microsoft Entra multifactor authentication registration* is checked, then choose **Select**. 1. Set **Enforce Policy** to *On*, then select **Save**. |
active-directory | About Microsoft Identity Platform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/about-microsoft-identity-platform.md | -Many developers have previously worked with the Azure AD v1.0 platform to authenticate work and school accounts (provisioned by Azure AD) by requesting tokens from the Azure AD v1.0 endpoint, using Azure AD Authentication Library (ADAL), Azure portal for application registration and configuration, and the Microsoft Graph API for programmatic application configuration. +Many developers have previously worked with the Azure AD v1.0 platform to authenticate Microsoft work and school accounts by requesting tokens from the Azure AD v1.0 endpoint, using Azure AD Authentication Library (ADAL), Azure portal for application registration and configuration, and the Microsoft Graph API for programmatic application configuration. With the unified Microsoft identity platform (v2.0), you can write code once and authenticate any Microsoft identity into your application. For several platforms, the fully supported open-source Microsoft Authentication Library (MSAL) is recommended for use against the identity platform endpoints. MSAL is simple to use, provides great single sign-on (SSO) experiences for your users, helps you achieve high reliability and performance, and is developed using Microsoft Secure Development Lifecycle (SDL). When calling APIs, you can configure your application to take advantage of incremental consent, which allows you to delay the request for consent for more invasive scopes until the application's usage warrants this at runtime. MSAL also supports Azure Active Directory B2C, so your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs. |
active-directory | Active Directory Authentication Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/active-directory-authentication-libraries.md | Title: Azure Active Directory Authentication Libraries + Title: Azure Active Directory Authentication Library description: The Azure AD Authentication Library (ADAL) allows client application developers to easily authenticate users to cloud or on-premises Active Directory (AD) and then obtain access tokens for securing API calls. -# Azure Active Directory Authentication Libraries +# Azure Active Directory Authentication Library [!INCLUDE [active-directory-azuread-dev](../../../includes/active-directory-azuread-dev.md)] The Azure Active Directory Authentication Library (ADAL) v1.0 enables applicatio - Support for asynchronous method calls > [!NOTE]-> Looking for the Azure AD v2.0 libraries (MSAL)? Checkout the [MSAL library guide](../develop/reference-v2-libraries.md). +> Looking for the Azure AD v2.0 libraries? Checkout the [MSAL library guide](../develop/reference-v2-libraries.md). > [!WARNING] |
active-directory | Active Directory Devhowto Adal Error Handling | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/active-directory-devhowto-adal-error-handling.md | In this article, we explore the specific cases for each platform supported by AD - **AcquireToken**: Client can attempt silent acquisition, but can also perform interactive requests that require sign-in. > [!TIP]-> It's a good idea to log all errors and exceptions when using ADAL and Azure AD. Logs are not only helpful for understanding the overall health of your application, but are also important when debugging broader problems. While your application may recover from certain errors, they may hint at broader design problems that require code changes in order to resolve. +> It's a good idea to log all errors and exceptions when using ADAL. Logs are not only helpful for understanding the overall health of your application, but are also important when debugging broader problems. While your application may recover from certain errors, they may hint at broader design problems that require code changes in order to resolve. > > When implementing the error conditions covered in this document, you should log the error code and description for the reasons discussed earlier. See the [Error and logging reference](#error-and-logging-reference) for examples of logging code. > window.Logging = { ## Related content -* [Azure AD Authentication Libraries][AAD-Auth-Libraries] -* [Azure AD Authentication Scenarios][AAD-Auth-Scenarios] -* [Integrating Applications with Azure AD Authentication][AAD-Integrating-Apps] +* [Azure AD Authentication Library][Auth-Libraries] +* [Authentication scenarios][Auth-Scenarios] +* [Register an application with the Microsoft identity platform][Integrating-Apps] Use the comments section that follows, to provide feedback and help us refine and shape our content. 
-[![Shows the "Sign in with Microsoft" button][AAD-Sign-In]][AAD-Sign-In] +[![Shows the "Sign in with Microsoft" button][Sign-In]][Sign-In] + <!--Reference style links --> -[AAD-Auth-Libraries]: ./active-directory-authentication-libraries.md -[AAD-Auth-Scenarios]:v1-authentication-scenarios.md -[AAD-Integrating-Apps]:../develop/quickstart-register-app.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json +[Auth-Libraries]: ./active-directory-authentication-libraries.md +[Auth-Scenarios]:v1-authentication-scenarios.md +[Integrating-Apps]:../develop/quickstart-register-app.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json <!--Image references-->-[AAD-Sign-In]:./media/active-directory-devhowto-multi-tenant-overview/sign-in-with-microsoft-light.png +[Sign-In]:./media/active-directory-devhowto-multi-tenant-overview/sign-in-with-microsoft-light.png |
active-directory | Concept Conditional Access Conditions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-conditions.md | This setting has an effect on access attempts made from the following mobile app - When administrators create a policy assigned to Exchange ActiveSync clients, **Exchange Online** should be the only cloud application assigned to the policy. - Administrators can narrow the scope of this policy to specific platforms using the **Device platforms** condition. -If the access control assigned to the policy uses **Require approved client app**, the user is directed to install and use the Outlook mobile client. In the case that **Multifactor Authentication**, **Terms of use**, or **custom controls** are required, affected users are blocked, because basic authentication doesnΓÇÖt support these controls. +If the access control assigned to the policy uses **Require approved client app**, the user is directed to install and use the Outlook mobile client. In the case that **Multifactor authentication**, **Terms of use**, or **custom controls** are required, affected users are blocked, because basic authentication doesnΓÇÖt support these controls. For more information, see the following articles: |
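Review bot: the replacement line keeps the mis-encoded apostrophe in "basic authentication doesnΓÇÖt support these controls" while only fixing the capitalization of "Multifactor authentication"; since the line is being rewritten anyway, change "doesnΓÇÖt" to "doesn't" so the mojibake is not carried forward.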
active-directory | Policy Migration Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/policy-migration-mfa.md | -This article shows an example of how to migrate a classic policy that requires **multifactor authentication** for a cloud app. +This article shows an example of how to migrate a classic policy that requires **Multifactor authentication** for a cloud app. ![Classic policy details requiring MFA for Salesforce app](./media/policy-migration/33.png) |
active-directory | Troubleshoot Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access.md | -The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access using error messages and Microsoft Entra sign-ins log. +The information in this article can be used to troubleshoot unexpected sign-in outcomes related to Conditional Access using error messages and Microsoft Entra sign-in logs. ## Select "all" consequences To find out which Conditional Access policy or policies applied and why do the f 1. **Username** to see information related to specific users. 1. **Date** scoped to the time frame in question. - ![Screenshot showing selecting the Conditional Access filter in the sign-ins log.](./media/troubleshoot-conditional-access/image3.png) + ![Screenshot showing selecting the Conditional Access filter in the sign-in log.](./media/troubleshoot-conditional-access/image3.png) 1. Once the sign-in event that corresponds to the user's sign-in failure has been found select the **Conditional Access** tab. The Conditional Access tab shows the specific policy or policies that resulted in the sign-in interruption. 1. Information in the **Troubleshooting and support** tab may provide a clear reason as to why a sign-in failed such as a device that didn't meet compliance requirements. More information about error codes can be found in the article [Microsoft Entra In some specific scenarios, users are blocked because there are cloud apps with dependencies on resources blocked by Conditional Access policy. -To determine the service dependency, check the sign-ins log for the application and resource called by the sign-in. In the following screenshot, the application called is **Azure Portal** but the resource called is **Windows Azure Service Management API**. 
To target this scenario appropriately all the applications and resources should be similarly combined in Conditional Access policy. +To determine the service dependency, check the sign-in log for the application and resource called by the sign-in. In the following screenshot, the application called is **Azure Portal** but the resource called is **Windows Azure Service Management API**. To target this scenario appropriately all the applications and resources should be similarly combined in Conditional Access policy. :::image type="content" source="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png" alt-text="Screenshot that shows an example sign-in log showing an Application calling a Resource. This scenario is also known as a service dependency." lightbox="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png"::: |
active-directory | App Only Access Primer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/app-only-access-primer.md | Always follow the principle of least privilege: you should never request app rol ## Designing and publishing app roles for a resource service -If you're building a service on Microsoft Entra ID that exposes APIs for other clients to call, you may wish to support automated access with app roles (app-only permissions). You can define the app roles for your application in the **App roles** section of your app registration in Microsoft Entra portal. For more information on how to create app roles, see [Declare roles for an application](./howto-add-app-roles-in-apps.md#declare-roles-for-an-application). +If you're building a service on Microsoft Entra ID that exposes APIs for other clients to call, you may wish to support automated access with app roles (app-only permissions). You can define the app roles for your application in the **App roles** section of your app registration in Microsoft Entra admin center. For more information on how to create app roles, see [Declare roles for an application](./howto-add-app-roles-in-apps.md#declare-roles-for-an-application). When exposing app roles for others to use, provide clear descriptions of the scenario to the admin who is going to assign them. App roles should generally be as narrow as possible and support specific functional scenarios, since app-only access isn't constrained by user rights. Avoid exposing a single role that grants full `read` or full `read/write` access to all APIs and resources your service contains. |
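Review bot: the new sentence "in the **App roles** section of your app registration in Microsoft Entra admin center" drops the article that the rest of the docs use for this product name; make it "in the Microsoft Entra admin center".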
active-directory | Configurable Token Lifetimes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/configurable-token-lifetimes.md | ID tokens are passed to websites and native clients. ID tokens contain profile i You cannot set token lifetime policies for refresh tokens and session tokens. For lifetime, timeout, and revocation information on refresh tokens, see [Refresh tokens](refresh-tokens.md). > [!IMPORTANT]-> As of January 30, 2021 you cannot configure refresh and session token lifetimes. Microsoft Entra ID no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the [default configuration](#configurable-token-lifetime-properties). You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement. +> As of January 30, 2021 you cannot configure refresh and session token lifetimes. Microsoft Entra no longer honors refresh and session token configuration in existing policies. New tokens issued after existing tokens have expired are now set to the [default configuration](#configurable-token-lifetime-properties). You can still configure access, SAML, and ID token lifetimes after the refresh and session token configuration retirement. > > Existing token's lifetime will not be changed. After they expire, a new token will be issued based on the default value. > |
active-directory | Desktop Quickstart Portal Nodejs Desktop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/desktop-quickstart-portal-nodejs-desktop.md | -> For the code sample for this quickstart to work, you need to add a reply URL as **msal://redirect**. +> For the code sample for this quickstart to work, you need to add a reply URL as `msal://redirect`. > > <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button> > |
active-directory | Developer Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-glossary.md | For more information, see [Application and Service Principal Objects][AAD-App-SP In order to allow an application to integrate with and delegate Identity and Access Management functions to Microsoft Entra ID, it must be registered with a Microsoft Entra [tenant](#tenant). When you register your application with Microsoft Entra ID, you're providing an identity configuration for your application, allowing it to integrate with Microsoft Entra ID and use features like: -- Robust management of single sign-on using Microsoft Entra Identity Management and [OpenID Connect][OpenIDConnect] protocol implementation+- Robust management of single sign-on using Microsoft Entra identity management and [OpenID Connect][OpenIDConnect] protocol implementation - Brokered access to [protected resources](#resource-server) by [client applications](#client-application), via OAuth 2.0 [authorization server](#authorization-server) - [Consent framework](#consent) for managing client access to protected resources, based on resource owner authorization. |
active-directory | Developer Support Help Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-support-help-options.md | If you can't find an answer to your problem by searching Microsoft Q&A, submit a If you need help with one of the Microsoft Authentication Libraries (MSAL), open an issue in its repository on GitHub. +<!-- docutune:disable --> + | MSAL | GitHub issues URL | | - | | | MSAL for Android | https://github.com/AzureAD/microsoft-authentication-library-for-android/issues | If you need help with one of the Microsoft Authentication Libraries (MSAL), open | MSAL Python | https://github.com/AzureAD/microsoft-authentication-library-for-python/issues | | MSAL React | https://github.com/AzureAD/microsoft-authentication-library-for-js/issues | +<!-- docutune:enable --> + ## Stay informed of updates and new releases <div class='icon is-large'> |
active-directory | Federation Metadata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/federation-metadata.md | + + Title: Azure AD federation metadata +description: This article describes the federation metadata document that Microsoft Entra ID publishes for services that accept Microsoft Entra ID tokens. +++++++ Last updated : 09/07/2023++++++# Federation metadata ++Microsoft Entra ID publishes a federation metadata document for services that is configured to accept the security tokens that Microsoft Entra ID issues. The federation metadata document format is described in the [Web Services Federation Language (WS-Federation) Version 1.2](https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html), which extends [Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf). ++## Tenant-specific and tenant-independent metadata endpoints ++Microsoft Entra ID publishes tenant-specific and tenant-independent endpoints. ++Tenant-specific endpoints are designed for a particular tenant. The tenant-specific federation metadata includes information about the tenant, including tenant-specific issuer and endpoint information. Applications that restrict access to a single tenant use tenant-specific endpoints. ++Tenant-independent endpoints provide information that is common to all Microsoft Entra tenants. This information applies to tenants hosted at *login.microsoftonline.com* and is shared across tenants. Tenant-independent endpoints are recommended for multi-tenant applications, since they are not associated with any particular tenant. ++## Federation metadata endpoints ++Microsoft Entra ID publishes federation metadata at `https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml`. 
++For **tenant-specific endpoints**, the `TenantDomainName` can be one of the following types: ++* A registered domain name of an Azure AD tenant, such as: `contoso.onmicrosoft.com`. +* The immutable tenant ID of the domain, such as `72f988bf-86f1-41af-91ab-2d7cd011db45`. ++For **tenant-independent endpoints**, the `TenantDomainName` is `common`. This document lists only the Federation Metadata elements that are common to all Azure AD tenants that are hosted at login.microsoftonline.com. ++For example, a tenant-specific endpoint might be `https://login.microsoftonline.com/contoso.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml`. The tenant-independent endpoint is [https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml](https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml). You can view the federation metadata document by typing this URL in a browser. ++## Contents of federation metadata ++The following section provides information needed by services that consume the tokens issued by Azure AD. ++### Entity ID ++The `EntityDescriptor` element contains an `EntityID` attribute. The value of the `EntityID` attribute represents the issuer, that is, the security token service (STS) that issued the token. It is important to validate the issuer when you receive a token. ++The following metadata shows a sample tenant-specific `EntityDescriptor` element with an `EntityID` element. ++```xml +<EntityDescriptor +xmlns="urn:oasis:names:tc:SAML:2.0:metadata" +ID="_b827a749-cfcb-46b3-ab8b-9f6d14a1294b" +entityID="https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db45/"> +``` ++You can replace the tenant ID in the tenant-independent endpoint with your tenant ID to create a tenant-specific `EntityID` value. The resulting value will be the same as the token issuer. The strategy allows a multi-tenant application to validate the issuer for a given tenant. 
++The following metadata shows a sample tenant-independent `EntityID` element. Please note, that the `{tenant}` is a literal, not a placeholder. ++```xml +<EntityDescriptor +xmlns="urn:oasis:names:tc:SAML:2.0:metadata" +ID="="_0e5bd9d0-49ef-4258-bc15-21ce143b61bd" +entityID="https://sts.windows.net/{tenant}/"> +``` ++### Token signing certificates ++When a service receives a token that is issued by an Azure AD tenant, the signature of the token must be validated with a signing key that is published in the federation metadata document. The federation metadata includes the public portion of the certificates that the tenants use for token signing. The certificate raw bytes appear in the `KeyDescriptor` element. The token signing certificate is valid for signing only when the value of the `use` attribute is `signing`. ++A federation metadata document published by Azure AD can have multiple signing keys, such as when Azure AD is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that is validating the tokens should support all certificates in the document. ++The following metadata shows a sample `KeyDescriptor` element with a signing key. ++```xml +<KeyDescriptor use="signing"> +<KeyInfo xmlns="https://www.w3.org/2000/09/xmldsig#"> +<X509Data> +<X509Certificate> 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 +</X509Certificate> +</X509Data> +</KeyInfo> +</KeyDescriptor> + ``` ++The `KeyDescriptor` element appears in two places in the federation metadata document; in the WS-Federation-specific section and the SAML-specific section. The certificates published in both sections will be the same. ++In the WS-Federation-specific section, a WS-Federation metadata reader would read the certificates from a `RoleDescriptor` element with the `SecurityTokenServiceType` type. ++The following metadata shows a sample `RoleDescriptor` element. 
++```xml +<RoleDescriptor xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xmlns:fed="https://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="https://docs.oasis-open.org/wsfed/federation/200706"> +``` ++In the SAML-specific section, a WS-Federation metadata reader would read the certificates from a `IDPSSODescriptor` element. ++The following metadata shows a sample `IDPSSODescriptor` element. ++```xml +<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +``` +There are no differences in the format of tenant-specific and tenant-independent certificates. ++### WS-Federation endpoint URL ++The federation metadata includes the URL that is Azure AD uses for single sign-in and single sign-out in WS-Federation protocol. This endpoint appears in the `PassiveRequestorEndpoint` element. ++The following metadata shows a sample `PassiveRequestorEndpoint` element for a tenant-specific endpoint. ++```xml +<fed:PassiveRequestorEndpoint> +<EndpointReference xmlns="https://www.w3.org/2005/08/addressing"> +<Address> +https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db45/wsfed +</Address> +</EndpointReference> +</fed:PassiveRequestorEndpoint> +``` ++For the tenant-independent endpoint, the WS-Federation URL appears in the WS-Federation endpoint, as shown in the following sample. ++```xml +<fed:PassiveRequestorEndpoint> +<EndpointReference xmlns="https://www.w3.org/2005/08/addressing"> +<Address> +https://login.microsoftonline.com/common/wsfed +</Address> +</EndpointReference> +</fed:PassiveRequestorEndpoint> +``` ++### SAML protocol endpoint URL ++The federation metadata includes the URL that Azure AD uses for single sign-in and single sign-out in SAML 2.0 protocol. These endpoints appear in the `IDPSSODescriptor` element. ++The sign-in and sign-out URLs appear in the `SingleSignOnService` and `SingleLogoutService` elements. 
++The following metadata shows a sample `PassiveResistorEndpoint` for a tenant-specific endpoint. ++```xml +<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +… + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/contoso.onmicrosoft.com/saml2" /> + <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/contoso.onmicrosoft.com /saml2" /> + </IDPSSODescriptor> +``` ++Similarly the endpoints for the common SAML 2.0 protocol endpoints are published in the tenant-independent federation metadata, as shown in the following sample. ++```xml +<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> +… + <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/common/saml2" /> + <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/common/saml2" /> + </IDPSSODescriptor> +``` |
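Review bot: the XML namespace URIs in the new samples use an https scheme, but the real namespaces are identifiers compared byte for byte, not addresses: the `KeyInfo` sample should declare `xmlns="http://www.w3.org/2000/09/xmldsig#"`, the `RoleDescriptor` sample should use `http://www.w3.org/2001/XMLSchema-instance` and `http://docs.oasis-open.org/wsfed/federation/200706`, and both `EndpointReference` samples should use `http://www.w3.org/2005/08/addressing`. A reader who copies these samples into a consumer that locates the signing certificate or the WS-Federation endpoint by namespace will fail to match the metadata that login.microsoftonline.com actually publishes, which matters because the article's own text says the signature must be validated with a key taken from this document.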
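Review bot: several of the new samples and sentences have defects that will confuse readers copying them. The tenant-independent `EntityDescriptor` sample has `ID="="_0e5bd9d0-49ef-4258-bc15-21ce143b61bd"`, which is not well-formed XML; drop the extra `="`. The lead-in to the SAML sample says "a sample `PassiveResistorEndpoint`" although the sample is an `IDPSSODescriptor` (and the WS-Federation element is spelled `PassiveRequestorEndpoint`). The tenant-specific `SingleSignOnService` location contains a stray space in `contoso.onmicrosoft.com /saml2`. In prose, "publishes a federation metadata document for services that is configured" should read "that are configured", "the URL that is Azure AD uses" should read "the URL that Azure AD uses", and the article mixes "Azure AD" (title, body) with "Microsoft Entra ID" (description, first section), so pick one name and use it throughout.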
active-directory | How To Integrate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-to-integrate.md | Integration with the Microsoft identity platform comes with benefits that do not **Multi-factor authentication.** The Microsoft identity platform provides native multi-factor authentication. IT administrators can require multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn more about [Multi-Factor Authentication](/azure/multi-factor-authentication/). -**Anomalous sign in detection.** The Microsoft identity platform processes more than a billion sign-ins a day, while using machine learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting the Microsoft identity platform sign-in, your application gets the benefit of this protection. Learn more about [viewing Microsoft Entra access report](../reports-monitoring/overview-reports.md). +**Anomalous sign in detection.** The Microsoft identity platform processes more than a billion sign-ins a day, while using machine learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting the Microsoft identity platform sign-in, your application gets the benefit of this protection. Learn more about [viewing Microsoft Entra reports](../reports-monitoring/overview-monitoring-health.md). **Conditional Access.** In addition to multi-factor authentication, administrators can require specific conditions be met before users can sign-in to your application. Conditions that can be set include the IP address range of client devices, membership in specified groups, and the state of the device being used for access. Learn more about [Microsoft Entra Conditional Access](../conditional-access/overview.md). |
active-directory | Howto Create Self Signed Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-self-signed-certificate.md | -For testing, you can use a self-signed public certificate instead of a Certificate Authority (CA)-signed certificate. In this how-to, you'll use Windows PowerShell to create and export a self-signed certificate. +For testing, you can use a self-signed public certificate instead of a Certificate Authority (CA)-signed certificate. In this how-to, you'll use PowerShell to create and export a self-signed certificate. > [!CAUTION] > Self-signed certificates are not trusted by default and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority. To customize the start and expiry date and other properties of the certificate, ## Create and export your public certificate -Use the certificate you create using this method to authenticate from an application running from your machine. For example, authenticate from Windows PowerShell. +Use the certificate you create using this method to authenticate from an application running from your machine. For example, authenticate from PowerShell. In a PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate. |
active-directory | Msal Compare Msal Js And Adal Js | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md | -[Microsoft Authentication Library for JavaScript](https://github.com/AzureAD/microsoft-authentication-library-for-js) (MSAL.js, also known as *msal-browser*) 2.x is the authentication library we recommend using with JavaScript applications on the Microsoft identity platform. This article highlights the changes you need to make to migrate an app that uses the ADAL.js to use MSAL.js 2.x +[Microsoft Authentication Library for JavaScript](https://github.com/AzureAD/microsoft-authentication-library-for-js) (MSAL.js, also known as `msal-browser`) 2.x is the authentication library we recommend using with JavaScript applications on the Microsoft identity platform. This article highlights the changes you need to make to migrate an app that uses the ADAL.js to use MSAL.js 2.x > [!NOTE] > We strongly recommend MSAL.js 2.x over MSAL.js 1.x. The auth code grant flow is more secure and allows single-page applications to maintain a good user experience despite the privacy measures browsers like Safari have implemented to block 3rd party cookies, among other benefits. |
active-directory | Msal Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-migration.md | If any of your applications use the Azure Active Directory Authentication Librar If you've developed apps against Azure Active Directory (v1.0) endpoint in the past, you're likely using ADAL. Since Microsoft identity platform (v2.0) endpoint has changed significantly, the new library (MSAL) was entirely built for the new endpoint. -The following diagram shows the v2.0 vs v1.0 endpoint experience at a high level, including the app registration experience, SDKs, endpoints, and supported identities. --![Diagram that shows the v1.0 versus the v2.0 architecture.](../azuread-dev/media/about-microsoft-identity-platform/about-microsoft-identity-platform.svg) --MSAL leverages all the [benefits of Microsoft identity platform (v2.0) endpoint](../azuread-dev/azure-ad-endpoint-comparison.md). - MSAL is designed to enable a secure solution without developers having to worry about the implementation details. It simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. We recommend you use MSAL to [increase the resilience of authentication and authorization in client applications that you develop](../architecture/resilience-client-app.md?tabs=csharp#use-the-microsoft-authentication-library-msal). MSAL provides multiple benefits over ADAL, including the following features: |
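Review bot: Dropping "MSAL leverages all the benefits of Microsoft identity platform (v2.0) endpoint" also drops the only link (azure-ad-endpoint-comparison.md) that backed the preceding claim that the v2.0 endpoint "has changed significantly", and the diagram removal leaves that paragraph with no illustration of the v1.0/v2.0 difference at all. If the azuread-dev page is being retired, point the remaining sentence at its replacement rather than leaving the claim unreferenced.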
active-directory | Quickstart Single Page App React Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-react-sign-in.md | Run the project with a web server by using Node.js: - [Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform](./quickstart-web-api-aspnet-core-protect-api.md) -- Learn more by building this React SPA from scratch with the following series - [Tutorial: Sign in users and call Microsoft Graph](./single-page-app-tutorial-01-register-app.md)+- Learn more by building this React SPA from scratch with the following series - [Tutorial: Sign in users and call Microsoft Graph](./tutorial-single-page-app-react-register-app.md) |
active-directory | Quickstart V2 Javascript Auth Code React | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-javascript-auth-code-react.md | -> > [Tutorial: Sign in users and call Microsoft Graph](./single-page-app-tutorial-01-register-app.md) +> > [Tutorial: Sign in users and call Microsoft Graph](./tutorial-single-page-app-react-register-app.md) |
active-directory | Saml Protocol Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/saml-protocol-reference.md | Microsoft Entra ID exposes tenant-specific and common (tenant-independent) SSO a ## Next steps -For information about the federation metadata documents that Microsoft Entra ID publishes, see [Federation Metadata](../azuread-dev/azure-ad-federation-metadata.md). +For information about the federation metadata documents that Microsoft Entra ID publishes, see [Federation Metadata](federation-metadata.md). |
active-directory | Scenario Daemon App Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-daemon-app-configuration.md | import com.microsoft.aad.msal4j.SilentParameters; # [Node.js](#tab/nodejs) -Install the packages by running `npm install` in the folder where *package.json* file resides. Then, import **msal-node** package: +Install the packages by running `npm install` in the folder where `package.json` file resides. Then, import the `msal-node` package: ```JavaScript const msal = require('@azure/msal-node'); |
active-directory | Signing Key Rollover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/signing-key-rollover.md | -The Microsoft identity platform uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms, this works in the following way: The Microsoft identity platform uses a signing key that consists of a public and private key pair. When a user signs in to an application that uses the Microsoft identity platform for authentication, the Microsoft identity platform creates a security token that contains information about the user. This token is signed by the Microsoft identity platform using its private key before it's sent back to the application. To verify that the token is valid and originated from Microsoft identity platform, the application must validate the tokenΓÇÖs signature using the public keys exposed by the Microsoft identity platform that is contained in the tenantΓÇÖs [OpenID Connect discovery document](https://openid.net/specs/openid-connect-discovery-1_0.html) or SAML/WS-Fed [federation metadata document](../azuread-dev/azure-ad-federation-metadata.md). +The Microsoft identity platform uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms, this works in the following way: The Microsoft identity platform uses a signing key that consists of a public and private key pair. When a user signs in to an application that uses the Microsoft identity platform for authentication, the Microsoft identity platform creates a security token that contains information about the user. This token is signed by the Microsoft identity platform using its private key before it's sent back to the application. 
To verify that the token is valid and originated from Microsoft identity platform, the application must validate the tokenΓÇÖs signature using the public keys exposed by the Microsoft identity platform that is contained in the tenantΓÇÖs [OpenID Connect discovery document](https://openid.net/specs/openid-connect-discovery-1_0.html) or SAML/WS-Fed [federation metadata document](federation-metadata.md). For security purposes, the Microsoft identity platformΓÇÖs signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. There's no set or guaranteed time between these key rolls - any application that integrates with the Microsoft identity platform should be prepared to handle a key rollover event no matter how frequently it may occur. If your application doesn't handle sudden refreshes, and attempts to use an expired key to verify the signature on a token, your application will incorrectly reject the token. Checking every 24 hours for updates is a best practice, with throttled (once every five minutes at most) immediate refreshes of the key document if a token is encountered that doesn't validate with the keys in your application's cache. app.UseJwtBearerAuthentication( }); ``` -### <a name="passport"></a>Web applications / APIs protecting resources using Node.js passport-azure-ad module +### <a name="passport"></a>Web applications / APIs protecting resources using Node.js `passport-azure-ad` module + If your application is using the Node.js passport-ad module, it already has the necessary logic to handle key rollover automatically. You can confirm that your application passport-ad by searching for the following snippet in your application's app.js If the key is being stored somewhere or hardcoded in your application, you can m You can validate whether your application supports automatic key rollover by using the following PowerShell scripts. 
-To check and update signing keys with PowerShell, you'll need the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module. +To check and update signing keys with PowerShell, you'll need the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell module. -1. Install the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module: +1. Install the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell module: ```powershell Install-Module -Name MSIdentityTools To check and update signing keys with PowerShell, you'll need the [MSIdentityToo ## How to perform a manual rollover if your application does not support automatic rollover If your application doesn't support automatic rollover, you need to establish a process that periodically monitors Microsoft identity platform's signing keys and performs a manual rollover accordingly. -To check and update signing keys with PowerShell, you'll need the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module. +To check and update signing keys with PowerShell, you'll need the [`MSIdentityTools`](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell module. -1. Install the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module: +1. Install the [`MSIdentityTools`](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell module: ```powershell Install-Module -Name MSIdentityTools |
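Review bot: Formatting is inconsistent between the two otherwise identical edits in this file: the first pair of changed lines writes [MSIdentityTools](...) PowerShell module while the second pair writes [`MSIdentityTools`](...); pick one form (the code-formatted one matches how the name appears in `Install-Module -Name MSIdentityTools`) and apply it to both sections. Separately, the heading was changed to `passport-azure-ad` but the unchanged context directly under it still says "Node.js passport-ad module" and "confirm that your application passport-ad by searching" (missing "is using"), so the renamed heading now disagrees with the body it introduces; fix both lines in the same change.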
active-directory | Single Page App Tutorial 04 Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-page-app-tutorial-04-call-api.md | - Title: "Tutorial: Call an API from a React single-page app" -description: Call an API from a React single-page app. ------- Previously updated : 11/28/2022-#Customer intent: As a React developer, I want to know how to create a user interface and access the Microsoft Graph API ---# Tutorial: Call an API from a React single-page app --Before being able to interact with the single-page app (SPA), we need to initiate an API call to Microsoft Graph and create the user interface (UI) for the application. After this is added, we can sign in to the application and get profile data information from the Microsoft Graph API. --In this tutorial, you learn how to: --> [!div class="checklist"] -> * Create the API call to Microsoft Graph -> * Create a UI for the application -> * Import and use components in the application -> * Create a component that renders the user's profile information -> * Call the API from the application --## Prerequisites --* Completion of the prerequisites and steps in [Tutorial: Create components for sign in and sign out in a React single-page app](single-page-app-tutorial-03-sign-in-users.md). --## Creating a helper the Microsoft Graph client --To allow the SPA to request access to Microsoft Graph, a reference to the `graphConfig` object needs to be added. This contains the Graph REST API endpoint defined in *authConfig.js* file. --### [Visual Studio](#tab/visual-studio) --1. Right click on the *src* folder, select **Add** > **New Item**. Create a new file called *graph.js* and select **Add**. -1. Replace the contents of the file with the following code snippet to request access to Microsoft Graph; -- :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/graph.js" ::: --### [Visual Studio Code](#tab/visual-studio-code) --1. 
In the *src* folder, create a new file called *graph.js*. -1. Add the following code snippet to request access to Microsoft Graph; -- :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/graph.js" ::: ----## Change filename and add required imports --By default, the application runs via a JavaScript file called *App.js*. It needs to be changed to *App.jsx* file, which is an extension that allows a developer to write HTML in React. --1. Rename *App.js* to *App.jsx*. -1. Replace the existing imports with the following snippet; -- ```javascript - import React, { useState } from 'react'; -- import { PageLayout } from './components/PageLayout'; - import { loginRequest } from './authConfig'; - import { callMsGraph } from './graph'; - import { ProfileData } from './components/ProfileData'; -- import { AuthenticatedTemplate, UnauthenticatedTemplate, useMsal } from '@azure/msal-react'; -- import './App.css'; -- import Button from 'react-bootstrap/Button'; - ``` --### Adding the `ProfileContent` function --The `ProfileContent` function is used to render the user's profile information. In the *App.jsx* file, add the following code below your imports: --```javascript --/** -* Renders information about the signed-in user or a button to retrieve data about the user -*/ -const ProfileContent = () => { - const { instance, accounts } = useMsal(); - const [graphData, setGraphData] = useState(null); - - function RequestProfileData() { - // Silently acquires an access token which is then attached to a request for MS Graph data - instance - .acquireTokenSilent({ - ...loginRequest, - account: accounts[0], - }) - .then((response) => { - callMsGraph(response.accessToken).then((response) => setGraphData(response)); - }); - } - - return ( - <> - <h5 className="card-title">Welcome {accounts[0].name}</h5> - <br/> - {graphData ? 
( - <ProfileData graphData={graphData} /> - ) : ( - <Button variant="secondary" onClick={RequestProfileData}> - Request Profile Information - </Button> - )} - </> - ); -}; -``` --### Replacing the default function to render authenticated information --The following code will render based on whether the user is authenticated or not. Replace the default function `App()` to render authenticated information with the following code: --```javascript -/** -* If a user is authenticated the ProfileContent component above is rendered. Otherwise a message indicating a user is not authenticated is rendered. -*/ -const MainContent = () => { - return ( - <div className="App"> - <AuthenticatedTemplate> - <ProfileContent /> - </AuthenticatedTemplate> - - <UnauthenticatedTemplate> - <h5> - <center> - Please sign-in to see your profile information. - </center> - </h5> - </UnauthenticatedTemplate> - </div> - ); -}; - -export default function App() { - return ( - <PageLayout> - <center> - <MainContent /> - </center> - </PageLayout> - ); -} -``` --## Calling the API from the application --All the required code snippets have been added, so the application can now be called and tested in a web browser. --1. Navigate to the browser previously opened in [Tutorial: Prepare an application for authentication](./single-page-app-tutorial-02-prepare-spa.md). If your browser is closed, open a new window with the address `http://localhost:3000/`. --1. Select the **Sign In** button. For the purposes of this tutorial, choose the **Sign in using Popup** option. -- :::image type="content" source="./media/single-page-app-tutorial-04-call-api/sign-in-window.png" alt-text="Screenshot of React App sign-in window."::: --1. After the popup window appears with the sign-in options, select the account with which to sign-in. -- :::image type="content" source="./media/single-page-app-tutorial-04-call-api/pick-account.png" alt-text="Screenshot requesting user to choose Microsoft account to sign into."::: --1. 
A second window may appear indicating that a code will be sent to your email address. If this happens, select **Send code**. Open the email from the sender **Microsoft account team**, and enter the 7-digit single-use code. Once entered, select **Sign in**. -- :::image type="content" source="./media/single-page-app-tutorial-04-call-api/enter-code.png" alt-text="Screenshot prompting user to enter verification code to sign-in."::: --1. For **Stay signed in**, you can select either **No** or **Yes**. -- :::image type="content" source="./media/single-page-app-tutorial-04-call-api/stay-signed-in.png" alt-text="Screenshot prompting user to decide whether to stay signed in or not."::: --1. The app will now ask for permission to sign-in and access data. Select **Accept** to continue. -- :::image type="content" source="./media/single-page-app-tutorial-04-call-api/permissions-requested.png" alt-text="Screenshot prompting user to allow the application to access permissions."::: --1. The SPA will now display a button saying **Request Profile Information**. Select it to display the Microsoft Graph profile data acquired from the Microsoft Graph API. -- :::image type="content" source="./media/single-page-app-tutorial-04-call-api/display-api-call-results.png" alt-text="Screenshot of React App depicting the results of the API call."::: --## Next steps --Learn how to use the Microsoft identity platform by trying out the following tutorial series on how to build a web API. --> [!div class="nextstepaction"] -> [Tutorial: Register a web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md) |
active-directory | Spa Quickstart Portal Javascript Auth Code React | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/spa-quickstart-portal-javascript-auth-code-react.md | -> > [Tutorial: Sign in users and call Microsoft Graph from a React single-page app](./single-page-app-tutorial-01-register-app.md) +> > [Tutorial: Sign in users and call Microsoft Graph from a React single-page app](./tutorial-single-page-app-react-register-app.md) |
active-directory | Tutorial Single Page App React Call Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-single-page-app-react-call-api.md | + + Title: "Tutorial: Call an API from a React single-page app" +description: Call an API from a React single-page app. +++++++ Last updated : 09/25/2023+#Customer intent: As a React developer, I want to know how to create a user interface and access the Microsoft Graph API +++# Tutorial: Call an API from a React single-page app ++Before being able to interact with the single-page app (SPA), we need to initiate an API call to Microsoft Graph and create the user interface (UI) for the application. After this is added, we can sign in to the application and get profile data information from the Microsoft Graph API. ++In this tutorial: ++> [!div class="checklist"] +> * Create the API call to Microsoft Graph +> * Create a UI for the application +> * Import and use components in the application +> * Create a component that renders the user's profile information +> * Call the API from the application ++## Prerequisites ++* Completion of the prerequisites and steps in [Tutorial: Create components for sign in and sign out in a React single-page app](tutorial-single-page-app-react-sign-in-users.md). ++## Create the API call to Microsoft Graph ++To allow the SPA to request access to Microsoft Graph, a reference to the `graphConfig` object needs to be added. This contains the Graph REST API endpoint defined in *authConfig.js* file. ++- In the *src* folder, open *graph.js* and replace the contents of the file with the following code snippet to request access to Microsoft Graph. ++ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/graph.js" ::: ++## Update imports to use components in the application ++The following code snippet imports the UI components that were created previously to the application. 
It also imports the required components from the `@azure/msal-react` package. These components will be used to render the user interface and call the API. ++- In the *src* folder, open *App.jsx* and replace the contents of the file with the following code snippet to request access. ++ ```javascript + import React, { useState } from 'react'; + + import { PageLayout } from './components/PageLayout'; + import { loginRequest } from './authConfig'; + import { callMsGraph } from './graph'; + import { ProfileData } from './components/ProfileData'; + + import { AuthenticatedTemplate, UnauthenticatedTemplate, useMsal } from '@azure/msal-react'; + + import './App.css'; + + import Button from 'react-bootstrap/Button'; + ``` ++### Add the `ProfileContent` function ++The `ProfileContent` function is used to render the user's profile information after the user has signed in. This function will be called when the user selects the **Request Profile Information** button. ++- In the *App.jsx* file, add the following code below your imports: ++ ```JavaScript + /** + * Renders information about the signed-in user or a button to retrieve data about the user + */ + const ProfileContent = () => { + const { instance, accounts } = useMsal(); + const [graphData, setGraphData] = useState(null); + + function RequestProfileData() { + // Silently acquires an access token which is then attached to a request for MS Graph data + instance + .acquireTokenSilent({ + ...loginRequest, + account: accounts[0], + }) + .then((response) => { + callMsGraph(response.accessToken).then((response) => setGraphData(response)); + }); + } + + return ( + <> + <h5 className="card-title">Welcome {accounts[0].name}</h5> + <br/> + {graphData ? 
( + <ProfileData graphData={graphData} /> + ) : ( + <Button variant="secondary" onClick={RequestProfileData}> + Request Profile Information + </Button> + )} + </> + ); + }; + ``` ++### Add the `MainContent` function ++The `MainContent` function is used to render the user's profile information after the user has signed in. This function will be called when the user selects the **Request Profile Information** button. ++- In the *App.jsx* file, replace the `App()` function with the following code: ++ ```JavaScript + /** + * If a user is authenticated the ProfileContent component above is rendered. Otherwise a message indicating a user is not authenticated is rendered. + */ + const MainContent = () => { + return ( + <div className="App"> + <AuthenticatedTemplate> + <ProfileContent /> + </AuthenticatedTemplate> + + <UnauthenticatedTemplate> + <h5> + <center> + Please sign-in to see your profile information. + </center> + </h5> + </UnauthenticatedTemplate> + </div> + ); + }; + + export default function App() { + return ( + <PageLayout> + <center> + <MainContent /> + </center> + </PageLayout> + ); + } + ``` ++## Call the Microsoft Graph API from the application ++All the required code snippets have been added, so the application can now be called and tested in a web browser. ++1. Navigate to the browser previously opened in [Tutorial: Prepare an application for authentication](./tutorial-single-page-app-react-prepare-spa.md). If your browser is closed, open a new window with the address `http://localhost:3000/`. ++1. Select the **Sign In** button. For the purposes of this tutorial, choose the **Sign in using Popup** option. ++ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/sign-in-window.png" alt-text="Screenshot of React App sign-in window."::: ++1. After the popup window appears with the sign-in options, select the account with which to sign-in. 
++ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/pick-account.png" alt-text="Screenshot requesting user to choose Microsoft account to sign into."::: ++1. A second window may appear indicating that a code will be sent to your email address. If this happens, select **Send code**. Open the email from the sender **Microsoft account team**, and enter the 7-digit single-use code. Once entered, select **Sign in**. ++ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/enter-code.png" alt-text="Screenshot prompting user to enter verification code to sign-in."::: ++1. For **Stay signed in**, you can select either **No** or **Yes**. ++ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/stay-signed-in.png" alt-text="Screenshot prompting user to decide whether to stay signed in or not."::: ++1. The app will now ask for permission to sign-in and access data. Select **Accept** to continue. ++ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/permissions-requested.png" alt-text="Screenshot prompting user to allow the application to access permissions."::: ++1. The SPA will now display a button saying **Request Profile Information**. Select it to display the Microsoft Graph profile data acquired from the Microsoft Graph API. ++ :::image type="content" source="./media/single-page-app-tutorial-04-call-api/display-api-call-results.png" alt-text="Screenshot of React App depicting the results of the API call."::: ++## Next steps ++Learn how to use the Microsoft identity platform by trying out the following tutorial series on how to build a web API. ++> [!div class="nextstepaction"] +> [Tutorial: Register a web API with the Microsoft identity platform](web-api-tutorial-01-register-app.md) |
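Review bot: The paragraph under "### Add the `MainContent` function" is a copy of the `ProfileContent` description ("render the user's profile information after the user has signed in ... called when the user selects the **Request Profile Information** button"), which does not describe `MainContent`; per the code's own comment it renders `ProfileContent` inside `AuthenticatedTemplate` and the "Please sign-in" message inside `UnauthenticatedTemplate`, and `App()` is what mounts it. Suggest: "The `MainContent` function renders `ProfileContent` when a user is authenticated and a sign-in prompt otherwise." Also, the two later fences are tagged `JavaScript` while the imports fence above is tagged `javascript`; use one tag throughout the file.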
active-directory | Tutorial Single Page App React Prepare Spa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-single-page-app-react-prepare-spa.md | + + Title: "Tutorial: Prepare an application for authentication" +description: Register a tenant application and configure it for a React SPA. ++++++++ Last updated : 09/25/2023+#Customer intent: As a React developer, I want to know how to create a new React project in an IDE and add authentication. +++# Tutorial: Prepare a Single-page application for authentication ++After registration is complete, a React project can be created using an integrated development environment (IDE). This tutorial demonstrates how to create a single-page React application using `npm` and create files needed for authentication and authorization. ++In this tutorial: ++> [!div class="checklist"] +> * Create a new React project +> * Configure the settings for the application +> * Install identity and bootstrap packages +> * Add authentication code to the application ++## Prerequisites ++* Completion of the prerequisites and steps in [Tutorial: Register an application](tutorial-single-page-app-react-register-app.md). +* Although any IDE that supports React applications can be used, the following Visual Studio IDEs are used for this tutorial. They can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page. For macOS users, it's recommended to use Visual Studio Code. + - Visual Studio 2022 + - Visual Studio Code +* [Node.js](https://nodejs.org/en/download/). ++## Create a new React project ++Use the following tabs to create a React project within the IDE. ++### [Visual Studio](#tab/visual-studio) ++1. Open Visual Studio, and then select **Create a new project**. +1. Search for and choose the **Standalone JavaScript React Project** template, and then select **Next**. +1. Enter a name for the project, such as *reactspalocal*. +1. 
Choose a location for the project or accept the default option, and then select **Next**. +1. In **Additional information**, select **Create**. +1. From the toolbar, select **Start Without Debugging** to launch the application. A web browser will open with the address `http://localhost:3000/` by default. The browser remains open and re-renders for every saved change. +1. Create additional folders and files to achieve the following folder structure: ++ ```console + Γö£ΓöÇΓöÇΓöÇ public + Γöé ΓööΓöÇΓöÇΓöÇ https://docsupdatetracker.net/index.html + ΓööΓöÇΓöÇΓöÇsrc + Γö£ΓöÇΓöÇΓöÇ components + Γöé ΓööΓöÇΓöÇΓöÇ PageLayout.jsx + Γöé ΓööΓöÇΓöÇΓöÇ ProfileData.jsx + Γöé ΓööΓöÇΓöÇΓöÇ SignInButton.jsx + Γöé ΓööΓöÇΓöÇΓöÇ SignOutButton.jsx + ΓööΓöÇΓöÇ App.css + ΓööΓöÇΓöÇ App.jsx + ΓööΓöÇΓöÇ authConfig.js + ΓööΓöÇΓöÇ graph.js + ΓööΓöÇΓöÇ index.css + ΓööΓöÇΓöÇ index.js + ``` +++### [Visual Studio Code](#tab/visual-studio-code) ++1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project. +1. Open a new terminal by selecting **Terminal** > **New Terminal**. +1. Run the following commands to create a new React project with the name *reactspalocal*, change to the new directory and start the React project. A web browser will open with the address `http://localhost:3000/` by default. The browser remains open and re-renders for every saved change. ++ ```powershell + npx create-react-app reactspalocal + cd reactspalocal + npm start + ``` ++1. 
Create additional folders and files to achieve the following folder structure: ++ ```console + Γö£ΓöÇΓöÇΓöÇ public + Γöé ΓööΓöÇΓöÇΓöÇ https://docsupdatetracker.net/index.html + ΓööΓöÇΓöÇΓöÇsrc + Γö£ΓöÇΓöÇΓöÇ components + Γöé ΓööΓöÇΓöÇΓöÇ PageLayout.jsx + Γöé ΓööΓöÇΓöÇΓöÇ ProfileData.jsx + Γöé ΓööΓöÇΓöÇΓöÇ SignInButton.jsx + Γöé ΓööΓöÇΓöÇΓöÇ SignOutButton.jsx + ΓööΓöÇΓöÇ App.css + ΓööΓöÇΓöÇ App.jsx + ΓööΓöÇΓöÇ authConfig.js + ΓööΓöÇΓöÇ graph.js + ΓööΓöÇΓöÇ index.css + ΓööΓöÇΓöÇ index.js + ``` +++## Install identity and bootstrap packages ++Identity related **npm** packages must be installed in the project to enable user authentication. For project styling, **Bootstrap** will be used. ++### [Visual Studio](#tab/visual-studio) ++1. In the **Solution Explorer**, right-click the **npm** option and select **Install new npm packages**. +1. Search for **@azure/msal-browser**, then select **Install Package**. Repeat for **@azure/msal-react** and **@azure/msal-common**. +1. Search for and install **react-bootstrap**. +1. Select **Close**. ++### [Visual Studio Code](#tab/visual-studio-code) ++1. In the **Terminal** bar, select the **+** icon to create a new terminal. A separate terminal window will open with the previous node terminal continuing to run in the background. +1. Ensure that the correct directory is selected (*reactspalocal*) then enter the following into the terminal to install the relevant `msal` and `bootstrap` packages. ++ ```powershell + npm install @azure/msal-browser @azure/msal-react @azure/msal-common + npm install react-bootstrap bootstrap + ``` +++To learn more about these packages refer to the documentation in [msal-browser](/javascript/api/@azure/msal-browser), [msal-common](/javascript/api/@azure/msal-common), [msal-react](/javascript/api/@azure/msal-react). ++## Creating the authentication configuration file ++1. 
In the *src* folder, open *authConfig.js* and add the following code snippet: ++ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/authConfig.js" ::: ++1. Replace the following values with the values from the Microsoft Entra admin center. + - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application. + - `authority` - This is composed of two parts: + - The *Instance* is endpoint of the cloud provider. Check with the different available endpoints in [National clouds](authentication-national-cloud.md#azure-ad-authentication-endpoints). + - The *Tenant ID* is the identifier of the tenant where the application is registered. Replace the `_Enter_the_Tenant_Info_Here` with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application. ++1. Save the file. ++## Modify *index.js* to include the authentication provider ++All parts of the app that require authentication must be wrapped in the [`MsalProvider`](/javascript/api/@azure/msal-react/#@azure-msal-react-msalprovider) component. You instantiate a [PublicClientApplication](/javascript/api/@azure/msal-browser/publicclientapplication) then pass it to `MsalProvider`. ++1. In the *src* folder, open *index.js* and replace the contents of the file with the following code snippet to use the `msal` packages and bootstrap styling: ++ :::code language="javascript" source="~/ms-identity-docs-code-javascript/react-spa/src/index.js" ::: ++1. Save the file. ++## Next steps ++> [!div class="nextstepaction"] +> [Tutorial: Create components for sign in and sign out in a React single-page app](tutorial-single-page-app-react-sign-in-users.md) |
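Review bot: In the authConfig.js steps the tenant placeholder is written `_Enter_the_Tenant_Info_Here` with a leading underscore while the client placeholder is `Enter_the_Application_Id_Here`; check both against the strings actually present in the included authConfig.js snippet so that readers searching the file find them. In the same list, "The *Instance* is endpoint of the cloud provider" is missing "the". The `npx create-react-app` and `npm install` commands are fenced as ```powershell even though the Visual Studio Code tab is the one recommended for macOS users; a neutral `console` fence, as already used for the folder tree, would fit both platforms. Finally, the folder tree lists `https://docsupdatetracker.net/index.html` under *public* where a file name is expected; verify the tree in the rendered source before merging.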
active-directory | Tutorial Single Page App React Register App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-single-page-app-react-register-app.md | + + Title: "Tutorial: Register a Single-page application with the Microsoft identity platform" +description: Register an application in a Microsoft Entra tenant. ++++++++ Last updated : 02/27/2023+#Customer intent: As a React developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue access tokens to client applications that request them. +++# Tutorial: Register a Single-page application with the Microsoft identity platform ++To interact with the Microsoft identity platform, Microsoft Entra ID must be made aware of the application you create. This tutorial shows you how to register a single-page application (SPA) in a tenant on the Microsoft Entra admin center. ++In this tutorial: ++> [!div class="checklist"] +> * Register the application in a tenant +> * Add a Redirect URI to the application +> * Record the application's unique identifiers ++## Prerequisites ++* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/). +* This Azure account must have permissions to manage applications. Any of the following Microsoft Entra roles include the required permissions: + * Application administrator + * Application developer + * Cloud application administrator ++## Register the application and record identifiers +++To complete registration, provide the application a name, specify the supported account types, and add a redirect URI. Once registered, the application **Overview** pane displays the identifiers needed in the application source code. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**, select **New registration**. +1. Enter a **Name** for the application, such as *NewSPA1*. +1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. +1. Under **Redirect URI (optional)**, use the drop-down menu to select **Single-page-application (SPA)** and enter `http://localhost:3000` into the text box. +1. Select **Register**. ++ :::image type="content" source="./media/single-page-app-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type in the Azure portal."::: ++1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code. ++ :::image type="content" source="./media/single-page-app-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page on the Azure portal."::: ++ >[!NOTE] + > The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md). ++## Next steps ++> [!div class="nextstepaction"] +> [Tutorial: Prepare an application for authentication](tutorial-single-page-app-react-prepare-spa.md) |
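Review bot: the redirect URI step registers `http://localhost:3000` but never says that this value must match, character for character, the redirect URI the app sends from authConfig.js, and that plain `http` is accepted only for loopback addresses while production redirect URIs must be `https`; one sentence after step 5 would prevent the most common first-run failure. Also, both screenshot alt texts still say "Azure portal" while the steps use the Microsoft Entra admin center.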
active-directory | Tutorial Single Page App React Sign In Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-single-page-app-react-sign-in-users.md | + + Title: "Tutorial: Create components for sign in and sign out in a React single-page app" +description: Add sign in and sign out components to your React single-page app ++++++++ Last updated : 09/26/2023+#Customer intent: As a React developer, I want to know how to use functional components to add sign in and sign out experiences in my React application. +++# Tutorial: Create components for sign in and sign out in a React single page app ++Functional components are the building blocks of React apps. This tutorial demonstrates how functional components can be used to build the sign in and sign out experience in a React single-page app (SPA). The `useMsal` hook is used to retrieve an access token to allow user sign-in. ++In this tutorial: ++> [!div class="checklist"] +> +> - Add components to the application +> - Create a way of displaying the user's profile information +> - Create a layout that displays the sign in and sign out experience +> - Add the sign in and sign out experiences ++## Prerequisites ++* Completion of the prerequisites and steps in [Tutorial: Prepare an application for authentication](tutorial-single-page-app-react-prepare-spa.md). ++### Add the page layout component ++1. Open *PageLayout.jsx* and add the following code to render the page layout. The [useIsAuthenticated](/javascript/api/@azure/msal-react) hook returns whether or not a user is currently signed-in. ++ ```javascript + /* + * Copyright (c) Microsoft Corporation. All rights reserved. + * Licensed under the MIT License. 
+ */ ++ import React from "react"; + import Navbar from "react-bootstrap/Navbar"; ++ import { useIsAuthenticated } from "@azure/msal-react"; + import { SignInButton } from "./SignInButton"; + import { SignOutButton } from "./SignOutButton"; ++ /** + * Renders the navbar component with a sign in or sign out button depending on whether or not a user is authenticated + * @param props + */ + export const PageLayout = (props) => { + const isAuthenticated = useIsAuthenticated(); ++ return ( + <> + <Navbar bg="primary" variant="dark" className="navbarStyle"> + <a className="navbar-brand" href="/"> + Microsoft Identity Platform + </a> + <div className="collapse navbar-collapse justify-content-end"> + {isAuthenticated ? <SignOutButton /> : <SignInButton />} + </div> + </Navbar> + <br /> + <br /> + <h5> + <center> + Welcome to the Microsoft Authentication Library For Javascript - + React SPA Tutorial + </center> + </h5> + <br /> + <br /> + {props.children} + </> + ); + }; + ``` ++1. Save the file. ++### Display profile information ++1. Open the *ProfileData.jsx* and add the following code, which creates a component that displays the user's profile information: ++ ```javascript + import React from "react"; + /** + * Renders information about the user obtained from MS Graph + * @param props + */ + export const ProfileData = (props) => { + return ( + <div id="profile-div"> + <p> + <strong>First Name: </strong> {props.graphData.givenName} + </p> + <p> + <strong>Last Name: </strong> {props.graphData.surname} + </p> + <p> + <strong>Email: </strong> {props.graphData.userPrincipalName} + </p> + <p> + <strong>Id: </strong> {props.graphData.id} + </p> + </div> + ); + }; + ``` ++1. Save the file. ++### Adding the sign in experience ++1. Open *SignInButton.jsx* and add the following code, which creates a button that signs in the user using either a pop-up or redirect. 
++ ```javascript + import React from "react"; + import { useMsal } from "@azure/msal-react"; + import { loginRequest } from "../authConfig"; + import DropdownButton from "react-bootstrap/DropdownButton"; + import Dropdown from "react-bootstrap/Dropdown"; ++ /** + * Renders a drop down button with child buttons for logging in with a popup or redirect + * Note the [useMsal] package + */ ++ export const SignInButton = () => { + const { instance } = useMsal(); ++ const handleLogin = (loginType) => { + if (loginType === "popup") { + instance.loginPopup(loginRequest).catch((e) => { + console.log(e); + }); + } else if (loginType === "redirect") { + instance.loginRedirect(loginRequest).catch((e) => { + console.log(e); + }); + } + }; + return ( + <DropdownButton + variant="secondary" + className="ml-auto" + drop="start" + title="Sign In" + > + <Dropdown.Item as="button" onClick={() => handleLogin("popup")}> + Sign in using Popup + </Dropdown.Item> + <Dropdown.Item as="button" onClick={() => handleLogin("redirect")}> + Sign in using Redirect + </Dropdown.Item> + </DropdownButton> + ); + }; + ``` ++1. Save the file. ++### Adding the sign out experience ++1. Open *SignOutButton.jsx* and add the following code, which creates a button that signs out the user using either a pop-up or redirect. 
++ ```javascript + import React from "react"; + import { useMsal } from "@azure/msal-react"; + import DropdownButton from "react-bootstrap/DropdownButton"; + import Dropdown from "react-bootstrap/Dropdown"; ++ /** + * Renders a sign out button + */ + export const SignOutButton = () => { + const { instance } = useMsal(); ++ const handleLogout = (logoutType) => { + if (logoutType === "popup") { + instance.logoutPopup({ + postLogoutRedirectUri: "/", + mainWindowRedirectUri: "/", + }); + } else if (logoutType === "redirect") { + instance.logoutRedirect({ + postLogoutRedirectUri: "/", + }); + } + }; ++ return ( + <DropdownButton + variant="secondary" + className="ml-auto" + drop="start" + title="Sign Out" + > + <Dropdown.Item as="button" onClick={() => handleLogout("popup")}> + Sign out using Popup + </Dropdown.Item> + <Dropdown.Item as="button" onClick={() => handleLogout("redirect")}> + Sign out using Redirect + </Dropdown.Item> + </DropdownButton> + ); + }; + ``` ++1. Save the file. ++## Next steps ++> [!div class="nextstepaction"] +> [Tutorial: Call an API from a React single-page app](tutorial-single-page-app-react-call-api.md) |
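Review bot: the introduction says "The `useMsal` hook is used to retrieve an access token to allow user sign-in", but nothing in this tutorial acquires an access token: `SignInButton` calls `instance.loginPopup`/`instance.loginRedirect` with `loginRequest`, which signs the user in and establishes the account in the MSAL cache, and access tokens are only acquired in the next tutorial (Call an API). Reword so readers do not learn that sign-in equals token acquisition. Minor: the `.catch` on `loginRedirect` only catches errors raised before navigation (for example an interaction already in progress); a sign-in that fails at the identity provider is reported after the redirect back, via the redirect promise, so the text should say where those errors surface rather than implying the `console.log` handler covers them.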
active-directory | Tutorial V2 Angular Auth Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-angular-auth-code.md | This tutorial uses the following libraries: | [MSAL Angular](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular) | Microsoft Authentication Library for JavaScript Angular Wrapper | | [MSAL Browser](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-browser) | Microsoft Authentication Library for JavaScript v2 browser package | -You can find the source code for all of the MSAL.js libraries in the [microsoft-authentication-library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) repository on GitHub. +You can find the source code for all of the MSAL.js libraries in the [`microsoft-authentication-library-for-js`](https://github.com/AzureAD/microsoft-authentication-library-for-js) repository on GitHub. ### Get the completed code sample To complete registration, provide the application a name, specify the supported 1. Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project. 1. Open a new terminal by selecting **Terminal** > **New Terminal**. 1. You may need to switch terminal types. Select the down arrow next to the **+** icon in the terminal and select **Command Prompt**.-1. Run the following commands to create a new Angular project with the name _msal-angular-tutorial_, install Angular Material component libraries, MSAL Browser, MSAL Angular and generate home and profile components. +1. Run the following commands to create a new Angular project with the name `msal-angular-tutorial`, install Angular Material component libraries, MSAL Browser, MSAL Angular and generate home and profile components. ```cmd npm install -g @angular/cli |
active-directory | Tutorial V2 Javascript Auth Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-javascript-auth-code.md | To continue with the tutorial and build the application yourself, move on to the ## Create your project -Once you have [Node.js](https://nodejs.org/en/download/) installed, create a folder to host your application, for example *msal-spa-tutorial*. +Once you have [Node.js](https://nodejs.org/en/download/) installed, create a folder to host your application, such as `msal-spa-tutorial`. Next, implement a small [Express](https://expressjs.com/) web server to serve your *https://docsupdatetracker.net/index.html* file. |
active-directory | V2 Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-overview.md | Choose your preferred [application scenario](authentication-flows-app-scenarios. For a more in-depth look at building applications using the Microsoft identity platform, see our multipart tutorial series for the following applications: -- [React Single-page app (SPA)](single-page-app-tutorial-01-register-app.md)+- [React Single-page app (SPA)](tutorial-single-page-app-react-register-app.md) - [.NET Web app](web-app-tutorial-01-register-application.md) - [.NET Web API](web-api-tutorial-01-register-app.md) |
active-directory | Concept Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-primary-refresh-token.md | The PRT is issued during user authentication on a Windows 10 or newer device in In Microsoft Entra registered device scenarios, the Microsoft Entra WAM plugin is the primary authority for the PRT since Windows logon isn't happening with this Microsoft Entra account. > [!NOTE]-> 3rd party identity providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 or newer devices. Without WS-Trust, PRT cannot be issued to users on Microsoft Entra hybrid joined or Microsoft Entra joined devices. On ADFS only usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet facing endpoints only and **must NOT be exposed** as extranet facing endpoints through the Web Application Proxy. +> 3rd party identity providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 or newer devices. Without WS-Trust, PRT cannot be issued to users on Microsoft Entra hybrid joined or Microsoft Entra joined devices. On ADFS only usernamemixed endpoints are required. On ADFS if Smartcard/certificate is used during Windows sign-in certificatemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet facing endpoints only and **must NOT be exposed** as extranet facing endpoints through the Web Application Proxy. > [!NOTE] > Microsoft Entra Conditional Access policies are not evaluated when PRTs are issued. |
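Review bot: the inserted sentence "On ADFS if Smartcard/certificate is used during Windows sign-in certificatemixed endpoints are required" now reads as contradicting the preceding "On ADFS only usernamemixed endpoints are required"; join them into one conditional statement, for example "On AD FS, only the usernamemixed endpoints are required for password sign-in; if a smart card or certificate is used at Windows sign-in, the certificatemixed endpoints are required as well." The note then restricts only windowstransport from being published through the Web Application Proxy, so it should state explicitly whether the same intranet-only rule applies to certificatemixed, otherwise readers will guess.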
active-directory | Enterprise State Roaming Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md | This section gives suggestions on how to troubleshoot and diagnose problems rela Enterprise State Roaming requires the device to be registered with Microsoft Entra ID. Although not specific to Enterprise State Roaming, using the following instructions can help confirm that the Windows 10 or newer Client is registered, and confirm thumbprint, Microsoft Entra settings URL, NGC status, and other information. 1. Open the command prompt unelevated. To do this in Windows, open the Run launcher (Win + R) and type ΓÇ£cmdΓÇ¥ to open.-1. Once the command prompt is open, type ΓÇ£*dsregcmd.exe /status*ΓÇ¥. -1. For expected output, the **AzureAdJoined** field value should be ΓÇ£YESΓÇ¥, **WamDefaultSet** field value should be ΓÇ£YESΓÇ¥, and the **WamDefaultGUID** field value should be a GUID with ΓÇ£(AzureAD)ΓÇ¥ at the end. +1. Once the command prompt is open, type `*dsregcmd.exe /status*`. +1. For expected output, the **AzureAdJoined** field value should be `YES`, **WamDefaultSet** field value should be `YES`, and the **WamDefaultGUID** field value should be a GUID with `(AzureAD)` at the end. **Potential issue**: **WamDefaultSet** and **AzureAdJoined** both have ΓÇ£NOΓÇ¥ in the field value, the device was domain-joined and registered with Microsoft Entra ID, and the device doesn't sync. If it's showing this, the device may need to wait for policy to be applied or the authentication for the device failed when connecting to Microsoft Entra ID. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. 
In some cases, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. |
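Review bot: the `dsregcmd.exe /status` step wraps the command in backticks but keeps the italic asterisks inside them, so the rendered code span shows `*dsregcmd.exe /status*` with literal asterisks; the command should be `dsregcmd.exe /status`. The mojibake this hunk removes (`ΓÇ£`/`ΓÇ¥`, mis-decoded curly quotes) is still present in the untouched neighbouring text: "type ΓÇ£cmdΓÇ¥", "both have ΓÇ£NOΓÇ¥" and "running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥" a few lines down; fix them in the same pass.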
active-directory | Howto Vm Sign In Azure Ad Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md | An Azure user who has the Owner or Contributor role assigned for a VM doesn't au There are two ways to configure role assignments for a VM: -- Microsoft Entra portal experience+- Microsoft Entra admin center experience - Azure Cloud Shell experience > [!NOTE] There are two ways to configure role assignments for a VM: <a name='azure-ad-portal'></a> -### Microsoft Entra portal +<a name='microsoft-entra-portal'></a> ++### Microsoft Entra admin center To configure role assignments for your Microsoft Entra ID-enabled Windows Server 2019 Datacenter VMs: Exit code -2145648607 translates to `DSREG_AUTOJOIN_DISC_FAILED`. The extension - `curl https://pas.windows.net/ -D -` > [!NOTE]- > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Identity** > **Overview** > **Properties** > **Tenant ID**. + > Replace `<TenantID>` with the Microsoft Entra tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Identity** > **Overview** > **Properties** > **Tenant ID**. > > Attempts to connect to `enterpriseregistration.windows.net` might return 404 Not Found, which is expected behavior. Attempts to connect to `pas.windows.net` might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable. |
active-directory | Hybrid Join Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-control.md | Use the following example to create a Group Policy Object (GPO) to deploy a regi 1. Key Path: **SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD**. 1. Value name: **TenantId**. 1. Value type: **REG_SZ**.- 1. Value data: The GUID or **Tenant ID** of your Microsoft Entra instance (This value can be found in the **Microsoft Entra admin center** > **Identity** > **Properties** > **Tenant ID**). + 1. Value data: The GUID or **Tenant ID** of your Microsoft Entra tenant, which can be found in **Identity** > **Overview** > **Properties** > **Tenant ID**. 1. Select **OK**. 1. Right-click on the Registry and select **New** > **Registry Item**. 1. On the **General** tab, configure the following. |
active-directory | Hybrid Join Manual | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-manual.md | In your forest, the SCP object for the autoregistration of domain-joined devices `CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]` Depending on how you have deployed Microsoft Entra Connect, the SCP object might have already been configured.-You can verify the existence of the object and retrieve the discovery values by using the following Windows PowerShell script: +You can verify the existence of the object and retrieve the discovery values by using the following PowerShell script: - ```PowerShell + ```powershell $scp = New-Object System.DirectoryServices.DirectoryEntry; $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com"; |
active-directory | Hybrid Join Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-plan.md | For devices running the Windows desktop operating system, supported versions are ### Windows down-level devices -- Windows 8.1-- Windows 7 support ended on January 14, 2020. For more information, see [Support for Windows 7 has ended](https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020) - Windows Server 2012 R2 - Windows Server 2012-- Windows Server 2008 R2 for support information on Windows Server 2008 and 2008 R2, see [Prepare for Windows Server 2008 end of support](https://www.microsoft.com/cloud-platform/windows-server-2008) As a first planning step, you should review your environment and determine whether you need to support Windows down-level devices. |
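Review bot: the list drops Windows 8.1, Windows 7 and Windows Server 2008 R2 on end-of-support grounds but keeps Windows Server 2012 R2 and Windows Server 2012, which reached end of extended support on October 10, 2023; if support status is the criterion, apply it consistently, either removing those two as well or keeping them with an end-of-support pointer as the removed Windows 7 line had.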
active-directory | Manage Stale Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md | To clean up Microsoft Entra ID: - **Windows 7/8** - Disable or delete Windows 7/8 devices in your on-premises AD first. You can't use Microsoft Entra Connect to disable or delete Windows 7/8 devices in Microsoft Entra ID. Instead, when you make the change in your on-premises, you must disable/delete in Microsoft Entra ID. > [!NOTE]-> - Deleting devices in your on-premises AD or Microsoft Entra ID does not remove registration on the client. It will only prevent access to resources using device as an identity (e.g. Conditional Access). Read additional information on how to [remove registration on the client](faq.yml). +> - Deleting devices in your on-premises Active Directory or Microsoft Entra ID does not remove registration on the client. It will only prevent access to resources using device as an identity (such as Conditional Access). Read additional information on how to [remove registration on the client](faq.yml). > - Deleting a Windows 10 or newer device only in Microsoft Entra ID will re-synchronize the device from your on-premises using Microsoft Entra Connect but as a new object in "Pending" state. A re-registration is required on the device. > - Removing the device from sync scope for Windows 10 or newer /Server 2016 devices will delete the Microsoft Entra device. Adding it back to sync scope will place a new object in "Pending" state. A re-registration of the device is required. > - If you are not using Microsoft Entra Connect for Windows 10 or newer devices to synchronize (e.g. ONLY using AD FS for registration), you must manage lifecycle similar to Windows 7/8 devices. |
active-directory | Troubleshoot Device Dsregcmd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-dsregcmd.md | The state is displayed only when the device is Microsoft Entra joined or Microso - **DeviceAuthStatus**: Performs a check to determine the device's health in Microsoft Entra ID. The health statuses are: * *SUCCESS* if the device is present and enabled in Microsoft Entra ID. * *FAILED. Device is either disabled or deleted* if the device is either disabled or deleted. For more information about this issue, see [Microsoft Entra device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). - * *FAILED. ERROR* if the test was unable to run. This test requires network connectivity to Microsoft Entra ID. + * *FAILED. ERROR* if the test was unable to run. This test requires network connectivity to Microsoft Entra ID under the system context. > [!NOTE] > The **DeviceAuthStatus** field was added in the Windows 10 May 2021 update (version 21H1). |
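Review bot: "under the system context" is the substantive part of this change and deserves a sentence on its consequence: the DeviceAuthStatus check runs as SYSTEM, so proxy or firewall rules that apply only to the signed-in user's context do not help, and a "FAILED. ERROR" result can mean the machine context cannot reach Microsoft Entra ID even though the user's browser can.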
active-directory | Troubleshoot Hybrid Join Windows Current | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md | Use Event Viewer to look for the log entries that are logged by the Microsoft En > [!NOTE] > The CloudAP plug-in logs error events in the operational logs, and it logs the info events in the analytics logs. The analytics and operational log events are both required to troubleshoot issues. -1. Event 1006 in the analytics logs denotes the start of the PRT acquisition flow, and event 1007 in the analytics logs denotes the end of the PRT acquisition flow. All events in the Microsoft Entra ID logs (analytics and operational) that are logged between events 1006 and 1007 were logged as part of the PRT acquisition flow. +1. Event 1006 in the analytics logs denotes the start of the PRT acquisition flow, and event 1007 in the analytics logs denotes the end of the PRT acquisition flow. All events in the Microsoft Entra logs (analytics and operational) that are logged between events 1006 and 1007 were logged as part of the PRT acquisition flow. 1. Event 1007 logs the final error code. |
active-directory | Troubleshoot Mac Sso Extension Plugin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-mac-sso-extension-plugin.md | By default, only MSAL apps invoke the SSO Extension, and then in turn the Extens |**1** |**All Items**|Shows all types of credentials across Keychain Access| |**2** |**Keychain Search Bar**|Allows filtering by credential. To filter for the Microsoft Entra PRT type **`primaryrefresh`**| |**3** |**Kind**|Refers to the type of credential. The Microsoft Entra PRT credential is an **Application Password** credential type|- |**4** |**Account**|Displays the Microsoft Entra User Account, which owns the PRT in the format: **`UserObjectId.TenantId-login.windows.net`** | + |**4** |**Account**|Displays the Microsoft Entra user account, which owns the PRT in the format: **`UserObjectId.TenantId-login.windows.net`** | |**5** |**Where**|Displays the full name of the credential. The Microsoft Entra PRT credential begins with the following format: **`primaryrefreshtoken-29d9ed98-a469-4536-ade2-f981bc1d605`** The **29d9ed98-a469-4536-ade2-f981bc1d605** is the Application ID for the **Microsoft Authentication Broker** service, responsible for handling PRT acquisition requests| |**6** |**Modified**|Shows when the credential was last updated. For the Microsoft Entra PRT credential, anytime the credential is bootstrapped or updated by an interactive sign-on event it updates the date/timestamp| |**7** |**Keychain** |Indicates which Keychain the selected credential resides. The Microsoft Entra PRT credential resides in the **Local Items** or **iCloud** Keychain. When iCloud is enabled on the macOS device, the **Local Items** Keychain will become the **iCloud** keychain| |
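Review bot: the Application ID given for the Microsoft Authentication Broker, `29d9ed98-a469-4536-ade2-f981bc1d605`, is 35 characters (the last group has 11 hex digits; a GUID needs 12), so it is truncated in both places it appears in this row; verify the full value before publishing, since a Keychain search on the truncated prefix still matches but an exact comparison by a reader will not.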
active-directory | Troubleshoot Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-primary-refresh-token.md | +<!-- docutune:ignore AAD --> + On devices that are joined to Microsoft Entra ID or hybrid Microsoft Entra ID, the main component of authentication is the PRT. You obtain this token by signing in to Windows 10 by using Microsoft Entra credentials on a Microsoft Entra joined device for the first time. The PRT is cached on that device. For subsequent sign-ins, the cached token is used to let you use the desktop. As part of the process of locking and unlocking the device or signing in again to Windows, a background network authentication attempt is made one time every four hours to refresh the PRT. If problems occur that prevent refreshing the token, the PRT eventually expires. Expiration affects single sign-on (SSO) to Microsoft Entra resources. It also causes sign-in prompts to be shown. -If you suspect that a PRT problem exists, we recommend that you first collect Microsoft Entra ID logs, and follow the steps that are outlined in the troubleshooting checklist. Do this for any Microsoft Entra client issue first, ideally within a repro session. Complete this process before you file a support request. +If you suspect that a PRT problem exists, we recommend that you first collect Microsoft Entra logs, and follow the steps that are outlined in the troubleshooting checklist. Do this for any Microsoft Entra client issue first, ideally within a repro session. Complete this process before you file a support request. ## Troubleshooting checklist |
active-directory | Clean Up Unmanaged Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/clean-up-unmanaged-accounts.md | Some overtaken domains might not be updated. For example, a missing DNS TXT reco Use the sample application on [Azure-Samples/Remove-Unmanaged-Guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests). -## Reset redemption using MSIdentityTools PowerShell Module +## Reset redemption using `MSIdentityTools` PowerShell module -MSIdentityTools PowerShell Module is a collection of cmdlets and scripts, which you use in the Microsoft identity platform and Microsoft Entra ID. Use the cmdlets and scripts to augment PowerShell SDK capabilities. See, [microsoftgraph/msgraph-sdk-powershell](https://github.com/microsoftgraph/msgraph-sdk-powershell). +The `MSIdentityTools` PowerShell module is a collection of cmdlets and scripts, which you use in the Microsoft identity platform and Microsoft Entra ID. Use the cmdlets and scripts to augment PowerShell SDK capabilities. See, [microsoftgraph/msgraph-sdk-powershell](https://github.com/microsoftgraph/msgraph-sdk-powershell). Run the following cmdlets: |
active-directory | Domains Admin Takeover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-admin-takeover.md | The key and templates aren't moved over when the unmanaged organization is in a Although RMS for individuals is designed to support Microsoft Entra authentication to open protected content, it doesn't prevent users from also protecting content. If users did protect content with the RMS for individuals subscription, and the key and templates weren't moved over, that content isn't accessible after the domain takeover. -### Microsoft Entra ID PowerShell cmdlets for the ForceTakeover option +### Azure AD PowerShell cmdlets for the ForceTakeover option You can see these cmdlets used in [PowerShell example](#powershell-example). |
active-directory | Groups Naming Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-naming-policy.md | Some administrator roles are exempted from these policies, across all group work ## Install PowerShell cmdlets -Be sure to uninstall any older version of the Azure Active Directory PowerShell for Graph Module for Windows PowerShell and install [Azure Active Directory PowerShell for Graph - Public Preview Release 2.0.0.137](https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.137) before you run the PowerShell commands. +Be sure to uninstall any older version of the Azure Active Directory PowerShell for Graph module and install [Azure Active Directory PowerShell for Graph - Public Preview Release 2.0.0.137](https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.137) before you run the PowerShell commands. 1. Open the Windows PowerShell app as an administrator. 2. Uninstall any previous version of AzureADPreview. |
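Review bot: the install step still pins "Public Preview Release 2.0.0.137" while the groups-settings-cmdlets page changed in this same batch says "later than 2.0.0.137"; use one wording in both, and since readers are told to uninstall older versions of a preview module, say whether newer AzureADPreview releases are acceptable.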
active-directory | Groups Self Service Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-self-service-management.md | Groups created in | Security group default behavior | Microsoft 365 group defaul 2. Select **All groups** > **Groups**, and then select **General** settings. + > [!NOTE] + > This setting only restricts access of group information in **My Groups**. It does not restrict access to group information via other methods like Microsoft Graph API calls or the Entra Admin Center + ![Microsoft Entra groups general settings.](./media/groups-self-service-management/groups-settings-general.png) > [!NOTE] > In June 2024, the setting **Restrict users access to My Groups** will change to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to ΓÇÿYes,ΓÇÖ end users will be able to access My Groups in June 2024, but will not be able to see security groups. |
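Review bot: the new note is the security-relevant part of this change and should state plainly that the setting is a UI restriction, not an authorization boundary: group information stays readable through Microsoft Graph and the admin center by anyone who already holds permission there, so it must not be relied on to hide group membership. The sentence also lacks a terminating period, and "Entra Admin Center" should be "Microsoft Entra admin center" as elsewhere in this batch.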
active-directory | Groups Settings Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-cmdlets.md | The cmdlets are part of the Azure Active Directory PowerShell V2 module. For ins ## Install PowerShell cmdlets -Be sure to uninstall any older version of the Azure Active Directory PowerShell for Graph Module for Windows PowerShell and install [Azure Active Directory PowerShell for Graph - Public Preview Release (later than 2.0.0.137)](https://www.powershellgallery.com/packages/AzureADPreview) before you run the PowerShell commands. +Be sure to uninstall any older version of the Azure Active Directory PowerShell for Graph module and install [Azure Active Directory PowerShell for Graph - Public Preview Release (later than 2.0.0.137)](https://www.powershellgallery.com/packages/AzureADPreview) before you run the PowerShell commands. 1. Open the Windows PowerShell app as an administrator. 2. Uninstall any previous version of AzureADPreview. |
active-directory | Allow Deny List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/allow-deny-list.md | If you switch from one policy to the other, this discards the existing policy co > [!Note] > The AzureADPreview Module is not a fully supported module as it is in preview. -To set the allow or blocklist by using PowerShell, you must install the preview version of the Azure AD PowerShell Module for Windows PowerShell. Specifically, install the AzureADPreview module version 2.0.0.98 or later. +To set the allow or blocklist by using PowerShell, you must install the preview version of the Azure AD PowerShell module. Specifically, install the AzureADPreview module version 2.0.0.98 or later. To check the version of the module (and see if it's installed): 1. Open Windows PowerShell as an elevated user (Run as Administrator). -2. Run the following command to see if you have any versions of the Azure AD PowerShell Module for Windows PowerShell installed on your computer: +2. Run the following command to see if you have any versions of the Azure AD PowerShell module installed on your computer: ```powershell Get-Module -ListAvailable AzureAD* |
active-directory | Auditing And Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/auditing-and-reporting.md | -You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Microsoft Entra ID** under **External Identities** > **Access reviews**. You can also search for "access reviews" from **All services** in the Azure portal. To learn how to use access reviews, see [Manage guest access with Microsoft Entra access reviews](../governance/manage-guest-access-with-access-reviews.md). +You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Microsoft Entra ID** under **Identity Governance** > **Access reviews**. To learn how to use access reviews, see [Manage guest access with Microsoft Entra access reviews](../governance/manage-guest-access-with-access-reviews.md). ## Audit logs -The Microsoft Entra audit logs provide records of system and user activities, including activities initiated by guest users. To access audit logs, in **Microsoft Entra ID**, under **Monitoring**, select **Audit logs**. To access audit logs of one specific user, select **Microsoft Entra ID** > **Users** > select the user > **Audit logs**. +The Microsoft Entra audit logs provide records of system and user activities, including activities initiated by guest users. To access audit logs, in **Identity**, under **Monitoring & health**, select **Audit logs**. To access audit logs of one specific user, select **Identity** > **Users** > **All users** > select the user > **Audit logs**. :::image type="content" source="media/auditing-and-reporting/audit-log.png" alt-text="Screenshot showing an example of audit log output." lightbox="media/auditing-and-reporting/audit-log-large.png"::: |
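Review bot: the two rewritten navigation paths in this hunk use different roots: the access reviews line keeps "**Microsoft Entra ID** under **Identity Governance** > **Access reviews**" while the audit logs line switches to "**Identity**, under **Monitoring & health**" and "**Identity** > **Users** > **All users**"; pick one root (the admin-center "**Identity**" form used in the second line) for both so the article presents a single navigation model.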
active-directory | Authentication Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/authentication-conditional-access.md | -# Authentication and Conditional Access for External Identities +# Authentication and Conditional Access for External ID > [!TIP] > This article applies to B2B collaboration and B2B direct connect. If your tenant is configured for customer identity and access management, see [Security and governance in Microsoft Entra ID for customers](customers/concept-security-customers.md). |
active-directory | B2b Direct Connect Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-direct-connect-overview.md | -Microsoft Entra B2B direct connect is a feature of External Identities that lets you set up a mutual trust relationship with another Microsoft Entra organization for seamless collaboration. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, users from both organizations can work together using their home credentials and a shared channel in Teams, without having to be added to each otherΓÇÖs organizations as guests. Use B2B direct connect to share resources with external Microsoft Entra organizations. Or use it to share resources across multiple Microsoft Entra tenants within your own organization. +B2B direct connect is a feature of Microsoft Entra External ID that lets you set up a mutual trust relationship with another Microsoft Entra organization for seamless collaboration. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, users from both organizations can work together using their home credentials and a shared channel in Teams, without having to be added to each otherΓÇÖs organizations as guests. Use B2B direct connect to share resources with external Microsoft Entra organizations. Or use it to share resources across multiple Microsoft Entra tenants within your own organization. ![Diagram illustrating B2B direct connect](media/b2b-direct-connect-overview/b2b-direct-connect-overview.png) |
active-directory | B2b Fundamentals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-fundamentals.md | -This article contains recommendations and best practices for business-to-business (B2B) collaboration in Microsoft Entra ID. +This article contains recommendations and best practices for business-to-business (B2B) collaboration in Microsoft Entra External ID. > [!IMPORTANT] > The [email one-time passcode feature](one-time-passcode.md) is now turned on by default for all new tenants and for any existing tenants where you haven't explicitly turned it off. When this feature is turned off, the fallback authentication method is to prompt invitees to create a Microsoft account. This article contains recommendations and best practices for business-to-busines | Recommendation | Comments | | | | | Consult Microsoft Entra guidance for securing your collaboration with external partners | Learn how to take a holistic governance approach to your organization's collaboration with external partners by following the recommendations in [Securing external collaboration in Microsoft Entra ID and Microsoft 365](../architecture/secure-external-access-resources.md). |-| Carefully plan your cross-tenant access and external collaboration settings | Microsoft Entra ID gives you a flexible set of controls for managing collaboration with external users and organizations. You can allow or block all collaboration, or configure collaboration only for specific organizations, users, and apps. Before configuring settings for cross-tenant access and external collaboration, take a careful inventory of the organizations you work and partner with. Then determine if you want to enable [B2B direct connect](b2b-direct-connect-overview.md) or [B2B collaboration](what-is-b2b.md) with other Microsoft Entra tenants, and how you want to manage [B2B collaboration invitations](external-collaboration-settings-configure.md). 
| +| Carefully plan your cross-tenant access and external collaboration settings | Microsoft Entra External ID gives you a flexible set of controls for managing collaboration with external users and organizations. You can allow or block all collaboration, or configure collaboration only for specific organizations, users, and apps. Before configuring settings for cross-tenant access and external collaboration, take a careful inventory of the organizations you work and partner with. Then determine if you want to enable [B2B direct connect](b2b-direct-connect-overview.md) or [B2B collaboration](what-is-b2b.md) with other Microsoft Entra tenants, and how you want to manage [B2B collaboration invitations](external-collaboration-settings-configure.md). | | Use tenant restrictions to control how external accounts are used on your networks and managed devices. | With tenant restrictions, you can prevent your users from using accounts they've created in unknown tenants or accounts they've received from external organizations. We recommend you disallow these accounts and use B2B collaboration instead. | | For an optimal sign-in experience, federate with identity providers | Whenever possible, federate directly with identity providers to allow invited users to sign in to your shared apps and resources without having to create Microsoft Accounts (MSAs) or Microsoft Entra accounts. You can use the [Google federation feature](google-federation.md) to allow B2B guest users to sign in with their Google accounts. Or, you can use the [SAML/WS-Fed identity provider (preview) feature](direct-federation.md) to set up federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. 
| | Use the Email one-time passcode feature for B2B guests who canΓÇÖt authenticate by other means | The [Email one-time passcode](one-time-passcode.md) feature authenticates B2B guest users when they can't be authenticated through other means like Microsoft Entra ID, a Microsoft account (MSA), or Google federation. When the guest user redeems an invitation or accesses a shared resource, they can request a temporary code, which is sent to their email address. Then they enter this code to continue signing in. | |
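Review bot: the federation row in this hunk still labels the feature "SAML/WS-Fed identity provider (preview) feature", while the Direct Federation row on this page introduces it as "SAML/WS-Fed identity provider (IdP) federation" with no preview tag; check which is current and align the two. Also, the rewritten "Carefully plan" row now attributes the cross-tenant controls to "Microsoft Entra External ID" while the tenant restrictions row below it names no product and the first row still points at "Securing external collaboration in Microsoft Entra ID and Microsoft 365"; that mix is fine inside link titles, but the body text of the rows should settle on one name.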
active-directory | B2b Quickstart Add Guest Users Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md | -#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a guest user in the portal, and understand the end user experience. +#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a guest user in the Microsoft Entra admin center, and understand the end user experience. # Quickstart: Add a guest user and send an invitation In this quickstart, you'll learn how to add a new guest user to your Microsoft E If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -The updated experience for creating new users covered in this article is available as a Microsoft Entra ID preview feature. This feature is enabled by default, but you can opt out by going to **Microsoft Entra ID** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). +The updated experience for creating new users covered in this article is available as a Microsoft Entra ID preview feature. This feature is enabled by default, but you can opt out by going to **Identity** > **Settings** > **Preview hub** and disabling the **Create user experience** feature. For more information about previews, see [Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). Instructions for the legacy create user process can be found in the [Add or delete users](../fundamentals/add-users.md) article. 
Instructions for the legacy create user process can be found in the [Add or dele To complete the scenario in this quickstart, you need: -- A role that allows you to create users in your tenant directory, such as the Global Administrator role or a limited administrator directory role such as Guest Inviter or User Administrator.+- A role that allows you to create users in your tenant directory, such as at least a [Guest Inviter role](../roles/permissions-reference.md#guest-inviter) or a [User administrator](../roles/permissions-reference.md#user-administrator). - Access to a valid email address outside of your Microsoft Entra tenant, such as a separate work, school, or social email address. You'll use this email to create the guest account in your tenant directory and access the invitation. When no longer needed, delete the test guest user. In this quickstart, you created a guest user in the Microsoft Entra admin center and sent an invitation to share apps. Then you viewed the redemption process from the guest user's perspective, and verified that the guest user was able to access their My Apps page. To learn more about adding guest users for collaboration, see [Add Microsoft Entra B2B collaboration users in the Microsoft Entra admin center](add-users-administrator.md). To learn more about adding guest users with PowerShell, see [Add and invite guests with PowerShell](b2b-quickstart-invite-powershell.md).-You can also bulk invite guest users [via the portal](tutorial-bulk-invite.md) or [via PowerShell](bulk-invite-powershell.md). +You can also bulk invite guest users [via the admin center](tutorial-bulk-invite.md) or [via PowerShell](bulk-invite-powershell.md). |
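Review bot: the rewritten prerequisite "A role that allows you to create users in your tenant directory, such as at least a [Guest Inviter role] or a [User administrator]" pairs a capability with the wrong role: Guest Inviter grants inviting guests, not creating users, and "at least a ... or a ..." doesn't parse. Since this quickstart only invites a guest, suggest "A role that allows you to invite guest users, such as Guest Inviter or User Administrator", which also puts the least-privileged option first.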
active-directory | B2b Quickstart Invite Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-quickstart-invite-powershell.md | Title: 'Quickstart: Add a guest user with PowerShell' -description: In this quickstart, you learn how to use PowerShell to send an invitation to an external Microsoft Entra B2B collaboration user. You'll use the Microsoft Graph Identity Sign-ins and the Microsoft Graph Users PowerShell modules. +description: In this quickstart, you learn how to use PowerShell to send an invitation to a Microsoft Entra B2B collaboration user. You'll use the Microsoft Graph Identity Sign-ins and the Microsoft Graph Users PowerShell modules. Previously updated : 07/31/2023 Last updated : 09/22/2023 -#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a user through PowerShell. ++#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a user via PowerShell. # Quickstart: Add a guest user with PowerShell -There are many ways you can invite external partners to your apps and services with Microsoft Entra B2B collaboration. In the previous quickstart, you saw how to add guest users directly in the Azure portal. You can also use PowerShell to add guest users, either one at a time or in bulk. In this quickstart, youΓÇÖll use the New-MgInvitation command to add one guest user to your Azure tenant. +There are many ways you can invite external partners to your apps and services with Microsoft Entra B2B collaboration. In the previous quickstart, you saw how to add guest users directly in the Microsoft Entra admin center. You can also use PowerShell to add guest users, either one at a time or in bulk. In this quickstart, youΓÇÖll use the New-MgInvitation command to add one guest user to your Microsoft Entra tenant. 
If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. ## Prerequisites -### PowerShell Module -Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Users). You can use the `#Requires` statement to prevent running a script unless the required PowerShell modules are met. ++To complete the scenario in this quickstart, you need: ++- A role that allows you to create users in your tenant directory, such as at least a [Guest Inviter role](../roles/permissions-reference.md#guest-inviter) or a [User administrator](../roles/permissions-reference.md#user-administrator). +- Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Users). You can use the `#Requires` statement to prevent running a script unless the required PowerShell modules are met. ```powershell #Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users ``` -### Get a test email account --You need a test email account that you can send the invitation to. The account must be from outside your organization. You can use any type of account, including a social account such as a gmail.com or outlook.com address. +- Get a test email account. You need a test email account that you can send the invitation to. The account must be from outside your organization. You can use any type of account, including a social account such as a gmail.com or outlook.com address. 
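Review bot: the prerequisites bullet says to install the modules and then presents `#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users` as the way to "prevent running a script unless the required PowerShell modules are met", but `#Requires` only imports the modules if they are already present and aborts the script otherwise; it installs nothing, so the bullet should show the install step (`Install-Module` for the two modules) separately from the guard. The role bullet also repeats the "at least a Guest Inviter role or a User administrator" wording from the portal quickstart, which conflates creating users with inviting guests; "a role that allows you to invite guest users, such as Guest Inviter or User Administrator" is the accurate requirement here too.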
## Sign in to your tenant When prompted, enter your credentials. ## Verify the user exists in the directory -1. To verify that the invited user was added to Microsoft Entra ID, run the following command (replace **john\@contoso.com** with your invited email): +1. To verify that the invited user was added to Microsoft Entra ID, run the following command (replace **john@contoso.com** with your invited email): ```powershell Get-MgUser -Filter "Mail eq 'John@contoso.com'" Remove-MgUser -UserId '3f80a75e-750b-49aa-a6b0-d9bf6df7b4c6' ## Next steps-In this quickstart, you invited and added a single guest user to your directory using PowerShell. You can also invite a guest user using the [Azure portal](b2b-quickstart-add-guest-users-portal.md). Additionally you can [invite guest users in bulk using PowerShell](tutorial-bulk-invite.md). +In this quickstart, you invited and added a single guest user to your directory using PowerShell. You can also invite a guest user using the [Microsoft Entra admin center](b2b-quickstart-add-guest-users-portal.md). Additionally you can [invite guest users in bulk using PowerShell](tutorial-bulk-invite.md). |
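Review bot: the verification step filters on the guest's mail (`Get-MgUser -Filter "Mail eq 'John@contoso.com'"`) while the cleanup step later in the hunk deletes by object ID (`Remove-MgUser -UserId '3f80a75e-750b-49aa-a6b0-d9bf6df7b4c6'`), and nothing in between tells the reader where that ID came from; suggest capturing the result of `New-MgInvitation` (its `InvitedUser.Id` is the guest object's ID) and using it for both the check and the removal, so the reader deletes the object they just created rather than whichever user happens to match the address. The prose also says to replace **john@contoso.com** while the command uses `John@contoso.com`; match the casing.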
active-directory | B2b Sponsors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-sponsors.md | Title: Add sponsors to a guest user in the Microsoft Entra admin center - Microsoft Entra ID (preview) + Title: Add sponsors to a guest user in the Microsoft Entra admin center - External ID (preview) description: Shows how an admin can add sponsors to guest users in Microsoft Entra B2B collaboration. -# Customer intent: As a tenant administrator, I want to know how to add sponsors to guest users in Microsoft Entra ID. +# Customer intent: As a tenant administrator, I want to know how to add sponsors to guest users in Microsoft Entra External ID. # Sponsors field for B2B users (preview) |
active-directory | Claims Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/claims-mapping.md | -# B2B collaboration user claims mapping in Microsoft Entra ID +# B2B collaboration user claims mapping in Microsoft Entra External ID -Microsoft Entra ID supports customizing the claims that are issued in the SAML token for [B2B collaboration](what-is-b2b.md) users. When a user authenticates to the application, Microsoft Entra ID issues a SAML token to the app that contains information (or claims) about the user that uniquely identifies them. By default, this claim includes the user's user name, email address, first name, and last name. +With Microsoft Entra External ID, you can customize the claims that are issued in the SAML token for [B2B collaboration](what-is-b2b.md) users. When a user authenticates to the application, Microsoft Entra ID issues a SAML token to the app that contains information (or claims) about the user that uniquely identifies them. By default, this claim includes the user's user name, email address, first name, and last name. In the [Microsoft Entra admin center](https://entra.microsoft.com), you can view or edit the claims that are sent in the SAML token to the application. To access the settings, browse to **Identity** > **Applications** > **Enterprise applications** > the application that's configured for single sign-on > **Single sign-on**. See the SAML token settings in the **User Attributes** section. |
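Review bot: "By default, this claim includes the user's user name, email address, first name, and last name" in the rewritten paragraph refers to a single claim where the preceding sentence describes a token carrying several; suggest "By default, these claims include ..." or "By default, the token includes the user's user name, ...".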
active-directory | Cross Tenant Access Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-overview.md | -Microsoft Entra organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Microsoft Entra organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md) give you granular control over how external Microsoft Entra organizations collaborate with you (inbound access) and how your users collaborate with external Microsoft Entra organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and Microsoft Entra hybrid joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Microsoft Entra organizations. +Microsoft Entra organizations can use External ID cross-tenant access settings to manage how they collaborate with other Microsoft Entra organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md) give you granular control over how external Microsoft Entra organizations collaborate with you (inbound access) and how your users collaborate with external Microsoft Entra organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and Microsoft Entra hybrid joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Microsoft Entra organizations. 
This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Microsoft Entra organizations, including across Microsoft clouds. More settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains. |
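Review bot: the rebrand in this hunk ("External ID cross-tenant access settings") stops one paragraph short: the trailing context still says "B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts)"; suggest "non-Microsoft Entra identities" to match the rest of the hunk.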
active-directory | Cross Tenant Access Settings B2b Collaboration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md | Title: Configure B2B collaboration cross-tenant access -description: Use cross-tenant collaboration settings to manage how you collaborate with other Microsoft Entra organizations. Learn how to configure outbound access to external organizations and inbound access from external Microsoft Entra ID for B2B collaboration. +description: Use cross-tenant collaboration settings to manage how you collaborate with other Microsoft Entra organizations. Learn how to configure outbound access to external organizations and inbound access from external Microsoft Entra organizations for B2B collaboration. |
active-directory | Cross Tenant Access Settings B2b Direct Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md | Title: Configure B2B direct connect cross-tenant access -description: Use cross-tenant access settings to manage how you collaborate with other Microsoft Entra organizations. Learn how to configure outbound access to external organizations and inbound access from external Microsoft Entra ID for B2B direct connect. +description: Use cross-tenant access settings to manage how you collaborate with other Microsoft Entra organizations. Learn how to configure outbound access to external organizations and inbound access from external Microsoft Entra organizations for B2B direct connect. |
active-directory | How To Web App Node Use Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-use-certificate.md | Microsoft Entra ID for customers supports two types of authentication for [confi In production, you should purchase a certificate signed by a well-known certificate authority, and use [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) to manage certificate access and lifetime for you. However, for testing purposes, you can create a self-signed certificate and configure your apps to authenticate with it. -In this article, you learn to generate a self-signed certificate by using [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) on the Azure portal, OpenSSL or Windows PowerShell. If you have a client secret already, you'll learn how to safely delete it. +In this article, you learn to generate a self-signed certificate by using [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) on the Azure portal, OpenSSL, or PowerShell. If you have a client secret already, you'll learn how to safely delete it. When needed, you can also create a self-signed certificate programmatically by using [.NET](/azure/key-vault/certificates/quick-create-net), [Node.js](/azure/key-vault/certificates/quick-create-node), [Go](/azure/key-vault/certificates/quick-create-go), [Python](/azure/key-vault/certificates/quick-create-python) or [Java](/azure/key-vault/certificates/quick-create-java) client libraries. |
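Review bot: the rewritten sentence keeps the framing that a self-signed certificate is for "testing purposes" and a CA-issued one for production, but nothing in the paragraph says what the CA signature adds for this flow; the only protection it describes is Key Vault managing "certificate access and lifetime", which applies equally to a self-signed certificate. Suggest either stating what is verified against the issuer, or rewording the production advice around private-key protection and rotation (the Key Vault clause), so readers don't take the issuer as the security boundary. The closing promise to "safely delete" an existing client secret is the right step and deserves one sentence on ordering: remove the secret only after certificate-based sign-in is confirmed working.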
active-directory | Quickstart Get Started Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/quickstart-get-started-guide.md | In this quickstart, we'll guide you through customizing the look and feel of you ## Customize your sign-in experience +When you set up a customer tenant free trial, the guide will start automatically as part of the configuration of your new customer tenant. If you created your customer tenant with an Azure subscription, you can start the guide manually by following the steps below. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Home** > **Go to Microsoft Entra ID** +1. On the **Get started** tab, select **Start the guide**. ++ :::image type="content" source="media/how-to-create-customer-tenant-portal/guide-link.png" alt-text="Screenshot that shows how to start the guide."::: + You can customize your customer's sign-in and sign-up experience in the External ID for customers tenant. Follow the guide that will help you set up the tenant in three easy steps. First you must specify how would you like your customer to sign in. At this step you can choose between two options: **Email and password** or **Email and one-time passcode**. You can configure social accounts later, which would allow your customers to sign in using their [Google](how-to-google-federation-customers.md) or [Facebook](how-to-facebook-federation-customers.md) account. You can also [define custom attributes](how-to-define-custom-attributes.md) to collect from the user during sign-up. If you prefer, you can add your company logo, change the background color or adjust the sign-in layout. 
These optional changes will apply to the look and feel of all your apps in this tenant with customer configurations. After you have the created tenant, additional branding options are available. You can [customize the default branding](how-to-customize-branding-customers.md) and [add languages](how-to-customize-languages-customers.md). Once you're finished with the customization, select **Continue**. |
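Review bot: three small issues in the added steps and the text that follows: step 3 "**Home** > **Go to Microsoft Entra ID**" is the only step without a terminating period; "First you must specify how would you like your customer to sign in" should read "how you would like"; and the trailing context "After you have the created tenant" should be "After you have created the tenant".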
active-directory | Customize Invitation Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customize-invitation-api.md | -We've had many customers tell us that they want to customize the invitation process. [With our API](/graph/api/resources/invitation), you can customize the invitation process in a way that works best for your organization. +[With the Microsoft Graph REST API](/graph/api/resources/invitation), you can customize the invitation process in a way that works best for your organization. ## Capabilities of the invitation API |
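Review bot: the rewritten link text "[With the Microsoft Graph REST API](/graph/api/resources/invitation)" wraps the preposition inside the link; suggest "With the [Microsoft Graph invitation API](/graph/api/resources/invitation), you can customize ..." so the link text names the resource the URL points to.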
active-directory | Default Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/default-account.md | -# Add Microsoft Entra ID as an identity provider for External Identities +# Add Microsoft Entra ID as an identity provider for External ID Microsoft Entra ID is available as an identity provider option for B2B collaboration by default. If an external guest user has a Microsoft Entra account through work or school, they can redeem your B2B collaboration invitations or complete your sign-up user flows using their Microsoft Entra account. |
active-directory | Direct Federation Adfs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/direct-federation-adfs.md | An AD FS server must already be set up and functioning before you begin this pro ## Configure AD FS for WS-Fed federation -Microsoft Entra B2B can be configured to federate with IdPs that use the WS-Fed protocol with the specific requirements listed below. Currently, the two WS-Fed providers have been tested for compatibility with Microsoft Entra External ID include AD FS and Shibboleth. Here, weΓÇÖll use Active Directory Federation Services (AD FS) as an example of the WS-Fed IdP. For more information about establishing a relying party trust between a WS-Fed compliant provider with Microsoft Entra External ID, download the Microsoft Azure AD Identity Provider Compatibility Docs. +Microsoft Entra B2B can be configured to federate with IdPs that use the WS-Fed protocol with the specific requirements listed below. Currently, the two WS-Fed providers have been tested for compatibility with Microsoft Entra External ID include AD FS and Shibboleth. Here, weΓÇÖll use Active Directory Federation Services (AD FS) as an example of the WS-Fed IdP. For more information about establishing a relying party trust between a WS-Fed compliant provider with Microsoft Entra External ID, download the Microsoft Entra identity provider compatibility docs. To set up federation, the following attributes must be received in the WS-Fed message from the IdP. These attributes can be configured by linking to the online security token service XML file or by entering them manually. 
Step 12 in [Create a test AD FS instance](https://medium.com/in-the-weeds/create-a-test-active-directory-federation-services-3-0-instance-on-an-azure-virtual-machine-9071d978e8ed) describes how to find the AD FS endpoints or how to generate your metadata URL, for example `https://fs.iga.azure-test.net/federationmetadata/2007-06/federationmetadata.xml`. |
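Review bot: the rewritten paragraph has a grammar break and a dangling reference: "Currently, the two WS-Fed providers have been tested for compatibility with Microsoft Entra External ID include AD FS and Shibboleth" should be "the two WS-Fed providers that have been tested ... are AD FS and Shibboleth", and "download the Microsoft Entra identity provider compatibility docs" names a document without linking it (the old text had the same gap under the Azure AD name). The trailing context also leans on a third-party medium.com post for finding the AD FS metadata endpoint and shows a test-domain URL (`fs.iga.azure-test.net`); the path `/federationmetadata/2007-06/federationmetadata.xml` is the part the reader needs, so state it directly and keep the external post as optional reading.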
active-directory | Direct Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/direct-federation.md | ->- *Direct federation* in Microsoft Entra ID is now referred to as *SAML/WS-Fed identity provider (IdP) federation*. +>- *Direct federation* in Microsoft Entra External ID is now referred to as *SAML/WS-Fed identity provider (IdP) federation*. This article describes how to set up federation with any organization whose identity provider (IdP) supports the SAML 2.0 or WS-Fed protocol. When you set up federation with a partner's IdP, new guest users from that domain can use their own IdP-managed organizational account to sign in to your Microsoft Entra tenant and start collaborating with you. There's no need for the guest user to create a separate Microsoft Entra account. |
active-directory | External Identities Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/external-identities-overview.md | Title: External Identities in Microsoft Entra ID + Title: Microsoft Entra External ID overview description: Microsoft Entra External ID allow you to collaborate with or publish apps to people outside your organization. Compare solutions for External Identities, including Microsoft Entra B2B collaboration, Microsoft Entra B2B collaboration, and Azure AD B2C. -# External Identities in Microsoft Entra ID +# Overview of Microsoft Entra External ID Microsoft Entra External ID refers to all the ways you can securely interact with users outside of your organization. If you want to collaborate with partners, distributors, suppliers, or vendors, you can share your resources and define how your internal users can access external organizations. If you're a developer creating consumer-facing apps, you can manage your customers' identity experiences. -With External Identities, external users can "bring their own identities." Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The external userΓÇÖs identity provider manages their identity, and you manage access to your apps with Microsoft Entra ID or Azure AD B2C to keep your resources protected. +With External ID, external users can "bring their own identities." Whether they have a corporate or government-issued digital identity, or an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The external userΓÇÖs identity provider manages their identity, and you manage access to your apps with Microsoft Entra ID or Azure AD B2C to keep your resources protected. 
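Review bot: the description line in the context is left unchanged and is wrong: "Compare solutions for External Identities, including Microsoft Entra B2B collaboration, Microsoft Entra B2B collaboration, and Azure AD B2C" lists B2B collaboration twice, and the second should be B2B direct connect (the same article's "## B2B direct connect" section is touched later in this row); "Microsoft Entra External ID allow you" should also be "allows you", and the description should pick up the "External ID" name the new H1 uses.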
The following capabilities make up External Identities: You can use [cross-tenant access settings](cross-tenant-access-overview.md) to m ## B2B direct connect -B2B direct connect is a new way to collaborate with other Microsoft Entra organizations. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, you create two-way trust relationships with other Microsoft Entra organizations to allow users to seamlessly sign in to your shared resources and vice versa. B2B direct connect users aren't added as guests to your Microsoft Entra directory. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Learn more about [B2B direct connect in Microsoft Entra ID](b2b-direct-connect-overview.md). +B2B direct connect is a new way to collaborate with other Microsoft Entra organizations. This feature currently works with Microsoft Teams shared channels. With B2B direct connect, you create two-way trust relationships with other Microsoft Entra organizations to allow users to seamlessly sign in to your shared resources and vice versa. B2B direct connect users aren't added as guests to your Microsoft Entra directory. When two organizations mutually enable B2B direct connect, users authenticate in their home organization and receive a token from the resource organization for access. Learn more about [B2B direct connect in Microsoft Entra External ID](b2b-direct-connect-overview.md). Currently, B2B direct connect enables the Teams Connect shared channels feature, which lets your users collaborate with external users from multiple organizations with a Teams shared channel for chat, calls, file-sharing, and app-sharing. 
Once youΓÇÖve set up B2B direct connect with an external organization, the following Teams shared channels capabilities become available: Azure AD B2C is a Customer Identity and Access Management (CIAM) solution that l With Azure AD B2C, customers can sign in with an identity they've already established (like Facebook or Gmail). You can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. -Although Azure AD B2C is built on the same technology as Microsoft Entra ID, it's a separate service with some feature differences. For more information about how an Azure AD B2C tenant differs from a Microsoft Entra tenant, see [Supported Microsoft Entra features](../../active-directory-b2c/supported-azure-ad-features.md) in the [Azure AD B2C documentation](../../active-directory-b2c/index.yml). +Although Azure AD B2C is built on the same technology as Microsoft Entra External ID, it's a separate service with some feature differences. For more information about how an Azure AD B2C tenant differs from a Microsoft Entra tenant, see [Supported Microsoft Entra features](../../active-directory-b2c/supported-azure-ad-features.md) in the [Azure AD B2C documentation](../../active-directory-b2c/index.yml). ## Comparing External Identities feature sets The following table gives a detailed comparison of the scenarios you can enable | **Single sign-on (SSO)** | SSO to all Microsoft Entra connected apps is supported. For example, you can provide access to Microsoft 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | SSO to a Teams shared channel. | SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Microsoft 365 or to other Microsoft SaaS apps isn't supported. | | **Licensing and billing** | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. 
Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration, B2B direct connect, and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for B2B](external-identities-pricing.md). | Based on monthly active users (MAU), including B2B collaboration and Azure AD B2C users. Learn more about [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/) and [billing setup for Azure AD B2C](../../active-directory-b2c/billing.md). | | **Security policy and compliance** | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). | Managed by the host/inviting organization (for example, with [Conditional Access policies](authentication-conditional-access.md) and cross-tenant access settings). See also the [Teams documentation](/microsoftteams/security-compliance-overview). | Managed by the organization via [Conditional Access and Identity Protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md). |-| **multifactor authentication** | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, the user is presented with an MFA challenge from the resource organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. 
| If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, and Conditional Access policies require MFA, the user is blocked from accessing resources. You *must* configure your inbound trust settings to accept MFA claims from the organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. | [Integrates directly](../../active-directory-b2c/multi-factor-authentication.md) with Microsoft Entra multifactor authentication. | +| **Multifactor authentication** | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, the user is presented with an MFA challenge from the resource organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. | If inbound trust settings to accept MFA claims from the user's home tenant are configured, and MFA policies have already been met in the user's home tenant, the external user can sign in. If MFA trust isn't enabled, and Conditional Access policies require MFA, the user is blocked from accessing resources. You *must* configure your inbound trust settings to accept MFA claims from the organization. [Learn more](authentication-conditional-access.md#mfa-for-azure-ad-external-users) about MFA for Microsoft Entra external users. | [Integrates directly](../../active-directory-b2c/multi-factor-authentication.md) with Microsoft Entra multifactor authentication. | | **Microsoft cloud settings** | [Supported.](cross-cloud-settings.md) | [Not supported.](cross-cloud-settings.md) | Not applicable. 
| | **Entitlement management** | [Supported.](../governance/entitlement-management-overview.md) | Not supported. | Not applicable. | | **Line-of-business (LOB) apps** | Supported. | Not supported. Only B2B direct connect-enabled apps can be shared (currently, Teams Connect shared channels). | Works with [RESTful API](../../active-directory-b2c/technical-overview.md#add-your-own-business-logic-and-call-restful-apis). | Based on your organizationΓÇÖs requirements you might use cross-tenant synchroni ## Managing External Identities features -Microsoft Entra B2B collaboration and B2B direct connect are features Microsoft Entra ID, and they're managed in the Azure portal through the Microsoft Entra service. To control inbound and outbound collaboration, you can use a combination of *cross-tenant access settings* and *external collaboration settings*. +Microsoft Entra B2B collaboration and B2B direct connect are features of Microsoft Entra External ID, and they're managed in the Azure portal through the Microsoft Entra service. To control inbound and outbound collaboration, you can use a combination of *cross-tenant access settings* and *external collaboration settings*. ### Cross-tenant access settings To set up B2B collaboration between tenants in different clouds, both tenants ne External collaboration settings determine whether your users can send B2B collaboration invitations to external users and the level of access guest users have to your directory. With these settings, you can: -- **Determine guest user permissions**. Microsoft Entra ID allows you to restrict what external guest users can see in your Microsoft Entra directory. For example, you can limit guest users' view of group memberships, or allow guests to view only their own profile information.+- **Determine guest user permissions**. Control what external guest users can see in your Microsoft Entra directory. 
For example, you can limit guest users' view of group memberships, or allow guests to view only their own profile information. - **Specify who can invite guests**. By default, all users in your organization, including B2B collaboration guest users, can invite external users to B2B collaboration. If you want to limit the ability to send invitations, you can turn invitations on or off for everyone, or limit invitations to certain roles. |
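Review bot: the description metadata kept by this change still lists the same product twice ("including Microsoft Entra B2B collaboration, Microsoft Entra B2B collaboration, and Azure AD B2C"); since the body compares B2B collaboration, B2B direct connect and Azure AD B2C, the second mention should presumably read "B2B direct connect". In the "Managing External Identities features" hunk, the rewritten sentence still says the features are "managed in the Azure portal through the Microsoft Entra service", while the sibling commits in this batch move the wording to "Microsoft Entra admin center"; consider aligning it in the same pass.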
active-directory | Invite Internal Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/invite-internal-users.md | You can use the Microsoft Entra admin center, PowerShell, or the invitation API ## Use PowerShell to send a B2B invitation -You'll need Azure AD PowerShell module version 2.0.2.130 or later. Use the following command to update to the latest AzureAD PowerShell module and invite the internal user to B2B collaboration: +You'll need Azure AD PowerShell module version 2.0.2.130 or later. Use the following command to update to the latest module and invite the internal user to B2B collaboration: ```powershell Uninstall-Module AzureAD |
active-directory | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/troubleshoot.md | You can enable this feature by using the setting 'ShowPeoplePickerSuggestionsFor By default, SharePoint Online and OneDrive have their own set of external user options and don't use the settings from Microsoft Entra ID. You need to enable [SharePoint and OneDrive integration with Microsoft Entra B2B](/sharepoint/sharepoint-azureb2b-integration-preview) to ensure the options are consistent among those applications. ## Invitations have been disabled for directory -If you're notified that you don't have permissions to invite users, verify that your user account is authorized to invite external users under Microsoft Entra ID > User settings > External users > Manage external collaboration settings: +If you're notified that you don't have permissions to invite users, verify that your user account is authorized to invite external users under Identity > Users > User settings > External users > Manage external collaboration settings: :::image type="content" source="media/troubleshoot/external-user-settings.png" alt-text="Screenshot showing the External User settings."::: Rarely, you might see this message: ΓÇ£This action can't be completed because th <a name='i-receive-the-error-that-azure-ad-cant-find-the-aad-extensions-app-in-my-tenant'></a> -## I receive the error that Microsoft Entra ID can't find the aad-extensions-app in my tenant +## I receive the error that Microsoft Entra ID can't find the `aad-extensions-app` in my tenant When you're using self-service sign-up features, like custom user attributes or user flows, an app called `aad-extensions-app. Do not modify. Used by AAD for storing user data.` is automatically created. It's used by Microsoft Entra External ID to store information about users who sign up and custom attributes collected. |
active-directory | Tutorial Bulk Invite | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/tutorial-bulk-invite.md | Check to see that the guest users you added exist in the directory either in the ### View guest users with PowerShell -To view guest users with PowerShell, you'll need the [Microsoft.Graph.Users PowerShell Module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true). Then sign in using the `Connect-MgGraph` command with an admin account to consent to the required scopes: +To view guest users with PowerShell, you'll need the [`Microsoft.Graph.Users` PowerShell module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true). Then sign in using the `Connect-MgGraph` command with an admin account to consent to the required scopes: ```powershell Connect-MgGraph -Scopes "User.Read.All" ``` |
active-directory | What Is B2b | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/what-is-b2b.md | -Microsoft Entra B2B collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with external users, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Microsoft Entra ID or an IT department. +B2B collaboration is a feature within Microsoft Entra External ID that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company's applications and services with external users, while maintaining control over your own corporate data. Work safely and securely with external partners, large or small, even if they don't have Microsoft Entra ID or an IT department. ![Diagram illustrating B2B collaboration.](media/what-is-b2b/b2b-collaboration-overview.png) |
active-directory | Create New Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/create-new-tenant.md | -You can do all of your administrative tasks using the Microsoft Entra portal, including creating a new tenant for your organization. +You can do all of your administrative tasks using the Microsoft Entra admin center, including creating a new tenant for your organization. In this quickstart, you'll learn how to get to the Azure portal and Microsoft Entra ID, and you'll learn how to create a basic tenant for your organization. |
active-directory | How To Get Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-get-support.md | Microsoft Q&A is Azure's recommended source for community support. We recommend ||| | Microsoft Authentication Library (MSAL) | [[`msal`]](/answers/topics/azure-ad-msal.html) | | Open Web Interface for .NET (OWIN) middleware | [[`azure-active-directory`]](/answers/topics/azure-active-directory.html) |-| [Azure AD B2B / External Identities](../external-identities/what-is-b2b.md) | [[`azure-ad-b2b`]](/answers/topics/azure-ad-b2b.html) | +| [Microsoft Entra B2B / External Identities](../external-identities/what-is-b2b.md) | [[`azure-ad-b2b`]](/answers/topics/azure-ad-b2b.html) | | [Azure AD B2C](https://azure.microsoft.com/services/active-directory-b2c/) | [[`azure-ad-b2c`]](/answers/topics/azure-ad-b2c.html) | | [Microsoft Graph API](https://developer.microsoft.com/graph/) | [[`azure-ad-graph`]](/answers/topics/azure-ad-graph.html) | | All other authentication and authorization areas | [[`azure-active-directory`]](/answers/topics/azure-active-directory.html) | |
active-directory | Security Defaults | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-defaults.md | After you enable security defaults in your tenant, any user accessing the follow - Azure PowerShell - Azure CLI -This policy applies to all users who are accessing Azure Resource Manager services, whether they're an administrator or a user. +This policy applies to all users who are accessing Azure Resource Manager services, whether they're an administrator or a user. This applies to ARM APIs such as accessing your subscription, VMs, storage accounts etc. This does not include Microsoft Entra ID or Microsoft Graph. > [!NOTE] > Pre-2017 Exchange Online tenants have modern authentication disabled by default. In order to avoid the possibility of a login loop while authenticating through these tenants, you must [enable modern authentication](/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online). |
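Review bot: the added sentence "This applies to ARM APIs such as accessing your subscription, VMs, storage accounts etc." doubles up "such as" with "etc.", and "does not" breaks the contraction style of the surrounding text ("they're", "whether"). Suggest: "This applies to Azure Resource Manager APIs, such as access to your subscription, VMs, and storage accounts. It doesn't include Microsoft Entra ID or Microsoft Graph." The exclusion of Microsoft Entra ID and Microsoft Graph is the part readers need when judging what this policy covers, so keep it as its own sentence rather than folding it into the list.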
active-directory | Users Default Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-default-permissions.md | You can restrict default permissions for member users in the following ways: | **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global Administrators and User Administrators can still create Microsoft 365 groups. To learn how, see [Microsoft Entra cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). | | **Restrict access to Microsoft Entra administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Microsoft Entra administration portal. <br>**Yes** Restricts non-administrators from browsing the Microsoft Entra administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It doesn't restrict access to Microsoft Entra data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It doesn't restrict access as long as a user is assigned a custom role (or any role). </p><p></p><p>**When should I use this switch?** <br>Use this option to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management that blocks non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). 
</p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Microsoft Entra administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Microsoft Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management targets access to all Azure management. | | **Restrict non-admin users from creating tenants** | Users can create tenants in the Microsoft Entra ID and Microsoft Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations. </p><p></p><p>**What does this switch do?** <br> Setting this option to **Yes** restricts creation of Microsoft Entra tenants to the Global Administrator or tenant creator roles. Setting this option to **No** allows non-admin users to create Microsoft Entra tenants. Tenant create will continue to be recorded in the Audit log. </p><p></p><p>**How do I grant only a specific non-administrator users the ability to create new tenants?** <br> Set this option to Yes, then assign them the tenant creator role.|-| **Restrict users from recovering the BitLocker key(s) for their owned devices** | This setting can be found in the Microsoft Entra ID and Microsoft Entra portal in the Device Settings. Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). 
| +| **Restrict users from recovering the BitLocker key(s) for their owned devices** | This setting can be found in the Microsoft Entra admin center in the Device Settings. Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). | | **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. | The **Restrict non-admin users from creating tenants** option is shown [below](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/UserSettings) |
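Review bot: the BitLocker row is updated to "Microsoft Entra admin center", but the unchanged tenant-creation row in the same table still reads "Users can create tenants in the Microsoft Entra ID and Microsoft Entra administration portal under Manage tenant", the same wording this hunk replaces; update it in the same commit for consistency. The question "How do I grant only a specific non-administrator users the ability to ..." appears twice in the visible rows and needs either "a specific non-administrator user" or "specific non-administrator users".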
active-directory | Configure Logic App Lifecycle Workflows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/configure-logic-app-lifecycle-workflows.md | Title: Configure a Logic App for Lifecycle Workflow use -description: Configure an Azure Logic App for use with Lifecycle Workflows +description: Configure an Azure Logic App for use with Lifecycle Workflows Last updated 06/22/2023 -- # Configure a Logic App for Lifecycle Workflow use Before you can use an existing Azure Logic App with the custom task extension feature of Lifecycle Workflows, it must first be made compatible. This reference guide provides a list of steps that must be taken to make the Azure Logic App compatible. For a guide on creating a new compatible Logic App via the Lifecycle Workflows portal, see [Trigger Logic Apps based on custom task extensions](trigger-custom-task.md). Before configuring your Azure Logic App custom extension for use with Lifecycle - Normal - Proof of Possession(POP) - To determine the security token type of your custom task extension, you'd check the **Custom extensions** page: :::image type="content" source="media/configure-logic-app-lifecycle-workflows/custom-task-extension-token-type.png" alt-text="Screenshot of custom task extension and token type."::: - > [!NOTE] > New custom task extensions will only have Proof of Possession(POP) token security type. Only task extensions created before the inclusion of the Proof of Possession token security type will have a type of Normal. To configure those you follow these steps: 1. On the left of the screen, select **Logic App code view**. 1. In the editor paste the following code:- ```LCW Logic App code view template ++ ```json { "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", To configure those you follow these steps: }, "parameters": {} }- ```+ 1. Select Save. 1. 
Switch to the **Logic App designer** and inspect the configured trigger and callback action. To build your custom business logic, add other actions between the trigger and callback action. If you're only interested in the fire-and-forget scenario, you may remove the callback action. -1. On the left of the screen, select **Identity**. +1. On the left of the screen, select **Identity**. 1. Under the system assigned tab, enable the status to register it with Microsoft Entra ID. -1. Select Save. +1. Select Save. ## Configure authorization policy for custom task extension with POP security token type If the security token type is **Proof of Possession (POP)** for your custom task extension, you'd set the authorization policy by following these steps: -1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Microsoft Entra admin center only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Microsoft Entra portal** to find the required Application ID. +1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Microsoft Entra admin center only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications** in the Microsoft Entra admin center to find the required Application ID. 1. Go back to the logic app you created, and select **Authorization**. 1. Create two authorization policies based on these tables: - Policy name: POP-Policy - - Policy type: AADPOP + Policy name: `POP-Policy` ++ Policy type: `AADPOP` |Claim |Value | ||| If the security token type is **Proof of Possession (POP)** for your custom task |u | management.azure.com | |p | /subscriptions/(subscriptionId)/resourceGroups/(resourceGroupName)/providers/Microsoft.Logic/workflows/(LogicApp name) | - 1. Save the Authorization policy. 
- > [!CAUTION] > Please pay attention to the details as minor differences can lead to problems later.-- For Issuer, ensure you did include the slash after your Tenant ID-- For appid, ensure the custom claim is ΓÇ£appidΓÇ¥ in all lowercase. The appid value represents Lifecycle Workflows and is always the same.++- For `Issuer`, ensure you included the slash after your Tenant ID +- For `appid`, ensure the custom claim is `appid` in all lowercase. The `appid` value represents Lifecycle Workflows and is always the same. ## Configure authorization policy for custom task extension with normal security token type If the security token type is **Normal** for your custom task extension, you'd set the authorization policy by following these steps: -1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Microsoft Entra admin center only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Microsoft Entra portal** to find the required Application ID. +1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Microsoft Entra admin center only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications** in the Microsoft Entra admin center to find the required Application ID. 1. Go back to the logic app you created, and select **Authorization**. 1. 
Create two authorization policies based on these tables: - Policy name: AzureADLifecycleWorkflowsAuthPolicy + Policy name: `AzureADLifecycleWorkflowsAuthPolicy` - Policy type: AAD + Policy type: `AAD` |Claim |Value | ||| If the security token type is **Normal** for your custom task extension, you'd s |Audience | Application ID of your Logic Apps Managed Identity | |appid | ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7 | - Policy name: AzureADLifecycleWorkflowsAuthPolicyV2App + Policy name: `AzureADLifecycleWorkflowsAuthPolicyV2App` - Policy type: AAD + Policy type: `AAD` |Claim |Value | ||| If the security token type is **Normal** for your custom task extension, you'd s > [!CAUTION] > Please pay attention to the details as minor differences can lead to problems later.-- For Issuer, ensure you did include the slash after your Tenant ID-- For Audience, ensure you're using the Application ID and not the Object ID of your Managed Identity-- For appid, ensure the custom claim is ΓÇ£appidΓÇ¥ in all lowercase. The appid value represents Lifecycle Workflows and is always the same.++- For `Issuer`, ensure you includes the slash after your Tenant ID. +- For Audience, ensure you're using the Application ID and not the Object ID of your Managed Identity. +- For `appid`, ensure the custom claim is `appid` in all lowercase. The `appid` value represents Lifecycle Workflows and is always the same. ## Using the Logic App with Lifecycle Workflows |
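Review bot: the rewritten caution list in the Normal-token section introduces a typo, "For `Issuer`, ensure you includes the slash after your Tenant ID."; the POP-token section's version of the same bullet reads "ensure you included the slash", and the two lists should use the same wording. The two lists also differ in punctuation (the POP list drops the trailing periods that the Normal list adds), so pick one form for both.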
active-directory | Entitlement Management Logs And Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-logs-and-reporting.md | Archiving Microsoft Entra audit logs requires you to have Azure Monitor in an Az 1. Check if there's already a setting to send the audit logs to that workspace. -1. If there isn't already a setting, select **Add diagnostic setting**. Use the instructions in [Integrate Microsoft Entra ID logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) to send the Microsoft Entra audit log to the Azure Monitor workspace. +1. If there isn't already a setting, select **Add diagnostic setting**. Use the instructions in [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) to send the Microsoft Entra audit log to the Azure Monitor workspace. ![Diagnostics settings pane](./media/entitlement-management-logs-and-reporting/audit-log-diagnostics-settings.png) $wks = Get-AzOperationalInsightsWorkspace ### Retrieve Log Analytics ID with multiple Azure subscriptions - [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) operates in one subscription at a time. So, if you have multiple Azure subscriptions, you want to make sure you connect to the one that has the Log Analytics workspace with the Microsoft Entra ID logs. + [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) operates in one subscription at a time. So, if you have multiple Azure subscriptions, you want to make sure you connect to the one that has the Log Analytics workspace with the Microsoft Entra logs. 
The following cmdlets display a list of subscriptions, and find the ID of the subscription that has the Log Analytics workspace: $subs | ft You can reauthenticate and associate your PowerShell session to that subscription using a command such as `Connect-AzAccount ΓÇôSubscription $subs[0].id`. To learn more about how to authenticate to Azure from PowerShell, including non-interactively, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps). -If you have multiple Log Analytics workspaces in that subscription, then the cmdlet [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) returns the list of workspaces. Then you can find the one that has the Microsoft Entra ID logs. The `CustomerId` field returned by this cmdlet is the same as the value of the "Workspace ID" displayed in the Microsoft Entra admin center in the Log Analytics workspace overview. +If you have multiple Log Analytics workspaces in that subscription, then the cmdlet [Get-AzOperationalInsightsWorkspace](/powershell/module/Az.OperationalInsights/Get-AzOperationalInsightsWorkspace) returns the list of workspaces. Then you can find the one that has the Microsoft Entra logs. The `CustomerId` field returned by this cmdlet is the same as the value of the "Workspace ID" displayed in the Microsoft Entra admin center in the Log Analytics workspace overview. ```powershell $wks = Get-AzOperationalInsightsWorkspace |
active-directory | How To Lifecycle Workflow Sync Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/how-to-lifecycle-workflow-sync-attributes.md | The EmployeeHireDate and EmployeeLeaveDateTime contain dates and times that must |SuccessFactors to Active Directory User Provisioning|FormatDateTime([endDate], ,"M/d/yyyy hh:mm:ss tt","yyyyMMddHHmmss.fZ")|On-premises AD string attribute|[Attribute mappings for SAP Success Factors](../saas-apps/sap-successfactors-inbound-provisioning-tutorial.md)| |Custom import to Active Directory|Must be in the format "yyyyMMddHHmmss.fZ"|On-premises AD string attribute|| |Microsoft Graph User API|Must be in the format "YYYY-MM-DDThh:mm:ssZ"|EmployeeHireDate and EmployeeLeaveDateTime||-|Workday to Microsoft Entra User Provisioning|Can use a direct mapping. No expression is needed but may be used to adjust the time portion of EmployeeHireDate and EmployeeLeaveDateTime|EmployeeHireDate and EmployeeLeaveDateTime|| -|SuccessFactors to Microsoft Entra User Provisioning|Can use a direct mapping. No expression is needed but may be used to adjust the time portion of EmployeeHireDate and EmployeeLeaveDateTime|EmployeeHireDate and EmployeeLeaveDateTime|| +|Workday to Microsoft Entra user provisioning|Can use a direct mapping. No expression is needed but may be used to adjust the time portion of EmployeeHireDate and EmployeeLeaveDateTime|EmployeeHireDate and EmployeeLeaveDateTime|| +|SuccessFactors to Microsoft Entra user provisioning|Can use a direct mapping. No expression is needed but may be used to adjust the time portion of EmployeeHireDate and EmployeeLeaveDateTime|EmployeeHireDate and EmployeeLeaveDateTime|| For more information on expressions, see [Reference for writing expressions for attribute mappings in Microsoft Entra ID](../app-provisioning/functions-for-customizing-application-data.md) |
active-directory | How To Inbound Synch Ms Graph | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md | The structure of how to do this consists of the following steps. They are: - [Review status](#review-status) - [Next steps](#next-steps) -Use these [Azure AD PowerShell Module for Windows PowerShell](/powershell/module/msonline/) commands to enable synchronization for a production tenant, a prerequisite for being able to call the Administration Web Service for that tenant. +Use these [Azure AD PowerShell module](/powershell/module/msonline/) commands to enable synchronization for a production tenant, a prerequisite for being able to call the Administration Web Service for that tenant. ## Basic setup |
active-directory | How To Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-troubleshoot.md | When you troubleshoot agent problems, you verify that the agent was installed co You can verify these items in the portal and on the local server that's running the agent. -<a name='entra-portal-agent-verification'></a> --### Microsoft Entra portal agent verification +### Microsoft Entra admin center agent verification [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] |
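Review bot: dropping the `<a name='entra-portal-agent-verification'></a>` anchor in the same hunk that renames the heading to "Microsoft Entra admin center agent verification" breaks any existing deep links to that fragment, and the renamed heading also gets a new auto-generated id. Keep the old anchor above the new heading (or add one for the previous heading id) so both fragment links keep resolving.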
active-directory | How To Bypassdirsyncoverrides | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-bypassdirsyncoverrides.md | Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD -Alt ## Next Steps -Learn more about [Microsoft Entra Connect: ADSyncTools PowerShell Module](reference-connect-adsynctools.md) +Learn more about [Microsoft Entra Connect: `ADSyncTools` PowerShell module](reference-connect-adsynctools.md) |
active-directory | How To Connect Configure Ad Ds Connector Account | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-configure-ad-ds-connector-account.md | -The PowerShell Module named [ADSyncConfig.psm1](reference-connect-adsyncconfig.md) was introduced with build 1.1.880.0 (released in August 2018) that includes a collection of cmdlets to help you configure the correct Active Directory permissions for your Microsoft Entra Connect deployment. +The PowerShell module named [`ADSyncConfig.psm1`](reference-connect-adsyncconfig.md) was introduced with build 1.1.880.0 (released in August 2018) that includes a collection of cmdlets to help you configure the correct Active Directory permissions for your Microsoft Entra Connect deployment. ## Overview The following PowerShell cmdlets can be used to setup Active Directory permissions of the AD DS Connector account, for each feature that you select to enable in Microsoft Entra Connect. To prevent any issues, you should prepare Active Directory permissions in advance whenever you want to install Microsoft Entra Connect using a custom domain account to connect to your forest. This ADSyncConfig module can also be used to configure permissions after Microsoft Entra Connect is deployed. The following table provides a summary of the permissions required on AD objects | Device writeback |Read and Write permissions to device objects and containers documented in [device writeback](how-to-connect-device-writeback.md). | | Group writeback |Read, Create, Update, and Delete group objects for synchronized **Office 365 groups**.| -## Using the ADSyncConfig PowerShell Module +## Using the ADSyncConfig PowerShell module + The ADSyncConfig module requires the [Remote Server Administration Tools (RSAT) for AD DS](/windows-server/remote/remote-server-administration-tools) since it depends on the AD DS PowerShell module and tools. 
To install RSAT for AD DS, open a Windows PowerShell window with ΓÇÿRun As AdministratorΓÇÖ and execute: ``` powershell |
active-directory | How To Connect Emergency Ad Fs Certificate Rotation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-emergency-ad-fs-certificate-rotation.md | You can also get the thumbprint by using AD FS Management. Go to **Service** > * ## Determine whether AD FS renews the certificates automatically By default, AD FS is configured to generate token signing and token decryption certificates automatically. It does so both during the initial configuration and when the certificates are approaching their expiration date. -You can run the following Windows PowerShell command: `PS C:\>Get-AdfsProperties | FL AutoCert*, Certificate*`. +You can run the following PowerShell command: `Get-AdfsProperties | FL AutoCert*, Certificate*`. The `AutoCertificateRollover` property describes whether AD FS is configured to renew token signing and token decrypting certificates automatically. Do either of the following: Now that you've added the first certificate, made it primary, and removed the ol ## Update Microsoft Entra ID with the new token-signing certificate -1. Open the Azure AD PowerShell Module for Windows PowerShell. Alternatively, open Windows PowerShell, and then run the `Import-Module msonline` command. +1. Open the Azure AD PowerShell module. Alternatively, open Windows PowerShell, and then run the `Import-Module msonline` command. 1. Connect to Microsoft Entra ID by running the following command: |
active-directory | How To Connect Fed Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-management.md | It's easy to add a domain to be federated with Microsoft Entra ID by using Micro The following sections provide details about some of the common tasks that you might have to perform to customize your AD FS sign-in page. ## <a name="customlogo"></a>Add a custom company logo or illustration -To change the logo of the company that's displayed on the **Sign-in** page, use the following Windows PowerShell cmdlet and syntax. +To change the logo of the company that's displayed on the **Sign-in** page, use the following PowerShell cmdlet and syntax. > [!NOTE] > The recommended dimensions for the logo are 260 x 35 \@ 96 dpi with a file size no greater than 10 KB. Set-AdfsWebTheme -TargetName default -Logo @{path="c:\Contoso\logo.PNG"} > The *TargetName* parameter is required. The default theme that's released with AD FS is named Default. ## <a name="addsignindescription"></a>Add a sign-in description -To add a sign-in page description to the **Sign-in page**, use the following Windows PowerShell cmdlet and syntax. +To add a sign-in page description to the **Sign-in page**, use the following PowerShell cmdlet and syntax. ```azurepowershell-interactive Set-AdfsGlobalWebContent -SignInPageDescriptionText "<p>Sign-in to Contoso requires device registration. Select <A href='http://fs1.contoso.com/deviceregistration/'>here</A> for more information.</p>" |
active-directory | How To Connect Fed O365 Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-o365-certs.md | On your AD FS server, open the MSOnline PowerShell prompt, and connect to Micros > [!NOTE] > MSOL-Cmdlets are part of the MSOnline PowerShell module.-> You can download the MSOnline PowerShell Module directly from the PowerShell Gallery. +> You can download the MSOnline PowerShell module directly from the PowerShell Gallery. > > Two certificates should be listed now, one of which has a **NotAfter** date of a ### Step 2: Update the new token signing certificates for the Microsoft 365 trust Update Microsoft 365 with the new token signing certificates to be used for the trust, as follows. -1. Open the Azure AD PowerShell Module for Windows PowerShell. +1. Open the Azure AD PowerShell module. 2. Run $cred=Get-Credential. When this cmdlet prompts you for credentials, type your cloud service administrator account credentials. 3. Run Connect-MsolService ΓÇôCredential $cred. This cmdlet connects you to the cloud service. Creating a context that connects you to the cloud service is required before running any of the additional cmdlets installed by the tool. 4. If you are running these commands on a computer that is not the AD FS primary federation server, run Set-MSOLAdfscontext -Computer <AD FS primary server>, where <AD FS primary server> is the internal FQDN name of the primary AD FS server. This cmdlet creates a context that connects you to AD FS. |
active-directory | How To Connect Fed Saml Idp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-saml-idp.md | It is recommended that you always import the latest Microsoft Entra metadata whe <a name='add-azure-ad-as-a-relying-party'></a> ## Add Microsoft Entra ID as a relying party+ You must enable communication between your SAML 2.0 identity provider and Microsoft Entra ID. This configuration will be dependent on your specific identity provider and you should refer to documentation for it. You would typically set the relying party ID to the same as the entityID from the Microsoft Entra metadata. >[!NOTE] >Verify the clock on your SAML 2.0 identity provider server is synchronized to an accurate time source. An inaccurate clock time can cause federated logins to fail. -## Install Windows PowerShell for sign-on with SAML 2.0 identity provider -After you have configured your SAML 2.0 identity provider for use with Microsoft Entra sign-on, the next step is to download and install the Azure AD PowerShell Module for Windows PowerShell. Once installed, you will use these cmdlets to configure your Microsoft Entra domains as federated domains. +## Install PowerShell for sign-on with SAML 2.0 identity provider ++After you have configured your SAML 2.0 identity provider for use with Microsoft Entra sign-on, the next step is to download and install the Azure AD PowerShell module. Once installed, you will use these cmdlets to configure your Microsoft Entra domains as federated domains. -The Azure AD PowerShell Module for Windows PowerShell is a download for managing your organizations data in Microsoft Entra ID. This module installs a set of cmdlets to Windows PowerShell; you run those cmdlets to set up single sign-on access to Microsoft Entra ID and in turn to all of the cloud services you are subscribed to. 
For instructions about how to download and install the cmdlets, see [/previous-versions/azure/jj151815(v=azure.100)](/previous-versions/azure/jj151815(v=azure.100)) +The Azure AD PowerShell module is a download for managing your organizations data in Microsoft Entra ID. This module installs a set of cmdlets to PowerShell; you run those cmdlets to set up single sign-on access to Microsoft Entra ID and in turn to all of the cloud services you are subscribed to. For instructions about how to download and install the cmdlets, see [/previous-versions/azure/jj151815(v=azure.100)](/previous-versions/azure/jj151815(v=azure.100)) <a name='set-up-a-trust-between-your-saml-identity-provider-and-azure-ad'></a> ## Set up a trust between your SAML identity provider and Microsoft Entra ID-Before configuring federation on a Microsoft Entra domain, it must have a custom domain configured. You cannot federate the default domain that is provided by Microsoft. The default domain from Microsoft ends with ΓÇ£onmicrosoft.comΓÇ¥. -You will run a series of cmdlets in the Windows PowerShell command-line interface to add or convert domains for single sign-on. +Before configuring federation on a Microsoft Entra domain, it must have a custom domain configured. You cannot federate the default domain that is provided by Microsoft. The default domain from Microsoft ends with `onmicrosoft.com`. +You will run a series of PowerShell cmdlets to add or convert domains for single sign-on. Each Microsoft Entra domain that you want to federate using your SAML 2.0 identity provider must either be added as a single sign-on domain or converted to be a single sign-on domain from a standard domain. Adding or converting a domain sets up a trust between your SAML 2.0 identity provider and Microsoft Entra ID. 
Once federation has been configured you can switch back to ΓÇ£non-federatedΓÇ¥ ( <a name='provision-user-principals-to-azure-ad--microsoft-365'></a> ## Provision user principals to Microsoft Entra ID / Microsoft 365-Before you can authenticate your users to Microsoft 365, you must provision Microsoft Entra ID with user principals that correspond to the assertion in the SAML 2.0 claim. If these user principals are not known to Microsoft Entra ID in advance, then they cannot be used for federated sign-in. Either Microsoft Entra Connect or Windows PowerShell can be used to provision user principals. +Before you can authenticate your users to Microsoft 365, you must provision Microsoft Entra ID with user principals that correspond to the assertion in the SAML 2.0 claim. If these user principals are not known to Microsoft Entra ID in advance, then they cannot be used for federated sign-in. Either Microsoft Entra Connect or PowerShell can be used to provision user principals. Microsoft Entra Connect can be used to provision principals to your domains in your Microsoft Entra Directory from the on-premises Active Directory. For more detailed information, see [Integrate your on-premises directories with Microsoft Entra ID](../whatis-hybrid-identity.md). -Windows PowerShell can also be used to automate adding new users to Microsoft Entra ID and to synchronize changes from the on-premises directory. To use the Windows PowerShell cmdlets, you must download the [Azure AD PowerShell Module](/powershell/azure/active-directory/install-adv2). +PowerShell can also be used to automate adding new users to Microsoft Entra ID and to synchronize changes from the on-premises directory. To use the PowerShell cmdlets, you must download the [Azure Active Directory PowerShell module](/powershell/azure/active-directory/install-adv2). This procedure shows how to add a single user to Microsoft Entra ID. As the administrator, before you verify and manage single sign-on (also called i 1. 
You have reviewed the Microsoft Entra SAML 2.0 Protocol Requirements 2. You have configured your SAML 2.0 identity provider-3. Install Windows PowerShell for single sign-on with SAML 2.0 identity provider +3. Install PowerShell for single sign-on with SAML 2.0 identity provider 4. Set up a trust between SAML 2.0 identity provider and Microsoft Entra ID-5. Provisioned a known test user principal to Microsoft Entra ID (Microsoft 365) either through Windows PowerShell or Microsoft Entra Connect. +5. Provisioned a known test user principal to Microsoft Entra ID (Microsoft 365) via either PowerShell or Microsoft Entra Connect. 6. Configure directory synchronization using [Microsoft Entra Connect](../whatis-hybrid-identity.md). After setting up single sign-on with your SAML 2.0 SP-Lite based identity Provider, you should verify that it is working correctly. |
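Review bot: the rewritten sentence under "Install PowerShell for sign-on with SAML 2.0 identity provider" still reads "managing your organizations data"; it should be "your organization's data". In the same hunk the module is called the "Azure AD PowerShell module" (linking to `/previous-versions/azure/jj151815(v=azure.100)`) in one section and the "Azure Active Directory PowerShell module" (linking to `/powershell/azure/active-directory/install-adv2`) in the provisioning section; pick one name and one install link for the article so readers are not sent to two different downloads.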
active-directory | How To Connect Import Export Config | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-import-export-config.md | To migrate the settings: 3. Run the script as shown here, and save the entire down-level server configuration directory. Copy this directory to the new staging server. You must copy the entire **Exported-ServerConfiguration-*** folder to the new server.- ![Screenshot that shows script in Windows PowerShell.](media/how-to-connect-import-export-config/migrate-2.png)![Screenshot that shows copying the Exported-ServerConfiguration-* folder.](media/how-to-connect-import-export-config/migrate-3.png) + ![Screenshot that shows script in PowerShell.](media/how-to-connect-import-export-config/migrate-2.png)![Screenshot that shows copying the Exported-ServerConfiguration-* folder.](media/how-to-connect-import-export-config/migrate-3.png) 4. Start **Microsoft Entra Connect** by double-clicking the icon on the desktop. Accept the Microsoft Software License Terms, and on the next page, select **Customize**. 5. Select the **Import synchronization settings** check box. Select **Browse** to browse the copied-over Exported-ServerConfiguration-* folder. Select the MigratedPolicy.json to import the migrated settings. |
active-directory | How To Connect Install Custom | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-custom.md | On the next page, you can select optional features for your scenario. >[!WARNING] >Microsoft Entra Connect versions 1.0.8641.0 and earlier rely on Azure Access Control Service for password writeback. This service was retired on November 7, 2018. If you use any of these versions of Microsoft Entra Connect and have enabled password writeback, users might lose the ability to change or reset their passwords when the service is retired. These versions of Microsoft Entra Connect don't support password writeback. >->For more information, see [Migrate from Azure Access Control Service](../../azuread-dev/active-directory-acs-migration.md). -> >If you want to use password writeback, download the [latest version of Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594). ![Screenshot showing the "Optional Features" page.](./media/how-to-connect-install-custom/optional2a.png) |
active-directory | How To Connect Install Multiple Domains | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-multiple-domains.md | Use the steps below to add an additional top-level domain. If you have already Use the following steps to remove the Microsoft Online trust and update your original domain. -1. On your AD FS federation server open **AD FS Management.** -2. On the left, expand **Trust Relationships** and **Relying Party Trusts** +1. On your AD FS federation server open **AD FS Management**. +2. On the left, expand **Trust Relationships** and **Relying Party Trusts**. 3. On the right, delete the **Microsoft Office 365 Identity Platform** entry. ![Remove Microsoft Online](./media/how-to-connect-install-multiple-domains/trust4.png)-4. On a machine that has [Azure AD PowerShell Module for Windows PowerShell](/previous-versions/azure/jj151815(v=azure.100)) installed on it run the following PowerShell: `$cred=Get-Credential`. +4. On a machine that has [Azure AD PowerShell module](/previous-versions/azure/jj151815(v=azure.100)) installed on it run the following PowerShell: `$cred=Get-Credential`. 5. Enter the username and password of a Hybrid Identity Administrator for the Microsoft Entra domain you are federating with.-6. In PowerShell, enter `Connect-MsolService -Credential $cred` -7. In PowerShell, enter `Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -SupportMultipleDomain`. This update is for the original domain. So using the above domains it would be: `Update-MsolFederatedDomain -DomainName bmcontoso.com -SupportMultipleDomain` +6. In PowerShell, enter `Connect-MsolService -Credential $cred`. +7. In PowerShell, enter `Update-MSOLFederatedDomain -DomainName <Federated Domain Name> -SupportMultipleDomain`. This update is for the original domain. 
So using the above domains it would be: `Update-MsolFederatedDomain -DomainName bmcontoso.com -SupportMultipleDomain` Use the following steps to add the new top-level domain using PowerShell -1. On a machine that has [Azure AD PowerShell Module for Windows PowerShell](/previous-versions/azure/jj151815(v=azure.100)) installed on it run the following PowerShell: `$cred=Get-Credential`. -2. Enter the username and password of a Hybrid Identity Administratoristrator for the Microsoft Entra domain you are federating with +1. On a machine that has [Azure AD PowerShell module](/previous-versions/azure/jj151815(v=azure.100)) installed on it run the following PowerShell: `$cred=Get-Credential`. +2. Enter the username and password of a Hybrid Identity Administrator for the Microsoft Entra domain you are federating with 3. In PowerShell, enter `Connect-MsolService -Credential $cred` 4. In PowerShell, enter `New-MsolFederatedDomain ΓÇôSupportMultipleDomain ΓÇôDomainName` |
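Review bot: step 4 of the unchanged lines, `New-MsolFederatedDomain ΓÇôSupportMultipleDomain ΓÇôDomainName`, has en dashes (shown here as ΓÇô) in front of both parameter names and gives `-DomainName` no value; while fixing step 2 nearby, rewrite it with ASCII hyphens and a placeholder, for example `New-MsolFederatedDomain -SupportMultipleDomain -DomainName <Federated Domain Name>`, matching the placeholder style used in step 7 of the previous list. Step 2 also lacks the trailing period the other steps have.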
active-directory | How To Connect Modify Group Writeback | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-modify-group-writeback.md | To configure directory settings to disable automatic writeback of newly created ``` > [!NOTE] -> We recommend using Microsoft Graph PowerShell SDK with [Windows PowerShell 7](/powershell/scripting/whats-new/migrating-from-windows-powershell-51-to-powershell-7?view=powershell-7.3&preserve-view=true). +> We recommend using Microsoft Graph PowerShell SDK with [PowerShell 7](/powershell/scripting/whats-new/migrating-from-windows-powershell-51-to-powershell-7?view=powershell-7.3&preserve-view=true). - Microsoft Graph: Use the [directorySetting](/graph/api/resources/directorysetting?view=graph-rest-beta&preserve-view=true) resource type. |
active-directory | How To Connect Monitor Federation Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-monitor-federation-changes.md | Follow these steps to set up alerts to monitor the trust relationship: After the environment is configured, the data flows as follows: - 1. Microsoft Entra ID Logs get populated per the activity in the tenant. + 1. Microsoft Entra logs are populated per the activity in the tenant. 2. The log information flows to the Azure Log Analytics workspace. 3. A background job from Azure Monitor executes the log query based on the configuration of the Alert Rule in the configuration step (2) above. ``` After the environment is configured, the data flows as follows: ## Next steps -- [Integrate Microsoft Entra ID logs with Azure Monitor logs](../../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)+- [Integrate Microsoft Entra logs with Azure Monitor logs](../../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) - [Create, view, and manage log alerts using Azure Monitor](../../../azure-monitor/alerts/alerts-create-new-alert-rule.md) - [Manage AD FS trust with Microsoft Entra ID using Microsoft Entra Connect](how-to-connect-azure-ad-trust.md) - [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs) |
active-directory | How To Connect Password Hash Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-password-hash-synchronization.md | The following section describes, in-depth, how password hash synchronization wor When synchronizing passwords, the plain-text version of your password is not exposed to the password hash synchronization feature, to Microsoft Entra ID, or any of the associated services. -User authentication takes place against Microsoft Entra rather than against the organization's own Active Directory instance. The SHA256 password data stored in Microsoft Entra ID--a hash of the original MD4 hash--is more secure than what is stored in Active Directory. Further, because this SHA256 hash cannot be decrypted, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack. +User authentication takes place against Microsoft Entra rather than against the organization's own Active Directory instance. The SHA256 password data stored in Microsoft Entra ID (a hash of the original MD4 hash) is more secure than what is stored in Active Directory. Further, because this SHA256 hash cannot be decrypted, it cannot be brought back to the organization's Active Directory environment and presented as a valid user password in a pass-the-hash attack. ### Password policy considerations If your organization uses the accountExpires attribute as part of user account m ### Overwrite synchronized passwords -An administrator can manually reset your password directly in Microsoft Entra ID by using Windows PowerShell (unless the user is in a Federated Domain). +An administrator can manually reset your password directly in Microsoft Entra ID by using PowerShell (unless the user is in a federated domain). 
In this case, the new password overrides your synchronized password, and all password policies defined in the cloud are applied to the new password. |
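Review bot: in the rewritten sentence, "this SHA256 hash cannot be decrypted" describes a hash in terms of encryption; the stored value is the output of a one-way function, so say it cannot be reversed to recover the original MD4 hash (or the password), which is the property that actually defeats the pass-the-hash reuse the rest of the sentence describes.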
active-directory | How To Connect Pta Quick Start | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-pta-quick-start.md | First, you can do it interactively by just running the downloaded Authentication Second, you can create and run an unattended deployment script. This is useful when you want to deploy multiple Authentication Agents at once, or install Authentication Agents on Windows servers that don't have user interface enabled, or that you can't access with Remote Desktop. Here are the instructions on how to use this approach: 1. Run the following command to install an Authentication Agent: `AADConnectAuthAgentSetup.exe REGISTERCONNECTOR="false" /q`.-2. You can register the Authentication Agent with our service using Windows PowerShell. Create a PowerShell Credentials object `$cred` that contains a global administrator username and password for your tenant. Run the following command, replacing *\<username\>* and *\<password\>*: +2. You can register the Authentication Agent with our service via PowerShell. Create a PowerShell Credentials object `$cred` that contains a global administrator username and password for your tenant. Run the following command, replacing `<username>` and `<password>`: ```powershell $User = "<username>" |
active-directory | How To Connect Staged Rollout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-staged-rollout.md | Enable *seamless SSO* by doing the following tasks: 5. Call `Get-AzureADSSOStatus | ConvertFrom-Json`. This command displays a list of Active Directory forests (see the "Domains" list) on which this feature has been enabled. By default, it's set to false at the tenant level. - ![Example of the Windows PowerShell output](./media/how-to-connect-staged-rollout/staged-3.png) + ![Example of the PowerShell output](./media/how-to-connect-staged-rollout/staged-3.png) 6. Call `$creds = Get-Credential`. At the prompt, enter the domain administrator credentials for the intended Active Directory forest. |
active-directory | How To Connect Sync Staging Server | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-staging-server.md | We need to ensure that only one Sync Server is syncing changes at any given time > ![Screenshot shows Ready to Configure screen in the Active Microsoft Entra Connect dialog box.](media/how-to-connect-sync-staging-server/active-server-config.png) Since the server will be in staging mode, it will not write changes to Microsoft Entra ID, but retain any changes to the AD in its Connector Space, ready to write them. -It is recommended to leave the sync process on for the server in Staging Mode, so if it becomes active, it will quickly take over and won't have to do a large sync to catch up to the current state of the AD/Azure AD objects in scope. +It is recommended to leave the sync process on for the server in Staging Mode, so if it becomes active, it will quickly take over and won't have to do a large sync to catch up to the current state of the Active Directory / Microsoft Entra objects in scope. 5. After selecting to start the sync process and clicking Configure, the Microsoft Entra Connect server will be configured into Staging Mode. When this is completed, you will be prompted with a screen that confirms Staging Mode is enabled. |
active-directory | How To Connect Syncservice Features | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-syncservice-features.md | The synchronization feature of Microsoft Entra Connect has two components: * The on-premises component named **Microsoft Entra Connect Sync**, also called **sync engine**. * The service residing in Microsoft Entra ID also known as **Microsoft Entra Connect Sync service** -This topic explains how the following features of the **Microsoft Entra Connect Sync service** work and how you can configure them using Windows PowerShell. +This topic explains how the following features of the **Microsoft Entra Connect Sync service** work and how you can configure them using PowerShell. -These settings are configured by the [Azure AD PowerShell Module for Windows PowerShell](/previous-versions/azure/jj151815(v=azure.100)). Download and install it separately from Microsoft Entra Connect. The cmdlets documented in this topic were introduced in the [2016 March release (build 9031.1)](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx#Version_9031_1). If you do not have the cmdlets documented in this topic or they do not produce the same result, then make sure you run the latest version. +These settings are configured by the [Azure AD PowerShell module](/previous-versions/azure/jj151815(v=azure.100)). Download and install it separately from Microsoft Entra Connect. The cmdlets documented in this topic were introduced in the [2016 March release (build 9031.1)](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx#Version_9031_1). If you do not have the cmdlets documented in this topic or they do not produce the same result, then make sure you run the latest version. 
To see the configuration in your Microsoft Entra directory, run `Get-MsolDirSyncFeatures`. ![Get-MsolDirSyncFeatures result](./media/how-to-connect-syncservice-features/getmsoldirsyncfeatures.png) |
active-directory | Howto Troubleshoot Upn Changes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/howto-troubleshoot-upn-changes.md | Learn more: [How to use the Microsoft Authenticator app](https://support.microso Microsoft Authenticator app has four main functions: -* **multifactor authentication** with push notification or verification code +* **Multifactor authentication** with push notification or verification code * **Authentication broker** on iOS and Android devices fir SSO for applications using brokered authentication * [Enable cross-app SSO on Android using MSAL](../../develop/msal-android-single-sign-on.md) * **Device registration** or workplace join, to Microsoft Entra ID, which is a requirement for Intune App Protection and Device Enrolment/Management |
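Review bot: the hunk capitalizes `Multifactor authentication` but leaves the typo in the very next bullet, `Authentication broker on iOS and Android devices fir SSO`, which should read `for SSO`; fix it in the same pass since the list is already being touched.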
active-directory | Reference Connect Accounts Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-accounts-permissions.md | The following table is a summary of the custom settings wizard pages, the creden ### Create the AD DS Connector account > [!IMPORTANT]-> A new PowerShell Module named *ADSyncConfig.psm1* was introduced with build 1.1.880.0 (released in August 2018). The module includes a collection of cmdlets that help you configure the correct Windows Server AD permissions for the Microsoft Entra DS Connector account. +> A new PowerShell module named *ADSyncConfig.psm1* was introduced with build 1.1.880.0 (released in August 2018). The module includes a collection of cmdlets that help you configure the correct Windows Server AD permissions for the Microsoft Entra Domain Services Connector account. > > For more information, see [Microsoft Entra Connect: Configure AD DS Connector account permission](how-to-connect-configure-ad-ds-connector-account.md). |
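Review bot: the new wording `Microsoft Entra Domain Services Connector account` conflicts with the heading `### Create the AD DS Connector account` and with the link text `Configure AD DS Connector account permission` in the same hunk; the note itself says the cmdlets configure `Windows Server AD permissions`, so the account is the AD DS (Windows Server Active Directory) Connector account, not a Microsoft Entra Domain Services account. Suggest: `...help you configure the correct Windows Server AD permissions for the AD DS Connector account.`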
active-directory | Reference Connect Adconnectivitytools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-adconnectivitytools.md | -The following documentation provides reference information for the ADConnectivityTools PowerShell Module that is included with Microsoft Entra Connect in `C:\Program Files\Microsoft Azure Active Directory Connect\Tools\ADConnectivityTool.psm1`. +The following documentation provides reference information for the `ADConnectivityTools` PowerShell module included with Microsoft Entra Connect in `C:\Program Files\Microsoft Azure Active Directory Connect\Tools\ADConnectivityTool.psm1`. ## Confirm-DnsConnectivity |
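Review bot: the module is called `ADConnectivityTools` in the sentence but the path ends in `ADConnectivityTool.psm1` (singular), so one of the two is wrong; check the shipped file name and make the module name and the path agree before adding backticks that make the discrepancy look intentional.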
active-directory | Reference Connect Adsync | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-adsync.md | -# Microsoft Entra Connect: ADSync PowerShell Reference -The following documentation provides reference information for the ADSync.psm1 PowerShell Module that is included with Microsoft Entra Connect. +# Microsoft Entra Connect: ADSync PowerShell Reference +The following documentation provides reference information for the `ADSync.psm1` PowerShell module that is included with Microsoft Entra Connect. ## Add-ADSyncADDSConnectorAccount |
active-directory | Reference Connect Adsyncconfig | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-adsyncconfig.md | -The following documentation provides reference information for the ADSyncConfig.psm1 PowerShell Module that is included with Microsoft Entra Connect. +The following documentation provides reference information for the `ADSyncConfig.psm1` PowerShell module included with Microsoft Entra Connect. ## Get-ADSyncADConnectorAccount |
active-directory | Reference Connect Adsynctools | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-adsynctools.md | -The following documentation provides reference information for the ADSyncTools.psm1 PowerShell Module that is included with Microsoft Entra Connect. +The following documentation provides reference information for the `ADSyncTools.psm1` PowerShell module included with Microsoft Entra Connect. -## Install the ADSyncTools PowerShell Module -To install the ADSyncTools PowerShell Module do the following: +## Install the ADSyncTools PowerShell module ++To install the ADSyncTools PowerShell module do the following: 1. Open Windows PowerShell with administrative privileges 2. Type or copy and paste the following: |
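Review bot: style, the new line `To install the ADSyncTools PowerShell module do the following:` needs a comma after `module`, and step `1. Open Windows PowerShell with administrative privileges` should end with a period to match step 2.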
active-directory | Tshoot Connect Install Issues | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-install-issues.md | However, if you donΓÇÖt meet the express installation criteria and must do the c * [Custom installation of Microsoft Entra Connect](./how-to-connect-install-custom.md) * [Microsoft Entra Connect: Upgrade from a previous version to the latest](./how-to-upgrade-previous-version.md) * [Microsoft Entra Connect: What is staging server?](./plan-connect-topologies.md#staging-server)-* [What is the ADConnectivityTool PowerShell Module?](./how-to-connect-adconnectivitytools.md) +* [What is the `ADConnectivityTool` PowerShell module?](./how-to-connect-adconnectivitytools.md) ## Next steps - [Microsoft Entra Connect Sync](how-to-connect-sync-whatis.md). |
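Review bot: the link text now reads `ADConnectivityTool` (singular) while the reference article for the same module, `reference-connect-adconnectivitytools.md` in this same change set, calls it `ADConnectivityTools`; pick one spelling of the module name and use it in both articles.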
active-directory | Tshoot Connect Largeobjecterror Usercertificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-largeobjecterror-usercertificate.md | To obtain the list of objects in your tenant with LargeObject errors, use one of ## Mitigation options Until the LargeObject error is resolved, other attribute changes to the same object cannot be exported to Microsoft Entra ID. To resolve the error, you can consider the following options: - * Upgrade Azure AD Connect to build 1.1.524.0 or after. In Azure AD Connect build 1.1.524.0, the out-of-box synchronization rules have been updated to not export attributes userCertificate and userSMIMECertificate if the attributes have more than 15 values. For details on how to upgrade Azure AD Connect, refer to article [Microsoft Entra Connect: Upgrade from a previous version to the latest](./how-to-upgrade-previous-version.md). + * Upgrade Microsoft Entra Connect to build 1.1.524.0 or after. In Microsoft Entra Connect build 1.1.524.0, the out-of-box synchronization rules have been updated to not export attributes userCertificate and userSMIMECertificate if the attributes have more than 15 values. For details on how to upgrade Microsoft Entra Connect, refer to article [Microsoft Entra Connect: Upgrade from a previous version to the latest](./how-to-upgrade-previous-version.md). * Implement an **outbound sync rule** in Microsoft Entra Connect that exports a **null value instead of the actual values for objects with more than 15 certificate values**. This option is suitable if you do not require any of the certificate values to be exported to Microsoft Entra ID for objects with more than 15 values. For details on how to implement this sync rule, refer to next section [Implementing sync rule to limit export of userCertificate attribute](#implementing-sync-rule-to-limit-export-of-usercertificate-attribute). 
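Review bot: style, `Upgrade Microsoft Entra Connect to build 1.1.524.0 or after` should read `or later`, and `refer to article [Microsoft Entra Connect: Upgrade ...]` should be `refer to the article`; the product rename itself is consistent with the other bullet in the hunk.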
Ensure no synchronization takes place while you are in the middle of implementin 2. Disable scheduled synchronization by running cmdlet: `Set-ADSyncScheduler -SyncCycleEnabled $false` > [!Note]-> The preceding steps are only applicable to newer versions (1.1.xxx.x) of Azure AD Connect with the built-in scheduler. If you are using older versions (1.0.xxx.x) of Azure AD Connect that uses Windows Task Scheduler, or you are using your own custom scheduler (not common) to trigger periodic synchronization, you need to disable them accordingly. +> The preceding steps are only applicable to newer versions (1.1.xxx.x) of Microsoft Entra Connect with the built-in scheduler. If you are using older versions (1.0.xxx.x) of Microsoft Entra Connect that uses Windows Task Scheduler, or you are using your own custom scheduler (not common) to trigger periodic synchronization, you need to disable them accordingly. 1. Start the **Synchronization Service Manager** by going to START → Synchronization Service. Now that the issue is resolved, re-enable the built-in sync scheduler: 2. Re-enable scheduled synchronization by running cmdlet: `Set-ADSyncScheduler -SyncCycleEnabled $true` > [!Note]-> The preceding steps are only applicable to newer versions (1.1.xxx.x) of Azure AD Connect with the built-in scheduler. If you are using older versions (1.0.xxx.x) of Azure AD Connect that uses Windows Task Scheduler, or you are using your own custom scheduler (not common) to trigger periodic synchronization, you need to disable them accordingly. +> The preceding steps are only applicable to newer versions (1.1.xxx.x) of Microsoft Entra Connect with the built-in scheduler. If you are using older versions (1.0.xxx.x) of Microsoft Entra Connect that uses Windows Task Scheduler, or you are using your own custom scheduler (not common) to trigger periodic synchronization, you need to disable them accordingly. 
## Next steps Learn more about [Integrating your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md). |
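Review bot: the second `> [!Note]` in this hunk, the one that follows `Re-enable scheduled synchronization by running cmdlet: Set-ADSyncScheduler -SyncCycleEnabled $true`, still ends with `you need to disable them accordingly`; it was copied from the disable step and should tell the reader to re-enable the Windows Task Scheduler task or custom scheduler accordingly. The rename to Microsoft Entra Connect is fine, but the copied wording gives the wrong instruction at this step.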
active-directory | Tshoot Connect Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-sso.md | This article helps you find troubleshooting information about common problems re ## Check status of feature -Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Identity** > **Hybrid management** > **Azure AD Connect** > **Connect Sync** pane in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/). +Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Connect Sync** pane in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/). ![Screenshot of the Microsoft Entra admin center: Microsoft Entra Connect pane.](./media/tshoot-connect-sso/sso10.png) |
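Review bot: both the removed and the added line contain a nested link, `[[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/)`, which renders as a link inside a link with two different targets; since the line is being rewritten anyway, collapse it to a single link, e.g. `[Microsoft Entra admin center](https://entra.microsoft.com)`.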
active-directory | Tshoot Connect Tshoot Sql Connectivity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-tshoot-sql-connectivity.md | Import-module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\T >[!NOTE] >Install-Module requires updating to [PowerShell 5.0 (WMF 5.0)](https://www.microsoft.com/download/details.aspx?id=50395) or later; -Or install [PackageManagement PowerShell Modules Preview - March 2016 for PowerShell 3.0/4.0](/powershell/module/PackageManagement) +Or install [PackageManagement PowerShell module preview - March 2016 for PowerShell 3.0/4.0](/powershell/module/PackageManagement) - **Show all commands**: `Get-Command -Module AdSyncTools` - **Execute the PowerShell function**: `Connect-ADSyncDatabase` with the following parameters |
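Review bot: the link text `PackageManagement PowerShell Modules Preview - March 2016 for PowerShell 3.0/4.0` is the title of a specific release, so lowercasing it to `module preview` changes a proper name rather than fixing casing; keep the original title. Separately, the note `Install-Module requires updating to [PowerShell 5.0 (WMF 5.0)](...) or later;` ends in a semicolon and then continues with `Or install ...` as a new paragraph; either end the note with a period and lowercase `or`, or join the two into one sentence.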
active-directory | Decommission Connect Sync V1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/decommission-connect-sync-v1.md | Last updated 05/31/2023 + - # Decommission Azure AD Connect V1 The one-year advanced notice of Azure AD Connect V1's retirement was announced in August 2021. As of August 31, 2022, all V1 versions went out of support and were subject to stop working unexpectedly at any point. |
active-directory | Howto Export Risk Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-export-risk-data.md | AADRiskyUsers ## Storage account -By routing logs to an Azure storage account, you can keep it for longer than the default retention period. For more information, see the article [Tutorial: Archive Microsoft Entra ID logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). +By routing logs to an Azure storage account, you can keep it for longer than the default retention period. For more information, see the article [Tutorial: Archive Microsoft Entra logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). ## Azure Event Hubs -Azure Event Hubs can look at incoming data from sources like Microsoft Entra ID Protection and provide real-time analysis and correlation. For more information, see the article [Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) +Azure Event Hubs can look at incoming data from sources like Microsoft Entra ID Protection and provide real-time analysis and correlation. 
For more information, see the article [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) ## Other options Organizations can use the [Microsoft Graph API to programmatically interact with ## Next steps -- [What is Microsoft Entra ID monitoring?](../reports-monitoring/overview-monitoring.md)+- [What is Microsoft Entra monitoring?](../reports-monitoring/overview-monitoring-health.md) - [Install and use the log analytics views for Microsoft Entra ID](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md) - [Connect data from Microsoft Entra ID Protection](../../sentinel/data-connectors/azure-active-directory-identity-protection.md) - [Microsoft Entra ID Protection and the Microsoft Graph PowerShell SDK](howto-identity-protection-graph-api.md)-- [Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)+- [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
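Review bot: in `By routing logs to an Azure storage account, you can keep it for longer than the default retention period`, `it` should be `them` (the logs), and the newly split paragraph `For more information, see the article [Tutorial: Stream Microsoft Entra logs to an Azure event hub](...)` still has no terminating period, as the original sentence did not; add one while the sentence is being moved.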
active-directory | Add Application Portal Assign Users | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-assign-users.md | To create a user account in your Microsoft Entra tenant: To assign a user account to an enterprise application: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. For example, the application that you created in the previous quickstart named **Azure AD SAML toolkit 1**. +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. For example, the application that you created in the previous quickstart named **Azure AD SAML Toolkit 1**. 1. In the left pane, select **Users and groups**, and then select **Add user/group**. :::image type="content" source="media/add-application-portal-assign-users/assign-user.png" alt-text="Assign user account to an application in your Microsoft Entra tenant."::: |
active-directory | Add Application Portal Setup Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal-setup-sso.md | -Microsoft Entra ID has a gallery that contains thousands of pre-integrated applications that use SSO. This article uses an enterprise application named **Azure AD SAML toolkit 1** as an example, but the concepts apply for most pre-configured enterprise applications in the gallery. +Microsoft Entra ID has a gallery that contains thousands of pre-integrated applications that use SSO. This article uses an enterprise application named **Azure AD SAML Toolkit 1** as an example, but the concepts apply for most pre-configured enterprise applications in the gallery. It is recommended that you use a non-production environment to test the steps in this article. To enable SSO for an application: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. -1. Enter the name of the existing application in the search box, and then select the application from the search results. For example, **Azure AD SAML toolkit 1**. +1. Enter the name of the existing application in the search box, and then select the application from the search results. For example, **Azure AD SAML Toolkit 1**. 1. In the **Manage** section of the left menu, select **Single sign-on** to open the **Single sign-on** pane for editing. 1. Select **SAML** to open the SSO configuration page. After the application is configured, users can sign in to it by using their credentials from the Microsoft Entra tenant.-1. The process of configuring an application to use Microsoft Entra ID for SAML-based SSO varies depending on the application. 
For any of the enterprise applications in the gallery, use the **configuration guide** link to find information about the steps needed to configure the application. The steps for the **Azure AD SAML toolkit 1** are listed in this article. +1. The process of configuring an application to use Microsoft Entra ID for SAML-based SSO varies depending on the application. For any of the enterprise applications in the gallery, use the **configuration guide** link to find information about the steps needed to configure the application. The steps for the **Azure AD SAML Toolkit 1** are listed in this article. :::image type="content" source="media/add-application-portal-setup-sso/saml-configuration.png" alt-text="Configure single sign-on for an enterprise application."::: -1. In the **Set up Azure AD SAML toolkit 1** section, record the values of the **Login URL**, **Microsoft Entra Identifier**, and **Logout URL** properties to be used later. +1. In the **Set up Azure AD SAML Toolkit 1** section, record the values of the **Login URL**, **Microsoft Entra Identifier**, and **Logout URL** properties to be used later. ## Configure single sign-on in the tenant Using single sign-on in the application requires you to register the user accoun To register a user account with the application: -1. Open a new browser window and browse to the sign-in URL for the application. For the **Azure AD SAML toolkit** application, the address is `https://samltoolkit.azurewebsites.net`. +1. Open a new browser window and browse to the sign-in URL for the application. For the **Azure AD SAML Toolkit** application, the address is `https://samltoolkit.azurewebsites.net`. 1. Select **Register** in the upper right corner of the page. 
- :::image type="content" source="media/add-application-portal-setup-sso/toolkit-register.png" alt-text="Register a user account in the Azure AD SAML toolkit application."::: + :::image type="content" source="media/add-application-portal-setup-sso/toolkit-register.png" alt-text="Register a user account in the Azure AD SAML Toolkit application."::: 1. For **Email**, enter the email address of the user that will access the application. Ensure that the user account is already assigned to the application. 1. Enter a **Password** and confirm it. You can test the single sign-on configuration from the **Set up single sign-on** To test SSO: -1. In the **Test single sign-on with Azure AD SAML toolkit 1** section, on the **Set up single sign-on with SAML** pane, select **Test**. +1. In the **Test single sign-on with Azure AD SAML Toolkit 1** section, on the **Set up single sign-on with SAML** pane, select **Test**. 1. Sign in to the application using the Microsoft Entra credentials of the user account that you assigned to the application. |
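Review bot: this quickstart says `It is recommended that you use a non-production environment` while the companion quickstart `add-application-portal.md` in the same change set says `nonproduction`; since the `Azure AD SAML Toolkit` name is being normalized across these articles, normalize that spelling too. Merging the split step into one list item (`The process of configuring an application ... The steps for the **Azure AD SAML Toolkit 1** are listed in this article.`) reads fine.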
active-directory | Add Application Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/add-application-portal.md | -In this quickstart, you use the Microsoft Entra admin center to add an enterprise application to your Microsoft Entra tenant. Microsoft Entra ID has a gallery that contains thousands of enterprise applications that have been preintegrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md). +In this quickstart, you use the Microsoft Entra admin center to add an enterprise application to your Microsoft Entra tenant. Microsoft Entra ID has a gallery that contains thousands of enterprise applications that have been preintegrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md). It's recommended that you use a nonproduction environment to test the steps in this quickstart. To add an enterprise application to your tenant: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. 1. Select **New application**.-1. The **Browse Microsoft Entra Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons indicating whether they support federated single sign-on (SSO) and provisioning. 
Search for and select the application. In this quickstart, **Azure AD SAML toolkit* is being used. +1. The **Browse Microsoft Entra Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons indicating whether they support federated single sign-on (SSO) and provisioning. Search for and select the application. In this quickstart, **Azure AD SAML Toolkit* is being used. :::image type="content" source="media/add-application-portal/browse-gallery.png" alt-text="Browse in the enterprise application gallery for the application that you want to add."::: |
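Review bot: the rewritten list item still carries unbalanced emphasis, `**Azure AD SAML Toolkit* is being used.`, which opens with `**` and closes with a single `*`; it should be `**Azure AD SAML Toolkit** is being used.` so the application name renders in bold instead of leaking asterisks into the page.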
active-directory | Application Sign In Unexpected User Consent Error | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md | End-users won't be able to grant consent to apps that have been detected as risk ## Next steps -[Apps, permissions, and consent in Azure Active Directory (v1 endpoint)](../develop/quickstart-register-app.md)<br> +[Apps, permissions, and consent in Azure Active Directory (v1.0 endpoint)](../develop/quickstart-register-app.md)<br> -[Scopes, permissions, and consent in the Microsoft Entra ID (v2.0 endpoint)](../develop/permissions-consent-overview.md) +[Scopes, permissions, and consent in the Microsoft identity platform (v2.0 endpoint)](../develop/permissions-consent-overview.md) [Unexpected consent prompt when signing in to an application](application-sign-in-unexpected-user-consent-prompt.md) |
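Review bot: the first link label `Apps, permissions, and consent in Azure Active Directory (v1.0 endpoint)` points at `../develop/quickstart-register-app.md`, which by its name is an app registration quickstart rather than a v1.0 consent article, so label and target do not match; either link a consent article or relabel the link. This item also ends with a trailing `<br>` while the other two links are separate paragraphs; use one convention for the list.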
active-directory | Delete Application Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/delete-application-portal.md | To delete an enterprise application, you need: 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.-1. Enter the name of the existing application in the search box, and then select the application from the search results. In this article, we use the **Azure AD SAML toolkit 1** as an example. +1. Enter the name of the existing application in the search box, and then select the application from the search results. In this article, we use the **Azure AD SAML Toolkit 1** as an example. 1. In the **Manage** section of the left menu, select **Properties**. 1. At the top of the **Properties** pane, select **Delete**, and then select **Yes** to confirm you want to delete the application from your Microsoft Entra tenant. |
active-directory | F5 Big Ip Kerberos Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md | Initiate the APM Guided Configuration to launch the Easy Button template. 1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**. - ![Screenshot of the Microsoft Entra Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) + ![Screenshot of the Azure A D Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) 2. Review the configuration steps and select **Next** The BIG-IP does not support group Managed Service Accounts (gMSA), therefore cre 1. Enter the following PowerShell command. Replace the **UserPrincipalName** and **SamAccountName** values with your environment values. For better security, use a dedicated SPN that matches the host header of the application. - ```New-ADUser -Name "F5 BIG-IP Delegation Account" UserPrincipalName $HOST_SPN SamAccountName "f5-big-ip" -PasswordNeverExpires $true Enabled $true -AccountPassword (Read-Host -AsSecureString "Account Password") ``` + `New-ADUser -Name "F5 BIG-IP Delegation Account" UserPrincipalName $HOST_SPN SamAccountName "f5-big-ip" -PasswordNeverExpires $true Enabled $true -AccountPassword (Read-Host -AsSecureString "Account Password")` HOST_SPN = host/f5-big-ip.contoso.com@contoso.com The BIG-IP does not support group Managed Service Accounts (gMSA), therefore cre 2. 
Create a **Service Principal Name (SPN)** for the APM service account to use during delegation to the web application service account: - ```Set-AdUser -Identity f5-big-ip -ServicePrincipalNames @Add="host/f5-big-ip.contoso.com"} ``` + `Set-AdUser -Identity f5-big-ip -ServicePrincipalNames @{ Add="host/f5-big-ip.contoso.com" }` >[!NOTE] >It is mandatory to include the host/ part in the format of UserPrincipleName (host/name.domain@domain) or ServicePrincipleName (host/name.domain). The BIG-IP does not support group Managed Service Accounts (gMSA), therefore cre * Confirm your web application is running in the computer context or a dedicated service account. * For the Computer context, use the following command to query the account object in the Active Directory to see its defined SPNs. Replace <name_of_account> with the account for your environment. - ```Get-ADComputer -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ``` + `Get-ADComputer -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames` For example: Get-ADUser -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames * For the dedicated service account, use the following command to query the account object in Active Directory to see its defined SPNs. Replace <name_of_account> with the account for your environment. 
- ```Get-ADUser -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ``` + `Get-ADUser -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames` For example:- Get-ADComputer -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ++ `Get-ADComputer -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames` 4. If the application ran in the machine context, add the SPN to the object of the computer account in Active Directory: - ```Set-ADComputer -Identity APP-VM-01 -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ``` + `Set-ADComputer -Identity APP-VM-01 -ServicePrincipalNames @{ Add="http/myexpenses.contoso.com" }` With SPNs defined, establish trust for the APM service account delegate to that service. The configuration varies depending on the topology of your BIG-IP instance and application server. With SPNs defined, establish trust for the APM service account delegate to that 1. Set trust for the APM service account to delegate authentication: - ```Get-ADUser -Identity f5-big-ip | Set-ADAccountControl -TrustedToAuthForDelegation $true ``` + `Get-ADUser -Identity f5-big-ip | Set-ADAccountControl -TrustedToAuthForDelegation $true` 2. The APM service account needs to know the target SPN it's trusted to delegate to. Set the target SPN to the service account running your web application: - ```Set-ADUser -Identity f5-big-ip -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/myexpenses.contoso.com')} ``` + `Set-ADUser -Identity f5-big-ip -Add @{ 'msDS-AllowedToDelegateTo'=@('HTTP/myexpenses.contoso.com') }` >[!NOTE] >You can complete these tasks with the Active Directory Users and Computers, Microsoft Management Console (MMC) snap-in, on a domain controller. 
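Review bot: the `New-ADUser` command in the first hunk is missing the parameter dashes on `UserPrincipalName`, `SamAccountName` and `Enabled` (`New-ADUser -Name "F5 BIG-IP Delegation Account" UserPrincipalName $HOST_SPN SamAccountName "f5-big-ip" -PasswordNeverExpires $true Enabled $true ...`), so PowerShell would treat them as stray positional arguments and the command fails; write `-UserPrincipalName $HOST_SPN -SamAccountName "f5-big-ip" -Enabled $true`. The line `HOST_SPN = host/f5-big-ip.contoso.com@contoso.com` beneath it is not valid PowerShell either; show it as `$HOST_SPN = "host/f5-big-ip.contoso.com@contoso.com"` before the command that uses it. Converting the broken triple-backtick fences to inline code is fine, but a proper fenced `powershell` block would keep these commands copy-pasteable.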
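Review bot: the `Set-AdUser ... -ServicePrincipalNames @{ Add="host/f5-big-ip.contoso.com" }` hunk correctly repairs the hashtable that was written as `@Add="..."}`, but the note directly under it spells `UserPrincipleName` and `ServicePrincipleName`; both should be `UserPrincipalName` and `ServicePrincipalName`, matching the parameter names used in the commands above and below.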
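Review bot: in the two SPN query hunks the `For example:` lines are swapped: the computer-context bullet (`Get-ADComputer -identity <name_of_account> ...`) is followed by the example `Get-ADUser -identity f5-big-ip ...`, and the dedicated-service-account bullet (`Get-ADUser -identity <name_of_account> ...`) is followed by `Get-ADComputer -identity f5-big-ip ...`; each example should use the same cmdlet as the bullet it illustrates, and since `f5-big-ip` is created with `New-ADUser` earlier in this article it is a user object, so `Get-ADComputer -identity f5-big-ip` would not find it. Also wrap `<name_of_account>` in backticks in the prose, as it is in the commands, so the angle brackets render literally.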
In the Windows Server 2012 version, and higher, cross-domain KCD uses Resource-B You can use the PrincipalsAllowedToDelegateToAccount property of the application service account (computer or dedicated service account) to grant delegation from BIG-IP. For this scenario, use the following PowerShell command on a domain controller (Windows Server 2012 R2, or later) in the same domain as the application. -Use an SPN defined against a web application service account. For better security, use a dedicated SPN that matches the host header of the application. For example, because the web application host header in this example is myexpenses.contoso.com, add HTTP/myexpenses.contoso.com to the application service account object in Active Directory (AD): +Use an SPN defined against a web application service account. For better security, use a dedicated SPN that matches the host header of the application. For example, because the web application host header in this example is `myexpenses.contoso.com`, add `HTTP/myexpenses.contoso.com` to the application service account object in Active Directory (AD): -```Set-AdUser -Identity web_svc_account -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ``` +`Set-AdUser -Identity web_svc_account -ServicePrincipalNames @{ Add="http/myexpenses.contoso.com" }` For the following commands, note the context. 
If the web_svc_account service runs in the context of a user account, use these commands: -```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ``` -```Set-ADUser -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount ``` -```$big-ip Get-ADUser web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ``` +`$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com` ++``Set-ADUser -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount` ++`$big-ip Get-ADUser web_svc_account -Properties PrincipalsAllowedToDelegateToAccount` If the web_svc_account service runs in the context of a computer account, use these commands: -```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ``` -```Set-ADComputer -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount ``` -```$big-ip Get-ADComputer web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ``` +`$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com` ++`Set-ADComputer -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount` ++`$big-ip Get-ADComputer web_svc_account -Properties PrincipalsAllowedToDelegateToAccount` For more information, see [Kerberos Constrained Delegation across domains](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831477(v=ws.11)). |
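Review bot: in the user-account hunk, `$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com` is not a valid assignment, because a hyphen ends a PowerShell variable name (it parses as `$big` followed by `-ip`); use `$bigip` or `${big-ip}`. The next two inline commands are one command split in the wrong place: `Set-ADUser -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount` needs the `$big-ip` value that now begins the third line, and the remainder of that third line, `Get-ADUser web_svc_account -Properties PrincipalsAllowedToDelegateToAccount`, is the separate verification command. The second command's inline code also opens with a doubled backtick before `Set-ADUser` and closes with a single one, so it will not render. Finally, `f5-big-ip` is created with `New-ADUser` earlier in this article, so `Get-ADComputer -Identity f5-big-ip` should be `Get-ADUser` unless the delegation account is in fact a computer object.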
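Review bot: the computer-account hunk has the same defects as the user-account hunk above it: the invalid `$big-ip` variable name, and the `$big-ip` argument split off `Set-ADComputer -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount` onto the following line; fix both blocks together so they stay parallel, e.g. `Set-ADComputer -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount $bigip` followed by `Get-ADComputer web_svc_account -Properties PrincipalsAllowedToDelegateToAccount` as the verification step.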
active-directory | F5 Big Ip Ldap Header Easybutton | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md | Initiate the APM **Guided Configuration** to launch the **Easy Button** template 1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**. - ![Screenshot of the Microsoft Entra Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) + ![Screenshot of the Azure A D Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png) 2. Review the list of steps and select **Next** This section contains properties to manually configure a new BIG-IP SAML applica For this scenario, select **F5 BIG-IP APM Azure AD Integration > Add**. - ![Screenshot of the Add option under Configuration Properties on Azure Configuration.](./media/f5-big-ip-easy-button-ldap/azure-config-add-app.png) #### Azure Configuration |
active-directory | F5 Passwordless Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-passwordless-vpn.md | Set up a SAML federation trust between the BIG-IP to allow the Microsoft Entra B 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 2. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**, then select **New application**.-3. In the gallery, search for F5 and select **F5 BIG-IP APM Azure AD integration**. +3. In the gallery, search for *F5* and select **F5 BIG-IP APM Azure AD integration**. 4. Enter a name for the application. 5. Select **Add** then **Create**. 6. The name, as an icon, appears in the Microsoft Entra admin center and Office 365 portal. |
active-directory | Migrate Adfs Saml Based Sso | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-saml-based-sso.md | SaaS apps need to know where to send authentication requests and how to validate | **IdP sign-out URL**<p>Sign-out URL of the IdP from the app's perspective (where the user is redirected when they choose to sign out of the app).| The sign-out URL is either the same as the sign-on URL, or the same URL with "wa=wsignout1.0" appended. For example: `https://fs.contoso.com/adfs/ls/?wa=wsignout1.0`| Replace {tenant-id} with your tenant ID.<p>For apps that use the SAML-P protocol:<p>[https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) <p> ΓÇÄFor apps that use the WS-Federation protocol: [https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0](https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0) | | **Token signing certificate**<p>The IdP uses the private key of the certificate to sign issued tokens. It verifies that the token came from the same IdP that the app is configured to trust.| Find the AD FS token signing certificate in AD FS Management under **Certificates**.| Find it in the Microsoft Entra admin center in the application's **Single sign-on properties** under the header **SAML Signing Certificate**. There, you can download the certificate for upload to the app. <p>ΓÇÄIf the application has more than one certificate, you can find all certificates in the federation metadata XML file. | | **Identifier/ "issuer"**<p>Identifier of the IdP from the app's perspective (sometimes called the "issuer ID").<p>ΓÇÄIn the SAML token, the value appears as the Issuer element.| The identifier for AD FS is usually the federation service identifier in AD FS Management under **Service > Edit Federation Service Properties**. 
For example: `http://fs.contoso.com/adfs/services/trust`| Replace {tenant-id} with your tenant ID.<p>https:\//sts.windows.net/{tenant-id}/ |-| **IdP federation metadata**<p>Location of the IdP's publicly available federation metadata. (Some apps use federation metadata as an alternative to the administrator configuring URLs, identifier, and token signing certificate individually.)| Find the AD FS federation metadata URL in AD FS Management under **Service > Endpoints > Metadata > Type: Federation Metadata**. For example: `https://fs.contoso.com/FederationMetadat). | +| **IdP federation metadata**<p>Location of the IdP's publicly available federation metadata. (Some apps use federation metadata as an alternative to the administrator configuring URLs, identifier, and token signing certificate individually.)| Find the AD FS federation metadata URL in AD FS Management under **Service > Endpoints > Metadata > Type: Federation Metadata**. For example: `https://fs.contoso.com/FederationMetadat). | ## Next steps |
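Review bot: the example federation metadata URL in the IdP federation metadata row is cut off and its backtick is never closed, in both the removed and the added line (`https://fs.contoso.com/FederationMetadat).`), so the change does not fix the row; restore the full example endpoint from the source article and close the backtick before the `|`. The `ΓÇÄ` sequences in the sign-out URL, token signing certificate and identifier rows are mis-encoded U+200E left-to-right marks and should be deleted, and `https:\//sts.windows.net/{tenant-id}/` carries an escaped slash that renders literally; use a code span instead.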
active-directory | Migrate Okta Sign On Policies Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sign-on-policies-conditional-access.md | Before you convert to Conditional Access, confirm the base MFA tenant settings f ![Screenshot of the multifactor authentication screen.](media/migrate-okta-sign-on-policies-conditional-access/legacy-portal.png) -5. Confirm there are no users enabled for legacy MFA: On the **multifactor authentication** menu, on **multifactor authentication status**, select **Enabled** and **Enforced**. If the tenant has users in the following views, disable them in the legacy menu. +5. Confirm there are no users enabled for legacy MFA: On the **Multifactor authentication** menu, on **Multifactor authentication status**, select **Enabled** and **Enforced**. If the tenant has users in the following views, disable them in the legacy menu. ![Screenshot of the multifactor authentication screen with the search feature highlighted.](media/migrate-okta-sign-on-policies-conditional-access/disable-user-portal.png) |
active-directory | Migrate Okta Sync Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sync-provisioning.md | You can connect to Microsoft Graph PowerShell and examine the current ImmutableI `Install-Module AzureAD` in an administrative session before you run the following commands: ```Powershell-Import-module AzureAD +Import-Module AzureAD Connect-MgGraph ``` After you prepare your list of source and destination targets, install a Microso 1. Download and install Microsoft Entra Connect on a server. See, [Custom installation of Microsoft Entra Connect](../hybrid/connect/how-to-connect-install-custom.md). 2. In the left panel, select **Identifying users**.-3. On the **Uniquely identifying your users** page, under **Select how users should be identified with Azure AD**, select **Choose a specific attribute**. +3. On the **Uniquely identifying your users** page, under **Select how users should be identified with Microsoft Entra ID**, select **Choose a specific attribute**. 4. If you haven't modified the Okta default, select **mS-DS-ConsistencyGUID**. >[!WARNING] After you disable Okta provisioning, the Microsoft Entra cloud sync agent can sy ## Next steps - [Tutorial: Migrate your applications from Okta to Microsoft Entra ID](migrate-applications-from-okta.md)-- [Tutorial: Migrate Okta federation to Microsoft Entra managed authentication](migrate-okta-federation.md)+- [Tutorial: Migrate Okta federation to Microsoft Entra ID managed authentication](migrate-okta-federation.md) - [Tutorial: Migrate Okta sign-on policies to Microsoft Entra Conditional Access](./migrate-okta-sign-on-policies-conditional-access.md) |
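Review bot: the PowerShell snippet mixes two modules: the text installs and imports `AzureAD`, but then calls `Connect-MgGraph`, which is a Microsoft Graph PowerShell cmdlet (Microsoft.Graph.Authentication), not an AzureAD cmdlet. Since the heading says "connect to Microsoft Graph PowerShell", change the install/import lines to the Microsoft.Graph module (or, if the AzureAD module is intended, use `Connect-AzureAD`), and lowercase the fence tag to `powershell` so it is highlighted consistently with the other snippets.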
active-directory | Silverfort Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/silverfort-integration.md | +<!-- docutune:ignore "Azure A ?D" --> + In this tutorial, learn how to integrate your on-premises Silverfort implementation with Microsoft Entra ID. Learn more: [Microsoft Entra hybrid joined devices](../devices/concept-hybrid-join.md). Set up Silverfort Azure AD Adapter in your Microsoft Entra tenant: 4. Select **Save Changes**. 5. On the **Permissions requested** dialog, select **Accept**. - ![image shows Microsoft Entra bridge connector](./media/silverfort-integration/bridge-connector.png) + ![image shows Azure A D bridge connector](./media/silverfort-integration/bridge-connector.png) ![image shows registration confirmation](./media/silverfort-integration/grant-permission.png) Set up Silverfort Azure AD Adapter in your Microsoft Entra tenant: 7. On the **Settings** page, select **Save Changes**. - ![image shows the Azure AD Adapter](./media/silverfort-integration/silverfort-adapter.png) + ![image shows the Azure A D Adapter](./media/silverfort-integration/silverfort-adapter.png) 8. Sign in to your Microsoft Entra account. In the left pane, select **Enterprise applications**. The **Silverfort Azure AD Adapter** application appears as registered. Set up Silverfort Azure AD Adapter in your Microsoft Entra tenant: 17. For Action, select **Azure AD BRIDGE**. - ![image shows save Azure AD bridge](./media/silverfort-integration/save-bridge.png) + ![image shows save Azure A D bridge](./media/silverfort-integration/save-bridge.png) 18. Select **Save**. You're prompted to turn on the policy. |
active-directory | V2 Howto App Gallery Listing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/v2-howto-app-gallery-listing.md | To publish your application in the Microsoft Entra application gallery, you need To publish your application in the gallery, you must first read and agree to specific [terms and conditions](https://azure.microsoft.com/support/legal/active-directory-app-gallery-terms/). - Implement support for *single sign-on* (SSO). To learn more about supported options, see [Plan a single sign-on deployment](plan-sso-deployment.md). - For password SSO, make sure that your application supports form authentication so that password vaulting can be used.- - For federated applications (OpenID and SAML/WS-Fed), the application must support the [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/). Enterprise gallery applications must support multiple user configurations and not any specific user. - - For federated applications (OpenID and SAML/WS-Fed), the application can be single **or** multitenanted - - For OpenID Connect, if the application is multitenanted the [Microsoft Entra consent framework](../develop/application-consent-experience.md) must be correctly implemented. -- Provisioning is optional yet highly recommended. To learn more about Microsoft Entra SCIM, see [build a SCIM endpoint and configure user provisioning with Microsoft Entra ID](../app-provisioning/use-scim-to-provision-users-and-groups.md).+ - For federated applications (SAML/WS-Fed), the application should preferably support [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/) but it is not mandatory and it can be an on-premises application as well. Enterprise gallery applications must support multiple user configurations and not any specific user. 
++ - For OpenID Connect, the application should be multitenant and [Microsoft Entra ID consent framework](../develop/application-consent-experience.md) must be correctly implemented. Refer to [this](../develop/howto-convert-app-to-be-multi-tenant.md) link to convert the application into multitenant. +- Provisioning is optional yet highly recommended. To learn more about Microsoft Entra SCIM, see [build a SCIM endpoint and configure user provisioning with Azure AD](../app-provisioning/use-scim-to-provision-users-and-groups.md). You can sign up for a free, test Development account. It's free for 90 days and you get all of the premium Microsoft Entra features with it. You can also extend the account if you use it for development work: [Join the Microsoft 365 Developer Program](/office/developer-program/microsoft-365-developer-program). Create documentation that includes the following information at minimum: ### App documentation on the Microsoft site -When your application is added to the gallery, documentation is created that explains the step-by-step process. For an example, see [Tutorials for integrating SaaS applications with Microsoft Entra ID](../saas-apps/tutorial-list.md). This documentation is created based on your submission to the gallery. You can easily update the documentation if you make changes to your application by using your GitHub account. +When your SAML application is added to the gallery, documentation is created that explains the step-by-step process. For an example, see [Tutorials for integrating SaaS applications with Microsoft Entra ID](../saas-apps/tutorial-list.md). This documentation is created based on your submission to the gallery. You can easily update the documentation if you make changes to your application by using your GitHub account. ++For OIDC application, there is no application specific documentation, we have only the generic [tutorial](../develop/v2-protocols-oidc.md) for all the OpenID Connect applications. 
## Submit your application You can track application requests by customer name at the Microsoft Application ### Timelines -Listing an **SAML 2.0 or WS-Fed application** in the gallery takes 7 to 10 business days. +Listing an **SAML 2.0 or WS-Fed application** in the gallery takes 12 to 15 business days. :::image type="content" source="./media/howto-app-gallery-listing/timeline.png" alt-text="Screenshot that shows the timeline for listing a SAML application."::: -Listing an **OpenID Connect application** in the gallery takes 2 to 5 business days. +Listing an **OpenID Connect application** in the gallery takes 7 to 10 business days. Listing an **SCIM provisioning application** in the gallery varies, depending on numerous factors. |
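Review bot: the added OpenID Connect bullet and paragraph need wording fixes: "Refer to [this](...) link to convert the application into multitenant" uses a non-descriptive link text and should read along the lines of "See [How to convert an application to be multitenant]", and "For OIDC application, there is no application specific documentation, we have only the generic [tutorial]" is a comma splice ("For OpenID Connect applications there is no application-specific documentation; only the generic ... applies"). In the Timelines hunk the SAML and OIDC durations changed but the `timeline.png` screenshot was not; confirm the image still matches the new 12 to 15 and 7 to 10 business-day figures.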
active-directory | Msi Tutorial Linux Vm Access Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/msi-tutorial-linux-vm-access-arm.md | To complete these steps, you need an SSH client. If you are using Windows, you c ``` > [!NOTE]- > The value of the `resource` parameter must be an exact match for what is expected by Azure AD. When using the Resource Manager resource ID, you must include the trailing slash on the URI.  + > The value of the `resource` parameter must be an exact match for what is expected by Microsoft Entra ID. When using the Resource Manager resource ID, you must include the trailing slash on the URI.  The response includes the access token you need to access Azure Resource Manager.  |
active-directory | Tutorial Linux Vm Access Arm | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm.md | When you use managed identities for Azure resources, your code can get access to To complete these steps, you need an SSH client. If you're using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/about). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md). -1. In the portal, navigate to your Linux VM and in the **Overview**, select **Connect**.   -2. **Connect** to the VM with the SSH client of your choice.  -3. In the terminal window, using `curl`, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Resource Manager.   +1. In the portal, navigate to your Linux VM and in the **Overview**, select **Connect**. ++2. **Connect** to the VM with the SSH client of your choice. ++3. In the terminal window, using `curl`, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Resource Manager. +  +The `curl` request for the access token is below. ++```bash +curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true +``` ++> [!NOTE] +> The value of the `resource` parameter must be an exact match for what is expected by Microsoft Entra ID. In the case of the Resource Manager resource ID, you must include the trailing slash on the URI. ++The response includes the access token you need to access Azure Resource Manager. 
++Response: ++```json +{ + "access_token":"eyJ0eXAiOi...", + "refresh_token":"", + "expires_in":"3599", + "expires_on":"1504130527", + "not_before":"1504126627", + "resource":"https://management.azure.com", + "token_type":"Bearer" +} +``` ++You can use this access token to access Azure Resource Manager, for example to read the details of the Resource Group to which you previously granted this VM access. Replace the values of `<SUBSCRIPTION-ID>`, `<RESOURCE-GROUP>`, and `<ACCESS-TOKEN>` with the ones you created earlier. ++> [!NOTE] +> The URL is case-sensitive, so ensure if you are using the exact same case as you used earlier when you named the Resource Group, and the uppercase “G” in “resourceGroup”.   ++```bash +curl https://management.azure.com/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>?api-version=2016-09-01 -H "Authorization: Bearer <ACCESS-TOKEN>"  +``` ++The response back with the specific Resource Group information:  - The `curl` request for the access token is below.   - - ```bash - curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true    - ``` - - > [!NOTE] - > The value of the “resource” parameter must be an exact match for what is expected by Azure AD.  In the case of the Resource Manager resource ID, you must include the trailing slash on the URI.  - - The response includes the access token you need to access Azure Resource Manager.  - - Response:   -- ```bash - {"access_token":"eyJ0eXAiOi...", - "refresh_token":"", - "expires_in":"3599", - "expires_on":"1504130527", - "not_before":"1504126627", - "resource":"https://management.azure.com", - "token_type":"Bearer"}  - ``` - - You can use this access token to access Azure Resource Manager, for example to read the details of the Resource Group to which you previously granted this VM access. 
Replace the values of \<SUBSCRIPTION ID\>, \<RESOURCE GROUP\>, and \<ACCESS TOKEN\> with the ones you created earlier.  - - > [!NOTE] - > The URL is case-sensitive, so ensure if you are using the exact same case as you used earlier when you named the Resource Group, and the uppercase “G” in “resourceGroup”.   - - ```bash - curl https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>?api-version=2016-09-01 -H "Authorization: Bearer <ACCESS TOKEN>"  - ``` - - The response back with the specific Resource Group information:  -   - ```bash - {"id":"/subscriptions/98f51385-2edc-4b79-bed9-7718de4cb861/resourceGroups/DevTest","name":"DevTest","location":"westus","properties":{"provisioningState":"Succeeded"}}  - ``` +```json +{ +"id":"/subscriptions/98f51385-2edc-4b79-bed9-7718de4cb861/resourceGroups/DevTest", +"name":"DevTest", +"location":"westus", +"properties": +{ + "provisioningState":"Succeeded" + } +}  +``` ## Next steps -In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. To learn more about Azure Resource Manager see: +In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. For more information about Azure Resource Manager, see: > [!div class="nextstepaction"] >[Azure Resource Manager](../../azure-resource-manager/management/overview.md) |
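Review bot: the re-indented `json` response block has inconsistent indentation (the `"properties"` object is indented while its sibling keys are not), and the moved NOTE keeps the ungrammatical "so ensure if you are using the exact same case as you used earlier"; suggest "so make sure you use the same case you used when you named the resource group, including the uppercase "G" in "resourceGroup"". The placeholder rename to `<SUBSCRIPTION-ID>`, `<RESOURCE-GROUP>` and `<ACCESS-TOKEN>` in the prose matches the curl line, which is good; the example subscription GUID in the sample response is sample data and is fine to keep as long as it stays clearly an example.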
active-directory | Concept Sign Ins | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-sign-ins.md | Title: Sign-in logs in Microsoft Entra ID -description: Learn about the four types of sign-in logs available in Microsoft Entra Monitoring and health. +description: Learn about the four types of sign-in logs available in Microsoft Entra monitoring and health. |
active-directory | Howto Configure Prerequisites For Reporting Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md | To get access to the reporting data through the API, you need to have one of the In order to access the sign-in reports for a tenant, a Microsoft Entra tenant must have associated Microsoft Entra ID P1 or P2 license. If the directory type is Azure AD B2C, the sign-in reports are accessible through the API without any other license requirement. -Registration is needed even if you're accessing the reporting API using a script. The registration gives you an **Application ID**, which is required for the authorization calls and enables your code to receive tokens. To configure your directory to access the Microsoft Entra ID reporting API, you must sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) in one of the required roles. +Registration is needed even if you're accessing the reporting API using a script. The registration gives you an **Application ID**, which is required for the authorization calls and enables your code to receive tokens. To configure your directory to access the Microsoft Entra reporting API, you must sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) in one of the required roles. > [!IMPORTANT] > Applications running under credentials with administrator privileges can be very powerful, so be sure to keep the application's ID and secret credentials in a secure location. To enable your application to access Microsoft Graph without user intervention, ### Grant permissions -To access the Microsoft Entra ID reporting API, you must grant your app *Read directory data* and *Read all audit log data* permissions for the Microsoft Graph API. 
+To access the Microsoft Entra reporting API, you must grant your app *Read directory data* and *Read all audit log data* permissions for the Microsoft Graph API. 1. Browse to **Identity** > **Applications** > **App Registrations**. 1. Select **Add a permission**. Once you have the app registration configured, you can run activity log queries ## Access reports using Microsoft Graph PowerShell -To use PowerShell to access the Microsoft Entra ID reporting API, you need to gather a few configuration settings. These settings were created as a part of the [app registration process](#register-an-azure-ad-application). +To use PowerShell to access the Microsoft Entra reporting API, you need to gather a few configuration settings. These settings were created as a part of the [app registration process](#register-an-azure-ad-application). - Tenant ID - Client app ID Programmatic access APIs: <a name='troubleshoot-errors-in-azure-active-directory-reporting-api'></a> -### Troubleshoot errors in Microsoft Entra ID reporting API +### Troubleshoot errors in Microsoft Entra reporting API **500 HTTP internal server error while accessing Microsoft Graph beta endpoint**: We don't currently support the Microsoft Graph beta endpoint - make sure to access the activity logs using the Microsoft Graph v1.0 endpoint. - GET `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits` |
active-directory | Howto Manage Inactive User Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md | The last sign-in date and time shown on this tile may take up to 6 hours to upda ## Next steps -* [Get data using the Microsoft Entra ID reporting API with certificates](./howto-configure-prerequisites-for-reporting-api.md) +* [Get data using the Microsoft Entra reporting API with certificates](./howto-configure-prerequisites-for-reporting-api.md) * [Audit API reference](/graph/api/resources/directoryaudit) * [Sign-in activity report API reference](/graph/api/resources/signin) |
active-directory | Howto Stream Logs To Event Hub | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-stream-logs-to-event-hub.md | Download and open the [configuration guide for ArcSight SmartConnector for Azure 1. Complete the steps in the **Prerequisites** section of the ArcSight configuration guide. This section includes the following steps: * Set user permissions in Azure to ensure there's a user with the **owner** role to deploy and configure the connector. * Open ports on the server with Syslog NG Daemon SmartConnector so it's accessible from Azure. - * The deployment runs a Windows PowerShell script, so you must enable PowerShell to run scripts on the machine where you want to deploy the connector. + * The deployment runs a PowerShell script, so you must enable PowerShell to run scripts on the machine where you want to deploy the connector. 1. Follow the steps in the **Deploying the Connector** section of the ArcSight configuration guide to deploy the connector. This section walks you through how to download and extract the connector, configure application properties and run the deployment script from the extracted folder. |
active-directory | Overview Monitoring Health | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-monitoring-health.md | Title: What is Microsoft Entra Monitoring and health? -description: Provides a general overview of Microsoft Entra Monitoring and health. + Title: What is Microsoft Entra monitoring and health? +description: Provides a general overview of Microsoft Entra monitoring and health. -# What is Microsoft Entra Monitoring and health? +# What is Microsoft Entra monitoring and health? -The features of Microsoft Entra Monitoring and health provide a comprehensive view of identity related activity in your environment. This data enables you to: +The features of Microsoft Entra monitoring and health provide a comprehensive view of identity related activity in your environment. This data enables you to: - Determine how your users utilize your apps and services. - Detect potential risks affecting the health of your environment. |
active-directory | Plan Monitoring And Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/plan-monitoring-and-reporting.md | -# Microsoft Entra Monitoring & health deployment dependencies +# Microsoft Entra monitoring and health deployment dependencies Your Microsoft Entra reporting and monitoring solution depends on legal, security, operational requirements, and your environment's processes. Use the following sections to learn about design options and deployment strategy. You'll need a Microsoft Entra ID P1 or P2 license to access the Microsoft Entra For detailed feature and licensing information, see the [Microsoft Entra pricing guide](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). -To deploy Microsoft Entra Monitoring & health you'll need a user who is a Global Administrator or Security Administrator for the Microsoft Entra tenant. +To deploy Microsoft Entra monitoring and health, you'll need a user who is a Global Administrator or Security Administrator for the Microsoft Entra tenant. * [Azure Monitor data platform](../../azure-monitor/data-platform.md) * [Azure Monitor naming and terminology changes](../../azure-monitor/overview.md) To deploy Microsoft Entra Monitoring & health you'll need a user who is a Global <a name='plan-and-deploy-an-azure-ad-reporting-and-monitoring-deployment-project'></a> -## Plan and deploy a Microsoft Entra Monitoring & health deployment project +## Plan and deploy a Microsoft Entra monitoring and health deployment project Reporting and monitoring are used to meet your business requirements, gain insights into usage patterns, and increase your organization's security posture. In this project, you'll define the audiences that will consume and monitor reports, and define your Microsoft Entra monitoring architecture. |
active-directory | Recommendation Migrate From Adal To Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-migrate-from-adal-to-msal.md | Title: Migrate from ADAL to MSAL recommendation -description: Learn why you should migrate from the Azure Active Directory Library to the Microsoft Authentication Libraries. +description: Learn why you should migrate from the Azure Active Directory Authentication Library to the Microsoft Authentication Libraries. -# Microsoft Entra recommendation: Migrate from the Azure Active Directory Library to the Microsoft Authentication Libraries +# Microsoft Entra recommendation: Migrate from the Azure Active Directory Authentication Library to the Microsoft Authentication Libraries [Microsoft Entra recommendations](overview-recommendations.md) is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices. |
active-directory | Reference Audit Activities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-audit-activities.md | Title: Microsoft Entra audit activity reference + Title: Microsoft Entra audit log activity reference description: Get an overview of the audit activities that can be logged in your audit logs in Microsoft Entra ID. |
active-directory | Reference Powershell Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-powershell-reporting.md | -> These PowerShell cmdlets currently only work with the [Microsoft Entra ID Preview](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#directory_auditing) Module. Please note that the preview module is not suggested for production use. +> These PowerShell cmdlets currently only work with the [Azure Active Directory PowerShell for Graph Preview](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#directory_auditing) module. Please note that the preview module is not suggested for production use. To install the public preview release, use the following: |
active-directory | Reference Reports Data Retention | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-reports-data-retention.md | If you already have activities data with your free license, then you can see it | Sign-ins | Seven days | 30 days | 30 days | | Microsoft Entra multifactor authentication usage | 30 days | 30 days | 30 days | -You can retain the audit and sign-in activity data for longer than the default retention period outlined in the previous table by routing it to an Azure storage account using Azure Monitor. For more information, see [Archive Microsoft Entra ID logs to an Azure storage account](quickstart-azure-monitor-route-logs-to-storage-account.md). +You can retain the audit and sign-in activity data for longer than the default retention period outlined in the previous table by routing it to an Azure storage account using Azure Monitor. For more information, see [Archive Microsoft Entra logs to an Azure storage account](quickstart-azure-monitor-route-logs-to-storage-account.md). **Security signals** You can retain the audit and sign-in activity data for longer than the default r ## Next steps - [Stream logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md)-- [Learn how to download Microsoft Entra ID logs](howto-download-logs.md)+- [Learn how to download Microsoft Entra logs](howto-download-logs.md) |
active-directory | Delegate By Task | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/delegate-by-task.md | You can further restrict permissions by assigning roles at smaller scopes or by > | Task | Least privileged role | Additional roles | > | - | | - | > | Create Microsoft Entra Domain Services instance | [Application Administrator](permissions-reference.md#application-administrator)<br>[Groups Administrator](permissions-reference.md#groups-administrator)<br> [Domain Services Contributor](../../role-based-access-control/built-in-roles.md#domain-services-contributor)| |-> | Perform all Microsoft Entra Domain Services tasks | [AAD DC Administrators group](../../active-directory-domain-services/tutorial-create-management-vm.md#administrative-tasks-you-can-perform-on-a-managed-domain) | | +> | Perform all Microsoft Entra Domain Services tasks | [AAD DC Administrators group](../../active-directory-domain-services/tutorial-create-management-vm.md#administrative-tasks-you-can-perform-on-a-managed-domain) | | > | Read all configuration | Reader on Azure subscription containing AD DS service | | ## Devices |
active-directory | Cisco Webex Provisioning Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cisco-webex-provisioning-tutorial.md | -> This tutorial describes a connector built on top of the Microsoft Entra user Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md). +> This tutorial describes a connector built on top of the Microsoft Entra user provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md). > > This connector is currently in Preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). |
active-directory | Colab Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/colab-tutorial.md | + + Title: Microsoft Entra SSO integration with CoLab +description: Learn how to configure single sign-on between Microsoft Entra ID and CoLab. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with CoLab ++In this tutorial, you learn how to integrate CoLab with Microsoft Entra ID. When you integrate CoLab with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to CoLab. +* Enable your users to be automatically signed-in to CoLab with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with CoLab, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* CoLab single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* CoLab supports **SP and IDP** initiated SSO. +* CoLab supports **Just In Time** user provisioning. ++## Adding CoLab from the gallery ++To configure the integration of CoLab into Microsoft Entra ID, you need to add CoLab from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **CoLab** in the search box. +1. Select **CoLab** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 
++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for CoLab ++Configure and test Microsoft Entra SSO with CoLab using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in CoLab. ++To configure and test Microsoft Entra SSO with CoLab, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure CoLab SSO](#configure-colab-sso)** - to configure the single sign-on settings on application side. + 1. **[Create CoLab test user](#create-colab-test-user)** - to have a counterpart of B.Simon in CoLab that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **CoLab** > **Single sign-on**. +1. 
On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a value using the following pattern: + `urn:auth0:colab-production:<customer>` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + ` https://login.colabsoftware.com/login/callback?connection=<Customer>` ++1. If you wish to configure the application in **SP** initiated mode, then perform the following step: ++ In the **Sign on URL** textbox, type the URL: + `https://app.colabsoftware.com/` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [CoLab support team](mailto:support@colabsoftware.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate") ++1. On the **Set up CoLab** section, copy the appropriate URL(s) based on your requirement. ++ ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. 
Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to CoLab. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **CoLab**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure CoLab SSO ++To configure single sign-on on **CoLab** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Microsoft Entra admin center to [CoLab support team](mailto:support@colabsoftware.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create CoLab test user ++In this section, a user called B.Simon is created in CoLab. 
CoLab supports just-in-time provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in CoLab, a new one is created when you attempt to access CoLab. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +#### SP initiated: + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to CoLab Sign on URL where you can initiate the login flow. + +* Go to CoLab Sign-on URL directly and initiate the login flow from there. + +#### IDP initiated: + +* Click on **Test this application** in Microsoft Entra admin center and you should be automatically signed in to the CoLab for which you set up the SSO. + +You can also use Microsoft My Apps to test the application in any mode. When you click the CoLab tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the CoLab for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure CoLab you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
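Review bot: in the Basic SAML Configuration step the Reply URL pattern is written with a space after the opening backtick (` https://login.colabsoftware.com/login/callback?connection=<Customer>`), so the rendered code span starts with a blank that a reader may copy into the portal; drop the space. The placeholder is also spelled `<customer>` in the Identifier pattern but `<Customer>` in the Reply URL pattern; use one spelling so it is clear that the same value is substituted in both fields.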
active-directory | F5 Big Ip Headers Easy Button | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-headers-easy-button.md | The Service Provider settings define the properties for the SAML SP instance of ### Microsoft Entra ID -This section defines all properties that you would normally use to manually configure a new BIG-IP SAML application within your Microsoft Entra tenant. Easy Button provides a set of pre-defined application templates for Oracle PeopleSoft, Oracle E-business Suite, Oracle JD Edwards, SAP ERP as well as generic SHA template for any other apps. For this scenario select **F5 BIG-IP APM Microsoft Entra Integration > Add**. +This section defines all properties that you would normally use to manually configure a new BIG-IP SAML application within your Microsoft Entra tenant. Easy Button provides a set of pre-defined application templates for Oracle PeopleSoft, Oracle E-business Suite, Oracle JD Edwards, SAP ERP as well as generic SHA template for any other apps. For this scenario, select **F5 BIG-IP APM Azure AD Integration > Add**. ![Screenshot for Azure configuration add BIG-IP application.](./media/f5-big-ip-headers-easy-button/azure-configuration-add-app.png) |
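Review bot: the template name in the last sentence is changed from "F5 BIG-IP APM Microsoft Entra Integration" back to "F5 BIG-IP APM Azure AD Integration"; since this is a literal menu label the reader has to locate in the Easy Button, please confirm it matches what the BIG-IP currently displays, and if it does, a short remark that the label still carries the older product name would stop readers from assuming they picked the wrong template.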
active-directory | Flock Safety Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/flock-safety-tutorial.md | + + Title: Microsoft Entra SSO integration with Flock Safety +description: Learn how to configure single sign-on between Microsoft Entra ID and Flock Safety. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Flock Safety ++In this tutorial, you learn how to integrate Flock Safety with Microsoft Entra ID. When you integrate Flock Safety with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Flock Safety. +* Enable your users to be automatically signed-in to Flock Safety with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Flock Safety, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Flock Safety single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Flock Safety supports **SP** initiated SSO. +* Flock Safety supports **Just In Time** user provisioning. ++## Adding Flock Safety from the gallery ++To configure the integration of Flock Safety into Microsoft Entra ID, you need to add Flock Safety from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Flock Safety** in the search box. +1. Select **Flock Safety** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 
++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for Flock Safety ++Configure and test Microsoft Entra SSO with Flock Safety using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Flock Safety. ++To configure and test Microsoft Entra SSO with Flock Safety, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Flock Safety SSO](#configure-flock-safety-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Flock Safety test user](#create-flock-safety-test-user)** - to have a counterpart of B.Simon in Flock Safety that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **Enterprise applications** > **Flock Safety** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a value using the following pattern: + `urn:auth0:prod-flock:<ID>` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + `https://login.flocksafety.com/login/callback?connection=<ID>` ++ c. In the **Sign on URL** textbox, type a URL using the following pattern: + `https://users.flocksafety.com/sso-login/<CustomName>` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Flock Safety support team](mailto:support@flocksafety.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate") ++1. On the **Set up Flock Safety** section, copy the appropriate URL(s) based on your requirement. ++ ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Flock Safety. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Flock Safety**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Flock Safety SSO ++To configure single sign-on on **Flock Safety** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Microsoft Entra admin center to [Flock Safety support team](mailto:support@flocksafety.com). 
They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Flock Safety test user ++In this section, a user called Britta Simon is created in Flock Safety. Flock Safety supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Flock Safety, a new one is created after authentication. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Flock Safety Sign-on URL where you can initiate the login flow. + +* Go to Flock Safety Sign-on URL directly and initiate the login flow from there. + +* You can use Microsoft My Apps. When you click the Flock Safety tile in the My Apps, this will redirect to Flock Safety Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure Flock Safety you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
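Review bot: the "Create Flock Safety test user" section says a user called Britta Simon is created, while every other step in this tutorial (the "Configure and test" list, the Microsoft Entra test user steps and the assignment step) uses B.Simon; change it to B.Simon so the just-in-time provisioned counterpart matches the Microsoft Entra test user the reader actually created.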
active-directory | Glia Hub Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/glia-hub-tutorial.md | + + Title: Microsoft Entra SSO integration with Glia Hub +description: Learn how to configure single sign-on between Microsoft Entra ID and Glia Hub. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Glia Hub ++In this tutorial, you learn how to integrate Glia Hub with Microsoft Entra ID. When you integrate Glia Hub with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Glia Hub. +* Enable your users to be automatically signed-in to Glia Hub with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Glia Hub, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Glia Hub single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Glia Hub supports **SP and IDP** initiated SSO. ++## Adding Glia Hub from the gallery ++To configure the integration of Glia Hub into Microsoft Entra ID, you need to add Glia Hub from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Glia Hub** in the search box. +1. Select **Glia Hub** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 
++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for Glia Hub ++Configure and test Microsoft Entra SSO with Glia Hub using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Glia Hub. ++To configure and test Microsoft Entra SSO with Glia Hub, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Glia Hub SSO](#configure-glia-hub-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Glia Hub test user](#create-glia-hub-test-user)** - to have a counterpart of B.Simon in Glia Hub that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Glia Hub** > **Single sign-on**. +1. 
On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ 1. In the **Identifier** textbox, type a URL using the following pattern: + `https://<CustomerName>.app.glia.com` ++ 1. In the **Reply URL** textbox, type a URL using the following pattern: + `https://<CustomerName>.app.glia.com/saml/acs` ++ 1. In the **Relay State** textbox, type a URL using the following pattern: + `https://<CustomerName>.app.glia.com` ++ 1. In the **Logout Url** textbox, type a URL using the following pattern: + `https://<CustomerName>.app.glia.com/saml/logout` ++1. Perform the following step, if you wish to configure the application in **SP** initiated mode: ++ 1. In the **Sign on URL** textbox, type a URL using the following pattern: + `https://<CustomerName>.app.glia.com` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL, Sign on URL, Relay State and Logout Url. Contact [Glia Hub support team](mailto:support@glia.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. Glia Hub application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. ++ ![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Image") ++1. In addition to above, Glia Hub application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements. 
+ + | Name | Source Attribute| + | | | + | idp_name_attribute | user.userprincipalname | ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Glia Hub. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Glia Hub**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. 
If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Glia Hub SSO ++To configure single sign-on on **Glia Hub** side, you need to send the **App Federation Metadata Url** to [Glia Hub support team](mailto:support@glia.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Glia Hub test user ++In this section, you create a user called B.Simon in Glia Hub. Work with [Glia Hub support team](mailto:support@glia.com) to add the users in the Glia Hub platform. Users must be created and activated before you use single sign-on. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +#### SP initiated: + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Glia Hub Sign on URL where you can initiate the login flow. + +* Go to Glia Hub Sign-on URL directly and initiate the login flow from there. + +#### IDP initiated: + +* Click on **Test this application** in Microsoft Entra admin center and you should be automatically signed in to the Glia Hub for which you set up the SSO. + +You can also use Microsoft My Apps to test the application in any mode. When you click the Glia Hub tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Glia Hub for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). 
++## Next Steps ++Once you configure Glia Hub you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
active-directory | Granite Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/granite-tutorial.md | + + Title: Microsoft Entra SSO integration with Granite +description: Learn how to configure single sign-on between Microsoft Entra ID and Granite. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Granite ++In this tutorial, you learn how to integrate Granite with Microsoft Entra ID. When you integrate Granite with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Granite. +* Enable your users to be automatically signed-in to Granite with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Granite, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Granite single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Granite supports **SP** initiated SSO. +* Granite supports **Just In Time** user provisioning. ++## Adding Granite from the gallery ++To configure the integration of Granite into Microsoft Entra ID, you need to add Granite from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Granite** in the search box. +1. Select **Granite** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 
++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for Granite ++Configure and test Microsoft Entra SSO with Granite using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Granite. ++To configure and test Microsoft Entra SSO with Granite, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Granite SSO](#configure-granite-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Granite test user](#create-granite-test-user)** - to have a counterpart of B.Simon in Granite that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Granite** > **Single sign-on**. +1. 
On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a value using the following pattern: + `<Customer_Name>.granitegrc.com` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + `https://<Customer_Name>.granitegrc.com/simplesaml/module.php/saml/sp/saml2-acs.php/default` ++ c. In the **Sign on URL** textbox, type a URL using the following pattern: + `https://<Customer_Name>.granitegrc.com` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Granite support team](mailto:support@granitegrc.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. Granite application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. ++ ![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Image") ++1. In addition to above, Granite application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements. + + | Name | Source Attribute| + | | | + | mail | user.mail | + | username | user.userprincipalname | + | groups | user.groups | + | company | user.companyname | + | department | user.department | + | objectid | user.objectid | ++1. 
On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Granite. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Granite**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. 
If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Granite SSO ++To configure single sign-on on **Granite** side, you need to send the **App Federation Metadata Url** to [Granite support team](mailto:support@granitegrc.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Granite test user ++In this section, a user called B.Simon is created in Granite. Granite supports just-in-time provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Granite, a new one is created when you attempt to access Granite. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Granite Sign on URL where you can initiate the login flow. + +* Go to Granite Sign-on URL directly and initiate the login flow from there. + +* You can use Microsoft My Apps. When you click the Granite tile in the My Apps, this will redirect to Granite Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure Granite you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
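Review bot: in the Basic SAML Configuration step, the Identifier pattern `<Customer_Name>.granitegrc.com` carries no scheme while the Sign on URL pattern is `https://<Customer_Name>.granitegrc.com`; the Identifier is matched as an exact string against the Audience the application expects, so either confirm that the scheme-less form is what Granite requires or align the two patterns, and say which in the note that follows them. Two smaller points: "They set this setting to have the SAML SSO connection set properly on both sides" under Configure Granite SSO is awkward and would read better as "Granite's support team uses the metadata URL to complete the SAML configuration on their side", and the Test SSO bullets write "Sign on URL" while Microsoft Entra labels the field "Sign-on URL".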
active-directory | Guru Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/guru-tutorial.md | + + Title: Microsoft Entra SSO integration with Guru +description: Learn how to configure single sign-on between Microsoft Entra ID and Guru. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Guru ++In this tutorial, you learn how to integrate Guru with Microsoft Entra ID. When you integrate Guru with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Guru. +* Enable your users to be automatically signed-in to Guru with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Guru, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Guru single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Guru supports **IDP** initiated SSO. +* Guru supports **Just In Time** user provisioning. ++## Adding Guru from the gallery ++To configure the integration of Guru into Microsoft Entra ID, you need to add Guru from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Guru** in the search box. +1. Select **Guru** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). 
In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). ++## Configure and test Microsoft Entra SSO for Guru ++Configure and test Microsoft Entra SSO with Guru using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Guru. ++To configure and test Microsoft Entra SSO with Guru, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Guru SSO](#configure-guru-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Guru test user](#create-guru-test-user)** - to have a counterpart of B.Simon in Guru that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Guru** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. 
++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a value using the following pattern: + `getguru.com/<TeamID>` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + `https://api.getguru.com/samlsso/<TeamID>` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. You can get `TeamID` from **[Configure Guru SSO](#configure-guru-sso)** section. If you have any queries, please contact [Guru support team](mailto:support@getguru.com). You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. Guru application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. ++ ![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Image") ++1. In addition to above, Guru application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements. + + | Name | Source Attribute| + | | | + | firstName | user.givenname | + | lastName | user.surname | ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate") ++1. On the **Set up Guru** section, copy the appropriate URL(s) based on your requirement. 
++ ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Guru. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Guru**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Guru SSO ++1. 
Log in to your Guru company site as an administrator. ++1. Go to **Settings** > **Apps and Integrations** and click **SSO/SCIM**. ++1. In the **SSO/SCIM** section, perform the following steps: ++ ![Screenshot shows the administration portal.](media/guru-tutorial/manage.png "Admin") ++ 1. Copy **Team ID** and save it to your computer. ++ 1. Copy **Single Sign On Url**, paste this value into the **Reply URL** text box in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++ 1. Copy **Audience URI**, paste this value into the **Identifier** text box in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++ 1. In the **Identity Provider Single Sign-On Url** textbox, paste the **Login URL** value, which you have copied from the Microsoft Entra admin center. ++ 1. In the **Identity Provider Issuer** textbox, paste the **Microsoft Entra ID Identifier** value, which you have copied from the Microsoft Entra admin center. ++ 1. Open the downloaded **Certificate (Base64)** from the Microsoft Entra admin center into Notepad and paste the content into the **X.509 Certificate** textbox. ++ 1. Click **Enable SSO**. ++### Create Guru test user ++In this section, a user called B.Simon is created in Guru. Guru supports just-in-time provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Guru, a new one is created when you attempt to access Guru. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on Test this application in Microsoft Entra admin center and you should be automatically signed in to the Guru for which you set up the SSO. + +* You can use Microsoft My Apps. When you click the Guru tile in the My Apps, you should be automatically signed in to the Guru for which you set up the SSO. 
For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure Guru you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
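Review bot: under Configure Guru SSO, steps d and e tell the reader to paste the **Login URL** and **Microsoft Entra ID Identifier**, but the earlier "Set up Guru" step only says "copy the appropriate URL(s) based on your requirement"; name those two values there so the reader copies the right ones on the first pass. Also, in "Adding Guru from the gallery" the sentence ends `[Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).` with a stray period after the link (the Granite tutorial in this change set has none), and in Test SSO "Test this application" lacks the bold applied to the same UI label elsewhere.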
active-directory | Insightly Saml Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/insightly-saml-tutorial.md | + + Title: Microsoft Entra SSO integration with Insightly SAML +description: Learn how to configure single sign-on between Microsoft Entra ID and Insightly SAML. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Insightly SAML ++In this tutorial, you learn how to integrate Insightly SAML with Microsoft Entra ID. When you integrate Insightly SAML with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Insightly SAML. +* Enable your users to be automatically signed-in to Insightly SAML with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Insightly SAML, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Insightly SAML single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Insightly SAML supports **IDP** initiated SSO. ++## Adding Insightly SAML from the gallery ++To configure the integration of Insightly SAML into Microsoft Entra ID, you need to add Insightly SAML from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Insightly SAML** in the search box. +1. Select **Insightly SAML** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 
++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for Insightly SAML ++Configure and test Microsoft Entra SSO with Insightly SAML using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Insightly SAML. ++To configure and test Microsoft Entra SSO with Insightly SAML, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Insightly SAML SSO](#configure-insightly-saml-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Insightly SAML test user](#create-insightly-saml-test-user)** - to have a counterpart of B.Simon in Insightly SAML that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **Enterprise applications** > **Insightly SAML** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a URL using one of the following patterns: ++ | **Identifier** | + || + | `https://crm.na1.insightly.com/user/saml?instanceId=<ID>` | + | `https://crm.au1.insightly.com/user/saml?instanceId=<ID>` | ++ b. In the **Reply URL** textbox, type a URL using one of the following patterns: ++ | **Reply URL** | + || + | `https://crm.na1.insightly.com/user/saml?instanceId=<ID>` | + | `https://crm.au1.insightly.com/user/saml?instanceId=<ID>` | ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Insightly SAML support team](mailto:support@insight.ly) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate") ++1. On the **Set up Insightly SAML** section, copy the appropriate URL(s) based on your requirement. ++ ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Insightly SAML. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Insightly SAML**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Insightly SAML SSO ++To configure single sign-on on **Insightly SAML** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Microsoft Entra admin center to [Insightly SAML support team](mailto:support@insight.ly). 
They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Insightly SAML test user ++In this section, you create a user called B.Simon in Insightly SAML. Work with [Insightly SAML support team](mailto:support@insight.ly) to add the users in the Insightly SAML platform. Users must be created and activated before you use single sign-on. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on Test this application in Microsoft Entra admin center and you should be automatically signed in to the Insightly SAML for which you set up the SSO. + +* You can use Microsoft My Apps. When you click the Insightly SAML tile in the My Apps, you should be automatically signed in to the Insightly SAML for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next steps ++Once you configure Insightly SAML you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
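Review bot: in the Basic SAML Configuration step, the Identifier and Reply URL tables list exactly the same two patterns (`https://crm.na1.insightly.com/user/saml?instanceId=<ID>` and the `au1` variant); the Identifier is the Audience the assertion is issued for and the Reply URL is the endpoint it is posted to, so confirm with the vendor that one value is intended for both roles and, if so, say so in the note so readers do not assume a copy error. Minor: "They set this setting to have the SAML SSO connection set properly on both sides" under Configure Insightly SAML SSO reads awkwardly; suggest "Insightly's support team uses these values to complete the SAML configuration on their side."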
active-directory | Insightsfirst Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/insightsfirst-tutorial.md | + + Title: Microsoft Entra SSO integration with Insightsfirst +description: Learn how to configure single sign-on between Microsoft Entra ID and Insightsfirst. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Insightsfirst ++In this tutorial, you learn how to integrate Insightsfirst with Microsoft Entra ID. When you integrate Insightsfirst with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Insightsfirst. +* Enable your users to be automatically signed-in to Insightsfirst with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Insightsfirst, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Insightsfirst single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Insightsfirst supports **SP** initiated SSO. +* Insightsfirst supports **Just In Time** user provisioning. ++> [!NOTE] +> Identifier of this application is a fixed string value so only one instance can be configured in one tenant. ++## Adding Insightsfirst from the gallery ++To configure the integration of Insightsfirst into Microsoft Entra ID, you need to add Insightsfirst from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Insightsfirst** in the search box. +1. 
Select **Insightsfirst** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). ++## Configure and test Microsoft Entra SSO for Insightsfirst ++Configure and test Microsoft Entra SSO with Insightsfirst using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Insightsfirst. ++To configure and test Microsoft Entra SSO with Insightsfirst, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Insightsfirst SSO](#configure-insightsfirst-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Insightsfirst test user](#create-insightsfirst-test-user)** - to have a counterpart of B.Simon in Insightsfirst that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Insightsfirst** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type one of the following URLs: ++ | **Identifier** | + || + | `https://insightsfirst-implementation.evalueserve.com` | + | `https://insightsfirst.evalueserve.com/` | ++ b. In the **Reply URL** textbox, type one of the following URLs: ++ | **Reply URL** | + || + | `https://insightsfirst-implementation.evalueserve.com/InsightFirstSSO/api/Assertion/ConsumerService` | + | `https://insightsfirst.evalueserve.com/InsightFirstSSO/api/Assertion/ConsumerService` | ++ c. In the **Sign on URL** textbox, type one of the following URLs: ++ | **Sign on URL** | + || + | `https://insightsfirst.evalueserve.com/Microsoft` | + | `https://insightsfirst-implementation.evalueserve.com/Microsoft` | ++1. Insightsfirst application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. ++ ![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Image") ++1. In addition to above, Insightsfirst application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements. 
+ + | Name | Source Attribute| + | | | + | Email | user.mail | ++1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog. ++ ![Screenshot shows to Edit SAML Signing Certificate.](common/edit-certificate.png "Certificate") ++1. In the **SAML Signing Certificate** section, copy the **Thumbprint Value** and save it on your computer. ++ ![Screenshot shows to Copy Thumbprint value.](common/copy-thumbprint.png "Thumbprint") ++1. On the **Set up Insightsfirst** section, copy the appropriate URL(s) based on your requirement. ++ ![Screenshot shows to copy configuration appropriate URL.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Insightsfirst. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Insightsfirst**. +1. 
In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Insightsfirst SSO ++To configure single sign-on on **Insightsfirst** side, you need to send the **Thumbprint Value** and appropriate copied URLs from Microsoft Entra admin center to [Insightsfirst support team](mailto:insightsfirst.support@evalueserve.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Insightsfirst test user ++In this section, a user called Britta Simon is created in Insightsfirst. Insightsfirst supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Insightsfirst, a new one is created after authentication. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Insightsfirst Sign-on URL where you can initiate the login flow. + +* Go to Insightsfirst Sign-on URL directly and initiate the login flow from there. + +* You can use Microsoft My Apps. When you click the Insightsfirst tile in the My Apps, this will redirect to Insightsfirst Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). 
++## Next Steps ++Once you configure Insightsfirst you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
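Review bot: The two values in the **Identifier** table of the Basic SAML Configuration step are inconsistent about the trailing slash (`https://insightsfirst-implementation.evalueserve.com` versus `https://insightsfirst.evalueserve.com/`). A SAML entity ID is compared as an exact string, so a stray or missing slash is a common reason an assertion is rejected; confirm with the vendor which form each environment actually uses and make the table consistent. Minor: "pre populated" should be "prepopulated", and the period after the "[Learn more about Microsoft 365 wizards.]" link is outside the link text in this article but inside it in the other tutorials on this page.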
active-directory | Mic Saas Portal Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mic-saas-portal-tutorial.md | + + Title: Microsoft Entra SSO integration with MIC SAAS Portal +description: Learn how to configure single sign-on between Microsoft Entra ID and MIC SAAS Portal. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with MIC SAAS Portal ++In this tutorial, you learn how to integrate MIC SAAS Portal with Microsoft Entra ID. When you integrate MIC SAAS Portal with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to MIC SAAS Portal. +* Enable your users to be automatically signed-in to MIC SAAS Portal with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with MIC SAAS Portal, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* MIC SAAS Portal single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* MIC SAAS Portal supports **SP** initiated SSO. +* MIC SAAS Portal supports **Just In Time** user provisioning. ++## Adding MIC SAAS Portal from the gallery ++To configure the integration of MIC SAAS Portal into Microsoft Entra ID, you need to add MIC SAAS Portal from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **MIC SAAS Portal** in the search box. +1. Select **MIC SAAS Portal** from results panel and then add the app. 
Wait a few seconds while the app is added to your tenant. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for MIC SAAS Portal ++Configure and test Microsoft Entra SSO with MIC SAAS Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in MIC SAAS Portal. ++To configure and test Microsoft Entra SSO with MIC SAAS Portal, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure MIC SAAS Portal SSO](#configure-mic-saas-portal-sso)** - to configure the single sign-on settings on application side. + 1. **[Create MIC SAAS Portal test user](#create-mic-saas-portal-test-user)** - to have a counterpart of B.Simon in MIC SAAS Portal that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **Enterprise applications** > **MIC SAAS Portal** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a URL using the following pattern: + `https://sso.eu.micgtm.com/auth/realms/<INSTANCE>` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + `https://sso.eu.micgtm.com/auth/realms/<INSTANCE>/broker/<PROVIDER>/endpoint` ++ c. In the **Sign on URL** textbox, type a URL using the following pattern: + `https://gtmportal.eu.micgtm.com/?idp=<INSTANCE>` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [MIC SAAS Portal support team](mailto:support@mic-cust.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate") ++1. On the **Set up MIC SAAS Portal** section, copy the appropriate URL(s) based on your requirement. ++ ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to MIC SAAS Portal. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **MIC SAAS Portal**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure MIC SAAS Portal SSO ++To configure single sign-on on **MIC SAAS Portal** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Microsoft Entra admin center to [MIC SAAS Portal support team](mailto:support@mic-cust.com). 
They set this setting to have the SAML SSO connection set properly on both sides. ++### Create MIC SAAS Portal test user ++In this section, a user called Britta Simon is created in MIC SAAS Portal. MIC SAAS Portal supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in MIC SAAS Portal, a new one is created after authentication. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to MIC SAAS Portal Sign-on URL where you can initiate the login flow. + +* Go to MIC SAAS Portal Sign-on URL directly and initiate the login flow from there. + +* You can use Microsoft My Apps. When you click the MIC SAAS Portal tile in the My Apps, this will redirect to MIC SAAS Portal Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure MIC SAAS Portal you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
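Review bot: The note under the Basic SAML Configuration step says the values are placeholders but only names the Identifier, Reply URL and Sign on URL; the Reply URL pattern `https://sso.eu.micgtm.com/auth/realms/<INSTANCE>/broker/<PROVIDER>/endpoint` carries a second placeholder, `<PROVIDER>`, that is never explained. State what `<PROVIDER>` stands for, or that the support team supplies it together with `<INSTANCE>`, otherwise an admin who fills in only `<INSTANCE>` ends up with a Reply URL the service will not accept.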
active-directory | Parallels Desktop Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/parallels-desktop-tutorial.md | To configure single sign-on on **Parallels Desktop** side, follow the latest ver ### Create Parallels Desktop test user -Add existing user accounts to the Admin or User groups on the Azure AD side, following Parallels's Azure SSO setup guide that can be found on [this page](https://kb.parallels.com/en/129240). When a user account gets deactivated following their departure from the organization, that is immediately reflected in the user count of the Parallels's product license. +Add existing user accounts to the Admin or User groups on the Microsoft Entra ID side, following Parallels's Azure SSO setup guide that can be found on [this page](https://kb.parallels.com/en/129240). When a user account gets deactivated following their departure from the organization, that is immediately reflected in the user count of the Parallels's product license. ## Test SSO |
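Review bot: The rename from "Azure AD side" to "Microsoft Entra ID side" leaves "Parallels's Azure SSO setup guide" in the same sentence; if that is the linked KB article's own title it can stay, otherwise update it for consistency with the rest of the rename. Style: the double possessive "Parallels's" (used twice) reads awkwardly; "the Parallels Azure SSO setup guide" and "the Parallels product license" avoid it.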
active-directory | Prosci Portal Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/prosci-portal-tutorial.md | + + Title: Microsoft Entra SSO integration with Prosci Portal +description: Learn how to configure single sign-on between Microsoft Entra ID and Prosci Portal. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Prosci Portal ++In this tutorial, you'll learn how to integrate Prosci Portal with Microsoft Entra ID. When you integrate Prosci Portal with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Prosci Portal. +* Enable your users to be automatically signed-in to Prosci Portal with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Prosci Portal, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Prosci Portal single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Prosci Portal supports **SP** initiated SSO. ++> [!NOTE] +> Identifier of this application is a fixed string value so only one instance can be configured in one tenant. ++## Adding Prosci Portal from the gallery ++To configure the integration of Prosci Portal into Microsoft Entra ID, you need to add Prosci Portal from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Prosci Portal** in the search box. +1. 
Select **Prosci Portal** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for Prosci Portal ++Configure and test Microsoft Entra SSO with Prosci Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Prosci Portal. ++To configure and test Microsoft Entra SSO with Prosci Portal, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Prosci Portal SSO](#configure-prosci-portal-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Prosci Portal test user](#create-prosci-portal-test-user)** - to have a counterpart of B.Simon in Prosci Portal that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Prosci Portal** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type one of the following values: ++ | **Environment**| **URL** | + ||| + | Production |`urn:auth0:prosci-prod:microsoft`| + | Staging |`urn:auth0:prosci-staging:microsoft`| ++ b. In the **Reply URL** textbox, type one of the following URLs: ++ | **Environment**| **URL** | + ||| + | Production | `https://id.prosci.com/login/callback?connection=microsoft` | + | Staging | `https://id-staging.prosci.com/login/callback?connection=microsoft` | ++ c. In the **Sign on URL** textbox, type one of the following URLs: + + | **Environment**| **URL** | + ||| + | Production | `https://id.prosci.com` | + | Staging | `https://id-staging.prosci.com` | ++ d. In the **Relay State** textbox, type one of the following URLs: ++ | **Environment**| **URL** | + ||| + | Production | `https://portal.prosci.com` | + | Staging | `https://portal-staging.prosci.com` | ++ e. In the **Logout Url** textbox, type one of the following URLs: ++ | **Environment**| **URL** | + ||| + | Production | `https://id.prosci.com/logout` | + | Staging | `https://id-staging.prosci.com/logout` | ++1. 
On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate") ++1. On the **Set up Prosci Portal** section, copy the appropriate URL(s) based on your requirement. ++ ![Screenshot shows to Copy configuration URLs.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by granting access to Prosci Portal. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Prosci Portal**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. 
In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Prosci Portal SSO ++To configure single sign-on on **Prosci Portal** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Microsoft Entra admin center to [Prosci Portal support team](mailto:support@prosci.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Prosci Portal test user ++In this section, you create a user called B.Simon in Prosci Portal. Work with [Prosci Portal support team](mailto:support@prosci.com) to add the users in the Prosci Portal platform. Users must be created and activated before you use single sign-on. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Prosci Portal Sign-on URL where you can initiate the login flow. + +* Go to Prosci Portal Sign-on URL directly and initiate the login flow from there. + +* You can use Microsoft My Apps. When you click the Prosci Portal tile in the My Apps, this will redirect to Prosci Portal Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure Prosci Portal you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. 
[Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
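Review bot: The note in the Scenario description says the identifier is a fixed string so only one instance can be configured per tenant, but the Basic SAML Configuration step then lists two distinct fixed identifiers (`urn:auth0:prosci-prod:microsoft` and `urn:auth0:prosci-staging:microsoft`), so a tenant can hold one Production and one Staging instance. Reword the note to say one instance per environment, or drop it. Minor: "you'll learn" and "you'll enable" mix with the "you learn"/"you enable" wording used in the other sections of the same article.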
active-directory | Rolemapper Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/rolemapper-tutorial.md | + + Title: Microsoft Entra SSO integration with RoleMapper +description: Learn how to configure single sign-on between Microsoft Entra ID and RoleMapper. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with RoleMapper ++In this tutorial, you learn how to integrate RoleMapper with Microsoft Entra ID. When you integrate RoleMapper with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to RoleMapper. +* Enable your users to be automatically signed-in to RoleMapper with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with RoleMapper, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* RoleMapper single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* RoleMapper supports **SP and IDP** initiated SSO. +* RoleMapper supports **Just In Time** user provisioning. ++## Adding RoleMapper from the gallery ++To configure the integration of RoleMapper into Microsoft Entra ID, you need to add RoleMapper from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **RoleMapper** in the search box. +1. Select **RoleMapper** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 
++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for RoleMapper ++Configure and test Microsoft Entra SSO with RoleMapper using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in RoleMapper. ++To configure and test Microsoft Entra SSO with RoleMapper, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure RoleMapper SSO](#configure-rolemapper-sso)** - to configure the single sign-on settings on application side. + 1. **[Create RoleMapper test user](#create-rolemapper-test-user)** - to have a counterpart of B.Simon in RoleMapper that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **RoleMapper** > **Single sign-on**. +1. 
On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a value using the following pattern: + `api.role-mapper.com/sso/<CustomerName>` ++ b. In the **Reply URL** textbox, type a URL using the following pattern: + `https://api.role-mapper.com/sso/saml2/<CustomerName>` ++1. Perform the following step, if you wish to configure the application in **SP** initiated mode: ++ In the **Sign on URL** textbox, type a URL using the following pattern: + `https://api.role-mapper.com/sso/<CustomerName>` ++ > [!NOTE] + > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [RoleMapper support team](mailto:support@rolemapper.tech) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ++ ![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate") ++1. On the **Set up RoleMapper** section, copy the appropriate URL(s) based on your requirement. ++ ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). 
+1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to RoleMapper. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **RoleMapper**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure RoleMapper SSO ++To configure single sign-on on **RoleMapper** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Microsoft Entra admin center to [RoleMapper support team](mailto:support@rolemapper.tech). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create RoleMapper test user ++In this section, a user called Britta Simon is created in RoleMapper. 
RoleMapper supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in RoleMapper, a new one is created after authentication. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +#### SP initiated: + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to RoleMapper Sign on URL where you can initiate the login flow. + +* Go to RoleMapper Sign-on URL directly and initiate the login flow from there. + +#### IDP initiated: + +* Click on **Test this application** in Microsoft Entra admin center and you should be automatically signed in to the RoleMapper for which you set up the SSO. + +You can also use Microsoft My Apps to test the application in any mode. When you click the RoleMapper tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the RoleMapper for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next steps ++Once you configure RoleMapper you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
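Review bot: the "Create RoleMapper test user" section introduces the user as "Britta Simon" while every other step in this tutorial refers to `B.Simon`; use one name so the just-in-time provisioning sentence clearly applies to the account assigned in "Assign the Microsoft Entra ID test user". The "#### SP initiated:" and "#### IDP initiated:" headings under "## Test SSO" also skip the h3 level and carry trailing colons; "### SP initiated" and "### IDP initiated" would match the h2/h3 structure used by the rest of the tutorial.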
active-directory | Serenity Connect Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/serenity-connect-tutorial.md | + + Title: Microsoft Entra SSO integration with Serenity Connect. +description: Learn how to configure single sign-on between Microsoft Entra ID and Serenity Connect. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with Serenity Connect ++In this tutorial, you learn how to integrate Serenity Connect with Microsoft Entra ID. When you integrate Serenity Connect with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to Serenity Connect. +* Enable your users to be automatically signed-in to Serenity Connect with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with Serenity Connect, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Serenity Connect single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* Serenity Connect supports **SP** initiated SSO. ++## Adding Serenity Connect from the gallery ++To configure the integration of Serenity Connect into Microsoft Entra ID, you need to add Serenity Connect from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Serenity Connect** in the search box. +1. Select **Serenity Connect** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. 
++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for Serenity Connect ++Configure and test Microsoft Entra SSO with Serenity Connect using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Serenity Connect. ++To configure and test Microsoft Entra SSO with Serenity Connect, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Serenity Connect SSO](#configure-serenity-connect-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Serenity Connect test user](#create-serenity-connect-test-user)** - to have a counterpart of B.Simon in Serenity Connect that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **Enterprise applications** > **Serenity Connect** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ [ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ](common/edit-urls.png#lightbox) ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type a value using the following pattern: + `urn:amazon:cognito:sp:us-east-2_<SerenityUniqueID>` ++ b. In the **Reply URL** textbox, type the URL: + `https://serenityconnect.auth.us-east-2.amazoncognito.com/saml2/idpresponse` ++ c. In the **Sign on URL** textbox, type the URL: + `https://app.serenityconnect.com/sso-sign-in` ++ > [!NOTE] + > This value is not real. Update this value with the actual Identifier. Contact [Serenity Connect support team](mailto:hello@serenityconnect.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. ++1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ++ [ ![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate") ](common/copy-metadataurl.png#lightbox) ++### Create a Microsoft Entra ID test user ++In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. 
In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Serenity Connect. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Serenity Connect**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. ++## Configure Serenity Connect SSO ++To configure single sign-on on **Serenity Connect** side, you need to send the **App Federation Metadata Url** to [Serenity Connect support team](mailto:hello@serenityconnect.com). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create Serenity Connect test user ++In this section, you create a user called B.Simon in Serenity Connect. Work with [Serenity Connect support team](mailto:hello@serenityconnect.com) to add the users in the Serenity Connect platform. 
Users must be created and activated before you use single sign-on. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Serenity Connect Sign-on URL where you can initiate the login flow. + +* Go to Serenity Connect Sign-on URL directly and initiate the login flow from there. + +* You can use Microsoft My Apps. When you click the Serenity Connect tile in the My Apps, this will redirect to Serenity Connect Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure Serenity Connect you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app) |
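Review bot: the closing sentence under "## Next Steps" lacks a trailing period, and the heading case differs from the "## Next steps" used by the RoleMapper tutorial in this same change set; pick one form. In "Configure Microsoft Entra SSO", the `[!NOTE]` saying "This value is not real" sits after all three Basic SAML Configuration values, but only the Identifier pattern (`urn:amazon:cognito:sp:us-east-2_<SerenityUniqueID>`) carries a placeholder, while the Reply URL and Sign on URL are given as literal values; moving the note directly under step a, or stating that only the Identifier needs the vendor-supplied value, stops readers from replacing the fixed Cognito reply URL with something else.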
active-directory | Sps Production Manager Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sps-production-manager-tutorial.md | + + Title: Microsoft Entra SSO integration with SPS|Production Manager. +description: Learn how to configure single sign-on between Microsoft Entra ID and SPS|Production Manager. ++++++++ Last updated : 09/25/2023+++++# Microsoft Entra SSO integration with SPS|Production Manager ++In this tutorial, you'll learn how to integrate SPS|Production Manager with Microsoft Entra ID. When you integrate SPS|Production Manager with Microsoft Entra ID, you can: ++* Control in Microsoft Entra ID who has access to SPS|Production Manager. +* Enable your users to be automatically signed-in to SPS|Production Manager with their Microsoft Entra accounts. +* Manage your accounts in one central location. ++## Prerequisites ++To integrate Microsoft Entra ID with SPS|Production Manager, you need: ++* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* SPS|Production Manager single sign-on (SSO) enabled subscription. ++## Scenario description ++In this tutorial, you configure and test Microsoft Entra SSO in a test environment. ++* SPS|Production Manager supports **IDP** initiated SSO. ++## Adding SPS|Production Manager from the gallery ++To configure the integration of SPS|Production Manager into Microsoft Entra ID, you need to add SPS|Production Manager from the gallery to your list of managed SaaS apps. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **SPS|Production Manager** in the search box. +1. 
Select **SPS|Production Manager** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. ++Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) ++## Configure and test Microsoft Entra SSO for SPS|Production Manager ++Configure and test Microsoft Entra SSO with SPS|Production Manager using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in SPS|Production Manager. ++To configure and test Microsoft Entra SSO with SPS|Production Manager, perform the following steps: ++1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure SPS|Production Manager SSO](#configure-spsproduction-manager-sso)** - to configure the single sign-on settings on application side. + 1. **[Create SPS|Production Manager test user](#create-spsproduction-manager-test-user)** - to have a counterpart of B.Simon in SPS|Production Manager that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ++## Configure Microsoft Entra SSO ++Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. ++1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **SPS|Production Manager** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. ++ ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") ++1. On the **Basic SAML Configuration** section, perform the following steps: ++ a. In the **Identifier** textbox, type one of the following URLs: ++ | Environment | URL | + |-|-| + | Production| `https://microsoft-v20.spsinc.net/microsoft-v20` | + | Staging | `https://microsoft-v20.spsinc.net/microsoft-staging1-v20` | ++ b. In the **Reply URL** textbox, type one of the following URLs: + + | Environment | URL | + |-|-| + | Production| `https://microsoft-v20.spsinc.net/microsoft-v20/saml-auth/AssertionConsumerService` | + | Staging | `https://microsoft-v20.spsinc.net/microsoft-staging1-v20/saml-auth/AssertionConsumerService` | ++1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog. ++ ![Screenshot shows to Edit SAML Signing Certificate.](common/edit-certificate.png "Certificate") ++1. In the **SAML Signing Certificate** section, copy the **Thumbprint Value** and save it on your computer. ++ ![Screenshot shows to Copy Thumbprint value.](common/copy-thumbprint.png "Thumbprint") ++1. On the **Set up Insightsfirst** section, copy the appropriate URL(s) based on your requirement. 
++ ![Screenshot shows to copy configuration appropriate URL.](common/copy-configuration-urls.png "Metadata") ++### Create a Microsoft Entra ID test user ++In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. ++### Assign the Microsoft Entra ID test user ++In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to SPS|Production Manager. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **SPS|Production Manager**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. 
++## Configure SPS|Production Manager SSO ++To configure single sign-on on **SPS|Production Manager** side, you need to send the **Thumbprint Value** and appropriate copied URLs from Microsoft Entra admin center to [SPS|Production Manager support team](mailto:support@spsinc.net). They set this setting to have the SAML SSO connection set properly on both sides. ++### Create SPS|Production Manager test user ++In this section, you create a user called B.Simon in SPS|Production Manager. Work with [SPS|Production Manager support team](mailto:support@spsinc.net) to add the users in the SPS|Production Manager platform. Users must be created and activated before you use single sign-on. ++## Test SSO ++In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on Test this application in Microsoft Entra admin center and you should be automatically signed in to the SPS|Production Manager for which you set up the SSO. + +* You can use Microsoft My Apps. When you click the SPS|Production Manager tile in the My Apps, you should be automatically signed in to the SPS|Production Manager for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md). ++## Next Steps ++Once you configure SPS|Production Manager you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). |
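Review bot: the step "On the **Set up Insightsfirst** section, copy the appropriate URL(s)" names the wrong application; this tutorial configures SPS|Production Manager, so the section shown in the admin center is **Set up SPS|Production Manager**, and the leftover name suggests the step was copied from another tutorial without being updated. Minor: in "Test SSO", "Click on Test this application" is the only occurrence in this set of tutorials where the button label is not bold.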
active-directory | Workday Inbound Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/workday-inbound-tutorial.md | To do this change, you must use [Workday Studio](https://community.workday.com/s 5. Select **Edit attribute list for Workday**. - ![Screenshot that shows the "Workday to Microsoft Entra user Provisioning - Provisioning" page with the "Edit attribute list for Workday" action highlighted.](./media/workday-inbound-tutorial/wdstudio_aad1.png) + ![Screenshot that shows the "Workday to Microsoft Entra user provisioning - Provisioning" page with the "Edit attribute list for Workday" action highlighted.](./media/workday-inbound-tutorial/wdstudio_aad1.png) 6. Scroll to the bottom of the attribute list to where the input fields are. |
active-directory | Fedramp Identification And Authentication Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-identification-and-authentication-controls.md | Each row in the following table provides prescriptive guidance to help you devel | FedRAMP Control ID and description | Microsoft Entra guidance and recommendations | | - | - | | **IA-2 User Identification and Authentication**<br>The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). | **Uniquely identify and authenticate users or processes acting for users.**<p> Microsoft Entra ID uniquely identifies user and service principal objects directly. Microsoft Entra ID provides multiple authentication methods, and you can configure methods that adhere to National Institute of Standards and Technology (NIST) authentication assurance level (AAL) 3.<p>Identifiers <br> <li>Users: [Working with users in Microsoft Graph: ID property](/graph/api/resources/users)<br><li>Service principals: [ServicePrincipal resource type : ID property](/graph/api/resources/serviceprincipal)<p>Authentication and multifactor authentication<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) |-| **IA-2(1)**<br>The information system implements multifactor authentication for network access to privileged accounts.<br><br>**IA-2(3)**<br>The information system implements multifactor authentication for local access to privileged accounts. 
| **multifactor authentication for all access to privileged accounts.** <p>Configure the following elements for a complete solution to ensure all access to privileged accounts requires multifactor authentication.<p>Configure Conditional Access policies to require multifactor authentication for all users.<br> Implement Microsoft Entra Privileged Identity Management to require multifactor authentication for activation of privileged role assignment prior to use.<p>With Privileged Identity Management activation requirement, privilege account activation isn't possible without network access, so local access is never privileged.<p>multifactor authentication and Privileged Identity Management<br> <li>[Conditional Access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Configure Microsoft Entra role settings in Privileged Identity Management](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new) | +| **IA-2(1)**<br>The information system implements multifactor authentication for network access to privileged accounts.<br><br>**IA-2(3)**<br>The information system implements multifactor authentication for local access to privileged accounts. 
| **Multifactor authentication for all access to privileged accounts.** <p>Configure the following elements for a complete solution to ensure all access to privileged accounts requires multifactor authentication.<p>Configure Conditional Access policies to require multifactor authentication for all users.<br> Implement Microsoft Entra Privileged Identity Management to require multifactor authentication for activation of privileged role assignment prior to use.<p>With Privileged Identity Management activation requirement, privilege account activation isn't possible without network access, so local access is never privileged.<p>multifactor authentication and Privileged Identity Management<br> <li>[Conditional Access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Configure Microsoft Entra role settings in Privileged Identity Management](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new) | | **IA-2(2)**<br>The information system implements multifactor authentication for network access to non-privileged accounts.<br><br>**IA-2(4)**<br>The information system implements multifactor authentication for local access to nonprivileged accounts. | **Implement multifactor authentication for all access to nonprivileged accounts**<p>Configure the following elements as an overall solution to ensure all access to nonprivileged accounts requires MFA.<p> Configure Conditional Access policies to require MFA for all users.<br> Configure device management policies via MDM (such as Microsoft Intune), Microsoft Endpoint Manager (MEM) or group policy objects (GPO) to enforce use of specific authentication methods.<br> Configure Conditional Access policies to enforce device compliance.<p>Microsoft recommends using a multifactor cryptographic hardware authenticator (for example, FIDO2 security keys, Windows Hello for Business (with hardware TPM), or smart card) to achieve AAL3. 
If your organization is cloud-based, we recommend using FIDO2 security keys or Windows Hello for Business.<p>Windows Hello for Business hasn't been validated at the required FIPS 140 Security Level and as such federal customers would need to conduct risk assessment and evaluation before accepting it as AAL3. For more information regarding Windows Hello for Business FIPS 140 validation, see [Microsoft NIST AALs](nist-overview.md).<p>See the following guidance regarding MDM policies differ slightly based on authentication methods. <p>Smart Card / Windows Hello for Business<br> [Passwordless Strategy - Require Windows Hello for Business or smart card](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p> Hybrid Only<br> [Passwordless Strategy - Configure user accounts to disallow password authentication](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<p> Smart Card Only<br>[Create a Rule to Send an Authentication Method Claim](/windows-server/identity/ad-fs/operations/create-a-rule-to-send-an-authentication-method-claim)<br>[Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<p>FIDO2 Security Key<br> [Passwordless Strategy - Excluding the password credential provider](/windows/security/identity-protection/hello-for-business/passwordless-strategy)<br> [Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br> [Conditional Access - Require MFA for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<p>Authentication Methods<br> [Microsoft Entra passwordless sign-in (preview) | FIDO2 security 
keys](../authentication/concept-authentication-passwordless.md)<br> [Passwordless security key sign-in Windows - Microsoft Entra ID](../authentication/howto-authentication-passwordless-security-key-windows.md)<br> [ADFS: Certificate Authentication with Microsoft Entra ID and Office 365](/archive/blogs/samueld/adfs-certauth-aad-o365)<br> [How Smart Card Sign-in Works in Windows (Windows 10)](/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows)<br> [Windows Hello for Business Overview (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-overview)<p>Additional Resources:<br> [Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-configuration-service-provider)<br>[Plan a passwordless authentication deployment with Microsoft Entra ID](../authentication/howto-authentication-passwordless-deployment.md)<br> | | **IA-2(5)**<br>The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. | **When multiple users have access to a shared or group account password, require each user to first authenticate by using an individual authenticator.**<p>Use an individual account per user. If a shared account is required, Microsoft Entra ID permits binding of multiple authenticators to an account so that each user has an individual authenticator. <p>Resources<br><li>[How it works: Microsoft Entra multifactor authentication](../authentication/concept-mfa-howitworks.md)<br> <li>[Manage authentication methods for Microsoft Entra multifactor authentication](../authentication/howto-mfa-userdevicesettings.md) | | **IA-2(8)**<br>The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. 
| **Implement replay-resistant authentication mechanisms for network access to privileged accounts.**<p>Configure Conditional Access policies to require multifactor authentication for all users. All Microsoft Entra authentication methods at authentication assurance level 2 and 3 use either nonce or challenges and are resistant to replay attacks.<p>References<br> <li>[Conditional Access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) | |
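Review bot: the IA-2(1)/IA-2(3) cell now opens with the noun phrase "**Multifactor authentication for all access to privileged accounts.**", while the neighbouring IA-2(2)/IA-2(4) cell opens with the imperative "**Implement multifactor authentication for all access to nonprivileged accounts**"; "Implement multifactor authentication for all access to privileged accounts." keeps the two rows parallel. The same changed line still contains "privilege account activation" (should be "privileged account activation") and the lowercase label "multifactor authentication and Privileged Identity Management" that this capitalization fix missed. In the unchanged IA-2(2) text, "See the following guidance regarding MDM policies differ slightly based on authentication methods." is not a sentence; something like "The following MDM policy guidance differs slightly depending on the authentication method." reads correctly.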
active-directory | Plan Issuance Solution | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/verifiable-credentials/plan-issuance-solution.md | Each issuer has a single key set used for signing, updating, and recovery. This ### Microsoft Entra Verified ID service -![Diagram of Microsoft Microsoft Entra Verified ID service](media/plan-issuance-solution/plan-for-issuance-solution-verifiable-credentials-vc-services.png) +![Diagram of Microsoft Entra Verified ID service](media/plan-issuance-solution/plan-for-issuance-solution-verifiable-credentials-vc-services.png) The Microsoft Entra Verified ID service enables you to issue and revoke VCs based on your configuration. The service: |
ai-services | Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/authentication.md | Each request to an Azure AI service must include an authentication header. This * Authenticate with a [single-service](#authenticate-with-a-single-service-resource-key) or [multi-service](#authenticate-with-a-multi-service-resource-key) resource key * Authenticate with a [token](#authenticate-with-an-access-token)-* Authenticate with [Azure Active Directory (AAD)](#authenticate-with-an-access-token) +* Authenticate with [Azure Active Directory (AAD)](#authenticate-with-azure-active-directory) ## Prerequisites Let's quickly review the authentication headers available for use with Azure AI The first option is to authenticate a request with a resource key for a specific service, like Translator. The keys are available in the Azure portal for each resource that you've created. To use a resource key to authenticate a request, it must be passed along as the `Ocp-Apim-Subscription-Key` header. -These sample requests demonstrates how to use the `Ocp-Apim-Subscription-Key` header. Keep in mind, when using this sample you'll need to include a valid resource key. +These sample requests demonstrate how to use the `Ocp-Apim-Subscription-Key` header. Keep in mind, when using this sample you'll need to include a valid resource key. This is a sample call to the Translator service: ```cURL curl -X POST 'https://api.cognitive.microsofttranslator.com/translate?api-versio --data-raw '[{ "text": "How much for the cup of coffee?" }]' | json_pp ``` +## Authenticate with Azure Active Directory ++> [!IMPORTANT] +> Azure AD authentication always needs to be used together with custom subdomain name of your Azure resource. [Regional endpoints](./cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints) do not support Azure AD authentication. 
++In the previous sections, we showed you how to authenticate against Azure AI services using a single-service or multi-service subscription key. While these keys provide a quick and easy path to start development, they fall short in more complex scenarios that require Azure [role-based access control (Azure RBAC)](../../articles/role-based-access-control/overview.md). Let's take a look at what's required to authenticate using Azure Active Directory (Azure AD). ++In the following sections, you'll use either the Azure Cloud Shell environment or the Azure CLI to create a subdomain, assign roles, and obtain a bearer token to call the Azure AI services. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI. ++> [!IMPORTANT] +> If your organization is doing authentication through Azure AD, you should [disable local authentication](./disable-local-auth.md) (authentication with keys) so that users in the organization must always use Azure AD. ++### Create a resource with a custom subdomain ++The first step is to create a custom subdomain. If you want to use an existing Azure AI services resource which does not have custom subdomain name, follow the instructions in [Azure AI services custom subdomains](./cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources) to enable custom subdomain for your resource. ++1. Start by opening the Azure Cloud Shell. Then [select a subscription](/powershell/module/az.accounts/set-azcontext): ++ ```powershell-interactive + Set-AzContext -SubscriptionName <SubscriptionName> + ``` ++2. Next, [create an Azure AI services resource](/powershell/module/az.cognitiveservices/new-azcognitiveservicesaccount) with a custom subdomain. The subdomain name needs to be globally unique and cannot include special characters, such as: ".", "!", ",". 
++ ```powershell-interactive + $account = New-AzCognitiveServicesAccount -ResourceGroupName <RESOURCE_GROUP_NAME> -name <ACCOUNT_NAME> -Type <ACCOUNT_TYPE> -SkuName <SUBSCRIPTION_TYPE> -Location <REGION> -CustomSubdomainName <UNIQUE_SUBDOMAIN> + ``` ++3. If successful, the **Endpoint** should show the subdomain name unique to your resource. +++### Assign a role to a service principal ++Now that you have a custom subdomain associated with your resource, you're going to need to assign a role to a service principal. ++> [!NOTE] +> Keep in mind that Azure role assignments may take up to five minutes to propagate. ++1. First, let's register an [Azure AD application](/powershell/module/Az.Resources/New-AzADApplication). ++ ```powershell-interactive + $SecureStringPassword = ConvertTo-SecureString -String <YOUR_PASSWORD> -AsPlainText -Force ++ $app = New-AzureADApplication -DisplayName <APP_DISPLAY_NAME> -IdentifierUris <APP_URIS> -PasswordCredentials $SecureStringPassword + ``` ++ You're going to need the **ApplicationId** in the next step. ++2. Next, you need to [create a service principal](/powershell/module/az.resources/new-azadserviceprincipal) for the Azure AD application. ++ ```powershell-interactive + New-AzADServicePrincipal -ApplicationId <APPLICATION_ID> + ``` ++ >[!NOTE] + > If you register an application in the Azure portal, this step is completed for you. ++3. The last step is to [assign the "Cognitive Services User" role](/powershell/module/az.Resources/New-azRoleAssignment) to the service principal (scoped to the resource). By assigning a role, you're granting service principal access to this resource. You can grant the same service principal access to multiple resources in your subscription. + >[!NOTE] + > The ObjectId of the service principal is used, not the ObjectId for the application. + > The ACCOUNT_ID will be the Azure resource Id of the Azure AI services account you created. 
You can find Azure resource Id from "properties" of the resource in Azure portal. ++ ```azurecli-interactive + New-AzRoleAssignment -ObjectId <SERVICE_PRINCIPAL_OBJECTID> -Scope <ACCOUNT_ID> -RoleDefinitionName "Cognitive Services User" + ``` ++### Sample request ++In this sample, a password is used to authenticate the service principal. The token provided is then used to call the Computer Vision API. ++1. Get your **TenantId**: + ```powershell-interactive + $context=Get-AzContext + $context.Tenant.Id + ``` ++2. Get a token: + > [!NOTE] + > If you're using Azure Cloud Shell, the `SecureClientSecret` class isn't available. ++ #### [PowerShell](#tab/powershell) + ```powershell-interactive + $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList "https://login.windows.net/<TENANT_ID>" + $secureSecretObject = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.SecureClientSecret" -ArgumentList $SecureStringPassword + $clientCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential" -ArgumentList $app.ApplicationId, $secureSecretObject + $token=$authContext.AcquireTokenAsync("https://cognitiveservices.azure.com/", $clientCredential).Result + $token + ``` + + #### [Azure Cloud Shell](#tab/azure-cloud-shell) + ```Azure Cloud Shell + $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList "https://login.windows.net/<TENANT_ID>" + $clientCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential" -ArgumentList $app.ApplicationId, <YOUR_PASSWORD> + $token=$authContext.AcquireTokenAsync("https://cognitiveservices.azure.com/", $clientCredential).Result + $token + ``` ++ ++3. 
Call the Computer Vision API: + ```powershell-interactive + $url = $account.Endpoint+"vision/v1.0/models" + $result = Invoke-RestMethod -Uri $url -Method Get -Headers @{"Authorization"=$token.CreateAuthorizationHeader()} -Verbose + $result | ConvertTo-Json + ``` ++Alternatively, the service principal can be authenticated with a certificate. Besides service principal, user principal is also supported by having permissions delegated through another Azure AD application. In this case, instead of passwords or certificates, users would be prompted for two-factor authentication when acquiring token. ++## Authorize access to managed identities + +Azure AI services support Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../../articles/active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Azure AI services resources using Azure AD credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. ++### Enable managed identities on a VM ++Before you can use managed identities for Azure resources to authorize access to Azure AI services resources from your VM, you must enable managed identities for Azure resources on the VM. 
To learn how to enable managed identities for Azure Resources, see: ++- [Azure portal](../../articles/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md) +- [Azure PowerShell](../../articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md) +- [Azure CLI](../../articles/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm.md) +- [Azure Resource Manager template](../../articles/active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md) +- [Azure Resource Manager client libraries](../../articles/active-directory/managed-identities-azure-resources/qs-configure-sdk-windows-vm.md) ++For more information about managed identities, see [Managed identities for Azure resources](../../articles/active-directory/managed-identities-azure-resources/overview.md). ## Use Azure key vault to securely access credentials |
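Review bot: the "Assign a role to a service principal" step does not run as written. The text links New-AzADApplication (Az.Resources), but the code calls `New-AzureADApplication -DisplayName <APP_DISPLAY_NAME> -IdentifierUris <APP_URIS> -PasswordCredentials $SecureStringPassword`, a cmdlet from the separate AzureAD module whose -PasswordCredentials parameter takes PasswordCredential objects rather than a SecureString, and the later `$app.ApplicationId` and `New-AzADServicePrincipal -ApplicationId <APPLICATION_ID>` assume the Az output shape. Use one module throughout (Az, since every other cmdlet on the page is Az) and make the property names match that module's output. In the "Get a token" step, `Microsoft.IdentityModel.Clients.ActiveDirectory` is ADAL, which Microsoft has deprecated; `Get-AzAccessToken -ResourceUrl "https://cognitiveservices.azure.com"` after `Connect-AzAccount -ServicePrincipal` returns a token for the same audience from the module the reader already has loaded, and it removes the Cloud Shell tab's `<YOUR_PASSWORD>` literal, which puts the client secret in plain text on the command line and in shell history. Two smaller fixes: the New-AzRoleAssignment fence is tagged azurecli-interactive although the command is PowerShell, and "```Azure Cloud Shell" is not a fence language tag, so that block will not highlight as code.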
ai-services | Disable Local Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/disable-local-auth.md | + + Title: Disable local authentication in Azure AI Services ++description: "This article describes disabling local authentication in Azure AI Services." +++++ Last updated : 09/22/2023++++# Disable local authentication in Azure AI Services ++Azure AI Services provides Azure Active Directory (Azure AD) authentication support for all resources. This gives organizations control to disable local authentication methods and enforce Azure AD authentication. This feature provides you with seamless integration when you require centralized control and management of identities and resource credentials. ++You can disable local authentication using the Azure policy [Cognitive Services accounts should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc). You can set it at the subscription level or resource group level to enforce the policy for a group of services. ++Disabling local authentication doesn't take effect immediately. Allow a few minutes for the service to block future authentication requests. ++You can use PowerShell to determine whether the local authentication policy is currently enabled. First sign in with the `Connect-AzAccount` command. Then use the cmdlet **[Get-AzCognitiveServicesAccount](/powershell/module/az.cognitiveservices/get-azcognitiveservicesaccount)** to retrieve your resource, and check the property `DisableLocalAuth`. A value of `true` means local authentication is disabled. +++## Re-enable local authentication ++To enable local authentication, execute the PowerShell cmdlet **[Set-AzCognitiveServicesAccount](/powershell/module/az.cognitiveservices/set-azcognitiveservicesaccount)** with the parameter `-DisableLocalAuth false`.  
Allow a few minutes for the service to accept the change to allow local authentication requests. ++## Next steps +- [Authenticate requests to Azure AI services](./authentication.md) |
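Review bot: the re-enable step's `-DisableLocalAuth false` passes the string "false", which PowerShell does not coerce to a Boolean parameter; it should read `Set-AzCognitiveServicesAccount -DisableLocalAuth $false`, and the page should also show the mirror image, `-DisableLocalAuth $true`, because it currently explains disabling only through the Azure Policy definition and leaves a reader who wants to disable one account from PowerShell to guess the command. The sentence "determine whether the local authentication policy is currently enabled" conflates the policy assignment with the account property: Get-AzCognitiveServicesAccount reports the resource's DisableLocalAuth value, not whether a policy is assigned. The policy link also points at ms.portal.azure.com rather than the public portal.azure.com host readers expect.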
ai-services | Batch Synthesis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/batch-synthesis.md | description: Learn how to use the batch synthesis API for asynchronous synthesis --+ Last updated 11/16/2022 |
ai-services | Batch Transcription Audio Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/batch-transcription-audio-data.md | |
ai-services | Batch Transcription Create | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/batch-transcription-create.md | |
ai-services | Batch Transcription Get | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/batch-transcription-get.md | |
ai-services | Batch Transcription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/batch-transcription.md | |
ai-services | Call Center Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/call-center-overview.md | description: Azure AI services for Language and Speech can help you realize part --+ Last updated 09/18/2022 |
ai-services | Call Center Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/call-center-quickstart.md | description: In this quickstart, you perform sentiment analysis and conversation --+ Last updated 09/20/2022 |
ai-services | Call Center Telephony Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/call-center-telephony-integration.md | description: A common scenario for speech to text is transcribing large volumes --+ Last updated 08/10/2022 |
ai-services | Captioning Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/captioning-concepts.md | description: An overview of key concepts for captioning with speech to text. --+ Last updated 06/02/2022 |
ai-services | Captioning Quickstart | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/captioning-quickstart.md | description: In this quickstart, you convert speech to text as captions. --+ Last updated 04/23/2022 |
ai-services | Custom Commands Encryption Of Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-commands-encryption-of-data-at-rest.md | description: Custom Commands encryption of data at rest. --+ Last updated 07/05/2020 |
ai-services | Custom Commands References | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-commands-references.md | description: In this article, you learn about concepts and definitions for Custo --+ Last updated 06/18/2020 |
ai-services | Custom Commands | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-commands.md | description: An overview of the features, capabilities, and restrictions for Cus --+ Last updated 03/11/2020 |
ai-services | Custom Keyword Basics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-keyword-basics.md | description: When a user speaks the keyword, your device sends their dictation t --+ Last updated 11/12/2021 |
ai-services | Custom Neural Voice Lite | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-neural-voice-lite.md | description: Use Custom Neural Voice Lite to demo and evaluate Custom Neural Voi --+ Last updated 10/27/2022 |
ai-services | Custom Neural Voice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-neural-voice.md | description: Custom Neural Voice is a text to speech feature that allows you to --+ Last updated 03/27/2023 |
ai-services | Custom Speech Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/custom-speech-overview.md | description: Custom Speech is a set of online tools that allows you to evaluate --+ Last updated 09/15/2023 |
ai-services | Devices Sdk Release Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/devices-sdk-release-notes.md | description: The release notes provide a log of updates, enhancements, bug fixes --+ Last updated 02/12/2022 |
ai-services | Direct Line Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/direct-line-speech.md | description: An overview of the features, capabilities, and restrictions for Voi --+ Last updated 03/11/2020 |
ai-services | Display Text Format | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/display-text-format.md | description: An overview of key concepts for display text formatting with speech --+ Last updated 09/19/2022 |
ai-services | Embedded Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/embedded-speech.md | description: Embedded Speech is designed for on-device scenarios where cloud con --+ Last updated 10/31/2022 |
ai-services | Gaming Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/gaming-concepts.md | description: Concepts for game development with Azure AI Speech. --+ Last updated 01/25/2023 |
ai-services | Get Speech Recognition Results | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-speech-recognition-results.md | description: Learn how to get speech recognition results. --+ Last updated 06/13/2022 |
ai-services | Get Started Intent Recognition Clu | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-intent-recognition-clu.md | description: In this quickstart, you recognize intents from audio data with the --+ Last updated 02/22/2023 |
ai-services | Get Started Intent Recognition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-intent-recognition.md | description: In this quickstart, you recognize intents from audio data with the --+ Last updated 02/22/2023 |
ai-services | Get Started Speaker Recognition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-speaker-recognition.md | description: In this quickstart, you use speaker recognition to confirm who is s --+ Last updated 01/08/2022 |
ai-services | Get Started Speech To Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-speech-to-text.md | description: In this quickstart, learn how to convert speech to text with recogn --+ Last updated 08/24/2023 |
ai-services | Get Started Speech Translation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-speech-translation.md | description: In this quickstart, you translate speech from one language to text --+ Last updated 09/16/2022 |
ai-services | Get Started Stt Diarization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-stt-diarization.md | description: In this quickstart, you convert speech to text continuously from a --+ Last updated 7/27/2023 |
ai-services | Get Started Text To Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/get-started-text-to-speech.md | description: In this quickstart, you convert text to speech. Learn about object --+ Last updated 08/25/2023 |
ai-services | How To Async Meeting Transcription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-async-meeting-transcription.md | |
ai-services | How To Audio Content Creation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-audio-content-creation.md | description: Audio Content Creation is an online tool that allows you to run Tex --+ Last updated 09/25/2022 |
ai-services | How To Configure Azure Ad Auth | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-configure-azure-ad-auth.md | description: Learn how to authenticate using Azure Active Directory Authenticati --+ Last updated 06/18/2021 |
ai-services | How To Configure Openssl Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-configure-openssl-linux.md | description: Learn how to configure OpenSSL for Linux. --+ Last updated 06/22/2022 |
ai-services | How To Configure Rhel Centos 7 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-configure-rhel-centos-7.md | description: Learn how to configure RHEL/CentOS 7 so that the Speech SDK can be --+ Last updated 04/01/2022 |
ai-services | How To Control Connections | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-control-connections.md | description: Learn how to monitor for connection status and manually connect or --+ Last updated 04/12/2021 |
ai-services | How To Custom Commands Debug Build Time | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-debug-build-time.md | description: In this article, you learn how to debug errors when authoring Custo --+ Last updated 06/18/2020 |
ai-services | How To Custom Commands Debug Runtime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-debug-runtime.md | description: In this article, you learn how to debug runtime errors in a Custom --+ Last updated 06/18/2020 |
ai-services | How To Custom Commands Deploy Cicd | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-deploy-cicd.md | description: In this article, you learn how to set up continuous deployment for --+ Last updated 06/18/2020 |
ai-services | How To Custom Commands Developer Flow Test | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-developer-flow-test.md | description: In this article, you learn different approaches to testing a custom --+ Last updated 06/18/2020 |
ai-services | How To Custom Commands Send Activity To Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-send-activity-to-client.md | description: In this article, you learn how to send activity from a Custom Comma --+ Last updated 06/18/2020 |
ai-services | How To Custom Commands Setup Speech Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-setup-speech-sdk.md | description: how to make requests to a published Custom Commands application fro --+ Last updated 06/18/2020 |
ai-services | How To Custom Commands Setup Web Endpoints | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-setup-web-endpoints.md | description: set up web endpoints for Custom Commands --+ Last updated 06/18/2020 |
ai-services | How To Custom Commands Update Command From Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-update-command-from-client.md | description: Learn how to update a command from a client application. --+ Last updated 10/20/2020 |
ai-services | How To Custom Commands Update Command From Web Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-commands-update-command-from-web-endpoint.md | description: Learn how to update the state of a command by using a call to a web --+ Last updated 10/20/2020 |
ai-services | How To Custom Speech Continuous Integration Continuous Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-continuous-integration-continuous-deployment.md | description: Apply DevOps with Custom Speech and CI/CD workflows. Implement an e --+ Last updated 05/08/2022 |
ai-services | How To Custom Speech Create Project | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-create-project.md | description: Learn about how to create a project for Custom Speech. --+ Last updated 11/29/2022 |
ai-services | How To Custom Speech Deploy Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-deploy-model.md | description: Learn how to deploy Custom Speech models. --+ Last updated 11/29/2022 |
ai-services | How To Custom Speech Evaluate Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-evaluate-data.md | description: In this article, you learn how to quantitatively measure and improv --+ Last updated 11/29/2022 |
ai-services | How To Custom Speech Human Labeled Transcriptions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-human-labeled-transcriptions.md | description: You use human-labeled transcriptions with your audio data to improv --+ Last updated 05/08/2022 |
ai-services | How To Custom Speech Inspect Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-inspect-data.md | description: Custom Speech lets you qualitatively inspect the recognition qualit --+ Last updated 11/29/2022 |
ai-services | How To Custom Speech Model And Endpoint Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-model-and-endpoint-lifecycle.md | description: Custom Speech provides base models for training and lets you create --+ Last updated 11/29/2022 |
ai-services | How To Custom Speech Test And Train | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-test-and-train.md | description: Learn about types of training and testing data for a Custom Speech --+ Last updated 10/24/2022 |
ai-services | How To Custom Speech Train Model | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-train-model.md | description: Learn how to train Custom Speech models. Training a speech to text --+ Last updated 09/15/2023 |
ai-services | How To Custom Speech Transcription Editor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-transcription-editor.md | description: The online transcription editor allows you to create or edit audio --+ Last updated 05/08/2022 |
ai-services | How To Custom Speech Upload Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-speech-upload-data.md | description: Learn about how to upload data to test or train a Custom Speech mod --+ Last updated 11/29/2022 |
ai-services | How To Custom Voice Create Voice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-voice-create-voice.md | description: Learn how to train a custom neural voice through the Speech Studio --+ Last updated 08/25/2023 |
ai-services | How To Custom Voice Prepare Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-voice-prepare-data.md | description: "Learn how to provide studio recordings and the associated scripts --+ Last updated 10/27/2022 |
ai-services | How To Custom Voice Talent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-voice-talent.md | description: Create a voice talent profile with an audio file recorded by the vo --+ Last updated 10/27/2022 |
ai-services | How To Custom Voice Training Data | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-voice-training-data.md | description: "Learn about the data types that you can use to train a Custom Neur --+ Last updated 10/27/2022 |
ai-services | How To Custom Voice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-custom-voice.md | description: Learn how to create a Custom Neural Voice project that contains dat --+ Last updated 10/27/2022 |
ai-services | How To Deploy And Use Endpoint | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-deploy-and-use-endpoint.md | description: Learn about how to deploy and use a custom neural voice model. --+ Last updated 11/30/2022 |
ai-services | How To Develop Custom Commands Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-develop-custom-commands-application.md | |
ai-services | How To Lower Speech Synthesis Latency | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-lower-speech-synthesis-latency.md | description: How to lower speech synthesis latency using Speech SDK, including s --+ Last updated 04/29/2021 |
ai-services | How To Migrate To Custom Neural Voice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-migrate-to-custom-neural-voice.md | description: This document helps users migrate from custom voice to custom neura --+ Last updated 11/12/2021 |
ai-services | How To Migrate To Prebuilt Neural Voice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-migrate-to-prebuilt-neural-voice.md | description: This document helps users migrate from prebuilt standard voice to p --+ Last updated 11/12/2021 |
ai-services | How To Pronunciation Assessment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-pronunciation-assessment.md | description: Learn about pronunciation assessment features that are currently pu --+ Last updated 06/05/2023 |
ai-services | How To Recognize Intents From Speech Csharp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-recognize-intents-from-speech-csharp.md | description: In this guide, you learn how to recognize intents from speech using --+ Last updated 02/08/2022 |
ai-services | How To Recognize Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-recognize-speech.md | description: Learn how to convert speech to text, including object construction, --+ Last updated 09/01/2023 |
ai-services | How To Select Audio Input Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-select-audio-input-devices.md | description: 'Learn about selecting audio input devices in the Speech SDK (C++, --+ Last updated 07/05/2019 |
ai-services | How To Speech Synthesis Viseme | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-speech-synthesis-viseme.md | description: Speech SDK supports viseme events during speech synthesis, which re --+ Last updated 10/23/2022 |
ai-services | How To Speech Synthesis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-speech-synthesis.md | |
ai-services | How To Track Speech Sdk Memory Usage | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-track-speech-sdk-memory-usage.md | description: The Speech SDK supports numerous programming languages for speech t --+ Last updated 12/10/2019 |
ai-services | How To Translate Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-translate-speech.md | description: Learn how to translate speech from one language to text in another --+ Last updated 06/08/2022 |
ai-services | How To Use Audio Input Streams | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-use-audio-input-streams.md | description: An overview of the capabilities of the Speech SDK audio input strea --+ Last updated 05/09/2023 |
ai-services | How To Use Codec Compressed Audio Input Streams | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-use-codec-compressed-audio-input-streams.md | |
ai-services | How To Use Custom Entity Pattern Matching | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-use-custom-entity-pattern-matching.md | description: In this guide, you learn how to recognize intents and custom entiti --+ Last updated 11/15/2021 |
ai-services | How To Use Logging | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-use-logging.md | |
ai-services | How To Use Meeting Transcription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-use-meeting-transcription.md | description: In this quickstart, learn how to transcribe meetings. You can add, --+ Last updated 05/06/2023 |
ai-services | How To Use Simple Language Pattern Matching | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-use-simple-language-pattern-matching.md | description: In this guide, you learn how to recognize intents and entities from --+ Last updated 04/19/2022 |
ai-services | How To Windows Voice Assistants Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/how-to-windows-voice-assistants-get-started.md | description: The steps to begin developing a windows voice agent, including a re --+ Last updated 04/15/2020 |
ai-services | Improve Accuracy Phrase List | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/improve-accuracy-phrase-list.md | Title: Improve recognition accuracy with phrase list description: Phrase lists can be used to customize speech recognition results based on context. --+ Last updated 09/01/2022 |
ai-services | Ingestion Client | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/ingestion-client.md | description: In this article we describe a tool released on GitHub that enables --+ Last updated 08/29/2022 |
ai-services | Intent Recognition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/intent-recognition.md | |
ai-services | Language Identification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/language-identification.md | description: Language identification is used to determine the language being spo --+ Last updated 9/19/2023 |
ai-services | Language Learning Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/language-learning-overview.md | description: Azure AI services for Speech can be used to learn languages. --+ Last updated 02/23/2023 |
ai-services | Language Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/language-support.md | description: The Speech service supports numerous languages for speech to text a --+ Last updated 01/12/2023 |
ai-services | Meeting Transcription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/meeting-transcription.md | description: You use the meeting transcription feature for meetings. It combines --+ Last updated 05/06/2023 |
ai-services | Migrate To Batch Synthesis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/migrate-to-batch-synthesis.md | description: This document helps developers migrate code from Long Audio REST AP --+ Last updated 09/01/2022 |
ai-services | Migrate V2 To V3 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/migrate-v2-to-v3.md | description: This document helps developers migrate code from v2 to v3 of the Sp --+ Last updated 09/15/2023 |
ai-services | Migrate V3 0 To V3 1 | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/migrate-v3-0-to-v3-1.md | description: This document helps developers migrate code from v3.0 to v3.1 of th --+ Last updated 09/15/2023 |
ai-services | Migration Overview Neural Voice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/migration-overview-neural-voice.md | description: This document summarizes the benefits of migration from non-neural --+ Last updated 11/12/2021 |
ai-services | Multi Device Conversation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/multi-device-conversation.md | description: Multi-device conversation makes it easy to create a speech or text --+ Last updated 02/19/2022 |
ai-services | Openai Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/openai-speech.md | description: In this how-to guide, you can use Speech to converse with Azure Ope --+ Last updated 04/15/2023 |
ai-services | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/overview.md | description: The Speech service provides speech to text, text to speech, and spe --+ Last updated 09/16/2022 |
ai-services | Pattern Matching Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/pattern-matching-overview.md | description: Pattern Matching with the IntentRecognizer helps you get started qu --+ Last updated 11/15/2021 keywords: intent recognition pattern matching |
ai-services | Power Automate Batch Transcription | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/power-automate-batch-transcription.md | |
ai-services | Pronunciation Assessment Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/pronunciation-assessment-tool.md | description: The pronunciation assessment tool in Speech Studio gives you feedba --+ Last updated 09/08/2022 |
ai-services | Quickstart Custom Commands Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/quickstart-custom-commands-application.md | description: In this quickstart, you create and test a basic Custom Commands app --+ Last updated 02/19/2022 |
ai-services | Multi Device Conversation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/quickstarts/multi-device-conversation.md | description: In this quickstart, you'll learn how to create and join clients to --+ Last updated 06/25/2020 |
ai-services | Setup Platform | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/quickstarts/setup-platform.md | description: In this quickstart, you learn how to install the Speech SDK for you --+ Last updated 09/05/2023 |
ai-services | Voice Assistants | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/quickstarts/voice-assistants.md | description: In this quickstart, you use the Speech SDK to create a custom voice --+ Last updated 06/25/2020 |
ai-services | Record Custom Voice Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/record-custom-voice-samples.md | description: Make a production-quality custom voice by preparing a robust script --+ Last updated 10/14/2022 |
ai-services | Regions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/regions.md | description: A list of available regions and endpoints for the Speech service, i --+ Last updated 09/16/2022 |
ai-services | Releasenotes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/releasenotes.md | |
ai-services | Resiliency And Recovery Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/resiliency-and-recovery-plan.md | |
ai-services | Rest Speech To Text Short | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/rest-speech-to-text-short.md | description: Learn how to use Speech to text REST API for short audio to convert --+ Last updated 05/02/2023 |
ai-services | Rest Speech To Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/rest-speech-to-text.md | description: Get reference documentation for Speech to text REST API. --+ Last updated 09/15/2023 |
ai-services | Rest Text To Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/rest-text-to-speech.md | description: Learn how to use the REST API to convert text into synthesized spee --+ Last updated 01/24/2022 |
ai-services | Role Based Access Control | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/role-based-access-control.md | description: Learn how to assign access roles for a Speech resource. --+ Last updated 04/03/2022 |
ai-services | Speaker Recognition Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speaker-recognition-overview.md | description: Speaker recognition provides algorithms that verify and identify sp --+ Last updated 01/08/2022 |
ai-services | Speech Container Batch Processing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-batch-processing.md | description: Use the Batch processing kit to scale Speech container requests. --+ Last updated 10/22/2020 |
ai-services | Speech Container Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-configuration.md | description: Speech service provides each container with a common configuration --+ Last updated 04/18/2023 |
ai-services | Speech Container Cstt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-cstt.md | description: Install and run custom speech to text containers with Docker to per --+ Last updated 08/29/2023 |
ai-services | Speech Container Howto On Premises | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-howto-on-premises.md | description: Using Kubernetes and Helm to define the speech to text and text to --+ Last updated 07/22/2021 |
ai-services | Speech Container Howto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-howto.md | description: Use the Speech containers with Docker to perform speech recognition --+ Last updated 04/18/2023 |
ai-services | Speech Container Lid | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-lid.md | description: Install and run language identification containers with Docker to p --+ Last updated 08/28/2023 |
ai-services | Speech Container Ntts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-ntts.md | description: Install and run neural text to speech containers with Docker to per --+ Last updated 08/28/2023 |
ai-services | Speech Container Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-overview.md | description: Use the Docker containers for the Speech service to perform speech --+ Last updated 09/11/2023 |
ai-services | Speech Container Stt | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-container-stt.md | description: Install and run speech to text containers with Docker to perform sp --+ Last updated 08/28/2023 |
ai-services | Speech Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-devices.md | description: Get started with the Speech devices. The Speech service works with --+ Last updated 12/27/2021 |
ai-services | Speech Encryption Of Data At Rest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-encryption-of-data-at-rest.md | |
ai-services | Speech Sdk Microphone | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-sdk-microphone.md | description: Speech SDK microphone array recommendations. These array geometries --+ Last updated 12/27/2021 |
ai-services | Speech Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-sdk.md | description: The Speech software development kit (SDK) exposes many of the Speec --+ Last updated 09/16/2022 |
ai-services | Speech Ssml Phonetic Sets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-ssml-phonetic-sets.md | description: This article presents Speech service phonetic alphabet and Internat --+ Last updated 09/16/2022 |
ai-services | Speech Studio Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-studio-overview.md | description: Speech Studio is a set of UI-based tools for building and integrati --+ Last updated 09/25/2022 |
ai-services | Speech Synthesis Markup Pronunciation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-synthesis-markup-pronunciation.md | description: Learn about Speech Synthesis Markup Language (SSML) elements to imp --+ Last updated 11/30/2022 |
ai-services | Speech Synthesis Markup Structure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-synthesis-markup-structure.md | description: Learn about the Speech Synthesis Markup Language (SSML) document st --+ Last updated 11/30/2022 |
ai-services | Speech Synthesis Markup Voice | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-synthesis-markup-voice.md | description: Learn about how you can use Speech Synthesis Markup Language (SSML) --+ Last updated 8/24/2023 |
ai-services | Speech Synthesis Markup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-synthesis-markup.md | description: Learn how to use the Speech Synthesis Markup Language to control pr --+ Last updated 8/16/2023 |
ai-services | Speech To Text | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-to-text.md | description: Get an overview of the benefits and capabilities of the speech to t --+ Last updated 04/05/2023 |
ai-services | Speech Translation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/speech-translation.md | description: With speech translation, you can add end-to-end, real-time, multi-l --+ Last updated 09/16/2022 |
ai-services | Spx Basics | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/spx-basics.md | description: In this Azure AI Speech CLI quickstart, you interact with speech to --+ Last updated 09/16/2022 |
ai-services | Spx Batch Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/spx-batch-operations.md | description: Learn how to do batch speech to text (speech recognition), batch te --+ Last updated 09/16/2022 |
ai-services | Spx Data Store Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/spx-data-store-configuration.md | |
ai-services | Spx Output Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/spx-output-options.md | |
ai-services | Spx Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/spx-overview.md | description: In this article, you learn about the Speech CLI, a command-line too --+ Last updated 09/16/2022 |
ai-services | Swagger Documentation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/swagger-documentation.md | |
ai-services | Text To Speech | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/text-to-speech.md | description: Get an overview of the benefits and capabilities of the text to spe --+ Last updated 09/25/2022 |
ai-services | Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/troubleshooting.md | description: This article provides information to help you solve issues you migh --+ Last updated 12/08/2022 |
ai-services | Tutorial Voice Enable Your Bot Speech Sdk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/tutorial-voice-enable-your-bot-speech-sdk.md | description: In this tutorial, you'll create an echo bot and configure a client --+ Last updated 01/24/2022 |
ai-services | Voice Assistants | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/voice-assistants.md | description: An overview of the features, capabilities, and restrictions for voi --+ Last updated 03/11/2020 |
ai-services | Windows Voice Assistants Automatic Enablement Guidelines | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/windows-voice-assistants-automatic-enablement-guidelines.md | description: The instructions to enable voice activation for a voice agent by d --+ Last updated 04/15/2020 |
ai-services | Windows Voice Assistants Best Practices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/windows-voice-assistants-best-practices.md | description: Guidelines for best practices when designing a voice agent experien --+ Last updated 05/1/2020 |
ai-services | Windows Voice Assistants Implementation Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/windows-voice-assistants-implementation-guide.md | description: The instructions to implement voice activation and above-lock capab --+ Last updated 04/15/2020 |
ai-services | Windows Voice Assistants Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/windows-voice-assistants-overview.md | description: An overview of the voice assistants on Windows, including capabilit --+ Last updated 02/19/2022 |
aks | Cluster Autoscaler | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/cluster-autoscaler.md | Title: Use the cluster autoscaler in Azure Kubernetes Service (AKS) description: Learn how to use the cluster autoscaler to automatically scale your Azure Kubernetes Service (AKS) clusters to meet application demands. Previously updated : 07/14/2023 Last updated : 09/26/2023 # Automatically scale a cluster to meet application demands on Azure Kubernetes Service (AKS) To keep up with application demands in Azure Kubernetes Service (AKS), you may need to adjust the number of nodes that run your workloads. The cluster autoscaler component watches for pods in your cluster that can't be scheduled because of resource constraints. When the cluster autoscaler detects issues, it scales up the number of nodes in the node pool to meet the application demand. It also regularly checks nodes for a lack of running pods and scales down the number of nodes as needed. -This article shows you how to enable and manage the cluster autoscaler in an AKS cluster. +This article shows you how to enable and manage the cluster autoscaler in an AKS cluster, which is based on the open source [Kubernetes][kubernetes-cluster-autoscaler] version. ## Before you begin This article requires Azure CLI version 2.0.76 or later. Run `az --version` to f ## About the cluster autoscaler -To adjust to changing application demands, such as between workdays and evenings or weekends, clusters often need a way to automatically scale. AKS clusters can scale in one of two ways: +To adjust to changing application demands, such as between workdays and evenings or weekends, clusters often need a way to automatically scale. AKS clusters can scale in the following ways: -* The **cluster autoscaler** watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes. 
For more information, see [How does scale-up work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-up-work) -* The **horizontal pod autoscaler** uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand. +* The **cluster autoscaler** periodically checks for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes. For more information, see [How does scale-up work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-up-work). +* The **[Horizontal Pod Autoscaler][horizontal-pod-autoscaler]** uses the Metrics Server in a Kubernetes cluster to monitor the resource demand of pods. If an application needs more resources, the number of pods is automatically increased to meet the demand. +* **[Vertical Pod Autoscaler][vertical-pod-autoscaler]** (preview) automatically sets resource requests and limits on containers per workload based on past usage to ensure pods are scheduled onto nodes that have the required CPU and memory resources. :::image type="content" source="media/autoscaler/cluster-autoscaler.png" alt-text="Screenshot of how the cluster autoscaler and horizontal pod autoscaler often work together to support the required application demands."::: -Both the horizontal pod autoscaler and cluster autoscaler can decrease the number of pods and nodes as needed. The cluster autoscaler decreases the number of nodes when there has been unused capacity after a period of time. Any pods on a node removed by the cluster autoscaler are safely scheduled elsewhere in the cluster. +The Horizontal Pod Autoscaler scales the number of pod replicas as needed, and the cluster autoscaler scales the number of nodes in a node pool as needed. 
The cluster autoscaler decreases the number of nodes when there has been unused capacity after a period of time. Any pods on a node removed by the cluster autoscaler are safely scheduled elsewhere in the cluster. -With autoscaling enabled, when the node pool size is lower than the minimum or greater than the maximum it applies the scaling rules. Next, the autoscaler waits to take effect until a new node is needed in the node pool or until a node may be safely deleted from the current node pool. For more information, see [How does scale-down work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-down-work) +While Vertical Pod Autoscaler or Horizontal Pod Autoscaler can be used to automatically adjust the number of Kubernetes pods in a workload, the number of nodes also needs to be able to scale to meet the computational needs of the pods. The cluster autoscaler addresses that need, handling scale up and scale down of Kubernetes nodes. It is common practice to enable cluster autoscaler for nodes, and either Vertical Pod Autoscaler or Horizontal Pod Autoscalers for pods. ++The cluster autoscaler and Horizontal Pod Autoscaler can work together and are often both deployed in a cluster. When combined, the Horizontal Pod Autoscaler runs the number of pods required to meet application demand, and the cluster autoscaler runs the number of nodes required to support the scheduled pods. ++> [!NOTE] +> Manual scaling is disabled when you use the cluster autoscaler. Let the cluster autoscaler determine the required number of nodes. If you want to manually scale your cluster, [disable the cluster autoscaler](#disable-the-cluster-autoscaler-on-a-cluster). ++With cluster autoscaler enabled, when the node pool size is lower than the minimum or greater than the maximum it applies the scaling rules. 
Next, the autoscaler waits to take effect until a new node is needed in the node pool or until a node may be safely deleted from the current node pool. For more information, see [How does scale-down work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-down-work) The cluster autoscaler may be unable to scale down if pods can't move, such as in the following situations: The cluster autoscaler may be unable to scale down if pods can't move, such as i For more information, see [What types of pods can prevent the cluster autoscaler from removing a node?][autoscaler-scaledown] -The cluster autoscaler uses startup parameters for things like time intervals between scale events and resource thresholds. For more information on what parameters the cluster autoscaler uses, see [using the autoscaler profile](#use-the-cluster-autoscaler-profile). --The cluster autoscaler and horizontal pod autoscaler can work together and are often both deployed in a cluster. When combined, the horizontal pod autoscaler runs the number of pods required to meet application demand, and the cluster autoscaler runs the number of nodes required to support the scheduled pods. +## Use the cluster autoscaler on your AKS cluster -> [!NOTE] -> Manual scaling is disabled when you use the cluster autoscaler. Let the cluster autoscaler determine the required number of nodes. If you want to manually scale your cluster, [disable the cluster autoscaler](#disable-the-cluster-autoscaler-on-a-cluster). +In this section, you deploy, upgrade, disable, or re-enable the cluster autoscaler on your cluster. -## Use the cluster autoscaler on your AKS cluster +The cluster autoscaler uses startup parameters for things like time intervals between scale events and resource thresholds. For more information on what parameters the cluster autoscaler uses, see [using the autoscaler profile](#use-the-cluster-autoscaler-profile). 
### Enable the cluster autoscaler on a new cluster To further help improve cluster resource utilization and free up CPU and memory [az-aks-update]: /cli/azure/aks#az-aks-update [az-aks-scale]: /cli/azure/aks#az-aks-scale [vertical-pod-autoscaler]: vertical-pod-autoscaler.md+[horizontal-pod-autoscaler]:concepts-scale.md#horizontal-pod-autoscaler [az-group-create]: /cli/azure/group#az_group_create <!-- LINKS - external --> To further help improve cluster resource utilization and free up CPU and memory [kubernetes-hpa]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ [kubernetes-hpa-walkthrough]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/ [metrics-server]: https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/#metrics-server+[kubernetes-cluster-autoscaler]: https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler |
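Review bot: The new link reference definition `[horizontal-pod-autoscaler]:concepts-scale.md#horizontal-pod-autoscaler` omits the space after the colon that the neighbouring definitions use (for example `[vertical-pod-autoscaler]: vertical-pod-autoscaler.md`); suggest `[horizontal-pod-autoscaler]: concepts-scale.md#horizontal-pod-autoscaler` for consistency. In the same region, the retained sentence "With cluster autoscaler enabled, when the node pool size is lower than the minimum or greater than the maximum it applies the scaling rules." leaves "it" without a clear antecedent; consider "the cluster autoscaler applies the scaling rules" and a comma after "maximum".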
aks | Configure Kubenet | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/configure-kubenet.md | With *Azure CNI*, each pod receives an IP address in the IP subnet and can commu * An additional hop is required in the design of kubenet, which adds minor latency to pod communication. * Route tables and user-defined routes are required for using kubenet, which adds complexity to operations.+ * For more information, see [Customize cluster egress with a user-defined routing table in AKS](./egress-udr.md) and [Customize cluster egress with outbound types in AKS](./egress-outboundtype.md). * Direct pod addressing isn't supported for kubenet due to kubenet design. * Unlike Azure CNI clusters, multiple kubenet clusters can't share a subnet. * AKS doesn't apply Network Security Groups (NSGs) to its subnet and doesn't modify any of the NSGs associated with that subnet. If you provide your own subnet and add NSGs associated with that subnet, you must ensure the security rules in the NSGs allow traffic between the node and pod CIDR. For more details, see [Network security groups][aks-network-nsg]. The following considerations help outline when each network model may be the mos * Most of the pod communication is within the cluster. * You don't need advanced AKS features, such as virtual nodes or Azure Network Policy. -***Use *Azure CNI* when**: +**Use *Azure CNI* when**: * You have available IP address space. * Most of the pod communication is to resources outside of the cluster. kubenet networking requires organized route table rules to successfully route re > [!NOTE] > When you create and use your own VNet and route table with the kubenet network plugin, you need to use a [user-assigned control plane identity][bring-your-own-control-plane-managed-identity]. For a system-assigned control plane identity, you can't retrieve the identity ID before creating a cluster, which causes a delay during role assignment. 
>-> Both system-assigned and user-assigned managed identities are supported when you create and use your own VNet and route table with the azure network plugin. We highly recommend using a user-assigned managed identity for BYO scenarios. +> Both system-assigned and user-assigned managed identities are supported when you create and use your own VNet and route table with the Azure network plugin. We highly recommend using a user-assigned managed identity for BYO scenarios. ### Add a route table with a user-assigned managed identity to your AKS cluster |
aks | Image Integrity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/image-integrity.md | + + Title: Use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters (Preview) +description: Learn how to use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters. ++++ Last updated : 09/26/2023+++# Use Image Integrity to validate signed images before deploying them to your Azure Kubernetes Service (AKS) clusters (Preview) ++Azure Kubernetes Service (AKS) and its underlying container model provide increased scalability and manageability for cloud native applications. With AKS, you can launch flexible software applications according to the runtime needs of your system. However, this flexibility can introduce new challenges. ++In these application environments, using signed container images helps verify that your deployments are built from a trusted entity and that images haven't been tampered with since their creation. Image Integrity is a service that allows you to add an Azure Policy built-in definition to verify that only signed images are deployed to your AKS clusters. ++> [!NOTE] +> Image Integrity is a feature based on [Ratify][ratify]. On an AKS cluster, the feature name and property name is `ImageIntegrity`, while the relevant Image Integrity pods' names contain `Ratify`. +++## Prerequisites ++* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free). +* [Azure CLI][azure-cli-install] or [Azure PowerShell][azure-powershell-install]. +* `aks-preview` CLI extension version 0.5.96 or later. +* Ensure that the Azure Policy add-on for AKS is enabled on your cluster. If you don't have this add-on installed, see [Install Azure Policy add-on for AKS](../governance/policy/concepts/policy-for-kubernetes.md#install-azure-policy-add-on-for-aks). 
+* An AKS cluster enabled with OIDC Issuer. To create a new cluster or update an existing cluster, see [Configure an AKS cluster with OIDC Issuer](./use-oidc-issuer.md). +* The `EnableImageIntegrityPreview` and `AKS-AzurePolicyExternalData` feature flags registered on your Azure subscription. Register the feature flags using the following commands: + + 1. Register the `EnableImageIntegrityPreview` and `AKS-AzurePolicyExternalData` feature flags using the [`az feature register`][az-feature-register] command. ++ ```azurecli-interactive + # Register the EnableImageIntegrityPreview feature flag + az feature register --namespace "Microsoft.ContainerService" --name "EnableImageIntegrityPreview" ++ # Register the AKS-AzurePolicyExternalData feature flag + az feature register --namespace "Microsoft.ContainerService" --name "AKS-AzurePolicyExternalData" + ``` ++ It may take a few minutes for the status to show as *Registered*. ++ 2. Verify the registration status using the [`az feature show`][az-feature-show] command. ++ ```azurecli-interactive + # Verify the EnableImageIntegrityPreview feature flag registration status + az feature show --namespace "Microsoft.ContainerService" --name "EnableImageIntegrityPreview" ++ # Verify the AKS-AzurePolicyExternalData feature flag registration status + az feature show --namespace "Microsoft.ContainerService" --name "AKS-AzurePolicyExternalData" + ``` ++ 3. Once the status shows *Registered*, refresh the registration of the `Microsoft.ContainerService` resource provider using the [`az provider register`][az-provider-register] command. ++ ```azurecli-interactive + az provider register --namespace Microsoft.ContainerService + ``` ++## Considerations and limitations ++* Your AKS clusters must run Kubernetes version 1.26 or above. +* You shouldn't use this feature for production Azure Container Registry (ACR) registries or workloads. +* Image Integrity supports a maximum of 200 unique signatures concurrently cluster-wide. 
+* Notation is the only supported verifier. +* Audit is the only supported verification policy effect. ++## How Image Integrity works +++Image Integrity uses Ratify, Azure Policy, and Gatekeeper to validate signed images before deploying them to your AKS clusters. Enabling Image Integrity on your cluster deploys a `Ratify` pod. This `Ratify` pod performs the following tasks: ++1. Reconciles certificates from Azure Key Vault per the configuration you set up through `Ratify` CRDs. +2. Accesses images stored in ACR when validation requests come from [Azure Policy](../governance/policy/concepts/policy-for-kubernetes.md). To enable this experience, Azure Policy extends Gatekeeper, an admission controller webhook for [Open Policy Agent (OPA)](https://www.openpolicyagent.org/). +3. Determines whet |
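Review bot: The introduction states that the built-in policy definition verifies "that only signed images are deployed", but the Considerations and limitations section says Audit is the only supported verification policy effect, so unsigned images are reported as non-compliant rather than denied at admission; suggest wording the introduction as auditing deployments for unsigned images so readers don't treat the preview as an enforcement control. The prerequisites also require `aks-preview` CLI extension version 0.5.96 or later but, unlike the feature-flag registration steps, give no command for it; a short step with `az extension add --name aks-preview` and `az extension update --name aks-preview` would make the list actionable.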