Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Add Api Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-api-connector.md | See an example of a [validation-error response](#example-of-a-validation-error-r ## Before sending the token (preview) > [!IMPORTANT]-> API connectors used in this step are in preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> API connectors used in this step are in preview. For more information about previews, see [Product Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). An API connector at this step is invoked when a token is about to be issued during sign-ins and sign-ups. An API connector for this step can be used to enrich the token with claim values from external sources. |
active-directory-b2c | Cookie Definitions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/cookie-definitions.md | The following table lists the cookies used in Azure AD B2C. | `x-ms-cpim-ctx` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Context | | `x-ms-cpim-rp` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing membership data for the resource provider tenant. | | `x-ms-cpim-rc` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing the relay cookie. |+| `x-ms-cpim-geo` | b2clogin.com, login.microsoftonline.com, branded domain | 1 Hour | Used as a hint to determine the resource tenants home geographic location. | ## Cross-Site request forgery token |
active-directory-b2c | Force Password Reset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/force-password-reset.md | |
active-directory-b2c | Manage Custom Policies Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/manage-custom-policies-powershell.md | |
active-directory-b2c | Openid Connect Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/openid-connect-technical-profile.md | The technical profile also returns claims that aren't returned by the identity p | MarkAsFailureOnStatusCode5xx | No | Indicates whether a request to an external service should be marked as a failure if the Http status code is in the 5xx range. The default is `false`. | | DiscoverMetadataByTokenIssuer | No | Indicates whether the OIDC metadata should be discovered by using the issuer in the JWT token.If you need to build the metadata endpoint URL based on Issuer, set this to `true`.| | IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |-|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt` (public preview). For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). | +|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt`. For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). | |token_signing_algorithm| No | Specifies the signing algorithm to use when `token_endpoint_auth_method` is set to `private_key_jwt`. 
Possible values: `RS256` (default) or `RS512`.| | SingleLogoutEnabled | No | Indicates whether during sign-in the technical profile attempts to sign out from federated identity providers. For more information, see [Azure AD B2C session sign-out](./session-behavior.md#sign-out). Possible values: `true` (default), or `false`. | |ReadBodyClaimsOnIdpRedirect| No| Set to `true` to read claims from response body on identity provider redirect. This metadata is used with [Apple ID](identity-provider-apple-id.md), where claims return in the response payload.| Examples: - [Add Microsoft Account (MSA) as an identity provider using custom policies](identity-provider-microsoft-account.md) - [Sign in by using Azure AD accounts](identity-provider-azure-ad-single-tenant.md) - [Allow users to sign in to a multi-tenant Azure AD identity provider using custom policies](identity-provider-azure-ad-multi-tenant.md)+ |
active-directory-b2c | Page Layout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/page-layout.md | Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Self-asserted page (selfasserted) +**2.1.26** ++- Replaced `Keypress` to `Key Down` event and avoid `Asterisk` for non-required in classic mode. ++**2.1.25** ++- Fixed content security policy (CSP) violation and remove additional request header X-Aspnetmvc-Version. ++- Introduced Captcha mechanism for Self-asserted and Unified SSP Flows (_Beta-version-Internal use only_). ++**2.1.24** ++- Fixed accessibility bugs. ++- Fixed MFA related issue and IE11 compatibility issues. ++**2.1.23** ++- Fixed accessibility bugs. ++- Reduced `min-width` value for UI viewport for default template. ++**2.1.22** ++- Fixed accessibility bugs. ++- Added logic to adopt QR Code Image generated from backend library. ++**2.1.21** ++- Additional sanitization of script tags to avoid XSS attacks. + **2.1.20**-- Fixed an XSS issue on input from textbox+- Fixed Enter event trigger on MFA. +- CSS changes rendering page text/control in vertical manner for small screens **2.1.19**-- Fixed accessibility bugs-- Handle Undefined Error message for existing user sign up-- Move Password Mismatch Error to Inline instead of Page Level+- Fixed accessibility bugs. +- Handled Undefined Error message for existing user sign up. +- Moved Password mismatch error to Inline instead of page level. - Accessibility changes related to High Contrast button display and anchor focus improvements **2.1.18** Azure AD B2C page layout uses the following versions of the [jQuery library](htt - Enforce Validation Error Update on control change and enable continue on email verified - Added additional field to error code to validation failure response + **2.1.16** - Fixed "Claims for verification control have not been verified" bug while verifying code. 
- Hide error message on validation succeeds and send code to verify Azure AD B2C page layout uses the following versions of the [jQuery library](htt **2.1.10** - Correcting to the tab index-- Fixing WCAG 2.1 accessibility and screen reader issues +- Fixed WCAG 2.1 accessibility and screen reader issues **2.1.9** Azure AD B2C page layout uses the following versions of the [jQuery library](htt > [!TIP] > If you localize your page to support multiple locales, or languages in a user flow. The [localization IDs](localization-string-ids.md) article provides the list of localization IDs that you can use for the page version you select. +**2.1.14** ++- Replaced `Keypress` to `Key Down` event. ++**2.1.13** ++- Fixed content security policy (CSP) violation and remove additional request header X-Aspnetmvc-Version ++- Introduced Captcha mechanism for Self-asserted and Unified SSP Flows (_Beta-version-Internal use only_) ++**2.1.12** ++- Removed `ReplaceAll` function for IE11 compatibility. ++**2.1.11** ++- Fixed accessibility bugs. ++**2.1.10** ++- Added additional sanitization of script tags to avoid XSS attacks. + **2.1.9**-- Fix accessibility bugs++- Fixed accessibility bugs. + - Accessibility changes related to High Contrast button display and anchor focus improvements- + **2.1.8** - Add descriptive error message and fixed forgotPassword link! Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## MFA page (multifactor) +**1.2.12** ++- Replaced `KeyPress` to `KeyDown` event. ++**1.2.11** ++- Removed `ReplaceAll` function for IE11 compatibility. ++**1.2.10** ++- Fixed accessibility bugs. ++**1.2.9** ++- Fixed `Enter` event trigger on MFA. ++- CSS changes render page text/control in vertical manner for small screens ++- Fixed Multifactor tab navigation bug. ++**1.2.8** ++- Passed the response status for MFA verification with error for backend to further triage. ++**1.2.7** ++- Fixed accessibility issue on label for retries code. 
++- Fixed issue caused by incompatibility of default parameter on IE 11. ++- Set up `H1` heading and enable by default. ++- Updated HandlebarJS version to 4.7.7. ++**1.2.6** ++- Corrected the `autocomplete` value on verification code field from false to off. ++- Fixed a few XSS encoding issues. + **1.2.5** - Fixed a language encoding issue that is causing the request to fail. Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Exception Page (globalexception) +**1.2.5** ++- Removed `ReplaceAl`l function for IE11 compatibility. ++**1.2.4** ++- Fixed accessibility bugs. ++**1.2.3** ++- Updated HandlebarJS version to 4.7.7. ++**1.2.2** ++- Set up `H1` heading and enable by default. + **1.2.1**+ - Updated jQuery version to 3.5.1. - Updated HandlebarJS version to 4.7.6. Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Other pages (ProviderSelection, ClaimsConsent, UnifiedSSD) +**1.2.4** ++- Remove `ReplaceAll` function for IE11 compatibility. ++**1.2.3** ++- Fixed accessibility bugs. ++**1.2.2** ++- Updated HandlebarJS version to 4.7.7 + **1.2.1**+ - Updated jQuery version to 3.5.1. - Updated HandlebarJS version to 4.7.6. Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Next steps For details on how to customize the user interface of your applications in custom policies, see [Customize the user interface of your application using a custom policy](customize-ui-with-html.md).++ |
active-directory-b2c | Secure Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/secure-rest-api.md | The following XML snippet is an example of a RESTful technical profile configure ## OAuth2 bearer authentication - Bearer token authentication is defined in [OAuth2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). In bearer token authentication, Azure AD B2C sends an HTTP request with a token in the authorization header. ```http A bearer token is an opaque string. It can be a JWT access token or any string t - **Bearer token**. To be able to send the bearer token in the Restful technical profile, your policy needs to first acquire the bearer token and then use it in the RESTful technical profile. - **Static bearer token**. Use this approach when your REST API issues a long-term access token. To use a static bearer token, create a policy key and make a reference from the RESTful technical profile to your policy key. - ## Using OAuth2 Bearer The following steps demonstrate how to use client credentials to obtain a bearer token and pass it into the Authorization header of the REST API calls. Add the validation technical profile reference to the sign up technical profile, ++ For example:- ```XML - <ValidationTechnicalProfiles> - .... - <ValidationTechnicalProfile ReferenceId="REST-AcquireAccessToken" /> - .... - </ValidationTechnicalProfiles> - ``` - +```ruby +```XML +<ValidationTechnicalProfiles> + .... + <ValidationTechnicalProfile ReferenceId="REST-AcquireAccessToken" /> + .... +</ValidationTechnicalProfiles> +``` +``` ::: zone-end To configure a REST API technical profile with API key authentication, create th 1. For **Key usage**, select **Encryption**. 1. Select **Create**. - ### Configure your REST API technical profile to use API key authentication After creating the necessary key, configure your REST API technical profile metadata to reference the credentials. 
The following XML snippet is an example of a RESTful technical profile configure ::: zone pivot="b2c-custom-policy" - Learn more about the [Restful technical profile](restful-technical-profile.md) element in the custom policy reference. ::: zone-end+ |
active-directory-b2c | Tenant Management Directory Quota | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-directory-quota.md | The response from the API call looks similar to the following json: { "directorySizeQuota": { "used": 211802,- "total": 300000 + "total": 50000000 } } ] If your tenant usage is higher that 80%, you can remove inactive users or reques ## Request increase directory quota size -You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) +You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) |
active-directory-b2c | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md | Title: "What's new in Azure Active Directory business-to-customer (B2C)" description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)." Previously updated : 08/01/2023 Last updated : 09/01/2023 +## August 2023 ++### Updated articles ++- [Page layout versions](page-layout.md) - Editorial updates +- [Secure your API used an API connector in Azure AD B2C](secure-rest-api.md) - Oauth Bearer Authentication updated to GA + ## June 2023 ### New articles Welcome to what's new in Azure Active Directory B2C documentation. This article - [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md) - [Use the Azure portal to create and delete consumer users in Azure AD B2C](manage-users-portal.md) -## April 2023 --### Updated articles --- [Configure Transmit Security with Azure Active Directory B2C for passwordless authentication](partner-bindid.md) - Update partner-bindid.md-- [Tutorial: Enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP](partner-f5.md) - Update partner-f5.md- |
active-directory-domain-services | Alert Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-service-principal.md | ms.assetid: f168870c-b43a-4dd6-a13f-5cfadc5edf2c + Last updated 01/29/2023 - # Known issues: Service principal alerts in Azure Active Directory Domain Services |
active-directory-domain-services | Create Forest Trust Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-forest-trust-powershell.md | For more conceptual information about forest types in Azure AD DS, see [How do f [Install-Script]: /powershell/module/powershellget/install-script <!-- EXTERNAL LINKS -->-[powershell-gallery]: https://www.powershellgallery.com/ +[powershell-gallery]: https://www.powershellgallery.com/ |
active-directory-domain-services | Policy Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/policy-reference.md | Title: Built-in policy definitions for Azure Active Directory Domain Services description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 08/08/2023 Last updated : 08/30/2023 |
active-directory-domain-services | Powershell Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-create-instance.md | |
active-directory-domain-services | Powershell Scoped Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-scoped-synchronization.md | |
active-directory-domain-services | Secure Your Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/secure-your-domain.md | |
active-directory-domain-services | Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/synchronization.md | ms.assetid: 57cbf436-fc1d-4bab-b991-7d25b6e987ef + Last updated 04/03/2023 - # How objects and credentials are synchronized in an Azure Active Directory Domain Services managed domain |
active-directory-domain-services | Template Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/template-create-instance.md | |
active-directory-domain-services | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot.md | ms.assetid: 4bc8c604-f57c-4f28-9dac-8b9164a0cf0b + Last updated 01/29/2023 - # Common errors and troubleshooting steps for Azure Active Directory Domain Services |
active-directory-domain-services | Tutorial Create Instance Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/tutorial-create-instance-advanced.md | To see this managed domain in action, create and join a virtual machine to the d [availability-zones]: ../reliability/availability-zones-overview.md [concepts-sku]: administration-concepts.md#azure-ad-ds-skus -<!-- EXTERNAL LINKS --> +<!-- EXTERNAL LINKS --> |
active-directory-domain-services | Tutorial Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/tutorial-create-instance.md | Before you domain-join VMs and deploy applications that use the managed domain, [concepts-sku]: administration-concepts.md#azure-ad-ds-skus <!-- EXTERNAL LINKS -->-[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix +[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix |
active-directory | Customize Application Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md | Applications and systems that support customization of the attribute list includ > Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). > [!NOTE]-> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. +> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. 
For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. Provisioning multi-valued directory extension attributes is not supported. When you're editing the list of supported attributes, the following properties are provided: |
active-directory | Inbound Provisioning Api Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-concepts.md | -> API-driven inbound provisioning is currently in public preview and is governed by [Preview Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> API-driven inbound provisioning is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Introduction |
active-directory | Inbound Provisioning Api Configure App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md | -> API-driven inbound provisioning is currently in public preview and is governed by [Preview Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> API-driven inbound provisioning is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). This feature is available only when you configure the following Enterprise Gallery apps: * API-driven inbound user provisioning to Azure AD If you're configuring inbound user provisioning to on-premises Active Directory, ## Create your API-driven provisioning app -1. Log in to the [Microsoft Entra portal](<https://entra.microsoft.com>). +1. Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>). 2. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 3. Click on **New application** to create a new provisioning application. [![Screenshot of Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox) |
active-directory | Inbound Provisioning Api Curl Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-curl-tutorial.md | -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-custom-attributes.md | You have configured API-driven provisioning app. You're provisioning app is succ In this step, we'll add the two attributes "HireDate" and "JobCode" that are not part of the standard SCIM schema to the provisioning app and use them in the provisioning data flow. -1. Log in to Microsoft Entra portal with application administrator role. +1. Log in to Microsoft Entra admin center with application administrator role. 1. Go to **Enterprise applications** and open your API-driven provisioning app. 1. Open the **Provisioning** blade. 1. Click on the **Edit Provisioning** button. In this step, we'll add the two attributes "HireDate" and "JobCode" that are not 1. **Save** your changes > [!NOTE]-> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra Portal to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process. +> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra admin center to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process. ## Step 2 - Map the custom attributes |
active-directory | Inbound Provisioning Api Grant Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-grant-access.md | Depending on how your API client authenticates with Azure AD, you can select bet ## Configure a service principal This configuration registers an app in Azure AD that represents the external API client and grants it permission to invoke the inbound provisioning API. The service principal client id and client secret can be used in the OAuth client credentials grant flow. -1. Log in to Microsoft Entra portal (https://entra.microsoft.com) with global administrator or application administrator login credentials. +1. Log in to Microsoft Entra admin center (https://entra.microsoft.com) with global administrator or application administrator login credentials. 1. Browse to **Azure Active Directory** -> **Applications** -> **App registrations**. 1. Click on the option **New registration**. 1. Provide an app name, select the default options, and click on **Register**. This section describes how you can assign the necessary permissions to a managed ## Next steps - [Quick start using cURL](inbound-provisioning-api-curl-tutorial.md) - [Quick start using Postman](inbound-provisioning-api-postman.md)-- [Quick start using Postman](inbound-provisioning-api-graph-explorer.md)+- [Quick start using Graph Explorer](inbound-provisioning-api-graph-explorer.md) - [Frequently asked questions about API-driven inbound provisioning](inbound-provisioning-api-faqs.md) |
active-directory | Inbound Provisioning Api Graph Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-graph-explorer.md | This tutorial describes how you can quickly test [API-driven inbound provisionin ## Verify processing of bulk request payload -You can verify the processing either from the Microsoft Entra portal or using Graph Explorer. +You can verify the processing either from the Microsoft Entra admin center or using Graph Explorer. -### Verify processing from Microsoft Entra portal -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +### Verify processing from Microsoft Entra admin center +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-postman.md | In this step, you'll configure the Postman app and invoke the API using the conf If the API invocation is successful, you see the message `202 Accepted.` Under Headers, the **Location** attribute points to the provisioning logs API endpoint. ## Verify processing of bulk request payload-You can verify the processing either from the Microsoft Entra portal or using Postman. +You can verify the processing either from the Microsoft Entra admin center or using Postman. -### Verify processing from Microsoft Entra portal -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +### Verify processing from Microsoft Entra admin center +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-powershell.md | To illustrate the procedure, let's use the CSV file `Samples/csv-with-2-records. This section explains how to send the generated bulk request payload to your inbound provisioning API endpoint. -1. Log in to your Entra portal as *Application Administrator* or *Global Administrator*. +1. Log in to your Microsoft Entra admin center as *Application Administrator* or *Global Administrator*. 1. Copy the `ServicePrincipalId` associated with your provisioning app from **Provisioning App** > **Properties** > **Object ID**. :::image type="content" border="true" source="./media/inbound-provisioning-api-powershell/object-id.png" alt-text="Screenshot of the Object ID." lightbox="./media/inbound-provisioning-api-powershell/object-id.png"::: This section explains how to send the generated bulk request payload to your inb $ThumbPrint = $ClientCertificate.ThumbPrint ``` The generated certificate is stored **Current User\Personal\Certificates**. You can view it using the **Control Panel** -> **Manage user certificates** option. -1. To associate this certificate with a valid service principal, log in to your Entra portal as *Application Administrator*. +1. To associate this certificate with a valid service principal, log in to your Microsoft Entra admin center as *Application Administrator*. 1. Open [the service principal you configured](inbound-provisioning-api-grant-access.md#configure-a-service-principal) under **App Registrations**. 1. Copy the **Object ID** from the **Overview** blade. Use the value to replace the string `<AppObjectId>`. Copy the **Application (client) Id**. We will use it later and it is referenced as `<AppClientId>`. 1. Run the following command to upload your certificate to the registered service principal. 
PS > CSV2SCIM.ps1 -Path <path-to-csv-file> > [!NOTE] > The `AttributeMapping` and `ValidateAttributeMapping` command-line parameters refer to the mapping of CSV column attributes to the standard SCIM schema elements. -It doesn't refer to the attribute mappings that you perform in the Entra portal provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes. +It doesn't refer to the attribute mappings that you perform in the Microsoft Entra admin center provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes. | Parameter | Description | Processing remarks | |-|-|--| |
active-directory | On Premises Sap Connector Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-sap-connector-configure.md | Title: Azure AD Provisioning to SAP ERP Central Component (SAP ECC) 7.0 -description: This document describes how to configure Azure AD to provision users into SAP ECC 7. + Title: Azure AD Provisioning into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later. +description: This document describes how to configure Azure AD to provision users into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later. -# Configuring Azure AD to provision users into SAP ECC 7.0 -The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC) 7.0. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning. +# Configuring Azure AD to provision users into SAP ECC with NetWeaver AS ABAP 7.0 or later +The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning. [!INCLUDE [app-provisioning-sap.md](../../../includes/app-provisioning-sap.md)] |
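Review bot: the added paragraph still says "If you are using other versions such as SAP R/3, you can still use the guides provided in the download center", immediately after the new title and first sentence define SAP R/3 as the former name of SAP ECC; as written the two statements contradict each other, so either name a genuinely different product or version in that sentence or drop the R/3 example. The new heading also reads "NetWeaver AS ABAP 7.0 or later" while the paragraph reads "NetWeaver 7.0 or later"; pick one form and use it in both places.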
active-directory | User Provisioning Sync Attributes For Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md | Next, if one or more of the users that will need access to the application do no The following sections outline how to create extension attributes for a tenant with cloud only users, and for a tenant with Active Directory users. ## Create an extension attribute in a tenant with cloud only users-You can use Microsoft Graph and PowerShell to extend the user schema for users in Azure AD. This is necessary if you do not have any users who need that attribute and originate in on-premises Active Directory. (If you do have Active Directory, then continue reading below in the section on how to [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect).) +You can use Microsoft Graph and PowerShell to extend the user schema for users in Azure AD. This is necessary if you have any users who need that attribute and do not originate in on-premises Active Directory. (If you do have Active Directory, then continue reading below in the section on how to [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect).) Once schema extensions are created, these extension attributes are automatically discovered when you next visit the provisioning page in the Azure portal, in most cases. Content-type: application/json "extension_inputAppId_extensionName": "extensionValue" } ```-Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get). +Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get). 
Note that the Graph v1.0 does not by default return any of a user's directory extension attributes, unless the attributes are specified in the request as one of the properties to return. ```json GET https://graph.microsoft.com/v1.0/users/{id}?$select=displayName,extension_inputAppId_extensionName |
active-directory | User Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning.md | In Azure Active Directory (Azure AD), the term *app provisioning* refers to auto Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and many more. -Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. Your application must support [SCIM](https://aka.ms/scimoverview). Or, you must build a SCIM gateway to connect to your legacy application. If so, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support these applications as well. --App provisioning lets you: +Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. The table below provides a mapping of protocols to connectors supported. 
++|Protocol |Connector| +|--|--| +| SCIM | [SCIM - SaaS](use-scim-to-provision-users-and-groups.md) <br />[SCIM - On-prem / Private network](./on-premises-scim-provisioning.md) | +| LDAP | [LDAP](./on-premises-ldap-connector-configure.md)| +| SQL | [SQL](./tutorial-ecma-sql-connector.md) | +| REST | [Web Services](./on-premises-web-services-connector.md)| +| SOAP | [Web Services](./on-premises-web-services-connector.md)| +| Flat-file| [PowerShell](./on-premises-powershell-connector.md) | +| Custom | [Custom ECMA connectors](./on-premises-custom-connector.md) <br /> [Connectors and gateways built by partners](./partner-driven-integrations.md)| - **Automate provisioning**: Automatically create new accounts in the right systems for new people when they join your team or organization. - **Automate deprovisioning**: Automatically deactivate accounts in the right systems when people leave the team or organization. |
active-directory | Application Proxy Configure Cookie Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-cookie-settings.md | |
active-directory | Application Proxy Configure Custom Home Page | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md | |
active-directory | Application Proxy Ping Access Publishing Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md | Azure Active Directory (Azure AD) Application Proxy has partnered with PingAcces With PingAccess for Azure AD, you can give users access and single sign-on (SSO) to applications that use headers for authentication. Application Proxy treats these applications like any other, using Azure AD to authenticate access and then passing traffic through the connector service. PingAccess sits in front of the applications and translates the access token from Azure AD into a header. The application then receives the authentication in the format it can read. -Your users wonΓÇÖt notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so theyΓÇÖll still balance loads automatically. +Your users won't notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so they'll still balance loads automatically. ## How do I get access? For more information, see [Azure Active Directory editions](../fundamentals/what ## Publish your application in Azure -This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If youΓÇÖve already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section. 
+This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If you've already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section. > [!NOTE] > Since this scenario is a partnership between Azure AD and PingAccess, some of the instructions exist on the Ping Identity site. To publish your own on-premises application: > [!NOTE] > For a more detailed walkthrough of this step, see [Add an on-premises app to Azure AD](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). - 1. **Internal URL**: Normally you provide the URL that takes you to the appΓÇÖs sign-in page when youΓÇÖre on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess. + 1. **Internal URL**: Normally you provide the URL that takes you to the app's sign-in page when you're on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess. > [!WARNING] > For this type of single sign-on, the internal URL must use `https` and can't use `http`. Also, there is a constraint when configuring an application that no two apps should have the same internal URL as this allows App Proxy to maintain distinction between applications. To publish your own on-premises application: 1. **Translate URL in Headers**: Choose **No**. 
> [!NOTE]- > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener youΓÇÖve configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners). + > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener you've configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners). 1. Select **Add**. The overview page for the new application appears. In addition to the external URL, an authorize endpoint of Azure Active Directory Finally, set up your on-premises application so that users have read access and other applications have read/write access: -1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the APIs for Windows Azure Active Directory. +1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the permissions for Microsoft Graph. ![Shows the Request API permissions page](./media/application-proxy-configure-single-sign-on-with-ping-access/required-permissions.png) |
active-directory | Powershell Assign Group To App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-group-to-app.md | |
active-directory | Powershell Assign User To App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-user-to-app.md | |
active-directory | Powershell Display Users Group Of App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-display-users-group-of-app.md | |
active-directory | Powershell Get All App Proxy Apps Basic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-basic.md | |
active-directory | Powershell Get All App Proxy Apps By Connector Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-by-connector-group.md | |
active-directory | Powershell Get All App Proxy Apps Extended | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended.md | |
active-directory | Powershell Get All App Proxy Apps With Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-with-policy.md | |
active-directory | Powershell Get All Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-connectors.md | |
active-directory | Powershell Get All Custom Domain No Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domain-no-cert.md | |
active-directory | Powershell Get All Custom Domains And Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domains-and-certs.md | |
active-directory | Powershell Get All Default Domain Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-default-domain-apps.md | |
active-directory | Powershell Get All Wildcard Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-wildcard-apps.md | |
active-directory | Powershell Get Custom Domain Identical Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-identical-cert.md | |
active-directory | Powershell Get Custom Domain Replace Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-replace-cert.md | |
active-directory | Powershell Move All Apps To Connector Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-move-all-apps-to-connector-group.md | |
active-directory | Architecture Icons | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/architecture-icons.md | + + Title: Microsoft Entra architecture icons +description: Learn about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. +++++ Last updated : 08/15/2023++++# Customer intent: As a new or existing customer, I want to learn how I can use the official Microsoft Entra icons in architectural diagrams, training materials, or documentation. +++# Microsoft Entra architecture icons ++Helping our customers design and architect new solutions is core to the Microsoft Entra mission. Architecture diagrams can help communicate design decisions and the relationships between components of a given workload. This article provides information about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. ++## General guidelines ++### Do's ++- Use the icon to illustrate how products can work together. +- In diagrams, we recommend including the product name somewhere close to the icon. ++### Don'ts ++- Don't crop, flip, or rotate icons. +- Don't distort or change the icon shape in any way. +- Don't use Microsoft product icons to represent your product or service. +- Don't use Microsoft product icons in marketing communications. ++## Icon updates ++| Month | Change description | +|-|--| +| August 2023 | Added a downloadable package that contains the Microsoft Entra architecture icons, branding playbook (which contains guidelines about the Microsoft Security visual identity), and terms of use. | ++## Icon terms ++Microsoft permits the use of these icons in architectural diagrams, training materials, or documentation. You may copy, distribute, and display the icons only for the permitted use unless granted explicit permission by Microsoft. Microsoft reserves all other rights. 
++ > [!div class="button"] + > [I agree to the above terms. Download icons.](https://download.microsoft.com/download/a/4/2/a4289cad-4eaf-4580-87fd-ce999a601516/Microsoft-Entra-architecture-icons.zip?wt.mc_id=microsoftentraicons_downloadmicrosoftentraicons_content_cnl_csasci) ++## More icon sets from Microsoft ++- [Azure architecture icons](/azure/architecture/icons) +- [Microsoft 365 architecture icons and templates](/microsoft-365/solutions/architecture-icons-templates) +- [Dynamics 365 icons](/dynamics365/get-started/icons) +- [Microsoft Power Platform icons](/power-platform/guidance/icons) |
active-directory | Govern Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/govern-service-accounts.md | |
active-directory | Multi Tenant Common Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-common-considerations.md | Additionally, while you can use the following Conditional Access conditions, be - **Sign-in risk and user risk.** User behavior in their home tenant determines, in part, the sign-in risk and user risk. The home tenant stores the data and risk score. If resource tenant policies block an external user, a resource tenant admin might not be able to enable access. [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md) explains how Identity Protection detects compromised credentials for Azure AD users. - **Locations.** The named location definitions in the resource tenant determine the scope of the policy. The scope of the policy doesn't evaluate trusted locations managed in the home tenant. If your organization wants to share trusted locations across tenants, define the locations in each tenant where you define the resources and Conditional Access policies. -## Other access control considerations +## Securing your multi-tenant environment +Review the [security checklist](/azure/security/fundamentals/steps-secure-identity) and [best practices](/azure/security/fundamentals/operational-best-practices) for guidance on securing your tenant. Ensure these best practices are followed and review them with any tenants that you collaborate closely with. +### Conditional access The following are considerations for configuring access control. - Define [access control policies](../external-identities/authentication-conditional-access.md) to control access to resources. - Design Conditional Access policies with external users in mind. 
- Create policies specifically for external users.-- If your organization is using the [**all users** dynamic group](../external-identities/use-dynamic-groups.md) condition in your existing Conditional Access policy, this policy affects external users because they are in scope of **all users**. - Create dedicated Conditional Access policies for external accounts. -### Require user assignment +### Monitoring your multi-tenant environment +- Monitor for changes to cross-tenant access policies using the [audit logs UI](../reports-monitoring/concept-audit-logs.md), [API](/graph/api/resources/azure-ad-auditlog-overview), or [Azure Monitor integration](../reports-monitoring/tutorial-configure-log-analytics-workspace.md) (for proactive alerts). The audit events use the categories "CrossTenantAccessSettings" and "CrossTenantIdentitySyncSettings." By monitoring for audit events under these categories, you can identify any cross-tenant access policy changes in your tenant and take action. When creating alerts in Azure Monitor, you can create a query such as the one below to identify any cross-tenant access policy changes. ++``` +AuditLogs +| where Category contains "CrossTenant" +``` ++- Monitor application access in your tenant using the [cross-tenant access activity](../reports-monitoring/workbook-cross-tenant-access-activity.md) dashboard. This allows you to see who is accessing resources in your tenant and where those users are coming from. +++### Dynamic groups ++If your organization is using the [**all users** dynamic group](../external-identities/use-dynamic-groups.md) condition in your existing Conditional Access policy, this policy affects external users because they are in scope of **all users**. ++### Require user assignment for applications If an application has the **User assignment required?** property set to **No**, external users can access the application. 
Application admins must understand access control impacts, especially if the application contains sensitive information. [Restrict your Azure AD app to a set of users in an Azure AD tenant](../develop/howto-restrict-your-app-to-a-set-of-users.md) explains how registered applications in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who successfully authenticate. +### Privileged Identity Management +Minimize persistent administrator access by enabling [privileged identity management](/azure/security/fundamentals/steps-secure-identity#implement-privilege-access-management). ++### Restricted Management Units +When you're using security groups to control who is in scope for cross-tenant synchronization, you will want to limit who can make changes to the security group. Minimize the number of owners of the security groups assigned to the cross-tenant synchronization job and include the groups in a [restricted management unit](../roles/admin-units-restricted-management.md). This will limit the number of people that can add or remove group members and provision accounts across tenants. ++## Other access control considerations + ### Terms and conditions [Azure AD terms of use](../conditional-access/terms-of-use.md) provides a simple method that organizations can use to present information to end users. You can use terms of use to require external users to approve terms of use before accessing your resources. |
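Review bot: the Azure Monitor query added under "Monitoring your multi-tenant environment" sits in a bare code fence with no language tag; tag it `kusto`, as the rest of the azure-docs repo does for Log Analytics queries, so it is highlighted and copy-aware. The surrounding text names the two exact categories ("CrossTenantAccessSettings" and "CrossTenantIdentitySyncSettings"), so consider stating in the lead-in that `contains "CrossTenant"` is a deliberate prefix match that catches both, or use `Category in (...)` with the two literal values to avoid matching any future unrelated category. Heading case is also mixed in this hunk: "Conditional access", "Dynamic groups" and "Require user assignment for applications" are sentence case while "Restricted Management Units" is title case; lower-case it to match (Privileged Identity Management is a product name and can stay).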
active-directory | Multi Tenant User Management Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-user-management-scenarios.md | |
active-directory | Recoverability Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/recoverability-overview.md | Create a process of predefined communications to make others aware of the issue Document the state of your tenant and its objects regularly. Then if a hard delete or misconfiguration occurs, you have a roadmap to recovery. The following tools can help you document your current state: - [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Azure AD configurations.-- [Azure AD Exporter](https://github.com/microsoft/azureadexporter) is a tool you can use to export your configuration settings.+- [Entra Exporter](https://github.com/microsoft/entraexporter) is a tool you can use to export your configuration settings. - [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) is a module of the PowerShell Desired State Configuration framework. You can use it to export configurations for reference and application of the prior state of many settings. - [Conditional Access APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) can be used to manage your Conditional Access policies as code. Microsoft Graph APIs are highly customizable based on your organizational needs. *Securely store these configuration exports with access provided to a limited number of admins. -The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you need: +The [Entra Exporter](https://github.com/microsoft/entraexporter) can provide most of the documentation you need: - Verify that you've implemented the desired configuration. - Use the exporter to capture current configurations. The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provid - Store the output in a secure location with limited access. 
> [!NOTE]-> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Azure AD Exporter, or with the Microsoft Graph API. +> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Entra Exporter, or with the Microsoft Graph API. The [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module uses Microsoft Graph and PowerShell to retrieve the state of many of the configurations in Azure AD. This information can be used as reference information or, by using PowerShell Desired State Configuration scripting, to reapply a known good state. Use [Conditional Access Graph APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies. |
active-directory | Resilient External Processes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilient-external-processes.md | Identity experience framework (IEF) policies allow you to call an external syste - If the data that is necessary for authentication is relatively static and small, and has no other business reason to be externalized from the directory, then consider having it in the directory. -- Remove API calls from the pre-authenticated path whenever possible. If you can't, then you must place strict protections for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in front of your APIs. Attackers can load the sign-in page and try to flood your API with DoS attacks and cripple your application. For example, using CAPTCHA in your sign in, sign up flow can help.+- Remove API calls from the pre-authenticated path whenever possible. If you can't, then you must place strict protections for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in front of your APIs. Attackers can load the sign-in page and try to flood your API with DoS attacks and disable your application. For example, using CAPTCHA in your sign in, sign up flow can help. - Use [API connectors of built-in sign-up user flow](../../active-directory-b2c/api-connectors-overview.md) wherever possible to integrate with web APIs either After federating with an identity provider during sign-up or before creating the user. Since the user flows are already extensively tested, it's likely that you don't have to perform user flow-level functional, performance, or scale testing. You still need to test your applications for functionality, performance, and scale. |
active-directory | Service Accounts Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/service-accounts-managed-identities.md | |
active-directory | Service Accounts Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/service-accounts-principal.md | |
active-directory | Certificate Based Authentication Federation Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-android.md | description: Learn about the supported scenarios and the requirements for config + Last updated 09/30/2022 |
active-directory | Certificate Based Authentication Federation Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-get-started.md | description: Learn how to configure certificate-based authentication with federa + Last updated 05/04/2022 |
active-directory | Certificate Based Authentication Federation Ios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-ios.md | description: Learn about the supported scenarios and the requirements for config + Last updated 09/30/2022 |
active-directory | Concept Authentication Authenticator App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-authenticator-app.md | To get started with passwordless sign-in, see [Enable passwordless sign-in with The Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it's legitimate, select **Verify**. Otherwise, they can select **Deny**. -![Screenshot of example web browser prompt for Authenticator app notification to complete sign-in process.](media/tutorial-enable-azure-mfa/tutorial-enable-azure-mfa-browser-prompt.png) +> [!NOTE] +> Starting in August, 2023, sign-ins from unfamiliar locations no longer generate notifications. Similar to how unfamiliar locations work in [Smart lockout](howto-password-smart-lockout.md), a location becomes "familiar" during the first 14 days of use, or the first 10 sign-ins. If the location is unfamiliar, or if the relevant Google or Apple service responsible for push notifications isn't available, users won't see their notification as usual. In that case, they should open Microsoft Authenticator, or Authenticator Lite in a relevant companion app like Outlook, refresh by either pulling down or hitting **Refresh**, and approve the request. -In some rare instances where the relevant Google or Apple service responsible for push notifications is down, users may not receive their push notifications. In these cases users should manually navigate to the Microsoft Authenticator app (or relevant companion app like Outlook), refresh by either pulling down or hitting the refresh button, and approve the request. 
+![Screenshot of example web browser prompt for Authenticator app notification to complete sign-in process.](media/tutorial-enable-azure-mfa/tutorial-enable-azure-mfa-browser-prompt.png) -> [!NOTE] -> If your organization has staff working in or traveling to China, the *Notification through mobile app* method on Android devices doesn't work in that country/region as Google play services(including push notifications) are blocked in the region. However iOS notification do work. For Android devices ,alternate authentication methods should be made available for those users. +In China, the *Notification through mobile app* method on Android devices doesn't work because as Google play services (including push notifications) are blocked in the region. However, iOS notifications do work. For Android devices, alternate authentication methods should be made available for those users. ## Verification code from mobile app |
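Review bot: the added sentence "doesn't work because as Google play services (including push notifications) are blocked in the region" is ungrammatical; "because as" should be either "because" or "as", not both. Suggest "In China, the *Notification through mobile app* method on Android devices doesn't work because Google Play services (including push notifications) are blocked in the region."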
active-directory | Concept Authentication Default Enablement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-default-enablement.md | The following table lists each setting that can be set to Microsoft managed and | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled | | [System-preferred MFA](concept-system-preferred-multifactor-authentication.md) | Enabled | | [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled | +| [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled | As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication. |
active-directory | Concept Authentication Oath Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-oath-tokens.md | OATH TOTP hardware tokens typically come with a secret key, or seed, pre-program Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow. -OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). :::image type="content" border="true" source="./media/concept-authentication-methods/oath-tokens.png" alt-text="Screenshot of OATH token management." lightbox="./media/concept-authentication-methods/oath-tokens.png"::: |
active-directory | Concept Authentication Passwordless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-passwordless.md | The following providers offer FIDO2 security keys of different form factors that | [Feitian](https://shop.ftsafe.us/pages/microsoft) | ![y] | ![y]| ![y]| ![y]| ![y] | | [Fortinet](https://www.fortinet.com/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Giesecke + Devrient (G+D)](https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication) | ![y] | ![y]| ![y]| ![y]| ![n] |+| [Google](https://store.google.com/us/product/titan_security_key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [GoTrustID Inc.](https://www.gotrustid.com/idem-key) | ![n] | ![y]| ![y]| ![y]| ![n] | | [HID](https://www.hidglobal.com/products/crescendo-key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [HIDEEZ](https://hideez.com/products/hideez-key-4) | ![n] | ![y]| ![y]| ![y]| ![n] | The following providers offer FIDO2 security keys of different form factors that | [Nymi](https://www.nymi.com/nymi-band) | ![y] | ![n]| ![y]| ![n]| ![n] | | [Octatco](https://octatco.com/) | ![y] | ![y]| ![n]| ![n]| ![n] | | [OneSpan Inc.](https://www.onespan.com/products/fido) | ![n] | ![y]| ![n]| ![y]| ![n] |+| [PONE Biometrics](https://ponebiometrics.com/) | ![y] | ![n]| ![n]| ![y]| ![n] | | [Precision Biometric](https://www.innait.com/product/fido/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [RSA](https://www.rsa.com/products/securid/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Sentry](https://sentryenterprises.com/) | ![n] | ![n]| ![y]| ![n]| ![n] | |
active-directory | Concept Authentication Strengths | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-strengths.md | An authentication strength Conditional Access policy works together with [MFA tr ## Limitations -- **Conditional Access policies are only evaluated after the initial authentication** - As a result, authentication strength doesn't restrict a user's initial authentication. Suppose you are using the built-in phishing-resistant MFA strength. A user can still type in their password, but they will be required to use a phishing-resistant method such as FIDO2 security key before they can continue.+- **Conditional Access policies are only evaluated after the initial authentication** - As a result, authentication strength doesn't restrict a user's initial authentication. Suppose you are using the built-in phishing-resistant MFA strength. A user can still type in their password, but they will be required to use a phishing-resistant method such as FIDO2 security key before they can continue. - **Require multifactor authentication and Require authentication strength can't be used together in the same Conditional Access policy** - These two Conditional Access grant controls can't be used together because the built-in authentication strength **Multifactor authentication** is equivalent to the **Require multifactor authentication** grant control. An authentication strength Conditional Access policy works together with [MFA tr - **Windows Hello for Business** ΓÇô If the user signed in with Windows Hello for Business as their primary authentication method, it can be used to satisfy an authentication strength requirement that includes Windows Hello for Business. But if the user signed in with another method like password as their primary authenticating method, and the authentication strength requires Windows Hello for Business, they get prompted to sign in with Windows Hello for Business. 
++## Known isssues ++The following known issues are currently being addressed: ++- **Sign-in frequency** - If both sign-in frequency and authentication strength requirements apply to a sign-in, and the user has previously signed in using a method that meets the authentication strength requirements, the sign-in frequency requirement doesn't apply. [Sign-in frequency](concepts-azure-multi-factor-authentication-prompts-session-lifetime.md) allows you to set the time interval for re-authentication of users based on their credentials, but it isn't fully integrated with authentication strength yet. It works independently and doesn't currently impact the actual sign-in procedure. Therefore, you may notice that some sign-ins using expired credentials don't prompt re-authentication and the sign-in process proceeds successfully. ++- **FIDO2 security key Advanced options** - Advanced options aren't supported for external users with a home tenant that is located in a different Microsoft cloud than the resource tenant. + ## FAQ ### Should I use authentication strength or the Authentication methods policy? Authentication strength is based on the Authentication methods policy. The Authe For example, the administrator of Contoso wants to allow their users to use Microsoft Authenticator with either push notifications or passwordless authentication mode. The administrator goes to the Microsoft Authenticator settings in the Authentication method policy, scopes the policy for the relevant users and set the **Authentication mode** to **Any**. -Then for ContosoΓÇÖs most sensitive resource, the administrator wants to restrict the access to only passwordless authentication methods. The administrator creates a new Conditional Access policy, using the built-in **Passwordless MFA strength**. +Then for Contoso's most sensitive resource, the administrator wants to restrict the access to only passwordless authentication methods. 
The administrator creates a new Conditional Access policy, using the built-in **Passwordless MFA strength**. As a result, users in Contoso can access most of the resources in the tenant using password + push notification from the Microsoft Authenticator OR only using Microsoft Authenticator (phone sign-in). However, when the users in the tenant access the sensitive application, they must use Microsoft Authenticator (phone sign-in). |
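Review bot: the added heading "## Known isssues" has a typo ("isssues" should be "issues"); since headings generate anchors that other pages may link to, fix it before merge so the anchor is "#known-issues".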
active-directory | Concept Certificate Based Authentication Certificateuserids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md | |
active-directory | Concept Fido2 Hardware Vendor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-fido2-hardware-vendor.md | The following table lists partners who are Microsoft-compatible FIDO2 security k | [Feitian](https://shop.ftsafe.us/pages/microsoft) | ![y] | ![y]| ![y]| ![y]| ![y] | | [Fortinet](https://www.fortinet.com/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Giesecke + Devrient (G+D)](https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication) | ![y] | ![y]| ![y]| ![y]| ![n] |+| [Google](https://store.google.com/us/product/titan_security_key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [GoTrustID Inc.](https://www.gotrustid.com/idem-key) | ![n] | ![y]| ![y]| ![y]| ![n] | | [HID](https://www.hidglobal.com/products/crescendo-key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [HIDEEZ](https://hideez.com/products/hideez-key-4) | ![n] | ![y]| ![y]| ![y]| ![n] | The following table lists partners who are Microsoft-compatible FIDO2 security k | [Nymi](https://www.nymi.com/nymi-band) | ![y] | ![n]| ![y]| ![n]| ![n] | | [Octatco](https://octatco.com/) | ![y] | ![y]| ![n]| ![n]| ![n] | | [OneSpan Inc.](https://www.onespan.com/products/fido) | ![n] | ![y]| ![n]| ![y]| ![n] |+| [PONE Biometrics](https://ponebiometrics.com/) | ![y] | ![n]| ![n]| ![y]| ![n] | | [Precision Biometric](https://www.innait.com/product/fido/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [RSA](https://www.rsa.com/products/securid/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Sentry](https://sentryenterprises.com/) | ![n] | ![n]| ![y]| ![n]| ![n] | |
active-directory | Concept Mfa Regional Opt In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-regional-opt-in.md | For Voice verification, the following region codes require an opt-in. | 236 | Central African Republic | | 237 | Cameroon | | 238 | Cabo Verde |-| 239 | Sao Tome and Principe | +| 239 | São Tomé and Príncipe | | 240 | Equatorial Guinea | | 241 | Gabon | | 242 | Congo | |
active-directory | Concept Password Ban Bad Combined Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md | description: Learn about the combined password policy and check for weak passwor + Last updated 04/02/2023 |
active-directory | Concept Resilient Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-resilient-controls.md | |
active-directory | Concept Sspr Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-policy.md | |
active-directory | Concepts Azure Multi Factor Authentication Prompts Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md | description: Learn about the recommended configuration for reauthentication prom + Previously updated : 03/28/2023 Last updated : 08/31/2023 Azure Active Directory (Azure AD) has multiple settings that determine how often The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt. -It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken). +It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions by using Microsoft Graph PowerShell](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession). This article details recommended configurations and how different settings work and interact with each other. To optimize the frequency of authentication prompts for your users, you can conf ### Evaluate session lifetime policies -Without any session lifetime settings, there are no persistent cookies in the browser session. Every time a user closes and open the browser, they get a prompt for reauthentication. 
In Office clients, the default time period is a rolling window of 90 days. With this default Office configuration, if the user has reset their password or there has been inactivity of over 90 days, the user is required to reauthenticate with all required factors (first and second factor). +Without any session lifetime settings, there are no persistent cookies in the browser session. Every time a user closes and opens the browser, they get a prompt for reauthentication. In Office clients, the default time period is a rolling window of 90 days. With this default Office configuration, if the user has reset their password or there has been inactivity of over 90 days, the user is required to reauthenticate with all required factors (first and second factor). A user might see multiple MFA prompts on a device that doesn't have an identity in Azure AD. Multiple prompts result when each application has its own OAuth Refresh Token that isn't shared with other client apps. In this scenario, MFA prompts multiple times as each application requests an OAuth Refresh Token to be validated with MFA. This setting allows configuration of lifetime for token issued by Azure Active D Now that you understand how different settings works and the recommended configuration, it's time to check your tenants. You can start by looking at the sign-in logs to understand which session lifetime policies were applied during sign-in. -Under each sign-in log, go to the **Authentication Details** tab and explore **Session Lifetime Policies Applied**. For more information, see [Authentication details](../reports-monitoring/concept-sign-ins.md#authentication-details). +Under each sign-in log, go to the **Authentication Details** tab and explore **Session Lifetime Policies Applied**. For more information, see the [Learn about the sign-in log activity details](../reports-monitoring/concept-sign-in-log-activity-details.md) article. 
![Screenshot of authentication details.](./media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/details.png) |
active-directory | Fido2 Compatibility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/fido2-compatibility.md | The following tables show which transports are supported for each platform. Supp |||--|--| | Edge | ❌ | ❌ | ❌ | | Chrome | ✅ | ❌ | ❌ |-| Firefox | ❌ | ❌ | ❌ | +| Firefox | ✅ | ❌ | ❌ | ### iOS |
active-directory | How To Authentication Find Coverage Gaps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md | There are different ways to check if your admins are covered by an MFA policy. ![Screenshot of the sign-in log.](./media/how-to-authentication-find-coverage-gaps/auth-requirement.png) - Click **Authentication details** for [details about the MFA requirements](../reports-monitoring/concept-sign-ins.md#authentication-details). + When viewing the details of a specific sign-in, select the **Authentication details** tab for details about the MFA requirements. For more information, see [Sign-in log activity details](../reports-monitoring/concept-sign-in-log-activity-details.md). ![Screenshot of the authentication activity details.](./media/how-to-authentication-find-coverage-gaps/details.png) |
active-directory | How To Certificate Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-certificate-based-authentication.md | |
active-directory | How To Mfa Authenticator Lite | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-authenticator-lite.md | Microsoft Authenticator Lite is another surface for Azure Active Directory (Azur Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in. >[!NOTE]->This is an important security enhancement for users authenticating via telecom transports. On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ. If you no longer wish for this feature to be enabled, move the state from 'default' toΓÇÿdisabledΓÇÖ or set users to include and exclude groups. +>These are important security enhancements for users authenticating via telecom transports: +>- On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ in the Authentication methods policy. If you no longer wish for this feature to be enabled, move the state from 'default' to ΓÇÿdisabledΓÇÖ or scope it to only a group of users. +>- Starting September 18, Authenticator Lite will be enabled as part of the *Notification through mobile app* verification option in the per-user MFA policy. If you don't want this feature enabled, you can disable it in the Authentication methods policy following the steps below. ## Prerequisites -- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the modern Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server or that have not started migration from per-user MFA are not eligible for this feature.+- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for all users or select groups. 
We recommend enabling Microsoft Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server are not eligible for this feature. >[!TIP] >We recommend that you also enable [system-preferred multifactor authentication (MFA)](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred MFA enabled, users try to sign-in with Authenticator Lite before they try less secure telephony methods like SMS or voice call. Users receive a notification in Outlook mobile to approve or deny sign-in, or th ## Enable Authenticator Lite -By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings). On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ +By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) in the Authentication methods policy. On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ. Authenticator Lite is also included as part of the *Notification through mobile app* verification option in the per-user MFA policy. ### Disabling Authenticator Lite in Azure portal UX To disable Authenticator Lite in the Azure portal, complete the following steps: 1. In the Azure portal, click Azure Active Directory > Security > Authentication methods > Microsoft Authenticator. In the Entra admin center, on the sidebar select Azure Active Directory > Protect & Secure > Authentication methods > Microsoft Authenticator. - 2. On the Enable and Target tab, click Yes and All users to enable the Authenticator policy for everyone or add selected users and groups. 
Set the Authentication mode for these users/groups to Any or Push. + 2. On the Enable and Target tab, click Enable and All users to enable the Authenticator policy for everyone or add select groups. Set the Authentication mode for these users/groups to Any or Push. - Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application. +Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application. -<img width="1112" alt="Entra portal Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png"> +<img width="1112" alt="Microsoft Entra admin center Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png"> 3. On the Configure tab, for **Microsoft Authenticator on companion applications**, change Status to Disabled, and click Save. 
<img width="664" alt="Authenticator Lite configuration settings" src="https://user-images.githubusercontent.com/108090297/228603364-53f2581f-a4e0-42ee-8016-79b23e5eff6c.png"> +>[!NOTE] +> If your organization still manages authentication methods in the per-user MFA policy, you'll need to disable *Notification through mobile app* as a verification option there in addition to the steps above. We recommend doing this only after you've enabled Microsoft Authenticator in the Authentication methods policy. You can contine to manage the remainder of your authentication methods in the per-user MFA policy while Microsoft Authenticator is managed in the modern Authentication methods policy. However, we recommend [migrating](how-to-authentication-methods-manage.md) management of all authentication methods to the modern Authentication methods policy. The ability to manage authentication methods in the per-user MFA policy will be retired September 30, 2024. + ### Enable Authenticator Lite via Graph APIs | Property | Type | Description | |
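Review bot: the added note contains a typo, "You can contine to manage the remainder of your authentication methods"; "contine" should be "continue".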
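Review bot: the added note lines under "These are important security enhancements" and the "Enable Authenticator Lite" paragraph mix straight quotes ('default') with typographic quotes around disabled and enabled in the same sentence; pick one quote style, preferably straight ASCII quotes, which is what the rest of this set of changes converts to.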
active-directory | How To Mfa Server Migration Utility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md | Take a look at our video for an overview of the MFA Server Migration Utility and ## Limitations and requirements -- The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You donΓÇÖt have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically.+- The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You don't have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically. - The MFA Server Migration Utility copies the data from the database file onto the user objects in Azure AD. During migration, users can be targeted for Azure AD MFA for testing purposes using [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). Staged migration lets you test without making any changes to your domain federation settings. Once migrations are complete, you must finalize your migration by making changes to your domain federation settings. - AD FS running Windows Server 2016 or higher is required to provide MFA authentication on any AD FS relying parties, not including Azure AD and Office 365. - Review your AD FS access control policies and make sure none requires MFA to be performed on-premises as part of the authentication process. 
A few important points: During the previous phases, you can remove users from the Staged Rollout folders to take them out of scope of Azure AD MFA and route them back to your on-premises Azure MFA server for all MFA requests originating from Azure AD. -**Phase 3** requires moving all clients that authenticate to the on-premises MFA Server (VPNs, password managers, and so on) to Azure AD federation via SAML/OAUTH. If modern authentication standards arenΓÇÖt supported, you're required to stand up NPS server(s) with the Azure AD MFA extension installed. Once dependencies are migrated, users should no longer use the User portal on the MFA Server, but rather should manage their authentication methods in Azure AD ([aka.ms/mfasetup](https://aka.ms/mfasetup)). Once users begin managing their authentication data in Azure AD, those methods won't be synced back to MFA Server. If you roll back to the on-premises MFA Server after users have made changes to their Authentication Methods in Azure AD, those changes will be lost. After user migrations are complete, change the [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) domain federation setting. The change tells Azure AD to no longer perform MFA on-premises and to perform _all_ MFA requests with Azure AD MFA, regardless of group membership. +**Phase 3** requires moving all clients that authenticate to the on-premises MFA Server (VPNs, password managers, and so on) to Azure AD federation via SAML/OAUTH. If modern authentication standards aren't supported, you're required to stand up NPS server(s) with the Azure AD MFA extension installed. Once dependencies are migrated, users should no longer use the User portal on the MFA Server, but rather should manage their authentication methods in Azure AD ([aka.ms/mfasetup](https://aka.ms/mfasetup)). 
Once users begin managing their authentication data in Azure AD, those methods won't be synced back to MFA Server. If you roll back to the on-premises MFA Server after users have made changes to their Authentication Methods in Azure AD, those changes will be lost. After user migrations are complete, change the [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) domain federation setting. The change tells Azure AD to no longer perform MFA on-premises and to perform _all_ MFA requests with Azure AD MFA, regardless of group membership. The following sections explain the migration steps in more detail. Open MFA Server, click **Company Settings**: |OATH Token tab|Not applicable; Azure AD MFA uses a default message for OATH tokens| |Reports|[Azure AD Authentication Methods Activity reports](howto-authentication-methods-activity.md)| -<sup>*</sup>When a PIN is used to provide proof-of-presence functionality, the functional equivalent is provided above. PINs that arenΓÇÖt cryptographically tied to a device don't sufficiently protect against scenarios where a device has been compromised. To protect against these scenarios, including [SIM swap attacks](https://wikipedia.org/wiki/SIM_swap_scam), move users to more secure methods according to Microsoft authentication methods [best practices](concept-authentication-methods.md). +<sup>*</sup>When a PIN is used to provide proof-of-presence functionality, the functional equivalent is provided above. PINs that aren't cryptographically tied to a device don't sufficiently protect against scenarios where a device has been compromised. To protect against these scenarios, including [SIM swap attacks](https://wikipedia.org/wiki/SIM_swap_scam), move users to more secure methods according to Microsoft authentication methods [best practices](concept-authentication-methods.md). 
<sup>**</sup>The default SMS MFA experience in Azure AD MFA sends users a code, which they're required to enter in the login window as part of authentication. The requirement to roundtrip the SMS code provides proof-of-presence functionality. Open MFA Server, click **User Portal**: |Use OATH token for fallback|See [OATH token documentation](howto-mfa-mfasettings.md#oath-tokens)| |Session Timeout|| |**Security Questions tab** |Security questions in MFA Server were used to gain access to the User portal. Azure AD MFA only supports security questions for self-service password reset. See [security questions documentation](concept-authentication-security-questions.md).|-|**Passed Sessions tab**|All authentication method registration flows are managed by Azure AD and donΓÇÖt require configuration| +|**Passed Sessions tab**|All authentication method registration flows are managed by Azure AD and don't require configuration| |**Trusted IPs**|[Azure AD trusted IPs](howto-mfa-mfasettings.md#trusted-ips)| Any MFA methods available in MFA Server must be enabled in Azure AD MFA by using [MFA Service settings](howto-mfa-mfasettings.md#mfa-service-settings). Users can't try their newly migrated MFA methods unless they're enabled. #### Authentication services Azure MFA Server can provide MFA functionality for third-party solutions that use RADIUS or LDAP by acting as an authentication proxy. To discover RADIUS or LDAP dependencies, click **RADIUS Authentication** and **LDAP Authentication** options in MFA Server. For each of these dependencies, determine if these third parties support modern authentication. If so, consider federation directly with Azure AD. -For RADIUS deployments that canΓÇÖt be upgraded, youΓÇÖll need to deploy an NPS Server and install the [Azure AD MFA NPS extension](howto-mfa-nps-extension.md). +For RADIUS deployments that can't be upgraded, you'll need to deploy an NPS Server and install the [Azure AD MFA NPS extension](howto-mfa-nps-extension.md). 
-For LDAP deployments that canΓÇÖt be upgraded or moved to RADIUS, [determine if Azure Active Directory Domain Services can be used](../architecture/auth-ldap.md). In most cases, LDAP was deployed to support in-line password changes for end users. Once migrated, end users can manage their passwords by using [self-service password reset in Azure AD](tutorial-enable-sspr.md). +For LDAP deployments that can't be upgraded or moved to RADIUS, [determine if Azure Active Directory Domain Services can be used](../architecture/auth-ldap.md). In most cases, LDAP was deployed to support in-line password changes for end users. Once migrated, end users can manage their passwords by using [self-service password reset in Azure AD](tutorial-enable-sspr.md). -If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfaserver-adfs-windows-server.md#secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server) on any relying party trusts except for the Office 365 relying party trust, youΓÇÖll need to upgrade to [AD FS 3.0](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server) or federate those relying parties directly to Azure AD if they support modern authentication methods. Determine the best plan of action for each of the dependencies. +If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfaserver-adfs-windows-server.md#secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server) on any relying party trusts except for the Office 365 relying party trust, you'll need to upgrade to [AD FS 3.0](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server) or federate those relying parties directly to Azure AD if they support modern authentication methods. Determine the best plan of action for each of the dependencies. 
### Backup Azure AD MFA Server datafile Make a backup of the MFA Server data file located at %programfiles%\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata (default location) on your primary MFA Server. Make sure you have a copy of the installer for your currently installed version in case you need to roll back. If you no longer have a copy, contact Customer Support Services. The **Settings** option allows you to change the settings for the migration proc - User Match ΓÇô Allows you to specify a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName: - The migration utility tries direct matching to UPN before using the on-premises Active Directory attribute. - If no match is found, it calls a Windows API to find the Azure AD UPN and get the SID, which it uses to search the MFA Server user list. - - If the Windows API doesnΓÇÖt find the user or the SID isnΓÇÖt found in the MFA Server, then it will use the configured Active Directory attribute to find the user in the on-premises Active Directory, and then use the SID to search the MFA Server user list. + - If the Windows API doesn't find the user or the SID isn't found in the MFA Server, then it will use the configured Active Directory attribute to find the user in the on-premises Active Directory, and then use the SID to search the MFA Server user list. - Automatic synchronization ΓÇô Starts a background service that will continually monitor any authentication method changes to users in the on-premises MFA Server, and write them to Azure AD at the specified time interval defined. - Synchronization server ΓÇô Allows the MFA Server Migration Sync service to run on a secondary MFA Server rather than only run on the primary. 
To configure the Migration Sync service to run on a secondary server, the `Configure-MultiFactorAuthMigrationUtility.ps1` script must be run on the server to register a certificate with the MFA Server Migration Utility app registration. The certificate is used to authenticate to Microsoft Graph. The manual process steps are: 1. To begin the migration process for a user or selection of multiple users, press and hold the Ctrl key while selecting each of the user(s) you wish to migrate. 1. After you select the desired users, click **Migrate Users** > **Selected users** > **OK**. 1. To migrate all users in the group, click **Migrate Users** > **All users in AAD group** > **OK**.-1. You can migrate users even if they are unchanged. By default, the utility is set to **Only migrate users that have changed**. Click **Migrate all users** to re-migrate previously migrated users that are unchanged. Migrating unchanged users can be useful during testing if an administrator needs to reset a userΓÇÖs Azure MFA settings and wants to re-migrate them. +1. You can migrate users even if they are unchanged. By default, the utility is set to **Only migrate users that have changed**. Click **Migrate all users** to re-migrate previously migrated users that are unchanged. Migrating unchanged users can be useful during testing if an administrator needs to reset a user's Azure MFA settings and wants to re-migrate them. :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/migrate-users.png" alt-text="Screenshot of Migrate users dialog."::: The following table lists the sync logic for the various methods. 
|**Mobile App**|Maximum of five devices will be migrated or only four if the user also has a hardware OATH token.<br>If there are multiple devices with the same name, only migrate the most recent one.<br>Devices will be ordered from newest to oldest.<br>If devices already exist in Azure AD, match on OATH Token Secret Key and update.<br>- If there's no match on OATH Token Secret Key, match on Device Token<br>-- If found, create a Software OATH Token for the MFA Server device to allow OATH Token method to work. Notifications will still work using the existing Azure AD MFA device.<br>-- If not found, create a new device.<br>If adding a new device will exceed the five-device limit, the device will be skipped. | |**OATH Token**|If devices already exist in Azure AD, match on OATH Token Secret Key and update.<br>- If not found, add a new Hardware OATH Token device.<br>If adding a new device will exceed the five-device limit, the OATH token will be skipped.| -MFA Methods will be updated based on what was migrated and the default method will be set. MFA Server will track the last migration timestamp and only migrate the user again if the userΓÇÖs MFA settings change or an admin modifies what to migrate in the **Settings** dialog. +MFA Methods will be updated based on what was migrated and the default method will be set. MFA Server will track the last migration timestamp and only migrate the user again if the user's MFA settings change or an admin modifies what to migrate in the **Settings** dialog. During testing, we recommend doing a manual migration first, and test to ensure a given number of users behave as expected. Once testing is successful, turn on automatic synchronization for the Azure AD group you wish to migrate. As you add users to this group, their information will be automatically synchronized to Azure AD. MFA Server Migration Utility targets one Azure AD group, however that group can encompass both users and nested groups of users. 
Once complete, a confirmation will inform you of the tasks completed: As mentioned in the confirmation message, it can take several minutes for the migrated data to appear on user objects within Azure AD. Users can view their migrated methods by navigating to [aka.ms/mfasetup](https://aka.ms/mfasetup). +#### View migration details ++You can use Audit logs or Log Analytics to view details of MFA Server to Azure MFA user migrations. ++##### Use Audit logs +To access the Audit logs in the Azure portal to view details of MFA Server to Azure MFA user migrations, follow these steps: ++1. Click **Azure Active Directory** > **Audit logs**. To filter the logs, click **Add filters**. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/add-filter.png" alt-text="Screenshot of how to add filters."::: ++1. Select **Initiated by (actor)** and click **Apply**. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/actor.png" alt-text="Screenshot of Initiated by Actor option."::: ++1. Type _Azure MFA Management_ and click **Apply**. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/apply-actor.png" alt-text="Screenshot of MFA management option."::: ++1. This filter displays only MFA Server Migration Utility logs. To view details for a user migration, click a row, and then choose the **Modified Properties** tab. This tab shows changes to registered MFA methods and phone numbers. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/changes.png" alt-text="Screenshot of user migration details."::: ++ The following table lists the authentication method for each code. ++ | Code | Method | + |:--|:| + | 0 | Voice mobile | + | 2 | Voice office | + | 3 | Voice alternate mobile | + | 5 | SMS | + | 6 | Microsoft Authenticator push notification | + | 7 | Hardware or software token OTP | ++1. 
If any user devices were migrated, there is a separate log entry. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/migrated-device.png" alt-text="Screenshot of a migrated device."::: +++##### Use Log Analytics ++The details of MFA Server to Azure MFA user migrations can also be queried using Log Analytics. + +```kusto +AuditLogs +| where ActivityDateTime > ago(7d) +| extend InitiatedBy = tostring(InitiatedBy["app"]["displayName"]) +| where InitiatedBy == "Azure MFA Management" +| extend UserObjectId = tostring(TargetResources[0]["id"]) +| extend Upn = tostring(TargetResources[0]["userPrincipalName"]) +| extend ModifiedProperties = TargetResources[0]["modifiedProperties"] +| project ActivityDateTime, InitiatedBy, UserObjectId, Upn, ModifiedProperties +| order by ActivityDateTime asc +``` ++This screenshot shows changes for user migration: +++This screenshot shows changes for device migration: +++Log Analytics can also be used to summarize user migration activity. ++```kusto +AuditLogs +| where ActivityDateTime > ago(7d) +| extend InitiatedBy = tostring(InitiatedBy["app"]["displayName"]) +| where InitiatedBy == "Azure MFA Management" +| extend UserObjectId = tostring(TargetResources[0]["id"]) +| summarize UsersMigrated = dcount(UserObjectId) by InitiatedBy, bin(ActivityDateTime, 1d) +``` ++ ### Validate and test Once you've successfully migrated user data, you can validate the end-user experience using Staged Rollout before making the global tenant change. The following process will allow you to target specific Azure AD group(s) for Staged Rollout for MFA. Staged Rollout tells Azure AD to perform MFA by using Azure AD MFA for users in the targeted groups, rather than sending them on-premises to perform MFA. You can validate and testΓÇöwe recommend using the Azure portal, but if you prefer, you can also use Microsoft Graph. Once you've successfully migrated user data, you can validate the end-user exper 1. 
Are users able to authenticate successfully using Hardware OATH tokens? ### Educate users-Ensure users know what to expect when they're moved to Azure MFA, including new authentication flows. You may also wish to instruct users to use the Azure AD Combined Registration portal ([aka.ms/mfasetup](https://aka.ms/mfasetup)) to manage their authentication methods rather than the User portal once migrations are complete. Any changes made to authentication methods in Azure AD won't propagate back to your on-premises environment. In a situation where you had to roll back to MFA Server, any changes users have made in Azure AD wonΓÇÖt be available in the MFA Server User portal. +Ensure users know what to expect when they're moved to Azure MFA, including new authentication flows. You may also wish to instruct users to use the Azure AD Combined Registration portal ([aka.ms/mfasetup](https://aka.ms/mfasetup)) to manage their authentication methods rather than the User portal once migrations are complete. Any changes made to authentication methods in Azure AD won't propagate back to your on-premises environment. In a situation where you had to roll back to MFA Server, any changes users have made in Azure AD won't be available in the MFA Server User portal. -If you use third-party solutions that depend on Azure MFA Server for authentication (see [Authentication services](#authentication-services)), youΓÇÖll want users to continue to make changes to their MFA methods in the User portal. These changes will be synced to Azure AD automatically. Once you've migrated these third party solutions, you can move users to the Azure AD combined registration page. +If you use third-party solutions that depend on Azure MFA Server for authentication (see [Authentication services](#authentication-services)), you'll want users to continue to make changes to their MFA methods in the User portal. These changes will be synced to Azure AD automatically. 
Once you've migrated these third party solutions, you can move users to the Azure AD combined registration page. ### Complete user migration Repeat migration steps found in [Migrate user data](#migrate-user-data) and [Validate and test](#validate-and-test) sections until all user data is migrated. Repeat migration steps found in [Migrate user data](#migrate-user-data) and [Val Using the data points you collected in [Authentication services](#authentication-services), begin carrying out the various migrations necessary. Once this is completed, consider having users manage their authentication methods in the combined registration portal, rather than in the User portal on MFA server. ### Update domain federation settings-Once you've completed user migrations, and moved all of your [Authentication services](#authentication-services) off of MFA Server, itΓÇÖs time to update your domain federation settings. After the update, Azure AD no longer sends MFA request to your on-premises federation server. +Once you've completed user migrations, and moved all of your [Authentication services](#authentication-services) off of MFA Server, it's time to update your domain federation settings. After the update, Azure AD no longer sends MFA request to your on-premises federation server. To configure Azure AD to ignore MFA requests to your on-premises federation server, install the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-&preserve-view=true) and set [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) to `rejectMfaByFederatedIdp`, as shown in the following example. Content-Type: application/json } ``` -Users will no longer be redirected to your on-premises federation server for MFA, whether theyΓÇÖre targeted by the Staged Rollout tool or not. Note this can take up to 24 hours to take effect. 
+Users will no longer be redirected to your on-premises federation server for MFA, whether they're targeted by the Staged Rollout tool or not. Note this can take up to 24 hours to take effect. >[!NOTE] >The update of the domain federation setting can take up to 24 hours to take effect. |
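Review bot: the authentication-code table added under "View migration details" has a malformed delimiter row: `|:--|:|` does not parse as a Markdown table header separator because the second cell has no dashes, so the table will render as plain text; change it to `|:--|:--|`. While there, the code column jumps from 0 to 2 and from 3 to 5, so either list codes 1 and 4 or say that they are unused, otherwise readers of the Modified Properties tab will not know how to interpret them.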
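Review bot: the rewritten "Users will no longer be redirected..." line ends with "Note this can take up to 24 hours to take effect." and is immediately followed by a `[!NOTE]` block that says the same thing; drop the trailing sentence and keep the note block so the propagation delay is stated once, in the callout where it stands out.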
active-directory | How To Migrate Mfa Server To Azure Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md | description: Step-by-step guidance to migrate from MFA Server on-premises to Azu + Last updated 01/29/2023 |
active-directory | How To Migrate Mfa Server To Mfa With Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md | Title: Migrate to Azure AD MFA with federations description: Step-by-step guidance to move from MFA Server on-premises to Azure AD MFA with federation + Last updated 05/23/2023 |
active-directory | Howto Authentication Passwordless Phone | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-phone.md | description: Enable passwordless sign-in to Azure AD using Microsoft Authenticat + Last updated 05/16/2023 |
active-directory | Howto Authentication Use Email Signin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md | description: Learn how to enable users to sign in to Azure Active Directory with + Last updated 06/01/2023 -> Sign-in to Azure AD with email as an alternate login ID is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Sign-in to Azure AD with email as an alternate login ID is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). Many organizations want to let users sign in to Azure Active Directory (Azure AD) using the same credentials as their on-premises directory environment. With this approach, known as hybrid authentication, users only need to remember one set of credentials. |
active-directory | Howto Mfa Getstarted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-getstarted.md | Title: Deployment considerations for Azure AD Multi-Factor Authentication description: Learn about deployment considerations and strategy for successful implementation of Azure AD Multi-Factor Authentication + Last updated 03/06/2023 |
active-directory | Howto Mfa Mfasettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-mfasettings.md | To unblock a user, complete the following steps: Users who report an MFA prompt as suspicious are set to **High User Risk**. Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the **Fraud Alert** automatic blocking feature and don't have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in. For more information about using risk-based policies, see [Risk-based access policies](../identity-protection/concept-identity-protection-policies.md). -To enable **Report suspicious activity** from the Authentication Methods Settings: +To enable **Report suspicious activity** from the Authentication methods **Settings**: 1. In the Azure portal, click **Azure Active Directory** > **Security** > **Authentication Methods** > **Settings**. -1. Set **Report suspicious activity** to **Enabled**. +1. Set **Report suspicious activity** to **Enabled**. The feature remains disabled if you choose **Microsoft managed**. For more information about Microsoft managed values, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md). 1. Select **All users** or a specific group. +1. Select a **Reporting code**. +1. Click **Save**. ++>[!NOTE] +>If you enable **Report suspicious activity** and specify a custom voice reporting value while the tenant still has **Fraud Alert** enabled in parallel with a custom voice reporting number configured, the **Report suspicious activity** value will be used instead of **Fraud Alert**. 
### View suspicious activity events OATH TOTP hardware tokens typically come with a secret key, or seed, pre-program Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow. -OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms). +OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). ![Screenshot that shows the OATH tokens section.](media/concept-authentication-methods/mfa-server-oath-tokens-azure-ad.png) The following table lists more numbers for different countries. | Sri Lanka | +94 117750440 | | Sweden | +46 701924176 | | Taiwan | +886 277515260 |-| Turkey | +90 8505404893 | +| T├╝rkiye | +90 8505404893 | | Ukraine | +380 443332393 | | United Arab Emirates | +971 44015046 | | Vietnam | +84 2039990161 | |
active-directory | Howto Mfa Nps Extension Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-errors.md | If you encounter errors with the NPS extension for Azure AD Multi-Factor Authent | **REQUEST_FORMAT_ERROR** <br> Radius Request missing mandatory Radius userName\Identifier attribute.Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension does not work when installed over such installations and errors out since it cannot read the details from the authentication request. | | **REQUEST_MISSING_CODE** | Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. **PAP** supports all the authentication methods of Azure AD MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. **CHAPV2** and **EAP** support phone call and mobile app notification. | | **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you are using cross-forest trusts, [contact support](#contact-microsoft-support) for further help. |+| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP will observe user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. 
For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). | ### Alternate login ID errors |
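Review bot: the added "Challenge requested in Authentication Ext for User" row tells the reader to "set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE" but does not say where that value is configured on the NPS Extension server or that it is a server-wide setting; point to the linked number matching article for the location, and state plainly that this fallback turns off number matching for every user authenticating through that server, so configuring the NAS to use PAP, which keeps number matching, is the preferred resolution and the override is the last resort.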
active-directory | Howto Mfa Nps Extension Rdg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md | description: Integrate your Remote Desktop Gateway infrastructure with Azure AD + Last updated 01/29/2023 |
active-directory | Howto Mfa Nps Extension Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md | description: Integrate your VPN infrastructure with Azure AD MFA by using the Ne + Last updated 01/29/2023 |
active-directory | Howto Mfa Nps Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md | |
active-directory | Howto Mfa Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-reporting.md | |
active-directory | Howto Mfa Userdevicesettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md | Install the Microsoft.Graph.Identity.Signins PowerShell module using the followi ```powershell Install-module Microsoft.Graph.Identity.Signins-Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All +Connect-MgGraph -Scopes "User.Read.all","UserAuthenticationMethod.Read.All","UserAuthenticationMethod.ReadWrite.All" Select-MgProfile -Name beta ``` |
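Review bot: the new `Connect-MgGraph -Scopes` list mixes casing (`"User.Read.all"` next to `"UserAuthenticationMethod.Read.All"`) and requests `UserAuthenticationMethod.Read.All` alongside `UserAuthenticationMethod.ReadWrite.All`, which already covers read access; use `"User.Read.All"` and drop the redundant Read scope so the consented permission set stays minimal. Also note that the snippet still calls `Select-MgProfile -Name beta`, which exists only in the 1.x Microsoft Graph PowerShell SDK, while `Install-Module Microsoft.Graph.Identity.Signins` with no version pin installs the latest 2.x module where that cmdlet is gone; either pin the module version or update the example to the 2.x beta module.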
active-directory | Howto Mfa Userstates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userstates.md | |
active-directory | Howto Password Smart Lockout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-password-smart-lockout.md | Based on your organizational requirements, you can customize the Azure AD smart To check or modify the smart lockout values for your organization, complete the following steps: -1. Sign in to the [Entra portal](https://entra.microsoft.com/#home). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home). 1. Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**. 1. Set the **Lockout threshold**, based on how many failed sign-ins are allowed on an account before its first lockout. |
active-directory | Howto Registration Mfa Sspr Combined Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md | description: Troubleshoot Azure AD Multi-Factor Authentication and self-service + Last updated 01/29/2023 |
active-directory | Howto Sspr Authenticationdata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-authenticationdata.md | |
active-directory | V1 Permissions Consent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/v1-permissions-consent.md | |
active-directory | Faqs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md | This article answers frequently asked questions (FAQs) about Microsoft Entra Per Microsoft Entra Permissions Management (Permissions Management) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle. - ## What are the prerequisites to use Permissions Management? Permissions Management supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use Permissions Management. Permissions Management currently supports the three major public clouds: Amazon Permissions Management currently doesn't support hybrid environments. -## What types of identities are supported by Permissions Management? +## What types of identities does Permissions Management support? Permissions Management supports user identities (for example, employees, customers, external partners) and workload identities (for example, virtual machines, containers, web apps, serverless functions). The Permissions Creep Index (PCI) is a quantitative measure of risk associated w ## How can customers use Permissions Management to delete unused or excessive permissions? -Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. 
The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. +Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size the permissions of that identity to permissions that are only being used for day-to-day operations. All unused and other risky permissions can be automatically removed. ## How can customers grant permissions on-demand with Permissions Management? No, Permissions Management doesn't have access to sensitive personal data. You can read our [blog](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/bg-p/Identity) and visit our [web page](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-permissions-management). You can also get in touch with your Microsoft point of contact to schedule a demo. -## What is the data destruction/decommission process? +## What is the data destruction/decommission process? ++If a customer initiates a free Permissions Management 45-day trial and does not convert to a paid license within 45 days of the trial expiration, all collected data is deleted within 30 days of the trial expiration date. ++If a customer decides to discontinue licensing the service, all previously collected data is deleted within 30 days of license termination. ++Customers can also remove, export or modify specific data if a Global Administrator using the Permissions Management service files an official Data Subject Request. 
To file a request: -If a customer initiates a free Permissions Management 45-day trial, but does not follow up and convert to a paid license within 45 days of the free trial expiration, we will delete all collected data on or just before 45 days. +If you're an enterprise customer, you can contact your Microsoft representative, account team, or tenant admin to file a high-priority IcM support ticket requesting a Data Subject Request. Do not include details or any personally identifiable information in the IcM request. We'll reach out to you for these details only after an IcM is filed. -If a customer decides to discontinue licensing the service, we will also delete all previously collected data within 45 days of license termination. +If you're a self-service customer (you set up a trial or paid license in the Microsoft 365 admin center) you can contact the Permissions Management privacy team by selecting your profile drop-down menu, then **Account Settings** in Permissions Management. Follow the instructions to make a Data Subject Access Request. -We also have the ability to remove, export or modify specific data should the Global Administrator using the Entra Permissions Management service file an official Data Subject Request. This can be initiated by opening a ticket in the Azure portal [New support request - Microsoft Entra admin center](https://entra.microsoft.com/#blade/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical), or alternately contacting your local Microsoft representative. +Learn more about [Azure Data Subject Requests](https://go.microsoft.com/fwlink/?linkid=2245178). ## Do I require a license to use Entra Permissions Management? |
active-directory | Onboard Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md | This option detects all AWS accounts that are accessible through OIDC role acces On the **Data Collectors** dashboard, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** - You have now completed onboarding AWS, and Permissions Management has started collecting and processing your data. + The status column in your Permissions Management UI shows you which step of data collection you're at: + + - **Pending**: Permissions Management has not started detecting or onboarding yet. + - **Discovering**: Permissions Management is detecting the authorization systems. + - **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. + - **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ### 7. View the data |
active-directory | Onboard Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md | To view status of onboarding after saving the configuration: ### 2. Review and save. -- In **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.+1. In **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration.** On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** - You have now completed onboarding Azure, and Permissions Management has started collecting and processing your data. + The status column in your Permissions Management UI shows you which step of data collection you're at: + + - **Pending**: Permissions Management has not started detecting or onboarding yet. + - **Discovering**: Permissions Management is detecting the authorization systems. + - **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. + - **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ### 3. View the data. -- To view the data, select the **Authorization Systems** tab.+1. To view the data, select the **Authorization Systems** tab. The **Status** column in the table displays **Collecting Data.** |
active-directory | Onboard Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md | The required commands to run in Google Cloud Shell are listed in the Manage Auth ### 3. Review and save. -- In the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.+1. In the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration**. On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**-- You've completed onboarding GCP, and Permissions Management has started collecting and processing your data. + + The status column in your Permissions Management UI shows you which step of data collection you're at: + + - **Pending**: Permissions Management has not started detecting or onboarding yet. + - **Discovering**: Permissions Management is detecting the authorization systems. + - **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. + - **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ### 4. View the data. -- To view the data, select the **Authorization Systems** tab.+1. To view the data, select the **Authorization Systems** tab. The **Status** column in the table displays **Collecting Data.** |
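Review bot: the four-item status list (**Pending**, **Discovering**, **In progress**, **Onboarded**) added here is the same text added to onboard-aws.md and onboard-azure.md in the rows above and repeated in the Summary of the new quickstart guide; consider moving it into a shared include so the copies don't drift. Also, the new sentence "The status column in your Permissions Management UI shows you which step of data collection you're at" is immediately followed under "View the data" by "The **Status** column in the table displays **Collecting Data.**", a fifth status value the new list doesn't cover; either add it or reconcile the two statements.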
active-directory | Permissions Management Quickstart Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/permissions-management-quickstart-guide.md | + + Title: Microsoft Entra Permissions Management Quickstart Guide +description: Quickstart guide - How to quickly onboard your Microsoft Entra Permissions Management product +# CustomerIntent: As a security administrator, I want to successfully onboard Permissions Management so that I can enable identity security in my cloud environment as efficiently as possible.' +++++++ Last updated : 08/24/2023++++# Quickstart guide to Microsoft Entra Permissions Management ++Welcome to the Quickstart Guide for Microsoft Entra Permissions Management. ++Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. These identities include over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permissions Management helps your organization effectively secure and manage cloud permissions by detecting, automatically right-sizing, and continuously monitoring unused and excessive permissions. ++With this quickstart guide, youΓÇÖll set up your multicloud environment(s), configure data collection, and enable permissions access to ensure your cloud identities are managed and secure. ++## Prerequisites ++Before you begin, you need access to these tools for the onboarding process: ++- Access to a local BASH shell with the Azure CLI or Azure Cloud Shell using BASH environment (Azure CLI is included). +- Access to AWS, Azure, and GCP consoles. 
+- A user must have *Global Administrator* or *Permissions Management Administrator* role assignments to create a new app registration in Entra ID tenant is required for AWS and GCP onboarding. +++## Step 1: Set-up Permissions Management ++To enable Permissions Management, you must have a Microsoft Entra ID tenant (example, Entra admin center). +- If you have an Azure account, you automatically have an Entra admin center tenant. +- If you donΓÇÖt already have one, create a free account at [entra.microsoft.com.](https://entra.microsoft.com) ++If the above points are met, continue with: ++[Enable Microsoft Entra Permissions Management in your organization](onboard-enable-tenant.md) ++Ensure you're a *Global Administrator* or *Permissions Management Administrator*. Learn more about [Permissions Management roles and permissions](product-roles-permissions.md). ++ +## Step 2: Onboard your multicloud environment ++So far youΓÇÖve, ++1. Been assigned the *Permissions Management Administrator* role in your Entra admin center tenant. +2. Purchased licenses or activated your 45-day free trial for Permissions Management. +3. Successfully launched Permissions Management. ++Now, you're going to learn about the role and settings of the Controller and Data collection modes in Permissions Management. ++### Set the controller +The controller gives you the choice to determine the level of access you grant to users in Permissions Management. ++- Enabling the controller during onboarding grants Permissions Management admin access, or read and write access, so users can right-size permissions and remediate directly through Permissions Management (instead of going to the AWS, Azure, or GCP consoles).ΓÇ» ++- Disabling the controller during onboarding, or never enabling it, grants a Permissions Management user read-only access to your environment(s). ++> [!NOTE] +> If you don't enable the controller during onboarding, you have the option to enable it after onboarding is complete. 
To set the controller in Permissions Management after onboarding, see [Enable or disable the controller after onboarding](onboard-enable-controller-after-onboarding.md). +> For AWS environments, once you have enabled the controller, you *cannot* disable it. ++To set the controller settings during onboarding: +1. Select **Enable** to give read and write access to Permissions Management. +2. Select **Disable** to give read-only access to Permissions Management. ++### Configure data collection ++There are three modes to choose from in order to collect data in Permissions Management. ++- **Automatic (recommended)** +Permissions Management automatically discovers, onboards, and monitors all current and future subscriptions. ++- **Manual** +Manually enter individual subscriptions for Permissions Management to discover, onboard, and monitor. You can enter up to 100 subscriptions per data collection. ++- **Select** +Permissions Management automatically discovers all current subscriptions. Once discovered, you select which subscriptions to onboard and monitor. ++> [!NOTE] +> To use **Automatic** or **Select** modes, the controller must be enabled while configuring data collection. ++To configure data collection: +1. In Permissions Management, navigate to the data collectors page. +2. Select a cloud environment: AWS, Azure, or GCP. +3. Click **Create configuration**. ++### Onboard Amazon Web Services (AWS) +Since Permissions Management is hosted on Microsoft Entra, there are more steps to take to onboard your AWS environment. ++To connect AWS to Permissions Management, you must create an Entra ID application in the Entra admin center tenant where Permissions Management is enabled. This Entra ID application is used to set up an OIDC connection to your AWS environment. 
++*OpenID Connect (OIDC) is an interoperable authentication protocol based on the OAuth 2.0 family of specifications.* ++### Prerequisites ++A user must have *Global Administrator* or *Permissions Management Administrator* role assignments to create a new app registration in Entra ID. ++Account IDs and roles for: +- AWS OIDC account: An AWS member account designated by you to create and host the OIDC connection through an OIDC IdP +- AWS Logging account (optional but recommended) +- AWS Management account (optional but recommended) +- AWS member accounts monitored and managed by Permissions Management (for manual mode) ++To use **Automatic** or **Select** data collection modes, you must connect your AWS Management account. ++During this step, you can enable the controller by entering the name of the S3 bucket with AWS CloudTrail activity logs (found on AWS Trails). ++To onboard your AWS environment and configure data collection, see [Onboard an Amazon Web Services (AWS) account](onboard-aws.md). ++### Onboard Microsoft Azure +When you enabled Permissions Management in the Entra ID tenant, an enterprise application for CIEM was created. To onboard your Azure environment, you grant permissions to this application for Permissions management. ++1. In the Entra ID tenant where Permissions management is enabled, locate the **Cloud Infrastructure Entitlement Management (CIEM)** enterprise application. ++2. Assign the *Reader* role to the CIEM application to allow Permissions management to read the Entra subscriptions in your environment. ++### Prerequisites +- A user with ```Microsoft.Authorization/roleAssignments/write``` permissions at the subscription or management group scope. ++- To use **Automatic** or **Select** data collection modes, you must assign the *Reader* role at the Management group scope. ++- To enable the controller, you must assign the *User Access Administrator* role to the CIEM application. 
++To onboard your Azure environment and configure data collection, see [Onboard a Microsoft Azure subscription](onboard-azure.md). +++### Onboard Google Cloud Platform (GCP) +Because Permissions Management is hosted on Microsoft Azure, there are additional steps to take to onboard your GCP environment. ++To connect GCP to Permissions Management, you must create an Entra admin center application in the Entra ID tenant where Permissions Management is enabled. This Entra admin center application is used to set up an OIDC connection to your GCP environment. ++*OpenID Connect (OIDC) is an interoperable authentication protocol based on the OAuth 2.0 family of specifications.* ++ +### Prerequisites +A user with the ability to create a new app registration in Entra (needed to facilitate the OIDC connection) is needed for AWS and GCP onboarding. + +ID details for: +- GCP OIDC project: a GCP project designated by you to create and host the OIDC connection through an OIDC IdP. + - Project number and project ID +- GCP OIDC Workload identity + - Pool ID, pool provider ID +- GCP OIDC service account + - G-suite IdP Secret name and G-suite IdP user email (optional) + - IDs for the GCP projects you wish to onboard (optional, for manual mode) ++Assign the *Viewer* and *Security Reviewer* roles to the GCP service account at the organization, folder, or project levels to grant Permissions management read access to your GCP environment. ++During this step, you have the option to **Enable** controller mode by assigning the *Role Administrator* and *Security Administrator* roles to the GCP service account at the organization, folder, or project levels. ++> [!NOTE] +> The Permissions Management default scope is at the project level. ++To onboard your GCP environment and configure data collection, see [Onboard a GCP project](onboard-gcp.md). ++## Summary ++Congratulations! You have finished configuring data collection for your environment(s), and the data collection process has begun. 
++The status column in your Permissions Management UI shows you which step of data collection you're at. ++ +- **Pending**: Permissions Management has not started detecting or onboarding yet. +- **Discovering**: Permissions Management is detecting the authorization systems. +- **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. +- **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ++> [!NOTE] +> Data collection might take time depending on the amount of authorization systems you've onboarded. While the data collection process continues, you can begin setting up [users and groups in Permissions Management](how-to-add-remove-user-to-group.md). ++## Next steps ++- [Enable or disable the controller after onboarding](onboard-enable-controller-after-onboarding.md) +- [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md) +- [Create folders to organize your authorization systems](how-to-create-folders.md) ++References: +- [Permissions Management Glossary](multi-cloud-glossary.md) +- [Permissions Management FAQs](faqs.md) |
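Review bot: the new guide contradicts itself about where the product is hosted and what it reads. The AWS section says "Since Permissions Management is hosted on Microsoft Entra" while the GCP section says "Because Permissions Management is hosted on Microsoft Azure", and the Azure section has the *Reader* role allowing Permissions Management "to read the Entra subscriptions in your environment", where these are Azure subscriptions (the same section's prerequisites correctly refer to "the subscription or management group scope"). Pick one hosting statement and use "Azure subscriptions" throughout.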
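Review bot: the irreversible controller setting is buried in a [!NOTE]: "For AWS environments, once you have enabled the controller, you *cannot* disable it" sits after the sentence about enabling it later and before the Enable/Disable steps. Because **Enable** grants read and write access that cannot be revoked for AWS, promote that sentence to its own [!IMPORTANT] block directly above "To set the controller settings during onboarding", and repeat it in the "Onboard Amazon Web Services (AWS)" section, where entering the CloudTrail S3 bucket name is what enables the controller.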
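Review bot: several markup and grammar slips in the new file. The prerequisite bullet "A user must have *Global Administrator* or *Permissions Management Administrator* role assignments to create a new app registration in Entra ID tenant is required for AWS and GCP onboarding" has two predicates; suggest "A user with *Global Administrator* or *Permissions Management Administrator* role assignments is required to create a new app registration in the Entra ID tenant for AWS and GCP onboarding". The inline permission is wrapped in triple backticks (```Microsoft.Authorization/roleAssignments/write```) where a single-backtick code span is the docs convention. Each "### Prerequisites" heading is at the same level as the "### Onboard ..." section it belongs to and should be "####". And "Permissions management" is lower-cased in the Azure section while the rest of the file uses "Permissions Management".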
active-directory | Product Roles Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-roles-permissions.md | + + Title: Microsoft Entra Permissions Management roles and permissions +description: Review roles and the level of permissions assigned in Microsoft Entra Permissions Management. +# customerintent: As a cloud administer, I want to understand Permissions Management role assignments, so that I can effectively assign the correct permissions to users. +++++++ Last updated : 08/24/2023+++++# Microsoft Entra Permissions Management roles and permissions levels ++In Microsoft Azure and Microsoft Entra Permissions Management role assignments grant users permissions to monitor and take action in multicloud environments. ++- **Global Administrator**: Manages all aspects of Entra Admin Center and Microsoft services that use Entra Admin Center identities. +- **Billing Administrator**: Performs common billing related tasks like updating payment information. +- **Permissions Management Administrator**: Manages all aspects of Entra Permissions Management. ++See [Microsoft Entra ID built-in roles to learn more.](product-privileged-role-insights.md) ++## Enabling Permissions Management +- To activate a trial or purchase a license, you must have *Global Administrator* or *Billing Administrator* permissions. ++## Onboarding your Amazon Web Service (AWS), Microsoft Entra, or Google Cloud Platform (GCP) environments ++- To configure data collection, you must have *Permissions Management Administrator* or *Global Administrator* permissions. +- A user with *Global Administrator* or *Permissions Management Administrator* role assignments is required for AWS and GCP onboarding. 
++## Notes on permissions and roles in Permissions Management ++- Users can have the following permissions: + - Admin for all authorization system types + - Admin for selected authorization system types + - Fine-grained permissions for all or selected authorization system types +- If a user isn't an admin, they're assigned Microsoft Entra ID security group-based, fine-grained permissions for all or selected authorization system types: + - Viewers: View the specified AWS accounts, Azure subscriptions, and GCP projects + - Controller: Modify Cloud Infrastructure Entitlement Management (CIEM) properties and use the Remediation dashboard. + - Approvers: Able to approve permission requests + - Requestors: Request permissions in the specified AWS accounts, Entra subscriptions, and GCP projects. ++## Permissions Management actions and required roles ++Remediation +- To view the **Remediation** tab, you must have *Viewer*, *Controller*, or *Approver* permissions. +- To make changes in the **Remediation** tab, you must have *Controller* or *Approver* permissions. ++Autopilot +- To view and make changes in the **Autopilot** tab, you must be a *Permissions Management Administrator*. ++Alert +- Any user (admin, nonadmin) can create an alert. +- Only the user who creates the alert can edit, rename, deactivate, or delete the alert. ++Manage users or groups +- Only the owner of a group can add or remove a user from the group. +- Managing users and groups is only done in the Entra Admin Center. +++## Next steps ++For information about managing roles, policies and permissions requests in your organization, see [View roles/policies and requests for permission in the Remediation dashboard](ui-remediation.md). |
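Review bot: "Microsoft Entra" stands in for Azure in two places. The heading "Onboarding your Amazon Web Service (AWS), Microsoft Entra, or Google Cloud Platform (GCP) environments" lists the three clouds, so it should read "Microsoft Azure" (and "Amazon Web Services"), and "Requestors: Request permissions in the specified AWS accounts, Entra subscriptions, and GCP projects" should say "Azure subscriptions", matching the Viewers bullet two lines above. Also, the link text "[Microsoft Entra ID built-in roles to learn more.](product-privileged-role-insights.md)" has swallowed the tail of the sentence; only "Microsoft Entra ID built-in roles" should be linked. The opening sentence needs a comma after "Permissions Management" ("In Microsoft Azure and Microsoft Entra Permissions Management, role assignments grant ..."), and the fine-grained permission names mix plural and singular (Viewers, Controller, Approvers, Requestors).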
active-directory | Block Legacy Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/block-legacy-authentication.md | The following messaging protocols support legacy authentication: - Universal Outlook - Used by the Mail and Calendar app for Windows 10. - Other clients - Other protocols identified as utilizing legacy authentication. -For more information about these authentication protocols and services, see [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities). +For more information about these authentication protocols and services, see [Sign-in log activity details](../reports-monitoring/concept-sign-in-log-activity-details.md). ### Identify legacy authentication use Before you can block legacy authentication in your directory, you need to first #### Sign-in log indicators -1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Add the **Client App** column if it isn't shown by clicking on **Columns** > **Client App**. 1. Select **Add filters** > **Client App** > choose all of the legacy authentication protocols and select **Apply**. 1. If you've activated the [new sign-in activity reports preview](../reports-monitoring/concept-all-sign-ins.md), repeat the above steps also on the **User sign-ins (non-interactive)** tab. |
active-directory | Concept Condition Filters For Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-condition-filters-for-devices.md | There are multiple scenarios that organizations can now enable using filter for ## Create a Conditional Access policy -Filter for devices is an option when creating a Conditional Access policy in the Azure portal or using the Microsoft Graph API. +Filter for devices is an optional control when creating a Conditional Access policy. The following steps will help create two Conditional Access policies to support the first scenario under [Common scenarios](#common-scenarios). Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Concept Conditional Access Cloud Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md | description: What are cloud apps, actions, and authentication context in an Azur + Previously updated : 06/27/2023 Last updated : 08/31/2023 -Target resources (formerly Cloud apps, actions, and authentication context) are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, actions, or authentication context. +Target resources (formerly Cloud apps, actions, and authentication context) are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, services, actions, or authentication context. -- Administrators can choose from the list of applications that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../app-proxy/what-is-application-proxy.md).+- Administrators can choose from the list of applications or services that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../app-proxy/what-is-application-proxy.md). - Administrators may choose to define policy not based on a cloud application but on a [user action](#user-actions) like **Register security information** or **Register or join devices**, allowing Conditional Access to enforce controls around those actions. - Administrators can target [traffic forwarding profiles](#traffic-forwarding-profiles) from Global Secure Access for enhanced functionality. 
- Administrators can use [authentication context](#authentication-context) to provide an extra layer of security in applications. -![Define a Conditional Access policy and specify cloud apps](./media/concept-conditional-access-cloud-apps/conditional-access-cloud-apps-or-actions.png) ## Microsoft cloud applications Targeting this group of applications helps to avoid issues that may arise becaus Administrators can exclude the entire Office 365 suite or specific Office 365 cloud apps from the Conditional Access policy. -The following key applications are affected by the Office 365 cloud app: --- Exchange Online-- Microsoft 365 Search Service-- Microsoft Forms-- Microsoft Planner (ProjectWorkManagement)-- Microsoft Stream-- Microsoft Teams-- Microsoft To-Do-- Microsoft Flow-- Microsoft Office 365 Portal-- Microsoft Office client application-- Microsoft To-Do WebApp-- Microsoft Whiteboard Services-- Office Delve-- Office Online-- OneDrive-- Power Apps-- Power Automate-- Security & compliance portal-- SharePoint Online-- Skype for Business Online-- Skype and Teams Tenant Admin API-- Sway-- Yammer- A complete list of all services included can be found in the article [Apps included in Conditional Access Office 365 app suite](reference-office-365-application-contents.md). ### Microsoft Azure Management Because the policy is applied to the Azure management portal and API, services, - Azure Data Factory portal - Azure Event Hubs - Azure Service Bus -- [Azure SQL Database](/azure/azure-sql/database/conditional-access-configure)+- Azure SQL Database - SQL Managed Instance - Azure Synapse - Visual Studio subscriptions administrator portal -- [Microsoft IoT Central](https://apps.azureiotcentral.com/)+- Microsoft IoT Central > [!NOTE] > The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](../../azure-resource-manager/management/overview.md). 
It does not apply to [Azure AD PowerShell](/powershell/azure/active-directory/overview), which calls the [Microsoft Graph API](/graph/overview). For more information on how to set up a sample policy for Microsoft Azure Manage When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals: -- Microsoft 365 Admin Center-- Exchange admin center - Azure portal+- Exchange admin center +- Microsoft 365 admin center +- Microsoft 365 Defender portal - Microsoft Entra admin center-- Security and Microsoft Purview compliance portal+- Microsoft Intune admin center +- Microsoft Purview compliance portal -Other Microsoft admin portals will be added over time. +We're continually adding more administrative portals to the list. > [!IMPORTANT]-> Microsoft Admin Poratls (preview) is not currently supported in Government clouds. +> Microsoft Admin Portals (preview) is not currently supported in Government clouds. > [!NOTE] > The Microsoft Admin Portals app applies to interactive sign-ins to the listed admin portals only. Sign-ins to the underlying resources or services like Microsoft Graph or Azure Resource Manager APIs are not covered by this application. Those resources are protected by the [Microsoft Azure Management](#microsoft-azure-management) app. This enables customers to move along the MFA adoption journey for admins without impacting automation that relies on APIs and PowerShell. When you are ready, Microsoft recommends using a [policy requiring administrators perform MFA always](howto-conditional-access-policy-admin-mfa.md) for comprehensive protection. User actions are tasks that can be performed by a user. 
Currently, Conditional A ## Traffic forwarding profiles -Traffic forwarding profiles in Global Secure Access enable administrators to define and control how traffic is routed through Microsoft Entra Internet Access and Microsoft Entra Private Access. Traffic forwarding profiles can be assigned to devices and remote networks. For an example of how to configure these traffic profiles in Conditional Access policy, see the article [How to require a compliant network check](../../global-secure-access/how-to-compliant-network.md). +Traffic forwarding profiles in Global Secure Access enable administrators to define and control how traffic is routed through Microsoft Entra Internet Access and Microsoft Entra Private Access. Traffic forwarding profiles can be assigned to devices and remote networks. For an example of how to apply a Conditional Access policy to these traffic profiles, see the article [How to apply Conditional Access policies to the Microsoft 365 traffic profile](../../global-secure-access/how-to-target-resource-microsoft-365-profile.md). For more information about these profiles, see the article [Global Secure Access traffic forwarding profiles](../../global-secure-access/concept-traffic-forwarding.md). For example, an organization may keep files in SharePoint sites like the lunch m ### Configure authentication contexts -Authentication contexts are managed in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**. +Authentication contexts are managed under **Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**. -![Manage authentication context in the Azure portal](./media/concept-conditional-access-cloud-apps/conditional-access-authentication-context-get-started.png) -Create new authentication context definitions by selecting **New authentication context** in the Azure portal. Organizations are limited to a total of 25 authentication context definitions. 
Configure the following attributes: +Create new authentication context definitions by selecting **New authentication context**. Organizations are limited to a total of 25 authentication context definitions. Configure the following attributes: - **Display name** is the name that is used to identify the authentication context in Azure AD and across applications that consume authentication contexts. We recommend names that can be used across resources, like "trusted devices", to reduce the number of authentication contexts needed. Having a reduced set limits the number of redirects and provides a better end to end-user experience. - **Description** provides more information about the policies it's used by Azure AD administrators and those applying authentication contexts to resources. Create new authentication context definitions by selecting **New authentication Administrators can select published authentication contexts in their Conditional Access policies under **Assignments** > **Cloud apps or actions** and selecting **Authentication context** from the **Select what this policy applies to** menu. #### Delete an authentication context |
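Review bot: the "Configure authentication contexts" edit removes "in the Azure portal" but keeps the old path "**Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**", while the other Conditional Access articles in this batch (block-legacy-authentication.md, concept-condition-filters-for-devices.md, concept-conditional-access-policy-common.md) were moved to the [Microsoft Entra admin center](https://entra.microsoft.com) > **Protection** > **Conditional Access** path; update it the same way. The sentence that follows ("Administrators can select published authentication contexts ... under **Assignments** > **Cloud apps or actions**") still uses the pre-rename name for what the article's first paragraph now calls **Target resources**.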
active-directory | Concept Conditional Access Conditions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-conditions.md | This setting has an effect on access attempts made from the following mobile app | Outlook mobile app | Exchange Online | Android, iOS | | Power BI app | Power BI service | Windows 10, Windows 8.1, Windows 7, Android, and iOS | | Skype for Business | Exchange Online| Android, iOS |-| Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, and Android | +| Azure DevOps Services (formerly Visual Studio Team Services, or VSTS) app | Azure DevOps Services (formerly Visual Studio Team Services, or VSTS) | Windows 10, Windows 8.1, Windows 7, iOS, and Android | ### Exchange ActiveSync clients |
active-directory | Concept Conditional Access Policy Common | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-policy-common.md | Policies in this category provide new ways to protect against compromise. -Find these templates in the **[Microsoft Entra admin center](https://entra.microsoft.com)** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category. +Find these templates in the [Microsoft Entra admin center](https://entra.microsoft.com) > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category. :::image type="content" source="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png" alt-text="Screenshot that shows how to create a Conditional Access policy from a preconfigured template in the Microsoft Entra admin center." lightbox="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png"::: > [!IMPORTANT]-> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. Simply navigate to **Microsoft Entra admin center** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Policies**, select the policy to open the editor and modify the excluded users and groups to select accounts you want to exclude. +> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. 
You can find these policies in the [Microsoft Entra admin center](https://entra.microsoft.com) > **Protection** > **Conditional Access** > **Policies**. Select a policy to open the editor and modify the excluded users and groups to select accounts you want to exclude. By default, each policy is created in [report-only mode](concept-conditional-access-report-only.md), we recommended organizations test and monitor usage, to ensure intended result, before turning on each policy. |
active-directory | Concept Conditional Access Session | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-session.md | For more information, see the article [Configure authentication session manageme - **Disable** only work when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy. You can choose to disable all users or specific users and groups. ## Disable resilience defaults |
active-directory | Concept Conditional Access Users Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-users-groups.md | By default the policy provides an option to exclude the current user from the po ![Warning, don't lock yourself out!](./media/concept-conditional-access-users-groups/conditional-access-users-and-groups-lockout-warning.png) -If you do find yourself locked out, see [What to do if you're locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal) +If you do find yourself locked out, see [What to do if you're locked out?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out) ### External partner access |
active-directory | Concept Continuous Access Evaluation Strict Enforcement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-strict-enforcement.md | Repeat steps 2 and 3 with expanding groups of users until Strictly Enforce Locat Administrators can investigate the Sign-in logs to find cases with **IP address (seen by resource)**. -1. Sign in to the **Azure portal** as at least a Global Reader. -1. Browse to **Azure Active Directory** > **Sign-ins**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Find events to review by adding filters and columns to filter out unnecessary information. 1. Add the **IP address (seen by resource)** column and filter out any blank items to narrow the scope. The **IP address (seen by resource)** is blank when that IP seen by Azure AD matches the IP address seen by the resource. |
active-directory | Concept Continuous Access Evaluation Workload | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md | Last updated 07/22/2022 -+ When a clientΓÇÖs access to a resource is blocked due to CAE being triggered, th The following steps detail how an admin can verify sign in activity in the sign-in logs: -1. Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process. 1. Select an entry to see activity details. The **Continuous access evaluation** field indicates whether a CAE token was issued in a particular sign-in attempt. ## Next steps The following steps detail how an admin can verify sign in activity in the sign- - [Register an application with Azure AD and create a service principal](../develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) - [How to use Continuous Access Evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md) - [Sample application using continuous access evaluation](https://github.com/Azure-Samples/ms-identity-dotnetcore-daemon-graph-cae)+- [Securing workload identities with Azure AD Identity Protection](../identity-protection/concept-workload-identity-risk.md) - [What is continuous access evaluation?](../conditional-access/concept-continuous-access-evaluation.md) |
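Review bot: the sign-in step for **Sign-in logs** > **Service Principal Sign-ins** now requires "at least a Conditional Access Administrator", while the Strict Enforcement change directly above sets "at least a Global Reader" for the same **Identity** > **Monitoring & health** > **Sign-in logs** view. Reading sign-in logs is a read-only task, so the lower role is the accurate minimum; use it in both files so the "at least" wording stays consistent across this change set. The "Sign into" to "Sign in to" fix is good.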
active-directory | Concept Continuous Access Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md | The CAE setting has been moved to under the Conditional Access blade. New CAE cu #### Migration -Customers who have configured CAE settings under Security before have to migrate settings to a new Conditional Access policy. Use the steps that follow to migrate your CAE settings to a Conditional Access policy. ---1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Continuous access evaluation**. -1. You have the option to **Migrate** your policy. This action is the only one that you have access to at this point. -1. Browse to **Conditional Access** and you find a new policy named **Conditional Access policy created from CAE settings** with your settings configured. Administrators can choose to customize this policy or create their own to replace it. +Customers who have configured CAE settings under Security before have to migrate settings to a new Conditional Access policy. The following table describes the migration experience of each customer group based on previously configured CAE settings. Changes made to Conditional Access policies and group membership made by adminis When Conditional Access policy or group membership changes need to be applied to certain users immediately, you have two options. 
- Run the [revoke-mgusersign PowerShell command](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession) to revoke all refresh tokens of a specified user.-- Select "Revoke Session" on the user profile page in the Azure portal to revoke the user's session to ensure that the updated policies are applied immediately.+- Select "Revoke Session" on the user profile page to revoke the user's session to ensure that the updated policies are applied immediately. ### IP address variation and networks with IP address shared or unknown egress IPs |
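Review bot: the link text "revoke-mgusersign PowerShell command" is truncated relative to its own target (`/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession`); it should name the cmdlet as `Revoke-MgUserSignInSession`. In the second bullet the hunk drops "in the Azure portal" without saying where the user profile page now lives, even though the rest of this change set moves readers to the Microsoft Entra admin center; state that path so the step stays actionable. The migration hunk replaces the four numbered steps (the only concrete instructions, including the **Migrate** action under **Security** > **Continuous access evaluation**) with "The following table describes the migration experience"; confirm the table actually follows in the file, otherwise customers with legacy CAE settings are left without a procedure.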
active-directory | Concept Filter For Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-filter-for-applications.md | Application filters are a new feature for Conditional Access that allows organiz In this document, you create a custom attribute set, assign a custom security attribute to your application, and create a Conditional Access policy to secure the application. > [!IMPORTANT]-> Filter for applications is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Filter for applications is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Assign roles Custom security attributes are security sensitive and can only be managed by del 1. Assign the appropriate role to the users who will manage or report on these attributes at the directory scope. - For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). + For detailed steps, see [Assign Azure roles](../../role-based-access-control/role-assignments-portal.md). ## Create custom security attributes Follow the instructions in the article, [Add or deactivate custom security attri :::image type="content" source="media/concept-filter-for-applications/edit-filter-for-applications.png" alt-text="A screenshot showing a Conditional Access policy with the edit filter window showing an attribute of require MFA." lightbox="media/concept-filter-for-applications/edit-filter-for-applications.png"::: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. Set up a sample application that, demonstrates how a job or a Windows service ca When you don't have a service principal listed in your tenant, it can't be targeted. The Office 365 suite is an example of one such service principal. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Select the service principal you want to apply a custom security attribute to. 1. Under **Manage** > **Custom security attributes (preview)**, select **Add assignment**. 1. Under **Attribute set**, select **ConditionalAccessTest**. |
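Review bot: the Enterprise applications hunk says to sign in "as at least a Conditional Access Administrator" to add a custom security attribute assignment, but the "Assign roles" section of the same file states that these attributes "can only be managed by del[egated]" attribute roles assigned at the directory scope; a Conditional Access Administrator alone cannot complete **Add assignment**. Name the attribute-assignment role from the earlier section in that step (Attribute Assignment Administrator is the built-in one) so the two sections agree. Also drop the stray comma in "Set up a sample application that, demonstrates how a job or a Windows service ca…".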
active-directory | Concept Token Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-token-protection.md | Token protection (sometimes referred to as token binding in the industry) attemp Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means: A policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource. > [!IMPORTANT]-> Token protection is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -+> Token protection is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). With this preview, we're giving you the ability to create a Conditional Access policy to require token protection for sign-in tokens (refresh tokens) for specific services. We support token protection for sign-in tokens in Conditional Access for desktop applications accessing Exchange Online and SharePoint Online on Windows devices. > [!IMPORTANT] Users who perform specialized roles like those described in [Privileged access s The steps that follow help create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. 
Browse to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. Monitoring Conditional Access enforcement of token protection before and after e Use Azure AD sign-in log to verify the outcome of a token protection enforcement policy in report only mode or in enabled mode. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Sign-in logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Select a specific request to determine if the policy is applied or not. 1. Go to the **Conditional Access** or **Report-Only** pane depending on its state and select the name of your policy requiring token protection. 1. Under **Session Controls** check to see if the policy requirements were satisfied or not. |
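Review bot: the IMPORTANT hunk shows a removed line ("-") between the rewritten callout and "With this preview, we're giving you…"; if that was the blank line separating the `>` block from the paragraph, the paragraph becomes a lazy continuation of the callout in Markdown, so verify a blank line still follows the new `>` line. Two wording points in the visible context: "Use Azure AD sign-in log to verify" should read "sign-in logs", matching the **Sign-in logs** navigation target in the same hunk, and "only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used" needs a closing comma after "(PRTs)".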
active-directory | How To App Protection Policy Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md | The following policy is put in to [Report-only mode](howto-conditional-access-in The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [Preview: App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | How To Policy Mfa Admin Portals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-policy-mfa-admin-portals.md | Microsoft recommends securing access to any Microsoft admin portals like Microso ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | How To Policy Phish Resistant Admin Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-policy-phish-resistant-admin-mfa.md | Organizations can choose to include or exclude roles as they see fit. ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-apis.md | description: Using the Azure AD Conditional Access APIs and PowerShell to manage + Last updated 09/10/2020 |
active-directory | Howto Conditional Access Insights Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md | If you haven't integrated Azure AD logs with Azure Monitor logs, you need to tak To access the insights and reporting workbook: -1. Sign in to the **Azure portal**. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Insights and reporting**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Insights and reporting**. ### Get started: Select parameters You can also investigate the sign-ins of a specific user by searching for sign-i To configure a Conditional Access policy in report-only mode: -1. Sign into the **Azure portal** as a Conditional Access Administrator, security administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select an existing policy or create a new policy. 1. Under **Enable policy** set the toggle to **Report-only** mode. 1. Select **Save** To configure a Conditional Access policy in report-only mode: ### Why are queries failing due to a permissions error? -In order to access the workbook, you need the proper Azure AD permissions and Log Analytics workspace permissions. To test whether you have the proper workspace permissions by running a sample log analytics query: +In order to access the workbook, you need the proper permissions in Azure AD and Log Analytics. 
To test whether you have the proper workspace permissions by running a sample log analytics query: -1. Sign in to the **Azure portal**. -1. Browse to **Azure Active Directory** > **Log Analytics**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Log Analytics**. 1. Type `SigninLogs` into the query box and select **Run**. 1. If the query doesn't return any results, your workspace may not have been configured correctly. |
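Review bot: "To test whether you have the proper workspace permissions by running a sample log analytics query:" is still a fragment after the sentence split; suggest "To test whether you have the proper workspace permissions, run a sample Log Analytics query:" (and capitalise "Log Analytics" to match the **Identity** > **Monitoring & health** > **Log Analytics** path). The new sign-in step names only a directory role (Conditional Access Administrator), but the paragraph it belongs to says the workbook also needs Log Analytics workspace permissions; a reader holding the directory role who still hits the permissions error this FAQ entry is answering gets no pointer, so mention the workspace (Azure RBAC) access requirement in that step or right after the `SigninLogs` test.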
active-directory | Howto Conditional Access Policy Admin Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md | Organizations can choose to include or exclude roles as they see fit. The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multifactor authentication. Some organizations may be ready to move to stronger authentication methods for their administrators. These organizations may choose to implement a policy like the one described in the article [Require phishing-resistant multifactor authentication for administrators](how-to-policy-phish-resistant-admin-mfa.md). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy All Users Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md | Organizations that use [Subscription Activation](/windows/deployment/windows-10- The following steps help create a Conditional Access policy to require all users do multifactor authentication. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Authentication Strength External | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-authentication-strength-external.md | The authentication methods that external users can use to satisfy MFA requiremen Determine if one of the built-in authentication strengths will work for your scenario or if you'll need to create a custom authentication strength. -1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator. -1. Browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Authentication methods** > **Authentication strengths**. 1. Review the built-in authentication strengths to see if one of them meets your requirements. 1. If you want to enforce a different set of authentication methods, [create a custom authentication strength](https://aka.ms/b2b-auth-strengths). Determine if one of the built-in authentication strengths will work for your sce Use the following steps to create a Conditional Access policy that applies an authentication strength to external users. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. 
Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Azure Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md | The following steps will help create a Conditional Access policy to require user > [!CAUTION] > Make sure you understand how Conditional Access works before setting up a policy to manage access to Microsoft Azure Management. Make sure you don't create conditions that could block your own access to the portal. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Block Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-access.md | -> Misconfiguration of a block policy can lead to organizations being locked out of the Azure portal. +> Misconfiguration of a block policy can lead to organizations being locked out. Policies like these can have unintended side effects. Proper testing and validation are vital before enabling. Administrators should utilize tools such as [Conditional Access report-only mode](concept-conditional-access-report-only.md) and [the What If tool in Conditional Access](what-if-tool.md) when making changes. The following steps will help create Conditional Access policies to block access The first policy blocks access to all apps except for Microsoft 365 applications if not on a trusted location. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Block Legacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md | Organizations can choose to deploy this policy using the steps outlined below or The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put in to [Report-only mode](howto-conditional-access-insights-reporting.md) to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch to **On** or stage the deployment by adding specific groups and excluding others. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Compliant Device Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device-admin.md | Organizations can choose to include or exclude roles as they see fit. The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Compliant Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md | Requiring a hybrid Azure AD joined device is dependent on your devices already b The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Location | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-location.md | With the location condition in Conditional Access, you can control access to you ## Define locations -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Named locations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Named locations**. 1. Choose the type of location to create. 1. **Countries location** or **IP ranges location**. 1. Give your location a name. More information about the location condition in Conditional Access can be found ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md | Organizations can choose to deploy this policy using the steps outlined below or The following policy applies to the selected users, who attempt to register using the combined registration experience. The policy requires users to be in a trusted network location, do multifactor authentication or use Temporary Access Pass credentials. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration with TAP**. 1. Under **Assignments**, select **Users or workload identities**. Organizations may choose to require other grant controls with or in place of **R For [guest users](../external-identities/what-is-b2b.md) who need to register for multifactor authentication in your directory you may choose to block registration from outside of [trusted network locations](concept-conditional-access-conditions.md#locations) using the following guide. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Risk User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk-user.md | Organizations can choose to deploy this policy using the steps outlined below or ## Enable with Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk.md | Organizations can choose to deploy this policy using the steps outlined below or ## Enable with Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md | description: Customize Azure AD authentication session configuration including u + Last updated 07/18/2023 To make sure that your policy works as expected, the recommended best practice i ### Policy 1: Sign-in frequency control -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Choose all required conditions for customer’s environment, including the target cloud apps. To make sure that your policy works as expected, the recommended best practice i ### Policy 2: Persistent browser session -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Choose all required conditions. To make sure that your policy works as expected, the recommended best practice i 1. Select **Persistent browser session**. > [!NOTE]- > Persistent Browser Session configuration in Azure AD Conditional Access overrides the “Stay signed in?” setting in the company branding pane in the Azure portal for the same user if you have configured both policies. + > Persistent Browser Session configuration in Azure AD Conditional Access overrides the “Stay signed in?” setting in the company branding pane for the same user if you have configured both policies. 1. Select a value from dropdown. 1. Save your policy. ### Policy 3: Sign-in frequency control every time risky user -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Continuous Access Evaluation Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot.md | Administrators can monitor and troubleshoot sign in events where [continuous acc Administrators can monitor user sign-ins where continuous access evaluation (CAE) is applied. This information is found in the Azure AD sign-in logs: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Sign-in logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Apply the **Is CAE Token** filter. [ ![Screenshot showing how to add a filter to the Sign-ins log to see where CAE is being applied or not.](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png) ](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png#lightbox) The continuous access evaluation insights workbook allows administrators to view Log Analytics integration must be completed before workbooks are displayed. For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Workbooks**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Workbooks**. 1. Under **Public Templates**, search for **Continuous access evaluation insights**. The **Continuous access evaluation insights** workbook contains the following table: Admins can view records filtered by time range and application. Admins can compa To unblock users, administrators can add specific IP addresses to a trusted named location. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations. > [!NOTE] > Before adding an IP address as a trusted named location, confirm that the IP address does in fact belong to the intended organization. |
active-directory | Howto Policy App Enforced Restriction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-app-enforced-restriction.md | Block or limit access to SharePoint, OneDrive, and Exchange content from unmanag ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Approved App Or App Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-approved-app-or-app-protection.md | The following steps will help create a Conditional Access policy requiring an ap Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. After administrators confirm the settings using [report-only mode](howto-conditi This policy will block all Exchange ActiveSync clients using basic authentication from connecting to Exchange Online. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Guest Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-guest-mfa.md | Require guest users perform multifactor authentication when accessing your organ ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Persistent Browser Session | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-persistent-browser-session.md | Protect user access on unmanaged devices by preventing browser sessions from rem ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Unknown Unsupported Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-unknown-unsupported-device.md | Users will be blocked from accessing company resources when the device type is u ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Location Condition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/location-condition.md | The location found using the public IP address a client provides to Azure Active ## Named locations -Locations exist in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. +Locations exist under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. > [!VIDEO https://www.youtube.com/embed/P80SffTIThY] To define a named location by IPv4/IPv6 address ranges, you need to provide: - One or more IP ranges. - Optionally **Mark as trusted location**. -![New IP locations in the Azure portal](./media/location-condition/new-trusted-location.png) +![New IP locations](./media/location-condition/new-trusted-location.png) Named locations defined by IPv4/IPv6 address ranges are subject to the following limitations: To define a named location by country/region, you need to provide: - Add one or more countries/regions. - Optionally choose to **Include unknown countries/regions**. -![Country as a location in the Azure portal](./media/location-condition/new-named-location-country-region.png) +![Country as a location](./media/location-condition/new-named-location-country-region.png) If you select **Determine location by IP address**, the system collects the IP address of the device the user is signing into. When a user signs in, Azure AD resolves the user's IPv4 or [IPv6](/troubleshoot/azure/active-directory/azure-ad-ipv6-support) address (starting April 3, 2023) to a country or region, and the mapping updates periodically. Organizations can use named locations defined by countries/regions to block traffic from countries/regions where they don't do business. Some IP addresses don't map to a specific country or region. To capture these IP ## Define locations 1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator.-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. +1. Browse to **Protection** > **Conditional Access** > **Named locations**. 1. Choose **New location**. 1. Give your location a name. 1. Choose **IP ranges** if you know the specific externally accessible IPv4 address ranges that make up that location or **Countries/Regions**. |
active-directory | Migrate Approved Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/migrate-approved-client-app.md | The following steps make an existing Conditional Access policy require an approv Organizations can choose to update their policies using the following steps. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select a policy that uses the approved client app grant. 1. Under **Access controls** > **Grant**, select **Grant access**. 1. Select **Require approved client app** and **Require app protection policy** The following steps help create a Conditional Access policy requiring an approve Organizations can choose to deploy this policy using the following steps. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/overview.md | Title: What is Conditional Access in Azure Active Directory? -description: Learn how Conditional Access is at the heart of the new identity-driven control plane. +description: Conditional Access is the Zero Trust policy engine at the heart of the new identity-driven control plane. Previously updated : 06/20/2023 Last updated : 08/24/2023 -Microsoft is providing Conditional Access templates to organizations in report-only mode starting in January of 2023. We may add more policies as new threats emerge. - The modern security perimeter extends beyond an organization's network perimeter to include user and device identity. Organizations now use identity-driven signals as part of their access control decisions. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4MwZs] +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4MwZs] Azure AD Conditional Access brings signals together, to make decisions, and enforce organizational policies. Conditional Access is Microsoft's [Zero Trust policy engine](/security/zero-trust/deploy/identity) taking signals from various sources into account when enforcing policy decisions. :::image type="content" source="media/overview/conditional-access-signal-decision-enforcement.png" alt-text="Diagram showing concept of Conditional Access signals plus decision to enforce organizational policy."::: -Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multifactor authentication to access it. +Conditional Access policies at their simplest are if-then statements; **if** a user wants to access a resource, **then** they must complete an action. For example: If a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access. Administrators are faced with two primary goals: These signals include: - Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies. - Use filters for devices to target policies to specific devices like privileged access workstations. - Application- - Users attempting to access specific applications can trigger different Conditional Access policies. + - Users attempting to access specific applications can trigger different Conditional Access policies. - Real-time and calculated risk detection- - Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify and remediate risky users and sign-in behavior. + - Signals integration with [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify and remediate risky users and sign-in behavior. - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps) - Enables user application access and sessions to be monitored and controlled in real time. This integration increases visibility and control over access to and activities done within your cloud environment. Many organizations have [common access concerns that Conditional Access policies - Requiring multifactor authentication for users with administrative roles - Requiring multifactor authentication for Azure management tasks - Blocking sign-ins for users attempting to use legacy authentication protocols-- Requiring trusted locations for Azure AD Multifactor Authentication registration+- Requiring trusted locations for security information registration - Blocking or granting access from specific locations - Blocking risky sign-in behaviors - Requiring organization-managed devices for specific applications Administrators can create policies from scratch or start from a template policy ## Administrator experience -Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies in Azure AD. +Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies. -Conditional Access is found in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access**. +Conditional Access is found in the [Microsoft Entra admin center](https://entra.microsoft.com) under **Protection** > **Conditional Access**. - The **Overview** page provides a summary of policy state, users, devices, and applications as well as general and security alerts with suggestions. - The **Coverage** page provides a synopsis of applications with and without Conditional Access policy coverage over the last seven days. Conditional Access is found in the Azure portal under **Azure Active Directory** Customers with [Microsoft 365 Business Premium licenses](/office365/servicedescriptions/office-365-service-descriptions-technet-library) also have access to Conditional Access features. -Risk-based policies require access to [Identity Protection](../identity-protection/overview-identity-protection.md), which is an Azure AD P2 feature. +Risk-based policies require access to [Identity Protection](../identity-protection/overview-identity-protection.md), which requires P2 licenses. Other products and features that may interact with Conditional Access policies require appropriate licensing for those products and features. |
active-directory | Plan Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/plan-conditional-access.md | Taking into account our learnings in the use of Conditional Access and supportin **Ensure that every app has at least one Conditional Access policy applied**. From a security perspective it's better to create a policy that encompasses **All cloud apps**, and then exclude applications that you don't want the policy to apply to. This practice ensures you don't need to update Conditional Access policies every time you onboard a new application. > [!TIP]-> Be very careful in using block and all apps in a single policy. This could lock admins out of the Azure portal, and exclusions cannot be configured for important endpoints such as Microsoft Graph. +> Be very careful in using block and all apps in a single policy. This could lock admins out, and exclusions cannot be configured for important endpoints such as Microsoft Graph. ### Minimize the number of Conditional Access policies |
active-directory | Policy Migration Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/policy-migration-mfa.md | -This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies in the Azure portal](policy-migration.md) before you start migrating your classic policies. +This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies](policy-migration.md) before you start migrating your classic policies. ![Classic policy details requiring MFA for Salesforce app](./media/policy-migration/33.png) The migration process consists of the following steps: ## Open a classic policy -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Navigate to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Browse to **Protection** > **Conditional Access**. 1. Select, **Classic policies**. The migration process consists of the following steps: 1. In the list of classic policies, select the policy you wish to migrate. Document the configuration settings so that you can re-create with a new Conditional Access policy. -For examples of common policies and their configuration in the Azure portal, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md). +For examples of common policies and their configuration, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md). ## Disable the classic policy |
active-directory | Require Tou | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/require-tou.md | In this quickstart, you'll configure a Conditional Access policy in Azure Active To complete the scenario in this quickstart, you need: - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. You can sign up for a trial in the Azure portal.+- Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. - A test account to sign-in with - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users.md#add-a-new-user). ## Sign-in without terms of use - The goal of this step is to get an impression of the sign-in experience without a Conditional Access policy. -1. Sign in to the [Azure portal](https://portal.azure.com) as your test user. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as your test user. 1. Sign out. ## Create your terms of use This section provides you with the steps to create a sample ToU. When you create 1. In Microsoft Word, create a new document. 1. Type **My terms of use**, and then save the document on your computer as **mytou.pdf**.-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or a Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. - :::image type="content" source="media/require-tou/terms-of-use-azure-ad-conditional-access.png" alt-text="Screenshot of terms of use shown in the Azure portal highlighting the new terms button." lightbox="media/require-tou/terms-of-use-azure-ad-conditional-access.png"::: + :::image type="content" source="media/require-tou/terms-of-use-azure-ad-conditional-access.png" alt-text="Screenshot of terms of use highlighting the new terms button." lightbox="media/require-tou/terms-of-use-azure-ad-conditional-access.png"::: 1. In the menu on the top, select **New terms**. - :::image type="content" source="media/require-tou/new-terms-of-use-creation.png" alt-text="Screenshot that shows creating a new terms of use policy in the Azure portal." lightbox="media/require-tou/new-terms-of-use-creation.png"::: + :::image type="content" source="media/require-tou/new-terms-of-use-creation.png" alt-text="Screenshot that shows creating a new terms of use policy." lightbox="media/require-tou/new-terms-of-use-creation.png"::: 1. In the **Name** textbox, type **My TOU**. 1. Upload your terms of use PDF file. |
active-directory | Resilience Defaults | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/resilience-defaults.md | You can configure Conditional Access resilience defaults from the Azure portal, ### Azure portal -1. Navigate to the **Azure portal** > **Security** > **Conditional Access** +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Create a new policy or select an existing policy 1. Open the Session control settings 1. Select Disable resilience defaults to disable the setting for this policy. Sign-ins in scope of the policy will be blocked during an Azure AD outage |
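Review bot: the `### Azure portal` heading and the lead sentence "You can configure Conditional Access resilience defaults from the Azure portal" still name the Azure portal, while the rewritten steps 1 and 2 now send the reader to the Microsoft Entra admin center; rename the heading and the lead sentence in the same change so the section points at one place.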
active-directory | Terms Of Use | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/terms-of-use.md | Azure AD terms of use policies use the PDF format to present content. The PDF fi Once you've completed your terms of use policy document, use the following procedure to add it. -1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select, **New terms**. ![New term of use pane to specify your terms of use settings](./media/terms-of-use/new-tou.png) -1. In the **Name** box, enter a name for the terms of use policy used in the Azure portal. +1. In the **Name** box, enter a name for the terms of use policy. 1. For **Terms of use document**, browse to your finalized terms of use policy PDF and select it. 1. Select the language for your terms of use policy document. The language option allows you to upload multiple terms of use policies, each with a different language. The version of the terms of use policy that an end user sees is based on their browser preferences. 1. In the **Display name** box, enter a title that users see when they sign in. Once you've completed your terms of use policy document, use the following proce The Terms of use blade shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the terms of use policy. -1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. ![Terms of use blade listing the number of user show have accepted and declined](./media/terms-of-use/view-tou.png) If you want to view more activity, Azure AD terms of use policies include audit To get started with Azure AD audit logs, use the following procedure: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select a terms of use policy. 1. Select **View audit logs**. 1. On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information. Users can review and see the terms of use policies that they've accepted by usin You can edit some details of terms of use policies, but you can't modify an existing document. The following procedure describes how to edit the details. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. 
Select the terms of use policy you want to edit. 1. Select **Edit terms**. 1. In the Edit terms of use pane, you can change the following options: You can edit some details of terms of use policies, but you can't modify an exis ## Update the version or pdf of an existing terms of use -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to edit. 1. Select **Edit terms**. 1. For the language that you would like to update a new version, select **Update** under the action column You can edit some details of terms of use policies, but you can't modify an exis ## View previous versions of a ToU -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy for which you want to view a version history. 1. Select **Languages and version history** 1. Select **See previous versions.** You can edit some details of terms of use policies, but you can't modify an exis ## See who has accepted each version -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. 
Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. To see who has currently accepted the ToU, select the number under the **Accepted** column for the ToU you want. 1. By default, the next page will show you the current state of each user's acceptance to the ToU 1. If you would like to see the previous consent events, you can select **All** from the **Current State** drop-down. Now you can see each user's events in details about each version and what happened. You can edit some details of terms of use policies, but you can't modify an exis The following procedure describes how to add a ToU language. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to edit. 1. Select **Edit Terms** 1. Select **Add language** at the bottom of the page. If a user is using browser that isn't supported, they're asked to use a differen You can delete old terms of use policies using the following procedure. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to remove. 1. Select **Delete terms**. 1. In the message that appears asking if you want to continue, select **Yes**. |
active-directory | Troubleshoot Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access.md | Organizations should avoid the following configurations: **For all users, all cloud apps:** - **Block access** - This configuration blocks your entire organization.-- **Require device to be marked as compliant** - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.+- **Require device to be marked as compliant** - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back in to change the policy. - **Require Hybrid Azure AD domain joined device** - This policy block access has also the potential to block access for all users in your organization if they don't have a hybrid Azure AD joined device. - **Require app protection policy** - This policy block access has also the potential to block access for all users in your organization if you don't have an Intune policy. If you're an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure. More information can be found about the problem by clicking **More Details** in To find out which Conditional Access policy or policies applied and why do the following. -1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Global Reader. -1. Browse to **Azure Active Directory** > **Sign-ins**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Find the event for the sign-in to review. Add or remove filters and columns to filter out unnecessary information. 1. Add filters to narrow the scope: 1. **Correlation ID** when you have a specific event to investigate. To determine the service dependency, check the sign-ins log for the application :::image type="content" source="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png" alt-text="Screenshot that shows an example sign-in log showing an Application calling a Resource. This scenario is also known as a service dependency." lightbox="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png"::: -## What to do if you're locked out of the Azure portal? +## What to do if you're locked out? -If you're locked out of the Azure portal due to an incorrect setting in a Conditional Access policy: +If you're locked out of the due to an incorrect setting in a Conditional Access policy: -- Check is there are other administrators in your organization that aren't blocked yet. An administrator with access to the Azure portal can disable the policy that is impacting your sign-in. +- Check is there are other administrators in your organization that aren't blocked yet. An administrator with access can disable the policy that is impacting your sign-in. - If none of the administrators in your organization can update the policy, submit a support request. Microsoft support can review and upon confirmation update the Conditional Access policies that are preventing access. 
## Next steps - [Use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md)-- [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md)+- [Sign-in activity reports](../reports-monitoring/concept-sign-ins.md) - [Troubleshooting Conditional Access using the What If tool](troubleshoot-conditional-access-what-if.md) |
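Review bot: the rewritten lock-out sentence is missing its object: "If you're locked out of the due to an incorrect setting" should read "If you're locked out due to an incorrect setting" (removing "the Azure portal" left a dangling "the"). Two further points in the same hunk: "Check is there are other administrators" should be "Check if there are other administrators" (the typo is in both the old and the new line), and the sign-in step replaces "Global Administrator, Security Administrator, or Global Reader" with "at least a Conditional Access Administrator" although the procedure's purpose is reading the sign-in logs rather than editing policy; confirm that role can read sign-in logs, or keep a reader role such as the previously listed Global Reader in the least-privilege wording.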
active-directory | Troubleshoot Policy Changes Audit Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-policy-changes-audit-log.md | Find these options in the **Azure portal** > **Azure Active Directory**, **Diagn ## Use the audit log -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Audit logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Audit logs**. 1. Select the **Date** range you want to query. 1. From the **Service** filter, select **Conditional Access** and select the **Apply** button. |
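Review bot: the context line "Find these options in the **Azure portal** > **Azure Active Directory**, ..." still gives the Azure portal path, while steps 1 and 2 below it now use the Microsoft Entra admin center and **Identity** > **Monitoring & health** > **Audit logs**; update that sentence in the same change so the article does not describe two different paths.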
active-directory | What If Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/what-if-tool.md | When the evaluation has finished, the tool generates a report of the affected po ## Running the tool -You can find the **What If** tool in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**. +You can find the **What If** tool under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**. Before you can run the What If tool, you must provide the conditions you want to evaluate. Before you can run the What If tool, you must provide the conditions you want to The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions, see the article [Building a Conditional Access policy](concept-conditional-access-policies.md). ## Evaluation |
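Review bot: the new line drops "in the Azure portal" but keeps the old navigation **Azure Active Directory** > **Security** > **Conditional Access** > **What If**, whereas the other Conditional Access articles in this batch were moved to **Protection** > **Conditional Access**; update the path here as well, or add the admin-center sign-in step the sibling articles use.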
active-directory | Workload Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/workload-identity.md | -Conditional Access policies have historically applied only to users when they access apps and services like SharePoint online or the Azure portal. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. +Conditional Access policies have historically applied only to users when they access apps and services like SharePoint Online. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. A [workload identity](../workload-identities/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they: Conditional Access for workload identities enables blocking service principals f Create a location based Conditional Access policy that applies to service principals. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. 
Under **Assignments**, select **Users or workload identities**. Create a risk-based Conditional Access policy that applies to service principals :::image type="content" source="media/workload-identity/conditional-access-workload-identity-risk-policy.png" alt-text="Creating a Conditional Access policy with a workload identity and risk as a condition." lightbox="media/workload-identity/conditional-access-workload-identity-risk-policy.png"::: -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. Create a risk-based Conditional Access policy that applies to service principals 1. Set the **Configure** toggle to **Yes**. 1. Select the levels of risk where you want this policy to trigger. 1. Select **Done**.-1. Under **Grant**, **Block access** is the only available option. Access is blocked when a token request is made from outside the allowed range. +1. Under **Grant**, **Block access** is the only available option. Access is blocked when the specified risk levels are seen. 1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**. 1. Select **Create** to complete your policy. 
If you wish to roll back this feature, you can delete or disable any created pol The sign-in logs are used to review how policy is enforced for service principals or the expected affects of policy when using report-only mode. -1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service principal sign-ins**. +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs** > **Service principal sign-ins**. 1. Select a log entry and choose the **Conditional Access** tab to view evaluation information. Failure reason when Service Principal is blocked by Conditional Access: ΓÇ£Access has been blocked due to Conditional Access policies.ΓÇ¥ To view results of a risk-based policy, refer to the **Report-only** tab of even You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID in Azure AD App registrations canΓÇÖt be used. This identifier is the Object ID of the app registration, not of the service principal. -1. Browse to the **Azure portal** > **Azure Active Directory** > **Enterprise Applications**, find the application you registered. +1. Browse to **Identity** > **Applications** > **Enterprise Applications**, find the application you registered. 1. From the **Overview** tab, copy the **Object ID** of the application. This identifier is the unique to the service principal, used by Conditional Access policy to find the calling app. ### Microsoft Graph |
active-directory | Api Find An Api How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/api-find-an-api-how-to.md | - Title: Find an API for a custom-developed app -description: How to configure the permissions you need to access a particular API in your custom developed Azure AD application -------- Previously updated : 09/27/2021-----# How to find a specific API needed for a custom-developed application --Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. --## Configuring a resource application to expose web APIs --When you expose your web API, the API be displayed in the **Select an API** list when adding permissions to an app registration. To add access scopes, follow the steps outlined in [Configure an application to expose web APIs](quickstart-configure-app-expose-web-apis.md). --## Configuring a client application to access web APIs --When you add permissions to your app registration, you can **add API access** to exposed web APIs. To access web APIs, follow the steps outlined in [Configure a client application to access web APIs](quickstart-configure-app-access-web-apis.md). --## Next steps --- [Understanding the Azure Active Directory application manifest](./reference-app-manifest.md) |
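Review bot: this hunk deletes api-find-an-api-how-to.md wholesale, including its links to quickstart-configure-app-expose-web-apis.md and quickstart-configure-app-access-web-apis.md; confirm a redirect is added for the removed path so inbound links from other articles keep resolving, and that the guidance on configuring access scopes and roles for exposed web APIs remains reachable from those quickstarts.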
active-directory | App Objects And Service Principals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/app-objects-and-service-principals.md | |
active-directory | Application Consent Experience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/application-consent-experience.md | The following diagram and table provide information about the building blocks of | 5 | Publisher name and verification | The blue "verified" badge means that the app publisher has verified their identity using a Microsoft Partner Network account and has completed the verification process. If the app is publisher verified, the publisher name is displayed. If the app isn't publisher verified, "Unverified" is displayed instead of a publisher name. For more information, read about [Publisher Verification](publisher-verification-overview.md). Selecting the publisher name displays more app info as available, such as the publisher name, publisher domain, date created, certification details, and reply URLs. | | 6 | Microsoft 365 Certification | The Microsoft 365 Certification logo means that an app has been vetted against controls derived from leading industry standard frameworks, and that strong security and compliance practices are in place to protect customer data. For more information, read about [Microsoft 365 Certification](/microsoft-365-app-certification/docs/enterprise-app-certification-guide).| | 7 | Publisher information | Displays whether the application is published by Microsoft. |-| 8 | Permissions | This list contains the permissions being requested by the client application. Users should always evaluate the types of permissions being requested to understand what data the client application will be authorized to access on their behalf if they accept. As an application developer it's best to request access, to the permissions with the least privilege. | +| 8 | Permissions | This list contains the permissions being requested by the client application. 
Users should always evaluate the types of permissions being requested to understand what data the client application will be authorized to access on their behalf if they accept. As an application developer, it's best to request access to the permissions with the least privilege. | | 9 | Permission description | This value is provided by the service exposing the permissions. To see the permission descriptions, you must toggle the chevron next to the permission. | | 10 | https://myapps.microsoft.com | This is the link where users can review and remove any non-Microsoft applications that currently have access to their data. | | 11 | Report it here | This link is used to report a suspicious app if you don't trust the app, if you believe the app is impersonating another app, if you believe the app will misuse your data, or for some other reason. | |
active-directory | Authentication Flows App Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-flows-app-scenarios.md | Title: Microsoft identity platform authentication flows & app scenarios + Title: Microsoft identity platform app types and authentication flows description: Learn about application scenarios for the Microsoft identity platform, including authenticating identities, acquiring tokens, and calling protected APIs. Previously updated : 05/05/2022 Last updated : 08/11/2023 -#Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform. +# Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform. -# Authentication flows and application scenarios +# Microsoft identity platform app types and authentication flows The Microsoft identity platform supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols [OAuth 2.0 and OpenID Connect](./v2-protocols.md). By using the [authentication libraries for the Microsoft identity platform](reference-v2-libraries.md), applications authenticate identities and acquire tokens to access protected APIs. This article describes authentication flows and the application scenarios that t ## Application categories -Tokens can be acquired from several types of applications, including: +[Security tokens](./security-tokens.md) can be acquired from several types of applications, including: - Web apps - Mobile apps The following sections describe the categories of applications. 
Authentication scenarios involve two activities: -- **Acquiring security tokens for a protected web API**: We recommend that you use the [Microsoft Authentication Library (MSAL)](reference-v2-libraries.md), developed and supported by Microsoft.+- **Acquiring security tokens for a protected web API**: We recommend that you use the [Microsoft Authentication Library (MSAL)](msal-overview.md), developed and supported by Microsoft. - **Protecting a web API or a web app**: One challenge of protecting these resources is validating the security token. On some platforms, Microsoft offers [middleware libraries](reference-v2-libraries.md). ### With users or without users The available authentication flows differ depending on the sign-in audience. Som For more information, see [Supported account types](v2-supported-account-types.md#account-type-support-in-authentication-flows). -## Application scenarios +## Application types The Microsoft identity platform supports authentication for these app architectures: For a desktop app to call a web API that signs in users, use the interactive tok There's another possibility for Windows-hosted applications on computers joined either to a Windows domain or by Azure Active Directory (Azure AD). These applications can silently acquire a token by using [integrated Windows authentication](https://aka.ms/msal-net-iwa). -Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires that you use the [device code flow](https://aka.ms/msal-net-device-code-flow). +Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires that you use the [device code flow](v2-oauth2-device-code.md). 
![Device code flow](media/scenarios/device-code-flow-app.svg) Similar to a desktop app, a mobile app calls the interactive token-acquisition m MSAL iOS and MSAL Android use the system web browser by default. However, you can direct them to use the embedded web view instead. There are specificities that depend on the mobile platform: Universal Windows Platform (UWP), iOS, or Android. -Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see [Leveraging brokers on Android and iOS](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS). +Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see [Leveraging brokers on Android and iOS](msal-net-use-brokers-with-xamarin-apps.md). For more information, see [Mobile app that calls web APIs](scenario-mobile-overview.md). |
active-directory | Authentication National Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-national-cloud.md | Including the global Azure cloud, Azure Active Directory (Azure AD) is deplo - Microsoft Azure operated by 21Vianet - Azure Germany ([Closed on October 29, 2021](https://www.microsoft.com/cloud-platform/germany-cloud-regions)). Learn more about [Azure Germany migration](#azure-germany-microsoft-cloud-deutschland). -The individual national clouds and the global Azure cloud are cloud _instances_. Each cloud instance is separate from the others and has its own environment and _endpoints_. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment, like the Azure portal. +The individual national clouds and the global Azure cloud are cloud _instances_. Each cloud instance is separate from the others and has its own environment and _endpoints_. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment. As you develop your apps, use the endpoints for the cloud instance where you'll deploy the application. The following table lists the base URLs for the Azure AD endpoints used to regis ## Application endpoints -You can find the authentication endpoints for your application in the Azure portal. +You can find the authentication endpoints for your application. -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. Select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **App registrations**. +1. Select **Endpoints** in the top menu. - The **Endpoints** page is displayed showing the authentication endpoints for the application registered in your Azure AD tenant. + The **Endpoints** page is displayed showing the authentication endpoints for the application. Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application. |
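Review bot: Two problems in the rewritten procedure. First, "as at least an [Cloud Application Administrator]" should read "a Cloud Application Administrator". Second, and more important on a page whose point is that each cloud instance "has its own environment and _endpoints_", the new step sends every reader to `https://entra.microsoft.com`; the deleted phrase "like the Azure portal" at least flagged that the app-management URL is one of the cloud-specific endpoints. Say explicitly that the admin center URL also differs per national cloud and tie the step to the base-URL table the article already carries ("The following table lists the base URLs ..."). Also, "You can find the authentication endpoints for your application." lost its "where" when "in the Azure portal" was removed; add "in the Microsoft Entra admin center for your cloud instance".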
active-directory | Authentication Protocols | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-protocols.md | - Title: Microsoft identity platform authentication protocols -description: An overview of the authentication protocols supported by the Microsoft identity platform -------- Previously updated : 09/27/2021-------# Microsoft identity platform authentication protocols --The Microsoft identity platform supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Microsoft identity platform. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section. --## Authentication protocols articles and reference --* [Important Information About Signing Key Rollover in Microsoft identity platform](./signing-key-rollover.md) ΓÇô Learn about Microsoft identity platformΓÇÖs signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios. -* [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that the Microsoft identity platform issues. -* [OAuth 2.0 in Microsoft identity platform](v2-oauth2-auth-code-flow.md) - Learn about the implementation of OAuth 2.0 in Microsoft identity platform. -* [OpenID Connect 1.0](v2-protocols-oidc.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication. -* [Service to Service Calls with Client Credentials](v2-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls. -* [Service to Service Calls with On-Behalf-Of Flow](v2-oauth2-on-behalf-of-flow.md) - Learn how to use OAuth 2.0 On-Behalf-Of flow for service to service calls. 
-* [SAML Protocol Reference](./saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Microsoft identity platform. --## See also --* [Microsoft identity platform overview](v2-overview.md) -* [Active Directory Code Samples](sample-v2-code.md) |
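Review bot: Deleting `authentication-protocols.md` outright removes the index that linked the signing-key rollover guidance (`signing-key-rollover.md`) next to the OAuth 2.0, OpenID Connect, client-credentials, on-behalf-of and SAML references, and no redirect for the old URL is visible in this change. Add the redirect so inbound links don't 404, and confirm `signing-key-rollover.md` is still reachable from the remaining protocol pages, since the deleted line describes it as the guidance on updating the key automatically, which is the security-relevant part of this list.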
active-directory | Configure App Multi Instancing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/configure-app-multi-instancing.md | The IDP initiated SSO feature exposes the following settings for each applicatio ### Configure IDP initiated SSO +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Open any SSO enabled enterprise app and navigate to the SAML single sign-on blade. 1. Select **Edit** on the **User Attributes & Claims** panel. 1. Select **Edit** to open the advanced options blade. |
active-directory | Consent Framework Links | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/consent-framework-links.md | - Title: How application consent works -description: Learn more about how the Azure AD consent framework works to see how you can use it when developing applications on Azure AD --------- Previously updated : 09/27/2021-----# How application consent works --This article is to help you learn more about how the Azure AD consent framework works so you can develop applications more effectively. --## Recommended documents --- Get a general understanding of [how consent allows a resource owner to govern an application's access to resources](./developer-glossary.md#consent).-- Get a step-by-step overview of [how the Azure AD consent framework implements consent](./quickstart-register-app.md).-- For more depth, learn [how a multi-tenant application can use the consent framework](./howto-convert-app-to-be-multi-tenant.md) to implement "user" and "admin" consent, supporting more advanced multi-tier application patterns.-- For more depth, learn [how consent is supported at the OAuth 2.0 protocol layer during the authorization code grant flow.](v2-oauth2-auth-code-flow.md#request-an-authorization-code)--## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
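Review bot: This removes `consent-framework-links.md` with no redirect in the change, so existing links to it will 404. Redirect the old URL to a page that still distinguishes user consent from admin consent; `howto-convert-app-to-be-multi-tenant.md`, which the deleted list itself cited for "user" and "admin" consent, or the `#consent` glossary entry it opened with, are the obvious targets.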
active-directory | Custom Extension Configure Saml App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-extension-configure-saml-app.md | Title: Source claims from an external store (SAML app) description: Use a custom claims provider to augment tokens with claims from an external identity system. Configure a SAML app to receive tokens with external claims. -+ The following steps are for registering a demo [XRayClaims](https://adfshelp.mic Add a new, non-gallery SAML application in your tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). -1. Go to **Azure Active Directory** and then **Enterprise applications**. Select **New application** and then **Create your own application**. +1. Browse to **Identity** > **Applications** > **Enterprise applications**. ++1. Select **New application** and then **Create your own application**. 1. Add a name for the app. For example, **AzureADClaimsXRay**. Select the **Integrate any other application you don't find in the gallery (Non-gallery)** option and select **Create**. |
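Review bot: In the added step 1, "as at least an [Cloud Application Administrator]" should be "a Cloud Application Administrator"; the same sentence added to `configure-app-multi-instancing.md` in this batch already uses "a". The split of the old step 2 into "Browse to **Identity** > **Applications** > **Enterprise applications**" and "Select **New application**..." is fine.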
active-directory | Custom Extension Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-extension-get-started.md | Title: Get started with custom claims providers (preview) description: Learn how to develop and register an Azure Active Directory custom authentication extensions REST API. The custom authentication extension allows you to source claims from a data store that is external to Azure Active Directory. -+ Previously updated : 05/23/2023 Last updated : 08/16/2023 -This article describes how to configure and setup a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token. +This article describes how to configure and set up a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token. This how-to guide demonstrates the token issuance start event with a REST API running in Azure Functions and a sample OpenID Connect application. Before you start, take a look at following video, which demonstrates how to configure Azure AD custom claims provider with Function App: The following screenshot demonstrates how to configure the Azure HTTP trigger fu In this step, you configure a custom authentication extension, which will be used by Azure AD to call your Azure function. The custom authentication extension contains information about your REST API endpoint, the claims that it parses from your REST API, and how to authenticate to your REST API. Follow these steps to register a custom authentication extension: -# [Azure portal](#tab/azure-portal) +# [Microsoft Entra admin center](#tab/entra-admin-center) -1. 
Sign in to the [Azure portal](https://portal.azure.com). -1. Under **Azure services**, select **Azure Active Directory**. -1. Ensure your user account has the Global Administrator or Application Administrator and Authentication Extensibility Administrator role. Otherwise, learn how to [assign a role](../roles/manage-roles-portal.md). -1. From the menu, select **Enterprise applications**. -1. Under **Manage**, select the **Custom authentication extensions**. -1. Select **Create a custom authentication extension**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-developer) and [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. +1. Select **Custom authentication extensions**, and then select **Create a custom authentication extension**. 1. In **Basics**, select the **tokenIssuanceStart** event and select **Next**. 1. In **Endpoint Configuration**, fill in the following properties: In this step, you configure a custom authentication extension, which will be use # [Microsoft Graph](#tab/microsoft-graph) -Create an Application Registration to authenticate your custom authentication extension to your Azure Function. +Register an application to authenticate your custom authentication extension to your Azure Function. -1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/applications` -1. Select **Request Body** and paste the following JSON: +1. Sign in to [Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. 
The account must have the privileges to create and manage an application registration in the tenant. +2. Run the following request. - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/applications + Content-type: application/json + {- "displayName": "authenticationeventsAPI" + "displayName": "authenticationeventsAPI" } ``` -1. Select **Run Query** to submit the request. --1. Copy the **Application ID** value (*appId*) from the response. You need this value later, which is referred to as the `{authenticationeventsAPI_AppId}`. Also get the object ID of the app (*ID*), which is referred to as `{authenticationeventsAPI_ObjectId}` from the response. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/csharp/v1/tutorial-application-basics-create-app-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/go/v1/tutorial-application-basics-create-app-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/javascript/v1/tutorial-application-basics-create-app-javascript-snippets.md)] + + # [PHP](#tab/php) + Snippet not available. + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/powershell/v1/tutorial-application-basics-create-app-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/python/v1/tutorial-application-basics-create-app-python-snippets.md)] + + -Create a service principal in the tenant for the authenticationeventsAPI app registration: +3. From the response, record the value of **id** and **appId** of the newly created app registration. These values will be referenced in this article as `{authenticationeventsAPI_ObjectId}` and `{authenticationeventsAPI_AppId}` respectively. -1. 
Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals` -1. Select **Request Body** and paste the following JSON: +Create a service principal in the tenant for the authenticationeventsAPI app registration. - ```json - { - "appId": "{authenticationeventsAPI_AppId}" - } - ``` +Still in Graph Explorer, run the following request. Replace `{authenticationeventsAPI_AppId}` with the value of **appId** that you recorded from the previous step. -1. Select **Run Query** to submit the request. +```http +POST https://graph.microsoft.com/v1.0/servicePrincipals +Content-type: application/json + +{ + "appId": "{authenticationeventsAPI_AppId}" +} +``` ### Set the App ID URI, access token version, and required resource access Update the newly created application to set the application ID URI value, the access token version, and the required resource access. -1. Set the HTTP method to **PATCH**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}` -1. Select **Request Body** and paste the following JSON: +In Graph Explorer, run the following request. + - Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier. + - Set the `{authenticationeventsAPI_AppId}` value with the **appId** that you recorded earlier. + - An example value is `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as you'll use it later in this article in place of `{functionApp_IdentifierUri}`. - Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier. - - Set the `{authenticationeventsAPI_AppId}` value with the App ID generated from the app registration created in the previous step. 
- - An example value would be `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as it is used in following steps and is referenced as `{functionApp_IdentifierUri}`. - - ```json +```http +POST https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId} +Content-type: application/json ++{ +"identifierUris": [ + "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}" +], +"api": { + "requestedAccessTokenVersion": 2, + "acceptMappedClaims": null, + "knownClientApplications": [], + "oauth2PermissionScopes": [], + "preAuthorizedApplications": [] +}, +"requiredResourceAccess": [ {- "identifierUris": [ - "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}" - ], - "api": { - "requestedAccessTokenVersion": 2, - "acceptMappedClaims": null, - "knownClientApplications": [], - "oauth2PermissionScopes": [], - "preAuthorizedApplications": [] - }, - "requiredResourceAccess": [ + "resourceAppId": "00000003-0000-0000-c000-000000000000", + "resourceAccess": [ {- "resourceAppId": "00000003-0000-0000-c000-000000000000", - "resourceAccess": [ - { - "id": "214e810f-fda8-4fd7-a475-29461495eb00", - "type": "Role" - } - ] + "id": "214e810f-fda8-4fd7-a475-29461495eb00", + "type": "Role" } ] }- ``` --1. Select **Run Query** to submit the request. +] +} +``` ### Register a custom authentication extension -Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the App Registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`. +Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the app registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/beta/identity/customAuthenticationExtensions` -1. 
Select **Request Body** and paste the following JSON: +1. In Graph Explorer, run the following request. Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step. + - You'll need the *CustomAuthenticationExtension.ReadWrite.All* delegated permission. - Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step. + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/beta/identity/customAuthenticationExtensions + Content-type: application/json - ```json { "@odata.type": "#microsoft.graph.onTokenIssuanceStartCustomExtension", "displayName": "onTokenIssuanceStartCustomExtension", Next, you register the custom authentication extension. You register the custom ] } ```+ # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] -1. Select **Run Query** to submit the request. + -Record the ID value of the created custom claims provider object. The ID is needed in a later step and is referred to as the `{customExtensionObjectId}`. +1. Record the **id** value of the created custom claims provider object. You'll use the value later in this tutorial in place of `{customExtensionObjectId}`. 
### 2.2 Grant admin consent -After your custom authentication extension is created, you'll be taken to the **Overview** tab of the new custom authentication extension. +After your custom authentication extension is created, open the **Overview** tab of the new custom authentication extension. From the **Overview** page, select the **Grant permission** button to give admin consent to the registered app, which allows the custom authentication extension to authenticate to your API. The custom authentication extension uses `client_credentials` to authenticate to the Azure Function App using the `Receive custom authentication extension HTTP requests` permission. Follow these steps to register the **jwt.ms** web application: ### 3.1 Register a test web application -1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Active Directory**. -1. Select **App registrations**, and then select **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application. For example, **My Test application**. 1. Under **Supported account types**, select **Accounts in this organizational directory only**. 1. In the **Select a platform** dropdown in **Redirect URI**, select **Web** and then enter `https://jwt.ms` in the URL text box. The following screenshot shows how to register the *My Test application*. ### 3.1 Get the application ID -In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps. +In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps. 
In Microsoft Graph, it's referenced by the **appId** propety. :::image type="content" border="false"source="media/custom-extension-get-started/get-the-test-application-id.png" alt-text="Screenshot that shows how to copy the application ID."::: For tokens to be issued with claims incoming from the custom authentication exte Follow these steps to connect the *My Test application* with your custom authentication extension: -# [Azure portal](#tab/azure-portal) +# [Microsoft Entra admin center](#tab/entra-admin-center) First assign the custom authentication extension as a custom claims provider source: -1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Active Directory**. -1. Select **App registrations**, and find the *My Test application* registration you created. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations**. 1. In the **Overview** page, under **Managed application in local directory**, select **My Test application**. 1. Under **Manage**, select **Single sign-on**. 1. Under **Attributes & Claims**, select **Edit**. Next, assign the attributes from the custom claims provider, which should be iss # [Microsoft Graph](#tab/microsoft-graph) -First create an event listener to trigger a custom authentication extension using the token issuance start event: --1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/beta/identity/authenticationEventListeners` -1. 
Select **Request Body** and paste the following JSON: +First create an event listener to trigger a custom authentication extension for the *My Test application* using the token issuance start event. - Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier. +1. Sign in to [Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. +1. Run the following request. Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier. + - You'll need the *EventListener.ReadWrite.All* delegated permission. - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/beta/identity/authenticationEventListeners + Content-type: application/json + { "@odata.type": "#microsoft.graph.onTokenIssuanceStartListener", "conditions": { First create an event listener to trigger a custom authentication extension usin } ``` -1. Select **Run Query** to submit the request. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + +++Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider. 
-Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider: +1. Still in Graph Explorer, run the following request. You'll need the *Policy.ReadWrite.ApplicationConfiguration* delegated permission. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/policies/claimsmappingpolicies` -1. Select **Request Body** and paste the following JSON: - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies + Content-type: application/json + { "definition": [ "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"CustomClaimsProvider\",\"ID\":\"DateOfBirth\",\"JwtClaimType\":\"dob\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"CustomRoles\",\"JwtClaimType\":\"my_roles\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"CorrelationId\",\"JwtClaimType\":\"correlationId\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"ApiVersion\",\"JwtClaimType\":\"apiVersion \"},{\"Value\":\"tokenaug_V2\",\"JwtClaimType\":\"policy_version\"}]}}" Next, create the claims mapping policy, which describes which claims can be issu "isOrganizationDefault": false } ```+ # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/csharp/create-claimsmappingpolicy-from-claimsmappingpolicies-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/go/create-claimsmappingpolicy-from-claimsmappingpolicies-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/javascript/create-claimsmappingpolicy-from-claimsmappingpolicies-javascript-snippets.md)] + + # [PHP](#tab/php) + [!INCLUDE 
[sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/php/create-claimsmappingpolicy-from-claimsmappingpolicies-php-snippets.md)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/powershell/create-claimsmappingpolicy-from-claimsmappingpolicies-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/python/create-claimsmappingpolicy-from-claimsmappingpolicies-python-snippets.md)] + + -1. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`. -1. Select **Run Query** to submit the request. +2. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`. ++Get the service principal object ID: ++1. Run the following request in Graph Explorer. Replace `{App_to_enrich_ID}` with the **appId** of *My Test Application*. ++ ```http + GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}') + ``` -Get the `servicePrincipal` objectId: +Record the value of **id**. -1. Set the HTTP method to **GET**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}')/claimsMappingPolicies/$ref`. Replace `{App_to_enrich_ID}` with *My Test Application* App ID. -1. Record the `id` value, later it's referred to as `{test_App_Service_Principal_ObjectId}`. +Assign the claims mapping policy to the service principal of *My Test Application*. -Assign the claims mapping policy to the `servicePrincipal` of *My Test Application*: +1. Run the following request in Graph Explorer. You'll need the *Policy.ReadWrite.ApplicationConfiguration* and *Application.ReadWrite.All* delegated permission. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref` -1. 
Select **Request Body** and paste the following JSON: + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref + Content-type: application/json - ```json { "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{claims_mapping_policy_ID}" } ``` -1. Select **Run Query** to submit the request. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/csharp/create-claimsmappingpolicy-from-serviceprincipal-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/go/create-claimsmappingpolicy-from-serviceprincipal-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/javascript/create-claimsmappingpolicy-from-serviceprincipal-javascript-snippets.md)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/php/create-claimsmappingpolicy-from-serviceprincipal-php-snippets.md)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/powershell/create-claimsmappingpolicy-from-serviceprincipal-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/python/create-claimsmappingpolicy-from-serviceprincipal-python-snippets.md)] + + If you configured the [Microsoft identity provider](#step-5-protect-your-azure-f 1. Under the **App registration**, enter the application ID (client ID) of the *Azure Functions authentication events API* app registration [you created previously](#step-2-register-a-custom-authentication-extension). -1. 
Go to your Azure AD tenant in which your custom authentication extension is registered, and select **Azure Active Directory** > **App registrations**. +1. In the Microsoft Entra admin center: 1. Select the *Azure Functions authentication events API* app registration [you created previously](#step-2-register-a-custom-authentication-extension). 1. Select **Certificates & secrets** > **Client secrets** > **New client secret**. 1. Add a description for your client secret. |
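Review bot: The rewritten "Set the App ID URI, access token version, and required resource access" request changes the HTTP verb and that breaks the step. The removed line said "Set the HTTP method to **PATCH**", but the new block reads `POST https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}`. Updating an existing application object is a PATCH; a POST to that URL will not set `identifierUris` or `requiredResourceAccess`, and without the Graph app role in `requiredResourceAccess` the later "Grant permission" step has nothing to consent to. Change the verb back to PATCH. In the same hunk the old context bullet "- Set the application ID URI value in the *identifierUris* property..." survives directly below the three new bullets, so that instruction now appears twice; delete the old line.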
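Review bot: The role links in the rewritten sign-in steps don't match their text. "as at least an [Application Administrator](../roles/permissions-reference.md#application-developer)" (step 2 and again in 3.1) anchors to the Application Developer role; point it at `#application-administrator`, as the later step in this same file does. The second role also changed: the removed line required "Authentication Extensibility Administrator", the added line requires "[Authentication Administrator](../roles/permissions-reference.md#authentication-administrator)". Those are different roles, and the removed line is the one that named the role for custom authentication extensions, so confirm which is intended rather than steering readers to a broader role than the task needs.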
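Review bot: Several added `[!INCLUDE ...]` paths are truncated and will render as broken includes: `~/microsoft-graph/includes/snippets/jav)]` in the create-application tabs; every language tab under "Register a custom authentication extension" and under the event-listener request (`~/microsoft-graph/api-reference/bet)]`); and the Java tab for both claims-mapping-policy requests. Restore the full snippet paths or drop those tabs until the snippets exist, as was done for PHP with "Snippet not available."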
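Review bot: The placeholder `{test_App_Service_Principal_ObjectId}` is still used in `POST https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref`, but the rewritten "Get the service principal object ID" step now only says "Record the value of **id**." and no longer names the placeholder (the removed line did). Say that this **id** is `{test_App_Service_Principal_ObjectId}`. Likewise the replacement "1. In the Microsoft Entra admin center:" in the client-secret section drops the navigation to the app registrations blade that the removed line had; add "Browse to **Identity** > **Applications** > **App registrations**", and use "App registrations" rather than "Application registrations" throughout, matching the `authentication-national-cloud.md` change in this batch. Minor: the unchanged claims-mapping definition carries a trailing space in `\"JwtClaimType\":\"apiVersion \"`, which will show up as the emitted claim name.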
active-directory | Custom Extension Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-extension-troubleshoot.md | Title: Troubleshoot a custom claims provider description: Troubleshoot and monitor your custom claims provider API. Learn how to use logging and Azure AD sign-in logs to find errors and issues in your custom claims provider API. -+ Azure AD sign-in logs also integrate with [Azure Monitor](../../azure-monitor/in To access the Azure AD sign-in logs: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the **Enterprise apps** experience for your given application, select on the **Sign-in** logs tab. -1. Select the latest sign-in log. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. +1. Select **Sign-in logs**, and then select the latest sign-in log. 1. For more details, select the **Authentication Events** tab. Information related to the custom authentication extension REST API call is displayed, including any [error codes](#error-codes-reference). :::image type="content" source="media/custom-extension-troubleshoot/authentication-events.png" alt-text="Screenshot that shows the authentication events information." ::: Use the following table to diagnose an error code. Your REST API is protected by Azure AD access token. You can test your API by obtaining an access token with the [application registration](custom-extension-get-started.md#22-grant-admin-consent) associated with the custom authentiction extensions. After you acquire an access token, pass it the HTTP `Authorization` header. To obtain an access token, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure administrator account. -1. 
Select **Azure Active Directory** > **App registrations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations**. 1. Select the *Azure Functions authentication events API* app registration [you created previously](custom-extension-get-started.md#step-2-register-a-custom-authentication-extension). 1. Copy the [application ID](custom-extension-get-started.md#22-grant-admin-consent). 1. If you haven't created an app secret, follow these steps: |
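Review bot: both new sign-in steps read `as at least an [Cloud Application Administrator]`; the article should be `a` (the enterprise-app-role-management and jwt-claims-customization changes in this same set already use `a [Cloud Application Administrator]`). In the token-acquisition steps, `**Identity** > **Applications** > **Application registrations**` does not match the menu label used everywhere else in this change (`**App registrations**`); use one label so readers can find the blade. Since this paragraph is being touched anyway, the unchanged context still spells `custom authentiction extensions` and says `pass it the HTTP Authorization header` (missing `in`); worth fixing in the same pass.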
active-directory | Delegated And App Perms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/delegated-and-app-perms.md | - Title: Differences between delegated and app permissions -description: Learn about delegated and application permissions, how they are used by clients and exposed by resources for applications you are developing with Azure AD --------- Previously updated : 11/10/2022-----# How to recognize differences between delegated and application permissions --## Recommended documents --- Learn more about how client applications use [delegated and application permission requests](developer-glossary.md#permissions) to access resources.-- Learn about [delegated and application permissions](permissions-consent-overview.md).-- See step-by-step instructions on how to [configure a client application's permission requests](quickstart-configure-app-access-web-apis.md)-- For more depth, learn how resource applications expose [scopes](developer-glossary.md#scopes) and [application roles](developer-glossary.md#roles) to client applications, which manifest as delegated and application permissions respectively in the Azure portal. --## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
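Review bot: every line in this diff is a removal, so delegated-and-app-perms.md is deleted outright and the hunk shows no replacement content or redirect. Confirm a redirect is added for the old URL, most naturally to the page the removed text itself points to (`Learn about [delegated and application permissions](permissions-consent-overview.md).`), so existing inbound links and search results do not land on a 404.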
active-directory | Developer Support Help Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-support-help-options.md | If you need an answer to a question or help in solving a problem not covered in <img alt='Azure support' src='./media/common/logo_azure.svg'> </div> -Explore the range of [Azure support options and choose the plan](https://azure.microsoft.com/support/plans) that best fits you. There are two options to create and manage support requests in the Azure portal: +Explore the range of [Azure support options and choose the plan](https://azure.microsoft.com/support/plans) that best fits you. There are two options to create and manage support requests in the Microsoft Entra admin center: -- If you already have an Azure Support Plan, [open a support request here](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).+- If you already have an Azure Support Plan, [open a support request here](https://entra.microsoft.com/#view/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical). -- If you're using Azure AD for customers (preview), the support request feature is currently unavailable in customer tenants. However, you can use the **Give Feedback** link on the **New support request** page to provide feedback. Or, you can switch to your Azure AD workforce tenant and [open a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).+- If you're using Azure AD for customers (preview), the support request feature is currently unavailable in customer tenants. However, you can use the **Give Feedback** link on the **New support request** page to provide feedback. Or, you can switch to your Azure AD workforce tenant and [open a support request](https://entra.microsoft.com/#view/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical). 
- If you're not an Azure customer, you can open a support request with [Microsoft Support for business](https://support.serviceshub.microsoft.com/supportforbusiness). |
active-directory | Enterprise App Role Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/enterprise-app-role-management.md | You can customize the role claim in the access token that is received after an a Use the following steps to locate the enterprise application: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the left pane, select **Azure Active Directory**. -1. Select **Enterprise applications**, and then select **All applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. 1. Enter the name of the existing application in the search box, and then select the application from the search results. 1. After the application is selected, copy the object ID from the overview pane. - :::image type="content" source="media/enterprise-app-role-management/record-objectid.png" alt-text="Screenshot that shows how to locate and record the object identifier for the application."::: - ## Add roles Use the Microsoft Graph Explorer to add roles to an enterprise application. Use the Microsoft Graph Explorer to add roles to an enterprise application. Update the attributes to define the role claim that is included in the token. -1. Locate the application in the Azure portal, and then select **Single sign-on** in the left menu. +1. Locate the application in the Microsoft Entra admin center, and then select **Single sign-on** in the left menu. 1. In the **Attributes & Claims** section, select **Edit**. 1. Select **Add new claim**. 1. In the **Name** box, type the attribute name. This example uses **Role Name** as the claim name. Update the attributes to define the role claim that is included in the token. 1. 
From the **Source attribute** list, select **user.assignedroles**. 1. Select **Save**. The new **Role Name** attribute should now appear in the **Attributes & Claims** section. The claim should now be included in the access token when signing into the application. - :::image type="content" source="media/enterprise-app-role-management/attributes-summary.png" alt-text="Screenshot that shows a display of the list of attributes and claims defined for the application."::: - ## Assign roles After the service principal is patched with more roles, you can assign users to the respective roles. -1. In the Azure portal, locate the application to which the role was added. +1. Locate the application to which the role was added in the Microsoft Entra admin center. 1. Select **Users and groups** in the left menu and then select the user that you want to assign the new role. 1. Select **Edit assignment** at the top of the pane to change the role. 1. Select **None Selected**, select the role from the list, and then select **Select**. 1. Select **Assign** to assign the role to the user. - :::image type="content" source="media/enterprise-app-role-management/assign-role.png" alt-text="Screenshot that shows how to assign a role to a user of an application."::: - ## Update roles To update an existing role, perform the following steps: |
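Review bot: in the Assign roles steps, the rewritten line `+1. Locate the application to which the role was added in the Microsoft Entra admin center.` now reads as though the role was added in the admin center, whereas the Add roles section says roles are added with Microsoft Graph Explorer. Putting the location first removes the ambiguity: `1. In the Microsoft Entra admin center, locate the application to which the role was added.` The three removed `:::image` references (record-objectid.png, attributes-summary.png, assign-role.png) should be accompanied by deleting the files under media/enterprise-app-role-management, otherwise the images stay orphaned in the repo.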
active-directory | How Applications Are Added | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-applications-are-added.md | |
active-directory | Howto Call A Web Api With Curl | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-call-a-web-api-with-curl.md | zone_pivot_groups: web-api-howto-prereq ::: zone pivot="no-api" -This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using cURL. +This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. In this article, you'll register a web app and a web API in a tenant. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using cURL. ::: zone-end The Microsoft identity platform requires your application to be registered befor Follow these steps to create the web API registration: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. 
Select **New registration**. 1. Enter a **Name** for the application, such as *NewWebAPI1*. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option. 1. Select **Register**. Follow these steps to create the web app registration: ::: zone pivot="no-api" -1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Select **Home** to return to the home page. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone pivot="api" -1. Sign in to the [Azure portal](https://portal.azure.com). -1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a Name for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone-end -When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. +When registration is complete, the app registration is displayed on the **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. #### Add a client secret A client secret is a string value your app can use to identity itself, and is so Follow these steps to configure a client secret: -1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. +1. From the **Overview** pane, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. 1. Add a description for your client secret, for example *My client secret*. 1. Select an expiration for the secret or specify a custom lifetime. By specifying a web API's scopes in the web app registration, the web app can ob Follow these steps to configure the web app permissions to the web API: -1. 
From the **Overview** pane of your web application in the Azure portal (*web-app-that-calls-web-api*), under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. +1. From the **Overview** pane of your web application (*web-app-that-calls-web-api*), under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. 1. Select **NewWebAPI1** or the API that you wish to add permissions to. 1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user. 1. Select **Add permissions** to complete the process. After adding these permissions to your API, you should see the selected permissions under **Configured permissions**. -You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal. +You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app. ::: zone pivot="no-api" You may also notice the **User.Read** permission for the Microsoft Graph API. Th 1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `./appsettings.json` file, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with: - - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal. - - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal. + - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations**. + - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations**. 1. 
Execute the following command to start the app: The authorization code flow begins with the client directing the user to the `/a ``` 1. Copy the URL, replace the following parameters and paste it into your browser: - - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal. - - `{web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web app's (*web-app-calls-web-api*) **Overview** pane in the Azure portal. - - `{web_API_application_client_id}` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal. + - `{tenant_id}` is the web app **Directory (tenant) ID**. + - `{web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web app's (*web-app-calls-web-api*) **Overview** pane. + - `{web_API_application_client_id}` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane. 1. Sign in as a user in the Azure AD tenant in which the apps are registered. Consent to any requests for access, if necessary. 1. Your browser will be redirected to `http://localhost/`. Refer to your browser's navigation bar and copy the `{authorization_code}` to use in the following steps. The URL takes the form of the following snippet: cURL can now be used to request an access token from the Microsoft identity plat -d 'grant_type=authorization_code' \ -d 'client_secret={client_secret}' ``` - - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal. - - `client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web application's (*web-app-calls-web-api*) **Overview** pane in the Azure portal. 
- - `api://{web_API_application_client_id}/Forecast.Read` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal. + - `{tenant_id}` is the web app **Directory (tenant) ID**. + - `client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web application's (*web-app-calls-web-api*) **Overview** pane. + - `api://{web_API_application_client_id}/Forecast.Read` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane. - `code={authorization_code}` is the authorization code that was received in [Request an authorization code](#request-an-authorization-code). This enables the cURL tool to request an access token. - `client_secret={client_secret}` is the client secret **Value** recorded in [Add a client secret](#add-a-client-secret). |
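Review bot: in the appsettings.json bullets, `on the app's **Overview** pane **App registrations**` is what is left after dropping `in the Azure portal` and no longer parses as a sentence; the matching hunk in howto-call-a-web-api-with-postman.md in this same change already shortened it to `on the app's **Overview** pane`, so use the same wording here.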
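Review bot: the token-request bullet `client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID** ... was rewritten but still pairs `session_state` with the client ID; `session_state` is not a parameter of the authorization-code token request (`grant_type=authorization_code`) shown in the cURL command, so it should be dropped from this bullet. Likewise `api://{web_API_application_client_id}/Forecast.Read` is the scope being requested, which embeds the web API's client ID; describe it as the scope rather than calling the whole string the **Application (client) ID**.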
active-directory | Howto Call A Web Api With Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-call-a-web-api-with-postman.md | zone_pivot_groups: web-api-howto-prereq ::: zone pivot="no-api" -This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using Postman. +This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. In this article, you'll register a web app and a web API in a tenant. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using Postman. ::: zone-end The Microsoft identity platform requires your application to be registered befor Follow these steps to create the web API registration: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. 
Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as _NewWebAPI1_. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option. 1. Select **Register**. Follow these steps to create the web app registration: ::: zone pivot="no-api" -1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +Select **Home** to return to the home page. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone pivot="api" -1. Sign in to the [Azure portal](https://portal.azure.com). -1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a Name for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone-end -When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. +The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. #### Add a client secret A client secret is a string value your app can use to identity itself, and is so Follow these steps to configure a client secret: -1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. +1. From the **Overview** pane, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. 1. Add a description for your client secret, for example _My client secret_. 1. Select an expiration for the secret or specify a custom lifetime. By specifying a web API's scopes, the web app can obtain an access token contain Follow these steps to configure client's permissions to the web API: -1. 
From the **Overview** pane of your application in the Azure portal, under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. +1. From the **Overview** pane of your application, under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. 1. Select **NewWebAPI1** or the API that you wish to add permissions to. 1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user. 1. Select **Add permissions** to complete the process. After adding these permissions to your API, you should see the selected permissions under **Configured permissions**. -You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal. +You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app. ::: zone pivot="no-api" You may also notice the **User.Read** permission for the Microsoft Graph API. Th 1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `appsettings.json`, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with: - - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal. - - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal. + - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane. + - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane. 1. Execute the following command to start the app: |
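Review bot: in the `no-api` pivot, the replacement `+Select **Home** to return to the home page. Browse to **Identity** > **Applications** > **App registrations**.` lost the `1. ` list marker that the removed line had, so it renders as a paragraph and the numbered list restarts at `Select **New registration**`. Restore the marker (`1. Select **Home** ...`), as the cURL version of this same change does. The unchanged context `A client secret is a string value your app can use to identity itself` should read `identify itself` (same typo in howto-call-a-web-api-with-curl.md).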
active-directory | Howto Configure App Instance Property Locks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-configure-app-instance-property-locks.md | -# How to configure app instance property lock for your applications (Preview) +# How to configure app instance property lock for your applications Application instance lock is a feature in Azure Active Directory (Azure AD) that allows sensitive properties of a multi-tenant application object to be locked for modification after the application is provisioned in another tenant. This feature provides application developers with the ability to lock certain properties if the application doesn't support scenarios that require configuring those properties. The following property usage scenarios are considered as sensitive: - Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Verify`. In this scenario, your application supports an OIDC client credentials flow. - `TokenEncryptionKeyId` which specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key to which this property points. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. +> [!NOTE] +> App instance lock is enabled by default for all new applications created using the Microsoft Entra admin center. + ## Configure an app instance lock [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To configure an app instance lock using the Azure portal: +To configure an app instance lock: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. 
If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration you want to configure. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, and then select the application you want to configure. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select the application you want to configure. 1. Select **Authentication**, and then select **Configure** under the *App instance property lock* section. - :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock in the Azure portal."::: + :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock."::: 2. In the **App instance property lock** pane, enter the settings for the lock. The table following the image describes each setting and their parameters. 
- :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane in the Azure portal."::: + :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane."::: | Field | Description | | - | -- | |
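Review bot: the new tenant-switch step says `switch to the tenant in which you want to register the application`, but this procedure configures an existing app registration, not a new one; the removed line had it right (`the tenant that contains the app registration you want to configure`), so keep that wording. Also `as at least an [Cloud Application Administrator]` needs `a`, and the step list still runs `1.` ... `1.` and then `2. In the **App instance property lock** pane`, mixing explicit and automatic numbering; use `1.` throughout.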
active-directory | Howto Create Self Signed Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-self-signed-certificate.md | To customize the start and expiry date and other properties of the certificate, Use the certificate you create using this method to authenticate from an application running from your machine. For example, authenticate from Windows PowerShell. -In an elevated PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate. +In a PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate. ```powershell $certname = "{certificateName}" ## Replace {certificateName} |
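Review bot: dropping `elevated` from the prompt requirement is only correct if the certificate-creation command that follows writes to the current-user store (`Cert:\CurrentUser\My`); creating a certificate in `Cert:\LocalMachine\My` still requires an elevated session, so check the store path in the command before merging.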
active-directory | Identity Videos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/identity-videos.md | ___ <!-- IMAGES -->-[auth-fund-01-img]: ./media/identity-videos/aad-auth-fund-01.jpg -[auth-fund-02-img]: ./media/identity-videos/aad-auth-fund-02.jpg -[auth-fund-03-img]: ./media/identity-videos/aad-auth-fund-03.jpg -[auth-fund-04-img]: ./media/identity-videos/aad-auth-fund-04.jpg -[auth-fund-05-img]: ./media/identity-videos/aad-auth-fund-05.jpg -[auth-fund-06-img]: ./media/identity-videos/aad-auth-fund-06.jpg +[auth-fund-01-img]: ./media/identity-videos/auth-fund-01.jpg +[auth-fund-02-img]: ./media/identity-videos/auth-fund-02.jpg +[auth-fund-03-img]: ./media/identity-videos/auth-fund-03.jpg +[auth-fund-04-img]: ./media/identity-videos/auth-fund-04.jpg +[auth-fund-05-img]: ./media/identity-videos/auth-fund-05.jpg +[auth-fund-06-img]: ./media/identity-videos/auth-fund-06.jpg <!-- VIDEOS --> [auth-fund-01-vid]: https://www.youtube.com/watch?v=fbSVgC8nGz4&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=1 |
active-directory | Jwt Claims Customization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/jwt-claims-customization.md | These JSON Web tokens (JWT) used by OIDC and OAuth applications contain pieces o [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To view or edit the claims issued in the JWT to the application, open the application in Azure portal. Then select **Single sign-on** blade in the left-hand menu and open the **Attributes & Claims** section. +To view or edit the claims issued in the JWT to the application: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. +1. Select the application, select **Single sign-on** in the left-hand menu, and then select **Edit** in the **Attributes & Claims** section. An application may need claims customization for various reasons. For example, when an application requires a different set of claim URIs or claim values. Using the **Attributes & Claims** section, you can add or remove a claim for your application. You can also create a custom claim that is specific for an application based on the use case. The following steps describe how to assign a constant value: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the **Attributes & Claims** section, Select **Edit** to edit the claims. -1. Select the required claim that you want to modify. +1. Select the claim that you want to modify. 1. Enter the constant value without quotes in the **Source attribute** as per your organization, and then select **Save**. - The Attributes overview displays the constant value. - ## Special claims transformations You can use the following special claims transformations functions. 
To apply a transformation to a user attribute: 1. **Treat source as multivalued** indicates whether the transform is applied to all values or just the first. By default, the first element in a multi-value claim is applied the transformations. When you check this box, it ensures it's applied to all. This checkbox is only enabled for multi-valued attributes. For example, `user.proxyaddresses`. 1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. Then, make the string upper case. - :::image type="content" source="./media/jwt-claims-customization/sso-saml-multiple-claims-transformation.png" alt-text="Screenshot of claims transformation."::: - You can use the following functions to transform claims. | Function | Description | You can use the following functions to transform claims. | **ToLowercase()** | Converts the characters of the selected attribute into lowercase characters. | | **ToUppercase()** | Converts the characters of the selected attribute into uppercase characters. | | **Contains()** | Outputs an attribute or constant if the input matches the specified value. Otherwise, you can specify another output if there's no match. <br/>For example, if you want to emit a claim where the value is the user's email address if it contains the domain `@contoso.com`, otherwise you want to output the user principal name. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.email<br/>*Value*: "@contoso.com"<br/>Parameter 2 (output): user.email<br/>Parameter 3 (output if there's no match): user.userprincipalname |-| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. 
Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with "000", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.employeeid<br/>*Value*: "000"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | -| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with "US", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.country<br/>*Value*: "US"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | +| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with `000`, otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.employeeid<br/>*Value*: "000"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | +| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with `US`, otherwise you want to output an extension attribute. 
To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.country<br/>*Value*: "US"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | | **Extract() - After matching** | Returns the substring after it matches the specified value.<br/>For example, if the input's value is `Finance_BSimon`, the matching value is `Finance_`, then the claim's output is `BSimon`. | | **Extract() - Before matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is `BSimon_US`, the matching value is `_US`, then the claim's output is `BSimon`. | | **Extract() - Between matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is `Finance_BSimon_US`, the first matching value is `Finance_`, the second matching value is `_US`, then the claim's output is `BSimon`. | For example, Britta Simon is a guest user in the Contoso tenant. Britta belongs First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta. - As another example, consider when Britta Simon tries to sign in using the following configuration. Azure AD first evaluates all conditions with source `Attribute`. The source for the claim is `user.mail` when Britta's user type is **AAD guests**. Next, Azure AD evaluates the transformations. Because Britta is a guest, `user.extensionattribute1` is the new source for the claim. 
Because Britta is in **AAD guests**, `user.othermail` is the new source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta. - As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. The claim falls back to `user.extensionattribute1` ignoring the condition entry in both cases. ## Security considerations-Applications that receive tokens rely on claim values that are authoritatively issued by Azure AD and can't be tampered with. When you modify the token contents through claims customization, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the customization to protect themselves from customizations created by malicious actors. This can be done in one the following ways: +Applications that receive tokens rely on claim values that can't be tampered with. When you modify the token contents through claims customization, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified to protect themselves from customizations created by malicious actors. Protect from inappropriate customizations in one the following ways: - [Configure a custom signing key](#configure-a-custom-signing-key) - [update the application manifest to accept mapped claims](#update-the-application-manifest). Applications that receive tokens rely on claim values that are authoritatively i Without this, Azure AD returns an [AADSTS50146 error code](./reference-error-codes.md#aadsts-error-codes). ## Configure a custom signing key-For multi-tenant apps, a custom signing key should be used. Don't set `acceptMappedClaims` in the app manifest. when setting up an app in the Azure portal, you get an app registration object and a service principal in your tenant. That app is using the Azure global sign-in key, which can't be used for customizing claims in tokens. 
To get custom claims in tokens, create a custom sign-in key from a certificate and add it to service principal. For testing purposes, you can use a self-signed certificate. After configuring the custom signing key, your application code needs to validate the token signing key. +For multi-tenant apps, a custom signing key should be used. Don't set `acceptMappedClaims` in the app manifest. when setting up an app in the Azure portal, you get an app registration object and a service principal in your tenant. That app is using the Azure global sign-in key, which can't be used for customizing claims in tokens. To get custom claims in tokens, create a custom sign-in key from a certificate and add it to service principal. For testing purposes, you can use a self-signed certificate. After you configure the custom signing key, your application code needs to validate the token signing key. Add the following information to the service principal: Add the following information to the service principal: Extract the private and public key base-64 encoded from the PFX file export of your certificate. Make sure that the `keyId` for the `keyCredential` used for "Sign" matches the `keyId` of the `passwordCredential`. You can generate the `customkeyIdentifier` by getting the hash of the cert's thumbprint. ## Request-The following example shows the format of the HTTP PATCH request to add a custom signing key to a service principal. The "key" value in the `keyCredentials` property is shortened for readability. The value is base-64 encoded. For the private key, the property usage is "Sign". For the public key, the property usage is "Verify". +The following example shows the format of the HTTP PATCH request to add a custom signing key to a service principal. The "key" value in the `keyCredentials` property is shortened for readability. The value is base-64 encoded. For the private key, the property usage is `Sign`. For the public key, the property usage is `Verify`. 
``` PATCH https://graph.microsoft.com/v1.0/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e Authorization: Bearer {token} ``` ## Configure a custom signing key using PowerShell-Use PowerShell to [instantiate an MSAL Public Client Application](msal-net-initializing-client-applications.md#initializing-a-public-client-application-from-code) and use the [Authorization Code Grant](v2-oauth2-auth-code-flow.md) flow to obtain a delegated permission access token for Microsoft Graph. Use the access token to call Microsoft Graph and configure a custom signing key for the service principal. After configuring the custom signing key, your application code needs to [validate the token signing key](#validate-token-signing-key). +Use PowerShell to [instantiate an MSAL Public Client Application](msal-net-initializing-client-applications.md#initializing-a-public-client-application-from-code) and use the [Authorization Code Grant](v2-oauth2-auth-code-flow.md) flow to obtain a delegated permission access token for Microsoft Graph. Use the access token to call Microsoft Graph and configure a custom signing key for the service principal. After you configure the custom signing key, your application code needs to [validate the token signing key](#validate-token-signing-key). -To run this script you need: +To run this script, you need: - The object ID of your application's service principal, found in the Overview blade of your application's entry in Enterprise Applications in the Azure portal. - An app registration to sign in a user and get an access token to call Microsoft Graph. Get the application (client) ID of this app in the Overview blade of the application's entry in App registrations in the Azure portal. 
The app registration should have the following configuration: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration ``` ## Update the application manifest-For single tenant apps, you can set the `acceptMappedClaims` property to `true` in the [application manifest](reference-app-manifest.md). As documented on the [apiApplication resource type](/graph/api/resources/apiapplication?view=graph-rest-1.0&preserve-view=true#properties), this allows an application to use claims mapping without specifying a custom signing key. +For single tenant apps, you can set the `acceptMappedClaims` property to `true` in the [application manifest](reference-app-manifest.md). As documented on the [apiApplication resource type](/graph/api/resources/apiapplication?view=graph-rest-1.0&preserve-view=true#properties). Setting the property allows an application to use claims mapping without specifying a custom signing key. >[!WARNING] >Do not set the acceptMappedClaims property to true for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app. |
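Review bot: in the Security considerations hunk the rewritten sentence still reads `+... Protect from inappropriate customizations in one the following ways:` and needs "in one of the following ways". The same rewrite drops the two phrases that carried the security point: the old text said claims are "authoritatively issued by Azure AD" and that applications must acknowledge customizations "by the creator of the customization". Without them the reader is given no reason for the acknowledgement. Suggest keeping one clause saying that whoever administers the token-issuing tenant can create a claims-mapping policy for the app, which is exactly what the later warning ("Do not set the acceptMappedClaims property to true for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app") protects against.

Review bot: in the Configure a custom signing key hunk the `+` paragraph keeps a lowercase sentence start ("when setting up an app in the Azure portal") and calls the key a "sign-in key" twice ("Azure global sign-in key", "create a custom sign-in key from a certificate") although the heading, the Request section (usage `Sign` and `Verify` on the `keyCredentials`) and the PowerShell section all say "signing key". Use "global signing key" and "custom signing key" so the term matches the credential being added. The paragraph also still sends the reader to the Azure portal while the navigation hunk at the top of the same article was just moved to the Microsoft Entra admin center.

Review bot: the Update the application manifest hunk turns one sentence into a fragment: `+... As documented on the [apiApplication resource type](...). Setting the property allows an application to use claims mapping without specifying a custom signing key.` leaves "As documented on the apiApplication resource type." with no main clause. Suggest "As documented on the apiApplication resource type, setting the property allows an application to use claims mapping without specifying a custom signing key." The WARNING that follows is the part a reader must not miss and should stay directly under that sentence.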
active-directory | Mark App As Publisher Verified | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/mark-app-as-publisher-verified.md | Title: Mark an app as publisher verified -description: Describes how to mark an app as publisher verified. When an application is marked as publisher verified, it means that the publisher (application developer) has verified the authenticity of their organization using a Microsoft Partner Network (MPN) account that has completed the verification process and has associated this MPN account with that application registration. +description: Describes how to mark an app as publisher verified. When an application is marked as publisher verified, it means that the publisher (application developer) has verified the authenticity of their organization using a Cloud Partner Program (CPP) account that has completed the verification process and has associated this CPP account with that application registration. -When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process. +When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Cloud Partner Program (CPP) account and has associated this CPP account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process. 
## Quickstart-If you are already enrolled in the Microsoft Partner Network (MPN) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: +If you are already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: 1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) 1. Choose an app and click **Branding & properties**. -1. Click **Add MPN ID to verify publisher** and review the listed requirements. +1. Click **Add Partner One ID to verify publisher** and review the listed requirements. -1. Enter your MPN ID and click **Verify and save**. +1. Enter your Partner One ID and click **Verify and save**. For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md). ## Mark your app as publisher verified Make sure you meet the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified. -1. Sign in using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) to an organizational (Azure AD) account authorized to make changes to the app you want to mark as Publisher Verified and on the MPN Account in Partner Center. +1. Sign in using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) to an organizational (Azure AD) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center. - The Azure AD user must have one of the following [roles](../roles/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. 
- - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): MPN Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Azure AD). + - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): CPP Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Azure AD). 1. Navigate to the **App registrations** blade: Make sure you meet the [pre-requisites](publisher-verification-overview.md#requi 1. Ensure the appΓÇÖs [publisher domain](howto-configure-publisher-domain.md) is set. -1. Ensure that either the publisher domain or a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your MPN account. +1. Ensure that either the publisher domain or a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your CPP account. -1. Click **Add MPN ID to verify publisher** near the bottom of the page. +1. Click **Add Partner One ID to verify publisher** near the bottom of the page. -1. Enter the **MPN ID** for: +1. Enter the **Partner One ID** for: - - A valid Microsoft Partner Network account that has completed the verification process. + - A valid Cloud Partner Program account that has completed the verification process. - The Partner global account (PGA) for your organization. |
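Review bot: the MPN to CPP rename in this hunk leaves the article using three names for one thing: the prose says "Cloud Partner Program (CPP) account", the UI steps say `+1. Click **Add Partner One ID to verify publisher**` and `+1. Enter your Partner One ID`, and the roles step says `+ ... CPP Admin, Accounts Admin, or a Global Administrator`. Add one sentence, for example in the Quickstart, stating that the Partner One ID is the identifier of the CPP account, and check the "CPP Admin" role name against the linked permissions-overview page, since the hunk renames the role without any change to the link it cites. The unchanged "Partner global account (PGA)" bullet should be checked for the same vocabulary.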
active-directory | Msal Android Single Sign On | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-single-sign-on.md | In this how-to, you'll learn how to configure the SDKs used by your application This how-to assumes you know how to: -- Provision your app using the Azure portal. For more information, see the instructions for creating an app in [the Android tutorial](./tutorial-v2-android.md#create-a-project)+- Provision your app. For more information, see the instructions for creating an app in [the Android tutorial](./tutorial-v2-android.md#create-a-project) - Integrate your application with the [MSAL for Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) ## Methods for SSO You must register a redirect URI that is compatible with the broker. The redirec The format of the redirect URI is: `msauth://<yourpackagename>/<base64urlencodedsignature>` -You can use [keytool](https://manpages.debian.org/buster/openjdk-11-jre-headless/keytool.1.en.html) to generate a Base64-encoded signature hash using your app's signing keys, and then use the Azure portal to generate your redirect URI using that hash. +You can use [keytool](https://manpages.debian.org/buster/openjdk-11-jre-headless/keytool.1.en.html) to generate a Base64-encoded signature hash using your app's signing keys, and then generate your redirect URI using that hash. Linux and macOS: keytool -exportcert -alias androiddebugkey -keystore %HOMEPATH%\.android\debug.k Once you've generated a signature hash with _keytool_, use the Azure portal to generate the redirect URI: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. 
If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="/azure/active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you registered your application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. -1. Under **Manage**, select **App registrations**, then select your application. -1. Under **Manage**, select **Authentication** > **Add a platform** > **Android**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select your application, and then select **Authentication** > **Add a platform** > **Android**. 1. In the **Configure your Android app** pane that opens, enter the **Signature hash** that you generated earlier and a **Package name**. 1. Select the **Configure** button. -The Azure portal generates the redirect URI for you and displays it in the **Android configuration** pane's **Redirect URI** field. +The redirect URI is generated for you and is displayed in the **Android configuration** pane's **Redirect URI** field. For more information about signing your app, see [Sign your app](https://developer.android.com/studio/publish/app-signing) in the Android Studio User Guide. 
If the application uses a `WebView` strategy without integrating Microsoft Authe If the application uses MSAL with a broker like Microsoft Authenticator or Intune Company Portal, then users can have SSO experience across applications if they have an active sign-in with one of the apps. +> [!NOTE] +> MSAL with broker utilizes WebViews instead of Custom Tabs. As a result, the Single Sign-On (SSO) state is not extended to other apps that use Custom Tabs. + ### WebView To use the in-app WebView, put the following line in the app configuration JSON that is passed to MSAL: |
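Review bot: the rewritten redirect-URI steps begin with `+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator]...` ("an" should be "a"), but the unchanged lead-in directly above them still says "Once you've generated a signature hash with _keytool_, use the Azure portal to generate the redirect URI:", and the intro sentence in the same hunk was edited to drop the portal; update the lead-in to match. The step "enter the **Signature hash** that you generated earlier" should also say which keystore the hash came from: the keytool command shown uses `-alias androiddebugkey` against the debug keystore, so a redirect URI built from that hash only matches debug builds, and the release build needs a redirect URI derived from the release signing certificate.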
active-directory | Msal Client Application Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-client-application-configuration.md | The authority you specify in your code needs to be consistent with the **Support The authority can be: - An Azure AD cloud authority.-- An Azure AD B2C authority. See [B2C specifics](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics).-- An Active Directory Federation Services (AD FS) authority. See [AD FS support](https://aka.ms/msal-net-adfs-support).+- An Azure AD B2C authority. See [B2C specifics](msal-net-b2c-considerations.md). +- An Active Directory Federation Services (AD FS) authority. See [AD FS support](msal-net-adfs-support.md). Azure AD cloud authorities have two parts: You can override the redirect URI by using the `RedirectUri` property (for examp - `RedirectUriOnAndroid` = "msauth-5a434691-ccb2-4fd1-b97b-b64bcfbc03fc://com.microsoft.identity.client.sample"; - `RedirectUriOnIos` = $"msauth.{Bundle.ID}://auth"; -For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Leveraging-the-broker-on-iOS). +For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](msal-net-use-brokers-with-xamarin-apps.md). For more Android details, see [Brokered auth in Android](msal-android-single-sign-on.md). ### Redirect URI for confidential client apps |
active-directory | Msal Error Handling Js | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-error-handling-js.md | The following error types are available: - `AuthError`: Base error class for the MSAL.js library, also used for unexpected errors. -- `ClientAuthError`: Error class, which denotes an issue with Client authentication. Most errors that come from the library will be ClientAuthErrors. These errors result from things like calling a login method when login is already in progress, the user cancels the login, and so on.+- `ClientAuthError`: Error class which denotes an issue with Client authentication. Most errors that come from the library are ClientAuthErrors. These errors result from things like calling a login method when login is already in progress, the user cancels the login, and so on. - `ClientConfigurationError`: Error class, extends `ClientAuthError` thrown before requests are made when the given user config parameters are malformed or missing. -- `ServerError`: Error class, represents the error strings sent by the authentication server. These may be errors such as invalid request formats or parameters, or any other errors that prevent the server from authenticating or authorizing the user.+- `ServerError`: Error class, represents the error strings sent by the authentication server. These errors may be invalid request formats or parameters, or any other errors that prevent the server from authenticating or authorizing the user. - `InteractionRequiredAuthError`: Error class, extends `ServerError` to represent server errors, which require an interactive call. This error is thrown by `acquireTokenSilent` if the user is required to interact with the server to provide credentials or consent for authentication/authorization. Error codes include `"interaction_required"`, `"login_required"`, and `"consent_required"`. 
myMSALObj.handleRedirectPromise() myMSALObj.acquireTokenRedirect(request); ``` -The methods for pop-up experience (`loginPopup`, `acquireTokenPopup`) return promises, so you can use the promise pattern (.then and .catch) to handle them as shown: +The methods for pop-up experience (`loginPopup`, `acquireTokenPopup`) return promises, so you can use the promise pattern (`.then` and `.catch`) to handle them as shown: ```javascript myMSALObj.acquireTokenPopup(request).then( When calling an API requiring Conditional Access, you can receive a claims chall See [How to use Continuous Access Evaluation enabled APIs in your applications](./app-resilience-continuous-access-evaluation.md) for more detail. +### Using other frameworks ++Using toolkits like Tauri for registered single page applications (SPAs) with the identity platform are not recognized for production apps. SPAs only support URLs that start with `https` for production apps and `http://localhost` for local development. Prefixes like `tauri://localhost` cannot be used for browser apps. This format can only be supported for mobile or web apps as they have a confidential component unlike browser apps. + [!INCLUDE [Active directory error handling retries](./includes/error-handling-and-tips/error-handling-retries.md)] ## Next steps |
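Review bot: the new "Using other frameworks" section needs an agreement fix and a clearer claim: `+Using toolkits like Tauri for registered single page applications (SPAs) with the identity platform are not recognized for production apps.` should read "is not supported", and "not recognized" should say what actually happens (the redirect URI is rejected at registration, or the token request fails). The justification in the last sentence, "This format can only be supported for mobile or web apps as they have a confidential component unlike browser apps", does not hold for mobile apps: elsewhere in this change set the Android and iOS redirect URIs (`msauth://...`) are public-client broker redirects, and "Redirect URI for confidential client apps" is treated as a separate case. Custom schemes are accepted for mobile apps because the platform, not a client secret, controls which app receives the redirect; reword so the stated reason is correct.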
active-directory | Msal Ios Shared Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-ios-shared-devices.md | These Microsoft applications support Azure AD's shared device mode: - [Microsoft Teams](/microsoftteams/platform/) (in Public Preview) > [!IMPORTANT]-> Public preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Public preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see [Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Next steps |
active-directory | Msal Net Use Brokers With Xamarin Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-use-brokers-with-xamarin-apps.md | public static string redirectUriOnIos = "msauth.com.yourcompany.XForms://auth"; Notice that the redirect URI matches the `CFBundleURLSchemes` name that you included in the *Info.plist* file. -Add the redirect URI to the app's registration in the [Azure portal](https://portal.azure.com). To generate a properly formatted redirect URI, use **App registrations** in the Azure portal to generate the brokered redirect URI from the bundle ID. +Add the redirect URI to the app's registration. To generate a properly formatted redirect URI, use **App registrations** to generate the brokered redirect URI from the bundle ID. **To generate the redirect URI:** -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. Select **Azure Active Directory** > **App registrations** > your registered app +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Search for and select the application. 1. Select **Authentication** > **Add a platform** > **iOS / macOS** 1. Enter your bundle ID, and then select **Configure**. Copy the generated redirect URI that appears in the **Redirect URI** text box for inclusion in your code: - :::image type="content" source="media/msal-net-use-brokers-with-xamarin-apps/portal-01-ios-platform-settings.png" alt-text="iOS platform settings with generated redirect URI in Azure portal"::: + :::image type="content" source="media/msal-net-use-brokers-with-xamarin-apps/portal-01-ios-platform-settings.png" alt-text="iOS platform settings with generated redirect URI"::: 1. Select **Done** to complete generation of the redirect URI. 
## Brokered authentication for Android result = await app.AcquireTokenInteractive(scopes) ### Step 4: Add a redirect URI to your app registration -MSAL uses URLs to invoke the broker and then return to your app. To complete that round trip, register a **Redirect URI** for your app by using the [Azure portal](https://portal.azure.com). +MSAL uses URLs to invoke the broker and then return to your app. To complete that round trip, register a **Redirect URI** for your app. The format of the redirect URI for your application depends on the certificate used to sign the APK. For example: The format of the redirect URI for your application depends on the certificate u msauth://com.microsoft.xforms.testApp/hgbUYHVBYUTvuvT&Y6tr554365466= ``` -The last part of the URI, `hgbUYHVBYUTvuvT&Y6tr554365466=`, is the Base64-encoded version of the signature that the APK is signed with. While developing your app in Visual Studio, if you're debugging your code without signing the APK with a specific certificate, Visual Studio signs the APK for you for debugging purposes. When Visual Studio signs the APK for you in this way, it gives it a unique signature for the machine it's built on. Thus, each time you build your app on a different machine, you'll need to update the redirect URI in the application's code and the application's registration in the Azure portal in order to authenticate with MSAL. +The last part of the URI, `hgbUYHVBYUTvuvT&Y6tr554365466=`, is the Base64-encoded version of the signature that the APK is signed with. While developing your app in Visual Studio, if you're debugging your code without signing the APK with a specific certificate, Visual Studio signs the APK for you for debugging purposes. When Visual Studio signs the APK for you in this way, it gives it a unique signature for the machine it's built on. 
Thus, each time you build your app on a different machine, you'll need to update the redirect URI in the application's code and the application's registration in order to authenticate with MSAL. -While debugging, you may encounter an MSAL exception (or log message) stating the redirect URI provided is incorrect. **The exception or log message also indicates the redirect URI you should be using** with the current machine you're debugging on. You can use the provided redirect URI to continue developing your app as long as you update redirect URI in code and add the provided redirect URI to the app's registration in the Azure portal. +While debugging, you may encounter an MSAL exception (or log message) stating the redirect URI provided is incorrect. **The exception or log message also indicates the redirect URI you should be using** with the current machine you're debugging on. You can use the provided redirect URI to continue developing your app as long as you update redirect URI in code and add the provided redirect URI to the app's registration. -Once you're ready to finalize your code, update the redirect URI in the code and the application's registration in the Azure portal to use the signature of the certificate you sign the APK with. +Once you're ready to finalize your code, update the redirect URI in the code and the application's registration to use the signature of the certificate you sign the APK with. In practice, this means you should consider adding a redirect URI for each member of your development team, *plus* a redirect URI for the production signed version of the APK. As an alternative, you can configure MSAL to fall back to the embedded browser, Here are a few tips on avoiding issues when you implement brokered authentication on Android: -- **Redirect URI** - Add a redirect URI to your application registration in the [Azure portal](https://portal.azure.com). 
A missing or incorrect redirect URI is a common issue encountered by developers.+- **Redirect URI** - Add a redirect URI to your application registration. A missing or incorrect redirect URI is a common issue encountered by developers. - **Broker version** - Install the minimum required version of the broker apps. Either of these two apps can be used for brokered authentication on Android. - [Intune Company Portal](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) (version 5.0.4689.0 or greater) - [Microsoft Authenticator](https://play.google.com/store/apps/details?id=com.azure.authenticator) (version 6.2001.0140 or greater). |
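Review bot: in the rewritten debugging paragraph, "as long as you update redirect URI in code" is missing an article; make it "as long as you update the redirect URI in code". The rest of the hunk only drops the portal references, which is consistent with the other rows in this change set.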
active-directory | Msal Net User Gets Consent For Multiple Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources.md | -The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopeToConsent` builder method. +The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the *scopes* parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopesToConsent` builder method. > [!NOTE] > Getting consent for several resources works for Microsoft identity platform, but not for Azure AD B2C. Azure AD B2C supports only admin consent, not user consent. 
For example, if you have two resources that have 2 scopes each: - https:\//mytenant.onmicrosoft.com/customerapi (with 2 scopes `customer.read` and `customer.write`) - https:\//mytenant.onmicrosoft.com/vendorapi (with 2 scopes `vendor.read` and `vendor.write`) -You should use the `.WithExtraScopeToConsent` modifier which has the *extraScopesToConsent* parameter as shown in the following example: +You should use the `.WithExtraScopesToConsent` method which has the *extraScopesToConsent* parameter as shown in the following example: ```csharp string[] scopesForCustomerApi = new string[] string[] scopesForVendorApi = new string[] var accounts = await app.GetAccountsAsync(); var result = await app.AcquireTokenInteractive(scopesForCustomerApi) .WithAccount(accounts.FirstOrDefault())- .WithExtraScopeToConsent(scopesForVendorApi) + .WithExtraScopesToConsent(scopesForVendorApi) .ExecuteAsync(); ``` -This will get you an access token for the first web API. Then, to access the second web API you can silently acquire the token from the token cache: +`AcquireTokenInteractive` will return an access token for the first web API. Along with that access token, a refresh token will also be retrieved from Azure AD and cached. Then, to access the second web API, you can silently acquire the token using `AcquireTokenSilent`. MSAL will use the cached refresh token to retrieve from Azure AD the access token for the second web API. ```csharp-AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync(); +var result = await AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync(); ``` |
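Review bot: the new silent-acquisition line `var result = await AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync();` calls `AcquireTokenSilent` without the `app.` receiver that the preceding block uses for `app.AcquireTokenInteractive`, so it does not compile as shown; make it `var result = await app.AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync();`. The `.WithExtraScopeToConsent` to `.WithExtraScopesToConsent` rename is applied consistently in both the prose and the code block.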
active-directory | Optional Claims | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/optional-claims.md | -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Choose the application for which you want to configure optional claims based on your scenario and desired outcome. 1. Under **Manage**, select **Token configuration**. - The UI option **Token configuration** blade isn't available for apps registered in an Azure AD B2C tenant, which can be configured by modifying the application manifest. For more information, see [Add claims and customize user input using custom policies in Azure Active Directory B2C](../../active-directory-b2c/configure-user-input.md) This section covers the configuration options under optional claims for changing Complete the following steps to configure groups optional claims using the Azure portal: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. -1. Select the application you want to configure optional claims for in the list. +1. Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Token configuration**. 1. Select **Add groups claim**. 1. 
Select the group types to return (**Security groups**, or **Directory roles**, **All groups**, and/or **Groups assigned to the application**): Complete the following steps to configure groups optional claims using the Azure Complete the following steps to configure groups optional claims through the application manifest: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Select the application you want to configure optional claims for in the list. +1. Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Manifest**. 1. Add the following entry using the manifest editor: Complete the following steps to configure groups optional claims through the app Multiple token types can be listed: - - idToken for the OIDC ID token - - accessToken for the OAuth access token - - Saml2Token for SAML tokens. + - `idToken` for the OIDC ID token + - `accessToken` for the OAuth access token + - `Saml2Token` for SAML tokens. - The Saml2Token type applies to both SAML1.1 and SAML2.0 format tokens. + The `Saml2Token` type applies to both SAML1.1 and SAML2.0 format tokens. For each relevant token type, modify the groups claim to use the `optionalClaims` section in the manifest. The `optionalClaims` schema is as follows: In the following example, the Azure portal and manifest are used to add optional Configure claims in the Azure portal: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. -1. Find the application you want to configure optional claims for in the list and select it. +1. 
Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Token configuration**. 1. Select **Add optional claim**, select the **ID** token type, select **upn** from the list of claims, and then select **Add**. 1. Select **Add optional claim**, select the **Access** token type, select **auth_time** from the list of claims, then select **Add**. Configure claims in the Azure portal: Configure claims in the manifest: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Find the application you want to configure optional claims for in the list and select it. +1. Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Manifest** to open the inline manifest editor. 1. You can directly edit the manifest using this editor. The manifest follows the schema for the [Application entity](./reference-app-manifest.md), and automatically formats the manifest once saved. New elements are added to the `optionalClaims` property. |
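Review bot: the lead-in sentences "Complete the following steps to configure groups optional claims using the Azure portal:" and "Configure claims in the Azure portal:" still name the Azure portal while the sign-in step in the first procedure now points to the Microsoft Entra admin center and the later procedures have lost their sign-in steps entirely; update the lead-ins to match. The deleted line stating that the **Token configuration** blade isn't available for apps registered in an Azure AD B2C tenant (and pointing to the manifest and custom-policy docs) removes a caveat readers of B2C tenants need; keep that note unless the limitation no longer applies.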
active-directory | Permissions Consent Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/permissions-consent-overview.md | Depending on the permissions they require, some applications might require an ad Preauthorization allows a resource application owner to grant permissions without requiring users to see a consent prompt for the same set of permissions that have been preauthorized. This way, an application that has been preauthorized won't ask users to consent to permissions. Resource owners can preauthorize client apps in the Azure portal or by using PowerShell and APIs, like Microsoft Graph. -## Next steps +## See also - [Delegated access scenario](delegated-access-primer.md) - [User and admin consent overview](../manage-apps/user-admin-consent-overview.md) - [OpenID connect scopes](scopes-oidc.md)+-- [Making your application multi-tenant](./howto-convert-app-to-be-multi-tenant.md) +- [AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Perms For Given Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/perms-for-given-api.md | - Title: Select permissions for a given API -description: Learn about how permissions requests work for client and resource applications for applications you are developing --------- Previously updated : 11/10/2022-----# How to select permissions for a given API --## Recommended documents --- Learn more about how client applications use [delegated and application permission requests](./developer-glossary.md#permissions) to access resources.-- Learn about [scopes and permissions in the Microsoft identity platform](scopes-oidc.md)-- See step-by-step instructions on how to [configure a client application's permission requests](./quickstart-configure-app-access-web-apis.md)-- For more depth, learn how resource applications expose [scopes](./developer-glossary.md#scopes) and [application roles](./developer-glossary.md#roles) to client applications, which manifest as delegated and application permissions respectively in the Azure portal.--## Next steps --[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
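Review bot: this hunk deletes the whole article (title, metadata and both sections) without a replacement in the same change; confirm a redirect is configured for the removed file so existing inbound links to it don't break, and that the "Recommended documents" links it carried (developer glossary permissions, scopes and permissions overview, configure app access to web APIs) are reachable from the redirect target.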
active-directory | Publisher Verification Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/publisher-verification-overview.md | -When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (MCPP), formerly known as Microsoft Partner Network (MPN), account that's been [verified](/partner-center/verification-responses) and associating the verified PartnerID with an app registration. +When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (CPP), formerly known as Microsoft Partner Network (MPN), account that's been [verified](/partner-center/verification-responses) and associating the verified PartnerID with an app registration. When the publisher of an app has been verified, a blue *verified* badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and on other webpages: Publisher verification for an app has the following benefits: App developers must meet a few requirements to complete the publisher verification process. Many Microsoft partners will have already satisfied these requirements. -- The developer must have an MPN ID for a valid [Microsoft Cloud Partner Program](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process. 
The MPN account must be the [partner global account (PGA)](/partner-center/account-structure#the-top-level-is-the-partner-global-account-pga) for the developer's organization.+- The developer must have an Partner One ID for a valid [Microsoft Cloud Partner Program](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process. The CPP account must be the [partner global account (PGA)](/partner-center/account-structure#the-top-level-is-the-partner-global-account-pga) for the developer's organization. > [!NOTE]- > The MPN account you use for publisher verification can't be your partner location MPN ID. Currently, location MPN IDs aren't supported for the publisher verification process. + > The CPP account you use for publisher verification can't be your partner location Partner One ID. Currently, location Partner One IDs aren't supported for the publisher verification process. - The app that's to be publisher verified must be registered by using an Azure AD work or school account. Apps that are registered by using a Microsoft account can't be publisher verified. -- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the MPN PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account).+- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the CPP PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account). - The app must be registered in an Azure AD tenant and have a [publisher domain](howto-configure-publisher-domain.md) set. 
The feature is not supported in Azure AD B2C tenant. -- The domain of the email address that's used during MPN account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified) +- The domain of the email address that's used during CPP account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified) -- The user who initiates verification must be authorized to make changes both to the app registration in Azure AD and to the MPN account in Partner Center. The user who initiates the verification must have one of the required roles in both Azure AD and Partner Center.+- The user who initiates verification must be authorized to make changes both to the app registration in Azure AD and to the CPP account in Partner Center. The user who initiates the verification must have one of the required roles in both Azure AD and Partner Center. - In Azure AD, this user must be a member of one of the following [roles](../roles/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. - - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): MPN Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD). + - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): CPP Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD). 
- The user who initiates verification must sign in by using [Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md). |
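Review bot: the added requirement line reads "The developer must have an Partner One ID"; it should be "a Partner One ID". The stray `__` after `**NOTE**` in "(**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com ...)" is carried over unchanged into the new line and renders as literal underscores; make it `(**NOTE**: ...)`. The hunk also mixes "Partner One ID" with the "CPP account" and "CPP Partner Admin" wording introduced elsewhere in the same change, so a short line stating that the CPP account's identifier is the Partner One ID would help readers.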
active-directory | Quickstart Configure App Access Web Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-access-web-apis.md | By specifying a web API's scopes in your client app's registration, the client a [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] +Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. + In the first scenario, you grant a client app access to your own web API, both of which you should have registered as part of the prerequisites. If you don't yet have both a client app and a web API registered, complete the steps in the two [Prerequisites](#prerequisites) articles. This diagram shows how the two app registrations relate to one another. In this section, you add permissions to the client app's registration. |
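Review bot: the added paragraph opens with "Access to APIs require configuration of access scopes and roles"; the subject is singular, so "Access to APIs requires configuration ...".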
active-directory | Quickstart Configure App Expose Web Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-expose-web-apis.md | In this quickstart, you'll register a web API with the Microsoft identity platfo ## Register the web API +Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. + To provide scoped access to the resources in your web API, you first need to register the API with the Microsoft identity platform. Perform the steps in the **Register an application** section of [Quickstart: Register an app with the Microsoft identity platform](quickstart-register-app.md). |
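Review bot: same grammar issue as the added paragraph in the companion quickstart: "Access to APIs require configuration" should be "Access to APIs requires configuration".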
active-directory | Quickstart Daemon App Java Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-daemon-app-java-acquire-token.md | To run this sample, you need: - [Java Development Kit (JDK)](https://openjdk.java.net/) 8 or greater - [Maven](https://maven.apache.org/) - ## Register and download your quickstart app -You have two options to start your quickstart application: Express (Option 1 below), and Manual (Option 2) --### Option 1: Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/JavaDaemonQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application and select **Register**. -1. Follow the instructions to download and automatically configure your new application with just one click. --### Option 2: Register and manually configure your application and code sample --#### Step 1: Register your application - [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] +### Step 1: Register the application + To register your application and add the app's registration information to your solution manually, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. 
Under **Manage**, select **App registrations** > **New registration**. +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application, for example `Daemon-console`. Users of your app might see this name, and you can change it later. 1. Select **Register**. 1. Under **Manage**, select **Certificates & secrets**. To register your application and add the app's registration information to your 1. Select **Application permissions**. 1. Under **User** node, select **User.Read.All**, then select **Add permissions**. -#### Step 2: Download the Java project +### Step 2: Download the Java project [Download the Java daemon project](https://github.com/Azure-Samples/ms-identity-java-daemon/archive/master.zip) -#### Step 3: Configure the Java project +### Step 3: Configure the Java project 1. Extract the zip file to a local folder close to the root of the disk, for example, *C:\Azure-Samples*. 1. Navigate to the sub folder **msal-client-credential-secret**. To register your application and add the app's registration information to your - `Enter_the_Client_Secret_Here` - replace this value with the client secret created on step 1. >[!TIP]->To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal. To generate a new key, go to **Certificates & secrets** page. +>To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page. To generate a new key, go to **Certificates & secrets** page. -#### Step 4: Admin consent +### Step 4: Admin consent If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires Admin consent: a global administrator of your directory must give consent to your application. 
Select one of the options below depending on your role: -##### Global tenant administrator +#### Global tenant administrator -If you are a global tenant administrator, go to **API Permissions** page in **App registrations** in the Azure portal and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory). +If you are a global tenant administrator, go to **API Permissions** page in **App registrations** and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory). -##### Standard user +#### Standard user If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator: https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_i * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered. -#### Step 5: Run the application +### Step 5: Run the application You can test the sample directly by running the main method of ClientCredentialGrant.java from your IDE. ConfidentialClientApplication cca = | Where: |Description | |||-| `CLIENT_SECRET` | Is the client secret created for the application in Azure portal. | -| `CLIENT_ID` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. | +| `CLIENT_SECRET` | Is the client secret created for the application. | +| `CLIENT_ID` | Is the **Application (client) ID** for the registered application. You can find this value in the app's **Overview** page. | | `AUTHORITY` | The STS endpoint for user to authenticate. 
Usually `https://login.microsoftonline.com/{tenant}` for public cloud, where {tenant} is the name of your tenant or your tenant ID.| ### Requesting tokens IAuthenticationResult result; |Where:| Description | |||-| `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations** in the Azure portal.| +| `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations**.| [!INCLUDE [Help and support](includes/error-handling-and-tips/help-support-include.md)] |
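Review bot: the new navigation step says "Browse to **Identity** > **Applications** > **Application registrations**", but the same article still refers to the page as **App registrations** in the admin-consent step ("go to **API Permissions** page in **App registrations**") and in the `SCOPE` table row, and the other quickstarts in this change set use **App registrations**; use that name here too.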
active-directory | Quickstart Mobile App Ios Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-mobile-app-ios-sign-in.md | The quickstart applies to both iOS and macOS apps. Some steps are needed only fo ![Diagram showing how the sample app generated by this quickstart works.](media/quickstart-v2-ios/ios-intro.svg) -## Register and download your quickstart app -You have two options to start your quickstart application: -* [Express] [Option 1: Register and auto configure your app and then download your code sample](#option-1-register-and-auto-configure-your-app-and-then-download-the-code-sample) -* [Manual] [Option 2: Register and manually configure your application and code sample](#option-2-register-and-manually-configure-your-application-and-code-sample) --### Option 1: Register and auto configure your app and then download the code sample -#### Step 1: Register your application -To register your app, -1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/IosQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application and select **Register**. -1. Follow the instructions to download and automatically configure your new application with just one click. --### Option 2: Register and manually configure your application and code sample --#### Step 1: Register your application +## Register your quickstart app [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] To register your application and add the app's registration information to your solution manually, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. 
If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. Select **Register**. 1. Under **Manage**, select **Authentication** > **Add Platform** > **iOS**. To register your application and add the app's registration information to your #### Step 4: Configure your project If you selected Option 1 above, you can skip these steps. 1. Open the project in XCode.-1. Edit **ViewController.swift** and replace the line starting with 'let kClientID' with the following code snippet. Remember to update the value for `kClientID` with the clientID that you saved when you registered your app in the portal earlier in this quickstart: +1. Edit **ViewController.swift** and replace the line starting with 'let kClientID' with the following code snippet. 
Remember to update the value for `kClientID` with the clientID that you saved when you registered your app earlier in this quickstart: ```swift let kClientID = "Enter_the_Application_Id_Here" If you selected Option 1 above, you can skip these steps. let kAuthority = "https://login.microsoftonline.de/common" ``` -3. Open the project settings. In the **Identity** section, enter the **Bundle Identifier** that you entered into the portal. +3. Open the project settings. In the **Identity** section, enter the **Bundle Identifier**. 4. Right-click **Info.plist** and select **Open As** > **Source Code**. 5. Under the dict root node, replace `Enter_the_bundle_Id_Here` with the ***Bundle Id*** that you used in the portal. Notice the `msauth.` prefix in the string. |
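Review bot: "If you selected Option 1 above, you can skip these steps." is left in place under Step 4 even though this hunk deletes Option 1 (the express registration path); remove that sentence. In step 5, "the ***Bundle Id*** that you used in the portal" still refers to the portal, while the adjacent step 3 dropped "that you entered into the portal" in the same change; make the two consistent.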
active-directory | Quickstart Single Page App Angular Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-angular-sign-in.md | This quickstart uses MSAL Angular v2 with the authorization code flow. * [Node.js](https://nodejs.org/en/download/) * [Visual Studio Code](https://code.visualstudio.com/download) or another code editor --## Register and download your quickstart application +## Register your quickstart application [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To start your quickstart application, use either of the following options. --### Option 1 (Express): Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Select **Register**. -1. Go to the quickstart pane and follow the instructions to download and automatically configure your new application. --### Option 2 (Manual): Register and manually configure your application and code sample --#### Step 1: Register your application --1. Sign in to the [Azure portal](https://portal.azure.com/). -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use. Modify the values in the `auth` section as described here: - `Enter_the_Application_Id_Here` is the **Application (client) ID** for the application you registered. - To find the value of **Application (client) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Application (client) ID**, go to the app registration's **Overview** page. - `Enter_the_Cloud_Instance_Id_Here` is the instance of the Azure cloud. For the main or global Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), see [National clouds](authentication-national-cloud.md). - `Enter_the_Tenant_info_here` is set to one of the following: - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`. - To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page in the Azure portal. 
+ To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page. - If your application supports *accounts in any organizational directory*, replace this value with `organizations`. - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`. - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`. - To find the value of **Supported account types**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Supported account types**, go to the app registration's **Overview** page. - `Enter_the_Redirect_Uri_Here` is `http://localhost:4200/`. The `authority` value in your *app.module.ts* should be similar to the following if you're using the main (global) Azure cloud: |
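Review bot: the `#### Step 1: Register your application` heading is removed here without a replacement, whereas the JavaScript and React quickstart changes in this same commit set promote it to `### Step 1: Register your application`; keep the three quickstarts consistent by adding the same `### Step 1` heading above `+1. Sign in to the [Microsoft Entra admin center]`, so the later `Step 2` / `Step 3` headings on the page still have a Step 1 to follow.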
active-directory | Quickstart Single Page App Javascript Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-javascript-sign-in.md | See [How the sample works](#how-the-sample-works) for an illustration. [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To start your quickstart application, use either of the following options. +### Step 1: Register your application -### Option 1 (Express): Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Select **Register**. -1. Go to the quickstart pane and follow the instructions to download and automatically configure your new application. --### Option 2 (Manual): Register and manually configure your application and code sample --#### Step 1: Register your application --1. Sign in to the [Azure portal](https://portal.azure.com/). -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use. To start your quickstart application, use either of the following options. 1. Set the **Redirect URI** value to `http://localhost:3000/`. 1. Select **Configure**. -#### Step 2: Download the project +### Step 2: Download the project To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-v2/archive/master.zip). --#### Step 3: Configure your JavaScript app +### Step 3: Configure your JavaScript app In the *app* folder, open the *authConfig.js* file, and then update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object. Modify the values in the `msalConfig` section: - `Enter_the_Application_Id_Here` is the **Application (client) ID** for the application you registered. - To find the value of **Application (client) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Application (client) ID**, go to the app registration's **Overview** page. - `Enter_the_Cloud_Instance_Id_Here` is the Azure cloud instance. For the main or global Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), see [National clouds](authentication-national-cloud.md). 
- `Enter_the_Tenant_info_here` is one of the following: - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`. - To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page. - If your application supports *accounts in any organizational directory*, replace this value with `organizations`. - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`. - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`. - To find the value of **Supported account types**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Supported account types**, go to the app registration's **Overview** page. - `Enter_the_Redirect_Uri_Here` is `http://localhost:3000/`. The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud: graphMeEndpoint: "https://graph.microsoft.com/v1.0/me", graphMailEndpoint: "https://graph.microsoft.com/v1.0/me/messages" ``` -#### Step 4: Run the project +### Step 4: Run the project Run the project with a web server by using Node.js. |
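Review bot: the navigation step `+1. Browse to **Identity** > **Applications** > **Application registrations**.` uses a different label from the Angular and React siblings in this commit set, which both say `**App registrations**`, and from the retained text elsewhere on these pages (`select your app in **App registrations**`); use `**App registrations**` here as well. In the same hunk, the context sentence `To start your quickstart application, use either of the following options.` still sits after `1. Select **Register**.` even though the Option 1 / Option 2 split it introduced has been deleted; that sentence should go too.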
active-directory | Quickstart Single Page App React Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-react-sign-in.md | See [How the sample works](#how-the-sample-works) for an illustration. [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To start your quickstart application, use either of the following options. +### Step 1: Register your application -### Option 1 (Express): Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Select **Register**. -1. Go to the quickstart pane and follow the instructions to download and automatically configure your new application. --### Option 2 (Manual): Register and manually configure your application and code sample --#### Step 1: Register your application ---1. Sign in to the [Azure portal](https://portal.azure.com/). -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. When the **Register an application** page appears, enter a name for your application. 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use. Under **Manage**, select **App registrations** > **New registration**. 1. Under **Platform Configurations** expand **Single-page application**. 1. Confirm that under **Grant types** ![Already configured](media/quickstart-v2-javascript/green-check.png) Your Redirect URI is eligible for the Authorization Code Flow with PKCE. -#### Step 2: Download the project -+### Step 2: Download the project To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-react-spa/archive/main.zip). -#### Step 3: Configure your JavaScript app +### Step 3: Configure your JavaScript app In the *src* folder, open the *authConfig.js* file and update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object. Modify the values in the `msalConfig` section as described here: - `Enter_the_Application_Id_Here` is the **Application (client) ID** for the application you registered. - To find the value of **Application (client) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Application (client) ID**, go to the app registration's **Overview** page. - `Enter_the_Cloud_Instance_Id_Here` is the instance of the Azure cloud. 
For the main or global Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), see [National clouds](authentication-national-cloud.md). - `Enter_the_Tenant_info_here` is set to one of the following: - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`. - To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page. - If your application supports *accounts in any organizational directory*, replace this value with `organizations`. - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`. - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`. - To find the value of **Supported account types**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Supported account types**, go to the app registration's **Overview** page. - `Enter_the_Redirect_Uri_Here` is `http://localhost:3000/`. The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud: Scroll down in the same file and update the `graphMeEndpoint`. }; ``` -#### Step 4: Run the project +### Step 4: Run the project Run the project with a web server by using Node.js: |
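Review bot: the stale instruction `Under **Manage**, select **App registrations** > **New registration**.` still appears in the unchanged context right after `note the **Application (client) ID** value for later use.`, duplicating the removed `-Under **Manage**, select **App registrations** > **New registration**.` line and contradicting the new `+1. Browse to **Identity** > **Applications** > **App registrations**.` path; remove the leftover line so the Step 1 list reads as one sequence.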
active-directory | Reference Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-error-codes.md | The `error` field has several possible values - review the protocol documentatio | AADSTS50015 | ViralUserLegalAgeConsentRequiredState - The user requires legal age group consent. | | AADSTS50017 | CertificateValidationFailed - Certification validation failed, reasons for the following reasons:<ul><li>Cannot find issuing certificate in trusted certificates list</li><li>Unable to find expected CrlSegment</li><li>Cannot find issuing certificate in trusted certificates list</li><li>Delta CRL distribution point is configured without a corresponding CRL distribution point</li><li>Unable to retrieve valid CRL segments because of a timeout issue</li><li>Unable to download CRL</li></ul>Contact the tenant admin. | | AADSTS50020 | UserUnauthorized - Users are unauthorized to call this endpoint. User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appid}'({appName}) in that tenant. This account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. If this user should be a member of the tenant, they should be invited via the [B2B system](/azure/active-directory/b2b/add-users-administrator). For additional information, visit [AADSTS50020](/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist). |+| AADSTS500208 | The domain is not a valid login domain for the account type - This situation occurs when the user's account does not match the expected account type for the given tenant.. For instance, if the tenant is configured to allow only work or school accounts, and the user tries to sign in with a personal Microsoft account, they will receive this error. 
| AADSTS500212 | NotAllowedByOutboundPolicyTenant - The user's administrator has set an outbound access policy that doesn't allow access to the resource tenant. | | AADSTS500213 | NotAllowedByInboundPolicyTenant - The resource tenant's cross-tenant access policy doesn't allow this user to access this tenant. | | AADSTS50027 | InvalidJwtToken - Invalid JWT token because of the following reasons:<ul><li>doesn't contain nonce claim, sub claim</li><li>subject identifier mismatch</li><li>duplicate claim in idToken claims</li><li>unexpected issuer</li><li>unexpected audience</li><li>not within its valid time range </li><li>token format isn't proper</li><li>External ID token from issuer failed signature verification.</li></ul> | |
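Review bot: the new `+| AADSTS500208 |` row has a doubled period in `for the given tenant..` and, unlike the neighbouring rows (`NotAllowedByOutboundPolicyTenant - ...`, `InvalidJwtToken - ...`), does not lead with the error's identifier before the hyphen; give it the same `Name - description` shape as the rest of the table and fix the punctuation.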
active-directory | Reference V2 Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-v2-libraries.md | For more information about the Microsoft Authentication Library, see the [Overvi <!--Reference-style links --> [AAD-App-Model-V2-Overview]: v2-overview.md [Microsoft-SDL]: https://www.microsoft.com/securityengineering/sdl/-[preview-tos]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/ +[preview-tos]: https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all |
active-directory | Registration Config How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-how-to.md | - Title: Get the endpoints for an Azure AD app registration -description: How to find the authentication endpoints for a custom application you're developing or registering with Azure AD. --------- Previously updated : 11/09/2022-----# How to discover endpoints --You can find the authentication endpoints for your application in the [Azure portal](https://portal.azure.com). --1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. Select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu. -- The **Endpoints** page is displayed, showing the authentication endpoints for your tenant. - - Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application. --**National clouds** (for example Azure AD China, Germany, and US Government) have their own app registration portal and Azure AD authentication endpoints. Learn more in the [National clouds overview](authentication-national-cloud.md). --## Next steps --For more information about endpoints in the different Azure environments, see the [National clouds overview](authentication-national-cloud.md). |
active-directory | Registration Config Specific Application Property How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-specific-application-property-how-to.md | - Title: Azure portal registration fields for custom-developed apps -description: Guidance for registering a custom developed application with Azure AD --------- Previously updated : 09/27/2021-----# Azure portal registration fields for custom-developed apps --This article gives you a brief description of all the available fields in the application registration form in the [Azure portal](https://portal.azure.com). --## Register a new application --- To register a new application, sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.--- From the left navigation pane, click **Azure Active Directory.**--- Choose **App registrations** and click **Add**.--- This open up the application registration form.--## Fields in the application registration form --| Field | Description | -||| -| Name | The name of the application. It should have a minimum of four characters. | -| Supported account types| Select which accounts you would like your application to support: accounts in this organizational directory only, accounts in any organizational directory, or accounts in any organizational directory and personal Microsoft accounts. | -| Redirect URI (optional) | Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application. For web applications, provide the base URL of your app. For example, http://localhost:31544 might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as myapp://auth. 
To see specific examples for web applications or native applications, check out our [quickstarts](./index.yml).| --Once you have filled the above fields, the application is registered in the Azure portal, and you are redirected to the application overview page. The settings pages in the left pane under **Manage** have more fields for you to customize your application. The tables below describe all the fields. You would only see a subset of these fields, depending on whether you created a web application or a public client application. --### Overview --| Field | Description | -|--|--| -| Application ID | When you register an application, Azure AD assigns your application an Application ID. The application ID can be used to uniquely identify your application in authentication requests to Azure AD, as well as to access resources like the Graph API. | -| App ID URI | This should be a unique URI, usually of the form **https://<tenant\_name>/<application\_name>.** This is used during the authorization grant flow, as a unique identifier to specify the resource that the token should be issued for. It also becomes the 'aud' claim in the issued access token. | --### Branding --| Field | Description | -|--|--| -| Upload new logo | You can use this to upload a logo for your application. The logo must be in .bmp, .jpg or .png format, and the file size should be less than 100 KB. The dimensions for the image should be 215x215 pixels, with central image dimensions of 94x94 pixels.| -| Home page URL | This is the sign-on URL specified during application registration.| --### Authentication --| Field | Description | -|--|--| -| Front-channel logout URL | This is the single sign-out logout URL. Azure AD sends a logout request to this URL when the user clears their session with Azure AD using any other registered application.| -| Supported account types | This switch specifies whether the application can be used by multiple tenants. 
Typically, this means that external organizations can use your application by registering it in their tenant and granting access to their organization's data.| -| Redirect URLs | The redirect, or reply, URLs are the endpoints where Azure AD returns any tokens that your application requests. For native applications, this is where the user is sent after successful authorization. Azure AD checks that the redirect URI your application supplies in the OAuth 2.0 request matches one of the registered values in the portal.| --### Certificates and secrets --| Field | Description | -|--|--| -| Client secrets | You can create client secrets, or keys, to programmatically access web APIs secured by Azure AD without any user interaction. From the **New client secret** page, enter a key description and the expiration date and save to generate the key. Make sure to save it somewhere secure, as you won't be able to access it later. | --## Next steps --[Managing Applications with Azure Active Directory](../manage-apps/what-is-application-management.md) |
active-directory | Registration Config Sso How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-sso-how-to.md | - Title: Configure application single sign-on -description: How to configure single sign-on for a custom application you are developing and registering with Azure AD. --------- Previously updated : 07/15/2019-----# How to configure single sign-on for an application --Enabling federated single sign-on (SSO) in your app is automatically enabled when federating through Azure AD for OpenID Connect, SAML 2.0, or WS-Fed. If your end users are having to sign in despite already having an existing session with Azure AD, itΓÇÖs likely your app may be misconfigured. --* If youΓÇÖre using Microsoft Authentication Library (MSAL), make sure you have **PromptBehavior** set to **Auto** rather than **Always**. --* If youΓÇÖre building a mobile app, you may need additional configurations to enable brokered or non-brokered SSO. --For Android, see [Enabling Cross App SSO in Android](msal-android-single-sign-on.md). --For iOS, see [Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md). --## Next steps --[Azure AD SSO](../manage-apps/what-is-single-sign-on.md)<br> --[Enabling Cross App SSO in Android](msal-android-single-sign-on.md)<br> --[Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md)<br> --[Integrating Apps to AzureAD](./quickstart-register-app.md)<br> --[Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md)<br> --[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Reply Url | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reply-url.md | This table shows the maximum number of redirect URIs you can add to an app regis | Microsoft work or school accounts in any organization's Azure Active Directory (Azure AD) tenant | 256 | `signInAudience` field in the application manifest is set to either *AzureADMyOrg* or *AzureADMultipleOrgs* | | Personal Microsoft accounts and work and school accounts | 100 | `signInAudience` field in the application manifest is set to *AzureADandPersonalMicrosoftAccount* | -The maximum number of redirect URIS can't be raised for [security reasons](#restrictions-on-wildcards-in-redirect-uris). If your scenario requires more redirect URIs than the maximum limit allowed, consider the following [state parameter approach](#use-a-state-parameter) as the solution. +The maximum number of redirect URIs can't be raised for [security reasons](#restrictions-on-wildcards-in-redirect-uris). If your scenario requires more redirect URIs than the maximum limit allowed, consider the following [state parameter approach](#use-a-state-parameter) as the solution. ## Maximum URI length |
active-directory | Saml Claims Customization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/saml-claims-customization.md | By default, the Microsoft identity platform issues a SAML token to an applicatio ## View or edit claims -To view or edit the claims issued in the SAML token to the application, open the application in Azure portal. Then open the **Attributes & Claims** section. -+To view or edit the claims issued in the SAML token to the application: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. +1. Select the application, select **Single sign-on** in the left-hand menu, and then select **Edit** in the **Attributes & Claims** section. You might need to edit the claims issued in the SAML token for the following reasons: To edit the name identifier value claim: 1. Open the **Name identifier value** page. 1. Select the attribute or transformation that you want to apply to the attribute. Optionally, you can specify the format that you want the `nameID` claim to have. - :::image type="content" source="./media/saml-claims-customization/saml-sso-manage-user-claims.png" alt-text="Screenshot of editing the nameID (name identifier) value in the Azure portal."::: - ### NameID format If the SAML request contains the element `NameIDPolicy` with a specific format, then the Microsoft identity platform honors the format in the request. For more information about identifier values, see the table that lists the valid Any constant (static) value can be assigned to any claim. Use the following steps to assign a constant value: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the **User Attributes & Claims** section, select **Edit** to edit the claims. -1. 
Select the required claim that you want to modify. -1. Enter the constant value without quotes in the **Source attribute** as per your organization and select **Save**. -- :::image type="content" source="./media/saml-claims-customization/organization-attribute.png" alt-text="Screenshot of the organization Attributes & Claims section in the Azure portal."::: --1. The constant value is displayed as shown in the following image. -- :::image type="content" source="./media/saml-claims-customization/edit-attributes-claims.png" alt-text="Screenshot of editing in the Attributes & Claims section in the Azure portal."::: +1. On the **Attributes & Claims** blade, select the required claim that you want to modify. +1. Enter the constant value without quotes in the **Source attribute** as per your organization and select **Save**. The constant value is displayed. ### Directory Schema extensions (Preview) You can also configure directory schema extension attributes as non-conditional/conditional attributes. Use the following steps to configure the single or multi-valued directory schema extension attribute as a claim: -1. Sign in to the [Azure portal](https://portal.azure.com). --1. In the **User Attributes & Claims** section, select **Edit** to edit the claims. -1. Select **Add new claim** or edit an existing claim. -- :::image type="content" source="./media/saml-claims-customization/mv-extension-1.jpg" alt-text="Screenshot of the MultiValue extension configuration section in the Azure portal."::: -+1. On the **Attributes & Claims** blade, select **Add new claim** or edit an existing claim. 1. Select source application from application picker where extension property is defined. - :::image type="content" source="./media/saml-claims-customization/mv-extension-2.jpg" alt-text="Screenshot of the source application selection in MultiValue extension configuration section in the Azure portal."::: - 1. Select **Add** to add the selection to the claims. 1. 
Click **Save** to commit the changes. You can use the following special claims transformations functions. To add application-specific claims: -1. In **User Attributes & Claims**, select **Add new claim** to open the **Manage user claims** page. +1. On the **Attributes & Claims** blade, select **Add new claim** to open the **Manage user claims** page. 1. Enter the **name** of the claims. The value doesn't strictly need to follow a URI pattern, per the SAML spec. If you need a URI pattern, you can put that in the **Namespace** field. 1. Select the **Source** where the claim is going to retrieve its value. You can select a user attribute from the source attribute dropdown or apply a transformation to the user attribute before emitting it as a claim. To apply a transformation to a user attribute: 1. In **Manage claim**, select *Transformation* as the claim source to open the **Manage transformation** page. 1. Select the function from the transformation dropdown. Depending on the function selected, provide parameters and a constant value to evaluate in the transformation. 1. Select the source of the attribute by clicking on the appropriate radio button. Directory schema extension source is in preview currently.-- :::image type="content" source="./media/saml-claims-customization/mv-extension-4.png" alt-text="Screenshot of claims transformation."::: - 1. Select the attribute name from the dropdown.- 1. **Treat source as multivalued** is a checkbox indicating whether the transform should be applied to all values or just the first. By default, transformations are only applied to the first element in a multi-value claim, by checking this box it ensures it's applied to all. This checkbox is only be enabled for multi-valued attributes, for example `user.proxyaddresses`.- 1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. 
Then, make the string upper case. For example, Britta Simon is a guest user in the Contoso tenant. Britta belongs First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta. - As another example, consider when Britta Simon tries to sign in and the following configuration is used. All conditions are first evaluated with the source of `Attribute`. Because Britta's user type is **AAD guests**, `user.mail` is assigned as the source for the claim. Next, the transformations are evaluated. Because Britta is a guest, `user.extensionattribute1` is now the new source for the claim. Because Britta is in **AAD guests**, `user.othermail` is now the source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta. - As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. In both cases the condition entry is ignored, and the claim falls back to `user.extensionattribute1` instead. ## Advanced SAML claims options |
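Review bot: the constant-value and directory-schema-extension procedures now start at `+1. On the **Attributes & Claims** blade, select the required claim ...` with no step saying how to reach that blade, because the removed `-1. Sign in to the [Azure portal]` / `-1. In the **User Attributes & Claims** section, select **Edit**` steps were not replaced; add a first step that points back to the new `View or edit claims` navigation (`**Identity** > **Applications** > **Enterprise applications** > ... **Edit** in the **Attributes & Claims** section`) or reference that section. While in this file, the context line `This checkbox is only be enabled for multi-valued attributes` should read `is only enabled`.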
active-directory | Scenario Mobile App Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-mobile-app-registration.md | For more information, see [Scenarios and supported authentication flows](authent ### Interactive authentication -When you build a mobile app that uses interactive authentication, the most critical registration step is the redirect URI. You can set interactive authentication through the [platform configuration on the **Authentication** blade](https://aka.ms/MobileAppReg). +When you build a mobile app that uses interactive authentication, the most critical registration step is the redirect URI. This experience enables your app to get single sign-on (SSO) through Microsoft Authenticator (and Intune Company Portal on Android). It also supports device management policies. -This experience will enable your app to get single sign-on (SSO) through Microsoft Authenticator (and Intune Company Portal on Android). It will also support device management policies. --The app registration portal provides a preview experience to help you compute the brokered reply URI for iOS and Android applications: --1. In the app registration portal, select **Authentication** > **Try out the new experience**. -- ![The Authentication blade, where you choose a new experience](https://user-images.githubusercontent.com/13203188/60799285-2d031b00-a173-11e9-9d28-ac07a7ae894a.png) --2. Select **Add a platform**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. +1. Enter a **Name** for the application. +1. For **Supported account types**, select **Accounts in this organizational directory only**. +1. Select **Register**. +1. Select **Authentication** and then select **Add a platform**. 
![Add a platform](https://user-images.githubusercontent.com/13203188/60799366-4c01ad00-a173-11e9-934f-f02e26c9429e.png) -3. When the list of platforms is supported, select **iOS**. +1. When the list of platforms is supported, select **iOS / macOS**. ![Choose a mobile application](https://user-images.githubusercontent.com/13203188/60799411-60de4080-a173-11e9-9dcc-d39a45826d42.png) -4. Enter your bundle ID, and then select **Register**. +1. Enter your bundle ID, and then select **Configure**. ![Enter your bundle ID](https://user-images.githubusercontent.com/13203188/60799477-7eaba580-a173-11e9-9f8b-431f5b09344e.png) If your app uses only username-password authentication, you don't need to regist However, identify your application as a public client application. To do so: -1. Still in the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, select your app in **App registrations**, and then select **Authentication**. +1. Still in the Microsoft Entra admin center, select your app in **App registrations**, and then select **Authentication**. 1. In **Advanced settings** > **Allow public client flows** > **Enable the following mobile and desktop flows:**, select **Yes**. :::image type="content" source="media/scenarios/default-client-type.png" alt-text="Enable public client setting on Authentication pane in Azure portal"::: |
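Review bot: the new steps 1 to 7 (sign in, **New registration**, **Name**, **Supported account types**, **Register**) create a second app registration inside the "Interactive authentication" section, whose opening sentence says the critical step for an existing app is the redirect URI; move the registration steps to the prerequisites and start this list at "Select **Authentication** and then select **Add a platform**". The carried-over wording "When the list of platforms is supported, select **iOS / macOS**" is not what is meant; "When the list of supported platforms appears, select **iOS / macOS**" is. The screenshots are unchanged while the button label in the text changed from **Register** to **Configure**, so confirm they still match the flow or drop them. The unchanged alt text "Enable public client setting on Authentication pane in Azure portal" should also say Microsoft Entra admin center, since the step directly above it was changed to that.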
active-directory | Scenario Web App Call Api Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-call-api-acquire-token.md | These advanced steps are covered in chapter 3 of the [3-WebApp-multi-APIs](https The code for ASP.NET is similar to the code shown for ASP.NET Core: -- A controller action, protected by an [Authorize] attribute, extracts the tenant ID and user ID of the `ClaimsPrincipal` member of the controller. (ASP.NET uses `HttpContext.User`.)-*Microsoft.Identity.Web* adds extension methods to the Controller that provide convenience services to call Microsoft Graph or a downstream web API, or to get an authorization header, or even a token. The methods used to call an API directly are explained in detail in [A web app that calls web APIs: Call an API](scenario-web-app-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token. +- A controller action, protected by an `[Authorize]` attribute, extracts the tenant ID and user ID of the `ClaimsPrincipal` member of the controller (ASP.NET uses `HttpContext.User`). This ensures that only authenticated users can use the app. +**Microsoft.Identity.Web** adds extension methods to the Controller that provide convenience services to call Microsoft Graph or a downstream web API, or to get an authorization header, or even a token. The methods used to call an API directly are explained in detail in [A web app that calls web APIs: Call an API](scenario-web-app-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token. -If, however, you do want to manually acquire a token or build an authorization header, the following code shows how to use *Microsoft.Identity.Web* to do so in a controller. It calls an API (Microsoft Graph) using the REST API instead of the Microsoft Graph SDK. 
+If, however, you do want to manually acquire a token or build an authorization header, the following code shows how to use Microsoft.Identity.Web to do so in a controller. It calls an API (Microsoft Graph) using the REST API instead of the Microsoft Graph SDK. To get an authorization header, you get an `IAuthorizationHeaderProvider` service from the controller using an extension method `GetAuthorizationHeaderProvider`. To get an authorization header to call an API on behalf of the user, use `CreateAuthorizationHeaderForUserAsync`. To get an authorization header to call a downstream API on behalf of the application itself, in a daemon scenario, use `CreateAuthorizationHeaderForAppAsync`. -The controller methods are protected by an `[Authorize]` attribute that ensures only authenticated users can use the web app. -- The following snippet shows the action of the `HomeController`, which gets an authorization header to call Microsoft Graph as a REST API: - ```csharp [Authorize] public class HomeController : Controller public class HomeController : Controller # [Java](#tab/java) -In the Java sample, the code that calls an API is in the getUsersFromGraph method in [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62). +In the Java sample, the code that calls an API is in the `getUsersFromGraph` method in [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62). The method attempts to call `getAuthResultBySilentFlow`. If the user needs to consent to more scopes, the code processes the `MsalInteractionRequiredException` object to challenge the user. 
public ModelAndView getUserFromGraph(HttpServletRequest httpRequest, HttpServlet # [Node.js](#tab/nodejs) -In the Node.js sample, the code that acquires a token is in the *acquireToken* method of the **AuthProvider** class. +In the Node.js sample, the code that acquires a token is in the `acquireToken` method of the `AuthProvider` class. :::code language="js" source="~/ms-identity-node/App/auth/AuthProvider.js" range="79-121"::: This access token is then used to handle requests to the `/profile` endpoint: # [Python](#tab/python) -In the Python sample, the code that calls the API is in `app.py`. +In the Python sample, the code that calls the API is in *app.py*. The code attempts to get a token from the token cache. If it can't get a token, it redirects the user to the sign-in route. Otherwise, it can proceed to call the API. Move on to the next article in this scenario, Move on to the next article in this scenario, [Call a web API](scenario-web-app-call-api-call-api.md?tabs=python). -+ |
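Review bot: the library name is formatted three ways inside one change: the removed lines italicized *Microsoft.Identity.Web*, the first added line bolds **Microsoft.Identity.Web**, and the next added paragraph ("how to use Microsoft.Identity.Web to do so") leaves it plain; pick one style and apply it to both added lines. The consolidated sentence "This ensures that only authenticated users can use the app." is attached to the bullet about extracting the tenant ID and user ID from `ClaimsPrincipal`, but it is the `[Authorize]` attribute, not the extraction, that enforces authentication; reword along the lines of "The `[Authorize]` attribute ensures that only authenticated users can reach the action." so the security guarantee is attributed to the right mechanism.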
active-directory | Setup Multi Tenant App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/setup-multi-tenant-app.md | - Title: Configure a new multi-tenant application -description: Learn how to configure an application as multi-tenant, and how multi-tenant applications work --------- Previously updated : 11/10/2022-----# How to configure a new multi-tenant application --Here is a list of recommended topics to learn more about multi-tenant applications: --- Get a general understanding of [what it means to be a multi-tenant application](./developer-glossary.md#multi-tenant-application)-- Learn about [tenancy in Azure Active Directory](single-and-multi-tenant-apps.md)-- Get a general understanding of [how to configure an application to be multi-tenant](./howto-convert-app-to-be-multi-tenant.md)-- Get a step-by-step overview of [how the Azure AD consent framework is used to implement consent](./quickstart-register-app.md), which is required for multi-tenant applications-- For more depth, learn [how a multi-tenant application is configured and coded end-to-end](./howto-convert-app-to-be-multi-tenant.md), including how to register, use the "common" endpoint, implement "user" and "admin" consent, how to implement more advanced multi-tier scenarios--## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
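Review bot: the entire article body (title, description, metadata, the recommended-topics list and the **Next steps** link) is removed with nothing added in its place, and the visible diff shows no redirect for `setup-multi-tenant-app.md`; confirm a redirect entry exists (for example to `howto-convert-app-to-be-multi-tenant.md`, which the removed list already points at twice) so inbound links to this page do not break. The removed list's other targets (`developer-glossary.md#multi-tenant-application`, `single-and-multi-tenant-apps.md`, `quickstart-register-app.md`) should remain reachable from whichever multi-tenant article survives.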
active-directory | Single Sign On Saml Protocol | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-sign-on-saml-protocol.md | Title: Azure single sign-on SAML protocol + Title: Single sign-on SAML protocol description: This article describes the single sign-on (SSO) SAML protocol in Azure Active Directory documentationcenter: .net To request a user authentication, cloud services send an `AuthnRequest` element | Parameter | Type | Description | | | | |-| ID | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. | -| Version | Required | This parameter should be set to **2.0**. | -| IssueInstant | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. | -| AssertionConsumerServiceURL | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. | -| ForceAuthn | Optional | This is a boolean value. If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Azure AD. | -| IsPassive | Optional | This is a boolean value that specifies whether Azure AD should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Azure AD will attempt to authenticate the user using the session cookie. | --All other `AuthnRequest` attributes, such as Consent, Destination, AssertionConsumerServiceIndex, AttributeConsumerServiceIndex, and ProviderName are **ignored**. 
+| `ID` | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. | +| `Version` | Required | This parameter should be set to `2.0`. | +| `IssueInstant` | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. | +| `AssertionConsumerServiceURL` | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. | +| `ForceAuthn` | Optional | This is a boolean value. If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Azure AD. | +| `IsPassive` | Optional | This is a boolean value that specifies whether Azure AD should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Azure AD will attempt to authenticate the user using the session cookie. | ++All other `AuthnRequest` attributes, such as `Consent`, `Destination`, `AssertionConsumerServiceIndex`, `AttributeConsumerServiceIndex`, and `ProviderName` are **ignored**. Azure AD also ignores the `Conditions` element in `AuthnRequest`. |
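Review bot: the added `ID` row keeps a mismatch from the old row: the text says to prepend a string like "ID", but the example `id6c1c178c166d486687be4aaf5e482730` uses lowercase `id`; both are valid XML IDs, but the example should match the advice. The separator row under the header reads `| | | |` in this diff; confirm it still has its `---` fills in the source, otherwise the table will not render. The new sentence "Azure AD also ignores the `Conditions` element in `AuthnRequest`." is a useful addition; consider moving it next to the "All other `AuthnRequest` attributes ... are **ignored**" sentence it extends rather than leaving it as a separate trailing sentence.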
active-directory | Supported Accounts Validation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/supported-accounts-validation.md | See the following table for the validation differences of various properties for | Certificates (`keyCredentials`) | Symmetric signing key | Symmetric signing key | Encryption and asymmetric signing key | | Client secrets (`passwordCredentials`) | No limit\* | No limit\* | If liveSDK is enabled: Maximum of two client secrets | | Redirect URIs (`replyURLs`) | See [Redirect URI/reply URL restrictions and limitations](reply-url.md) for more info. | | |-| API permissions (`requiredResourceAccess`) | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs. | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs. | Maximum of 50 resources per application and 30 permissions per resource (for example, Microsoft Graph). Total limit of 200 per application (resources x permissions). | +| API permissions (`requiredResourceAccess`) | No more than 50 total APIs (resource apps), with no more than 10 APIs from other tenants. No more than 400 permissions total across all APIs. | No more than 50 total APIs (resource apps), with no more than 10 APIs from other tenants. No more than 400 permissions total across all APIs. | No more than 50 total APIs (resource apps), with no more than 10 APIs from other tenants. No more than 200 permissions total across all APIs. Maximum of 30 permissions per resource (for example, Microsoft Graph). 
| | Scopes defined by this API (`oauth2Permissions`) | Maximum scope name length of 120 characters <br><br> No limit\* on the number of scopes defined | Maximum scope name length of 120 characters <br><br> No limit\* on the number of scopes defined | Maximum scope name length of 40 characters <br><br> Maximum of 100 scopes defined | | Authorized client applications (`preAuthorizedApplications`) | No limit\* | No limit\* | Total maximum of 500 <br><br> Maximum of 100 client apps defined <br><br> Maximum of 30 scopes defined per client | | appRoles | Supported <br> No limit\* | Supported <br> No limit\* | Not supported | |
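Review bot: the rewritten third column of the API permissions row now states "with no more than 10 APIs from other tenants", a restriction the removed text for that column did not contain (it said "Maximum of 50 resources per application and 30 permissions per resource ... Total limit of 200 per application"); confirm the 10-other-tenant limit actually applies to that account type rather than having been copied from the first two columns. The "Maximum of 30 permissions per resource" sentence was also moved after the 200-permission total, which reads as an afterthought; keep the per-resource limit next to the per-application one as before.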
active-directory | Test Setup Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/test-setup-environment.md | You can [manually create a tenant](quickstart-create-new-tenant.md), which will For convenience, you may want to invite yourself and other members of your development team to be guest users in the tenant. This will create separate guest objects in the test tenant, but means you only have to manage one set of credentials for your corporate account and your test account. -1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. -2. Go to **Users**. -3. Click on **New guest user** and invite your work account email address. -4. Repeat for other members of the development and/or testing team for your application. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Invite external user** and invite your work account email address. +1. Repeat for other members of the development and/or testing team for your application. You can also create test users in your test tenant. If you used one of the Microsoft 365 sample packs, you may already have some test users in your tenant. If not, you should be able to create some yourself as the tenant administrator. -1. Sign in to the [Azure portal](https://portal.azure.com), then select on **Azure Active Directory**. -2. Go to **Users**. -3. Click **New user** and create some new test users in your directory. +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user** and create some new test users in your directory. 
### Get an Azure AD subscription (optional) Replicating Conditional Access policies ensures you don't encounter unexpected b Viewing your production tenant Conditional Access policies may need to be performed by a company administrator. -1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account. 1. Go to **Azure Active Directory** > **Enterprise applications** > **Conditional Access**. 1. View the list of policies in your tenant. Click the first one. 1. Navigate to **Cloud apps or actions**. Viewing your production tenant Conditional Access policies may need to be perfor In a new tab or browser session, sign in to the [Azure portal](https://portal.azure.com) to access your test tenant. -1. Go to **Azure Active Directory** > **Enterprise applications** > **Conditional Access**. -1. Click on **New policy** +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Conditional Access**. +1. Select **Create new policy** 1. Copy the settings from the production tenant policy, identified through the previous steps. #### Permission grant policies Replicating permission grant policies ensures you don't encounter unexpected prompts for admin consent when moving to production. -1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account. -1. Click on **Azure Active Directory**. -1. Go to **Enterprise applications**. -1. From your production tenant, go to **Azure Active Directory** > **Enterprise applications** > **Consent and permissions** > **User consent** settings. Copy the settings there to your test tenant. +Browse to **Identity** > **Applications** > **Enterprise applications** > **Consent and permissions** > **User consent** settings. Copy the settings there to your test tenant. #### Token lifetime policies You'll need to create an app registration to use in your test environment. 
This You'll need to create some test users with associated test data to use while testing your scenarios. This step might need to be performed by an admin. -1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. -2. Go to **Users**. -3. Select **New user** and create some new test users in your directory. +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user** and create some new test users in your directory. ### Add the test users to a group (optional) For convenience, you can assign all these users to a group, which makes other assignment operations easier. -1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. -2. Go to **Groups**. -3. Click **New group**. -4. Select either **Security** or **Microsoft 365** for group type. -5. Name your group. -6. Add the test users created in the previous step. +1. Browse to **Identity** > **Groups** > **All groups**. +1. Select **New group**. +1. Select either **Security** or **Microsoft 365** for group type. +1. Name your group. +1. Add the test users created in the previous step. ### Restrict your test application to specific users |
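Review bot: the "Permission grant policies" rewrite drops the step that set the context ("Sign in to the Azure portal using your production tenant account"), leaving a single sentence "Browse to **Identity** > **Applications** > **Enterprise applications** > **Consent and permissions** > **User consent** settings. Copy the settings there to your test tenant." that never says which tenant to browse in; restore a production-tenant sign-in step as the Conditional Access section still has. In that Conditional Access section the production-tenant path is left as the unchanged "Go to **Azure Active Directory** > **Enterprise applications** > **Conditional Access**" and the test-tenant sentence still says "sign in to the Azure portal", while only the test-tenant path was changed to "Browse to **Identity** > **Applications** > ..."; update all three together so both halves use the same portal, and add the missing period after "Select **Create new policy**". The two "create some new test users" lists and the "Add the test users to a group" list now begin at "Browse to **Identity** > ..." with their sign-in steps removed, so the only sign-in step left is the guest-user one, which asks for the Application Developer role; the surrounding text says user creation "might need to be performed by an admin" / "as the tenant administrator", so state the needed role where those sign-in steps were removed.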
active-directory | Troubleshoot Publisher Verification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/troubleshoot-publisher-verification.md | -2. Review the instructions to [mark an app as publisher verified](mark-app-as-publisher-verified.md) and ensure all steps have been performed successfully. --3. Review the list of [common issues](#common-issues). --4. Reproduce the request using [Graph Explorer](#making-microsoft-graph-api-calls) to gather more info and rule out any issues in the UI. +1. Review the instructions to [mark an app as publisher verified](mark-app-as-publisher-verified.md) and ensure all steps have been performed successfully. +1. Review the list of [common issues](#common-issues). +1. Reproduce the request using [Graph Explorer](#making-microsoft-graph-api-calls) to gather more info and rule out any issues in the UI. ## Common Issues Below are some common issues that may occur during the process. -- **I donΓÇÖt know my Microsoft Partner Network ID (MPN ID) or I donΓÇÖt know who the primary contact for the account is.** - 1. Navigate to the [MPN enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new). - 2. Sign in with a user account in the org's primary Azure AD tenant. - 3. If an MPN account already exists, this is recognized and you are added to the account. - 4. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed. +- **I donΓÇÖt know my Cloud Partner Program ID (Partner One ID) or I donΓÇÖt know who the primary contact for the account is.** + 1. Navigate to the [Cloud Partner Program enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new). + 1. Sign in with a user account in the org's primary Azure AD tenant. + 1. 
If an Cloud Partner Program account already exists, this is recognized and you are added to the account. + 1. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the Partner One ID and primary account contact will be listed. - **I donΓÇÖt know who my Azure AD Global Administrator (also known as company admin or tenant admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?**- 1. Sign in to the [Azure portal](https://portal.azure.com) using a user account in your organization's primary tenant. - 1. Browse to **Azure Active Directory** > [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators). - 3. Select the desired admin role. - 4. The list of users assigned that role will be displayed. + 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Adminstrator](../roles/permissions-reference.md#cloud-application-administrator). + 1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. + 1. Select the desired admin role. + 1. The list of users assigned that role will be displayed. -- **I don't know who the admin(s) for my MPN account are**- Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles. +- **I don't know who the admin(s) for my CPP account are** + Go to the [CPP User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles. -- **I am getting an error saying that my MPN ID is invalid or that I do not have access to it.**+- **I am getting an error saying that my Partner One ID is invalid or that I do not have access to it.** Follow the [remediation guidance](#mpnaccountnotfoundornoaccess). 
- **When I sign in to the Azure portal, I do not see any apps registered. Why?** Response 204 No Content ``` > [!NOTE]-> *verifiedPublisherID* is your MPN ID. +> *verifiedPublisherID* is your Partner One ID. ### Unset Verified Publisher The following is a list of the potential error codes you may receive, either whe ### MPNAccountNotFoundOrNoAccess -The MPN ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid Partner One ID and try again. -Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Partner Center- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. Can also be caused by the tenant the app is registered in not being added to the MPN account, or an invalid MPN ID. +Most commonly caused by the signed-in user not being a member of the proper role for the CPP account in Partner Center- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. Can also be caused by the tenant the app is registered in not being added to the CPP account, or an invalid Partner One ID. **Remediation Steps** 1. Go to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) and verify that: - - The MPN ID is correct. - - There are no errors or ΓÇ£pending actionsΓÇ¥ shown, and the verification status under Legal business profile and Partner info both say ΓÇ£authorizedΓÇ¥ or ΓÇ£successΓÇ¥. -2. 
Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the [multi-tenant-account instructions](/partner-center/multi-tenant-account). All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account. -3. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions for [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions). + - The Partner One ID is correct. + - There are no errors or "pending actions" shown, and the verification status under Legal business profile and Partner info both say "authorized" or "success". +1. Go to the [CPP tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the [multi-tenant-account instructions](/partner-center/multi-tenant-account). All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account. +1. Go to the [CPP User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions for [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions). ### MPNGlobalAccountNotFound -The MPN ID you provided (`MPNID`) isn't valid. 
Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused when an MPN ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. +Most commonly caused when an Partner One ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. ### MPNAccountInvalid -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. 
### MPNAccountNotVetted -The MPN ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again. +The Partner One ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again. -Most commonly caused by when the MPN account hasn't completed the [verification](/partner-center/verification-responses) process. +Most commonly caused by when the CPP account hasn't completed the [verification](/partner-center/verification-responses) process. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) and verify that there are no errors or **pending actions** shown, and that the verification status under Legal business profile and Partner info both say **authorized** or **success**.-2. If not, view pending action items in Partner Center and troubleshoot with [here](/partner-center/verification-responses) +1. If not, view pending action items in Partner Center and troubleshoot with [here](/partner-center/verification-responses). ### NoPublisherIdOnAssociatedMPNAccount -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. 
### MPNIdDoesNotMatchAssociatedMPNAccount -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. ### ApplicationNotFound -The target application (`AppId`) canΓÇÖt be found. Provide a valid application ID and try again. +The target application (`AppId`) can't be found. Provide a valid application ID and try again. Most commonly caused when verification is being performed via Graph API, and the ID of the application provided is incorrect. **Remediation Steps**-1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application) -2. Log in to [Azure Active Directory](https://aad.portal.azure.com/) with a user account in your organization's primary tenant > Azure Active Directory > App Registrations blade -3. Find your app's registration to view the Object ID +1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **Application registrations**. +1. Find your app's registration to view the Object ID. ### ApplicationObjectisInvalid The target application's object ID is invalid. Please provide a valid ID and try Most commonly caused when the verification is being performed via Graph API, and the ID of the application provided does not exist. **Remediation Steps**-1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application) -2. Log in to [Azure Active Directory](https://aad.portal.azure.com/) with a user account in your organization's primary tenant > Azure Active Directory > App Registrations blade -3. Find your app's registration to view the Object ID +1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Find your app's registration to view the Object ID. ### B2CTenantNotAllowed The target application (`AppId`) must have a Publisher Domain set. Set a Publish Occurs when a [Publisher Domain](howto-configure-publisher-domain.md) isn't configured on the app. **Remediation Steps**-1. Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain +Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain. ### PublisherDomainMismatch See [requirements](publisher-verification-overview.md) for a list of allowed dom **Remediation Steps** 1. 
Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile), and view the email listed as Primary Contact-2. The domain used to perform email verification in Partner Center is the portion after the ΓÇ£@ΓÇ¥ in the Primary ContactΓÇÖs email -3. Log in to [Azure Active Directory](https://aad.portal.azure.com/) > Azure Active Directory > App Registrations blade > (`Your App`) > Branding and Properties -4. Select **Update Publisher Domain** and follow the instructions to **Verify a New Domain**. -5. Add the domain used to perform email verification in Partner Center as a New Domain +1. The domain used to perform email verification in Partner Center is the portion after the "@" in the Primary Contact's email +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations** > **Branding and Properties**. +1. Select **Update Publisher Domain** and follow the instructions to **Verify a New Domain**. +1. Add the domain used to perform email verification in Partner Center as a New Domain. ### NotAuthorizedToVerifyPublisher You aren't authorized to set the verified publisher property on application (<`AppId`). -Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. +Most commonly caused by the signed-in user not being a member of the proper role for the CPP account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. **Remediation Steps**-1. 
Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant. -2. Navigate to [Role Management](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators). -3. Select the desired admin role and click ΓÇ£Add AssignmentΓÇ¥ if you have sufficient permissions. -4. If you do not have sufficient permissions, contact an admin role for assistance +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Roles & admins** > **Roles & admins**. +1. Select the desired admin role and select **Add Assignment** if you have sufficient permissions. +1. If you do not have sufficient permissions, contact an admin role for assistance. ### MPNIdWasNotProvided -The MPN ID wasn't provided in the request body or the request content type wasn't "application/json". +The Partner One ID wasn't provided in the request body or the request content type wasn't "application/json". -Most commonly caused when the verification is being performed via Graph API, and the MPN ID wasnΓÇÖt provided in the request. +Most commonly caused when the verification is being performed via Graph API, and the Partner One ID wasnΓÇÖt provided in the request. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal in the request +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal in the request. 
### MSANotSupported The error message displayed will be: "Due to a configuration change made by your **Remediation Steps** 1. Ensure [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) is enabled and **required** for the user you're signing in with and for this scenario-2. Retry Publisher Verification +1. Retry Publisher Verification ### UserUnableToAddPublisher If you've reviewed all of the previous information and are still receiving an er - ObjectId of target application - AppId of target application - TenantId where app is registered-- MPN ID+- Partner One ID - REST request being made - Error code and message being returned |
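Review bot: "as at least an [Cloud Application Administrator]" in the ApplicationNotFound, ApplicationObjectisInvalid, PublisherDomainMismatch and NotAuthorizedToVerifyPublisher remediation steps should read "a Cloud Application Administrator".

Review bot: In the NotAuthorizedToVerifyPublisher steps the role named in the sign-in step does not fit what the next step asks for: a Cloud Application Administrator cannot add directory role assignments, so "Select the desired admin role and select **Add Assignment**" will fail for a reader who followed the "at least" guidance. Name a role that can assign roles (Privileged Role Administrator or Global Administrator) or keep only the "contact an admin" fallback. The path "**Identity** > **Applications** > **Roles & admins** > **Roles & admins**" also places Roles & admins under Applications, whereas the shared-device-mode change in this same set uses "**Identity** > **Roles & admins** > **Roles & admins**"; the two should agree.

Review bot: "**Application registrations**" in the ApplicationNotFound and ApplicationObjectisInvalid steps should be "**App registrations**", the label used by every other step in this set of changes.

Review bot: The PublisherDomainMismatch path "**Identity** > **Applications** > **Application registrations** > **Branding and Properties**" drops the "(`Your App`)" step that the removed line had, so the reader is never told to open the application before going to Branding and Properties; put the app-selection step back.

Review bot: The MPNIdWasNotProvided line "+Most commonly caused when the verification is being performed via Graph API, and the Partner One ID wasnΓÇÖt provided in the request." keeps the mojibake apostrophe that the ApplicationNotFound hunk fixes ("can't"); change "wasnΓÇÖt" to "wasn't" here as well.

Review bot: "CPP account" in the NotAuthorizedToVerifyPublisher explanation is the only place this change uses that abbreviation; the rest of the page renames MPN to "Partner One ID" and never introduces CPP, so either expand it on first use or use the same term as the other sections.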
active-directory | Tutorial Blazor Webassembly | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-blazor-webassembly.md | We also have a [tutorial for Blazor Server](tutorial-blazor-server.md). - [.NET Core 7.0 SDK](https://dotnet.microsoft.com/download/dotnet-core/7.0) - An Azure AD tenant where you can register an app. If you don't have access to an Azure AD tenant, you can get one by registering with the [Microsoft 365 Developer Program](https://developer.microsoft.com/microsoft-365/dev-program) or by creating an [Azure free account](https://azure.microsoft.com/free). -## Register the app in the Azure portal +## Register the app Every app that uses Azure AD for authentication must be registered with Azure AD. Follow the instructions in [Register an application](quickstart-register-app.md) with these specifications: To create the application, run the following command. Replace the placeholders i dotnet new blazorwasm --auth SingleOrg --calls-graph -o {APP NAME} --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}" -f net7.0 ``` -| Placeholder | Azure portal name | Example | -| - | -- | -- | -| `{APP NAME}` | — | `BlazorWASMSample` | +| Placeholder | Name | Example | +| -- | - |-- | +| `{APP NAME}` | — | `BlazorWASMSample` | | `{CLIENT ID}` | Application (client) ID | `41451fa7-0000-0000-0000-69eff5a761fd` |-| `{TENANT ID}` | Directory (tenant) ID | `e86c78e2-0000-0000-0000-918e0565a45e` | +| `{TENANT ID}` | Directory (tenant) ID | `e86c78e2-0000-0000-0000-918e0565a45e` | ## Test the app Now you'll update your app's registration and code to pull a user's emails and d First, add the `Mail.Read` API permission to the app's registration so that Azure AD is aware that the app will request to access its users' email. -1. In the Azure portal, select your app in **App registrations**. +1. In the Microsoft Entra admin center, select your app in **App registrations**. 1. Under **Manage**, select **API permissions**. 1. 
Select **Add a permission** > **Microsoft Graph**. 1. Select **Delegated Permissions**, then search for and select the **Mail.Read** permission. |
active-directory | Tutorial V2 Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-android.md | In this tutorial: > [!div class="checklist"] > > - Create an Android app project in _Android Studio_-> - Register the app in the Azure portal +> - Register the app in the Microsoft Entra admin center > - Add code to support user sign-in and sign-out > - Add code to call the Microsoft Graph API > - Test the app Follow these steps to create a new project if you don't already have an Android 1. Open Android Studio, and select **Start a new Android Studio project**. 2. Select **Basic Activity** and select **Next**. 3. Enter a name for the application, such as _MSALAndroidapp_.-4. Record the package name to be used in the Azure portal in later steps. +4. Record the package name to be used in later steps. 5. Change the language from **Kotlin** to **Java**. 6. Set the **Minimum SDK API level** to **API 19** or higher, and select **Finish**. Follow these steps to create a new project if you don't already have an Android [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. For **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. For information on different account types, select the **Help me choose** option. 1. Select **Register**. Follow these steps to create a new project if you don't already have an Android </activity> ``` - - Use your Azure portal **Package name** to replace `android:host=.` value. It should look like `com.azuresamples.msalandroidapp`. - - Use your Azure portal **Signature Hash** to replace `android:path=` value. Ensure that there's a leading `/` at the beginning of your Signature Hash. It should look like `/1wIqXSqBj7w+h11ZifsnqwgyKrY=`. + - Use the **Package name** to replace `android:host=.` value. It should look like `com.azuresamples.msalandroidapp`. + - Use the **Signature Hash** to replace `android:path=` value. Ensure that there's a leading `/` at the beginning of your Signature Hash. It should look like `/1wIqXSqBj7w+h11ZifsnqwgyKrY=`. You can find these values in the Authentication blade of your app registration as well. |
active-directory | Tutorial V2 Angular Auth Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-angular-auth-code.md | In this tutorial: > [!div class="checklist"] >-> - Register the application in the Azure portal +> - Register the application in the Microsoft Entra admin center > - Create an Angular project with `npm` > - Add code to support user sign-in and sign-out > - Add code to call Microsoft Graph API To continue with the tutorial and build the application yourself, move on to the To complete registration, provide the application a name, specify the supported account types, and add a redirect URI. Once registered, the application **Overview** pane displays the identifiers needed in the application source code. -1. Sign in to the [Azure portal](https://portal.azure.com). -1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as _Angular-SPA-auth-code_. 1. For **Supported account types**, select **Accounts in this organizational directory only**. 
For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, use the drop-down menu to select **Single-page-application (SPA)** and enter `http://localhost:4200` into the text box. To complete registration, provide the application a name, specify the supported export class AppModule {} ``` -1. Replace the following values with the values obtained from the Azure portal. For more information about available configurable options, see [Initialize client applications](msal-js-initializing-client-applications.md). +1. Replace the following values with the values obtained from the Microsoft Entra admin center. For more information about available configurable options, see [Initialize client applications](msal-js-initializing-client-applications.md). - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application. - `authority` - This is composed of two parts: MSAL Angular provides an `Interceptor` class that automatically acquires tokens ## Add scopes and delegated permissions -The Microsoft Graph API requires the _User.Read_ scope to read a user's profile. The _User.Read_ scope is added automatically to every app registration you create in the Azure portal. Other APIs for Microsoft Graph, and custom APIs for your back-end server, might require other scopes. For example, the Microsoft Graph API requires the _Mail.Read_ scope in order to list the user's email. +The Microsoft Graph API requires the _User.Read_ scope to read a user's profile. The _User.Read_ scope is added automatically to every app registration. Other APIs for Microsoft Graph, and custom APIs for your back-end server, might require other scopes. For example, the Microsoft Graph API requires the _Mail.Read_ scope in order to list the user's email. 
As you add scopes, your users might be prompted to provide extra consent for the added scopes. |
active-directory | Tutorial V2 Aspnet Daemon Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md | In this tutorial: > * Get an access token to call the Microsoft Graph API > * Call the Microsoft Graph API. -If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. ## Prerequisites - [Visual Studio 2017 or 2019](https://visualstudio.microsoft.com/downloads/). - An Azure AD tenant. For more information, see [How to get an Azure AD tenant](quickstart-create-new-tenant.md).-- One or more user accounts in your Azure AD tenant. This sample won't work with a Microsoft account. If you signed in to the [Azure portal](https://portal.azure.com) with a Microsoft account and have never created a user account in your directory, do that now.+- One or more user accounts in your tenant. This sample won't work with a Microsoft account. If you signed in with a Microsoft account and have never created a user account in your directory, do that now. ## Scenario Or [download the sample in a zip file](https://github.com/Azure-Samples/ms-ident This sample has one project. To register the application with your Azure AD tenant, you can either: -- Follow the steps in [Register the sample with your Azure Active Directory tenant](#register-the-client-app-dotnet-web-daemon-v2) and [Configure the sample to use your Azure AD tenant](#choose-the-azure-ad-tenant).+- Follow the steps in [Choose the tenant](#choose-the-tenant) and [Configure the sample to use your tenant](#configure-the-sample-to-use-your-tenant). - Use PowerShell scripts that: - *Automatically* create the Azure AD applications and related objects (passwords, permissions, dependencies) for you. 
- Modify the Visual Studio projects' configuration files. If you want to use the automation: If you don't want to use the automation, use the steps in the following sections. -### Choose the Azure AD tenant +### Choose the tenant [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. ---### Register the client app (dotnet-web-daemon-v2) --1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application, for example `dotnet-web-daemon-v2`. Users of your app might see this name, and you can change it later. 1. In the **Supported account types** section, select **Accounts in any organizational directory**. 1. In the **Redirect URI (optional)** section, select **Web** in the combo box and enter `https://localhost:44316/` and `https://localhost:44316/Account/GrantPermissions` as Redirect URIs. If you don't want to use the automation, use the steps in the following sections 1. 
In the **Application permissions** section, ensure that the right permissions are selected: **User.Read.All**. 1. Select **Add permissions**. -## Configure the sample to use your Azure AD tenant +## Configure the sample to use your tenant In the following steps, **ClientID** is the same as "application ID" or **AppId**. Open the solution in Visual Studio to configure the projects. If you used the setup scripts, the following changes will have been applied for you. 1. Open the **UserSync\Web.Config** file.-1. Find the app key **ida:ClientId**. Replace the existing value with the application ID of the **dotnet-web-daemon-v2** application copied from the Azure portal. -1. Find the app key **ida:ClientSecret**. Replace the existing value with the key that you saved during the creation of the **dotnet-web-daemon-v2** app in the Azure portal. +1. Find the app key **ida:ClientId**. Replace the existing value with the application ID of the **dotnet-web-daemon-v2** application that was previously recorded. +1. Find the app key **ida:ClientSecret**. Replace the existing value with the key that you saved during the creation of the **dotnet-web-daemon-v2** app. ## Run the sample Visual Studio will publish the project and automatically open a browser to the p ### Update the Azure AD tenant application registration for dotnet-web-daemon-v2 -1. Go back to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. In the left pane, select the **Azure Active Directory** service, and then select **App registrations**. -1. Select the **dotnet-web-daemon-v2** application. +1. Go back to the Microsoft Entra admin center, and then select the **dotnet-web-daemon-v2** application in **App registrations**. 1. On the **Authentication** page for your application, update the **Front-channel logout URL** fields with the address of your service. For example, use `https://dotnet-web-daemon-v2-contoso.azurewebsites.net/Account/EndSession`. 1. 
From the **Branding** menu, update the **Home page URL** to the address of your service. For example, use `https://dotnet-web-daemon-v2-contoso.azurewebsites.net`. 1. Save the configuration. |
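Review bot: With "### Register the client app (dotnet-web-daemon-v2)" removed, the "### Choose the tenant" section now carries the whole registration procedure (New registration, supported account types, redirect URIs, application permissions), and the intro link "[Choose the tenant](#choose-the-tenant)" is the only pointer to it. Keep a "Register the client app" heading after the tenant-switch step, or rename the section so its heading describes its content; the heading "### Update the Azure AD tenant application registration for dotnet-web-daemon-v2" further down still refers to the app by the name the removed heading introduced.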
active-directory | Tutorial V2 Ios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-ios.md | In this tutorial: > [!div class="checklist"] > > - Create an iOS or macOS app project in _Xcode_-> - Register the app in the Azure portal +> - Register the app in the Microsoft Entra admin center > - Add code to support user sign-in and sign-out > - Add code to call the Microsoft Graph API > - Test the app If you'd like to download a completed version of the app you build in this tutor 5. Set the **Language** to **Swift** and select **Next**. 6. Select a folder to create your app and select **Create**. -## Register your application +## Register the application [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. 
Select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)** under **Supported account types**. 1. Select **Register**. carthage update --platform macOS You can also use Git Submodule, or check out the latest release to use as a framework in your application. -## Add your app registration +## Add the app registration Next, we add your app registration to your code. import MSAL Next, add the following code to _ViewController.swift_ before to `viewDidLoad()`: ```swift-// Update the below to your client ID you received in the portal. The below is for running the demo only +// Update the below to your client ID. The below is for running the demo only let kClientID = "Your_Application_Id_Here" let kGraphEndpoint = "https://graph.microsoft.com/" // the Microsoft Graph endpoint let kAuthority = "https://login.microsoftonline.com/common" // this authority allows a personal Microsoft account and a work or school account in any organization's Azure AD tenant to sign in var webViewParameters : MSALWebviewParameters? var currentAccount: MSALAccount? ``` -The only value you modify is the value assigned to `kClientID` to be your [Application ID](./developer-glossary.md#application-client-id). This value is part of the MSAL Configuration data that you saved during the step at the beginning of this tutorial to register the application in the Azure portal. +The only value you modify is the value assigned to `kClientID` to be your [Application ID](./developer-glossary.md#application-client-id). This value is part of the MSAL Configuration data that you saved during the step at the beginning of this tutorial to register the application. ## Configure Xcode project settings Add a new keychain group to your project **Signing & Capabilities**. The keychai In this step, you'll register `CFBundleURLSchemes` so that the user can be redirected back to the app after sign in. 
By the way, `LSApplicationQueriesSchemes` also allows your app to make use of Microsoft Authenticator. -In Xcode, open _Info.plist_ as a source code file, and add the following inside of the `<dict>` section. Replace `[BUNDLE_ID]` with the value you used in the Azure portal. If you downloaded the code, the bundle identifier is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section. +In Xcode, open _Info.plist_ as a source code file, and add the following inside of the `<dict>` section. Replace `[BUNDLE_ID]` with the value you previously used. If you downloaded the code, the bundle identifier is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section. ```xml <key>CFBundleURLTypes</key> This app is built for a single account scenario. MSAL also supports multi-accoun Build and deploy the app to a test device or simulator. You should be able to sign in and get tokens for Azure AD or personal Microsoft accounts. -The first time a user signs into your app, they'll be prompted by Microsoft identity to consent to the permissions requested. While most users are capable of consenting, some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, register your app's scopes in the Azure portal. +The first time a user signs into your app, they'll be prompted by Microsoft identity to consent to the permissions requested. While most users are capable of consenting, some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, register your app's scopes. After you sign in, the app will display the data returned from the Microsoft Graph `/me` endpoint. |
active-directory | Tutorial V2 Shared Device Mode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-shared-device-mode.md | In this tutorial: > - Enable and detect shared-device mode > - Detect single or multiple account mode > - Detect a user switch, and enable global sign-in and sign-out-> - Set up tenant and register the application in the Azure portal +> - Set up tenant and register the application > - Set up an Android device in shared-device mode > - Run the sample app private void registerAccountChangeBroadcastReceiver(){ ## Administrator guide -The following steps describe setting up your application in the Azure portal and putting your device into shared-device mode. +The following steps describe setting up your application and putting your device into shared-device mode. -### Register your application in Azure Active Directory +### Register the application -First, register your application within your organizational tenant. Then provide these values below in auth_config.json in order for your application to run correctly. +First, register the application within your organizational tenant. Then provide these values below in auth_config.json in order for your application to run correctly. -For information on how to do this, refer to [Register your application](./tutorial-v2-android.md#register-your-application-with-azure-ad). +For information on how to do this, refer to [Register your application](./tutorial-v2-android.md). > [!NOTE] > When you register your app, please use the quickstart guide on the left-hand side and then select **Android**. This will lead you to a page where you'll be asked to provide the **Package Name** and **Signature Hash** for your app. These are very important to ensure your app configuration will work. You'll then receive a configuration object that you can use for your app that you'll cut and paste into your auth_config.json file. 
-You should select **Make this change for me** and then provide the values the quickstart asks for in the Azure portal. When that's done, we'll generate all the configuration files you need. +You should select **Make this change for me** and then provide the values the quickstart asks for. When that's done, we'll generate all the configuration files you need. ## Set up a tenant -For testing purposes, set up the following in your tenant: at least two employees, one Cloud Device Administrator, and one Global Administrator. In the Azure portal, set the Cloud Device Administrator by modifying Organizational Roles. In the Azure portal, access your Organizational Roles by selecting **Azure Active Directory** > **Roles and Administrators** > **Cloud Device Administrator**. Add the users that can put a device into shared mode. +For testing purposes, set up the following in your tenant: at least two employees, one Cloud Device Administrator, and one Global Administrator. Set the Cloud Device Administrator by modifying Organizational Roles. Access your Organizational Roles by selecting **Identity** > **Roles & admins** > **Roles & admins** > **All roles**, and then select **Cloud Device Administrator**. Add the users that can put a device into shared mode. ## Set up an Android device in shared mode The device is now in shared mode. Any sign-ins and sign-outs on the device will be global, meaning they apply to all apps that are integrated with MSAL and Microsoft Authenticator on the device. You can now deploy applications to the device that use shared-device mode features. -## View the shared device in the Azure portal +## View the shared device -Once you've put a device in shared-mode, it becomes known to your organization and is tracked in your organizational tenant. You can view your shared devices by looking at the **Join Type** in the Azure Active Directory blade of your Azure portal. 
+Once you've put a device in shared-mode, it becomes known to your organization and is tracked in your organizational tenant. You can view your shared devices by looking at the **Join Type**. ## Running the sample app |
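Review bot: "You can view your shared devices by looking at the **Join Type**." no longer says where Join Type is shown; the removed line at least named the Azure Active Directory blade. Name the location in the admin center, for example the device list under **Identity** > **Devices** > **All devices**, where the Join Type column appears, so the section is still actionable after the portal wording is dropped.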
active-directory | Tutorial V2 Windows Uwp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-windows-uwp.md | private async Task DisplayMessageAsync(string message) Now, register your application: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application, for example `UWP-App-calling-MSGraph`. Users of your app might see this name, and you can change it later. 1. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. 1. Select **Register**. Now, register your application: Configure authentication for your application: -1. Back in the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, under **Manage**, select **Authentication** > **Add a platform**, and then select **Mobile and desktop applications**. +1. In to the Microsoft Entra admin center, select **Authentication** > **Add a platform**, and then select **Mobile and desktop applications**. 1. In the **Redirect URIs** section, enter `https://login.microsoftonline.com/common/oauth2/nativeclient`. 1. Select **Configure**. Configure API permissions for your application: -1. 
Under **Manage**, select **API permissions** > **Add a permission**. +1. Select **API permissions** > **Add a permission**. 1. Select **Microsoft Graph**. 1. Select **Delegated permissions**, search for *User.Read*, and verify that **User.Read** is selected. 1. If you made any changes, select **Add permissions** to save them. In the current sample, the `WithRedirectUri("https://login.microsoftonline.com/c You can then remove the line of code because it's required only once, to fetch the value. -3. In the app registration portal, add the returned value in **RedirectUri** in the **Authentication** pane. +3. In the Microsoft Entra admin center, add the returned value in **RedirectUri** in the **Authentication** pane. ## Test your code |
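Review bot: the rewritten authentication step reads `In to the Microsoft Entra admin center, select **Authentication** > **Add a platform**`; "In to" should be "In the", and because the old "Back in the ... under **Manage**" wording that tied this step to the app registration was dropped, the step no longer says where **Authentication** is found. Suggest `1. In the Microsoft Entra admin center, on the page for the app registration you just created, select **Authentication** > **Add a platform**, and then select **Mobile and desktop applications**.`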
active-directory | V2 App Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-app-types.md | -The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios). +The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-types). ## The basics |
active-directory | V2 Oauth Ropc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth-ropc.md | Title: Sign in with resource owner password credentials grant + Title: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials description: Support browser-less authentication flows using the resource owner password credential (ROPC) grant. The Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password > [!WARNING] > Microsoft recommends you do _not_ use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable. - > [!IMPORTANT] > > * The Microsoft identity platform only supports the ROPC grant within Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint. |
active-directory | V2 Oauth2 Implicit Grant Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md | Title: OAuth 2.0 implicit grant flow - The Microsoft identity platform + Title: Microsoft identity platform and OAuth 2.0 implicit grant flow description: Secure single-page apps using Microsoft identity platform implicit flow. -# Microsoft identity platform and implicit grant flow +# Microsoft identity platform and OAuth 2.0 implicit grant flow The Microsoft identity platform supports the OAuth 2.0 implicit grant flow as described in the [OAuth 2.0 Specification](https://tools.ietf.org/html/rfc6749#section-4.2). The defining characteristic of the implicit grant is that tokens (ID tokens or access tokens) are returned directly from the /authorize endpoint instead of the /token endpoint. This is often used as part of the [authorization code flow](v2-oauth2-auth-code-flow.md), in what is called the "hybrid flow" - retrieving the ID token on the /authorize request along with an authorization code. The following diagram shows what the entire implicit sign-in flow looks like and To initially sign the user into your app, you can send an [OpenID Connect](v2-protocols-oidc.md) authentication request and get an `id_token` from the Microsoft identity platform. > [!IMPORTANT]-> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned: `The provided value for the input parameter 'response_type' is not allowed for this client. 
Expected value is 'code'` +> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned: +> +> `The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'` ``` // Line breaks for legibility only client_id=6731de76-14a6-49ae-97bc-6eba6914391e | | | | | `tenant` | required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](./v2-protocols.md#endpoints).Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.| | `client_id` | required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |-| `response_type` | required |Must include `id_token` for OpenID Connect sign-in. It may also include the response_type `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, user.read on Microsoft Graph). It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This id_token+code response is sometimes called the hybrid flow. 
| -| `redirect_uri` | recommended |The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be URL-encoded. | -| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (id_tokens), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | +| `response_type` | required | Must include `id_token` for OpenID Connect sign-in. It may also include the `response_type`, `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, `user.read` on Microsoft Graph). It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This `id_token`+`code` response is sometimes called the hybrid flow. | +| `redirect_uri` | recommended |The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except it must be URL-encoded. | +| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (`id_tokens`), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. 
Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | | `response_mode` | optional |Specifies the method that should be used to send the resulting token back to your app. Defaults to query for just an access token, but fragment if the request includes an id_token. | | `state` | recommended |A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. |-| `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | -| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. 
`prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | +| `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting ID token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | +| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, `select_account`, and `consent`. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via SSO, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | | `login_hint` | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](./optional-claims.md) from an earlier sign-in. | | `domain_hint` | optional |If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. This parameter is commonly used for Line of Business apps that operate in a single tenant, where they'll provide a domain name within a given tenant, forwarding the user to the federation provider for that tenant. 
This hint prevents guests from signing into this application, and limits the use of cloud credentials like FIDO. | code=0.AgAAktYV-sfpYESnQynylW_UKZmH-C9y_G1A | | | | `code` | Included if `response_type` includes `code`. It's an authorization code suitable for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). | | `access_token` |Included if `response_type` includes `token`. The access token that the app requested. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. |-| `token_type` |Included if `response_type` includes `token`. Will always be `Bearer`. | +| `token_type` |Included if `response_type` includes `token`. This will always be `Bearer`. | | `expires_in`|Included if `response_type` includes `token`. Indicates the number of seconds the token is valid, for caching purposes. | | `scope` |Included if `response_type` includes `token`. Indicates the scope(s) for which the access_token will be valid. May not include all the requested scopes if they weren't applicable to the user. For example, Azure AD-only scopes requested when logging in using a personal account. |-| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token reference`](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested and `response_type` included `id_tokens`. | +| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about ID tokens, see the [`id_token reference`](id-tokens.md). 
<br> **Note:** Only provided if `openid` scope was requested and `response_type` included `id_tokens`. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | [!INCLUDE [remind-not-to-validate-access-tokens](includes/remind-not-to-validate-access-tokens.md)] For details on the query parameters in the URL, see [send the sign in request](# > [!TIP] > Try copy & pasting the request below into a browser tab! (Don't forget to replace the `login_hint` values with the correct value for your user) >->`https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=fragment&state=12345&nonce=678910&prompt=none&login_hint={your-username}` +> ``` +> https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=fragment&state=12345&nonce=678910&prompt=none&login_hint={your-username} +> ``` > > Note that this will work even in browsers without third party cookie support, since you're entering this directly into a browser bar as opposed to opening it within an iframe. access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q.. | Parameter | Description | | | | | `access_token` |Included if `response_type` includes `token`. The access token that the app requested, in this case for the Microsoft Graph. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. |-| `token_type` | Will always be `Bearer`. | +| `token_type` | This will always be `Bearer`. 
| | `expires_in` | Indicates the number of seconds the token is valid, for caching purposes. |-| `scope` | Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | +| `scope` | Indicates the scope(s) for which the access token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | | `id_token` | A signed JSON Web Token (JWT). Included if `response_type` includes `id_token`. The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token` reference](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | If you receive this error in the iframe request, the user must interactively sig ## Refreshing tokens -The implicit grant does not provide refresh tokens. Both `id_token`s and `access_token`s will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. If you want to receive a new `id_token`, be sure to use `id_token` in the `response_type` and `scope=openid`, as well as a `nonce` parameter. +The implicit grant does not provide refresh tokens. 
Both ID tokens and access tokens will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. If you want to receive a new ID token, be sure to use `id_token` in the `response_type` and `scope=openid`, as well as a `nonce` parameter. In browsers that do not support third party cookies, this will result in an error indicating that no user is signed in. |
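Review bot: the re-fenced sample request keeps `state=12345&nonce=678910`, while the parameter table in the same change says `state` should be a randomly generated unique value for CSRF protection and `nonce` a randomized unique string that mitigates token replay; a reader who copies the request as-is gets neither protection. Either use obvious placeholders such as `state={random-state}&nonce={random-nonce}` or add one sentence after the request saying the fixed values are for illustration only and must be generated per request. Separately, the rewritten `id_token` response row still ends with "Only provided if `openid` scope was requested and `response_type` included `id_tokens`"; the response type is `id_token` (singular), as the `response_type` request row above it states.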
active-directory | V2 Oauth2 On Behalf Of Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md | This access token is a v1.0-formatted token for Microsoft Graph. This is because An error response is returned by the token endpoint when trying to acquire an access token for the downstream API, if the downstream API has a Conditional Access policy (such as [multifactor authentication](../authentication/concept-mfa-howitworks.md)) set on it. The middle-tier service should surface this error to the client application so that the client application can provide the user interaction to satisfy the Conditional Access policy. +To [surface this error back](https://datatracker.ietf.org/doc/html/rfc6750#section-3.1) to the client, the middle-tier service will reply with HTTP 401 Unauthorized and with a WWW-Authenticate HTTP header containing the error and the claim challenge. The client must parse this header and acquire a new token from the token issuer, by presenting the claims challenge if one exists. Clients should not retry to access the middle-tier service using a cached access token. + ```json { "error":"interaction_required", |
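Review bot: the added paragraph tells the client to parse the `WWW-Authenticate` header for the error and the claims challenge, but the only example that follows is the JSON body with `"error":"interaction_required"`; document the header itself, in the RFC 6750 section 3.1 form `WWW-Authenticate: Bearer error="...", ...` with the claims challenge carried as a parameter, since the header is what the client code has to parse. The same paragraph also alternates between "claim challenge" and "claims challenge"; use one term.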
active-directory | Web Api Tutorial 01 Register App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-tutorial-01-register-app.md | In this tutorial: To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as *NewWebAPI1*. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option. 1. Select **Register**. |
active-directory | Web App Tutorial 01 Register Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-tutorial-01-register-application.md | In this tutorial: To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as *NewWebApp1*. 1. For Supported account types, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. - The **Redirect URI (optional)** will be configured at a later stage. |
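Review bot: the new navigation step says `**Identity** > **Applications** > **Application registrations**`, while the sibling web API tutorial and the UWP tutorial changed in the same set say `**Identity** > **Applications** > **App registrations**`; the blade name should match across the three pages, so change this one to **App registrations**.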
active-directory | Assign Local Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md | When you connect a Windows device with Azure AD using an Azure AD join, Azure AD - The Azure AD joined device local administrator role - The user performing the Azure AD join -By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been *only* assigned the device administrator role to manage a device. +By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to users with the Global Administrator role, you can also enable users that have been *only* assigned the Azure AD Joined Device Local Administrator role to manage a device. 
-## Manage the global administrators role +## Manage the Global Administrator role -To view and update the membership of the Global Administrator role, see: +To view and update the membership of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) role, see: - [View all members of an administrator role in Azure Active Directory](../roles/manage-roles-portal.md) - [Assign a user to administrator roles in Azure Active Directory](../fundamentals/how-subscriptions-associated-directory.md) -## Manage the device administrator role +## Manage the Azure AD Joined Device Local Administrator role +You can manage the [Azure AD Joined Device Local Administrator](/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator) role from **Device settings**. -In the Azure portal, you can manage the device administrator role from **Device settings**. --1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator. -1. Browse to **Azure Active Directory** > **Devices** > **Device settings**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Browse to **Identity** > **Devices** > **All devices** > **Device settings**. 1. Select **Manage Additional local administrators on all Azure AD joined devices**. 1. Select **Add assignments** then choose the other administrators you want to add and select **Add**. -To modify the device administrator role, configure **Additional local administrators on all Azure AD joined devices**. +To modify the Azure AD Joined Device Local Administrator role, configure **Additional local administrators on all Azure AD joined devices**. > [!NOTE] > This option requires Azure AD Premium licenses. -Device administrators are assigned to all Azure AD joined devices. 
You canΓÇÖt scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: +Azure AD Joined Device Local Administrators are assigned to all Azure AD joined devices. You canΓÇÖt scope this role to a specific set of devices. Updating the Azure AD Joined Device Local Administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: - Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges. - User signs out and signs back in, not lock/unlock, to refresh their profile. -Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token. +Users aren't directly listed in the local administrator group, the permissions are received through the Primary Refresh Token. > [!NOTE] > The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the administrator privileges are applied immediately after their first sign-in to the device. ## Manage administrator privileges using Azure AD groups (preview) -Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices. 
+Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you with the granularity to configure distinct administrators for different groups of devices. Organizations can use Intune to manage these policies using [Custom OMA-URI Settings](/mem/intune/configuration/custom-settings-windows-10) or [Account protection policy](/mem/intune/protect/endpoint-security-account-protection-policy). A few considerations for using this policy: -- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID is defined by the property `securityIdentifier` in the API response.+- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID equates to the property `securityIdentifier` in the API response. - Administrator privileges using this policy are evaluated only for the following well-known groups on a Windows 10 or newer device - Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users. 
By default, Azure AD adds the user performing the Azure AD join to the administr - [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by [creating an Autopilot profile](/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).-- [Bulk enrollment](/intune/windows-bulk-enroll) - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined aren't added to the administrators group. +- [Bulk enrollment](/intune/windows-bulk-enroll) - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device has been joined aren't added to the administrators group. ## Manually elevate a user on a device Additionally, you can also add users using the command prompt: ## Considerations -- You can only assign role based groups to the device administrator role.-- Device administrators are assigned to all Azure AD Joined devices. They can't be scoped to a specific set of devices.+- You can only assign role based groups to the Azure AD Joined Device Local Administrator role. +- The Azure AD Joined Device Local Administrator role is assigned to all Azure AD Joined devices. This role can't be scoped to a specific set of devices. - Local administrator rights on Windows devices aren't applicable to [Azure AD B2B guest users](../external-identities/what-is-b2b.md).-- When you remove users from the device administrator role, changes aren't instant. Users still have local administrator privilege on a device as long as they're signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. 
This revocation, similar to the privilege elevation, could take upto 4 hours.+- When you remove users from the Azure AD Joined Device Local Administrator role, changes aren't instant. Users still have local administrator privilege on a device as long as they're signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. This revocation, similar to the privilege elevation, could take upto 4 hours. ## Next steps -- To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).+- To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md). - To learn more about device-based Conditional Access, see [Conditional Access: Require compliant or hybrid Azure AD joined device](../conditional-access/howto-conditional-access-policy-compliant-device.md). |
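Review bot: the rewritten consideration says a user removed from the Azure AD Joined Device Local Administrator role keeps local admin rights until their next sign-in with a fresh primary refresh token, which "could take upto 4 hours", but the page gives an administrator no guidance for urgent removal; either describe what to do when the privilege must be revoked immediately or state explicitly that there is no faster path, so nobody assumes the role change takes effect at once. Also fix "upto" to "up to" here and in the "Upto 4 hours have passed" bullet above, and "signed into" to "signed in to".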
active-directory | Concept Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-primary-refresh-token.md | The following diagrams illustrate the underlying details in issuing, renewing, a > [!NOTE] > In Azure AD joined devices, Azure AD PRT issuance (steps A-F) happens synchronously before the user can logon to Windows. In hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. So, the user is able to login hybrid Azure AD joined Windows after they can acquire a TGT to login, while the PRT issuance happens asynchronously. This scenario does not apply to Azure AD registered devices as logon does not use Azure AD credentials. +> [!NOTE] +> In a Hybrid Azure AD joined Windows environment, the issuance of the PRT occurs asynchronously. The issuance of the PRT may fail due to issues with the federation provider. This failure can result in sign on issues when users try to access cloud resources. It is important to troubleshoot this scenario with the federation provider. + | Step | Description | | :: | | | A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. | |
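Review bot: The added note restates what the note directly above it already says, that PRT issuance on hybrid Azure AD joined devices happens asynchronously; fold the federation-provider failure caveat into the existing note instead of adding a second note with the same point. In the new text, "sign on issues" should be "sign-in issues" to match the surrounding wording.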
active-directory | Device Join Out Of Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-join-out-of-box.md | Your device may restart several times as part of the setup process. Your device :::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-device-sign-in-info.png" alt-text="Screenshot of Windows 11 out-of-box experience showing the sign-in experience."::: 1. Continue to follow the prompts to set up your device. 1. Azure AD checks if an enrollment in mobile device management is required and starts the process.- 1. Windows registers the device in the organizationΓÇÖs directory in Azure AD and enrolls it in mobile device management, if applicable. + 1. Windows registers the device in the organizationΓÇÖs directory and enrolls it in mobile device management, if applicable. 1. If you sign in with a managed user account, Windows takes you to the desktop through the automatic sign-in process. Federated users are directed to the Windows sign-in screen to enter your credentials. :::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-complete-automatic-sign-in-desktop.png" alt-text="Screenshot of Windows 11 at the desktop after first run experience Azure AD joined."::: To verify whether a device is joined to your Azure AD, review the **Access work ## Next steps -- For more information about managing devices in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).+- For more information about managing devices, see [managing devices using the Azure portal](manage-device-identities.md). - [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune) - [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) - [Passwordless authentication options for Azure Active Directory](../authentication/concept-authentication-passwordless.md) |
active-directory | Enterprise State Roaming Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-enable.md | Enterprise State Roaming provides users with a unified experience across their W ## To enable Enterprise State Roaming --1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Browse to **Identity** > **Devices** > **Overview** > **Enterprise State Roaming**. 1. Select **Users may sync settings and app data across devices**. For more information, see [how to configure device settings](./manage-device-identities.md). For a Windows 10 or newer device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the userΓÇÖs primary sign-in identity is their Azure AD identity, so no other configuration is required. For devices that use on-premises Active Directory, the IT admin must [Configure hybrid Azure Active Directory joined devices](./hybrid-join-plan.md). The country/region value is set as part of the Azure AD directory creation proce Follow these steps to view a per-user device sync status report. -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Browse to **Identity** > **Users** > **All users**. 1. Select the user, and then select **Devices**. 1. Select **View devices syncing settings and app data** to show sync status. 1. Devices syncing for the user are shown and can be downloaded. |
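Review bot: Both new sign-in steps require a Global Administrator, but the second procedure only views a per-user device sync status report; a read-only task should name the least-privileged role that can see it (the other procedures in this change set use "at least a Global Reader" for read-only views), so confirm which role suffices and use that instead of Global Administrator.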
active-directory | Enterprise State Roaming Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md | Enterprise State Roaming requires the device to be registered with Azure AD. Alt **Potential issue**: **WamDefaultSet** and **AzureAdJoined** both have ΓÇ£NOΓÇ¥ in the field value, the device was domain-joined and registered with Azure AD, and the device doesn't sync. If it's showing this, the device may need to wait for policy to be applied or the authentication for the device failed when connecting to Azure AD. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. In some cases, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. -**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure portal. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. +**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled. Restart the device and have the user login. 
Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. ## Enterprise State Roaming and multifactor authentication |
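Review bot: The rewritten SettingsUrl paragraph still tells the IT admin to navigate "in the portal" to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**, even though the reference to the Azure portal was removed from the first sentence; update this path to the admin center navigation used in the companion enable article (**Identity** > **Devices** > **Overview** > **Enterprise State Roaming**) so the two halves of the paragraph agree.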
active-directory | How To Hybrid Join Verify | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/how-to-hybrid-join-verify.md | description: Verify configurations for hybrid Azure AD joined devices + Last updated 02/27/2023 For downlevel devices, see the article [Troubleshooting hybrid Azure Active Dire ## Using the Azure portal -1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices). -2. Information on how to locate a device can be found in [How to manage device identities using the Azure portal](./manage-device-identities.md). -3. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle. -4. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com)ntra.microsoft.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Browse to **Identity** > **Devices** > **All devices**. +1. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle. +1. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed. ## Using PowerShell |
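Review bot: The new step 1 contains a malformed link: `[Microsoft Entra admin center](https://entra.microsoft.com)ntra.microsoft.com)` leaves the stray text `ntra.microsoft.com)` after the closing parenthesis and renders as a broken link; it should be `[Microsoft Entra admin center](https://entra.microsoft.com)`.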
active-directory | Howto Manage Local Admin Passwords | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-manage-local-admin-passwords.md | -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +> For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). Every Windows device comes with a built-in local administrator account that you must secure and protect to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) product for local administrator password management of their domain joined Windows machines. With Azure AD support for Windows LAPS, we're providing a consistent experience for both Azure AD joined and hybrid Azure AD joined devices. Other than the built-in Azure AD roles of Cloud Device Administrator, Intune Adm To enable Windows LAPS with Azure AD, you must take actions in Azure AD and the devices you wish to manage. We recommend organizations [manage Windows LAPS using Microsoft Intune](/mem/intune/protect/windows-laps-policy). However, if your devices are Azure AD joined but you're not using Microsoft Intune or Microsoft Intune isn't supported (like for Windows Server 2019/2022), you can still deploy Windows LAPS for Azure AD manually. For more information, see the article [Configure Windows LAPS policy settings](/windows-server/identity/laps/laps-management-policy-settings). -1. Sign in to the **Azure portal** as a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). -1. 
Browse to **Azure Active Directory** > **Devices** > **Device settings** +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Browse to **Identity** > **Devices** > **Overview** > **Device settings** 1. Select **Yes** for the Enable Local Administrator Password Solution (LAPS) setting and select **Save**. You may also use the Microsoft Graph API [Update deviceRegistrationPolicy](/graph/api/deviceregistrationpolicy-update?view=graph-rest-beta&preserve-view=true). 1. Configure a client-side policy and set the **BackUpDirectory** to be Azure AD. |
active-directory | Howto Vm Sign In Azure Ad Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md | There are two ways to enable Azure AD login for your Linux VM: ### Azure portal - You can enable Azure AD login for any of the [supported Linux distributions](#supported-linux-distributions-and-azure-regions) by using the Azure portal. For example, to create an Ubuntu Server 18.04 Long Term Support (LTS) VM in Azure with Azure AD login: To configure role assignments for your Azure AD-enabled Linux VMs: | Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** | | Assign access to | User, group, service principal, or managed identity | - ![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) + ![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) After a few moments, the security principal is assigned the role at the selected scope. The application that appears in the Conditional Access policy is called *Azure L If the Azure Linux VM Sign-In application is missing from Conditional Access, make sure the application isn't in the tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Remove the filters to see all applications, and search for **Virtual Machine**. If you don't see Microsoft Azure Linux Virtual Machine Sign-In as a result, the service principal is missing from the tenant. 
Another way to verify it is via Graph PowerShell: |
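Review bot: The lead-in sentence above the rewritten steps reads "make sure the application isn't in the tenant", which contradicts step 3 in the same hunk ("If you don't see ... the service principal is missing from the tenant"); it should say "make sure the application is in the tenant", as the parallel Windows VM article does.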
active-directory | Howto Vm Sign In Azure Ad Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md | There are two ways to enable Azure AD login for your Windows VM: - Azure Cloud Shell, when you're creating a Windows VM or using an existing Windows VM. > [!NOTE]-> If a device object with the same displayMame as the hostname of a VM where an extension is installed exists, the VM fails to join Azure AD with a hostname duplication error. Avoid duplication by [modifying the hostname](../../virtual-network/virtual-networks-viewing-and-modifying-hostnames.md#modify-a-hostname). +> If a device object with the same displayName as the hostname of a VM where an extension is installed exists, the VM fails to join Azure AD with a hostname duplication error. Avoid duplication by [modifying the hostname](../../virtual-network/virtual-networks-viewing-and-modifying-hostnames.md#modify-a-hostname). ### Azure portal - You can enable Azure AD login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later. To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login: To configure role assignments for your Azure AD-enabled Windows Server 2019 Data | Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** | | Assign access to | User, group, service principal, or managed identity | - ![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) + ![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) ### Azure Cloud Shell Exit code -2145648607 translates to `DSREG_AUTOJOIN_DISC_FAILED`. The extension - `curl https://pas.windows.net/ -D -` > [!NOTE]- > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. 
If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID** in the Azure portal. + > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID**. > > Attempts to connect to `enterpriseregistration.windows.net` might return 404 Not Found, which is expected behavior. Attempts to connect to `pas.windows.net` might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable. Share your feedback about this feature or report problems with using it on the [ If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Remove the filters to see all applications, and search for **VM**. If you don't see **Azure Windows VM Sign-In** as a result, the service principal is missing from the tenant. Another way to verify it is via Graph PowerShell: |
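Review bot: The rewritten tenant ID tip still directs readers to **Azure Active Directory** > **Properties** > **Directory ID** after the "in the Azure portal" phrase was dropped, while the steps later in the same hunk were moved to **Identity** > ... paths in the Microsoft Entra admin center; confirm the admin center navigation path and field label and update this sentence to match, otherwise the tip points at a path the rest of the article no longer uses.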
active-directory | Hybrid Join Manual | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-manual.md | description: Learn how to manually configure hybrid Azure Active Directory join + Last updated 07/05/2022 The following script helps you with the creation of the issuance transform rules #### Remarks * This script appends the rules to the existing rules. Don't run the script twice, because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.-* If you have multiple verified domain names (as shown in the Azure portal or via the **Get-MsolDomain** cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule: +* If you have multiple verified domain names, set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule: ``` c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] |
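Review bot: Dropping the **Get-MsolDomain** reference removes the only instruction on how to check which domain names are verified before deciding whether to set **$multipleVerifiedDomainNames** to **$true**; add a pointer to where an admin can list verified custom domain names so the condition stays actionable. The code fence that follows also has no language tag.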
active-directory | Hybrid Join Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-plan.md | When you're using AD FS, you need to enable the following WS-Trust endpoints: > [!WARNING] > Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. -Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. If installing the required version of Azure AD Connect isn't an option for you, see [how to manually configure device registration](hybrid-join-manual.md). +Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. If installing the required version of Azure AD Connect isn't an option for you, see [how to manually configure device registration](hybrid-join-manual.md). If contoso.com is registered as a confirmed custom domain, users can get a PRT even if their syncronized on-premises AD DS UPN suffix is in a subdomain like test.contoso.com. ## Review on-premises AD users UPN support for hybrid Azure AD join |
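Review bot: The sentence appended to the Azure AD Connect wizard paragraph has a typo: "syncronized" should be "synchronized". The sentence is also about UPN suffixes and PRT issuance, not the wizard, so it belongs under the "Review on-premises AD users UPN support for hybrid Azure AD join" section that follows rather than at the end of this paragraph.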
active-directory | Manage Device Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md | -[![Screenshot that shows the devices overview in the Azure portal.](./media/manage-device-identities/devices-azure-portal.png)](./media/manage-device-identities/devices-azure-portal.png#lightbox) +[![Screenshot that shows the devices overview.](./media/manage-device-identities/devices-azure-portal.png)](./media/manage-device-identities/devices-azure-portal.png#lightbox) You can access the devices overview by completing these steps: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). 1. Go to **Azure Active Directory** > **Devices**. In the devices overview, you can view the number of total devices, stale devices, noncompliant devices, and unmanaged devices. You'll also find links to Intune, Conditional Access, BitLocker keys, and basic monitoring. From there, you can go to **All devices** to: - Review device-related audit logs. - Download devices. -[![Screenshot that shows the All devices view in the Azure portal.](./media/manage-device-identities/all-devices-azure-portal.png)](./media/manage-device-identities/all-devices-azure-portal.png#lightbox) +[![Screenshot that shows the All devices view.](./media/manage-device-identities/all-devices-azure-portal.png)](./media/manage-device-identities/all-devices-azure-portal.png#lightbox) > [!TIP] > - Hybrid Azure AD joined Windows 10 or newer devices don't have an owner. If you're looking for a device by owner and don't find it, search by the device ID. To view or copy BitLocker keys, you need to be the owner of the device or have o ## View and filter your devices (preview) - In this preview, you have the ability to infinitely scroll, reorder columns, and select all devices. 
You can filter the device list by these device attributes: - Enabled state In this preview, you have the ability to infinitely scroll, reorder columns, and To enable the preview in the **All devices** view: -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Go to **Azure Active Directory** > **Devices** > **All devices**. -3. Select the **Preview features** button. -4. Turn on the toggle that says **Enhanced devices list experience**. Select **Apply**. -5. Refresh your browser. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). +1. Browse to **Identity** > **Devices** > **All devices**. +1. Select the **Preview features** button. +1. Turn on the toggle that says **Enhanced devices list experience**. Select **Apply**. +1. Refresh your browser. You can now experience the enhanced **All devices** view. The exported list includes these device identity attributes: If you want to manage device identities by using the Azure portal, the devices need to be either [registered or joined](overview.md) to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings. -You must be assigned one of the following roles to view device settings in the Azure portal: +You must be assigned one of the following roles to view device settings: - Global Administrator - Global Reader You must be assigned one of the following roles to view device settings in the A - Windows 365 Administrator - Directory Reviewer -You must be assigned one of the following roles to manage device settings in the Azure portal: +You must be assigned one of the following roles to manage device settings: - Global Administrator - Cloud Device Administrator |
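Review bot: Step 2 of the first procedure still reads "Go to **Azure Active Directory** > **Devices**" after step 1 was switched to the Microsoft Entra admin center, while the second procedure in the same hunk uses "Browse to **Identity** > **Devices** > **All devices**"; update the first path to match. The sentence "If you want to manage device identities by using the Azure portal, the devices need to be ..." was also left unchanged and should be reworded in the same way as the role sentences below it.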
active-directory | Manage Stale Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md | description: Learn how to remove stale devices from your database of registered + Last updated 09/27/2022 -#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data. - +#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data. # How To: Manage stale devices in Azure AD If the delta between the existing value of the activity timestamp and the curren You have two options to retrieve the value of the activity timestamp: -- The **Activity** column on the [devices page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices) in the Azure portal+- The **Activity** column on the [devices page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices). - :::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot of a page in the Azure portal listing the name, owner, and other information on devices. One column lists the activity time stamp." border="false"::: + :::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot listing the name, owner, and other information of devices. One column lists the activity time stamp." border="false"::: -- The [Get-AzureADDevice](/powershell/module/azuread/Get-AzureADDevice) cmdlet+- The [Get-AzureADDevice](/powershell/module/azuread/Get-AzureADDevice) cmdlet. :::image type="content" source="./media/manage-stale-devices/02.png" alt-text="Screenshot showing command-line output. One line is highlighted and lists a time stamp for the ApproximateLastLogonTimeStamp value." 
border="false"::: Any authentication where a device is being used to authenticate to Azure AD are Devices managed with Intune can be retired or wiped, for more information see the article [Remove devices by using wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe). -To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md) +To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md) |
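Review bot: The reflowed `#Customer intent` line keeps the duplicated words "so that I can I can cleanup"; it should read "so that I can clean up". The Activity bullet also still links to the portal.azure.com devices blade, whereas the other changes in this set point readers at the Microsoft Entra admin center, so either update the link or keep the portal wording in that bullet for consistency.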
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/overview.md | Getting devices in to Azure AD can be done in a self-service manner or a control - Learn more about [Azure AD registered devices](concept-device-registration.md) - Learn more about [Azure AD joined devices](concept-directory-join.md) - Learn more about [hybrid Azure AD joined devices](concept-hybrid-join.md)-- To get an overview of how to manage device identities in the Azure portal, see [Managing device identities using the Azure portal](manage-device-identities.md).+- To get an overview of how to manage device identities, see [Managing device identities using the Azure portal](manage-device-identities.md). - To learn more about device-based Conditional Access, see [Configure Azure Active Directory device-based Conditional Access policies](../conditional-access/concept-conditional-access-grant.md). |
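Review bot: The bullet text dropped "in the Azure portal" but the link text still reads "Managing device identities using the Azure portal"; rename the link text to match the updated sentence so the bullet does not contradict itself.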
active-directory | Plan Device Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/plan-device-deployment.md | Administrators can also [deploy virtual desktop infrastructure (VDI) platforms]( ## Next steps +* [Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune](/mem/intune/configuration/group-policy-analytics) * [Plan your Azure AD join implementation](device-join-plan.md) * [Plan your hybrid Azure AD join implementation](hybrid-join-plan.md) * [Manage device identities](manage-device-identities.md) |
active-directory | Troubleshoot Device Windows Joined | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-windows-joined.md | -1. Sign in to the **Azure portal**. -1. Browse to **Azure Active Directory** > **Devices** > **Diagnose and solve problems**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). +1. Browse to **Identity** > **Devices** > **All devices** > **Diagnose and solve problems**. 1. Select **Troubleshoot** under the **Windows 10+ related issue** troubleshooter. :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane of the Azure portal." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png"::: 1. Select **instructions** and follow the steps to download, run, and collect the required logs for the troubleshooter to analyze. |
active-directory | Troubleshoot Hybrid Join Windows Current | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md | Use Event Viewer to look for the log entries that are logged by the Azure AD Clo | Error code | Reason | Resolution | | | | |-| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled in the Azure portal. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. | +| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. | | **AADSTS50034: The user account `Account` does not exist in the `tenant id` directory** | Azure AD is unable to find the user account in the tenant. 
| <li>Ensure that the user is typing the correct UPN.<li>Ensure that the on-premises user account is being synced with Azure AD.<li>Event 1144 (Azure AD analytics logs) will contain the UPN provided. | | **AADSTS50126: Error validating credentials due to invalid username or password.** | <li>The username and password entered by the user in the Windows LoginUI are incorrect.<li>If the tenant has password hash sync enabled, the device is hybrid-joined, and the user just changed the password, it's likely that the new password hasn't synced with Azure AD. | To acquire a fresh PRT with the new credentials, wait for the Azure AD password sync to finish. | | | | |
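Review bot: The AADSTS50155 resolution cell changes the FAQ anchor from `#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-...` to `#i-disabled-or-deleted-my-device--but-...`; this only resolves if the matching question heading in faq.yml was renamed in the same change, so confirm that heading exists, otherwise the link lands at the top of the FAQ instead of the re-registration steps. The `<li>` items in the Reason column also have no closing tags, which renders inconsistently across the table.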
active-directory | Troubleshoot Hybrid Join Windows Legacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-legacy.md | This article provides you with troubleshooting guidance on how to resolve potent - Hybrid Azure AD join for downlevel Windows devices works slightly differently than it does in Windows 10 or newer. Many customers don't realize that they need AD FS (for federated domains) or Seamless SSO configured (for managed domains). - Seamless SSO doesn't work in private browsing mode on Firefox and Microsoft Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode or if Enhanced Security Configuration is enabled.-- For customers with federated domains, if the Service Connection Point (SCP) was configured such that it points to the managed domain name (for example, contoso.onmicrosoft.com, instead of contoso.com), then Hybrid Azure AD Join for downlevel Windows devices won't work.+- For customers with federated domains, if the Service Connection Point (SCP) was configured such that it points to the managed domain name (for example, contoso.onmicrosoft.com, instead of contoso.com), then Hybrid Azure AD Join for downlevel Windows devices doesn't work. - The same physical device appears multiple times in Azure AD when multiple domain users sign-in the downlevel hybrid Azure AD joined devices. For example, if *jdoe* and *jharnett* sign-in to a device, a separate registration (DeviceID) is created for each of them in the **USER** info tab. - You can also get multiple entries for a device on the user info tab because of a reinstallation of the operating system or a manual re-registration. - The initial registration / join of devices is configured to perform an attempt at either sign-in or lock / unlock. There could be 5-minute delay triggered by a task scheduler task. 
This command displays a dialog box that provides you with details about the join ## Step 2: Evaluate the hybrid Azure AD join status -If the device wasn't hybrid Azure AD joined, you can attempt to do hybrid Azure AD join by clicking on the "Join" button. If the attempt to do hybrid Azure AD join fails, the details about the failure will be shown. +If the device wasn't hybrid Azure AD joined, you can attempt to do hybrid Azure AD join by clicking on the "Join" button. If the attempt to do hybrid Azure AD join fails, the details about the failure are shown. **The most common issues are:** If the device wasn't hybrid Azure AD joined, you can attempt to do hybrid Azure - It could be that AD FS and Azure AD URLs are missing in IE's intranet zone on the client. - Network connectivity issues may be preventing **autoworkplace.exe** from reaching AD FS or the Azure AD URLs. - **Autoworkplace.exe** requires the client to have direct line of sight from the client to the organization's on-premises AD domain controller, which means that hybrid Azure AD join succeeds only when the client is connected to organization's intranet.- - If your organization uses Azure AD Seamless Single Sign-On, `https://autologon.microsoftazuread-sso.com` or `https://aadg.windows.net.nsatc.net` aren't present on the device's IE intranet settings. + - If your organization uses Azure AD Seamless Single Sign-On, `https://autologon.microsoftazuread-sso.com` isn't present on the device's IE intranet settings. + - The internet setting `Do not save encrypted pages to disk` is checked. - You aren't signed on as a domain user :::image type="content" source="./media/troubleshoot-hybrid-join-windows-legacy/03.png" alt-text="Screenshot of the Workplace Join for Windows dialog box. Text reports that an error occurred during account verification." border="false"::: |
active-directory | Troubleshoot Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-primary-refresh-token.md | You can find a full list and description of server error codes in [Azure AD auth - Azure AD can't authenticate the device to issue a PRT. -- The device might have been deleted or disabled in the Azure portal. (For more information, see [Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10/11 devices?](./faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices))+- The device might have been deleted or disabled. (For more information, see [Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10/11 devices?](./faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices)) ##### Solution -Re-register the device based on the device join type. For instructions, see [I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on the device says it's still registered. What should I do?](./faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do). +Re-register the device based on the device join type. For instructions, see [I disabled or deleted my device. But the local state on the device says it's still registered. What should I do?](./faq.yml#i-disabled-or-deleted-my-device--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do). </details> <details> |
active-directory | Directory Delete Howto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md | |
active-directory | Directory Self Service Signup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-self-service-signup.md | |
active-directory | Domains Admin Takeover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-admin-takeover.md | The key and templates aren't moved over when the unmanaged organization is in a Although RMS for individuals is designed to support Azure AD authentication to open protected content, it doesn't prevent users from also protecting content. If users did protect content with the RMS for individuals subscription, and the key and templates weren't moved over, that content isn't accessible after the domain takeover. ### Azure AD PowerShell cmdlets for the ForceTakeover option+ You can see these cmdlets used in [PowerShell example](#powershell-example). cmdlet | Usage |
active-directory | Domains Verify Custom Subdomain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-verify-custom-subdomain.md | |
active-directory | Groups Assign Sensitivity Labels | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md | |
active-directory | Groups Change Type | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-change-type.md | |
active-directory | Groups Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-lifecycle.md | |
active-directory | Groups Naming Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-naming-policy.md | |
active-directory | Groups Restore Deleted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-restore-deleted.md | |
active-directory | Groups Self Service Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-self-service-management.md | |
active-directory | Groups Settings Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-cmdlets.md | |
active-directory | Groups Settings V2 Cmdlets | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-settings-v2-cmdlets.md | Microsoft 365 groups are created and managed in the cloud. The writeback capabil For more details, please refer to documentation for the [Azure AD Connect sync service](../hybrid/connect/how-to-connect-syncservice-features.md). -Microsoft 365 group writeback is a public preview feature of Azure Active Directory (Azure AD) and is available with any paid Azure AD license plan. For some legal information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +Microsoft 365 group writeback is a public preview feature of Azure Active Directory (Azure AD) and is available with any paid Azure AD license plan. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Next steps |
active-directory | Licensing Group Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-group-advanced.md | |
active-directory | Licensing Groups Assign | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-assign.md | Title: Assign licenses to a group -description: How to assign licenses to users by means of Azure Active Directory group licensing +description: How to assign licenses to users with Azure Active Directory group licensing keywords: Azure AD licensing documentationcenter: '' |
active-directory | Licensing Groups Resolve Problems | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md | To see which users and groups are consuming licenses, select a product. Under ** **Problem:** One of the products that's specified in the group contains a service plan that conflicts with another service plan that's already assigned to the user via a different product. Some service plans are configured in a way that they can't be assigned to the same user as another, related service plan. > [!TIP]-> Exchange Online Plan1 and Plan2 were previously non-duplicable service plans. However, now they are service plans that can be duplicated. -> If you are experiencing conflicts with these service plans, please try reprocessing them. +> Previously, Exchange Online Plan1 and Plan2 were unique and couldn't be duplicated. Now, both service plans have been updated to allow duplication. +> If you are experiencing conflicts with these service plans, try reprocessing them. The decision about how to resolve conflicting product licenses always belongs to the administrator. Azure AD doesn't automatically resolve license conflicts. Updating license assignment on a user causes the proxy address calculation to be ## LicenseAssignmentAttributeConcurrencyException in audit logs **Problem:** User has LicenseAssignmentAttributeConcurrencyException for license assignment in audit logs.-When group-based licensing tries to process concurrent license assignment of same license to a user, this exception is recorded on the user. This usually happens when a user is a member of more than one group with same assigned license. Azure AD will retry processing the user license and will resolve the issue. There is no action required from the customer to fix this issue. +When group-based licensing tries to process concurrent license assignment of same license to a user, this exception is recorded on the user. This usually happens when a user is a member of more than one group with same assigned license. Azure AD retries processing the user license until the issue is resolved. There is no action required from the customer to fix this issue. ## More than one product license assigned to a group |
active-directory | Licensing Powershell Graph Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-powershell-graph-examples.md | The purpose of this script is to remove unnecessary direct licenses from users w ```powershell-Import-Module Microsoft.Graph +# Import the Microsoft.Graph.Users and Microsoft.Graph.Groups modules +Import-Module Microsoft.Graph.Users -Force +Import-Module Microsoft.Graph.Authentication -Force +Import-Module Microsoft.Graph.Users.Actions -Force +Import-Module Microsoft.Graph.Groups -Force -# Connect to the Microsoft Graph -Connect-MgGraph +Clear-Host -# Get the group to be processed -$groupId = "48ca647b-7e4d-41e5-aa66-40cab1e19101" --# Get the license to be removed - Office 365 E3 -$skuId = "contoso:ENTERPRISEPACK" --# Minimum set of service plans we know are inherited by this group -$expectedDisabledPlans = @("Exchange Online", "SharePoint Online", "Lync Online") --# Get the users in the group -$users = Get-MgUser -GroupObjectId $groupId --# For each user, get the license for the specified SKU -foreach ($user in $users) { - $license = GetUserLicense $user $skuId -- # If the user has the license assigned directly, continue to the next user - if (UserHasLicenseAssignedDirectly $user $skuId) { - continue - } -- # If the user is inheriting the license from the specified group, continue to the next user - if (UserHasLicenseAssignedFromThisGroup $user $skuId $groupId) { - continue - } +if ($null -eq (Get-MgContext)) { + Connect-MgGraph -Scopes "Directory.Read.All, User.Read.All, Group.Read.All, Organization.Read.All" -NoWelcome +} - # Get the list of disabled service plans for the SKU - $disabledPlans = GetDisabledPlansForSKU $skuId $expectedDisabledPlans +# Get all groups with licenses assigned +$groupsWithLicenses = Get-MgGroup -All -Property AssignedLicenses, DisplayName, Id | Where-Object { $_.assignedlicenses } | Select-Object DisplayName, Id -ExpandProperty AssignedLicenses | Select-Object DisplayName, Id, SkuId - # Get the list of unexpected enabled plans for the user - $extraPlans = GetUnexpectedEnabledPlansForUser $user $skuId $expectedDisabledPlans +$output = @() - # If there are any unexpected enabled plans, print them to the console - if ($extraPlans.Count -gt 0) { - Write-Warning "The user $user has the following unexpected enabled plans for the $skuId SKU: $extraPlans" +# Check if there is any group that has licenses assigned or not +if ($null -ne $groupsWithLicenses) { + # Loop through each group + foreach ($group in $groupsWithLicenses) { + # Get the group's licenses + $groupLicenses = $group.SkuId + + # Get the group's members + $groupMembers = Get-MgGroupMember -GroupId $group.Id -All ++ # Check if the group member list is empty or not + if ($groupMembers) { + # Loop through each member + foreach ($member in $groupMembers) { + # Check if the member is a user + if ($member.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user') { + # Get the user's direct licenses + Write-Host "Fetching license details for $($member.AdditionalProperties.displayName)" -ForegroundColor Yellow + + # Get User With Directly Assigned Licenses Only + $user = Get-MgUser -UserId $member.Id -Property AssignedLicenses, LicenseAssignmentStates, DisplayName | Select-Object DisplayName, AssignedLicenses -ExpandProperty LicenseAssignmentStates | Select-Object DisplayName, AssignedByGroup, State, Error, SkuId | Where-Object { $_.AssignedByGroup -eq $null } ++ $licensesToRemove = @() + if($user) + { + if ($user.count -ge 2) { + foreach ($u in $user) { + $userLicenses = $u.SkuId + $licensesToRemove += $userLicenses | Where-Object { $_ -in $groupLicenses } + } + } + else { + $userLicenses = $user.SkuId + $licensesToRemove = $userLicenses | Where-Object { $_ -in $groupLicenses } + } + } else { + Write-Host "No conflicting licenses found for the user $($member.AdditionalProperties.displayName)" -ForegroundColor Green + } + + + + # Remove the licenses from the user + if ($licensesToRemove) { + Write-Host "Removing the license $($licensesToRemove) from user $($member.AdditionalProperties.displayName) as inherited from group $($group.DisplayName)" -ForegroundColor Green + $result = Set-MgUserLicense -UserId $member.Id -AddLicenses @() -RemoveLicenses $licensesToRemove + $obj = [PSCustomObject]@{ + User = $result.DisplayName + Id = $result.Id + LicensesRemoved = $licensesToRemove + LicenseInheritedFromGroup = $group.DisplayName + GroupId = $group.Id + } ++ $output += $obj ++ } + else { + Write-Host "No action required for $($member.AdditionalProperties.displayName)" -ForegroundColor Green + } + + } + } + } + else { + Write-Host "The licensed group $($group.DisplayName) has no members, exiting now!!" -ForegroundColor Yellow + } + }+ + $output | Format-Table -AutoSize +} +else { + Write-Host "No groups found with licenses assigned." -ForegroundColor Cyan } ``` |
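Review bot: the rewritten script removes licenses with `Set-MgUserLicense -UserId $member.Id -AddLicenses @() -RemoveLicenses $licensesToRemove`, but the new `Connect-MgGraph` call requests only read scopes (`"Directory.Read.All, User.Read.All, Group.Read.All, Organization.Read.All"`), so on a fresh session the removal step fails with an insufficient-privileges error; request a write scope such as `User.ReadWrite.All` (or `Directory.ReadWrite.All`) there instead. The `if ($null -eq (Get-MgContext))` guard also reuses whatever session already exists without checking that its granted scopes cover license writes, so a read-only session opened earlier is silently reused and produces the same failure; comparing `(Get-MgContext).Scopes` against the required scope before proceeding, or always connecting with the full scope list, avoids that.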
active-directory | Licensing Ps Examples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-ps-examples.md | |
active-directory | Linkedin Integration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/linkedin-integration.md | |
active-directory | Users Bulk Restore | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-bulk-restore.md | |
active-directory | Users Custom Security Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-custom-security-attributes.md | -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +> For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). [Custom security attributes](../fundamentals/custom-security-attributes-overview.md) in Azure Active Directory (Azure AD), part of Microsoft Entra, are business-specific attributes (key-value pairs) that you can define and assign to Azure AD objects. For example, you can assign custom security attribute to filter your employees or to help determine who gets access to resources. This article describes how to assign, update, list, or remove custom security attributes for Azure AD. |
active-directory | Users Restrict Guest Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-restrict-guest-permissions.md | |
active-directory | Users Revoke Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/users-revoke-access.md | As an administrator in Azure Active Directory, open PowerShell, run ``Connect-Az >[!NOTE] > For information on specific roles that can perform these steps review [Azure AD built-in roles](../roles/permissions-reference.md)+ ## When access is revoked Once admins have taken the above steps, the user can't gain new tokens for any application tied to Azure Active Directory. The elapsed time between revocation and the user losing their access depends on how the application is granting access: |
active-directory | Add Users Administrator | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/add-users-administrator.md | After you add a guest user to the directory, you can either send the guest user > [!IMPORTANT] > You should follow the steps in [How-to: Add your organization's privacy info in Azure Active Directory](../fundamentals/properties-area.md) to add the URL of your organization's privacy statement. As part of the first time invitation redemption process, an invited user must consent to your privacy terms to continue. -The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). Instructions for the legacy create user process can be found in the [Add or delete users](../fundamentals/add-users.md) article. |
active-directory | Authentication Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/authentication-conditional-access.md | description: Learn how to enforce multi-factor authentication policies for Azure + Last updated 04/17/2023 |
active-directory | B2b Quickstart Add Guest Users Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md | In this quickstart, you'll learn how to add a new guest user to your Azure AD di If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. -The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). Instructions for the legacy create user process can be found in the [Add or delete users](../fundamentals/add-users.md) article. |
active-directory | Bulk Invite Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/bulk-invite-powershell.md | Last updated 07/31/2023 ---# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user. + +# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user. # Tutorial: Use PowerShell to bulk invite Azure AD B2B collaboration users |
active-directory | Claims Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/claims-mapping.md | There are two possible reasons why you might need to edit the claims that are is For information about how to add and edit claims, see [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/saml-claims-customization.md). -For B2B collaboration users, mapping NameID and UPN cross-tenant are prevented for security reasons. +## UPN claims behavior for B2B users ++If you need to issue the UPN value as an application token claim, the actual claim mapping may behave differently for B2B users. If the B2B user authenticates with an external Azure AD identity and you issue user.userprincipalname as the source attribute, Azure AD instead issues the mail attribute. ++For example, letΓÇÖs say you invite an external user whose email is `james@contoso.com` and whose identity exists in an external Azure AD tenant. JamesΓÇÖ UPN in the inviting tenant is created from the invited email and the inviting tenant's original default domain. So, letΓÇÖs say JamesΓÇÖ UPN becomes `James_contoso.com#EXT#@fabrikam.onmicrosoft.com`. For the SAML application that issues user.userprincipalname as the NameID, the value passed for James is `james@contoso.com`. ++All [other external identity types](redemption-experience.md#invitation-redemption-flow) such as SAML/WS-Fed, Google, Email OTP issues the UPN value rather than the email value when you issue user.userprincipalname as a claim. If you want the actual UPN to be issued in the token claim for all B2B users, you can set user.localuserprincipalname as the source attribute instead. ++>[!NOTE] +>The behavior mentioned in this section is same for both cloud-only B2B users and synced users who were [invited/converted to B2B collaboration](invite-internal-users.md). ## Next steps |
active-directory | Code Samples | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/code-samples.md | Last updated 04/06/2023 -+ # Customer intent: As a tenant administrator, I want to bulk-invite external users to an organization from email addresses that I've stored in a .csv file. |
active-directory | Cross Tenant Access Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-overview.md | +> [!IMPORTANT] +> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add. ## Manage external access with inbound and outbound settings |
active-directory | Cross Tenant Access Settings B2b Collaboration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md | +> [!IMPORTANT] +> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add. + ## Before you begin > [!CAUTION] With inbound settings, you select which external users and groups will be able t - In the menu next to the search box, choose either **user** or **group**. - Select **Add**. - ![Screenshot showing adding users and groups.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-add.png) + > [!NOTE] + > You cannot target users or groups in inbound default settings. ++ ![Screenshot showing adding users and groups.](media/cross-tenant-access-settings-b2b-collaboration/generic-inbound-external-users-groups-add-new.png) 1. When you're done adding users and groups, select **Submit**. |
active-directory | Cross Tenant Access Settings B2b Direct Connect | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md | Use cross-tenant access settings to manage how you collaborate with other Azure Learn more about using cross-tenant access settings to [manage B2B direct connect](b2b-direct-connect-overview.md#managing-cross-tenant-access-for-b2b-direct-connect). +> [!IMPORTANT] +> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add. + ## Before you begin - Review the [Important considerations](cross-tenant-access-overview.md#important-considerations) section in the [cross-tenant access overview](cross-tenant-access-overview.md) before configuring your cross-tenant access settings. With inbound settings, you select which external users and groups will be able t - In the menu next to the search box, choose either **user** or **group**. - Select **Add**. + > [!NOTE] + > You cannot target users or groups in inbound default settings. + ![Screenshot showing adding external users for inbound b2b direct connect](media/cross-tenant-access-settings-b2b-direct-connect/b2b-direct-connect-inbound-external-users-groups-add.png) 1. When you're done adding users and groups, select **Submit**. |
active-directory | Faq Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/faq-customers.md | Opt for the next generation Microsoft Entra External ID platform if: - YouΓÇÖre starting fresh building identities into apps or you're in the early stages of product discovery. - The benefits of rapid innovation, new features and capabilities are a priority. +### Why is Azure AD B2C not part of Entra ID/External ID? ++Microsoft Entra External ID and Azure AD B2C are two separate platforms powered by ESTS and IEF respectively. Entra External ID is our new converged platform which is future proof and developer friendly to meet all your identity needs ΓÇô B2E, B2B and B2C. At the same time, we will still continue to support Azure AD B2C as a separate product offering with no change in SLA, and weΓÇÖll continue investments in the product to ensure security, availability, and reliability. + ## Next steps -[Learn more about Microsoft Entra External ID for customers](index.yml) +[Learn more about Microsoft Entra External ID for customers](index.yml) |
active-directory | How To Add Attributes To Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-add-attributes-to-token.md | You can specify which built-in or custom attributes you want to include as claim ## Add built-in or custom attributes to the token -1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**. -1. Select **Applications** > **App registrations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select your application in the list to open the application's **Overview** page. :::image type="content" source="media/how-to-add-attributes-to-token/select-app.png" alt-text="Screenshot of the overview page of the app registration."::: You can specify which built-in or custom attributes you want to include as claim ### Update the application manifest to accept mapped claims -1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**. -1. Select **Applications** > **App registrations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select your application in the list to open the application's **Overview** page. 1. In the left menu, under **Manage**, select **Manifest** to open the application manifest. 1. Find the **acceptMappedClaims** key and set its value to **true**. |
active-directory | How To Create Customer Tenant Portal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-create-customer-tenant-portal.md | In this article, you learn how to: ## Create a new customer tenant -1. Sign in to your organization's [Microsoft Entra admin center](https://entra.microsoft.com/). -1. From the left menu, select **Azure Active Directory** > **Overview**. -1. On the overview page, select **Manage tenants** +1. Sign in to your organization's [Microsoft Entra admin center](https://entra.microsoft.com/) as at least a [Contributor](/azure/role-based-access-control/built-in-roles#contributor). +1. Browse to **Identity** > **Overview** > **Manage tenants**. 1. Select **Create**. :::image type="content" source="media/how-to-create-customer-tenant-portal/create-tenant.png" alt-text="Screenshot of the create tenant option."::: |
active-directory | How To Customize Branding Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-customize-branding-customers.md | The following image displays the neutral default branding of the customer tenant Before you customize any settings, the neutral default branding will appear in your sign-in and sign-up pages. You can customize this default experience with a custom background image or color, favicon, layout, header, and footer. You can also upload a [custom CSS](/azure/active-directory/fundamentals/reference-company-branding-css-template). -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.-1. In the search bar, type and select **Company branding**. -1. Under **Default sign-in** select **Edit**. +1. Browse to **Company Branding** > **Default sign-in** > **Edit**. :::image type="content" source="media/how-to-customize-branding-customers/company-branding-default-edit-button.png" alt-text="Screenshot of the company branding edit button."::: Your customer tenant name replaces the Microsoft banner logo in the neutral defa When no longer needed, you can remove the sign-in customization from your customer tenant via the Azure portal. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). -1.If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier. -1. 
In the search bar, type and select **Company branding**. -1. Under **Default sign-in experience**, select **Edit**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier. +1. Browse to **Company branding** > **Default sign-in experience** > **Edit**. 1. Remove the elements you no longer need. 1. Once finished select **Review + save**. 1. Wait a few minutes for the changes to take effect. |
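Review bot: the two rewritten navigation steps in this file spell the same blade differently, **Company Branding** in the customize section and **Company branding** in the remove section; use one capitalization (the product UI label) so the steps match. The surrounding context still says the customization is removed "via the Azure portal" while the steps now sign in to the Microsoft Entra admin center, which is worth aligning in the same edit.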
active-directory | How To Customize Languages Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-customize-languages-customers.md | You can create a personalized sign-in experience for users who sign in using a s ## Add browser language under Company branding -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.-1. In the search bar, type and select **Company branding**. -1. Under **Browser language customizations**, select **Add browser language**. +1. Browse to **Company branding** > **Browser language customizations** > **Add browser language**. :::image type="content" source="media/how-to-customize-languages-customers/company-branding-add-browser-language.png" alt-text="Screenshot of the browser language customizations tab." lightbox="media/how-to-customize-languages-customers/company-branding-add-browser-language.png"::: The following languages are supported in the customer tenant: - Spanish (Spain) - Swedish (Sweden) - Thai (Thailand)- - Turkish (Turkey) + - Turkish (T├╝rkiye) - Ukrainian (Ukraine) 6. Customize the elements on the **Basics**, **Layout**, **Header**, **Footer**, **Sign-in form**, and **Text** tabs. For detailed instructions, see [Customize the branding and end-user experience](how-to-customize-branding-customers.md). The following languages are supported in the customer tenant: Language customization in the customer tenant allows your user flow to accommodate different languages to suit your customer's needs. 
You can use languages to modify the strings displayed to your customers as part of the attribute collection process during sign-up. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). 2. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.-3. In the left menu, select **Azure Active Directory** > **External Identities**. -4. Select **User flows**. +3. Browse to **Identity** > **External Identities** > **User flows**. 5. Select the user flow that you want to enable for translations. 6. Select **Languages**. 7. On the **Languages** page for the user flow, select the language that you want to customize. |
active-directory | How To Define Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-define-custom-attributes.md | User attributes are values collected from the user during self-service sign-up. - Street Address - Surname -If you want to collect information beyond the built-in attributes, you can create *custom user attributes* and add them to your sign-up user flow. Custom attributes are also known as directory extension attributes because they extend the user profile information stored in your customer directory. All extension attributes for your customer tenant are stored in an app named *b2c-extensions-app*. After a user enters a value for the custom attribute during sign-up, it's added to the user object and can be called via the Microsoft Graph API. +If you want to collect information beyond the built-in attributes, you can create *custom user attributes* and add them to your sign-up user flow. Custom attributes are also known as directory extension attributes because they extend the user profile information stored in your customer directory. All extension attributes for your customer tenant are stored in an app named *b2c-extensions-app*. After a user enters a value for the custom attribute during sign-up, it's added to the user object and can be called via the Microsoft Graph API using the naming convention `extension_<b2c-extensions-app-id>_attributename`. If your application relies on certain built-in or custom user attributes, you can [include these attributes in the token](how-to-add-attributes-to-token.md) that is sent to your application. + ## Create custom attributes -1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**. -1. Select **External Identities** > **Overview**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. 
Browse to **Identity** > **External Identities** > **Overview**. 1. Select **Custom user attributes**. The available user attributes are listed. 1. To add an attribute, select **Add**. In the **Add an attribute** pane, enter the following values: If your application relies on certain built-in or custom user attributes, you ca :::image type="content" source="media/how-to-define-custom-attributes/add-attribute.png" alt-text="Screenshot of the pane for adding an attribute." lightbox="media/how-to-define-custom-attributes/add-attribute.png"::: -1. Select **Create**. The custom attribute is now available in the list of user attributes and can be added to your user flows. +1. Select **Create**. The custom attribute is now available in the list of user attributes and can be [added to your user flows](#include-custom-attributes-in-a-sign-up-flow). ++### About referencing custom attributes ++The custom attributes you create are added to the *b2c-extensions-app* registered in your customer tenant. If you want to call a custom attribute from an application or manage it via Microsoft Graph, use the naming convention `extension_<b2c-extensions-app-id>_<custom-attribute-name>` where: ++- `<b2c-extensions-app-id>` is the *b2c-extensions-app* application ID with no hyphens. +- `<custom-attribute-name>` is the name you assigned to the custom attribute. ++To find the application ID for the *b2c-extensions-app* registered in your customer tenant: ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Browse to **Identity** > **App registrations** > **All applications**. +1. Select the application **b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.** +2. On the **Overview** page, use the **Application (client) ID** value, for example: `12345678-abcd-1234-1234-ab123456789`, but remove the hyphens. 
++**Example**: If you created a custom attribute named **loyaltyNumber**, refer to it as follows: ++`extension_12345678abcd12341234ab123456789_loyaltyNumber` -## Include the attributes in a sign-up flow +## Include custom attributes in a sign-up flow -Follow these steps to add sign-up attributes to a user flow you've already created. (For a new user flow, see [Create a sign-up and sign-in user flow for customers](how-to-user-flow-sign-up-sign-in-customers.md).) +Follow these steps to add custom attributes to a user flow you've already created. (For a new user flow, see [Create a sign-up and sign-in user flow for customers](how-to-user-flow-sign-up-sign-in-customers.md).) -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. -1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**. +1. Browse to **Identity** > **External Identities** > **User flows**. 1. Select the user flow from the list. Follow these steps to add sign-up attributes to a user flow you've already creat You can choose the order in which the attributes are displayed on the sign-up page. -1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**. +1. Browse to **Identity** > **External Identities** > **User flows**. 1. From the list, select your user flow. |
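Review bot: the sample **Application (client) ID** `12345678-abcd-1234-1234-ab123456789` in the new "About referencing custom attributes" section is not a well-formed GUID (its last group has 11 characters; a GUID's last group has 12), so the derived example `extension_12345678abcd12341234ab123456789_loyaltyNumber` is also one character short; use a correctly formed placeholder such as `00000000-0000-0000-0000-000000000000` or say explicitly that the value is illustrative. Two smaller points in the same hunk: the step list is numbered 1., 1., 1., 2., so use either all `1.` or sequential numbers; and the naming convention is written as `extension_<b2c-extensions-app-id>_attributename` in the intro paragraph but as `extension_<b2c-extensions-app-id>_<custom-attribute-name>` in the new section, so pick one placeholder form.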
active-directory | How To Enable Password Reset Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-enable-password-reset-customers.md | The following screenshots show the self-service password rest flow. From the app ## Enable self-service password reset for customers -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.-1. In the navigation pane, select **Azure Active Directory**. -1. Select **External Identities** > **User flows**. +1. Browse to **Identity** > **External Identities** > **User flows**. 1. From the list of **User flows**, select the user flow you want to enable SSPR. 1. Make sure that the sign-up user flow registers **Email with password** as an authentication method under **Identity providers**. The following screenshots show the self-service password rest flow. From the app To enable self-service password reset, you need to enable the email one-time passcode (Email OTP) authentication method for all users in your tenant. To ensure that the Email OTP feature is enabled follow the steps below: - 1. Select **Protect & secure** from the sidebar under **Azure Active Directory** and then **Authentication methods** > **Policies**. + 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). + + 1. Browse to **Identity** > **Protection** > **Authentication methods**. - 1. Under **Method** select **Email OTP (preview)**. + 1. Under **Policies** > **Method** select **Email OTP (preview)**. 
:::image type="content" source="media/how-to-enable-password-reset-customers/authentication-methods.png" alt-text="Screenshot that shows authentication methods."::: |
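Review bot: the unchanged context line "The following screenshots show the self-service password rest flow" carries a typo ("rest" for "reset") that this edit of the same file could fix. The new Email OTP steps are indented one level, so they render as a nested list rather than as a continuation of the numbered procedure above them; either outdent them or make the nesting intentional with an introductory sentence.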
active-directory | How To Facebook Federation Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-facebook-federation-customers.md | If you don't already have a Facebook account, sign up at [https://www.facebook.c - `https://<tenant-name>.ciamlogin.com/<tenant-ID>/federation/oauth2` - `https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2` > [!NOTE]- > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**. + > To find your customer tenant ID, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). Browse to **Identity** > **Overview**. Then select the **Overview** tab and copy the **Tenant ID**. 1. Select **Save changes** at the bottom of the page. 1. At this point, only Facebook application owners can sign in. Because you registered the app, you can sign in with your Facebook account. To make your Facebook application available to your users, from the menu, select **Go live**. Follow all of the steps listed to complete all requirements. You'll likely need to complete the business verification to verify your identity as a business entity or organization. For more information, see [Meta App Development](https://developers.facebook.com/docs/development/release). If you don't already have a Facebook account, sign up at [https://www.facebook.c After you create the Facebook application, in this step you set the Facebook client ID and client secret in Azure AD. You can use the Azure portal or PowerShell to do so. To configure Facebook federation in the Microsoft Entra admin center, follow these steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as the global administrator of your customer tenant. -1. 
Go to **Azure Active Directory** > **External Identities** > **All identity providers**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Browse to **Identity** > **External Identities** > **All identity providers**. 2. Select **+ Facebook**. <!-- ![Screenshot that shows how to add Facebook identity provider in Azure AD.](./media/sign-in-with-facebook/configure-facebook-idp.png)--> To configure Facebook federation by using PowerShell, follow these steps: At this point, the Facebook identity provider has been set up in your customer tenant, but it's not yet available in any of the sign-in pages. To add the Facebook identity provider to a user flow: -1. In your customer tenant, go to **Azure Active Directory** > **External Identities** > **User flows**. +1. Browse to **Identity** > **External Identities** > **User flows**. 1. Select the user flow where you want to add the Facebook identity provider. 1. Under Settings, select **Identity providers** 1. Under **Other Identity Providers**, select **Facebook**. At this point, the Facebook identity provider has been set up in your customer t ## Next steps - [Add Google as an identity provider](how-to-google-federation-customers.md)-- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md)+- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md) |
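Review bot: the rewritten first step drops the role requirement ("as the global administrator of your customer tenant") without replacing it, so the reader no longer learns which role is needed to add an identity provider; keep a role statement, preferably the least-privileged role that can do this, in the form the create-tenant article in this batch uses ("as at least a ..."). The "Next steps" hunk changes only the trailing newline on the last link and needs no action.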
active-directory | How To Google Federation Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-google-federation-customers.md | To enable sign-in for customers with a Google account, you need to create an app - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2` - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2` > [!NOTE]- > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**. + > To find your customer tenant ID, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). Browse to **Identity** > **Overview** and copy the **Tenant ID**. 2. Select **Create**. 3. Copy the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant. **Client secret** is an important security credential. To enable sign-in for customers with a Google account, you need to create an app After you create the Google application, in this step you set the Google client ID and client secret in Azure AD. You can use the Microsoft Entra admin center or PowerShell to do so. To configure Google federation in the Microsoft Entra admin center, follow these steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) as the global administrator of your customer tenant. -1. Go to **Azure Active Directory** > **External Identities** > **All identity providers**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).  +1. Browse to **Identity** > **External Identities** > **All identity providers**. 2. Select **+ Google**. 
<!-- ![Screenshot that shows how to add Google identity provider in Azure AD.](./media/sign-in-with-google/configure-google-idp.png)--> To configure Google federation by using PowerShell, follow these steps: At this point, the Google identity provider has been set up in your Azure AD, but it's not yet available in any of the sign-in pages. To add the Google identity provider to a user flow: -1. In your customer tenant, go to **Azure Active Directory** > **External Identities** > **User flows**. +1. In your customer tenant, browse to **Identity** > **External Identities** > **User flows**. 1. Select the user flow where you want to add the Facebook identity provider. 1. Under Settings, select **Identity providers** 1. Under **Other Identity Providers**, select **Google**. At this point, the Google identity provider has been set up in your Azure AD, bu ## Next steps - [Add Facebook as an identity provider](how-to-facebook-federation-customers.md)-- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md)+- [Customize the branding for customer sign-in experiences](how-to-customize-branding-customers.md) |
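Review bot: as in the Facebook article above, the new sign-in step removes the "as the global administrator" qualifier without naming a required role, so state the role needed. Separately, the unchanged context line "Select the user flow where you want to add the Facebook identity provider." in this Google article reads like a copy-paste leftover and should say Google; and the redirect URIs here use `<tenant-ID>.ciamlogin.com` where the Facebook article uses `<tenant-name>.ciamlogin.com`, which is worth reconciling so readers register the correct URI in the provider console.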
active-directory | How To Identity Protection Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-identity-protection-customers.md | An administrator can choose to dismiss a user's risk in the Microsoft Entra admi 1. Make sure you're using the directory that contains your Azure AD customer tenant: Select the Directories + subscriptions icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar and find your customer tenant in the list. If it's not the current directory, select **Switch**. -1. Browse to **Azure Active Directory** > **Protect & secure** > **Security Center**. +1. Browse to **Identity** > **Protection** > **Security Center**. 1. Select **Identity Protection**. Administrators can then choose to return to the user's risk or sign-ins report t ### Navigating the risk detections report -1. In the [Microsoft Entra admin center](https://entra.microsoft.com), browse to **Azure Active Directory** > **Protect & secure** > **Security Center**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). + +1. Browse to **Identity** > **Protection** > **Security Center**. 1. Select **Identity Protection**. |
active-directory | How To Manage Admin Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-manage-admin-accounts.md | In Azure Active Directory (Azure AD) for customers, a customer tenant represents To create a new admin account, follow these steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Users** > **All users**. 1. Select **New user** > **Create new user**. 1. Enter information for this admin: The admin is created and added to your customer tenant. It's preferable to have You can also invite a new guest user to manage your tenant. To invite an admin, follow these steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. 
Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Users** > **All users**. 1. Select **New user** > **Invite external user**. 1. On the **New user** page, enter information for the admin: An invitation email is sent to the user. The user needs to accept the invitation You can assign a role when you create a user or invite a guest user. You can add a role, change the role, or remove a role for a user: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. 
If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Users** > **All users**. 1. Select the user you want to change the roles for. Then select **Assigned roles**. 1. Select **Add assignments**, select the role to assign (for example, *Application administrator*), and then choose **Add**. You can assign a role when you create a user or invite a guest user. You can add If you need to remove a role assignment from a user, follow these steps: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Users** > **All users**. 1. Select the user you want to change the roles for. Then select **Assigned roles**. 1. Select the role you want to remove, for example *Application administrator*, and then select **Remove assignment**. 
If you need to remove a role assignment from a user, follow these steps: As part of an auditing process, you typically review which users are assigned to specific roles in your customer directory. Use the following steps to audit which users are currently assigned privileged roles. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Roles & admins** > **Roles & admins**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. 2. Select a role, such as **Global administrator**. The **Assignments** page lists the users with that role. ## Delete an administrator account To delete an existing user, you must have a *Global administrator* role assignment. Global admins can delete any user, including other admins. *User administrators* can delete any non-admin user. -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. 
Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Users** > **All users**. 1. Select the user you want to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. |
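Review bot: the "Delete an administrator account" hunk keeps the sign-in step at "Global Administrator or Privileged Role Administrator permissions", but the paragraph directly above it says deleting a user requires a *Global administrator* role (with *User administrators* limited to non-admin users); Privileged Role Administrator is not listed there, so either the step's role list or the paragraph should be corrected so the stated prerequisite matches the task.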
active-directory | How To Manage Customer Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-manage-customer-accounts.md | To add or delete users, your account must be assigned the *User administrator* o ## Create a customer account -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Users** > **All users**. 1. Select **New user** > **Create new user**. 1. Select **Create a customer**. 1. Under **Identity**, select a **Sign in method** and enter the **Value**: As an administrator, you can reset a user's password, if the user forgets their To reset a customer's password: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. 
On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Users** > **All users**. 1. Search for and select the user that needs the reset, and then select **Reset Password**. 1. In the **Reset password** page, select **Reset password**. 1. Copy the password and give it to the user. The user will be required to change the password during the next sign-in process. ## Delete a customer account -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) with Global Administrator or Privileged Role Administrator permissions. -1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar. -1. On the **Portal settings | Directories + subscriptions** page, find your customer tenant in the **Directory name** list, and then select **Switch**. -1. Under **Azure Active Directory**, select **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. 
Browse to **Identity** > **Users** > **All users**. 1. Search for and select the user to delete. 1. Select **Delete**, and then **Yes** to confirm the deletion. |
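Review bot: The rewritten sign-in step in the "Create a customer account", reset-password and "Delete a customer account" hunks asks for more privilege than the page's own prerequisite. The intro line states that to add or delete users the account "must be assigned the *User administrator*" role, yet each hunk now reads `+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) with Global Administrator or Privileged Role Administrator permissions.` Align the step with the prerequisite (for example "with at least User Administrator permissions") so routine user management is not documented as a Global Administrator task.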
active-directory | How To Multifactor Authentication Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-multifactor-authentication-customers.md | Create a Conditional Access policy in your customer tenant that prompts users fo 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Make sure you're using the directory that contains your Azure AD customer tenant: Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar and find your customer tenant in the list. If it's not the current directory, select **Switch**. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. -1. Browse to **Azure Active Directory** > **Protect & secure** > **Security Center**. +1. Browse to **Identity** > **Protection** > **Security Center**. 1. Select **Conditional Access** > **Policies**, and then select **New policy**. Create a Conditional Access policy in your customer tenant that prompts users fo Enable the email one-time passcode authentication method in your customer tenant for all users. -1. Sign in to your customer tenant in the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. Browse to **Azure Active Directory** > **Protect & secure** > **Authentication Methods**. +1. Browse to **Identity** > **Protection** > **Authentication methods**. 1. In the **Method** list, select **Email OTP**. |
active-directory | How To Register Ciam App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-register-ciam-app.md | Azure AD for customers supports authentication for Single-page apps (SPAs). The following steps show you how to register your SPA in the Microsoft Entra admin center: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant: - - 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar. - - 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**. --1. On the sidebar menu, select **Azure Active Directory**. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. -1. Select **Applications**, then select **App Registrations**. +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select **+ New registration**. Azure AD for customers supports authentication for web apps. The following steps show you how to register your web app in the Microsoft Entra admin center: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant: - - 1. 
Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar. - - 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. -1. On the sidebar menu, select **Azure Active Directory**. --1. Select **Applications**, then select **App Registrations**. +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select **+ New registration**. If your web app needs to call an API, you must grant your web app API permission The following steps show you how to register your app in the Microsoft Entra admin center: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). --1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant: - - 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar. - - 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. On the sidebar menu, select **Azure Active Directory**. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. -1. 
Select **Applications**, then select **App Registrations**. +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select **+ New registration**. |
active-directory | How To Single Page App Vanillajs Configure Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-single-page-app-vanillajs-configure-authentication.md | - Title: Tutorial - Handle authentication flows in a vanilla JavaScript single-page app -description: Learn how to configure authentication for a vanilla JavaScript single-page app (SPA) with your Azure Active Directory (AD) for customers tenant. --------- Previously updated : 06/09/2023-#Customer intent: As a developer, I want to learn how to configure vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. ---# Tutorial: Handle authentication flows in a vanilla JavaScript single-page app --In the [previous article](./how-to-single-page-app-vanillajs-prepare-app.md), you created a vanilla JavaScript (JS) single-page application (SPA) and a server to host it. This tutorial demonstrates how to configure the application to authenticate and authorize users to access protected resources. --In this tutorial; --> [!div class="checklist"] -> * Configure the settings for the application -> * Add code to *authRedirect.js* to handle the authentication flow -> * Add code to *authPopup.js* to handle the authentication flow --## Prerequisites --* Completion of the prerequisites and steps in [Prepare a single-page application for authentication](how-to-single-page-app-vanillajs-prepare-app.md). --## Edit the authentication configuration file --The application uses the [Implicit Grant Flow](../../develop/v2-oauth2-implicit-grant-flow.md) to authenticate users. The Implicit Grant Flow is a browser-based flow that doesn't require a back-end server. The flow redirects the user to the sign-in page, where the user signs in and consents to the permissions that are being requested by the application. 
The purpose of *authConfig.js* is to configure the authentication flow. --1. Open *public/authConfig.js* and add the following code snippet: -- ```javascript - /** - * Configuration object to be passed to MSAL instance on creation. - * For a full list of MSAL.js configuration parameters, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md - */ - const msalConfig = { - auth: { - clientId: 'Enter_the_Application_Id_Here', // This is the ONLY mandatory field that you need to supply. - authority: 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace "Enter_the_Tenant_Subdomain_Here" with your tenant subdomain - redirectUri: '/', // You must register this URI on Azure Portal/App Registration. Defaults to window.location.href e.g. http://localhost:3000/ - navigateToLoginRequestUrl: true, // If "true", will navigate back to the original request location before processing the auth code response. - }, - cache: { - cacheLocation: 'sessionStorage', // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO. - storeAuthStateInCookie: false, // set this to true if you have to support IE - }, - system: { - loggerOptions: { - loggerCallback: (level, message, containsPii) => { - if (containsPii) { - return; - } - switch (level) { - case msal.LogLevel.Error: - console.error(message); - return; - case msal.LogLevel.Info: - console.info(message); - return; - case msal.LogLevel.Verbose: - console.debug(message); - return; - case msal.LogLevel.Warning: - console.warn(message); - return; - } - }, - }, - }, - }; - - /** - * An optional silentRequest object can be used to achieve silent SSO - * between applications by providing a "login_hint" property. 
- */ - - // const silentRequest = { - // scopes: ["openid", "profile"], - // loginHint: "example@domain.net" - // }; - - // exporting config object for jest - if (typeof exports !== 'undefined') { - module.exports = { - msalConfig: msalConfig, - loginRequest: loginRequest, - }; - } - ``` --1. Replace the following values with the values from the Azure portal: - - Find the `Enter_the_Application_Id_Here` value and replace it with the **Application ID (clientId)** of the app you registered in the Microsoft Entra admin center. - - In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, [learn how to read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details). -2. Save the file. --## Adding code to the redirection file --A redirection file is required to handle the response from the sign-in page. It is used to extract the access token from the URL fragment and use it to call the protected API. It is also used to handle errors that occur during the authentication process. --1. Open *public/authRedirect.js* and add the following code snippet: -- ```javascript - // Create the main myMSALObj instance - // configuration parameters are located at authConfig.js - const myMSALObj = new msal.PublicClientApplication(msalConfig); - - let username = ""; - - /** - * A promise handler needs to be registered for handling the - * response returned from redirect flow. 
For more information, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/initialization.md#redirect-apis - */ - myMSALObj.handleRedirectPromise() - .then(handleResponse) - .catch((error) => { - console.error(error); - }); - - function selectAccount() { - - /** - * See here for more info on account retrieval: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md - */ - - const currentAccounts = myMSALObj.getAllAccounts(); - - if (!currentAccounts) { - return; - } else if (currentAccounts.length > 1) { - // Add your account choosing logic here - console.warn("Multiple accounts detected."); - } else if (currentAccounts.length === 1) { - welcomeUser(currentAccounts[0].username); - updateTable(currentAccounts[0]); - } - } - - function handleResponse(response) { - - /** - * To see the full list of response object properties, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response - */ - - if (response !== null) { - welcomeUser(response.account.username); - updateTable(response.account); - } else { - selectAccount(); - } - } - - function signIn() { - - /** - * You can pass a custom request object below. This will override the initial configuration. For more information, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request - */ - - myMSALObj.loginRedirect(loginRequest); - } - - function signOut() { - - /** - * You can pass a custom request object below. This will override the initial configuration. For more information, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request - */ - - // Choose which account to logout from by passing a username. 
- const logoutRequest = { - account: myMSALObj.getAccountByUsername(username), - postLogoutRedirectUri: '/signout', // remove this line if you would like navigate to index page after logout. - - }; - - myMSALObj.logoutRedirect(logoutRequest); - } - ``` --1. Save the file. --## Adding code to the *authPopup.js* file --The application uses *authPopup.js* to handle the authentication flow when the user signs in using the pop-up window. The pop-up window is used when the user is already signed in and the application needs to get an access token for a different resource. --1. Open *public/authPopup.js* and add the following code snippet: -- ```javascript - // Create the main myMSALObj instance - // configuration parameters are located at authConfig.js - const myMSALObj = new msal.PublicClientApplication(msalConfig); - - let username = ""; - - function selectAccount () { - - /** - * See here for more info on account retrieval: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md - */ - - const currentAccounts = myMSALObj.getAllAccounts(); - - if (!currentAccounts || currentAccounts.length < 1) { - return; - } else if (currentAccounts.length > 1) { - // Add your account choosing logic here - console.warn("Multiple accounts detected."); - } else if (currentAccounts.length === 1) { - username = currentAccounts[0].username - welcomeUser(currentAccounts[0].username); - updateTable(currentAccounts[0]); - } - } - - function handleResponse(response) { - - /** - * To see the full list of response object properties, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response - */ - - if (response !== null) { - username = response.account.username - welcomeUser(username); - updateTable(response.account); - } else { - selectAccount(); - } - } - - function signIn() { - - /** - * You can pass a custom request object below. 
This will override the initial configuration. For more information, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request - */ - - myMSALObj.loginPopup(loginRequest) - .then(handleResponse) - .catch(error => { - console.error(error); - }); - } - - function signOut() { - - /** - * You can pass a custom request object below. This will override the initial configuration. For more information, visit: - * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request - */ - - // Choose which account to logout from by passing a username. - const logoutRequest = { - account: myMSALObj.getAccountByUsername(username), - mainWindowRedirectUri: '/signout' - }; - - myMSALObj.logoutPopup(logoutRequest); - } - - selectAccount(); - ``` --1. Save the file. --## Next steps --> [!div class="nextstepaction"] -> [Sign in and sign out of the vanilla JS SPA](./how-to-single-page-app-vanillajs-sign-in-sign-out.md) |
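Review bot: The "Edit the authentication configuration file" paragraph says the application "uses the [Implicit Grant Flow]", which contradicts the configuration in the same patch: the `navigateToLoginRequestUrl` comment speaks of "processing the auth code response", and `new msal.PublicClientApplication(msalConfig)` from `@azure/msal-browser` (installed in the companion prepare-app article) performs the authorization code flow with PKCE. Reword the paragraph to name the authorization code flow with PKCE, since the implicit flow is the less secure option and is not what the snippet configures.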
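Review bot: `loginRequest` is referenced but never defined in the authConfig.js hunk. The snippet ends with `module.exports = { msalConfig: msalConfig, loginRequest: loginRequest, };`, and both `myMSALObj.loginRedirect(loginRequest)` in authRedirect.js and `myMSALObj.loginPopup(loginRequest)` in authPopup.js depend on it, so the sign-in button would fail with a ReferenceError. Add a definition next to `msalConfig`, for example `const loginRequest = { scopes: ['openid', 'profile'] };`, matching the scopes already shown in the commented `silentRequest` block.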
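Review bot: In the authRedirect.js hunk, `username` is declared (`let username = "";`) but never assigned, so `myMSALObj.getAccountByUsername(username)` in `signOut()` looks up an empty string and the logout request carries no account. The `selectAccount()` guard `if (!currentAccounts) { return; }` also never fires for an empty array returned by `getAllAccounts()`. Mirror the authPopup.js hunk, which already does both correctly: `if (!currentAccounts || currentAccounts.length < 1) { return; }` and `username = currentAccounts[0].username` / `username = response.account.username` before calling `welcomeUser`.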
active-directory | How To Single Page App Vanillajs Prepare App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-single-page-app-vanillajs-prepare-app.md | - Title: Tutorial - Prepare a vanilla JavaScript single-page app (SPA) for authentication in a customer tenant -description: Learn how to prepare a vanilla JavaScript single-page app (SPA) for authentication and authorization with your Azure Active Directory (AD) for customers tenant. --------- Previously updated : 06/09/2023-#Customer intent: As a developer, I want to learn how to configure vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure AD for customers tenant. ---# Tutorial: Prepare a vanilla JavaScript single-page app for authentication in a customer tenant --In the [previous article](./how-to-single-page-app-vanillajs-prepare-tenant.md), you registered an application and configured user flows in your Azure Active Directory (AD) for customers tenant. This article shows you how to create a vanilla JavaScript (JS) single-page app (SPA) and configure it to sign in and sign out users with your customer tenant. --In this tutorial; --> [!div class="checklist"] -> * Create a vanilla JavaScript project in Visual Studio Code -> * Install required packages -> * Add code to *server.js* to create a server --## Prerequisites --* Completion of the prerequisites and steps in [Prepare your customer tenant to authenticate a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-prepare-tenant.md). -* Although any integrated development environment (IDE) that supports vanilla JS applications can be used, **Visual Studio Code** is recommended for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page. -* [Node.js](https://nodejs.org/en/download/). --## Create a new vanilla JS project and install dependencies --1. 
Open Visual Studio Code, select **File** > **Open Folder...**. Navigate to and select the location in which to create your project. -1. Open a new terminal by selecting **Terminal** > **New Terminal**. -1. Run the following command to create a new vanilla JS project: -- ```powershell - npm init -y - ``` -1. Create additional folders and files to achieve the following project structure: -- ``` - ΓööΓöÇΓöÇ public - ΓööΓöÇΓöÇ authConfig.js - ΓööΓöÇΓöÇ authPopup.js - ΓööΓöÇΓöÇ authRedirect.js - ΓööΓöÇΓöÇ https://docsupdatetracker.net/index.html - ΓööΓöÇΓöÇ signout.html - ΓööΓöÇΓöÇ styles.css - ΓööΓöÇΓöÇ ui.js - ΓööΓöÇΓöÇ server.js - ``` - -## Install app dependencies --1. In the **Terminal**, run the following command to install the required dependencies for the project: -- ```powershell - npm install express morgan @azure/msal-browser - ``` --## Edit the *server.js* file --**Express** is a web application framework for **Node.js**. It's used to create a server that hosts the application. **Morgan** is the middleware that logs HTTP requests to the console. The server file is used to host these dependencies and contains the routes for the application. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview/). --1. Add the following code snippet to the *server.js* file: -- ```javascript - const express = require('express'); - const morgan = require('morgan'); - const path = require('path'); - - const DEFAULT_PORT = process.env.PORT || 3000; - - // initialize express. - const app = express(); - - // Configure morgan module to log all requests. - app.use(morgan('dev')); - - // serve public assets. 
- app.use(express.static('public')); - - // serve msal-browser module - app.use(express.static(path.join(__dirname, "node_modules/@azure/msal-browser/lib"))); - - // set up a route for signout.html - app.get('/signout', (req, res) => { - res.sendFile(path.join(__dirname + '/public/signout.html')); - }); - - // set up a route for redirect.html - app.get('/redirect', (req, res) => { - res.sendFile(path.join(__dirname + '/public/redirect.html')); - }); - - // set up a route for https://docsupdatetracker.net/index.html - app.get('/', (req, res) => { - res.sendFile(path.join(__dirname + '/https://docsupdatetracker.net/index.html')); - }); - - app.listen(DEFAULT_PORT, () => { - console.log(`Sample app listening on port ${DEFAULT_PORT}!`); - }); -- ``` --In this code, the **app** variable is initialized with the **express** module and **express** is used to serve the public assets. **Msal-browser** is served as a static asset and is used to initiate the authentication flow. --## Next steps --> [!div class="nextstepaction"] -> [Configure SPA for authentication](how-to-single-page-app-vanillajs-configure-authentication.md) |
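Review bot: The `/redirect` route in the server.js hunk serves `public/redirect.html`, but the project structure created earlier in the same patch lists no redirect.html, so the route can only return a file-not-found error; either drop the route or add the file to the structure and the tutorial. Separately, `res.sendFile(path.join(__dirname + '/public/signout.html'))` concatenates the path before `path.join` sees it, which defeats the purpose of the call; write `path.join(__dirname, 'public', 'signout.html')` (and likewise for the other two routes).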
active-directory | How To Single Page App Vanillajs Prepare Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-single-page-app-vanillajs-prepare-tenant.md | - Title: Tutorial - Prepare your customer tenant to authenticate users in a Vanilla JavaScript single-page application -description: Learn how to configure your Azure Active Directory (AD) for customers tenant for authentication with a Vanilla JavaScript single-page app (SPA). --------- Previously updated : 06/09/2023-#Customer intent: As a developer, I want to learn how to configure a vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. ---# Tutorial: Prepare your customer tenant to authenticate a vanilla JavaScript single-page app --This tutorial series demonstrates how to build a vanilla JavaScript single-page application (SPA) and prepare it for authentication using the Microsoft Entra admin center. You'll use the [Microsoft Authentication Library for JavaScript](/javascript/api/overview/msal-overview) library to authenticate your app with your Azure Active Directory (Azure AD) for customers tenant. Finally, you'll run the application and test the sign-in and sign-out experiences. --In this tutorial; --> [!div class="checklist"] -> * Register a SPA in the Microsoft Entra admin center, and record its identifiers -> * Define the platform and URLs -> * Grant permissions to the SPA to access the Microsoft Graph API -> * Create a sign in and sign out user flow in the Microsoft Entra admin center -> * Associate your SPA with the user flow --## Prerequisites --- An Azure subscription. If you don't have one, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.-- This Azure account must have permissions to manage applications. 
Any of the following Azure AD roles include the required permissions:-- * Application administrator - * Application developer - * Cloud application administrator --- An Azure AD for customers tenant. If you haven't already, [create one now](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl). You can use an existing customer tenant if you have one.--## Register the SPA and record identifiers ---## Add a platform redirect URL ---## Grant API permissions ---## Create a user flow ---## Associate the SPA with the user flow ---## Next steps --> [!div class="nextstepaction"] -> [Prepare your Vanilla JS SPA](how-to-single-page-app-vanillajs-prepare-app.md) |
active-directory | How To Single Page App Vanillajs Sign In Sign Out | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-single-page-app-vanillajs-sign-in-sign-out.md | - Title: Tutorial - Add sign-in and sign-out to a Vanilla JavaScript single-page app (SPA) for a customer tenant -description: Learn how to configure a Vanilla JavaScript single-page app (SPA) to sign in and sign out users with your Azure Active Directory (AD) for customers tenant. -------- Previously updated : 05/25/2023-#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. ---# Tutorial: Add sign-in and sign-out to a vanilla JavaScript single-page app for a customer tenant --In the [previous article](how-to-single-page-app-vanillajs-configure-authentication.md), you edited the popup and redirection files that handle the sign-in page response. This tutorial demonstrates how to build a responsive user interface (UI) that contains a **Sign-In** and **Sign-Out** button and run the project to test the sign-in and sign-out functionality. --In this tutorial; --> [!div class="checklist"] -> * Add code to the *https://docsupdatetracker.net/index.html* file to create the user interface -> * Add code to the *signout.html* file to create the sign-out page -> * Sign in and sign out of the application --## Prerequisites --* Completion of the prerequisites and steps in [Create components for authentication and authorization](how-to-single-page-app-vanillajs-configure-authentication.md). --## Add code to the *https://docsupdatetracker.net/index.html* file --The main page of the SPA, *https://docsupdatetracker.net/index.html*, is the first page that is loaded when the application is started. It's also the page that is loaded when the user selects the **Sign-Out** button. --1. 
Open *public/https://docsupdatetracker.net/index.html* and add the following code snippet: -- ```html - <!DOCTYPE html> - <html lang="en"> - - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no"> - <title>Microsoft identity platform</title> - <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon"> - <link rel="stylesheet" href="./styles.css"> - - <!-- adding Bootstrap 5 for UI components --> - <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/css/bootstrap.min.css" rel="stylesheet" - integrity="sha384-Zenh87qX5JnK2Jl0vWa8Ck2rdkQ2Bzep5IDxbcnCeuOxjzrPF/et3URy9Bv1WTRi" crossorigin="anonymous"> - - <!-- msal.min.js can be used in the place of msal-browser.js --> - <script src="/msal-browser.min.js"></script> - </head> - - <body> - <nav class="navbar navbar-expand-sm navbar-dark bg-primary navbarStyle"> - <a class="navbar-brand" href="/">Microsoft identity platform</a> - <div class="navbar-collapse justify-content-end"> - <button type="button" id="signIn" class="btn btn-secondary" onclick="signIn()">Sign-in</button> - <button type="button" id="signOut" class="btn btn-success d-none" onclick="signOut()">Sign-out</button> - </div> - </nav> - <br> - <h5 id="title-div" class="card-header text-center">Vanilla JavaScript single-page application secured with MSAL.js - </h5> - <h5 id="welcome-div" class="card-header text-center d-none"></h5> - <br> - <div class="table-responsive-ms" id="table"> - <table id="table-div" class="table table-striped d-none"> - <thead id="table-head-div"> - <tr> - <th>Claim Type</th> - <th>Value</th> - <th>Description</th> - </tr> - </thead> - <tbody id="table-body-div"> - </tbody> - </table> - </div> - <!-- importing bootstrap.js and supporting js libraries --> - <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" - integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"> - </script> - <script 
src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.6/dist/umd/popper.min.js" - integrity="sha384-oBqDVmMz9ATKxIep9tiCxS/Z9fNfEXiDAYTujMAeBAsjFuCZSmKbSSUnQlmh/jp3" - crossorigin="anonymous"></script> - <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.2.2/dist/js/bootstrap.bundle.min.js" - integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3" - crossorigin="anonymous"></script> - - <!-- importing app scripts (load order is important) --> - <script type="text/javascript" src="./authConfig.js"></script> - <script type="text/javascript" src="./ui.js"></script> - <script type="text/javascript" src="./claimUtils.js"></script> - <!-- <script type="text/javascript" src="./authRedirect.js"></script> --> - <!-- uncomment the above line and comment the line below if you would like to use the redirect flow --> - <script type="text/javascript" src="./authPopup.js"></script> - </body> - - </html> - ``` --1. Save the file. --## Add code to the *signout.html* file --1. Open *public/signout.html* and add the following code snippet: -- ```html - <!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1.0"> - <title>Azure AD | Vanilla JavaScript SPA</title> - <link rel="SHORTCUT ICON" href="./favicon.svg" type="image/x-icon"> - - <!-- adding Bootstrap 4 for UI components --> - <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous"> - </head> - <body> - <div class="jumbotron" style="margin: 10%"> - <h1>Goodbye!</h1> - <p>You have signed out and your cache has been cleared.</p> - <a class="btn btn-primary" href="/" role="button">Take me back</a> - </div> - </body> - </html> - ``` --1. Save the file. 
--## Add code to the *ui.js* file --When authorization has been configured, the user interface can be created to allow users to sign in and sign out when the project is run. To build the user interface (UI) for the application, [Bootstrap](https://getbootstrap.com/) is used to create a responsive UI that contains a **Sign-In** and **Sign-Out** button. --1. Open *public/ui.js* and add the following code snippet: -- ```javascript - // Select DOM elements to work with - const signInButton = document.getElementById('signIn'); - const signOutButton = document.getElementById('signOut'); - const titleDiv = document.getElementById('title-div'); - const welcomeDiv = document.getElementById('welcome-div'); - const tableDiv = document.getElementById('table-div'); - const tableBody = document.getElementById('table-body-div'); - - function welcomeUser(username) { - signInButton.classList.add('d-none'); - signOutButton.classList.remove('d-none'); - titleDiv.classList.add('d-none'); - welcomeDiv.classList.remove('d-none'); - welcomeDiv.innerHTML = `Welcome ${username}!`; - }; - - function updateTable(account) { - tableDiv.classList.remove('d-none'); - - const tokenClaims = createClaimsTable(account.idTokenClaims); - - Object.keys(tokenClaims).forEach((key) => { - let row = tableBody.insertRow(0); - let cell1 = row.insertCell(0); - let cell2 = row.insertCell(1); - let cell3 = row.insertCell(2); - cell1.innerHTML = tokenClaims[key][0]; - cell2.innerHTML = tokenClaims[key][1]; - cell3.innerHTML = tokenClaims[key][2]; - }); - }; - ``` --1. Save the file. --## Add code to the *styles.css* file --1. Open *public/styles.css* and add the following code snippet: -- ```css - .navbarStyle { - padding: .5rem 1rem !important; - } - - .table-responsive-ms { - max-height: 39rem !important; - padding-left: 10%; - padding-right: 10%; - } - ``` --1. Save the file. 
--## Run your project and sign in --Now that all the required code snippets have been added, the application can be called and tested in a web browser. --1. Open a new terminal and run the following command to start your express web server. - ```powershell - npm start - ``` -1. Open a new private browser, and enter the application URI into the browser, `http://localhost:3000/`. -1. Select **No account? Create one**, which starts the sign-up flow. -1. In the **Create account** window, enter the email address registered to your Azure Active Directory (AD) for customers tenant, which starts the sign-up flow as a user for your application. -1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed. -- 1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**. --1. The SPA will now display a button saying **Request Profile Information**. Select it to display profile data. -- :::image type="content" source="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png" alt-text="Screenshot of sign in into a vanilla JS SPA." lightbox="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png"::: --## Sign out of the application --1. To sign out of the application, select **Sign out** in the navigation bar. -1. A window appears asking which account to sign out of. -1. Upon successful sign out, a final window appears advising you to close all browser windows. --## Next steps --- [Enable self-service password reset](./how-to-enable-password-reset-customers.md) |
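Review bot: in the removed *ui.js* snippet, `updateTable` and `welcomeUser` write token claim values into the DOM with `innerHTML` (`cell1.innerHTML = tokenClaims[key][0];`, `welcomeDiv.innerHTML = \`Welcome ${username}!\`;`); claim values such as the username and account details entered at sign-up are data, not markup, so `textContent` is the safer assignment. If this code is being moved to the tutorial rather than dropped, carry that change with it.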
active-directory | How To User Flow Add Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-user-flow-add-application.md | Because you might want the same sign-in experience for all of your customer-faci If you already registered your application in your customer tenant, you can add it to the new user flow. This step activates the sign-up and sign-in experience for users who visit your application. An application can have only one user flow, but a user flow can be used by multiple applications. -1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory** > **External Identities** > **User flows**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). ++1. Browse to **Identity** > **External Identities** > **User flows**. 1. From the list, select your user flow. |
active-directory | How To User Flow Sign Up Sign In Customers | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-user-flow-sign-up-sign-in-customers.md | Follow these steps to create a user flow a customer can use to sign in or sign u ### To add a new user flow -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. -1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**. +1. Browse to **Identity** > **External Identities** > **User flows**. 1. Select **New user flow**. Follow these steps to create a user flow a customer can use to sign in or sign u You can choose the order in which the attributes are displayed on the sign-up page. -1. In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Azure Active Directory**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. In the left pane, select **Azure Active Directory** > **External Identities** > **User flows**. +1. Browse to **Identity** > **External Identities** > **User flows**. 1. From the list, select your user flow. |
active-directory | How To Web App Node Use Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-web-app-node-use-certificate.md | -In production, you should purchase a certificate signed by a well-known certificate authority, and use [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) to manage certificate access and lifetime for you. However, for testing purposes, you can create a self-signed certificate and configure your apps to authenticate with it. +In production, you should purchase a certificate signed by a well-known certificate authority, and use [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) to manage certificate access and lifetime for you. However, for testing purposes, you can create a self-signed certificate and configure your apps to authenticate with it. -In this article, you learn to generate a self-signed certificate by using [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) on the Azure portal, OpenSSL or Windows PowerShell. +In this article, you learn to generate a self-signed certificate by using [Azure Key Vault](https://azure.microsoft.com/products/key-vault/) on the Azure portal, OpenSSL or Windows PowerShell. If you have a client secret already, you'll learn how to safely delete it. When needed, you can also create a self-signed certificate programmatically by using [.NET](/azure/key-vault/certificates/quick-create-net), [Node.js](/azure/key-vault/certificates/quick-create-node), [Go](/azure/key-vault/certificates/quick-create-go), [Python](/azure/key-vault/certificates/quick-create-python) or [Java](/azure/key-vault/certificates/quick-create-java) client libraries. 
After the command finishes execution, you should have a *.crt* and a *.key* file [!INCLUDE [active-directory-customers-app-integration-add-user-flow](./includes/register-app/add-client-app-certificate.md)] + ## Configure your Node.js app to use certificate Once you associate your app registration with the certificate, you need to update your app code to start using the certificate: -1. Locate the file that contains your MSAL configuration object, such as `msalConfig` in *authConfig.js*, then update it to look similar to the following code: +1. Locate the file that contains your MSAL configuration object, such as `msalConfig` in *authConfig.js*, then update it to look similar to the following code. If you have a client secret present, make sure you remove it: ```javascript require('dotenv').config(); Once you associate your app registration with the certificate, you need to updat auth: { clientId: process.env.CLIENT_ID || 'Enter_the_Application_Id_Here', // 'Application (client) ID' of app registration in Azure portal - this value is a GUID authority: process.env.AUTHORITY || `https://${TENANT_SUBDOMAIN}.ciamlogin.com/`, - //clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app registration in Azure portal clientCertificate: { thumbprint: "YOUR_CERT_THUMBPRINT", // replace with thumbprint obtained during step 2 above privateKey: privateKey Once you associate your app registration with the certificate, you need to updat You can use your existing certificate directly from Azure Key Vault: -1. Locate the file that contains your MSAL configuration object, such as `msalConfig` in *authConfig.js*, then comment the `clientSecret` property: +1. 
Locate the file that contains your MSAL configuration object, such as `msalConfig` in *authConfig.js*, then remove the `clientSecret` property: ```java const msalConfig = { auth: { clientId: process.env.CLIENT_ID || 'Enter_the_Application_Id_Here', // 'Application (client) ID' of app registration in Azure portal - this value is a GUID authority: process.env.AUTHORITY || `https://${TENANT_SUBDOMAIN}.ciamlogin.com/`, - //clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app registration in Azure portal }, //... }; |
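Review bot: the second config snippet (the Azure Key Vault variant of `msalConfig`) is fenced as `java` although it is JavaScript; tag it `javascript` like the first snippet. Also, the introduction promises that readers "learn how to safely delete" an existing client secret, but this hunk only removes the `clientSecret` line from `msalConfig`; the steps should also say to remove `CLIENT_SECRET` from the `.env` file and to delete the secret from the app registration, since a secret left in place stays valid even when the code no longer references it.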
active-directory | Microsoft Graph Operations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/microsoft-graph-operations.md | During registration, you'll specify a **Redirect URI** which redirects the user The following steps show you how to register your app in the Microsoft Entra admin center: -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. If you have access to multiple tenants, make sure you use the directory that contains your Azure AD for customers tenant: +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. - 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar. -- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD for customers directory in the **Directory name** list, and then select **Switch**. --1. On the sidebar menu, select **Azure Active Directory**. --1. Select **Applications**, then select **App Registrations**. +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select **+ New registration**. |
active-directory | Quickstart Get Started Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/quickstart-get-started-guide.md | + + Title: Quickstart - Get started guide +description: Use our quickstart guide to customize your tenant in just a few steps. +++++++ Last updated : 08/25/2023++++#Customer intent: As a dev, devops, or IT admin, I want to personalize the customer tenant. ++# Quickstart: Get started with our guide to run a sample app and sign in your users (preview) ++In this quickstart, we'll guide you through customizing the look and feel of your apps in the customer tenant, setting up a user and configuring a sample app in only a few minutes. With these built-in customer configuration features, Azure AD for customers can serve as the identity provider and access management service for your customers. ++## Prerequisites ++- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a> or [create a tenant with customer configurations in the Microsoft Entra admin center](quickstart-tenant-setup.md). ++## Customize your sign-in experience ++You can customize your customer's sign-in and sign-up experience in the Azure AD for customers tenant. Follow the guide that will help you set up the tenant in three easy steps. First you must specify how would you like your customer to sign in. At this step you can choose between two options: **Email and password** or **Email and one-time passcode**. You can configure social accounts later, which would allow your customers to sign in using their [Google](how-to-google-federation-customers.md) or [Facebook](how-to-facebook-federation-customers.md) account. You can also [define custom attributes](how-to-define-custom-attributes.md) to collect from the user during sign-up. 
++If you prefer, you can add your company logo, change the background color or adjust the sign-in layout. These optional changes will apply to the look and feel of all your apps in this tenant with customer configurations. After you have the created tenant, additional branding options are available. You can [customize the default branding](how-to-customize-branding-customers.md) and [add languages](how-to-customize-languages-customers.md). Once you're finished with the customization, select **Continue**. +++## Try out the sign-up experience and create your first user ++1. The guide will configure your tenant with the options you have selected. Once the configuration is complete, the button will change its text from **Setting up...** to **Run it now**. +1. Select the **Run it now** button. A new browser tab will open with the sign-in page for your tenant that can be used to create and sign in users. +1. Select **No account? Create one** to create a new user in the tenant. +1. Add your new user's email address and select **Next**. Don't use the same email you used to create your trial. +1. Complete the sign-up steps on the screen. Typically, once the user has signed in, they're redirected back to your app. However, since you havenΓÇÖt set up an app at this step, you'll be redirected to JWT.ms instead, where you can view the contents of the token issued during the sign-in process. +1. Go back to the guide tab. At this stage, you can either exit the guide and go to the admin center to explore the full range of configuration options for your tenant. Or you can **Continue** and set up a sample app. 
We recommend setting up the sample app, so that you can use it to test any further configuration changes you make ++ :::image type="content" source="media/quickstart-trial-setup/successful-trial-setup.png" alt-text="Screenshot that shows the successful creation of the sign-up experience."::: ++## Set up a sample app ++The get started guide will automatically configure sample apps for the below app types and languages: ++- Single Page Application (SPA): JavaScript, React, Angular +- Web app: Node.js (Express), ASP.NET Core ++Follow the steps below, to download and run the sample app. ++1. Proceed to set up the sample app by selecting the app type. +1. Select your language and **Download sample app** on your machine. +1. Follow the instructions to install and run the app. Sign into the sample app. ++ :::image type="content" source="media/quickstart-trial-setup/sample-app-setup.png" alt-text="Screenshot of the sample app setup."::: ++1. You've completed the process of creating a trial tenant, configuring the sign-in experience, creating your first user, and setting up a sample app. Select **Continue** to go to the summary page, where you can either go to the admin center or you can restart the guide to choose different options. ++## Explore Azure AD for customers ++Follow the articles below to learn more about the configuration the guide created for you or to configure your own apps. You can always come back to the [admin center](https://entra.microsoft.com/) to customize your tenant and explore the full range of configuration options for your tenant. ++> [!NOTE] +> The next time you return to your tenant, you might be prompted to set up additional authentication factors for added security of your tenant admin account. 
++## Next steps + - [Register an app in CIAM](how-to-register-ciam-app.md) + - [Customize user experience for your customers](how-to-customize-branding-customers.md) + - [Create a sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md) + - See the [Azure AD for customers Developer Center](https://aka.ms/ciam/dev) for the latest developer content and resources + |
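Review bot: in the "Try out the sign-up experience" list, the sentence "We recommend setting up the sample app, so that you can use it to test any further configuration changes you make" is missing its final full stop; the same sentence also appears in the trial-setup article being trimmed below, so fix it here where it now lives.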
active-directory | Quickstart Tenant Setup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/quickstart-tenant-setup.md | In this quickstart, you'll learn how to create a tenant with customer configurat ## Create a new tenant with customer configurations -1. Sign in to your organization's [Microsoft Entra admin center](https://entra.microsoft.com/). -1. From the left menu, select **Azure Active Directory** > **Overview**. -1. Select **Manage tenants** at the top of the page. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Browse to **Identity** > **Overview** > **Manage tenants**. 1. Select **Create**. :::image type="content" source="media/how-to-create-customer-tenant-portal/create-tenant.png" alt-text="Screenshot of the create tenant option."::: In this quickstart, you'll learn how to create a tenant with customer configurat :::image type="content" source="media/how-to-create-customer-tenant-portal/tenant-successfully-created.png" alt-text="Screenshot that shows the link to the new tenant."::: +## Customize your tenant with a guide ++Our guide will walk you through the process of setting up a user and configuring a sample app in just a few minutes. This means that you can quickly and easily test out different sign-in and sign-up options and set up a sample app to see what works best for you. This guide is available in any customer tenant. ++> [!NOTE] +> The guide wonΓÇÖt run automatically in customer tenants that you created with the steps above. If you want to run the guide, follow the steps below. ++1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. 
Browse to **Home** > **Go to Microsoft Entra ID** +1. On the Get started tab, select **Start the guide**. ++ :::image type="content" source="media/how-to-create-customer-tenant-portal/guide-link.png" alt-text="Screenshot that shows how to start the guide."::: ++This link will take you to the [guide](quickstart-get-started-guide.md), where you can customize your tenant in three easy steps. + ## Clean up resources If you're not going to continue to use this tenant, you can delete it using the following steps: -1. Ensure that you're signed in to the directory that you want to delete through the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the Azure portal. Switch to the target directory if needed. -1. From the left menu, select **Azure Active Directory** > **Overview**. -1. Select **Manage tenants** at the top of the page. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant. +1. Browse to **Identity** > **Overview** > **Manage tenants**. 1. Select the tenant you want to delete, and then select **Delete**. :::image type="content" source="media/how-to-create-customer-tenant-portal/delete-tenant.png" alt-text="Screenshot that shows how to delete the tenant."::: The tenant and its associated information are deleted. ## Next steps-- [Customize the sign-in experience](how-to-customize-branding-customers.md) -- [Register an app](how-to-register-ciam-app.md)-- [Create user flows](how-to-user-flow-sign-up-sign-in-customers.md)++To learn more about the set-up guide and how to customize your tenant, see the [Get started guide](quickstart-get-started-guide.md) article. |
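Review bot: the new step "Browse to **Home** > **Go to Microsoft Entra ID**" in the "Customize your tenant with a guide" list lacks the trailing period that every other step in the list has; add it for consistency.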
active-directory | Quickstart Trial Setup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/quickstart-trial-setup.md | During the free trial period, you'll have access to all product features with fe :::image type="content" source="media/quickstart-trial-setup/setting-up-free-trial.png" alt-text="Screenshot of the loading page while setting up the customer tenant free trial."::: -## Customize your sign-in experience +## Get started guide -You can customize your customer's sign-in and sign-up experience in the Azure AD for customers tenant. Follow the guide that will help you set up the tenant in three easy steps. First you must specify how would you like your customer to sign in. At this step you can choose between two options: **Email and password** or **Email and one-time passcode**. You can configure social accounts later, which would allow your customers to sign in using their [Google](how-to-google-federation-customers.md) or [Facebook](how-to-facebook-federation-customers.md) account. You can also [define custom attributes](how-to-define-custom-attributes.md) to collect from the user during sign-up. --If you prefer, you can add your company logo, change the background color or adjust the sign-in layout. These optional changes will apply to the look and feel of all your apps in this tenant with customer configurations. After you have the created tenant, additional branding options are available. You can [customize the default branding](how-to-customize-branding-customers.md) and [add languages](how-to-customize-languages-customers.md). Once you're finished with the customization, select **Continue**. ---## Try out the sign-up experience and create your first user --1. The guide will configure your tenant with the options you have selected. Once the configuration is complete, the button will change its text from **Setting up...** to **Run it now**. -1. Select the **Run it now** button. 
A new browser tab will open with the sign-in page for your tenant that can be used to create and sign in users. -1. Select **No account? Create one** to create a new user in the tenant. -1. Add your new user's email address and select **Next**. Don't use the same email you used to create your trial. -1. Complete the sign-up steps on the screen. Typically, once the user has signed in, they're redirected back to your app. However, since you havenΓÇÖt set up an app at this step, you'll be redirected to JWT.ms instead, where you can view the contents of the token issued during the sign-in process. -1. Go back to the guide tab. At this stage, you can either exit the guide and go to the admin center to explore the full range of configuration options for your tenant. Or you can **Continue** and set up a sample app. We recommend setting up the sample app, so that you can use it to test any further configuration changes you make -- :::image type="content" source="media/quickstart-trial-setup/successful-trial-setup.png" alt-text="Screenshot that shows the successful creation of the sign-up experience."::: --## Set up a sample app --The get started guide will automatically configure sample apps for the below app types and languages: --- Single Page Application (SPA): JavaScript, React, Angular-- Web app: Node.js (Express), ASP.NET Core--Follow the steps below, to download and run the sample app. --1. Proceed to set up the sample app by selecting the app type. -1. Select your language and **Download sample app** on your machine. -1. Follow the instructions to install and run the app. Sign into the sample app. -- :::image type="content" source="media/quickstart-trial-setup/sample-app-setup.png" alt-text="Screenshot of the sample app setup."::: --1. You've completed the process of creating a trial tenant, configuring the sign-in experience, creating your first user, and setting up a sample app. 
Select **Continue** to go to the summary page, where you can either go to the admin center or you can restart the guide to choose different options. --## Explore Azure AD for customers --Follow the articles below to learn more about the configuration the guide created for you or to configure your own apps. You can always come back to the [admin center](https://entra.microsoft.com/) to customize your tenant and explore the full range of configuration options for your tenant. --> [!NOTE] -> The next time you return to your tenant, you might be prompted to set up additional authentication factors for added security of your tenant admin account. --## Next steps +Once your customer tenant free trial is ready, the next step is to personalize your customer's sign-in and sign-up experience, set up a user in your tenant, and configure a sample app. The get started guide will walk you through all of these steps in just a few minutes. For more information about the next steps see the [get started guide](quickstart-get-started-guide.md) article. |
active-directory | Sample Single Page App Vanillajs Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/sample-single-page-app-vanillajs-sign-in.md | Title: Sign in users in a sample vanilla JavaScript single-page application -description: Learn how to configure a sample JavaSCript single-page application (SPA) to sign in and sign out users. +description: Learn how to configure a sample JavaScript single-page application (SPA) to sign in and sign out users. If you choose to download the `.zip` file, extract the sample app file to a fold ``` 1. Open a web browser and navigate to `http://localhost:3000/`.-1. Select **No account? Create one**, which starts the sign-up flow. -1. In the **Create account** window, enter the email address registered to your customer tenant, which starts the sign-up flow as a user for your application. -1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed. -1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**. +1. Sign-in with an account registered to the customer tenant. +1. Once signed in the display name is shown next to the **Sign out** button as shown in the following screenshot. 1. The SPA will now display a button saying **Request Profile Information**. Select it to display profile data. :::image type="content" source="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png" alt-text="Screenshot of sign in into a vanilla JS SPA." lightbox="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png"::: |
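Review bot: in the replaced steps, "Sign-in with an account registered to the customer tenant" uses the noun form as a verb; write "Sign in with an account". The next step "Once signed in the display name is shown next to the **Sign out** button as shown in the following screenshot." needs a comma after "signed in" and duplicates "shown"; for example "Once signed in, the display name appears next to the **Sign out** button, as shown in the following screenshot."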
active-directory | Samples Ciam All | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/samples-ciam-all.md | These samples and how-to guides demonstrate how to integrate a single-page appli > [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample guide | Build and integrate guide | > | - | -- | - |-> | JavaScript, Vanilla | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | +> | JavaScript, Vanilla | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](tutorial-single-page-app-vanillajs-prepare-tenant.md) | > | JavaScript, Angular | • [Sign in users](./sample-single-page-app-angular-sign-in.md) | | > | JavaScript, React | • [Sign in users](./sample-single-page-app-react-sign-in.md) | • [Sign in users](./tutorial-single-page-app-react-sign-in-prepare-tenant.md) | These samples and how-to guides demonstrate how to write a daemon application th > [!div class="mx-tdCol2BreakAll"] > | App type | Code sample guide | Build and integrate guide | > | - | -- | - |-> | Single-page application | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](how-to-single-page-app-vanillajs-prepare-tenant.md) | +> | Single-page application | • [Sign in users](./sample-single-page-app-vanillajs-sign-in.md) | • [Sign in users](tutorial-single-page-app-vanillajs-prepare-tenant.md) | ### JavaScript, Angular |
active-directory | Tutorial Single Page App Vanillajs Configure Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-single-page-app-vanillajs-configure-authentication.md | + + Title: Tutorial - Handle authentication flows in a Vanilla JavaScript single-page app +description: Learn how to configure authentication for a Vanilla JavaScript single-page app (SPA) with your Azure Active Directory (AD) for customers tenant. +++++++++ Last updated : 08/17/2023+#Customer intent: As a developer, I want to learn how to configure Vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant. +++# Tutorial: Handle authentication flows in a Vanilla JavaScript single-page app ++In the [previous article](./tutorial-single-page-app-vanillajs-prepare-app.md), you created a Vanilla JavaScript (JS) single-page application (SPA) and a server to host it. This tutorial demonstrates how to configure the application to authenticate and authorize users to access protected resources. ++In this tutorial; ++> [!div class="checklist"] +> * Configure the settings for the application +> * Add code to *authRedirect.js* to handle the authentication flow +> * Add code to *authPopup.js* to handle the authentication flow ++## Prerequisites ++* Completion of the prerequisites and steps in [Prepare a single-page application for authentication](tutorial-single-page-app-vanillajs-prepare-app.md). ++## Edit the authentication configuration file ++The application uses the [Implicit Grant Flow](../../develop/v2-oauth2-implicit-grant-flow.md) to authenticate users. The Implicit Grant Flow is a browser-based flow that doesn't require a back-end server. The flow redirects the user to the sign-in page, where the user signs in and consents to the permissions that are being requested by the application. 
The purpose of *authConfig.js* is to configure the authentication flow. ++1. Open *public/authConfig.js* and add the following code snippet: ++ ```javascript + /** + * Configuration object to be passed to MSAL instance on creation. + * For a full list of MSAL.js configuration parameters, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md + */ + const msalConfig = { + auth: { + clientId: 'Enter_the_Application_Id_Here', // This is the ONLY mandatory field that you need to supply. + authority: 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace "Enter_the_Tenant_Subdomain_Here" with your tenant subdomain + redirectUri: '/', // You must register this URI on Azure Portal/App Registration. Defaults to window.location.href e.g. http://localhost:3000/ + navigateToLoginRequestUrl: true, // If "true", will navigate back to the original request location before processing the auth code response. + }, + cache: { + cacheLocation: 'sessionStorage', // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO. + storeAuthStateInCookie: false, // set this to true if you have to support IE + }, + system: { + loggerOptions: { + loggerCallback: (level, message, containsPii) => { + if (containsPii) { + return; + } + switch (level) { + case msal.LogLevel.Error: + console.error(message); + return; + case msal.LogLevel.Info: + console.info(message); + return; + case msal.LogLevel.Verbose: + console.debug(message); + return; + case msal.LogLevel.Warning: + console.warn(message); + return; + } + }, + }, + }, + }; + + /** + * An optional silentRequest object can be used to achieve silent SSO + * between applications by providing a "login_hint" property. 
+ */ + + // const silentRequest = { + // scopes: ["openid", "profile"], + // loginHint: "example@domain.net" + // }; + + // exporting config object for jest + if (typeof exports !== 'undefined') { + module.exports = { + msalConfig: msalConfig, + loginRequest: loginRequest, + }; + } + ``` ++1. Replace the following values with the values from the Azure portal: + - Find the `Enter_the_Application_Id_Here` value and replace it with the **Application ID (clientId)** of the app you registered in the Microsoft Entra admin center. + - In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, [learn how to read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details). +2. Save the file. ++## Adding code to the redirection file ++A redirection file is required to handle the response from the sign-in page. It is used to extract the access token from the URL fragment and use it to call the protected API. It is also used to handle errors that occur during the authentication process. ++1. Open *public/authRedirect.js* and add the following code snippet: ++ ```javascript + // Create the main myMSALObj instance + // configuration parameters are located at authConfig.js + const myMSALObj = new msal.PublicClientApplication(msalConfig); + + let username = ""; + + /** + * A promise handler needs to be registered for handling the + * response returned from redirect flow. 
For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/initialization.md#redirect-apis + */ + myMSALObj.handleRedirectPromise() + .then(handleResponse) + .catch((error) => { + console.error(error); + }); + + function selectAccount() { + + /** + * See here for more info on account retrieval: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md + */ + + const currentAccounts = myMSALObj.getAllAccounts(); + + if (!currentAccounts) { + return; + } else if (currentAccounts.length > 1) { + // Add your account choosing logic here + console.warn("Multiple accounts detected."); + } else if (currentAccounts.length === 1) { + welcomeUser(currentAccounts[0].username); + updateTable(currentAccounts[0]); + } + } + + function handleResponse(response) { + + /** + * To see the full list of response object properties, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response + */ + + if (response !== null) { + welcomeUser(response.account.username); + updateTable(response.account); + } else { + selectAccount(); + } + } + + function signIn() { + + /** + * You can pass a custom request object below. This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + myMSALObj.loginRedirect(loginRequest); + } + + function signOut() { + + /** + * You can pass a custom request object below. This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + // Choose which account to logout from by passing a username. 
+ const logoutRequest = { + account: myMSALObj.getAccountByUsername(username), + postLogoutRedirectUri: '/signout', // remove this line if you would like navigate to index page after logout. + + }; + + myMSALObj.logoutRedirect(logoutRequest); + } + ``` ++1. Save the file. ++## Adding code to the *authPopup.js* file ++The application uses *authPopup.js* to handle the authentication flow when the user signs in using the pop-up window. The pop-up window is used when the user is already signed in and the application needs to get an access token for a different resource. ++1. Open *public/authPopup.js* and add the following code snippet: ++ ```javascript + // Create the main myMSALObj instance + // configuration parameters are located at authConfig.js + const myMSALObj = new msal.PublicClientApplication(msalConfig); + + let username = ""; + + function selectAccount () { + + /** + * See here for more info on account retrieval: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-common/docs/Accounts.md + */ + + const currentAccounts = myMSALObj.getAllAccounts(); + + if (!currentAccounts || currentAccounts.length < 1) { + return; + } else if (currentAccounts.length > 1) { + // Add your account choosing logic here + console.warn("Multiple accounts detected."); + } else if (currentAccounts.length === 1) { + username = currentAccounts[0].username + welcomeUser(currentAccounts[0].username); + updateTable(currentAccounts[0]); + } + } + + function handleResponse(response) { + + /** + * To see the full list of response object properties, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#response + */ + + if (response !== null) { + username = response.account.username + welcomeUser(username); + updateTable(response.account); + } else { + selectAccount(); + } + } + + function signIn() { + + /** + * You can pass a custom request object below. 
This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + myMSALObj.loginPopup(loginRequest) + .then(handleResponse) + .catch(error => { + console.error(error); + }); + } + + function signOut() { + + /** + * You can pass a custom request object below. This will override the initial configuration. For more information, visit: + * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/request-response-object.md#request + */ + + // Choose which account to logout from by passing a username. + const logoutRequest = { + account: myMSALObj.getAccountByUsername(username), + mainWindowRedirectUri: '/signout' + }; + + myMSALObj.logoutPopup(logoutRequest); + } + + selectAccount(); + ``` ++1. Save the file. ++## Next steps ++> [!div class="nextstepaction"] |
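Review bot: `loginRequest` is exported from *authConfig.js* (`loginRequest: loginRequest` inside the `module.exports` block) but nothing in the snippet defines it; only `msalConfig` is declared, and the `silentRequest` object is commented out. Under Jest, requiring the file would throw a `ReferenceError` before any test runs, and `signIn()` in both *authRedirect.js* and *authPopup.js* passes the same undefined `loginRequest` to `loginRedirect`/`loginPopup`. Add a definition to the snippet, for example `const loginRequest = { scopes: ["openid", "profile"] };` using the scopes already shown in the commented `silentRequest`, and mention it in the "Replace the following values" step so readers see which scopes the app requests at sign-in.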
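Review bot: In *authRedirect.js*, `username` is declared (`let username = "";`) but never assigned: neither `handleResponse` nor `selectAccount` sets it, unlike the *authPopup.js* version, which does `username = response.account.username`. As a result `signOut()` builds `logoutRequest` with `account: myMSALObj.getAccountByUsername(username)` for an empty string, which resolves to no account, so the sign-out is not tied to the account that actually signed in. Mirror the popup file by assigning `username` in both `handleResponse` and `selectAccount`. Also, `selectAccount` there guards with `if (!currentAccounts)`, but `getAllAccounts()` returns an array, which is truthy even when empty; the `currentAccounts.length < 1` check used in *authPopup.js* is the correct one.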
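Review bot: The intro to "Adding code to the redirection file" says the file extracts the access token from the URL fragment, but the code does not do that: `handleRedirectPromise()` passes the redirect result to `handleResponse`, which only reads `response.account`, and the config comment on `navigateToLoginRequestUrl` describes the flow as "processing the auth code response". Likewise, the intro to the *authPopup.js* section says the pop-up is used when the user is already signed in and needs a token for a different resource, yet the snippet's `signIn()` calls `loginPopup(loginRequest)` for the initial sign-in and acquires no resource token. Reword both intros to describe what the snippets do (process the authorization response from the redirect or pop-up, then select and display the signed-in account), so readers do not expect a token to be present in the URL or in these files.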