Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
active-directory-b2c | Add Api Connector | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/add-api-connector.md | See an example of a [validation-error response](#example-of-a-validation-error-r ## Before sending the token (preview) > [!IMPORTANT]-> API connectors used in this step are in preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> API connectors used in this step are in preview. For more information about previews, see [Product Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). An API connector at this step is invoked when a token is about to be issued during sign-ins and sign-ups. An API connector for this step can be used to enrich the token with claim values from external sources. |
active-directory-b2c | Cookie Definitions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/cookie-definitions.md | The following table lists the cookies used in Azure AD B2C. | `x-ms-cpim-ctx` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Context | | `x-ms-cpim-rp` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing membership data for the resource provider tenant. | | `x-ms-cpim-rc` | b2clogin.com, login.microsoftonline.com, branded domain | End of [browser session](session-behavior.md) | Used for storing the relay cookie. |+| `x-ms-cpim-geo` | b2clogin.com, login.microsoftonline.com, branded domain | 1 Hour | Used as a hint to determine the resource tenants home geographic location. | ## Cross-Site request forgery token |
active-directory-b2c | Custom Policy Developer Notes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/custom-policy-developer-notes.md | The following table summarizes the Security Assertion Markup Language (SAML) app |Feature |User flow |Custom policy |Notes | ||::|::||-|[API connectors](api-connectors-overview.md) | Preview | GA | | -|[Secure with basic authentication](secure-rest-api.md#http-basic-authentication) | Preview | GA | | -|[Secure with client certificate authentication](secure-rest-api.md#https-client-certificate-authentication) | Preview | GA | | +|[After federating with an identity provider during sign-up](api-connectors-overview.md?pivots=b2c-user-flow#after-federating-with-an-identity-provider-during-sign-up) | GA | GA | | +|[Before creating the user](api-connectors-overview.md?pivots=b2c-user-flow#before-creating-the-user) | GA | GA | | +|[Before including application claims in token](api-connectors-overview.md?pivots=b2c-user-flow#before-sending-the-token-preview)| Preview | GA | | +|[Secure with basic authentication](secure-rest-api.md#http-basic-authentication) | GA | GA | | +|[Secure with client certificate authentication](secure-rest-api.md#https-client-certificate-authentication) | GA | GA | | |[Secure with OAuth2 bearer authentication](secure-rest-api.md#oauth2-bearer-authentication) | NA | GA | | |[Secure API key authentication](secure-rest-api.md#api-key-authentication) | NA | GA | | |
active-directory-b2c | Force Password Reset | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/force-password-reset.md | |
active-directory-b2c | Manage Custom Policies Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/manage-custom-policies-powershell.md | |
active-directory-b2c | Openid Connect Technical Profile | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/openid-connect-technical-profile.md | The technical profile also returns claims that aren't returned by the identity p | MarkAsFailureOnStatusCode5xx | No | Indicates whether a request to an external service should be marked as a failure if the Http status code is in the 5xx range. The default is `false`. | | DiscoverMetadataByTokenIssuer | No | Indicates whether the OIDC metadata should be discovered by using the issuer in the JWT token.If you need to build the metadata endpoint URL based on Issuer, set this to `true`.| | IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |-|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt` (public preview). For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). | +|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt`. For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). | |token_signing_algorithm| No | Specifies the signing algorithm to use when `token_endpoint_auth_method` is set to `private_key_jwt`. 
Possible values: `RS256` (default) or `RS512`.| | SingleLogoutEnabled | No | Indicates whether during sign-in the technical profile attempts to sign out from federated identity providers. For more information, see [Azure AD B2C session sign-out](./session-behavior.md#sign-out). Possible values: `true` (default), or `false`. | |ReadBodyClaimsOnIdpRedirect| No| Set to `true` to read claims from response body on identity provider redirect. This metadata is used with [Apple ID](identity-provider-apple-id.md), where claims return in the response payload.| Examples: - [Add Microsoft Account (MSA) as an identity provider using custom policies](identity-provider-microsoft-account.md) - [Sign in by using Azure AD accounts](identity-provider-azure-ad-single-tenant.md) - [Allow users to sign in to a multi-tenant Azure AD identity provider using custom policies](identity-provider-azure-ad-multi-tenant.md)+ |
active-directory-b2c | Page Layout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/page-layout.md | Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Self-asserted page (selfasserted) +**2.1.26** ++- Replaced `Keypress` to `Key Down` event and avoid `Asterisk` for non-required in classic mode. ++**2.1.25** ++- Fixed content security policy (CSP) violation and remove additional request header X-Aspnetmvc-Version. ++- Introduced Captcha mechanism for Self-asserted and Unified SSP Flows (_Beta-version-Internal use only_). ++**2.1.24** ++- Fixed accessibility bugs. ++- Fixed MFA related issue and IE11 compatibility issues. ++**2.1.23** ++- Fixed accessibility bugs. ++- Reduced `min-width` value for UI viewport for default template. ++**2.1.22** ++- Fixed accessibility bugs. ++- Added logic to adopt QR Code Image generated from backend library. ++**2.1.21** ++- Additional sanitization of script tags to avoid XSS attacks. + **2.1.20**-- Fixed an XSS issue on input from textbox+- Fixed Enter event trigger on MFA. +- CSS changes rendering page text/control in vertical manner for small screens **2.1.19**-- Fixed accessibility bugs-- Handle Undefined Error message for existing user sign up-- Move Password Mismatch Error to Inline instead of Page Level+- Fixed accessibility bugs. +- Handled Undefined Error message for existing user sign up. +- Moved Password mismatch error to Inline instead of page level. - Accessibility changes related to High Contrast button display and anchor focus improvements **2.1.18** Azure AD B2C page layout uses the following versions of the [jQuery library](htt - Enforce Validation Error Update on control change and enable continue on email verified - Added additional field to error code to validation failure response + **2.1.16** - Fixed "Claims for verification control have not been verified" bug while verifying code. 
- Hide error message on validation succeeds and send code to verify Azure AD B2C page layout uses the following versions of the [jQuery library](htt **2.1.10** - Correcting to the tab index-- Fixing WCAG 2.1 accessibility and screen reader issues +- Fixed WCAG 2.1 accessibility and screen reader issues **2.1.9** Azure AD B2C page layout uses the following versions of the [jQuery library](htt > [!TIP] > If you localize your page to support multiple locales, or languages in a user flow. The [localization IDs](localization-string-ids.md) article provides the list of localization IDs that you can use for the page version you select. +**2.1.14** ++- Replaced `Keypress` to `Key Down` event. ++**2.1.13** ++- Fixed content security policy (CSP) violation and remove additional request header X-Aspnetmvc-Version ++- Introduced Captcha mechanism for Self-asserted and Unified SSP Flows (_Beta-version-Internal use only_) ++**2.1.12** ++- Removed `ReplaceAll` function for IE11 compatibility. ++**2.1.11** ++- Fixed accessibility bugs. ++**2.1.10** ++- Added additional sanitization of script tags to avoid XSS attacks. + **2.1.9**-- Fix accessibility bugs++- Fixed accessibility bugs. + - Accessibility changes related to High Contrast button display and anchor focus improvements- + **2.1.8** - Add descriptive error message and fixed forgotPassword link! Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## MFA page (multifactor) +**1.2.12** ++- Replaced `KeyPress` to `KeyDown` event. ++**1.2.11** ++- Removed `ReplaceAll` function for IE11 compatibility. ++**1.2.10** ++- Fixed accessibility bugs. ++**1.2.9** ++- Fixed `Enter` event trigger on MFA. ++- CSS changes render page text/control in vertical manner for small screens ++- Fixed Multifactor tab navigation bug. ++**1.2.8** ++- Passed the response status for MFA verification with error for backend to further triage. ++**1.2.7** ++- Fixed accessibility issue on label for retries code. 
++- Fixed issue caused by incompatibility of default parameter on IE 11. ++- Set up `H1` heading and enable by default. ++- Updated HandlebarJS version to 4.7.7. ++**1.2.6** ++- Corrected the `autocomplete` value on verification code field from false to off. ++- Fixed a few XSS encoding issues. + **1.2.5** - Fixed a language encoding issue that is causing the request to fail. Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Exception Page (globalexception) +**1.2.5** ++- Removed `ReplaceAl`l function for IE11 compatibility. ++**1.2.4** ++- Fixed accessibility bugs. ++**1.2.3** ++- Updated HandlebarJS version to 4.7.7. ++**1.2.2** ++- Set up `H1` heading and enable by default. + **1.2.1**+ - Updated jQuery version to 3.5.1. - Updated HandlebarJS version to 4.7.6. Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Other pages (ProviderSelection, ClaimsConsent, UnifiedSSD) +**1.2.4** ++- Remove `ReplaceAll` function for IE11 compatibility. ++**1.2.3** ++- Fixed accessibility bugs. ++**1.2.2** ++- Updated HandlebarJS version to 4.7.7 + **1.2.1**+ - Updated jQuery version to 3.5.1. - Updated HandlebarJS version to 4.7.6. Azure AD B2C page layout uses the following versions of the [jQuery library](htt ## Next steps For details on how to customize the user interface of your applications in custom policies, see [Customize the user interface of your application using a custom policy](customize-ui-with-html.md).++ |
active-directory-b2c | Secure Rest Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/secure-rest-api.md | The following XML snippet is an example of a RESTful technical profile configure ## OAuth2 bearer authentication - Bearer token authentication is defined in [OAuth2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). In bearer token authentication, Azure AD B2C sends an HTTP request with a token in the authorization header. ```http A bearer token is an opaque string. It can be a JWT access token or any string t - **Bearer token**. To be able to send the bearer token in the Restful technical profile, your policy needs to first acquire the bearer token and then use it in the RESTful technical profile. - **Static bearer token**. Use this approach when your REST API issues a long-term access token. To use a static bearer token, create a policy key and make a reference from the RESTful technical profile to your policy key. - ## Using OAuth2 Bearer The following steps demonstrate how to use client credentials to obtain a bearer token and pass it into the Authorization header of the REST API calls. Add the validation technical profile reference to the sign up technical profile, ++ For example:- ```XML - <ValidationTechnicalProfiles> - .... - <ValidationTechnicalProfile ReferenceId="REST-AcquireAccessToken" /> - .... - </ValidationTechnicalProfiles> - ``` - +```ruby +```XML +<ValidationTechnicalProfiles> + .... + <ValidationTechnicalProfile ReferenceId="REST-AcquireAccessToken" /> + .... +</ValidationTechnicalProfiles> +``` +``` ::: zone-end To configure a REST API technical profile with API key authentication, create th 1. For **Key usage**, select **Encryption**. 1. Select **Create**. - ### Configure your REST API technical profile to use API key authentication After creating the necessary key, configure your REST API technical profile metadata to reference the credentials. 
The following XML snippet is an example of a RESTful technical profile configure ::: zone pivot="b2c-custom-policy" - Learn more about the [Restful technical profile](restful-technical-profile.md) element in the custom policy reference. ::: zone-end+ |
active-directory-b2c | Tenant Management Directory Quota | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/tenant-management-directory-quota.md | The response from the API call looks similar to the following json: { "directorySizeQuota": { "used": 211802,- "total": 300000 + "total": 50000000 } } ] If your tenant usage is higher that 80%, you can remove inactive users or reques ## Request increase directory quota size -You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) +You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md) |
active-directory-b2c | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/whats-new-docs.md | Title: "What's new in Azure Active Directory business-to-customer (B2C)" description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)." Previously updated : 08/01/2023 Last updated : 09/01/2023 +## August 2023 ++### Updated articles ++- [Page layout versions](page-layout.md) - Editorial updates +- [Secure your API used an API connector in Azure AD B2C](secure-rest-api.md) - Oauth Bearer Authentication updated to GA + ## June 2023 ### New articles Welcome to what's new in Azure Active Directory B2C documentation. This article - [Build a global identity solution with funnel-based approach](azure-ad-b2c-global-identity-funnel-based-design.md) - [Use the Azure portal to create and delete consumer users in Azure AD B2C](manage-users-portal.md) -## April 2023 --### Updated articles --- [Configure Transmit Security with Azure Active Directory B2C for passwordless authentication](partner-bindid.md) - Update partner-bindid.md-- [Tutorial: Enable secure hybrid access for applications with Azure Active Directory B2C and F5 BIG-IP](partner-f5.md) - Update partner-f5.md- |
active-directory-domain-services | Alert Service Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/alert-service-principal.md | ms.assetid: f168870c-b43a-4dd6-a13f-5cfadc5edf2c + Last updated 01/29/2023 - # Known issues: Service principal alerts in Azure Active Directory Domain Services |
active-directory-domain-services | Create Forest Trust Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/create-forest-trust-powershell.md | For more conceptual information about forest types in Azure AD DS, see [How do f [Install-Script]: /powershell/module/powershellget/install-script <!-- EXTERNAL LINKS -->-[powershell-gallery]: https://www.powershellgallery.com/ +[powershell-gallery]: https://www.powershellgallery.com/ |
active-directory-domain-services | Policy Reference | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/policy-reference.md | Title: Built-in policy definitions for Azure Active Directory Domain Services description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 08/08/2023 Last updated : 09/06/2023 |
active-directory-domain-services | Powershell Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-create-instance.md | |
active-directory-domain-services | Powershell Scoped Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/powershell-scoped-synchronization.md | foreach ($groupName in $groupsToAdd) Write-Output "****************************************************************************`n" Write-Output "`n****************************************************************************" -$currentAssignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId +$currentAssignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true Write-Output "Total current group-assignments: $($currentAssignments.Count), SP-ObjectId: $($sp.ObjectId)" $currAssignedObjectIds = New-Object 'System.Collections.Generic.HashSet[string]' |
active-directory-domain-services | Secure Your Domain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/secure-your-domain.md | |
active-directory-domain-services | Synchronization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/synchronization.md | ms.assetid: 57cbf436-fc1d-4bab-b991-7d25b6e987ef + Last updated 04/03/2023 - # How objects and credentials are synchronized in an Azure Active Directory Domain Services managed domain |
active-directory-domain-services | Template Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/template-create-instance.md | |
active-directory-domain-services | Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/troubleshoot.md | ms.assetid: 4bc8c604-f57c-4f28-9dac-8b9164a0cf0b + Last updated 01/29/2023 - # Common errors and troubleshooting steps for Azure Active Directory Domain Services |
active-directory-domain-services | Tutorial Create Instance Advanced | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/tutorial-create-instance-advanced.md | To see this managed domain in action, create and join a virtual machine to the d [availability-zones]: ../reliability/availability-zones-overview.md [concepts-sku]: administration-concepts.md#azure-ad-ds-skus -<!-- EXTERNAL LINKS --> +<!-- EXTERNAL LINKS --> |
active-directory-domain-services | Tutorial Create Instance | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-domain-services/tutorial-create-instance.md | Before you domain-join VMs and deploy applications that use the managed domain, [concepts-sku]: administration-concepts.md#azure-ad-ds-skus <!-- EXTERNAL LINKS -->-[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix +[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix |
active-directory | Customize Application Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/customize-application-attributes.md | Applications and systems that support customization of the attribute list includ > Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes). > [!NOTE]-> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. +> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. 
For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory. Provisioning multi-valued directory extension attributes is not supported. When you're editing the list of supported attributes, the following properties are provided: |
active-directory | Inbound Provisioning Api Concepts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-concepts.md | -> API-driven inbound provisioning is currently in public preview and is governed by [Preview Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> API-driven inbound provisioning is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Introduction |
active-directory | Inbound Provisioning Api Configure App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md | -> API-driven inbound provisioning is currently in public preview and is governed by [Preview Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> API-driven inbound provisioning is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). This feature is available only when you configure the following Enterprise Gallery apps: * API-driven inbound user provisioning to Azure AD If you're configuring inbound user provisioning to on-premises Active Directory, ## Create your API-driven provisioning app -1. Log in to the [Microsoft Entra portal](<https://entra.microsoft.com>). +1. Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>). 2. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 3. Click on **New application** to create a new provisioning application. [![Screenshot of Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox) |
active-directory | Inbound Provisioning Api Curl Tutorial | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-curl-tutorial.md | -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Custom Attributes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-custom-attributes.md | You have configured API-driven provisioning app. You're provisioning app is succ In this step, we'll add the two attributes "HireDate" and "JobCode" that are not part of the standard SCIM schema to the provisioning app and use them in the provisioning data flow. -1. Log in to Microsoft Entra portal with application administrator role. +1. Log in to Microsoft Entra admin center with application administrator role. 1. Go to **Enterprise applications** and open your API-driven provisioning app. 1. Open the **Provisioning** blade. 1. Click on the **Edit Provisioning** button. In this step, we'll add the two attributes "HireDate" and "JobCode" that are not 1. **Save** your changes > [!NOTE]-> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra Portal to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process. +> If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra admin center to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process. ## Step 2 - Map the custom attributes |
active-directory | Inbound Provisioning Api Grant Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-grant-access.md | Depending on how your API client authenticates with Azure AD, you can select bet ## Configure a service principal This configuration registers an app in Azure AD that represents the external API client and grants it permission to invoke the inbound provisioning API. The service principal client id and client secret can be used in the OAuth client credentials grant flow. -1. Log in to Microsoft Entra portal (https://entra.microsoft.com) with global administrator or application administrator login credentials. +1. Log in to Microsoft Entra admin center (https://entra.microsoft.com) with global administrator or application administrator login credentials. 1. Browse to **Azure Active Directory** -> **Applications** -> **App registrations**. 1. Click on the option **New registration**. 1. Provide an app name, select the default options, and click on **Register**. This section describes how you can assign the necessary permissions to a managed ## Next steps - [Quick start using cURL](inbound-provisioning-api-curl-tutorial.md) - [Quick start using Postman](inbound-provisioning-api-postman.md)-- [Quick start using Postman](inbound-provisioning-api-graph-explorer.md)+- [Quick start using Graph Explorer](inbound-provisioning-api-graph-explorer.md) - [Frequently asked questions about API-driven inbound provisioning](inbound-provisioning-api-faqs.md) |
active-directory | Inbound Provisioning Api Graph Explorer | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-graph-explorer.md | This tutorial describes how you can quickly test [API-driven inbound provisionin ## Verify processing of bulk request payload -You can verify the processing either from the Microsoft Entra portal or using Graph Explorer. +You can verify the processing either from the Microsoft Entra admin center or using Graph Explorer. -### Verify processing from Microsoft Entra portal -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +### Verify processing from Microsoft Entra admin center +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-postman.md | In this step, you'll configure the Postman app and invoke the API using the conf If the API invocation is successful, you see the message `202 Accepted.` Under Headers, the **Location** attribute points to the provisioning logs API endpoint. ## Verify processing of bulk request payload-You can verify the processing either from the Microsoft Entra portal or using Postman. +You can verify the processing either from the Microsoft Entra admin center or using Postman. -### Verify processing from Microsoft Entra portal -1. Log in to [Microsoft Entra portal](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. +### Verify processing from Microsoft Entra admin center +1. Log in to [Microsoft Entra admin center](https://entra.microsoft.com) with *global administrator* or *application administrator* login credentials. 1. Browse to **Azure Active Directory -> Applications -> Enterprise applications**. 1. Under all applications, use the search filter text box to find and open your API-driven provisioning application. 1. Open the Provisioning blade. The landing page displays the status of the last run. |
active-directory | Inbound Provisioning Api Powershell | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-powershell.md | To illustrate the procedure, let's use the CSV file `Samples/csv-with-2-records. This section explains how to send the generated bulk request payload to your inbound provisioning API endpoint. -1. Log in to your Entra portal as *Application Administrator* or *Global Administrator*. +1. Log in to your Microsoft Entra admin center as *Application Administrator* or *Global Administrator*. 1. Copy the `ServicePrincipalId` associated with your provisioning app from **Provisioning App** > **Properties** > **Object ID**. :::image type="content" border="true" source="./media/inbound-provisioning-api-powershell/object-id.png" alt-text="Screenshot of the Object ID." lightbox="./media/inbound-provisioning-api-powershell/object-id.png"::: This section explains how to send the generated bulk request payload to your inb $ThumbPrint = $ClientCertificate.ThumbPrint ``` The generated certificate is stored **Current User\Personal\Certificates**. You can view it using the **Control Panel** -> **Manage user certificates** option. -1. To associate this certificate with a valid service principal, log in to your Entra portal as *Application Administrator*. +1. To associate this certificate with a valid service principal, log in to your Microsoft Entra admin center as *Application Administrator*. 1. Open [the service principal you configured](inbound-provisioning-api-grant-access.md#configure-a-service-principal) under **App Registrations**. 1. Copy the **Object ID** from the **Overview** blade. Use the value to replace the string `<AppObjectId>`. Copy the **Application (client) Id**. We will use it later and it is referenced as `<AppClientId>`. 1. Run the following command to upload your certificate to the registered service principal. 
PS > CSV2SCIM.ps1 -Path <path-to-csv-file> > [!NOTE] > The `AttributeMapping` and `ValidateAttributeMapping` command-line parameters refer to the mapping of CSV column attributes to the standard SCIM schema elements. -It doesn't refer to the attribute mappings that you perform in the Entra portal provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes. +It doesn't refer to the attribute mappings that you perform in the Microsoft Entra admin center provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes. | Parameter | Description | Processing remarks | |-|-|--| |
active-directory | On Premises Sap Connector Configure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-sap-connector-configure.md | Title: Azure AD Provisioning to SAP ERP Central Component (SAP ECC) 7.0 -description: This document describes how to configure Azure AD to provision users into SAP ECC 7. + Title: Azure AD Provisioning into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later. +description: This document describes how to configure Azure AD to provision users into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver AS ABAP 7.0 or later. -# Configuring Azure AD to provision users into SAP ECC 7.0 -The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC) 7.0. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning. +# Configuring Azure AD to provision users into SAP ECC with NetWeaver AS ABAP 7.0 or later +The following documentation provides configuration and tutorial information demonstrating how to provision users from Azure AD into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you are using other versions such as SAP R/3, you can still use the guides provided in the [download center](https://www.microsoft.com/download/details.aspx?id=51495) as a reference to build your own template and configure provisioning. [!INCLUDE [app-provisioning-sap.md](../../../includes/app-provisioning-sap.md)] |
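Review bot: the rewritten intro paragraph is internally inconsistent: the added title and first sentence now describe SAP R/3 as the former name of SAP ECC, yet the unchanged second sentence still reads "If you are using other versions such as SAP R/3", treating R/3 as a separate product. Either drop "such as SAP R/3" from that sentence or name a genuinely different case (for example a NetWeaver release earlier than 7.0). Also, the added `Title:` front-matter value ends with a trailing period, which the original title did not have.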
active-directory | Provision On Demand | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/provision-on-demand.md | There are currently a few known limitations to on-demand provisioning. Post your ::: zone pivot="app-provisioning" > [!NOTE] > The following limitations are specific to the on-demand provisioning capability. For information about whether an application supports provisioning groups, deletions, or other capabilities, check the tutorial for that application.--* On-demand provisioning of groups supports updating up to five members at a time +* On-demand provisioning of groups supports updating up to five members at a time. Connectors for cross-tenant synchronization, Workday, etc. do not support group provisioning and as a result do not support on-demand provisioning of groups. +* On-demand provisioning of groups is not supported for cross-tenant synchronization. ::: zone-end+* On-demand provisioning supports provisioning one user at a time through the Microsoft Entra portal. * Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft-delete a user with on-demand provisioning and then restore the user, it can result in duplicate users. * On-demand provisioning of roles isn't supported. * On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Azure AD. Those users don't appear when you search for a user. |
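Review bot: the two added bullets overlap: the first now states that connectors for cross-tenant synchronization don't support group provisioning and therefore not on-demand group provisioning, and the next added bullet repeats that on-demand provisioning of groups isn't supported for cross-tenant synchronization. Keep one statement. Separately, the added bullet `On-demand provisioning supports provisioning one user at a time through the Microsoft Entra portal` is placed after `::: zone-end`, so confirm it is meant to apply outside the app-provisioning zone, and consider "Microsoft Entra admin center" for consistency with the other renames in this batch.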
active-directory | User Provisioning Sync Attributes For Mapping | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md | Next, if one or more of the users that will need access to the application do no The following sections outline how to create extension attributes for a tenant with cloud only users, and for a tenant with Active Directory users. ## Create an extension attribute in a tenant with cloud only users-You can use Microsoft Graph and PowerShell to extend the user schema for users in Azure AD. This is necessary if you do not have any users who need that attribute and originate in on-premises Active Directory. (If you do have Active Directory, then continue reading below in the section on how to [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect).) +You can use Microsoft Graph and PowerShell to extend the user schema for users in Azure AD. This is necessary if you have any users who need that attribute and do not originate in on-premises Active Directory. (If you do have Active Directory, then continue reading below in the section on how to [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect).) Once schema extensions are created, these extension attributes are automatically discovered when you next visit the provisioning page in the Azure portal, in most cases. Content-type: application/json "extension_inputAppId_extensionName": "extensionValue" } ```-Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get). +Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get). 
Note that the Graph v1.0 does not by default return any of a user's directory extension attributes, unless the attributes are specified in the request as one of the properties to return. ```json GET https://graph.microsoft.com/v1.0/users/{id}?$select=displayName,extension_inputAppId_extensionName |
active-directory | User Provisioning | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/user-provisioning.md | In Azure Active Directory (Azure AD), the term *app provisioning* refers to auto Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and many more. -Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. Your application must support [SCIM](https://aka.ms/scimoverview). Or, you must build a SCIM gateway to connect to your legacy application. If so, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support these applications as well. --App provisioning lets you: +Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. The table below provides a mapping of protocols to connectors supported. 
++|Protocol |Connector| +|--|--| +| SCIM | [SCIM - SaaS](use-scim-to-provision-users-and-groups.md) <br />[SCIM - On-prem / Private network](./on-premises-scim-provisioning.md) | +| LDAP | [LDAP](./on-premises-ldap-connector-configure.md)| +| SQL | [SQL](./tutorial-ecma-sql-connector.md) | +| REST | [Web Services](./on-premises-web-services-connector.md)| +| SOAP | [Web Services](./on-premises-web-services-connector.md)| +| Flat-file| [PowerShell](./on-premises-powershell-connector.md) | +| Custom | [Custom ECMA connectors](./on-premises-custom-connector.md) <br /> [Connectors and gateways built by partners](./partner-driven-integrations.md)| - **Automate provisioning**: Automatically create new accounts in the right systems for new people when they join your team or organization. - **Automate deprovisioning**: Automatically deactivate accounts in the right systems when people leave the team or organization. |
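Review bot: removing the `App provisioning lets you:` lead-in leaves the following `- **Automate provisioning**` / `- **Automate deprovisioning**` bullets attached directly to the new protocol-to-connector table with no introductory sentence; restore a lead-in after the table. The rewrite also drops the original paragraph's requirement that the application must support SCIM, or be fronted by a SCIM gateway, before the Provisioning agent can connect to it; consider keeping that requirement as a sentence above the table, since the table alone does not convey it.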
active-directory | Application Proxy Configure Complex Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-complex-application.md | To publish complex distributed app through Application Proxy with application se 5. In the External Url field, drop down the list and select the custom domain you want to use. -6. Add CORS Rules (optional). For more information see [Configuring CORS Rule](/graph/api/resources/corsconfiguration_v2?view=graph-rest-beta). +6. Add CORS Rules (optional). For more information see [Configuring CORS Rule](/graph/api/resources/corsconfiguration_v2?view=graph-rest-beta&preserve-view=true). 7. Select Create. |
active-directory | Application Proxy Configure Cookie Settings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-cookie-settings.md | |
active-directory | Application Proxy Configure Custom Home Page | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-configure-custom-home-page.md | |
active-directory | Application Proxy Ping Access Publishing Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md | Azure Active Directory (Azure AD) Application Proxy has partnered with PingAcces With PingAccess for Azure AD, you can give users access and single sign-on (SSO) to applications that use headers for authentication. Application Proxy treats these applications like any other, using Azure AD to authenticate access and then passing traffic through the connector service. PingAccess sits in front of the applications and translates the access token from Azure AD into a header. The application then receives the authentication in the format it can read. -Your users wonΓÇÖt notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so theyΓÇÖll still balance loads automatically. +Your users won't notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so they'll still balance loads automatically. ## How do I get access? For more information, see [Azure Active Directory editions](../fundamentals/what ## Publish your application in Azure -This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If youΓÇÖve already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section. 
+This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If you've already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section. > [!NOTE] > Since this scenario is a partnership between Azure AD and PingAccess, some of the instructions exist on the Ping Identity site. To publish your own on-premises application: > [!NOTE] > For a more detailed walkthrough of this step, see [Add an on-premises app to Azure AD](../app-proxy/application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad). - 1. **Internal URL**: Normally you provide the URL that takes you to the appΓÇÖs sign-in page when youΓÇÖre on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess. + 1. **Internal URL**: Normally you provide the URL that takes you to the app's sign-in page when you're on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess. > [!WARNING] > For this type of single sign-on, the internal URL must use `https` and can't use `http`. Also, there is a constraint when configuring an application that no two apps should have the same internal URL as this allows App Proxy to maintain distinction between applications. To publish your own on-premises application: 1. **Translate URL in Headers**: Choose **No**. 
> [!NOTE]- > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener youΓÇÖve configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners). + > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener you've configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners). 1. Select **Add**. The overview page for the new application appears. In addition to the external URL, an authorize endpoint of Azure Active Directory Finally, set up your on-premises application so that users have read access and other applications have read/write access: -1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the APIs for Windows Azure Active Directory. +1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the permissions for Microsoft Graph. ![Shows the Request API permissions page](./media/application-proxy-configure-single-sign-on-with-ping-access/required-permissions.png) |
active-directory | Powershell Assign Group To App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-group-to-app.md | |
active-directory | Powershell Assign User To App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-assign-user-to-app.md | |
active-directory | Powershell Display Users Group Of App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-display-users-group-of-app.md | |
active-directory | Powershell Get All App Proxy Apps Basic | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-basic.md | |
active-directory | Powershell Get All App Proxy Apps By Connector Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-by-connector-group.md | |
active-directory | Powershell Get All App Proxy Apps Extended | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended.md | |
active-directory | Powershell Get All App Proxy Apps With Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-with-policy.md | |
active-directory | Powershell Get All Connectors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-connectors.md | |
active-directory | Powershell Get All Custom Domain No Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domain-no-cert.md | |
active-directory | Powershell Get All Custom Domains And Certs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-custom-domains-and-certs.md | |
active-directory | Powershell Get All Default Domain Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-default-domain-apps.md | |
active-directory | Powershell Get All Wildcard Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-all-wildcard-apps.md | |
active-directory | Powershell Get Custom Domain Identical Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-identical-cert.md | |
active-directory | Powershell Get Custom Domain Replace Cert | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-get-custom-domain-replace-cert.md | |
active-directory | Powershell Move All Apps To Connector Group | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/scripts/powershell-move-all-apps-to-connector-group.md | |
active-directory | Architecture Icons | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/architecture-icons.md | + + Title: Microsoft Entra architecture icons +description: Learn about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. +++++ Last updated : 08/15/2023++++# Customer intent: As a new or existing customer, I want to learn how I can use the official Microsoft Entra icons in architectural diagrams, training materials, or documentation. +++# Microsoft Entra architecture icons ++Helping our customers design and architect new solutions is core to the Microsoft Entra mission. Architecture diagrams can help communicate design decisions and the relationships between components of a given workload. This article provides information about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation. ++## General guidelines ++### Do's ++- Use the icon to illustrate how products can work together. +- In diagrams, we recommend including the product name somewhere close to the icon. ++### Don'ts ++- Don't crop, flip, or rotate icons. +- Don't distort or change the icon shape in any way. +- Don't use Microsoft product icons to represent your product or service. +- Don't use Microsoft product icons in marketing communications. ++## Icon updates ++| Month | Change description | +|-|--| +| August 2023 | Added a downloadable package that contains the Microsoft Entra architecture icons, branding playbook (which contains guidelines about the Microsoft Security visual identity), and terms of use. | ++## Icon terms ++Microsoft permits the use of these icons in architectural diagrams, training materials, or documentation. You may copy, distribute, and display the icons only for the permitted use unless granted explicit permission by Microsoft. Microsoft reserves all other rights. 
++ > [!div class="button"] + > [I agree to the above terms. Download icons.](https://download.microsoft.com/download/a/4/2/a4289cad-4eaf-4580-87fd-ce999a601516/Microsoft-Entra-architecture-icons.zip?wt.mc_id=microsoftentraicons_downloadmicrosoftentraicons_content_cnl_csasci) ++## More icon sets from Microsoft ++- [Azure architecture icons](/azure/architecture/icons) +- [Microsoft 365 architecture icons and templates](/microsoft-365/solutions/architecture-icons-templates) +- [Dynamics 365 icons](/dynamics365/get-started/icons) +- [Microsoft Power Platform icons](/power-platform/guidance/icons) |
active-directory | Govern Service Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/govern-service-accounts.md | |
active-directory | Multi Tenant Common Considerations | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-common-considerations.md | Additionally, while you can use the following Conditional Access conditions, be - **Sign-in risk and user risk.** User behavior in their home tenant determines, in part, the sign-in risk and user risk. The home tenant stores the data and risk score. If resource tenant policies block an external user, a resource tenant admin might not be able to enable access. [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md) explains how Identity Protection detects compromised credentials for Azure AD users. - **Locations.** The named location definitions in the resource tenant determine the scope of the policy. The scope of the policy doesn't evaluate trusted locations managed in the home tenant. If your organization wants to share trusted locations across tenants, define the locations in each tenant where you define the resources and Conditional Access policies. -## Other access control considerations +## Securing your multi-tenant environment +Review the [security checklist](/azure/security/fundamentals/steps-secure-identity) and [best practices](/azure/security/fundamentals/operational-best-practices) for guidance on securing your tenant. Ensure these best practices are followed and review them with any tenants that you collaborate closely with. +### Conditional access The following are considerations for configuring access control. - Define [access control policies](../external-identities/authentication-conditional-access.md) to control access to resources. - Design Conditional Access policies with external users in mind. 
- Create policies specifically for external users.-- If your organization is using the [**all users** dynamic group](../external-identities/use-dynamic-groups.md) condition in your existing Conditional Access policy, this policy affects external users because they are in scope of **all users**. - Create dedicated Conditional Access policies for external accounts. -### Require user assignment +### Monitoring your multi-tenant environment +- Monitor for changes to cross-tenant access policies using the [audit logs UI](../reports-monitoring/concept-audit-logs.md), [API](/graph/api/resources/azure-ad-auditlog-overview), or [Azure Monitor integration](../reports-monitoring/tutorial-configure-log-analytics-workspace.md) (for proactive alerts). The audit events use the categories "CrossTenantAccessSettings" and "CrossTenantIdentitySyncSettings." By monitoring for audit events under these categories, you can identify any cross-tenant access policy changes in your tenant and take action. When creating alerts in Azure Monitor, you can create a query such as the one below to identify any cross-tenant access policy changes. ++``` +AuditLogs +| where Category contains "CrossTenant" +``` ++- Monitor application access in your tenant using the [cross-tenant access activity](../reports-monitoring/workbook-cross-tenant-access-activity.md) dashboard. This allows you to see who is accessing resources in your tenant and where those users are coming from. +++### Dynamic groups ++If your organization is using the [**all users** dynamic group](../external-identities/use-dynamic-groups.md) condition in your existing Conditional Access policy, this policy affects external users because they are in scope of **all users**. ++### Require user assignment for applications If an application has the **User assignment required?** property set to **No**, external users can access the application. 
Application admins must understand access control impacts, especially if the application contains sensitive information. [Restrict your Azure AD app to a set of users in an Azure AD tenant](../develop/howto-restrict-your-app-to-a-set-of-users.md) explains how registered applications in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who successfully authenticate. +### Privileged Identity Management +Minimize persistent administrator access by enabling [privileged identity management](/azure/security/fundamentals/steps-secure-identity#implement-privilege-access-management). ++### Restricted Management Units +When you're using security groups to control who is in scope for cross-tenant synchronization, you will want to limit who can make changes to the security group. Minimize the number of owners of the security groups assigned to the cross-tenant synchronization job and include the groups in a [restricted management unit](../roles/admin-units-restricted-management.md). This will limit the number of people that can add or remove group members and provision accounts across tenants. ++## Other access control considerations + ### Terms and conditions [Azure AD terms of use](../conditional-access/terms-of-use.md) provides a simple method that organizations can use to present information to end users. You can use terms of use to require external users to approve terms of use before accessing your resources. |
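Review bot: the added KQL snippet under `### Monitoring your multi-tenant environment` uses an untagged fence; tag it (```kusto) so it renders with syntax highlighting. The query `Category contains "CrossTenant"` matches both categories named in the bullet, which is fine, but a one-line comment in the block naming "CrossTenantAccessSettings" and "CrossTenantIdentitySyncSettings" would make the match intent explicit. Also, the new `### Conditional access` heading is followed by the unchanged sentence `The following are considerations for configuring access control.`, which read naturally under the old `## Other access control considerations` heading but is now vague, and heading casing is inconsistent across the new sections (`Conditional access` vs `Restricted Management Units`).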
active-directory | Multi Tenant User Management Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multi-tenant-user-management-scenarios.md | |
active-directory | Recoverability Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/recoverability-overview.md | Create a process of predefined communications to make others aware of the issue Document the state of your tenant and its objects regularly. Then if a hard delete or misconfiguration occurs, you have a roadmap to recovery. The following tools can help you document your current state: - [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Azure AD configurations.-- [Azure AD Exporter](https://github.com/microsoft/azureadexporter) is a tool you can use to export your configuration settings.+- [Entra Exporter](https://github.com/microsoft/entraexporter) is a tool you can use to export your configuration settings. - [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) is a module of the PowerShell Desired State Configuration framework. You can use it to export configurations for reference and application of the prior state of many settings. - [Conditional Access APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) can be used to manage your Conditional Access policies as code. Microsoft Graph APIs are highly customizable based on your organizational needs. *Securely store these configuration exports with access provided to a limited number of admins. -The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you need: +The [Entra Exporter](https://github.com/microsoft/entraexporter) can provide most of the documentation you need: - Verify that you've implemented the desired configuration. - Use the exporter to capture current configurations. The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provid - Store the output in a secure location with limited access. 
> [!NOTE]-> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Azure AD Exporter, or with the Microsoft Graph API. +> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Entra Exporter, or with the Microsoft Graph API. The [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module uses Microsoft Graph and PowerShell to retrieve the state of many of the configurations in Azure AD. This information can be used as reference information or, by using PowerShell Desired State Configuration scripting, to reapply a known good state. Use [Conditional Access Graph APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies. |
active-directory | Resilience Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilience-client-app.md | Learn more: * [Token cache serialization](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization) * [Token cache serialization in MSAL.NET](../develop/msal-net-token-cache-serialization.md)-* [Custom token cache serialization in MSAL for Java](../develop/msal-java-token-cache-serialization.md) -* [Custom token cache serialization in MSAL for Python](../develop/msal-python-token-cache-serialization.md). +* [Custom token cache serialization in MSAL for Java](/entra/msal/java/advanced/msal-java-token-cache-serialization) +* [Custom token cache serialization in MSAL for Python](/entra/msal/python/advanced/msal-python-token-cache-serialization). ![Diagram of a device and and application using MSAL to call Microsoft Identity](media/resilience-client-app/resilience-with-microsoft-authentication-library.png) |
active-directory | Resilient External Processes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/resilient-external-processes.md | Identity experience framework (IEF) policies allow you to call an external syste - If the data that is necessary for authentication is relatively static and small, and has no other business reason to be externalized from the directory, then consider having it in the directory. -- Remove API calls from the pre-authenticated path whenever possible. If you can't, then you must place strict protections for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in front of your APIs. Attackers can load the sign-in page and try to flood your API with DoS attacks and cripple your application. For example, using CAPTCHA in your sign in, sign up flow can help.+- Remove API calls from the pre-authenticated path whenever possible. If you can't, then you must place strict protections for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in front of your APIs. Attackers can load the sign-in page and try to flood your API with DoS attacks and disable your application. For example, using CAPTCHA in your sign in, sign up flow can help. - Use [API connectors of built-in sign-up user flow](../../active-directory-b2c/api-connectors-overview.md) wherever possible to integrate with web APIs either After federating with an identity provider during sign-up or before creating the user. Since the user flows are already extensively tested, it's likely that you don't have to perform user flow-level functional, performance, or scale testing. You still need to test your applications for functionality, performance, and scale. |
active-directory | Service Accounts Managed Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/service-accounts-managed-identities.md | |
active-directory | Service Accounts Principal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/service-accounts-principal.md | |
active-directory | Certificate Based Authentication Federation Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-android.md | description: Learn about the supported scenarios and the requirements for config + Last updated 09/30/2022 |
active-directory | Certificate Based Authentication Federation Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-get-started.md | description: Learn how to configure certificate-based authentication with federa + Last updated 05/04/2022 |
active-directory | Certificate Based Authentication Federation Ios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-ios.md | description: Learn about the supported scenarios and the requirements for config + Last updated 09/30/2022 |
active-directory | Concept Authentication Authenticator App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-authenticator-app.md | To get started with passwordless sign-in, see [Enable passwordless sign-in with The Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it's legitimate, select **Verify**. Otherwise, they can select **Deny**. -![Screenshot of example web browser prompt for Authenticator app notification to complete sign-in process.](media/tutorial-enable-azure-mfa/tutorial-enable-azure-mfa-browser-prompt.png) +> [!NOTE] +> Starting in August, 2023, sign-ins from unfamiliar locations no longer generate notifications. Similar to how unfamiliar locations work in [Smart lockout](howto-password-smart-lockout.md), a location becomes "familiar" during the first 14 days of use, or the first 10 sign-ins. If the location is unfamiliar, or if the relevant Google or Apple service responsible for push notifications isn't available, users won't see their notification as usual. In that case, they should open Microsoft Authenticator, or Authenticator Lite in a relevant companion app like Outlook, refresh by either pulling down or hitting **Refresh**, and approve the request. -In some rare instances where the relevant Google or Apple service responsible for push notifications is down, users may not receive their push notifications. In these cases users should manually navigate to the Microsoft Authenticator app (or relevant companion app like Outlook), refresh by either pulling down or hitting the refresh button, and approve the request. 
+![Screenshot of example web browser prompt for Authenticator app notification to complete sign-in process.](media/tutorial-enable-azure-mfa/tutorial-enable-azure-mfa-browser-prompt.png) -> [!NOTE] -> If your organization has staff working in or traveling to China, the *Notification through mobile app* method on Android devices doesn't work in that country/region as Google play services(including push notifications) are blocked in the region. However iOS notification do work. For Android devices ,alternate authentication methods should be made available for those users. +In China, the *Notification through mobile app* method on Android devices doesn't work because as Google play services (including push notifications) are blocked in the region. However, iOS notifications do work. For Android devices, alternate authentication methods should be made available for those users. ## Verification code from mobile app |
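Review bot: the rewritten China sentence has a doubled conjunction, "doesn't work because as Google play services (including push notifications) are blocked"; drop "as", and capitalize the product name as "Google Play". In the new NOTE above it, "during the first 14 days of use, or the first 10 sign-ins" leaves it unclear whether either threshold alone makes a location familiar; if that is the intent, say "whichever comes first".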
active-directory | Concept Authentication Default Enablement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-default-enablement.md | The following table lists each setting that can be set to Microsoft managed and | [Application name in Microsoft Authenticator notifications](how-to-mfa-additional-context.md) | Disabled | | [System-preferred MFA](concept-system-preferred-multifactor-authentication.md) | Enabled | | [Authenticator Lite](how-to-mfa-authenticator-lite.md) | Enabled | +| [Report suspicious activity](howto-mfa-mfasettings.md#report-suspicious-activity) | Disabled | As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication. |
active-directory | Concept Authentication Oath Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-oath-tokens.md | OATH TOTP hardware tokens typically come with a secret key, or seed, pre-program Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow. -OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). :::image type="content" border="true" source="./media/concept-authentication-methods/oath-tokens.png" alt-text="Screenshot of OATH token management." lightbox="./media/concept-authentication-methods/oath-tokens.png"::: |
active-directory | Concept Authentication Passwordless | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-passwordless.md | The following providers offer FIDO2 security keys of different form factors that | [Feitian](https://shop.ftsafe.us/pages/microsoft) | ![y] | ![y]| ![y]| ![y]| ![y] | | [Fortinet](https://www.fortinet.com/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Giesecke + Devrient (G+D)](https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication) | ![y] | ![y]| ![y]| ![y]| ![n] |+| [Google](https://store.google.com/us/product/titan_security_key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [GoTrustID Inc.](https://www.gotrustid.com/idem-key) | ![n] | ![y]| ![y]| ![y]| ![n] | | [HID](https://www.hidglobal.com/products/crescendo-key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [HIDEEZ](https://hideez.com/products/hideez-key-4) | ![n] | ![y]| ![y]| ![y]| ![n] | The following providers offer FIDO2 security keys of different form factors that | [Nymi](https://www.nymi.com/nymi-band) | ![y] | ![n]| ![y]| ![n]| ![n] | | [Octatco](https://octatco.com/) | ![y] | ![y]| ![n]| ![n]| ![n] | | [OneSpan Inc.](https://www.onespan.com/products/fido) | ![n] | ![y]| ![n]| ![y]| ![n] |+| [PONE Biometrics](https://ponebiometrics.com/) | ![y] | ![n]| ![n]| ![y]| ![n] | | [Precision Biometric](https://www.innait.com/product/fido/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [RSA](https://www.rsa.com/products/securid/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Sentry](https://sentryenterprises.com/) | ![n] | ![n]| ![y]| ![n]| ![n] | |
active-directory | Concept Authentication Strengths | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-authentication-strengths.md | An authentication strength Conditional Access policy works together with [MFA tr ## Limitations -- **Conditional Access policies are only evaluated after the initial authentication** - As a result, authentication strength doesn't restrict a user's initial authentication. Suppose you are using the built-in phishing-resistant MFA strength. A user can still type in their password, but they will be required to use a phishing-resistant method such as FIDO2 security key before they can continue.+- **Conditional Access policies are only evaluated after the initial authentication** - As a result, authentication strength doesn't restrict a user's initial authentication. Suppose you are using the built-in phishing-resistant MFA strength. A user can still type in their password, but they will be required to use a phishing-resistant method such as FIDO2 security key before they can continue. - **Require multifactor authentication and Require authentication strength can't be used together in the same Conditional Access policy** - These two Conditional Access grant controls can't be used together because the built-in authentication strength **Multifactor authentication** is equivalent to the **Require multifactor authentication** grant control. An authentication strength Conditional Access policy works together with [MFA tr - **Windows Hello for Business** ΓÇô If the user signed in with Windows Hello for Business as their primary authentication method, it can be used to satisfy an authentication strength requirement that includes Windows Hello for Business. But if the user signed in with another method like password as their primary authenticating method, and the authentication strength requires Windows Hello for Business, they get prompted to sign in with Windows Hello for Business. 
++## Known isssues ++The following known issues are currently being addressed: ++- **Sign-in frequency** - If both sign-in frequency and authentication strength requirements apply to a sign-in, and the user has previously signed in using a method that meets the authentication strength requirements, the sign-in frequency requirement doesn't apply. [Sign-in frequency](concepts-azure-multi-factor-authentication-prompts-session-lifetime.md) allows you to set the time interval for re-authentication of users based on their credentials, but it isn't fully integrated with authentication strength yet. It works independently and doesn't currently impact the actual sign-in procedure. Therefore, you may notice that some sign-ins using expired credentials don't prompt re-authentication and the sign-in process proceeds successfully. ++- **FIDO2 security key Advanced options** - Advanced options aren't supported for external users with a home tenant that is located in a different Microsoft cloud than the resource tenant. + ## FAQ ### Should I use authentication strength or the Authentication methods policy? Authentication strength is based on the Authentication methods policy. The Authe For example, the administrator of Contoso wants to allow their users to use Microsoft Authenticator with either push notifications or passwordless authentication mode. The administrator goes to the Microsoft Authenticator settings in the Authentication method policy, scopes the policy for the relevant users and set the **Authentication mode** to **Any**. -Then for ContosoΓÇÖs most sensitive resource, the administrator wants to restrict the access to only passwordless authentication methods. The administrator creates a new Conditional Access policy, using the built-in **Passwordless MFA strength**. +Then for Contoso's most sensitive resource, the administrator wants to restrict the access to only passwordless authentication methods. 
The administrator creates a new Conditional Access policy, using the built-in **Passwordless MFA strength**. As a result, users in Contoso can access most of the resources in the tenant using password + push notification from the Microsoft Authenticator OR only using Microsoft Authenticator (phone sign-in). However, when the users in the tenant access the sensitive application, they must use Microsoft Authenticator (phone sign-in). |
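Review bot: the new heading "## Known isssues" is misspelled and should read "## Known issues". In the sign-in frequency bullet beneath it, "the sign-in frequency requirement doesn't apply" and "doesn't currently impact the actual sign-in procedure" say the same thing twice; one sentence is enough, and the paragraph's last sentence ("some sign-ins using expired credentials don't prompt re-authentication") is the concrete consequence readers need, so keep that one.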
active-directory | Concept Certificate Based Authentication Certificateuserids | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md | |
active-directory | Concept Fido2 Hardware Vendor | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-fido2-hardware-vendor.md | The following table lists partners who are Microsoft-compatible FIDO2 security k | [Feitian](https://shop.ftsafe.us/pages/microsoft) | ![y] | ![y]| ![y]| ![y]| ![y] | | [Fortinet](https://www.fortinet.com/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Giesecke + Devrient (G+D)](https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication) | ![y] | ![y]| ![y]| ![y]| ![n] |+| [Google](https://store.google.com/us/product/titan_security_key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [GoTrustID Inc.](https://www.gotrustid.com/idem-key) | ![n] | ![y]| ![y]| ![y]| ![n] | | [HID](https://www.hidglobal.com/products/crescendo-key) | ![n] | ![y]| ![y]| ![n]| ![n] | | [HIDEEZ](https://hideez.com/products/hideez-key-4) | ![n] | ![y]| ![y]| ![y]| ![n] | The following table lists partners who are Microsoft-compatible FIDO2 security k | [Nymi](https://www.nymi.com/nymi-band) | ![y] | ![n]| ![y]| ![n]| ![n] | | [Octatco](https://octatco.com/) | ![y] | ![y]| ![n]| ![n]| ![n] | | [OneSpan Inc.](https://www.onespan.com/products/fido) | ![n] | ![y]| ![n]| ![y]| ![n] |+| [PONE Biometrics](https://ponebiometrics.com/) | ![y] | ![n]| ![n]| ![y]| ![n] | | [Precision Biometric](https://www.innait.com/product/fido/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [RSA](https://www.rsa.com/products/securid/) | ![n] | ![y]| ![n]| ![n]| ![n] | | [Sentry](https://sentryenterprises.com/) | ![n] | ![n]| ![y]| ![n]| ![n] | |
active-directory | Concept Mfa Regional Opt In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-regional-opt-in.md | For Voice verification, the following region codes require an opt-in. | 236 | Central African Republic | | 237 | Cameroon | | 238 | Cabo Verde |-| 239 | Sao Tome and Principe | +| 239 | São Tomé and Príncipe | | 240 | Equatorial Guinea | | 241 | Gabon | | 242 | Congo | |
active-directory | Concept Password Ban Bad Combined Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md | description: Learn about the combined password policy and check for weak passwor + Last updated 04/02/2023 |
active-directory | Concept Resilient Controls | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-resilient-controls.md | |
active-directory | Concept Sspr Policy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-sspr-policy.md | |
active-directory | Concepts Azure Multi Factor Authentication Prompts Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md | description: Learn about the recommended configuration for reauthentication prom + Previously updated : 03/28/2023 Last updated : 08/31/2023 Azure Active Directory (Azure AD) has multiple settings that determine how often The Azure AD default configuration for user sign-in frequency is a rolling window of 90 days. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt. -It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken). +It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions by using Microsoft Graph PowerShell](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession). This article details recommended configurations and how different settings work and interact with each other. To optimize the frequency of authentication prompts for your users, you can conf ### Evaluate session lifetime policies -Without any session lifetime settings, there are no persistent cookies in the browser session. Every time a user closes and open the browser, they get a prompt for reauthentication. 
In Office clients, the default time period is a rolling window of 90 days. With this default Office configuration, if the user has reset their password or there has been inactivity of over 90 days, the user is required to reauthenticate with all required factors (first and second factor). +Without any session lifetime settings, there are no persistent cookies in the browser session. Every time a user closes and opens the browser, they get a prompt for reauthentication. In Office clients, the default time period is a rolling window of 90 days. With this default Office configuration, if the user has reset their password or there has been inactivity of over 90 days, the user is required to reauthenticate with all required factors (first and second factor). A user might see multiple MFA prompts on a device that doesn't have an identity in Azure AD. Multiple prompts result when each application has its own OAuth Refresh Token that isn't shared with other client apps. In this scenario, MFA prompts multiple times as each application requests an OAuth Refresh Token to be validated with MFA. This setting allows configuration of lifetime for token issued by Azure Active D Now that you understand how different settings works and the recommended configuration, it's time to check your tenants. You can start by looking at the sign-in logs to understand which session lifetime policies were applied during sign-in. -Under each sign-in log, go to the **Authentication Details** tab and explore **Session Lifetime Policies Applied**. For more information, see [Authentication details](../reports-monitoring/concept-sign-ins.md#authentication-details). +Under each sign-in log, go to the **Authentication Details** tab and explore **Session Lifetime Policies Applied**. For more information, see the [Learn about the sign-in log activity details](../reports-monitoring/concept-sign-in-log-activity-details.md) article. 
![Screenshot of authentication details.](./media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/details.png) |
active-directory | Fido2 Compatibility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/fido2-compatibility.md | The following tables show which transports are supported for each platform. Supp |||--|--| | Edge | ❌ | ❌ | ❌ | | Chrome | ✅ | ❌ | ❌ |-| Firefox | ❌ | ❌ | ❌ | +| Firefox | ✅ | ❌ | ❌ | ### iOS |
active-directory | How To Authentication Find Coverage Gaps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md | There are different ways to check if your admins are covered by an MFA policy. ![Screenshot of the sign-in log.](./media/how-to-authentication-find-coverage-gaps/auth-requirement.png) - Click **Authentication details** for [details about the MFA requirements](../reports-monitoring/concept-sign-ins.md#authentication-details). + When viewing the details of a specific sign-in, select the **Authentication details** tab for details about the MFA requirements. For more information, see [Sign-in log activity details](../reports-monitoring/concept-sign-in-log-activity-details.md). ![Screenshot of the authentication activity details.](./media/how-to-authentication-find-coverage-gaps/details.png) |
active-directory | How To Certificate Based Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-certificate-based-authentication.md | |
active-directory | How To Mfa Authenticator Lite | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-authenticator-lite.md | Microsoft Authenticator Lite is another surface for Azure Active Directory (Azur Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in. >[!NOTE]->This is an important security enhancement for users authenticating via telecom transports. On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ. If you no longer wish for this feature to be enabled, move the state from 'default' toΓÇÿdisabledΓÇÖ or set users to include and exclude groups. +>These are important security enhancements for users authenticating via telecom transports: +>- On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ in the Authentication methods policy. If you no longer wish for this feature to be enabled, move the state from 'default' to ΓÇÿdisabledΓÇÖ or scope it to only a group of users. +>- Starting September 18, Authenticator Lite will be enabled as part of the *Notification through mobile app* verification option in the per-user MFA policy. If you don't want this feature enabled, you can disable it in the Authentication methods policy following the steps below. ## Prerequisites -- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the modern Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server or that have not started migration from per-user MFA are not eligible for this feature.+- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for all users or select groups. 
We recommend enabling Microsoft Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server are not eligible for this feature. >[!TIP] >We recommend that you also enable [system-preferred multifactor authentication (MFA)](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred MFA enabled, users try to sign-in with Authenticator Lite before they try less secure telephony methods like SMS or voice call. Users receive a notification in Outlook mobile to approve or deny sign-in, or th ## Enable Authenticator Lite -By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings). On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ +By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) in the Authentication methods policy. On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ. Authenticator Lite is also included as part of the *Notification through mobile app* verification option in the per-user MFA policy. ### Disabling Authenticator Lite in Azure portal UX To disable Authenticator Lite in the Azure portal, complete the following steps: 1. In the Azure portal, click Azure Active Directory > Security > Authentication methods > Microsoft Authenticator. In the Entra admin center, on the sidebar select Azure Active Directory > Protect & Secure > Authentication methods > Microsoft Authenticator. - 2. On the Enable and Target tab, click Yes and All users to enable the Authenticator policy for everyone or add selected users and groups. 
Set the Authentication mode for these users/groups to Any or Push. + 2. On the Enable and Target tab, click Enable and All users to enable the Authenticator policy for everyone or add select groups. Set the Authentication mode for these users/groups to Any or Push. - Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application. +Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application. -<img width="1112" alt="Entra portal Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png"> +<img width="1112" alt="Microsoft Entra admin center Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png"> 3. On the Configure tab, for **Microsoft Authenticator on companion applications**, change Status to Disabled, and click Save. 
<img width="664" alt="Authenticator Lite configuration settings" src="https://user-images.githubusercontent.com/108090297/228603364-53f2581f-a4e0-42ee-8016-79b23e5eff6c.png"> +>[!NOTE] +> If your organization still manages authentication methods in the per-user MFA policy, you'll need to disable *Notification through mobile app* as a verification option there in addition to the steps above. We recommend doing this only after you've enabled Microsoft Authenticator in the Authentication methods policy. You can contine to manage the remainder of your authentication methods in the per-user MFA policy while Microsoft Authenticator is managed in the modern Authentication methods policy. However, we recommend [migrating](how-to-authentication-methods-manage.md) management of all authentication methods to the modern Authentication methods policy. The ability to manage authentication methods in the per-user MFA policy will be retired September 30, 2024. + ### Enable Authenticator Lite via Graph APIs | Property | Type | Description | |
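Review bot: the added NOTE has a typo, "You can contine to manage", which should be "continue". The bullet added near the top ("On June 26, the Microsoft managed value of this feature changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ") still carries the mis-encoded quote characters that the other commits in this batch are replacing with plain apostrophes; use plain ASCII quotes, 'disabled' and 'enabled', in the new text. Also, "click Enable and All users" on the Enable and Target tab reads as a single action; "select Enable, then choose All users or select groups" is clearer.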
active-directory | How To Mfa Server Migration Utility | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md | Take a look at our video for an overview of the MFA Server Migration Utility and ## Limitations and requirements -- The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You donΓÇÖt have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically.+- The MFA Server Migration Utility requires a new build of the MFA Server solution to be installed on your Primary MFA Server. The build makes updates to the MFA Server data file, and includes the new MFA Server Migration Utility. You don't have to update the WebSDK or User portal. Installing the update _doesn't_ start the migration automatically. - The MFA Server Migration Utility copies the data from the database file onto the user objects in Azure AD. During migration, users can be targeted for Azure AD MFA for testing purposes using [Staged Rollout](../hybrid/connect/how-to-connect-staged-rollout.md). Staged migration lets you test without making any changes to your domain federation settings. Once migrations are complete, you must finalize your migration by making changes to your domain federation settings. - AD FS running Windows Server 2016 or higher is required to provide MFA authentication on any AD FS relying parties, not including Azure AD and Office 365. - Review your AD FS access control policies and make sure none requires MFA to be performed on-premises as part of the authentication process. 
A few important points: During the previous phases, you can remove users from the Staged Rollout folders to take them out of scope of Azure AD MFA and route them back to your on-premises Azure MFA server for all MFA requests originating from Azure AD. -**Phase 3** requires moving all clients that authenticate to the on-premises MFA Server (VPNs, password managers, and so on) to Azure AD federation via SAML/OAUTH. If modern authentication standards arenΓÇÖt supported, you're required to stand up NPS server(s) with the Azure AD MFA extension installed. Once dependencies are migrated, users should no longer use the User portal on the MFA Server, but rather should manage their authentication methods in Azure AD ([aka.ms/mfasetup](https://aka.ms/mfasetup)). Once users begin managing their authentication data in Azure AD, those methods won't be synced back to MFA Server. If you roll back to the on-premises MFA Server after users have made changes to their Authentication Methods in Azure AD, those changes will be lost. After user migrations are complete, change the [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) domain federation setting. The change tells Azure AD to no longer perform MFA on-premises and to perform _all_ MFA requests with Azure AD MFA, regardless of group membership. +**Phase 3** requires moving all clients that authenticate to the on-premises MFA Server (VPNs, password managers, and so on) to Azure AD federation via SAML/OAUTH. If modern authentication standards aren't supported, you're required to stand up NPS server(s) with the Azure AD MFA extension installed. Once dependencies are migrated, users should no longer use the User portal on the MFA Server, but rather should manage their authentication methods in Azure AD ([aka.ms/mfasetup](https://aka.ms/mfasetup)). 
Once users begin managing their authentication data in Azure AD, those methods won't be synced back to MFA Server. If you roll back to the on-premises MFA Server after users have made changes to their Authentication Methods in Azure AD, those changes will be lost. After user migrations are complete, change the [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) domain federation setting. The change tells Azure AD to no longer perform MFA on-premises and to perform _all_ MFA requests with Azure AD MFA, regardless of group membership. The following sections explain the migration steps in more detail. Open MFA Server, click **Company Settings**: |OATH Token tab|Not applicable; Azure AD MFA uses a default message for OATH tokens| |Reports|[Azure AD Authentication Methods Activity reports](howto-authentication-methods-activity.md)| -<sup>*</sup>When a PIN is used to provide proof-of-presence functionality, the functional equivalent is provided above. PINs that arenΓÇÖt cryptographically tied to a device don't sufficiently protect against scenarios where a device has been compromised. To protect against these scenarios, including [SIM swap attacks](https://wikipedia.org/wiki/SIM_swap_scam), move users to more secure methods according to Microsoft authentication methods [best practices](concept-authentication-methods.md). +<sup>*</sup>When a PIN is used to provide proof-of-presence functionality, the functional equivalent is provided above. PINs that aren't cryptographically tied to a device don't sufficiently protect against scenarios where a device has been compromised. To protect against these scenarios, including [SIM swap attacks](https://wikipedia.org/wiki/SIM_swap_scam), move users to more secure methods according to Microsoft authentication methods [best practices](concept-authentication-methods.md). 
<sup>**</sup>The default SMS MFA experience in Azure AD MFA sends users a code, which they're required to enter in the login window as part of authentication. The requirement to roundtrip the SMS code provides proof-of-presence functionality. Open MFA Server, click **User Portal**: |Use OATH token for fallback|See [OATH token documentation](howto-mfa-mfasettings.md#oath-tokens)| |Session Timeout|| |**Security Questions tab** |Security questions in MFA Server were used to gain access to the User portal. Azure AD MFA only supports security questions for self-service password reset. See [security questions documentation](concept-authentication-security-questions.md).|-|**Passed Sessions tab**|All authentication method registration flows are managed by Azure AD and donΓÇÖt require configuration| +|**Passed Sessions tab**|All authentication method registration flows are managed by Azure AD and don't require configuration| |**Trusted IPs**|[Azure AD trusted IPs](howto-mfa-mfasettings.md#trusted-ips)| Any MFA methods available in MFA Server must be enabled in Azure AD MFA by using [MFA Service settings](howto-mfa-mfasettings.md#mfa-service-settings). Users can't try their newly migrated MFA methods unless they're enabled. #### Authentication services Azure MFA Server can provide MFA functionality for third-party solutions that use RADIUS or LDAP by acting as an authentication proxy. To discover RADIUS or LDAP dependencies, click **RADIUS Authentication** and **LDAP Authentication** options in MFA Server. For each of these dependencies, determine if these third parties support modern authentication. If so, consider federation directly with Azure AD. -For RADIUS deployments that canΓÇÖt be upgraded, youΓÇÖll need to deploy an NPS Server and install the [Azure AD MFA NPS extension](howto-mfa-nps-extension.md). +For RADIUS deployments that can't be upgraded, you'll need to deploy an NPS Server and install the [Azure AD MFA NPS extension](howto-mfa-nps-extension.md). 
-For LDAP deployments that canΓÇÖt be upgraded or moved to RADIUS, [determine if Azure Active Directory Domain Services can be used](../architecture/auth-ldap.md). In most cases, LDAP was deployed to support in-line password changes for end users. Once migrated, end users can manage their passwords by using [self-service password reset in Azure AD](tutorial-enable-sspr.md). +For LDAP deployments that can't be upgraded or moved to RADIUS, [determine if Azure Active Directory Domain Services can be used](../architecture/auth-ldap.md). In most cases, LDAP was deployed to support in-line password changes for end users. Once migrated, end users can manage their passwords by using [self-service password reset in Azure AD](tutorial-enable-sspr.md). -If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfaserver-adfs-windows-server.md#secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server) on any relying party trusts except for the Office 365 relying party trust, youΓÇÖll need to upgrade to [AD FS 3.0](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server) or federate those relying parties directly to Azure AD if they support modern authentication methods. Determine the best plan of action for each of the dependencies. +If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfaserver-adfs-windows-server.md#secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server) on any relying party trusts except for the Office 365 relying party trust, you'll need to upgrade to [AD FS 3.0](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server) or federate those relying parties directly to Azure AD if they support modern authentication methods. Determine the best plan of action for each of the dependencies. 
### Backup Azure AD MFA Server datafile Make a backup of the MFA Server data file located at %programfiles%\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata (default location) on your primary MFA Server. Make sure you have a copy of the installer for your currently installed version in case you need to roll back. If you no longer have a copy, contact Customer Support Services. The **Settings** option allows you to change the settings for the migration proc - User Match ΓÇô Allows you to specify a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName: - The migration utility tries direct matching to UPN before using the on-premises Active Directory attribute. - If no match is found, it calls a Windows API to find the Azure AD UPN and get the SID, which it uses to search the MFA Server user list. - - If the Windows API doesnΓÇÖt find the user or the SID isnΓÇÖt found in the MFA Server, then it will use the configured Active Directory attribute to find the user in the on-premises Active Directory, and then use the SID to search the MFA Server user list. + - If the Windows API doesn't find the user or the SID isn't found in the MFA Server, then it will use the configured Active Directory attribute to find the user in the on-premises Active Directory, and then use the SID to search the MFA Server user list. - Automatic synchronization ΓÇô Starts a background service that will continually monitor any authentication method changes to users in the on-premises MFA Server, and write them to Azure AD at the specified time interval defined. - Synchronization server ΓÇô Allows the MFA Server Migration Sync service to run on a secondary MFA Server rather than only run on the primary. 
To configure the Migration Sync service to run on a secondary server, the `Configure-MultiFactorAuthMigrationUtility.ps1` script must be run on the server to register a certificate with the MFA Server Migration Utility app registration. The certificate is used to authenticate to Microsoft Graph. The manual process steps are: 1. To begin the migration process for a user or selection of multiple users, press and hold the Ctrl key while selecting each of the user(s) you wish to migrate. 1. After you select the desired users, click **Migrate Users** > **Selected users** > **OK**. 1. To migrate all users in the group, click **Migrate Users** > **All users in AAD group** > **OK**.-1. You can migrate users even if they are unchanged. By default, the utility is set to **Only migrate users that have changed**. Click **Migrate all users** to re-migrate previously migrated users that are unchanged. Migrating unchanged users can be useful during testing if an administrator needs to reset a userΓÇÖs Azure MFA settings and wants to re-migrate them. +1. You can migrate users even if they are unchanged. By default, the utility is set to **Only migrate users that have changed**. Click **Migrate all users** to re-migrate previously migrated users that are unchanged. Migrating unchanged users can be useful during testing if an administrator needs to reset a user's Azure MFA settings and wants to re-migrate them. :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/migrate-users.png" alt-text="Screenshot of Migrate users dialog."::: The following table lists the sync logic for the various methods. 
|**Mobile App**|Maximum of five devices will be migrated or only four if the user also has a hardware OATH token.<br>If there are multiple devices with the same name, only migrate the most recent one.<br>Devices will be ordered from newest to oldest.<br>If devices already exist in Azure AD, match on OATH Token Secret Key and update.<br>- If there's no match on OATH Token Secret Key, match on Device Token<br>-- If found, create a Software OATH Token for the MFA Server device to allow OATH Token method to work. Notifications will still work using the existing Azure AD MFA device.<br>-- If not found, create a new device.<br>If adding a new device will exceed the five-device limit, the device will be skipped. | |**OATH Token**|If devices already exist in Azure AD, match on OATH Token Secret Key and update.<br>- If not found, add a new Hardware OATH Token device.<br>If adding a new device will exceed the five-device limit, the OATH token will be skipped.| -MFA Methods will be updated based on what was migrated and the default method will be set. MFA Server will track the last migration timestamp and only migrate the user again if the userΓÇÖs MFA settings change or an admin modifies what to migrate in the **Settings** dialog. +MFA Methods will be updated based on what was migrated and the default method will be set. MFA Server will track the last migration timestamp and only migrate the user again if the user's MFA settings change or an admin modifies what to migrate in the **Settings** dialog. During testing, we recommend doing a manual migration first, and test to ensure a given number of users behave as expected. Once testing is successful, turn on automatic synchronization for the Azure AD group you wish to migrate. As you add users to this group, their information will be automatically synchronized to Azure AD. MFA Server Migration Utility targets one Azure AD group, however that group can encompass both users and nested groups of users. 
Once complete, a confirmation will inform you of the tasks completed: As mentioned in the confirmation message, it can take several minutes for the migrated data to appear on user objects within Azure AD. Users can view their migrated methods by navigating to [aka.ms/mfasetup](https://aka.ms/mfasetup). +#### View migration details ++You can use Audit logs or Log Analytics to view details of MFA Server to Azure MFA user migrations. ++##### Use Audit logs +To access the Audit logs in the Azure portal to view details of MFA Server to Azure MFA user migrations, follow these steps: ++1. Click **Azure Active Directory** > **Audit logs**. To filter the logs, click **Add filters**. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/add-filter.png" alt-text="Screenshot of how to add filters."::: ++1. Select **Initiated by (actor)** and click **Apply**. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/actor.png" alt-text="Screenshot of Initiated by Actor option."::: ++1. Type _Azure MFA Management_ and click **Apply**. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/apply-actor.png" alt-text="Screenshot of MFA management option."::: ++1. This filter displays only MFA Server Migration Utility logs. To view details for a user migration, click a row, and then choose the **Modified Properties** tab. This tab shows changes to registered MFA methods and phone numbers. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/changes.png" alt-text="Screenshot of user migration details."::: ++ The following table lists the authentication method for each code. ++ | Code | Method | + |:--|:| + | 0 | Voice mobile | + | 2 | Voice office | + | 3 | Voice alternate mobile | + | 5 | SMS | + | 6 | Microsoft Authenticator push notification | + | 7 | Hardware or software token OTP | ++1. 
If any user devices were migrated, there is a separate log entry. ++ :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/migrated-device.png" alt-text="Screenshot of a migrated device."::: +++##### Use Log Analytics ++The details of MFA Server to Azure MFA user migrations can also be queried using Log Analytics. + +```kusto +AuditLogs +| where ActivityDateTime > ago(7d) +| extend InitiatedBy = tostring(InitiatedBy["app"]["displayName"]) +| where InitiatedBy == "Azure MFA Management" +| extend UserObjectId = tostring(TargetResources[0]["id"]) +| extend Upn = tostring(TargetResources[0]["userPrincipalName"]) +| extend ModifiedProperties = TargetResources[0]["modifiedProperties"] +| project ActivityDateTime, InitiatedBy, UserObjectId, Upn, ModifiedProperties +| order by ActivityDateTime asc +``` ++This screenshot shows changes for user migration: +++This screenshot shows changes for device migration: +++Log Analytics can also be used to summarize user migration activity. ++```kusto +AuditLogs +| where ActivityDateTime > ago(7d) +| extend InitiatedBy = tostring(InitiatedBy["app"]["displayName"]) +| where InitiatedBy == "Azure MFA Management" +| extend UserObjectId = tostring(TargetResources[0]["id"]) +| summarize UsersMigrated = dcount(UserObjectId) by InitiatedBy, bin(ActivityDateTime, 1d) +``` ++ ### Validate and test Once you've successfully migrated user data, you can validate the end-user experience using Staged Rollout before making the global tenant change. The following process will allow you to target specific Azure AD group(s) for Staged Rollout for MFA. Staged Rollout tells Azure AD to perform MFA by using Azure AD MFA for users in the targeted groups, rather than sending them on-premises to perform MFA. You can validate and testΓÇöwe recommend using the Azure portal, but if you prefer, you can also use Microsoft Graph. Once you've successfully migrated user data, you can validate the end-user exper 1. 
Are users able to authenticate successfully using Hardware OATH tokens? ### Educate users-Ensure users know what to expect when they're moved to Azure MFA, including new authentication flows. You may also wish to instruct users to use the Azure AD Combined Registration portal ([aka.ms/mfasetup](https://aka.ms/mfasetup)) to manage their authentication methods rather than the User portal once migrations are complete. Any changes made to authentication methods in Azure AD won't propagate back to your on-premises environment. In a situation where you had to roll back to MFA Server, any changes users have made in Azure AD wonΓÇÖt be available in the MFA Server User portal. +Ensure users know what to expect when they're moved to Azure MFA, including new authentication flows. You may also wish to instruct users to use the Azure AD Combined Registration portal ([aka.ms/mfasetup](https://aka.ms/mfasetup)) to manage their authentication methods rather than the User portal once migrations are complete. Any changes made to authentication methods in Azure AD won't propagate back to your on-premises environment. In a situation where you had to roll back to MFA Server, any changes users have made in Azure AD won't be available in the MFA Server User portal. -If you use third-party solutions that depend on Azure MFA Server for authentication (see [Authentication services](#authentication-services)), youΓÇÖll want users to continue to make changes to their MFA methods in the User portal. These changes will be synced to Azure AD automatically. Once you've migrated these third party solutions, you can move users to the Azure AD combined registration page. +If you use third-party solutions that depend on Azure MFA Server for authentication (see [Authentication services](#authentication-services)), you'll want users to continue to make changes to their MFA methods in the User portal. These changes will be synced to Azure AD automatically. 
Once you've migrated these third party solutions, you can move users to the Azure AD combined registration page. ### Complete user migration Repeat migration steps found in [Migrate user data](#migrate-user-data) and [Validate and test](#validate-and-test) sections until all user data is migrated. Repeat migration steps found in [Migrate user data](#migrate-user-data) and [Val Using the data points you collected in [Authentication services](#authentication-services), begin carrying out the various migrations necessary. Once this is completed, consider having users manage their authentication methods in the combined registration portal, rather than in the User portal on MFA server. ### Update domain federation settings-Once you've completed user migrations, and moved all of your [Authentication services](#authentication-services) off of MFA Server, itΓÇÖs time to update your domain federation settings. After the update, Azure AD no longer sends MFA request to your on-premises federation server. +Once you've completed user migrations, and moved all of your [Authentication services](#authentication-services) off of MFA Server, it's time to update your domain federation settings. After the update, Azure AD no longer sends MFA request to your on-premises federation server. To configure Azure AD to ignore MFA requests to your on-premises federation server, install the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-&preserve-view=true) and set [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true) to `rejectMfaByFederatedIdp`, as shown in the following example. Content-Type: application/json } ``` -Users will no longer be redirected to your on-premises federation server for MFA, whether theyΓÇÖre targeted by the Staged Rollout tool or not. Note this can take up to 24 hours to take effect. 
+Users will no longer be redirected to your on-premises federation server for MFA, whether they're targeted by the Staged Rollout tool or not. Note this can take up to 24 hours to take effect. >[!NOTE] >The update of the domain federation setting can take up to 24 hours to take effect. |
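Review bot: In the new "View migration details" section, the code table's delimiter row `|:--|:|` is not a valid markdown alignment row (the second cell needs at least one hyphen, as in `|:--|:--|`), so the table will not render. The same table lists codes 0, 2, 3, 5, 6 and 7; say whether codes 1 and 4 are deliberately omitted or add them. The two lines "This screenshot shows changes for user migration:" and "This screenshot shows changes for device migration:" have no `:::image` directive after them in this hunk, unlike the earlier numbered steps, so either the images are missing or the sentences should go. In the summary query, `dcount(UserObjectId)` is a HyperLogLog estimate; a migration tally should be exact, so use `dcount(UserObjectId, 4)` or `count_distinct(UserObjectId)`, and grouping `by InitiatedBy` is redundant once the preceding `where` has pinned it to a single value. Finally, the new heading and its lead sentences say "Azure MFA" where the rest of the article says "Azure AD MFA".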
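Review bot: The **Settings** hunk fixes the apostrophes in "doesn't" and "isn't" but leaves the same byte-level garbling in the adjacent bullets ("User Match ΓÇô", "Automatic synchronization ΓÇô", "Synchronization server ΓÇô"), and "You can validate and testΓÇöwe recommend" in the Validate and test section keeps a garbled dash as well. Finish the encoding cleanup in this commit rather than leaving the page half-fixed; a file-wide search for `ΓÇ` will find the remaining ones.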
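Review bot: The re-added paragraph "Users will no longer be redirected… Note this can take up to 24 hours to take effect." is immediately followed by a `[!NOTE]` callout that says the same thing; keep one, preferably the callout, and drop the inline sentence. In the same hunk, "Azure AD no longer sends MFA request to your on-premises federation server" should read "MFA requests". The unchanged lead-in "To configure Azure AD to ignore MFA requests to your on-premises federation server" also understates what `rejectMfaByFederatedIdp` does: Azure AD rejects any MFA claim asserted by the federated IdP and performs MFA itself for every user, which is how the Phase 3 text earlier in the article describes it. Phrase this step the same way so readers understand it disables on-premises MFA for the whole domain, not just for users outside the Staged Rollout groups.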
active-directory | How To Migrate Mfa Server To Azure Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md | description: Step-by-step guidance to migrate from MFA Server on-premises to Azu + Last updated 01/29/2023 |
active-directory | How To Migrate Mfa Server To Mfa With Federation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md | Title: Migrate to Azure AD MFA with federations description: Step-by-step guidance to move from MFA Server on-premises to Azure AD MFA with federation + Last updated 05/23/2023 |
active-directory | Howto Authentication Passwordless Phone | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-phone.md | description: Enable passwordless sign-in to Azure AD using Microsoft Authenticat + Last updated 05/16/2023 |
active-directory | Howto Authentication Use Email Signin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md | description: Learn how to enable users to sign in to Azure Active Directory with + Last updated 06/01/2023 -> Sign-in to Azure AD with email as an alternate login ID is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Sign-in to Azure AD with email as an alternate login ID is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). Many organizations want to let users sign in to Azure Active Directory (Azure AD) using the same credentials as their on-premises directory environment. With this approach, known as hybrid authentication, users only need to remember one set of credentials. |
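Review bot: The preview-terms link now points at `https://aka.ms/EntraPreviewsTermsOfUse`, but the link text still reads "Supplemental Terms of Use for Microsoft Azure Previews". If the short link resolves to Entra-specific preview terms, update the text to name that document; if it resolves to the same Azure supplemental terms, say so in the commit message so the next editor doesn't "fix" it again.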
active-directory | Howto Mfa Getstarted | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-getstarted.md | Title: Deployment considerations for Azure AD Multi-Factor Authentication description: Learn about deployment considerations and strategy for successful implementation of Azure AD Multi-Factor Authentication + Last updated 03/06/2023 |
active-directory | Howto Mfa Mfasettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-mfasettings.md | To unblock a user, complete the following steps: Users who report an MFA prompt as suspicious are set to **High User Risk**. Administrators can use risk-based policies to limit access for these users, or enable self-service password reset (SSPR) for users to remediate problems on their own. If you previously used the **Fraud Alert** automatic blocking feature and don't have an Azure AD P2 license for risk-based policies, you can use risk detection events to identify and disable impacted users and automatically prevent their sign-in. For more information about using risk-based policies, see [Risk-based access policies](../identity-protection/concept-identity-protection-policies.md). -To enable **Report suspicious activity** from the Authentication Methods Settings: +To enable **Report suspicious activity** from the Authentication methods **Settings**: 1. In the Azure portal, click **Azure Active Directory** > **Security** > **Authentication Methods** > **Settings**. -1. Set **Report suspicious activity** to **Enabled**. +1. Set **Report suspicious activity** to **Enabled**. The feature remains disabled if you choose **Microsoft managed**. For more information about Microsoft managed values, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md). 1. Select **All users** or a specific group. +1. Select a **Reporting code**. +1. Click **Save**. ++>[!NOTE] +>If you enable **Report suspicious activity** and specify a custom voice reporting value while the tenant still has **Fraud Alert** enabled in parallel with a custom voice reporting number configured, the **Report suspicious activity** value will be used instead of **Fraud Alert**. 
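Review bot: The new step "Select a **Reporting code**" and the new `[!NOTE]` use different names for what appears to be the same setting ("Reporting code" versus "custom voice reporting value" and "custom voice reporting number"); pick one term and say what the code is, that is, the digits a user keys during a voice-call prompt to flag it. The precedence statement in the note is useful, but since the paragraph above says the old **Fraud Alert** automatic block is replaced by the **High User Risk** signal, also state whether an existing Fraud Alert block configuration still takes effect when both features are enabled, or whether only the risk path applies once **Report suspicious activity** is on.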
### View suspicious activity events OATH TOTP hardware tokens typically come with a secret key, or seed, pre-program Programmable OATH TOTP hardware tokens that can be reseeded can also be set up with Azure AD in the software token setup flow. -OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms). +OATH hardware tokens are supported as part of a public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://aka.ms/EntraPreviewsTermsOfUse). ![Screenshot that shows the OATH tokens section.](media/concept-authentication-methods/mfa-server-oath-tokens-azure-ad.png) The following table lists more numbers for different countries. | Sri Lanka | +94 117750440 | | Sweden | +46 701924176 | | Taiwan | +886 277515260 |-| Turkey | +90 8505404893 | +| T├╝rkiye | +90 8505404893 | | Ukraine | +380 443332393 | | United Arab Emirates | +971 44015046 | | Vietnam | +84 2039990161 | |
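Review bot: The renamed country row appears here as `T├╝rkiye`, which is the same kind of byte garbling as the `ΓÇÖ` apostrophes that the other hunks on this page are removing; confirm the file is committed as UTF-8 so the ü survives, otherwise this rename introduces a new mojibake to clean up later. The OATH hardware token paragraph has the same link-text mismatch as the email sign-in article: the target is now `https://aka.ms/EntraPreviewsTermsOfUse` while the text still says "Supplemental Terms of Use for Microsoft Azure Previews".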
active-directory | Howto Mfa Nps Extension Errors | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-errors.md | If you encounter errors with the NPS extension for Azure AD Multi-Factor Authent | **REQUEST_FORMAT_ERROR** <br> Radius Request missing mandatory Radius userName\Identifier attribute.Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension does not work when installed over such installations and errors out since it cannot read the details from the authentication request. | | **REQUEST_MISSING_CODE** | Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. **PAP** supports all the authentication methods of Azure AD MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. **CHAPV2** and **EAP** support phone call and mobile app notification. | | **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you are using cross-forest trusts, [contact support](#contact-microsoft-support) for further help. |+| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP will observe user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. 
For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). | ### Alternate login ID errors |
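Review bot: The new **Challenge requested in Authentication Ext for User** row recommends `OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE` as the fallback when PAP is not an option without saying what that costs: it turns number-matching push back into plain Approve/Deny push, which is exactly the prompt style that MFA-fatigue (push bombing) attacks depend on. State that trade-off explicitly and order the remedies: move the NAS to PAP first, disable number matching only as a last resort, and watch the NPS extension logs for repeated prompts afterwards. The cell also breaks across two lines before "For further help, please check"; a markdown table cell can't contain a newline, so join it with `<br>` as the **REQUEST_FORMAT_ERROR** row above does.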
active-directory | Howto Mfa Nps Extension Rdg | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md | description: Integrate your Remote Desktop Gateway infrastructure with Azure AD + Last updated 01/29/2023 |
active-directory | Howto Mfa Nps Extension Vpn | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md | description: Integrate your VPN infrastructure with Azure AD MFA by using the Ne + Last updated 01/29/2023 |
active-directory | Howto Mfa Nps Extension | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension.md | |
active-directory | Howto Mfa Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-reporting.md | |
active-directory | Howto Mfa Userdevicesettings | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md | Install the Microsoft.Graph.Identity.Signins PowerShell module using the followi ```powershell Install-module Microsoft.Graph.Identity.Signins-Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All +Connect-MgGraph -Scopes "User.Read.all","UserAuthenticationMethod.Read.All","UserAuthenticationMethod.ReadWrite.All" Select-MgProfile -Name beta ``` |
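Review bot: `-Scopes "User.Read.all","UserAuthenticationMethod.Read.All","UserAuthenticationMethod.ReadWrite.All"` requests more than it needs: `UserAuthenticationMethod.ReadWrite.All` already covers the read operations, so drop `UserAuthenticationMethod.Read.All`, and fix the casing of `User.Read.all` to `User.Read.All` to match the other scope names. The following context line `Select-MgProfile -Name beta` only exists in Microsoft Graph PowerShell SDK 1.x; in 2.x the beta cmdlets moved to the `Microsoft.Graph.Beta.*` modules and `Select-MgProfile` was removed, so the snippet should say which SDK version it assumes or be updated alongside this scope change.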
active-directory | Howto Mfa Userstates | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userstates.md | |
active-directory | Howto Password Smart Lockout | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-password-smart-lockout.md | Based on your organizational requirements, you can customize the Azure AD smart To check or modify the smart lockout values for your organization, complete the following steps: -1. Sign in to the [Entra portal](https://entra.microsoft.com/#home). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/#home). 1. Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**. 1. Set the **Lockout threshold**, based on how many failed sign-ins are allowed on an account before its first lockout. |
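Review bot: Step 1 now says "Sign in to the Microsoft Entra admin center", but step 2 still reads "Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**", which is the Azure portal navigation; in the Entra admin center the equivalent path is **Protection** > **Authentication methods** > **Password protection**. Update step 2 to match the portal that step 1 now names, otherwise the reader lands in one portal with directions for another.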
active-directory | Howto Registration Mfa Sspr Combined Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md | description: Troubleshoot Azure AD Multi-Factor Authentication and self-service + Last updated 01/29/2023 |
active-directory | Howto Sspr Authenticationdata | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-authenticationdata.md | |
active-directory | V1 Permissions Consent | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/azuread-dev/v1-permissions-consent.md | |
active-directory | Faqs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md | Title: Frequently asked questions (FAQs) about Microsoft Entra Permissions Management -description: Frequently asked questions (FAQs) about Microsoft Permissions Management. +description: Frequently asked questions (FAQs) about Microsoft Entra Permissions Management. This article answers frequently asked questions (FAQs) about Microsoft Entra Per Microsoft Entra Permissions Management (Permissions Management) is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle. - ## What are the prerequisites to use Permissions Management? Permissions Management supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use Permissions Management. Permissions Management currently supports the three major public clouds: Amazon Permissions Management currently doesn't support hybrid environments. -## What types of identities are supported by Permissions Management? +## What types of identities does Permissions Management support? Permissions Management supports user identities (for example, employees, customers, external partners) and workload identities (for example, virtual machines, containers, web apps, serverless functions). 
The Permissions Creep Index (PCI) is a quantitative measure of risk associated w ## How can customers use Permissions Management to delete unused or excessive permissions? -Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed. +Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size the permissions of that identity to permissions that are only being used for day-to-day operations. All unused and other risky permissions can be automatically removed. ## How can customers grant permissions on-demand with Permissions Management? No, Permissions Management doesn't have access to sensitive personal data. You can read our [blog](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/bg-p/Identity) and visit our [web page](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-permissions-management). You can also get in touch with your Microsoft point of contact to schedule a demo. -## What is the data destruction/decommission process? +## What is the data destruction/decommission process? ++If a customer initiates a free Permissions Management 45-day trial and does not convert to a paid license within 45 days of the trial expiration, all collected data is deleted within 30 days of the trial expiration date. 
++If a customer decides to discontinue licensing the service, all previously collected data is deleted within 30 days of license termination. ++Customers can also remove, export or modify specific data if a Global Administrator using the Permissions Management service files an official Data Subject Request. To file a request: -If a customer initiates a free Permissions Management 45-day trial, but does not follow up and convert to a paid license within 45 days of the free trial expiration, we will delete all collected data on or just before 45 days. +If you're an enterprise customer, you can contact your Microsoft representative, account team, or tenant admin to file a high-priority IcM support ticket requesting a Data Subject Request. Do not include details or any personally identifiable information in the IcM request. We'll reach out to you for these details only after an IcM is filed. -If a customer decides to discontinue licensing the service, we will also delete all previously collected data within 45 days of license termination. +If you're a self-service customer (you set up a trial or paid license in the Microsoft 365 admin center) you can contact the Permissions Management privacy team by selecting your profile drop-down menu, then **Account Settings** in Permissions Management. Follow the instructions to make a Data Subject Request. -We also have the ability to remove, export or modify specific data should the Global Administrator using the Entra Permissions Management service file an official Data Subject Request. This can be initiated by opening a ticket in the Azure portal [New support request - Microsoft Entra admin center](https://entra.microsoft.com/#blade/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical), or alternately contacting your local Microsoft representative. +Learn more about [Azure Data Subject Requests](https://go.microsoft.com/fwlink/?linkid=2245178). 
## Do I require a license to use Entra Permissions Management? Permissions Management is $125 per resources/year ($10.40 per resource/month). P ## Do I need to pay for all resources? -Although Permissions Management supports all resources, Microsoft only requires licenses for certain resources per cloud. To learn more about billable resources, visit [View billable resources listed in your authorization system](product-data-billable-resources.md) +Although Permissions Management supports all resources, Microsoft only requires licenses for billable resources per cloud environment. To learn more about billable resources, visit [View billable resources listed in your authorization system](product-data-billable-resources.md) -## How do I figure out how many resources I have? +## How do I calculate the number of billable resources I have? -To find out how many resources you have across your multicloud infrastructure, select Settings (gear icon) and view the Billable Resources tab in Permissions Management. +To calculate the billable resources you have across your multicloud infrastructure, you must first activate a [45-day free trial](https://aka.ms/TryPermissionsManagement) of Permissions Management or [purchase a paid license](https://aka.ms/BuyPermissionsManagement). In Permissions Management, select **Settings** (gear icon), then click the **Billable Resources** tab. View the amount of billable resources in the **Total Number of Licenses** column. ## What do I do if IΓÇÖm using the legacy version of the CloudKnox service? |
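Review bot: the rewritten trial paragraph in the data-destruction answer is internally inconsistent: it gives the customer 45 days after trial expiration to convert to a paid license, yet states that all collected data is deleted within 30 days of the trial expiration date, so the data would be gone before the conversion window closes. Please confirm which numbers are intended (the replaced text used 45 days for both deletion timelines, and the license-termination paragraph now also says 30 days) and align the conversion window with the deletion window so the two sentences cannot contradict each other.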
active-directory | Onboard Aws | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md | This option detects all AWS accounts that are accessible through OIDC role acces On the **Data Collectors** dashboard, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** - You have now completed onboarding AWS, and Permissions Management has started collecting and processing your data. + The status column in your Permissions Management UI shows you which step of data collection you're at: + + - **Pending**: Permissions Management has not started detecting or onboarding yet. + - **Discovering**: Permissions Management is detecting the authorization systems. + - **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. + - **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ### 7. View the data |
active-directory | Onboard Azure | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-azure.md | To view status of onboarding after saving the configuration: ### 2. Review and save. -- In **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.+1. In **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration.** On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.** - You have now completed onboarding Azure, and Permissions Management has started collecting and processing your data. + The status column in your Permissions Management UI shows you which step of data collection you're at: + + - **Pending**: Permissions Management has not started detecting or onboarding yet. + - **Discovering**: Permissions Management is detecting the authorization systems. + - **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. + - **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ### 3. View the data. -- To view the data, select the **Authorization Systems** tab.+1. To view the data, select the **Authorization Systems** tab. The **Status** column in the table displays **Collecting Data.** |
active-directory | Onboard Enable Controller After Onboarding | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-controller-after-onboarding.md | -With the controller, you determine what level of access to provide Permissions Management. +With the controller, you can decide what level of access to grant in Permissions Management. -* Enable to grant read and write access to your environment(s). You can manage permissions and remediate through Permissions Management. +* Enable to grant read and write access to your environments. You can right-size permissions and remediate through Permissions Management. -* Disable to grant read-only access to your environment(s). +* Disable to grant read-only access to your environments. This article describes how to enable the controller in Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete. This article also describes how to disable the controller in Microsoft Azure and ## Enable the controller in AWS > [!NOTE]-> You can enable the controller in AWS if you disabled it during onboarding. Once you enable the controller, you canΓÇÖt disable it at this time. +> You can enable the controller in AWS if you disabled it during onboarding. Once you enable the controller in AWS, you canΓÇÖt disable it. 1. Sign in to the AWS console of the member account in a separate browser window. 1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab. |
active-directory | Onboard Gcp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md | The required commands to run in Google Cloud Shell are listed in the Manage Auth ### 3. Review and save. -- In the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.+1. In the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**. The following message appears: **Successfully Created Configuration**. On the **Data Collectors** tab, the **Recently Uploaded On** column displays **Collecting**. The **Recently Transformed On** column displays **Processing.**-- You've completed onboarding GCP, and Permissions Management has started collecting and processing your data. + + The status column in your Permissions Management UI shows you which step of data collection you're at: + + - **Pending**: Permissions Management has not started detecting or onboarding yet. + - **Discovering**: Permissions Management is detecting the authorization systems. + - **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. + - **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ### 4. View the data. -- To view the data, select the **Authorization Systems** tab.+1. To view the data, select the **Authorization Systems** tab. The **Status** column in the table displays **Collecting Data.** |
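Review bot: the same four-bullet status list (**Pending**, **Discovering**, **In progress**, **Onboarded**) is added verbatim here and in the AWS and Azure onboarding articles in this batch, and once more in the new quickstart guide; consider moving it into a shared include so the copies cannot drift when a status name or description changes.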
active-directory | Permissions Management Quickstart Guide | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/permissions-management-quickstart-guide.md | + + Title: Microsoft Entra Permissions Management Quickstart Guide +description: Quickstart guide - How to quickly onboard your Microsoft Entra Permissions Management product +# CustomerIntent: As a security administrator, I want to successfully onboard Permissions Management so that I can enable identity security in my cloud environment as efficiently as possible.' +++++++ Last updated : 08/24/2023++++# Quickstart guide to Microsoft Entra Permissions Management ++Welcome to the Quickstart Guide for Microsoft Entra Permissions Management. ++Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. These identities include over-privileged workload and user identities, actions, and resources across multicloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permissions Management helps your organization effectively secure and manage cloud permissions by detecting, automatically right-sizing, and continuously monitoring unused and excessive permissions. ++With this quickstart guide, youΓÇÖll set up your multicloud environment(s), configure data collection, and enable permissions access to ensure your cloud identities are managed and secure. ++## Prerequisites ++Before you begin, you need access to these tools for the onboarding process: ++- Access to a local BASH shell with the Azure CLI or Azure Cloud Shell using BASH environment (Azure CLI is included). +- Access to AWS, Azure, and GCP consoles. 
+- A user must have *Global Administrator* or *Permissions Management Administrator* role assignments to create a new app registration in Entra ID tenant is required for AWS and GCP onboarding. +++## Step 1: Set-up Permissions Management ++To enable Permissions Management, you must have a Microsoft Entra ID tenant (example, Entra admin center). +- If you have an Azure account, you automatically have an Entra admin center tenant. +- If you donΓÇÖt already have one, create a free account at [entra.microsoft.com.](https://entra.microsoft.com) ++If the above points are met, continue with: ++[Enable Microsoft Entra Permissions Management in your organization](onboard-enable-tenant.md) ++Ensure you're a *Global Administrator* or *Permissions Management Administrator*. Learn more about [Permissions Management roles and permissions](product-roles-permissions.md). ++ +## Step 2: Onboard your multicloud environment ++So far youΓÇÖve, ++1. Been assigned the *Permissions Management Administrator* role in your Entra admin center tenant. +2. Purchased licenses or activated your 45-day free trial for Permissions Management. +3. Successfully launched Permissions Management. ++Now, you're going to learn about the role and settings of the Controller and Data collection modes in Permissions Management. ++### Set the controller +The controller gives you the choice to determine the level of access you grant to users in Permissions Management. ++- Enabling the controller during onboarding grants Permissions Management admin access, or read and write access, so users can right-size permissions and remediate directly through Permissions Management (instead of going to the AWS, Azure, or GCP consoles).ΓÇ» ++- Disabling the controller during onboarding, or never enabling it, grants a Permissions Management user read-only access to your environment(s). ++> [!NOTE] +> If you don't enable the controller during onboarding, you have the option to enable it after onboarding is complete. 
To set the controller in Permissions Management after onboarding, see [Enable or disable the controller after onboarding](onboard-enable-controller-after-onboarding.md). +> For AWS environments, once you have enabled the controller, you *cannot* disable it. ++To set the controller settings during onboarding: +1. Select **Enable** to give read and write access to Permissions Management. +2. Select **Disable** to give read-only access to Permissions Management. ++### Configure data collection ++There are three modes to choose from in order to collect data in Permissions Management. ++- **Automatic (recommended)** +Permissions Management automatically discovers, onboards, and monitors all current and future subscriptions. ++- **Manual** +Manually enter individual subscriptions for Permissions Management to discover, onboard, and monitor. You can enter up to 100 subscriptions per data collection. ++- **Select** +Permissions Management automatically discovers all current subscriptions. Once discovered, you select which subscriptions to onboard and monitor. ++> [!NOTE] +> To use **Automatic** or **Select** modes, the controller must be enabled while configuring data collection. ++To configure data collection: +1. In Permissions Management, navigate to the data collectors page. +2. Select a cloud environment: AWS, Azure, or GCP. +3. Click **Create configuration**. ++### Onboard Amazon Web Services (AWS) +Since Permissions Management is hosted on Microsoft Entra, there are more steps to take to onboard your AWS environment. ++To connect AWS to Permissions Management, you must create an Entra ID application in the Entra admin center tenant where Permissions Management is enabled. This Entra ID application is used to set up an OIDC connection to your AWS environment. 
++*OpenID Connect (OIDC) is an interoperable authentication protocol based on the OAuth 2.0 family of specifications.* ++### Prerequisites ++A user must have *Global Administrator* or *Permissions Management Administrator* role assignments to create a new app registration in Entra ID. ++Account IDs and roles for: +- AWS OIDC account: An AWS member account designated by you to create and host the OIDC connection through an OIDC IdP +- AWS Logging account (optional but recommended) +- AWS Management account (optional but recommended) +- AWS member accounts monitored and managed by Permissions Management (for manual mode) ++To use **Automatic** or **Select** data collection modes, you must connect your AWS Management account. ++During this step, you can enable the controller by entering the name of the S3 bucket with AWS CloudTrail activity logs (found on AWS Trails). ++To onboard your AWS environment and configure data collection, see [Onboard an Amazon Web Services (AWS) account](onboard-aws.md). ++### Onboard Microsoft Azure +When you enabled Permissions Management in the Entra ID tenant, an enterprise application for CIEM was created. To onboard your Azure environment, you grant permissions to this application for Permissions management. ++1. In the Entra ID tenant where Permissions management is enabled, locate the **Cloud Infrastructure Entitlement Management (CIEM)** enterprise application. ++2. Assign the *Reader* role to the CIEM application to allow Permissions management to read the Entra subscriptions in your environment. ++### Prerequisites +- A user with ```Microsoft.Authorization/roleAssignments/write``` permissions at the subscription or management group scope. ++- To use **Automatic** or **Select** data collection modes, you must assign the *Reader* role at the Management group scope. ++- To enable the controller, you must assign the *User Access Administrator* role to the CIEM application. 
++To onboard your Azure environment and configure data collection, see [Onboard a Microsoft Azure subscription](onboard-azure.md). +++### Onboard Google Cloud Platform (GCP) +Because Permissions Management is hosted on Microsoft Azure, there are additional steps to take to onboard your GCP environment. ++To connect GCP to Permissions Management, you must create an Entra admin center application in the Entra ID tenant where Permissions Management is enabled. This Entra admin center application is used to set up an OIDC connection to your GCP environment. ++*OpenID Connect (OIDC) is an interoperable authentication protocol based on the OAuth 2.0 family of specifications.* ++ +### Prerequisites +A user with the ability to create a new app registration in Entra (needed to facilitate the OIDC connection) is needed for AWS and GCP onboarding. + +ID details for: +- GCP OIDC project: a GCP project designated by you to create and host the OIDC connection through an OIDC IdP. + - Project number and project ID +- GCP OIDC Workload identity + - Pool ID, pool provider ID +- GCP OIDC service account + - G-suite IdP Secret name and G-suite IdP user email (optional) + - IDs for the GCP projects you wish to onboard (optional, for manual mode) ++Assign the *Viewer* and *Security Reviewer* roles to the GCP service account at the organization, folder, or project levels to grant Permissions management read access to your GCP environment. ++During this step, you have the option to **Enable** controller mode by assigning the *Role Administrator* and *Security Administrator* roles to the GCP service account at the organization, folder, or project levels. ++> [!NOTE] +> The Permissions Management default scope is at the project level. ++To onboard your GCP environment and configure data collection, see [Onboard a GCP project](onboard-gcp.md). ++## Summary ++Congratulations! You have finished configuring data collection for your environment(s), and the data collection process has begun. 
++The status column in your Permissions Management UI shows you which step of data collection you're at. ++ +- **Pending**: Permissions Management has not started detecting or onboarding yet. +- **Discovering**: Permissions Management is detecting the authorization systems. +- **In progress**: Permissions Management has finished detecting the authorization systems and is onboarding. +- **Onboarded**: Data collection is complete, and all detected authorization systems are onboarded to Permissions Management. ++> [!NOTE] +> Data collection might take time depending on the amount of authorization systems you've onboarded. While the data collection process continues, you can begin setting up [users and groups in Permissions Management](how-to-add-remove-user-to-group.md). ++## Next steps ++- [Enable or disable the controller after onboarding](onboard-enable-controller-after-onboarding.md) +- [Add an account/subscription/project after onboarding is complete](onboard-add-account-after-onboarding.md) +- [Create folders to organize your authorization systems](how-to-create-folders.md) ++References: +- [Permissions Management Glossary](multi-cloud-glossary.md) +- [Permissions Management FAQs](faqs.md) |
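Review bot: the Azure prerequisites say enabling the controller requires assigning the *User Access Administrator* role to the CIEM application but give no scope, while the *Reader* assignment in the same list is explicitly scoped to the management group for Automatic and Select modes; state the scope for *User Access Administrator* too, since that role lets the application grant roles to others and readers should know how wide the grant is. Also inconsistent within the new article: the AWS section says Permissions Management is "hosted on Microsoft Entra" while the GCP section says "hosted on Microsoft Azure"; the GCP section calls the app registration an "Entra admin center application" where the AWS section says "Entra ID application"; and the Azure onboarding step says "read the Entra subscriptions" where it means Azure subscriptions. Two wording fixes: the prerequisite bullet "A user must have *Global Administrator* or *Permissions Management Administrator* role assignments to create a new app registration in Entra ID tenant is required for AWS and GCP onboarding" merges two sentences, and the heading "Step 1: Set-up Permissions Management" should read "Set up".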
active-directory | Product Roles Permissions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-infrastructure-entitlement-management/product-roles-permissions.md | + + Title: Microsoft Entra Permissions Management roles and permissions +description: Review roles and the level of permissions assigned in Microsoft Entra Permissions Management. +# customerintent: As a cloud administer, I want to understand Permissions Management role assignments, so that I can effectively assign the correct permissions to users. +++++++ Last updated : 08/24/2023+++++# Microsoft Entra Permissions Management roles and permissions levels ++In Microsoft Azure and Microsoft Entra Permissions Management role assignments grant users permissions to monitor and take action in multicloud environments. ++- **Global Administrator**: Manages all aspects of Entra Admin Center and Microsoft services that use Entra Admin Center identities. +- **Billing Administrator**: Performs common billing related tasks like updating payment information. +- **Permissions Management Administrator**: Manages all aspects of Entra Permissions Management. ++See [Microsoft Entra ID built-in roles to learn more.](product-privileged-role-insights.md) ++## Enabling Permissions Management +- To activate a trial or purchase a license, you must have *Global Administrator* or *Billing Administrator* permissions. ++## Onboarding your Amazon Web Service (AWS), Microsoft Entra, or Google Cloud Platform (GCP) environments ++- To configure data collection, you must have *Permissions Management Administrator* or *Global Administrator* permissions. +- A user with *Global Administrator* or *Permissions Management Administrator* role assignments is required for AWS and GCP onboarding. 
++## Notes on permissions and roles in Permissions Management ++- Users can have the following permissions: + - Admin for all authorization system types + - Admin for selected authorization system types + - Fine-grained permissions for all or selected authorization system types +- If a user isn't an admin, they're assigned Microsoft Entra ID security group-based, fine-grained permissions for all or selected authorization system types: + - Viewers: View the specified AWS accounts, Azure subscriptions, and GCP projects + - Controller: Modify Cloud Infrastructure Entitlement Management (CIEM) properties and use the Remediation dashboard. + - Approvers: Able to approve permission requests + - Requestors: Request permissions in the specified AWS accounts, Entra subscriptions, and GCP projects. ++## Permissions Management actions and required roles ++Remediation +- To view the **Remediation** tab, you must have *Viewer*, *Controller*, or *Approver* permissions. +- To make changes in the **Remediation** tab, you must have *Controller* or *Approver* permissions. ++Autopilot +- To view and make changes in the **Autopilot** tab, you must be a *Permissions Management Administrator*. ++Alert +- Any user (admin, nonadmin) can create an alert. +- Only the user who creates the alert can edit, rename, deactivate, or delete the alert. ++Manage users or groups +- Only the owner of a group can add or remove a user from the group. +- Managing users and groups is only done in the Entra Admin Center. +++## Next steps ++For information about managing roles, policies and permissions requests in your organization, see [View roles/policies and requests for permission in the Remediation dashboard](ui-remediation.md). |
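Review bot: the onboarding heading lists "Amazon Web Service (AWS), Microsoft Entra, or Google Cloud Platform (GCP) environments", so the middle item should be "Microsoft Azure" (the cloud environment, not the identity service); the Requestors bullet likewise says "Entra subscriptions" for what the Viewers bullet calls "Azure subscriptions". The link "See [Microsoft Entra ID built-in roles to learn more.](product-privileged-role-insights.md)" has the trailing "to learn more." inside the link text and points at the privileged role insights article rather than a built-in roles reference; check the target and move the trailing words outside the brackets.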
active-directory | Block Legacy Authentication | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/block-legacy-authentication.md | The following messaging protocols support legacy authentication: - Universal Outlook - Used by the Mail and Calendar app for Windows 10. - Other clients - Other protocols identified as utilizing legacy authentication. -For more information about these authentication protocols and services, see [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md#filter-sign-in-activities). +For more information about these authentication protocols and services, see [Sign-in log activity details](../reports-monitoring/concept-sign-in-log-activity-details.md). ### Identify legacy authentication use Before you can block legacy authentication in your directory, you need to first #### Sign-in log indicators -1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Add the **Client App** column if it isn't shown by clicking on **Columns** > **Client App**. 1. Select **Add filters** > **Client App** > choose all of the legacy authentication protocols and select **Apply**. 1. If you've activated the [new sign-in activity reports preview](../reports-monitoring/concept-all-sign-ins.md), repeat the above steps also on the **User sign-ins (non-interactive)** tab. |
active-directory | Concept Condition Filters For Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-condition-filters-for-devices.md | There are multiple scenarios that organizations can now enable using filter for ## Create a Conditional Access policy -Filter for devices is an option when creating a Conditional Access policy in the Azure portal or using the Microsoft Graph API. +Filter for devices is an optional control when creating a Conditional Access policy. The following steps will help create two Conditional Access policies to support the first scenario under [Common scenarios](#common-scenarios). Policy 1: All users with the directory role of Global Administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Concept Conditional Access Cloud Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md | description: What are cloud apps, actions, and authentication context in an Azur + Previously updated : 06/27/2023 Last updated : 08/31/2023 -Target resources (formerly Cloud apps, actions, and authentication context) are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, actions, or authentication context. +Target resources (formerly Cloud apps, actions, and authentication context) are key signals in a Conditional Access policy. Conditional Access policies allow administrators to assign controls to specific applications, services, actions, or authentication context. -- Administrators can choose from the list of applications that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../app-proxy/what-is-application-proxy.md).+- Administrators can choose from the list of applications or services that include built-in Microsoft applications and any [Azure AD integrated applications](../manage-apps/what-is-application-management.md) including gallery, non-gallery, and applications published through [Application Proxy](../app-proxy/what-is-application-proxy.md). - Administrators may choose to define policy not based on a cloud application but on a [user action](#user-actions) like **Register security information** or **Register or join devices**, allowing Conditional Access to enforce controls around those actions. - Administrators can target [traffic forwarding profiles](#traffic-forwarding-profiles) from Global Secure Access for enhanced functionality. 
- Administrators can use [authentication context](#authentication-context) to provide an extra layer of security in applications. -![Define a Conditional Access policy and specify cloud apps](./media/concept-conditional-access-cloud-apps/conditional-access-cloud-apps-or-actions.png) ## Microsoft cloud applications Targeting this group of applications helps to avoid issues that may arise becaus Administrators can exclude the entire Office 365 suite or specific Office 365 cloud apps from the Conditional Access policy. -The following key applications are affected by the Office 365 cloud app: --- Exchange Online-- Microsoft 365 Search Service-- Microsoft Forms-- Microsoft Planner (ProjectWorkManagement)-- Microsoft Stream-- Microsoft Teams-- Microsoft To-Do-- Microsoft Flow-- Microsoft Office 365 Portal-- Microsoft Office client application-- Microsoft To-Do WebApp-- Microsoft Whiteboard Services-- Office Delve-- Office Online-- OneDrive-- Power Apps-- Power Automate-- Security & compliance portal-- SharePoint Online-- Skype for Business Online-- Skype and Teams Tenant Admin API-- Sway-- Yammer- A complete list of all services included can be found in the article [Apps included in Conditional Access Office 365 app suite](reference-office-365-application-contents.md). ### Microsoft Azure Management Because the policy is applied to the Azure management portal and API, services, - Azure Data Factory portal - Azure Event Hubs - Azure Service Bus -- [Azure SQL Database](/azure/azure-sql/database/conditional-access-configure)+- Azure SQL Database - SQL Managed Instance - Azure Synapse - Visual Studio subscriptions administrator portal -- [Microsoft IoT Central](https://apps.azureiotcentral.com/)+- Microsoft IoT Central > [!NOTE] > The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](../../azure-resource-manager/management/overview.md). 
It does not apply to [Azure AD PowerShell](/powershell/azure/active-directory/overview), which calls the [Microsoft Graph API](/graph/overview). For more information on how to set up a sample policy for Microsoft Azure Manage When a Conditional Access policy targets the Microsoft Admin Portals cloud app, the policy is enforced for tokens issued to application IDs of the following Microsoft administrative portals: -- Microsoft 365 Admin Center-- Exchange admin center - Azure portal+- Exchange admin center +- Microsoft 365 admin center +- Microsoft 365 Defender portal - Microsoft Entra admin center-- Security and Microsoft Purview compliance portal+- Microsoft Intune admin center +- Microsoft Purview compliance portal -Other Microsoft admin portals will be added over time. +We're continually adding more administrative portals to the list. > [!IMPORTANT]-> Microsoft Admin Poratls (preview) is not currently supported in Government clouds. +> Microsoft Admin Portals (preview) is not currently supported in Government clouds. > [!NOTE] > The Microsoft Admin Portals app applies to interactive sign-ins to the listed admin portals only. Sign-ins to the underlying resources or services like Microsoft Graph or Azure Resource Manager APIs are not covered by this application. Those resources are protected by the [Microsoft Azure Management](#microsoft-azure-management) app. This enables customers to move along the MFA adoption journey for admins without impacting automation that relies on APIs and PowerShell. When you are ready, Microsoft recommends using a [policy requiring administrators perform MFA always](howto-conditional-access-policy-admin-mfa.md) for comprehensive protection. User actions are tasks that can be performed by a user. 
Currently, Conditional A ## Traffic forwarding profiles -Traffic forwarding profiles in Global Secure Access enable administrators to define and control how traffic is routed through Microsoft Entra Internet Access and Microsoft Entra Private Access. Traffic forwarding profiles can be assigned to devices and remote networks. For an example of how to configure these traffic profiles in Conditional Access policy, see the article [How to require a compliant network check](../../global-secure-access/how-to-compliant-network.md). +Traffic forwarding profiles in Global Secure Access enable administrators to define and control how traffic is routed through Microsoft Entra Internet Access and Microsoft Entra Private Access. Traffic forwarding profiles can be assigned to devices and remote networks. For an example of how to apply a Conditional Access policy to these traffic profiles, see the article [How to apply Conditional Access policies to the Microsoft 365 traffic profile](../../global-secure-access/how-to-target-resource-microsoft-365-profile.md). For more information about these profiles, see the article [Global Secure Access traffic forwarding profiles](../../global-secure-access/concept-traffic-forwarding.md). For example, an organization may keep files in SharePoint sites like the lunch m ### Configure authentication contexts -Authentication contexts are managed in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**. +Authentication contexts are managed under **Azure Active Directory** > **Security** > **Conditional Access** > **Authentication context**. -![Manage authentication context in the Azure portal](./media/concept-conditional-access-cloud-apps/conditional-access-authentication-context-get-started.png) -Create new authentication context definitions by selecting **New authentication context** in the Azure portal. Organizations are limited to a total of 25 authentication context definitions. 
Configure the following attributes: +Create new authentication context definitions by selecting **New authentication context**. Organizations are limited to a total of 25 authentication context definitions. Configure the following attributes: - **Display name** is the name that is used to identify the authentication context in Azure AD and across applications that consume authentication contexts. We recommend names that can be used across resources, like "trusted devices", to reduce the number of authentication contexts needed. Having a reduced set limits the number of redirects and provides a better end to end-user experience. - **Description** provides more information about the policies it's used by Azure AD administrators and those applying authentication contexts to resources. Create new authentication context definitions by selecting **New authentication Administrators can select published authentication contexts in their Conditional Access policies under **Assignments** > **Cloud apps or actions** and selecting **Authentication context** from the **Select what this policy applies to** menu. #### Delete an authentication context |
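Review bot: the rewritten paragraph now ends with "Configure the following attributes:", but the bullet that follows it, "**Description** provides more information about the policies it's used by Azure AD administrators and those applying authentication contexts to resources", is still ungrammatical (unchanged context). Since the hunk already touches this block, suggest rewording it to "**Description** provides more information about the policies that use it, for Azure AD administrators and for those applying authentication contexts to resources." Also, "better end to end-user experience" in the **Display name** bullet reads as a misplaced hyphen; "better end-to-end user experience" is the intended phrase.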
active-directory | Concept Conditional Access Conditions | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-conditions.md | This setting has an effect on access attempts made from the following mobile app | Outlook mobile app | Exchange Online | Android, iOS | | Power BI app | Power BI service | Windows 10, Windows 8.1, Windows 7, Android, and iOS | | Skype for Business | Exchange Online| Android, iOS |-| Visual Studio Team Services app | Visual Studio Team Services | Windows 10, Windows 8.1, Windows 7, iOS, and Android | +| Azure DevOps Services (formerly Visual Studio Team Services, or VSTS) app | Azure DevOps Services (formerly Visual Studio Team Services, or VSTS) | Windows 10, Windows 8.1, Windows 7, iOS, and Android | ### Exchange ActiveSync clients |
active-directory | Concept Conditional Access Policy Common | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-policy-common.md | Policies in this category provide new ways to protect against compromise. -Find these templates in the **[Microsoft Entra admin center](https://entra.microsoft.com)** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category. +Find these templates in the [Microsoft Entra admin center](https://entra.microsoft.com) > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category. :::image type="content" source="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png" alt-text="Screenshot that shows how to create a Conditional Access policy from a preconfigured template in the Microsoft Entra admin center." lightbox="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png"::: > [!IMPORTANT]-> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. Simply navigate to **Microsoft Entra admin center** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Policies**, select the policy to open the editor and modify the excluded users and groups to select accounts you want to exclude. +> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. 
You can find these policies in the [Microsoft Entra admin center](https://entra.microsoft.com) > **Protection** > **Conditional Access** > **Policies**. Select a policy to open the editor and modify the excluded users and groups to select accounts you want to exclude. By default, each policy is created in [report-only mode](concept-conditional-access-report-only.md), we recommended organizations test and monitor usage, to ensure intended result, before turning on each policy. |
active-directory | Concept Conditional Access Session | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-session.md | For more information, see the article [Configure authentication session manageme - **Disable** only work when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy. You can choose to disable all users or specific users and groups. ## Disable resilience defaults |
active-directory | Concept Conditional Access Users Groups | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-conditional-access-users-groups.md | By default the policy provides an option to exclude the current user from the po ![Warning, don't lock yourself out!](./media/concept-conditional-access-users-groups/conditional-access-users-and-groups-lockout-warning.png) -If you do find yourself locked out, see [What to do if you're locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal) +If you do find yourself locked out, see [What to do if you're locked out?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out) ### External partner access |
active-directory | Concept Continuous Access Evaluation Strict Enforcement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-strict-enforcement.md | Repeat steps 2 and 3 with expanding groups of users until Strictly Enforce Locat Administrators can investigate the Sign-in logs to find cases with **IP address (seen by resource)**. -1. Sign in to the **Azure portal** as at least a Global Reader. -1. Browse to **Azure Active Directory** > **Sign-ins**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Find events to review by adding filters and columns to filter out unnecessary information. 1. Add the **IP address (seen by resource)** column and filter out any blank items to narrow the scope. The **IP address (seen by resource)** is blank when that IP seen by Azure AD matches the IP address seen by the resource. |
active-directory | Concept Continuous Access Evaluation Workload | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md | Last updated 07/22/2022 -+ -# Continuous access evaluation for workload identities (preview) +# Continuous access evaluation for workload identities Continuous access evaluation (CAE) for [workload identities](../workload-identities/workload-identities-overview.md) provides security benefits to your organization. It enables real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for workload identities. Continuous access evaluation doesn't currently support managed identities. ## Scope of preview -The continuous access evaluation for workload identities public preview scope includes support for Microsoft Graph as a resource provider. +The continuous access evaluation for workload identities is supported only on access requests sent to Microsoft Graph as a resource provider. More resource providers will be added over time. -The preview targets service principals for line of business (LOB) applications. +Service principals for line of business (LOB) applications are supported We support the following revocation events: When a clientΓÇÖs access to a resource is blocked due to CAE being triggered, th The following steps detail how an admin can verify sign in activity in the sign-in logs: -1. Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. 
Browse to **Identity** > **Monitoring & health** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process. 1. Select an entry to see activity details. The **Continuous access evaluation** field indicates whether a CAE token was issued in a particular sign-in attempt. ## Next steps The following steps detail how an admin can verify sign in activity in the sign- - [Register an application with Azure AD and create a service principal](../develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) - [How to use Continuous Access Evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md) - [Sample application using continuous access evaluation](https://github.com/Azure-Samples/ms-identity-dotnetcore-daemon-graph-cae)+- [Securing workload identities with Azure AD Identity Protection](../identity-protection/concept-workload-identity-risk.md) - [What is continuous access evaluation?](../conditional-access/concept-continuous-access-evaluation.md) |
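Review bot: the added line "+Service principals for line of business (LOB) applications are supported We support the following revocation events:" is missing a sentence terminator after "supported"; as written the two sentences run together. Suggest "+Service principals for line of business (LOB) applications are supported." followed by the existing "We support the following revocation events:" on its own line. Separately, the title hunk drops "(preview)" from "# Continuous access evaluation for workload identities", but the unchanged heading "## Scope of preview" and the phrase "provides security benefits" context still frame the feature as a preview; if the feature is now generally available, the heading should be renamed (for example "## Scope of support") so the article is consistent with its title.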
active-directory | Concept Continuous Access Evaluation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md | The CAE setting has been moved to under the Conditional Access blade. New CAE cu #### Migration -Customers who have configured CAE settings under Security before have to migrate settings to a new Conditional Access policy. Use the steps that follow to migrate your CAE settings to a Conditional Access policy. ---1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Continuous access evaluation**. -1. You have the option to **Migrate** your policy. This action is the only one that you have access to at this point. -1. Browse to **Conditional Access** and you find a new policy named **Conditional Access policy created from CAE settings** with your settings configured. Administrators can choose to customize this policy or create their own to replace it. +Customers who have configured CAE settings under Security before have to migrate settings to a new Conditional Access policy. The following table describes the migration experience of each customer group based on previously configured CAE settings. Changes made to Conditional Access policies and group membership made by adminis When Conditional Access policy or group membership changes need to be applied to certain users immediately, you have two options. 
- Run the [revoke-mgusersign PowerShell command](/powershell/module/microsoft.graph.users.actions/revoke-mgusersigninsession) to revoke all refresh tokens of a specified user.-- Select "Revoke Session" on the user profile page in the Azure portal to revoke the user's session to ensure that the updated policies are applied immediately.+- Select "Revoke Session" on the user profile page to revoke the user's session to ensure that the updated policies are applied immediately. ### IP address variation and networks with IP address shared or unknown egress IPs |
active-directory | Concept Filter For Applications | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-filter-for-applications.md | Application filters are a new feature for Conditional Access that allows organiz In this document, you create a custom attribute set, assign a custom security attribute to your application, and create a Conditional Access policy to secure the application. > [!IMPORTANT]-> Filter for applications is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Filter for applications is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Assign roles Custom security attributes are security sensitive and can only be managed by del 1. Assign the appropriate role to the users who will manage or report on these attributes at the directory scope. - For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md). + For detailed steps, see [Assign Azure roles](../../role-based-access-control/role-assignments-portal.md). ## Create custom security attributes Follow the instructions in the article, [Add or deactivate custom security attri :::image type="content" source="media/concept-filter-for-applications/edit-filter-for-applications.png" alt-text="A screenshot showing a Conditional Access policy with the edit filter window showing an attribute of require MFA." lightbox="media/concept-filter-for-applications/edit-filter-for-applications.png"::: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. 
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. Set up a sample application that, demonstrates how a job or a Windows service ca When you don't have a service principal listed in your tenant, it can't be targeted. The Office 365 suite is an example of one such service principal. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Select the service principal you want to apply a custom security attribute to. 1. Under **Manage** > **Custom security attributes (preview)**, select **Add assignment**. 1. Under **Attribute set**, select **ConditionalAccessTest**. |
active-directory | Concept Token Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/concept-token-protection.md | Token protection (sometimes referred to as token binding in the industry) attemp Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means: A policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource. > [!IMPORTANT]-> Token protection is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -+> Token protection is currently in public preview. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). With this preview, we're giving you the ability to create a Conditional Access policy to require token protection for sign-in tokens (refresh tokens) for specific services. We support token protection for sign-in tokens in Conditional Access for desktop applications accessing Exchange Online and SharePoint Online on Windows devices. > [!IMPORTANT] Users who perform specialized roles like those described in [Privileged access s The steps that follow help create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. 
Browse to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **New policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. Monitoring Conditional Access enforcement of token protection before and after e Use Azure AD sign-in log to verify the outcome of a token protection enforcement policy in report only mode or in enabled mode. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Sign-in logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Select a specific request to determine if the policy is applied or not. 1. Go to the **Conditional Access** or **Report-Only** pane depending on its state and select the name of your policy requiring token protection. 1. Under **Session Controls** check to see if the policy requirements were satisfied or not. |
active-directory | How To App Protection Policy Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md | App protection policies apply mobile application management (MAM) to specific ap ## Prerequisites -Customers interested in the public preview will need to opt-in using the [MAM for Windows Public Preview Sign Up Form](https://aka.ms/MAMforWindowsPublic). +Customers interested in the public preview need to opt in using the [MAM for Windows Public Preview Sign Up Form](https://aka.ms/MAMforWindowsPublic). ## User exclusions [!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] The following policy is put in to [Report-only mode](howto-conditional-access-in ### Require app protection policy for Windows devices -The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [Preview: App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). +The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [Preview: App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). The following policy includes multiple controls allowing devices to either use app protection policies for mobile application management (MAM) or be managed and compliant with mobile device management (MDM) policies. -1. 
Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. The following steps help create a Conditional Access policy requiring an app pro 1. **Client apps**, set **Configure** to **Yes**. 1. Select **Browser** only. 1. Under **Access controls** > **Grant**, select **Grant access**.- 1. Select **Require app protection policy** + 1. Select **Require app protection policy** and **Require device to be marked as compliant**. 1. **For multiple controls** select **Require one of the selected controls** 1. Confirm your settings and set **Enable policy** to **Report-only**. 1. Select **Create** to create to enable your policy. -After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**. +After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**. ++> [!TIP] +> Organizations should also deploy a policy that [blocks access from unsupported or unknown device platforms](howto-policy-unknown-unsupported-device.md) along with this policy. 
## Sign in to Windows devices -When users attempt to sign in to a site that is protected by an app protection policy for the first time, they're prompted: To access your service, app or website, you may need to sign in to Microsoft Edge using `username@domain.com` or register your device with `organization` if you are already signed in. +When users attempt to sign in to a site that is protected by an app protection policy for the first time, they're prompted: To access your service, app or website, you may need to sign in to Microsoft Edge using `username@domain.com` or register your device with `organization` if you're already signed in. Clicking on **Switch Edge profile** opens a window listing their Work or school account along with an option to **Sign in to sync data**. Clicking on **Switch Edge profile** opens a window listing their Work or school This process opens a window offering to allow Windows to remember your account and automatically sign you in to your apps and websites. > [!CAUTION]-> You must *CLEAR THE CHECKBOX* **Allow my organization to manage my device**. Leaving this checked enrolls your device in mobile device maangment (MDM) not mobile application management (MAM). +> You must *CLEAR THE CHECKBOX* **Allow my organization to manage my device**. Leaving this checked enrolls your device in mobile device maangment (MDM) not mobile application management (MAM). +> +> Don't select **No, sign in to this app only**. ![Screenshot showing the stay signed in to all your apps window. Uncheck the allow my organization to manage my device checkbox.](./media/how-to-app-protection-policy-windows/stay-signed-in-to-all-your-apps.png) -After selecting **OK** you may see a progress window while policy is applied. After a few moments you should see a window saying "you're all set", app protection policies are applied. +After selecting **OK**, you may see a progress window while policy is applied. 
After a few moments, you should see a window saying "you're all set", app protection policies are applied. ## Troubleshooting To resolve these possible scenarios: ### Existing account -If there's a pre-existing, unregistered account, like `user@contoso.com` in Microsoft Edge, or if a user signs in without registering using the Heads Up Page, then the account isn't properly enrolled in MAM. This configuration blocks the user from being properly enrolled in MAM. This is a known issue that is currently being worked on. +If there's a pre-existing, unregistered account, like `user@contoso.com` in Microsoft Edge, or if a user signs in without registering using the Heads Up Page, then the account isn't properly enrolled in MAM. This configuration blocks the user from being properly enrolled in MAM. This is a known issue. ## Next steps |
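Review bot: the rewritten CAUTION line "+> You must *CLEAR THE CHECKBOX* **Allow my organization to manage my device**. Leaving this checked enrolls your device in mobile device maangment (MDM) not mobile application management (MAM)." carries the typo "maangment" over from the removed line; since the line is being edited anyway, it should read "mobile device management (MDM), not mobile application management (MAM)". Two smaller points in the surrounding context of the same hunk: "1. Select **Create** to create to enable your policy." has a duplicated verb and should be "Select **Create** to enable your policy.", and the new "+> Don't select **No, sign in to this app only**." would be clearer if it stated why (that choosing it skips device registration, so the app protection policy is not applied), which the surrounding text already implies.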
active-directory | How To Policy Mfa Admin Portals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-policy-mfa-admin-portals.md | Microsoft recommends securing access to any Microsoft admin portals like Microso ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | How To Policy Phish Resistant Admin Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/how-to-policy-phish-resistant-admin-mfa.md | Organizations can choose to include or exclude roles as they see fit. ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-apis.md | description: Using the Azure AD Conditional Access APIs and PowerShell to manage + Last updated 09/10/2020 |
active-directory | Howto Conditional Access Insights Reporting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md | If you haven't integrated Azure AD logs with Azure Monitor logs, you need to tak To access the insights and reporting workbook: -1. Sign in to the **Azure portal**. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Insights and reporting**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Insights and reporting**. ### Get started: Select parameters You can also investigate the sign-ins of a specific user by searching for sign-i To configure a Conditional Access policy in report-only mode: -1. Sign into the **Azure portal** as a Conditional Access Administrator, security administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select an existing policy or create a new policy. 1. Under **Enable policy** set the toggle to **Report-only** mode. 1. Select **Save** To configure a Conditional Access policy in report-only mode: ### Why are queries failing due to a permissions error? -In order to access the workbook, you need the proper Azure AD permissions and Log Analytics workspace permissions. To test whether you have the proper workspace permissions by running a sample log analytics query: +In order to access the workbook, you need the proper permissions in Azure AD and Log Analytics. 
To test whether you have the proper workspace permissions by running a sample log analytics query: -1. Sign in to the **Azure portal**. -1. Browse to **Azure Active Directory** > **Log Analytics**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Log Analytics**. 1. Type `SigninLogs` into the query box and select **Run**. 1. If the query doesn't return any results, your workspace may not have been configured correctly. |
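Review bot: the added sentence "To test whether you have the proper workspace permissions by running a sample log analytics query:" is a fragment with no main clause (the "-" line had the same problem, so the rewrite missed it). Suggest "To test whether you have the proper workspace permissions, run a sample Log Analytics query:" so it introduces the numbered steps that follow. The preceding added sentence, "+In order to access the workbook, you need the proper permissions in Azure AD and Log Analytics.", would also read more naturally as "To access the workbook, you need the proper permissions in both Azure AD and the Log Analytics workspace."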
active-directory | Howto Conditional Access Policy Admin Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md | Organizations can choose to include or exclude roles as they see fit. The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multifactor authentication. Some organizations may be ready to move to stronger authentication methods for their administrators. These organizations may choose to implement a policy like the one described in the article [Require phishing-resistant multifactor authentication for administrators](how-to-policy-phish-resistant-admin-mfa.md). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy All Users Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md | Organizations that use [Subscription Activation](/windows/deployment/windows-10- The following steps help create a Conditional Access policy to require all users do multifactor authentication. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Authentication Strength External | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-authentication-strength-external.md | The authentication methods that external users can use to satisfy MFA requiremen Determine if one of the built-in authentication strengths will work for your scenario or if you'll need to create a custom authentication strength. -1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator. -1. Browse to **Azure Active Directory** > **Security** > **Authentication methods** > **Authentication strengths**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Authentication methods** > **Authentication strengths**. 1. Review the built-in authentication strengths to see if one of them meets your requirements. 1. If you want to enforce a different set of authentication methods, [create a custom authentication strength](https://aka.ms/b2b-auth-strengths). Determine if one of the built-in authentication strengths will work for your sce Use the following steps to create a Conditional Access policy that applies an authentication strength to external users. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. 
Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Azure Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md | The following steps will help create a Conditional Access policy to require user > [!CAUTION] > Make sure you understand how Conditional Access works before setting up a policy to manage access to Microsoft Azure Management. Make sure you don't create conditions that could block your own access to the portal. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Block Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-access.md | -> Misconfiguration of a block policy can lead to organizations being locked out of the Azure portal. +> Misconfiguration of a block policy can lead to organizations being locked out. Policies like these can have unintended side effects. Proper testing and validation are vital before enabling. Administrators should utilize tools such as [Conditional Access report-only mode](concept-conditional-access-report-only.md) and [the What If tool in Conditional Access](what-if-tool.md) when making changes. The following steps will help create Conditional Access policies to block access The first policy blocks access to all apps except for Microsoft 365 applications if not on a trusted location. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
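Review bot: the reworded caution "Misconfiguration of a block policy can lead to organizations being locked out." drops the object of the sentence; the old text at least said "of the Azure portal". What the reader is locked out of is the point: a block policy scoped to all cloud apps can lock administrators out of the Microsoft Entra admin center as well. Suggest naming the affected portals and, next to report-only mode and the What If tool, the one control that undoes a lockout, namely excluding emergency access accounts from the policy.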
active-directory | Howto Conditional Access Policy Block Legacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md | Organizations can choose to deploy this policy using the steps outlined below or The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put in to [Report-only mode](howto-conditional-access-insights-reporting.md) to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch to **On** or stage the deployment by adding specific groups and excluding others. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
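Review bot: the unchanged context line "This policy is put in to [Report-only mode]" should read "put into"; since this paragraph is being touched anyway, fix it in the same change.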
active-directory | Howto Conditional Access Policy Compliant Device Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device-admin.md | Organizations can choose to include or exclude roles as they see fit. The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Compliant Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md | Requiring a hybrid Azure AD joined device is dependent on your devices already b The following steps will help create a Conditional Access policy to require multifactor authentication, devices accessing resources be marked as compliant with your organization's Intune compliance policies, or be hybrid Azure AD joined. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Location | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-location.md | With the location condition in Conditional Access, you can control access to you ## Define locations -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Named locations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Named locations**. 1. Choose the type of location to create. 1. **Countries location** or **IP ranges location**. 1. Give your location a name. More information about the location condition in Conditional Access can be found ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-registration.md | Organizations can choose to deploy this policy using the steps outlined below or The following policy applies to the selected users, who attempt to register using the combined registration experience. The policy requires users to be in a trusted network location, do multifactor authentication or use Temporary Access Pass credentials. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration with TAP**. 1. Under **Assignments**, select **Users or workload identities**. Organizations may choose to require other grant controls with or in place of **R For [guest users](../external-identities/what-is-b2b.md) who need to register for multifactor authentication in your directory you may choose to block registration from outside of [trusted network locations](concept-conditional-access-conditions.md#locations) using the following guide. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. In Name, Enter a Name for this policy. For example, **Combined Security Info Registration on Trusted Networks**. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Risk User | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk-user.md | Organizations can choose to deploy this policy using the steps outlined below or ## Enable with Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Policy Risk | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-policy-risk.md | Organizations can choose to deploy this policy using the steps outlined below or ## Enable with Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Conditional Access Session Lifetime | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md | description: Customize Azure AD authentication session configuration including u + Last updated 07/18/2023 To make sure that your policy works as expected, the recommended best practice i ### Policy 1: Sign-in frequency control -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Choose all required conditions for customerΓÇÖs environment, including the target cloud apps. To make sure that your policy works as expected, the recommended best practice i ### Policy 2: Persistent browser session -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. 
We recommend that organizations create a meaningful standard for the names of their policies. 1. Choose all required conditions. To make sure that your policy works as expected, the recommended best practice i 1. Select **Persistent browser session**. > [!NOTE]- > Persistent Browser Session configuration in Azure AD Conditional Access overrides the ΓÇ£Stay signed in?ΓÇ¥ setting in the company branding pane in the Azure portal for the same user if you have configured both policies. + > Persistent Browser Session configuration in Azure AD Conditional Access overrides the ΓÇ£Stay signed in?ΓÇ¥ setting in the company branding pane for the same user if you have configured both policies. 1. Select a value from dropdown. 1. Save your policy. ### Policy 3: Sign-in frequency control every time risky user -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
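Review bot: the rewritten `+` NOTE line ("Stay signed in?") and the context line "Choose all required conditions for customerΓÇÖs environment" carry mojibake (ΓÇ£, ΓÇ¥ and ΓÇÖ where curly quotes and an apostrophe should be), so the edit reintroduces the broken sequence instead of fixing it. Whether the corruption lives in the file or only in this rendering, replacing the typographic quotes with plain ASCII quotes ("Stay signed in?", customer's) makes the note render the same everywhere; the rest of the hunk is fine.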
active-directory | Howto Continuous Access Evaluation Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot.md | Administrators can monitor and troubleshoot sign in events where [continuous acc Administrators can monitor user sign-ins where continuous access evaluation (CAE) is applied. This information is found in the Azure AD sign-in logs: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Sign-in logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Apply the **Is CAE Token** filter. [ ![Screenshot showing how to add a filter to the Sign-ins log to see where CAE is being applied or not.](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png) ](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png#lightbox) The continuous access evaluation insights workbook allows administrators to view Log Analytics integration must be completed before workbooks are displayed. For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Workbooks**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Workbooks**. 1. Under **Public Templates**, search for **Continuous access evaluation insights**. The **Continuous access evaluation insights** workbook contains the following table: Admins can view records filtered by time range and application. Admins can compa To unblock users, administrators can add specific IP addresses to a trusted named location. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations. > [!NOTE] > Before adding an IP address as a trusted named location, confirm that the IP address does in fact belong to the intended organization. |
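Review bot: the first hunk replaces "Conditional Access Administrator, Security Administrator, or Global Administrator" with "at least a Conditional Access Administrator" for a procedure whose only actions are reading the sign-in logs and opening a workbook. "At least" implies this is the least-privileged role that can read sign-in logs; confirm against the linked permissions reference that the role actually grants sign-in log read access, and if it does not, name the reporting role that does. The workbook section additionally depends on Log Analytics access, which is Azure RBAC on the workspace rather than any directory role, so that prerequisite deserves its own sentence.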
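Review bot: in the last hunk, the unblock procedure adds IP addresses to a trusted named location, and the NOTE only asks to confirm that the IP belongs to the organization. Marking a location trusted has effects beyond CAE: every Conditional Access policy that excludes all trusted locations stops applying to sign-ins from that IP, and Identity Protection lowers sign-in risk for trusted IPs. Suggest adding that the range should be the narrowest one that unblocks the affected users and that the trusted list needs periodic review.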
active-directory | Howto Policy App Enforced Restriction | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-app-enforced-restriction.md | Block or limit access to SharePoint, OneDrive, and Exchange content from unmanag ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Approved App Or App Protection | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-approved-app-or-app-protection.md | The following steps will help create a Conditional Access policy requiring an ap Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates). -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. After administrators confirm the settings using [report-only mode](howto-conditi This policy will block all Exchange ActiveSync clients using basic authentication from connecting to Exchange Online. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. 
Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Guest Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-guest-mfa.md | Require guest users perform multifactor authentication when accessing your organ ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Persistent Browser Session | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-persistent-browser-session.md | Protect user access on unmanaged devices by preventing browser sessions from rem ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Howto Policy Unknown Unsupported Device | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/howto-policy-unknown-unsupported-device.md | -Users will be blocked from accessing company resources when the device type is unknown or unsupported. +Users are blocked from accessing company resources when the device type is unknown or unsupported. ++The [device platform condition](concept-conditional-access-conditions.md#device-platforms) is based on user agent strings. Conditional Access policies using it should be used with another policy, like one requiring device compliance or app protection policies. ## User exclusions [!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)] Users will be blocked from accessing company resources when the device type is u ## Create a Conditional Access policy -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. Users will be blocked from accessing company resources when the device type is u 1. Set **Configure** to **Yes**. 1. Under **Include**, select **Any device** 1. 
Under **Exclude**, select **Android**, **iOS**, **Windows**, and **macOS**.+ > [!NOTE] + > For the exclusion select any platforms that your organization knowingly uses, and leave the others unselected. 1. Select, **Done**. 1. Under **Access controls** > **Grant**, select **Block access**, then select **Select**. 1. Confirm your settings and set **Enable policy** to **Report-only**. 1. Select **Create** to create to enable your policy. After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.+ ## Next steps [Conditional Access templates](concept-conditional-access-policy-common.md) |
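Review bot: the new sentence "The device platform condition is based on user agent strings... should be used with another policy" gives the recommendation without the reason, and the reason is what justifies the policy design: the user agent is supplied by the client and can be set to anything, so a block keyed on platform is bypassed by a client that claims to be Windows or iOS, while a device-compliance or app-protection requirement actually verifies the device. Suggest one clause saying so, e.g. "because the user agent is client-supplied and can be spoofed, the platform condition is not a security boundary on its own."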
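Review bot: the new NOTE under the Exclude step is useful but could state the consequence explicitly: with Include set to Any device and Grant set to Block access, any platform left unselected in Exclude is blocked, so the exclusion list is effectively the allow-list. Two lines later, the unchanged context "Select **Create** to create to enable your policy." has a doubled phrase; fix it to "Select **Create** to create your policy" in the same change.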
active-directory | Location Condition | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/location-condition.md | The location found using the public IP address a client provides to Azure Active ## Named locations -Locations exist in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. +Locations exist under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations are defined by IPv4 and IPv6 address ranges or by countries/regions. > [!VIDEO https://www.youtube.com/embed/P80SffTIThY] To define a named location by IPv4/IPv6 address ranges, you need to provide: - One or more IP ranges. - Optionally **Mark as trusted location**. -![New IP locations in the Azure portal](./media/location-condition/new-trusted-location.png) +![New IP locations](./media/location-condition/new-trusted-location.png) Named locations defined by IPv4/IPv6 address ranges are subject to the following limitations: To define a named location by country/region, you need to provide: - Add one or more countries/regions. - Optionally choose to **Include unknown countries/regions**. -![Country as a location in the Azure portal](./media/location-condition/new-named-location-country-region.png) +![Country as a location](./media/location-condition/new-named-location-country-region.png) If you select **Determine location by IP address**, the system collects the IP address of the device the user is signing into. 
When a user signs in, Azure AD resolves the user's IPv4 or [IPv6](/troubleshoot/azure/active-directory/azure-ad-ipv6-support) address (starting April 3, 2023) to a country or region, and the mapping updates periodically. Organizations can use named locations defined by countries/regions to block traffic from countries/regions where they don't do business. Some IP addresses don't map to a specific country or region. To capture these IP ## Define locations 1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator.-1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. +1. Browse to **Protection** > **Conditional Access** > **Named locations**. 1. Choose **New location**. 1. Give your location a name. 1. Choose **IP ranges** if you know the specific externally accessible IPv4 address ranges that make up that location or **Countries/Regions**. |
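Review bot: the navigation paths in this article no longer agree with each other. The "Named locations" paragraph is changed to "Locations exist under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**", while the "Define locations" steps in the same file are changed to "**Protection** > **Conditional Access** > **Named locations**", and the unchanged step before them still says "Sign in to the **Azure portal**". Use the **Protection** path and the Microsoft Entra admin center sign-in step in both places, as the other articles in this change set do.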
active-directory | Migrate Approved Client App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/migrate-approved-client-app.md | The following steps make an existing Conditional Access policy require an approv Organizations can choose to update their policies using the following steps. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select a policy that uses the approved client app grant. 1. Under **Access controls** > **Grant**, select **Grant access**. 1. Select **Require approved client app** and **Require app protection policy** The following steps help create a Conditional Access policy requiring an approve Organizations can choose to deploy this policy using the following steps. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. |
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/overview.md | Title: What is Conditional Access in Azure Active Directory? -description: Learn how Conditional Access is at the heart of the new identity-driven control plane. +description: Conditional Access is the Zero Trust policy engine at the heart of the new identity-driven control plane. Previously updated : 06/20/2023 Last updated : 08/24/2023 -Microsoft is providing Conditional Access templates to organizations in report-only mode starting in January of 2023. We may add more policies as new threats emerge. - The modern security perimeter extends beyond an organization's network perimeter to include user and device identity. Organizations now use identity-driven signals as part of their access control decisions. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4MwZs] +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4MwZs] Azure AD Conditional Access brings signals together, to make decisions, and enforce organizational policies. Conditional Access is Microsoft's [Zero Trust policy engine](/security/zero-trust/deploy/identity) taking signals from various sources into account when enforcing policy decisions. :::image type="content" source="media/overview/conditional-access-signal-decision-enforcement.png" alt-text="Diagram showing concept of Conditional Access signals plus decision to enforce organizational policy."::: -Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multifactor authentication to access it. +Conditional Access policies at their simplest are if-then statements; **if** a user wants to access a resource, **then** they must complete an action. 
For example: If a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access. Administrators are faced with two primary goals: These signals include: - Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies. - Use filters for devices to target policies to specific devices like privileged access workstations. - Application- - Users attempting to access specific applications can trigger different Conditional Access policies. + - Users attempting to access specific applications can trigger different Conditional Access policies. - Real-time and calculated risk detection- - Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify and remediate risky users and sign-in behavior. + - Signals integration with [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify and remediate risky users and sign-in behavior. - [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps) - Enables user application access and sessions to be monitored and controlled in real time. This integration increases visibility and control over access to and activities done within your cloud environment. 
Many organizations have [common access concerns that Conditional Access policies - Requiring multifactor authentication for users with administrative roles - Requiring multifactor authentication for Azure management tasks - Blocking sign-ins for users attempting to use legacy authentication protocols-- Requiring trusted locations for Azure AD Multifactor Authentication registration+- Requiring trusted locations for security information registration - Blocking or granting access from specific locations - Blocking risky sign-in behaviors - Requiring organization-managed devices for specific applications Administrators can create policies from scratch or start from a template policy ## Administrator experience -Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies in Azure AD. +Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies. -Conditional Access is found in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access**. +Conditional Access is found in the [Microsoft Entra admin center](https://entra.microsoft.com) under **Protection** > **Conditional Access**. - The **Overview** page provides a summary of policy state, users, devices, and applications as well as general and security alerts with suggestions. - The **Coverage** page provides a synopsis of applications with and without Conditional Access policy coverage over the last seven days. Conditional Access is found in the Azure portal under **Azure Active Directory** Customers with [Microsoft 365 Business Premium licenses](/office365/servicedescriptions/office-365-service-descriptions-technet-library) also have access to Conditional Access features. 
-Risk-based policies require access to [Identity Protection](../identity-protection/overview-identity-protection.md), which is an Azure AD P2 feature. +Risk-based policies require access to [Identity Protection](../identity-protection/overview-identity-protection.md), which requires P2 licenses. Other products and features that may interact with Conditional Access policies require appropriate licensing for those products and features. |
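Review bot: "which requires P2 licenses" drops the product name that the removed line carried ("an Azure AD P2 feature"), leaving "P2" unqualified; name the product (the Microsoft Entra ID P2 license, which is the renamed Azure AD Premium P2) so the licensing requirement for risk-based policies stays unambiguous.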
active-directory | Plan Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/plan-conditional-access.md | Taking into account our learnings in the use of Conditional Access and supportin **Ensure that every app has at least one Conditional Access policy applied**. From a security perspective it's better to create a policy that encompasses **All cloud apps**, and then exclude applications that you don't want the policy to apply to. This practice ensures you don't need to update Conditional Access policies every time you onboard a new application. > [!TIP]-> Be very careful in using block and all apps in a single policy. This could lock admins out of the Azure portal, and exclusions cannot be configured for important endpoints such as Microsoft Graph. +> Be very careful in using block and all apps in a single policy. This could lock admins out, and exclusions cannot be configured for important endpoints such as Microsoft Graph. ### Minimize the number of Conditional Access policies |
active-directory | Policy Migration Mfa | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/policy-migration-mfa.md | -This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies in the Azure portal](policy-migration.md) before you start migrating your classic policies. +This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies](policy-migration.md) before you start migrating your classic policies. ![Classic policy details requiring MFA for Salesforce app](./media/policy-migration/33.png) The migration process consists of the following steps: ## Open a classic policy -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Navigate to **Azure Active Directory** > **Security** > **Conditional Access**. +1. Browse to **Protection** > **Conditional Access**. 1. Select, **Classic policies**. The migration process consists of the following steps: 1. In the list of classic policies, select the policy you wish to migrate. Document the configuration settings so that you can re-create with a new Conditional Access policy. -For examples of common policies and their configuration in the Azure portal, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md). +For examples of common policies and their configuration, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md). ## Disable the classic policy |
active-directory | Require Tou | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/require-tou.md | In this quickstart, you'll configure a Conditional Access policy in Azure Active To complete the scenario in this quickstart, you need: - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).-- Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. You can sign up for a trial in the Azure portal.+- Azure AD Premium P1 or P2 - Azure AD Conditional Access is an Azure AD Premium capability. - A test account to sign-in with - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users.md#add-a-new-user). ## Sign-in without terms of use - The goal of this step is to get an impression of the sign-in experience without a Conditional Access policy. -1. Sign in to the [Azure portal](https://portal.azure.com) as your test user. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as your test user. 1. Sign out. ## Create your terms of use This section provides you with the steps to create a sample ToU. When you create 1. In Microsoft Word, create a new document. 1. Type **My terms of use**, and then save the document on your computer as **mytou.pdf**.-1. Sign in to the [Azure portal](https://portal.azure.com) as a Conditional Access Administrator, Security Administrator, or a Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 
- :::image type="content" source="media/require-tou/terms-of-use-azure-ad-conditional-access.png" alt-text="Screenshot of terms of use shown in the Azure portal highlighting the new terms button." lightbox="media/require-tou/terms-of-use-azure-ad-conditional-access.png"::: + :::image type="content" source="media/require-tou/terms-of-use-azure-ad-conditional-access.png" alt-text="Screenshot of terms of use highlighting the new terms button." lightbox="media/require-tou/terms-of-use-azure-ad-conditional-access.png"::: 1. In the menu on the top, select **New terms**. - :::image type="content" source="media/require-tou/new-terms-of-use-creation.png" alt-text="Screenshot that shows creating a new terms of use policy in the Azure portal." lightbox="media/require-tou/new-terms-of-use-creation.png"::: + :::image type="content" source="media/require-tou/new-terms-of-use-creation.png" alt-text="Screenshot that shows creating a new terms of use policy." lightbox="media/require-tou/new-terms-of-use-creation.png"::: 1. In the **Name** textbox, type **My TOU**. 1. Upload your terms of use PDF file. |
active-directory | Resilience Defaults | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/resilience-defaults.md | You can configure Conditional Access resilience defaults from the Azure portal, ### Azure portal -1. Navigate to the **Azure portal** > **Security** > **Conditional Access** +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Create a new policy or select an existing policy 1. Open the Session control settings 1. Select Disable resilience defaults to disable the setting for this policy. Sign-ins in scope of the policy will be blocked during an Azure AD outage |
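Review bot: the steps now sign in to the Microsoft Entra admin center and browse to **Protection** > **Conditional Access**, but the unchanged intro sentence ("You can configure Conditional Access resilience defaults from the Azure portal, ...") and the "### Azure portal" heading still point to the Azure portal; rename the heading and intro to match the new steps so the section does not describe one console and then navigate another.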
active-directory | Terms Of Use | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/terms-of-use.md | Azure AD terms of use policies use the PDF format to present content. The PDF fi Once you've completed your terms of use policy document, use the following procedure to add it. -1. Sign in to the **Azure portal** as a Conditional Access Administrator or Security Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select, **New terms**. ![New term of use pane to specify your terms of use settings](./media/terms-of-use/new-tou.png) -1. In the **Name** box, enter a name for the terms of use policy used in the Azure portal. +1. In the **Name** box, enter a name for the terms of use policy. 1. For **Terms of use document**, browse to your finalized terms of use policy PDF and select it. 1. Select the language for your terms of use policy document. The language option allows you to upload multiple terms of use policies, each with a different language. The version of the terms of use policy that an end user sees is based on their browser preferences. 1. In the **Display name** box, enter a title that users see when they sign in. Once you've completed your terms of use policy document, use the following proce The Terms of use blade shows a count of the users who have accepted and declined. These counts and who accepted/declined are stored for the life of the terms of use policy. -1. Sign in to Azure and navigate to **Terms of use** at [https://aka.ms/catou](https://aka.ms/catou). +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. ![Terms of use blade listing the number of user show have accepted and declined](./media/terms-of-use/view-tou.png) If you want to view more activity, Azure AD terms of use policies include audit To get started with Azure AD audit logs, use the following procedure: -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select a terms of use policy. 1. Select **View audit logs**. 1. On the Azure AD audit logs screen, you can filter the information using the provided lists to target specific audit log information. Users can review and see the terms of use policies that they've accepted by usin You can edit some details of terms of use policies, but you can't modify an existing document. The following procedure describes how to edit the details. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. 
Select the terms of use policy you want to edit. 1. Select **Edit terms**. 1. In the Edit terms of use pane, you can change the following options: You can edit some details of terms of use policies, but you can't modify an exis ## Update the version or pdf of an existing terms of use -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to edit. 1. Select **Edit terms**. 1. For the language that you would like to update a new version, select **Update** under the action column You can edit some details of terms of use policies, but you can't modify an exis ## View previous versions of a ToU -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy for which you want to view a version history. 1. Select **Languages and version history** 1. Select **See previous versions.** You can edit some details of terms of use policies, but you can't modify an exis ## See who has accepted each version -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. 
Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. To see who has currently accepted the ToU, select the number under the **Accepted** column for the ToU you want. 1. By default, the next page will show you the current state of each user's acceptance to the ToU 1. If you would like to see the previous consent events, you can select **All** from the **Current State** drop-down. Now you can see each user's events in details about each version and what happened. You can edit some details of terms of use policies, but you can't modify an exis The following procedure describes how to add a ToU language. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to edit. 1. Select **Edit Terms** 1. Select **Add language** at the bottom of the page. If a user is using browser that isn't supported, they're asked to use a differen You can delete old terms of use policies using the following procedure. -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Terms of use**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access** > **Terms of use**. 1. Select the terms of use policy you want to remove. 1. Select **Delete terms**. 1. In the message that appears asking if you want to continue, select **Yes**. |
active-directory | Troubleshoot Conditional Access | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-conditional-access.md | Organizations should avoid the following configurations: **For all users, all cloud apps:** - **Block access** - This configuration blocks your entire organization.-- **Require device to be marked as compliant** - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back into the Azure portal to change the policy.+- **Require device to be marked as compliant** - For users that haven't enrolled their devices yet, this policy blocks all access including access to the Intune portal. If you're an administrator without an enrolled device, this policy blocks you from getting back in to change the policy. - **Require Hybrid Azure AD domain joined device** - This policy block access has also the potential to block access for all users in your organization if they don't have a hybrid Azure AD joined device. - **Require app protection policy** - This policy block access has also the potential to block access for all users in your organization if you don't have an Intune policy. If you're an administrator without a client application that has an Intune app protection policy, this policy blocks you from getting back into portals such as Intune and Azure. More information can be found about the problem by clicking **More Details** in To find out which Conditional Access policy or policies applied and why do the following. -1. Sign in to the **Azure portal** as a Global Administrator, Security Administrator, or Global Reader. -1. Browse to **Azure Active Directory** > **Sign-ins**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**. 1. Find the event for the sign-in to review. Add or remove filters and columns to filter out unnecessary information. 1. Add filters to narrow the scope: 1. **Correlation ID** when you have a specific event to investigate. To determine the service dependency, check the sign-ins log for the application :::image type="content" source="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png" alt-text="Screenshot that shows an example sign-in log showing an Application calling a Resource. This scenario is also known as a service dependency." lightbox="media/troubleshoot-conditional-access/service-dependency-example-sign-in.png"::: -## What to do if you're locked out of the Azure portal? +## What to do if you're locked out? -If you're locked out of the Azure portal due to an incorrect setting in a Conditional Access policy: +If you're locked out of the due to an incorrect setting in a Conditional Access policy: -- Check is there are other administrators in your organization that aren't blocked yet. An administrator with access to the Azure portal can disable the policy that is impacting your sign-in. +- Check is there are other administrators in your organization that aren't blocked yet. An administrator with access can disable the policy that is impacting your sign-in. - If none of the administrators in your organization can update the policy, submit a support request. Microsoft support can review and upon confirmation update the Conditional Access policies that are preventing access. 
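Review bot: the rewritten lockout sentence is broken: "If you're locked out of the due to an incorrect setting in a Conditional Access policy:" keeps "of the" from the deleted line and should read "If you're locked out due to an incorrect setting in a Conditional Access policy:". The bullet below it carries "Check is there are other administrators" into the new line; correct it to "Check if there are". In the "find out which policy applied" hunk, the sign-in step replaces "Global Administrator, Security Administrator, or Global Reader" with "at least a Conditional Access Administrator" for a read-only task (reviewing sign-in logs); that removes the read-only role the old line listed and names a write-capable role instead, so confirm that role can read the sign-in logs and prefer naming the least-privileged reader role.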
## Next steps - [Use the What If tool to troubleshoot Conditional Access policies](what-if-tool.md)-- [Sign-in activity reports in the Azure portal](../reports-monitoring/concept-sign-ins.md)+- [Sign-in activity reports](../reports-monitoring/concept-sign-ins.md) - [Troubleshooting Conditional Access using the What If tool](troubleshoot-conditional-access-what-if.md) |
active-directory | Troubleshoot Policy Changes Audit Log | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/troubleshoot-policy-changes-audit-log.md | Find these options in the **Azure portal** > **Azure Active Directory**, **Diagn ## Use the audit log -1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. -1. Browse to **Azure Active Directory** > **Audit logs**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Identity** > **Monitoring & health** > **Audit logs**. 1. Select the **Date** range you want to query. 1. From the **Service** filter, select **Conditional Access** and select the **Apply** button. |
active-directory | What If Tool | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/what-if-tool.md | When the evaluation has finished, the tool generates a report of the affected po ## Running the tool -You can find the **What If** tool in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**. +You can find the **What If** tool under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**. Before you can run the What If tool, you must provide the conditions you want to evaluate. Before you can run the What If tool, you must provide the conditions you want to The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions, see the article [Building a Conditional Access policy](concept-conditional-access-policies.md). ## Evaluation |
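Review bot: the path "**Azure Active Directory** > **Security** > **Conditional Access** > **What If**" keeps the old Azure portal navigation while the rest of this change set moves to "**Protection** > **Conditional Access**" in the Microsoft Entra admin center; update it to match, otherwise readers following the admin center will not find the tool under the path given here.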
active-directory | Workload Identity | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/workload-identity.md | -Conditional Access policies have historically applied only to users when they access apps and services like SharePoint online or the Azure portal. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. +Conditional Access policies have historically applied only to users when they access apps and services like SharePoint Online. We're now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability Conditional Access for workload identities. A [workload identity](../workload-identities/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they: Conditional Access for workload identities enables blocking service principals f Create a location based Conditional Access policy that applies to service principals. -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. 
Under **Assignments**, select **Users or workload identities**. Create a risk-based Conditional Access policy that applies to service principals :::image type="content" source="media/workload-identity/conditional-access-workload-identity-risk-policy.png" alt-text="Creating a Conditional Access policy with a workload identity and risk as a condition." lightbox="media/workload-identity/conditional-access-workload-identity-risk-policy.png"::: -1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). -1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator). +1. Browse to **Protection** > **Conditional Access**. 1. Select **Create new policy**. 1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. 1. Under **Assignments**, select **Users or workload identities**. Create a risk-based Conditional Access policy that applies to service principals 1. Set the **Configure** toggle to **Yes**. 1. Select the levels of risk where you want this policy to trigger. 1. Select **Done**.-1. Under **Grant**, **Block access** is the only available option. Access is blocked when a token request is made from outside the allowed range. +1. Under **Grant**, **Block access** is the only available option. Access is blocked when the specified risk levels are seen. 1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**. 1. Select **Create** to complete your policy. 
If you wish to roll back this feature, you can delete or disable any created pol The sign-in logs are used to review how policy is enforced for service principals or the expected affects of policy when using report-only mode. -1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service principal sign-ins**. +1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs** > **Service principal sign-ins**. 1. Select a log entry and choose the **Conditional Access** tab to view evaluation information. Failure reason when Service Principal is blocked by Conditional Access: ΓÇ£Access has been blocked due to Conditional Access policies.ΓÇ¥ To view results of a risk-based policy, refer to the **Report-only** tab of even You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID in Azure AD App registrations canΓÇÖt be used. This identifier is the Object ID of the app registration, not of the service principal. -1. Browse to the **Azure portal** > **Azure Active Directory** > **Enterprise Applications**, find the application you registered. +1. Browse to **Identity** > **Applications** > **Enterprise Applications**, find the application you registered. 1. From the **Overview** tab, copy the **Object ID** of the application. This identifier is the unique to the service principal, used by Conditional Access policy to find the calling app. ### Microsoft Graph |
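Review bot: the unchanged context around the new sign-in-logs and Enterprise Applications steps still carries two small defects worth fixing while this file is open: the quotation marks and apostrophe in "Failure reason when Service Principal is blocked by Conditional Access: ΓÇ£Access has been blocked ...ΓÇ¥" and "canΓÇÖt be used" are non-ASCII characters that render as mojibake here, so replace them with plain ASCII quotes, and "This identifier is the unique to the service principal" should read "This identifier is unique to the service principal".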
active-directory | Api Find An Api How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/api-find-an-api-how-to.md | - Title: Find an API for a custom-developed app -description: How to configure the permissions you need to access a particular API in your custom developed Azure AD application -------- Previously updated : 09/27/2021-----# How to find a specific API needed for a custom-developed application --Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. --## Configuring a resource application to expose web APIs --When you expose your web API, the API be displayed in the **Select an API** list when adding permissions to an app registration. To add access scopes, follow the steps outlined in [Configure an application to expose web APIs](quickstart-configure-app-expose-web-apis.md). --## Configuring a client application to access web APIs --When you add permissions to your app registration, you can **add API access** to exposed web APIs. To access web APIs, follow the steps outlined in [Configure a client application to access web APIs](quickstart-configure-app-access-web-apis.md). --## Next steps --- [Understanding the Azure Active Directory application manifest](./reference-app-manifest.md) |
active-directory | App Objects And Service Principals | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/app-objects-and-service-principals.md | This article describes application registration, application objects, and servic ## Application registration -To delegate identity and access management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app in the Azure portal, you choose whether it's a [single tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), or [multi-tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), and can optionally set a [redirect URI](reply-url.md). For step-by-step instructions on registering an app, see the [app registration quickstart](quickstart-register-app.md). +To delegate identity and access management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD. When you register an app, you choose whether it's a [single tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), or [multi-tenant](single-and-multi-tenant-apps.md#who-can-sign-in-to-your-app), and can optionally set a [redirect URI](reply-url.md). For step-by-step instructions on registering an app, see the [app registration quickstart](quickstart-register-app.md). -When you've completed the app registration, you have a globally unique instance of the app (the application object) that lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). 
In the portal, you can then add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more. +When you've completed the app registration, you have a globally unique instance of the app (the application object) that lives within your home tenant or directory. You also have a globally unique ID for your app (the app/client ID). You can add secrets or certificates and scopes to make your app work, customize the branding of your app in the sign-in dialog, and more. -If you register an application in the portal, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step. +If you register an application, an application object and a service principal object are automatically created in your home tenant. If you register/create an application using the Microsoft Graph APIs, creating the service principal object is a separate step. ## Application object The application object describes three aspects of an application: - The resources that the application might need to access - The actions that the application can take -You can use the **App registrations** page in the [Azure portal] to list and manage the application objects in your home tenant. +You can use the **App registrations** page in the [Microsoft Entra admin center](https://entra.microsoft.com) to list and manage the application objects in your home tenant. ![App registrations blade](./media/app-objects-and-service-principals/app-registrations-blade.png) There are three types of service principal: - **Application** - This type of service principal is the local representation, or application instance, of a global application object in a single tenant or directory. 
In this case, a service principal is a concrete instance created from the application object and inherits certain properties from that application object. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access. - When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. When you register an application using the Azure portal, a service principal is created automatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools. + When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. When you register an application, a service principal is created automatically. You can also create service principal objects in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, and other tools. - **Managed identity** - This type of service principal is used to represent a [managed identity](../managed-identities-azure-resources/overview.md). Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but can't be updated or modified directly. There are three types of service principal: The Microsoft Graph [ServicePrincipal entity][ms-graph-sp-entity] defines the schema for a service principal object's properties. 
-You can use the **Enterprise applications** page in the Azure portal to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more. +You can use the **Enterprise applications** page in the Microsoft Entra admin center to list and manage the service principals in a tenant. You can see the service principal's permissions, user consented permissions, which users have done that consent, sign in information, and more. ![Enterprise apps blade](./media/app-objects-and-service-principals/enterprise-apps-blade.png) You can find the service principals associated with an application object. # [Browser](#tab/browser) -In the [Azure portal](https://portal.azure.com), navigate to the application registration overview. Select **Managed application in local directory**. +In the Microsoft Entra admin center, navigate to the application registration overview. Select **Managed application in local directory**. :::image type="content" alt-text="Screen shot that shows the Managed application in local directory option in the overview." source="./media/app-objects-and-service-principals/find-service-principal.png" border="false"::: In this example scenario: Learn how to create a service principal: -- [Using the Azure portal](howto-create-service-principal-portal.md)+- [Using the Microsoft Entra admin center](howto-create-service-principal-portal.md) - [Using Azure PowerShell](howto-authenticate-service-principal-powershell.md) - [Using Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli) - [Using Microsoft Graph](/graph/api/serviceprincipal-post-serviceprincipals) and then use [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to query both the application and service principal objects. 
Learn how to create a service principal: [ms-graph-app-entity]: /graph/api/resources/application [ms-graph-sp-entity]: /graph/api/resources/serviceprincipal-[Azure portal]: https://portal.azure.com |
active-directory | Apple Sso Plugin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/apple-sso-plugin.md | The Microsoft Enterprise SSO plug-in relies on Apple's [enterprise SSO](https:// For the SSO plug-in to function properly, Apple devices should be allowed to reach to both identity provider URLs and its own URLs without additional interception. This means that those URLs need to be excluded from network proxies, interception and other enterprise systems. Here is the minimum set of URLs that need to be allowed for the SSO plug-in to function:+ - `*.cdn-apple.com` - `*.networking.apple` - `login.microsoftonline.com` Here is the minimum set of URLs that need to be allowed for the SSO plug-in to f - `login.microsoftonline.us` - `login-us.microsoftonline.com` -Additional Apple's URLs that may need to be allowed are documented here: https://support.apple.com/en-us/HT210060 +> [!WARNING] +> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access. ++If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error` or `1000 com.apple.AuthenticationServices.AuthorizationError`. ++Other Apple URLs that may need to be allowed are documented in their support article, [Use Apple products on enterprise networks](https://support.apple.com/HT210060). #### Use Intune for simplified configuration |
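Review bot: two grammar problems in the added warning and the sentence after it. "ensure that traffic to these URLs are excluded from TLS break-and-inspect" should be "is excluded", and the list that follows is not parallel: "may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access" reads better as "may interfere with client certificate authentication, device registration, and device-based Conditional Access". Also add a comma in "If your organization blocks these URLs, users may see errors like ...".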
active-directory | Application Consent Experience | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/application-consent-experience.md | The following diagram and table provide information about the building blocks of | 5 | Publisher name and verification | The blue "verified" badge means that the app publisher has verified their identity using a Microsoft Partner Network account and has completed the verification process. If the app is publisher verified, the publisher name is displayed. If the app isn't publisher verified, "Unverified" is displayed instead of a publisher name. For more information, read about [Publisher Verification](publisher-verification-overview.md). Selecting the publisher name displays more app info as available, such as the publisher name, publisher domain, date created, certification details, and reply URLs. | | 6 | Microsoft 365 Certification | The Microsoft 365 Certification logo means that an app has been vetted against controls derived from leading industry standard frameworks, and that strong security and compliance practices are in place to protect customer data. For more information, read about [Microsoft 365 Certification](/microsoft-365-app-certification/docs/enterprise-app-certification-guide).| | 7 | Publisher information | Displays whether the application is published by Microsoft. |-| 8 | Permissions | This list contains the permissions being requested by the client application. Users should always evaluate the types of permissions being requested to understand what data the client application will be authorized to access on their behalf if they accept. As an application developer it's best to request access, to the permissions with the least privilege. | +| 8 | Permissions | This list contains the permissions being requested by the client application. 
Users should always evaluate the types of permissions being requested to understand what data the client application will be authorized to access on their behalf if they accept. As an application developer, it's best to request access to the permissions with the least privilege. | | 9 | Permission description | This value is provided by the service exposing the permissions. To see the permission descriptions, you must toggle the chevron next to the permission. | | 10 | https://myapps.microsoft.com | This is the link where users can review and remove any non-Microsoft applications that currently have access to their data. | | 11 | Report it here | This link is used to report a suspicious app if you don't trust the app, if you believe the app is impersonating another app, if you believe the app will misuse your data, or for some other reason. | |
active-directory | Authentication Flows App Scenarios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-flows-app-scenarios.md | Title: Microsoft identity platform authentication flows & app scenarios + Title: Microsoft identity platform app types and authentication flows description: Learn about application scenarios for the Microsoft identity platform, including authenticating identities, acquiring tokens, and calling protected APIs. Previously updated : 05/05/2022 Last updated : 08/11/2023 -#Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform. +# Customer intent: As an app developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform. -# Authentication flows and application scenarios +# Microsoft identity platform app types and authentication flows The Microsoft identity platform supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols [OAuth 2.0 and OpenID Connect](./v2-protocols.md). By using the [authentication libraries for the Microsoft identity platform](reference-v2-libraries.md), applications authenticate identities and acquire tokens to access protected APIs. This article describes authentication flows and the application scenarios that t ## Application categories -Tokens can be acquired from several types of applications, including: +[Security tokens](./security-tokens.md) can be acquired from several types of applications, including: - Web apps - Mobile apps The following sections describe the categories of applications. 
Authentication scenarios involve two activities: -- **Acquiring security tokens for a protected web API**: We recommend that you use the [Microsoft Authentication Library (MSAL)](reference-v2-libraries.md), developed and supported by Microsoft.+- **Acquiring security tokens for a protected web API**: We recommend that you use the [Microsoft Authentication Library (MSAL)](msal-overview.md), developed and supported by Microsoft. - **Protecting a web API or a web app**: One challenge of protecting these resources is validating the security token. On some platforms, Microsoft offers [middleware libraries](reference-v2-libraries.md). ### With users or without users The available authentication flows differ depending on the sign-in audience. Som For more information, see [Supported account types](v2-supported-account-types.md#account-type-support-in-authentication-flows). -## Application scenarios +## Application types The Microsoft identity platform supports authentication for these app architectures: For a desktop app to call a web API that signs in users, use the interactive tok There's another possibility for Windows-hosted applications on computers joined either to a Windows domain or by Azure Active Directory (Azure AD). These applications can silently acquire a token by using [integrated Windows authentication](https://aka.ms/msal-net-iwa). -Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires that you use the [device code flow](https://aka.ms/msal-net-device-code-flow). +Applications running on a device without a browser can still call an API on behalf of a user. To authenticate, the user must sign in on another device that has a web browser. This scenario requires that you use the [device code flow](v2-oauth2-device-code.md). 
![Device code flow](media/scenarios/device-code-flow-app.svg) Similar to a desktop app, a mobile app calls the interactive token-acquisition m MSAL iOS and MSAL Android use the system web browser by default. However, you can direct them to use the embedded web view instead. There are specificities that depend on the mobile platform: Universal Windows Platform (UWP), iOS, or Android. -Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see [Leveraging brokers on Android and iOS](https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS). +Some scenarios, like those that involve Conditional Access related to a device ID or a device enrollment, require a broker to be installed on the device. Examples of brokers are Microsoft Company Portal on Android and Microsoft Authenticator on Android and iOS. MSAL can now interact with brokers. For more information about brokers, see [Leveraging brokers on Android and iOS](msal-net-use-brokers-with-xamarin-apps.md). For more information, see [Mobile app that calls web APIs](scenario-mobile-overview.md). |
active-directory | Authentication National Cloud | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-national-cloud.md | Including the global Azure cloud, Azure Active Directory (Azure AD) is deplo - Microsoft Azure operated by 21Vianet - Azure Germany ([Closed on October 29, 2021](https://www.microsoft.com/cloud-platform/germany-cloud-regions)). Learn more about [Azure Germany migration](#azure-germany-microsoft-cloud-deutschland). -The individual national clouds and the global Azure cloud are cloud _instances_. Each cloud instance is separate from the others and has its own environment and _endpoints_. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment, like the Azure portal. +The individual national clouds and the global Azure cloud are cloud _instances_. Each cloud instance is separate from the others and has its own environment and _endpoints_. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment. As you develop your apps, use the endpoints for the cloud instance where you'll deploy the application. The following table lists the base URLs for the Azure AD endpoints used to regis ## Application endpoints -You can find the authentication endpoints for your application in the Azure portal. +You can find the authentication endpoints for your application. -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. Select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **App registrations**. +1. Select **Endpoints** in the top menu. - The **Endpoints** page is displayed showing the authentication endpoints for the application registered in your Azure AD tenant. + The **Endpoints** page is displayed showing the authentication endpoints for the application. Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application. |
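Review bot: the new step 1 uses the wrong article: "as at least an [Cloud Application Administrator]" should be "as at least a [Cloud Application Administrator]". Separately, dropping "in the Azure portal" leaves the lead sentence "You can find the authentication endpoints for your application." without a location; consider "You can find the authentication endpoints for your application in the Microsoft Entra admin center." so it matches the steps that follow.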
active-directory | Authentication Protocols | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/authentication-protocols.md | - Title: Microsoft identity platform authentication protocols -description: An overview of the authentication protocols supported by the Microsoft identity platform -------- Previously updated : 09/27/2021-------# Microsoft identity platform authentication protocols --The Microsoft identity platform supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Microsoft identity platform. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section. --## Authentication protocols articles and reference --* [Important Information About Signing Key Rollover in Microsoft identity platform](./signing-key-rollover.md) ΓÇô Learn about Microsoft identity platformΓÇÖs signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios. -* [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that the Microsoft identity platform issues. -* [OAuth 2.0 in Microsoft identity platform](v2-oauth2-auth-code-flow.md) - Learn about the implementation of OAuth 2.0 in Microsoft identity platform. -* [OpenID Connect 1.0](v2-protocols-oidc.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication. -* [Service to Service Calls with Client Credentials](v2-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls. -* [Service to Service Calls with On-Behalf-Of Flow](v2-oauth2-on-behalf-of-flow.md) - Learn how to use OAuth 2.0 On-Behalf-Of flow for service to service calls. 
-* [SAML Protocol Reference](./saml-protocol-reference.md) - Learn about the Single Sign-On and Single Sign-out SAML profiles of Microsoft identity platform. --## See also --* [Microsoft identity platform overview](v2-overview.md) -* [Active Directory Code Samples](sample-v2-code.md) |
active-directory | Configure App Multi Instancing | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/configure-app-multi-instancing.md | The IDP initiated SSO feature exposes the following settings for each applicatio ### Configure IDP initiated SSO +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Open any SSO enabled enterprise app and navigate to the SAML single sign-on blade. 1. Select **Edit** on the **User Attributes & Claims** panel. 1. Select **Edit** to open the advanced options blade. |
active-directory | Consent Framework Links | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/consent-framework-links.md | - Title: How application consent works -description: Learn more about how the Azure AD consent framework works to see how you can use it when developing applications on Azure AD --------- Previously updated : 09/27/2021-----# How application consent works --This article is to help you learn more about how the Azure AD consent framework works so you can develop applications more effectively. --## Recommended documents --- Get a general understanding of [how consent allows a resource owner to govern an application's access to resources](./developer-glossary.md#consent).-- Get a step-by-step overview of [how the Azure AD consent framework implements consent](./quickstart-register-app.md).-- For more depth, learn [how a multi-tenant application can use the consent framework](./howto-convert-app-to-be-multi-tenant.md) to implement "user" and "admin" consent, supporting more advanced multi-tier application patterns.-- For more depth, learn [how consent is supported at the OAuth 2.0 protocol layer during the authorization code grant flow.](v2-oauth2-auth-code-flow.md#request-an-authorization-code)--## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Custom Extension Configure Saml App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-extension-configure-saml-app.md | Title: Source claims from an external store (SAML app) description: Use a custom claims provider to augment tokens with claims from an external identity system. Configure a SAML app to receive tokens with external claims. -+ The following steps are for registering a demo [XRayClaims](https://adfshelp.mic Add a new, non-gallery SAML application in your tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). -1. Go to **Azure Active Directory** and then **Enterprise applications**. Select **New application** and then **Create your own application**. +1. Browse to **Identity** > **Applications** > **Enterprise applications**. ++1. Select **New application** and then **Create your own application**. 1. Add a name for the app. For example, **AzureADClaimsXRay**. Select the **Integrate any other application you don't find in the gallery (Non-gallery)** option and select **Create**. |
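Review bot: same article slip as in the other pages in this batch: "as at least an [Cloud Application Administrator]" should be "as at least a [Cloud Application Administrator]".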
active-directory | Custom Extension Get Started | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-extension-get-started.md | Title: Get started with custom claims providers (preview) description: Learn how to develop and register an Azure Active Directory custom authentication extensions REST API. The custom authentication extension allows you to source claims from a data store that is external to Azure Active Directory. -+ Previously updated : 05/23/2023 Last updated : 08/16/2023 -This article describes how to configure and setup a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token. +This article describes how to configure and set up a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token. This how-to guide demonstrates the token issuance start event with a REST API running in Azure Functions and a sample OpenID Connect application. Before you start, take a look at following video, which demonstrates how to configure Azure AD custom claims provider with Function App: The following screenshot demonstrates how to configure the Azure HTTP trigger fu In this step, you configure a custom authentication extension, which will be used by Azure AD to call your Azure function. The custom authentication extension contains information about your REST API endpoint, the claims that it parses from your REST API, and how to authenticate to your REST API. Follow these steps to register a custom authentication extension: -# [Azure portal](#tab/azure-portal) +# [Microsoft Entra admin center](#tab/entra-admin-center) -1. 
Sign in to the [Azure portal](https://portal.azure.com). -1. Under **Azure services**, select **Azure Active Directory**. -1. Ensure your user account has the Global Administrator or Application Administrator and Authentication Extensibility Administrator role. Otherwise, learn how to [assign a role](../roles/manage-roles-portal.md). -1. From the menu, select **Enterprise applications**. -1. Under **Manage**, select the **Custom authentication extensions**. -1. Select **Create a custom authentication extension**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-developer) and [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. +1. Select **Custom authentication extensions**, and then select **Create a custom authentication extension**. 1. In **Basics**, select the **tokenIssuanceStart** event and select **Next**. 1. In **Endpoint Configuration**, fill in the following properties: In this step, you configure a custom authentication extension, which will be use # [Microsoft Graph](#tab/microsoft-graph) -Create an Application Registration to authenticate your custom authentication extension to your Azure Function. +Register an application to authenticate your custom authentication extension to your Azure Function. -1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/applications` -1. Select **Request Body** and paste the following JSON: +1. Sign in to [Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. 
The account must have the privileges to create and manage an application registration in the tenant. +2. Run the following request. - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/applications + Content-type: application/json + {- "displayName": "authenticationeventsAPI" + "displayName": "authenticationeventsAPI" } ``` -1. Select **Run Query** to submit the request. --1. Copy the **Application ID** value (*appId*) from the response. You need this value later, which is referred to as the `{authenticationeventsAPI_AppId}`. Also get the object ID of the app (*ID*), which is referred to as `{authenticationeventsAPI_ObjectId}` from the response. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/csharp/v1/tutorial-application-basics-create-app-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/go/v1/tutorial-application-basics-create-app-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/javascript/v1/tutorial-application-basics-create-app-javascript-snippets.md)] + + # [PHP](#tab/php) + Snippet not available. + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/powershell/v1/tutorial-application-basics-create-app-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/includes/snippets/python/v1/tutorial-application-basics-create-app-python-snippets.md)] + + -Create a service principal in the tenant for the authenticationeventsAPI app registration: +3. From the response, record the value of **id** and **appId** of the newly created app registration. These values will be referenced in this article as `{authenticationeventsAPI_ObjectId}` and `{authenticationeventsAPI_AppId}` respectively. -1. 
Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals` -1. Select **Request Body** and paste the following JSON: +Create a service principal in the tenant for the authenticationeventsAPI app registration. - ```json - { - "appId": "{authenticationeventsAPI_AppId}" - } - ``` +Still in Graph Explorer, run the following request. Replace `{authenticationeventsAPI_AppId}` with the value of **appId** that you recorded from the previous step. -1. Select **Run Query** to submit the request. +```http +POST https://graph.microsoft.com/v1.0/servicePrincipals +Content-type: application/json + +{ + "appId": "{authenticationeventsAPI_AppId}" +} +``` ### Set the App ID URI, access token version, and required resource access Update the newly created application to set the application ID URI value, the access token version, and the required resource access. -1. Set the HTTP method to **PATCH**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}` -1. Select **Request Body** and paste the following JSON: +In Graph Explorer, run the following request. + - Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier. + - Set the `{authenticationeventsAPI_AppId}` value with the **appId** that you recorded earlier. + - An example value is `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as you'll use it later in this article in place of `{functionApp_IdentifierUri}`. - Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier. - - Set the `{authenticationeventsAPI_AppId}` value with the App ID generated from the app registration created in the previous step. 
- - An example value would be `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as it is used in following steps and is referenced as `{functionApp_IdentifierUri}`. - - ```json +```http +POST https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId} +Content-type: application/json ++{ +"identifierUris": [ + "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}" +], +"api": { + "requestedAccessTokenVersion": 2, + "acceptMappedClaims": null, + "knownClientApplications": [], + "oauth2PermissionScopes": [], + "preAuthorizedApplications": [] +}, +"requiredResourceAccess": [ {- "identifierUris": [ - "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}" - ], - "api": { - "requestedAccessTokenVersion": 2, - "acceptMappedClaims": null, - "knownClientApplications": [], - "oauth2PermissionScopes": [], - "preAuthorizedApplications": [] - }, - "requiredResourceAccess": [ + "resourceAppId": "00000003-0000-0000-c000-000000000000", + "resourceAccess": [ {- "resourceAppId": "00000003-0000-0000-c000-000000000000", - "resourceAccess": [ - { - "id": "214e810f-fda8-4fd7-a475-29461495eb00", - "type": "Role" - } - ] + "id": "214e810f-fda8-4fd7-a475-29461495eb00", + "type": "Role" } ] }- ``` --1. Select **Run Query** to submit the request. +] +} +``` ### Register a custom authentication extension -Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the App Registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`. +Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the app registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/beta/identity/customAuthenticationExtensions` -1. 
Select **Request Body** and paste the following JSON: +1. In Graph Explorer, run the following request. Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step. + - You'll need the *CustomAuthenticationExtension.ReadWrite.All* delegated permission. - Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step. + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/beta/identity/customAuthenticationExtensions + Content-type: application/json - ```json { "@odata.type": "#microsoft.graph.onTokenIssuanceStartCustomExtension", "displayName": "onTokenIssuanceStartCustomExtension", Next, you register the custom authentication extension. You register the custom ] } ```+ # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] -1. Select **Run Query** to submit the request. + -Record the ID value of the created custom claims provider object. The ID is needed in a later step and is referred to as the `{customExtensionObjectId}`. +1. Record the **id** value of the created custom claims provider object. You'll use the value later in this tutorial in place of `{customExtensionObjectId}`. 
### 2.2 Grant admin consent -After your custom authentication extension is created, you'll be taken to the **Overview** tab of the new custom authentication extension. +After your custom authentication extension is created, open the **Overview** tab of the new custom authentication extension. From the **Overview** page, select the **Grant permission** button to give admin consent to the registered app, which allows the custom authentication extension to authenticate to your API. The custom authentication extension uses `client_credentials` to authenticate to the Azure Function App using the `Receive custom authentication extension HTTP requests` permission. Follow these steps to register the **jwt.ms** web application: ### 3.1 Register a test web application -1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Active Directory**. -1. Select **App registrations**, and then select **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application. For example, **My Test application**. 1. Under **Supported account types**, select **Accounts in this organizational directory only**. 1. In the **Select a platform** dropdown in **Redirect URI**, select **Web** and then enter `https://jwt.ms` in the URL text box. The following screenshot shows how to register the *My Test application*. ### 3.1 Get the application ID -In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps. +In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps. 
In Microsoft Graph, it's referenced by the **appId** propety. :::image type="content" border="false"source="media/custom-extension-get-started/get-the-test-application-id.png" alt-text="Screenshot that shows how to copy the application ID."::: For tokens to be issued with claims incoming from the custom authentication exte Follow these steps to connect the *My Test application* with your custom authentication extension: -# [Azure portal](#tab/azure-portal) +# [Microsoft Entra admin center](#tab/entra-admin-center) First assign the custom authentication extension as a custom claims provider source: -1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Active Directory**. -1. Select **App registrations**, and find the *My Test application* registration you created. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations**. 1. In the **Overview** page, under **Managed application in local directory**, select **My Test application**. 1. Under **Manage**, select **Single sign-on**. 1. Under **Attributes & Claims**, select **Edit**. Next, assign the attributes from the custom claims provider, which should be iss # [Microsoft Graph](#tab/microsoft-graph) -First create an event listener to trigger a custom authentication extension using the token issuance start event: --1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/beta/identity/authenticationEventListeners` -1. 
Select **Request Body** and paste the following JSON: +First create an event listener to trigger a custom authentication extension for the *My Test application* using the token issuance start event. - Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier. +1. Sign in to [Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in. +1. Run the following request. Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier. + - You'll need the *EventListener.ReadWrite.All* delegated permission. - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/beta/identity/authenticationEventListeners + Content-type: application/json + { "@odata.type": "#microsoft.graph.onTokenIssuanceStartListener", "conditions": { First create an event listener to trigger a custom authentication extension usin } ``` -1. Select **Run Query** to submit the request. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/bet)] + + +++Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider. 
-Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider: +1. Still in Graph Explorer, run the following request. You'll need the *Policy.ReadWrite.ApplicationConfiguration* delegated permission. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/policies/claimsmappingpolicies` -1. Select **Request Body** and paste the following JSON: - ```json + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies + Content-type: application/json + { "definition": [ "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\":[{\"Source\":\"CustomClaimsProvider\",\"ID\":\"DateOfBirth\",\"JwtClaimType\":\"dob\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"CustomRoles\",\"JwtClaimType\":\"my_roles\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"CorrelationId\",\"JwtClaimType\":\"correlationId\"},{\"Source\":\"CustomClaimsProvider\",\"ID\":\"ApiVersion\",\"JwtClaimType\":\"apiVersion \"},{\"Value\":\"tokenaug_V2\",\"JwtClaimType\":\"policy_version\"}]}}" Next, create the claims mapping policy, which describes which claims can be issu "isOrganizationDefault": false } ```+ # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/csharp/create-claimsmappingpolicy-from-claimsmappingpolicies-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/go/create-claimsmappingpolicy-from-claimsmappingpolicies-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/javascript/create-claimsmappingpolicy-from-claimsmappingpolicies-javascript-snippets.md)] + + # [PHP](#tab/php) + [!INCLUDE 
[sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/php/create-claimsmappingpolicy-from-claimsmappingpolicies-php-snippets.md)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/powershell/create-claimsmappingpolicy-from-claimsmappingpolicies-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/python/create-claimsmappingpolicy-from-claimsmappingpolicies-python-snippets.md)] + + -1. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`. -1. Select **Run Query** to submit the request. +2. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`. ++Get the service principal object ID: ++1. Run the following request in Graph Explorer. Replace `{App_to_enrich_ID}` with the **appId** of *My Test Application*. ++ ```http + GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}') + ``` -Get the `servicePrincipal` objectId: +Record the value of **id**. -1. Set the HTTP method to **GET**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}')/claimsMappingPolicies/$ref`. Replace `{App_to_enrich_ID}` with *My Test Application* App ID. -1. Record the `id` value, later it's referred to as `{test_App_Service_Principal_ObjectId}`. +Assign the claims mapping policy to the service principal of *My Test Application*. -Assign the claims mapping policy to the `servicePrincipal` of *My Test Application*: +1. Run the following request in Graph Explorer. You'll need the *Policy.ReadWrite.ApplicationConfiguration* and *Application.ReadWrite.All* delegated permission. -1. Set the HTTP method to **POST**. -1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref` -1. 
Select **Request Body** and paste the following JSON: + # [HTTP](#tab/http) + ```http + POST https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref + Content-type: application/json - ```json { "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{claims_mapping_policy_ID}" } ``` -1. Select **Run Query** to submit the request. + # [C#](#tab/csharp) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/csharp/create-claimsmappingpolicy-from-serviceprincipal-csharp-snippets.md)] + + # [Go](#tab/go) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/go/create-claimsmappingpolicy-from-serviceprincipal-go-snippets.md)] + + # [Java](#tab/java) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/jav)] + + # [JavaScript](#tab/javascript) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/javascript/create-claimsmappingpolicy-from-serviceprincipal-javascript-snippets.md)] + + # [PHP](#tab/php) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/php/create-claimsmappingpolicy-from-serviceprincipal-php-snippets.md)] + + # [PowerShell](#tab/powershell) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/powershell/create-claimsmappingpolicy-from-serviceprincipal-powershell-snippets.md)] + + # [Python](#tab/python) + [!INCLUDE [sample-code](~/microsoft-graph/api-reference/v1.0/includes/snippets/python/create-claimsmappingpolicy-from-serviceprincipal-python-snippets.md)] + + If you configured the [Microsoft identity provider](#step-5-protect-your-azure-f 1. Under the **App registration**, enter the application ID (client ID) of the *Azure Functions authentication events API* app registration [you created previously](#step-2-register-a-custom-authentication-extension). -1. 
Go to your Azure AD tenant in which your custom authentication extension is registered, and select **Azure Active Directory** > **App registrations**. +1. In the Microsoft Entra admin center: 1. Select the *Azure Functions authentication events API* app registration [you created previously](#step-2-register-a-custom-authentication-extension). 1. Select **Certificates & secrets** > **Client secrets** > **New client secret**. 1. Add a description for your client secret. |
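Review bot: The role links in the new Entra admin center sign-in step are inconsistent with their targets. The link text "Application Administrator" points at `../roles/permissions-reference.md#application-developer`, which is a different (lower-privileged) role; the same mismatch recurs in the "3.1 Register a test web application" step. The removed line also required the "Authentication Extensibility Administrator" role, while the added line says "Authentication Administrator"; confirm which role is actually needed to create a custom authentication extension and make the anchor match the link text.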
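Review bot: The "Set the App ID URI, access token version, and required resource access" hunk changes the HTTP method from PATCH to POST. The removed step reads "Set the HTTP method to **PATCH**" and the heading says the request updates the existing application; the added request line `POST https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}` targets a single application object, which is updated with PATCH in Microsoft Graph. Suggest `PATCH https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}`.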
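Review bot: Several of the added `[!INCLUDE [sample-code](...)]` paths are truncated and will not resolve: `~/microsoft-graph/includes/snippets/jav)]` in the application-creation tab set, and every tab in the "Register a custom authentication extension" and event-listener tab sets uses `~/microsoft-graph/api-reference/bet)]`. The later claims-mapping-policy tab sets show the intended full form (for example `.../includes/snippets/csharp/create-claimsmappingpolicy-from-claimsmappingpolicies-csharp-snippets.md`); the truncated includes need the full snippet paths or should be replaced with "Snippet not available." as was done for PHP in the first tab set. The Java include in the claims-mapping-policy tab sets (`.../snippets/jav)]`) has the same problem.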
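Review bot: In the Step 4 Entra admin center tab, the removed step "find the *My Test application* registration you created" was not carried over, so the reader goes from "Browse to **Identity** > **Applications** > **Application registrations**" straight to "In the **Overview** page, under **Managed application in local directory**" without having opened the registration. Add a step to select *My Test application* first. Separately, this hunk and the "3.1 Register a test web application" hunk call the blade "Application registrations", while the other articles in this change (deploy-web-app-authentication-pipeline.md) use "App registrations"; pick one name, matching the admin center UI.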
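Review bot: The "Get the service principal object ID" hunk removes the line that defined the `{test_App_Service_Principal_ObjectId}` placeholder, but the next request still uses it (`POST https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref`). The new "Record the value of **id**." sentence should say that this value is used later as `{test_App_Service_Principal_ObjectId}`. In the same region, "delegated permission" should be plural since two permissions are listed, and "propety" in the "3.1 Get the application ID" hunk is a typo for "property".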
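Review bot: The Step 5 hunk replaces "select **Azure Active Directory** > **App registrations**" with the bare "In the Microsoft Entra admin center:", dropping the navigation to the app registrations list before "Select the *Azure Functions authentication events API* app registration". For consistency with the other rewritten steps, add "Browse to **Identity** > **Applications** > **App registrations**." as the first nested step.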
active-directory | Custom Extension Troubleshoot | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/custom-extension-troubleshoot.md | Title: Troubleshoot a custom claims provider description: Troubleshoot and monitor your custom claims provider API. Learn how to use logging and Azure AD sign-in logs to find errors and issues in your custom claims provider API. -+ Azure AD sign-in logs also integrate with [Azure Monitor](../../azure-monitor/in To access the Azure AD sign-in logs: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the **Enterprise apps** experience for your given application, select on the **Sign-in** logs tab. -1. Select the latest sign-in log. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. +1. Select **Sign-in logs**, and then select the latest sign-in log. 1. For more details, select the **Authentication Events** tab. Information related to the custom authentication extension REST API call is displayed, including any [error codes](#error-codes-reference). :::image type="content" source="media/custom-extension-troubleshoot/authentication-events.png" alt-text="Screenshot that shows the authentication events information." ::: Use the following table to diagnose an error code. Your REST API is protected by Azure AD access token. You can test your API by obtaining an access token with the [application registration](custom-extension-get-started.md#22-grant-admin-consent) associated with the custom authentiction extensions. After you acquire an access token, pass it the HTTP `Authorization` header. To obtain an access token, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure administrator account. -1. 
Select **Azure Active Directory** > **App registrations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations**. 1. Select the *Azure Functions authentication events API* app registration [you created previously](custom-extension-get-started.md#step-2-register-a-custom-authentication-extension). 1. Copy the [application ID](custom-extension-get-started.md#22-grant-admin-consent). 1. If you haven't created an app secret, follow these steps: |
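Review bot: Both added sign-in lines read "as at least an [Cloud Application Administrator]"; the article should be "a". The second hunk also uses "Application registrations" where the pipeline article in this same change uses "App registrations"; align the blade name. While this region is being edited, the unchanged context line "associated with the custom authentiction extensions" has a typo ("authentication") worth fixing in the same commit.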
active-directory | Delegated And App Perms | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/delegated-and-app-perms.md | - Title: Differences between delegated and app permissions -description: Learn about delegated and application permissions, how they are used by clients and exposed by resources for applications you are developing with Azure AD --------- Previously updated : 11/10/2022-----# How to recognize differences between delegated and application permissions --## Recommended documents --- Learn more about how client applications use [delegated and application permission requests](developer-glossary.md#permissions) to access resources.-- Learn about [delegated and application permissions](permissions-consent-overview.md).-- See step-by-step instructions on how to [configure a client application's permission requests](quickstart-configure-app-access-web-apis.md)-- For more depth, learn how resource applications expose [scopes](developer-glossary.md#scopes) and [application roles](developer-glossary.md#roles) to client applications, which manifest as delegated and application permissions respectively in the Azure portal. --## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
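Review bot: This hunk deletes the whole delegated-and-app-perms.md article, whose "Recommended documents" section pointed at developer-glossary.md, permissions-consent-overview.md and quickstart-configure-app-access-web-apis.md, but no redirect entry for the removed URL is visible in this change. Confirm that a redirection to one of those pages (permissions-consent-overview.md is the closest match for the title) is added so existing inbound links do not break.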
active-directory | Deploy Web App Authentication Pipeline | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/deploy-web-app-authentication-pipeline.md | Add a [service connection](/azure/devops/pipelines/library/service-endpoints) so An application is also created in your Azure AD tenant that provides an identity for the pipeline. You need the display name of the app registration in later steps. To find the display name: -1. Sign into the [Entra admin portal](https://entra.microsoft.com/). -1. Select **App registrations** in the left navigation pane, and then the **All applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Applications** > **App registrations** > **All applications**. 1. Find the display name of the app registration, which is of the form `{organization}-{project}-{guid}`. Grant the service connection permission to access the pipeline: Grant the service connection permission to access the pipeline: The `DeployAzureResources` stage that you create in the next section uses several values to create and deploy resources to Azure: -- The Azure AD tenant ID (find in the [Entra admin portal](https://entra.microsoft.com/)).+- The Azure AD tenant ID (find in the [Microsoft Entra admin center](https://entra.microsoft.com/)). - The region, or location, where the resources are deployed. - A resource group name. - The App Service service plan name. Next, add a stage to the pipeline that deploys Azure resources. The pipeline us The inline script runs in the context of the pipeline, assign the [Application.Administrator](/azure/active-directory/roles/permissions-reference#application-administrator) role to the app so the script can create app registrations: -1. Sign into the [Entra admin portal](https://entra.microsoft.com/). -1. 
In the left navigation pane, select **Roles & admins**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. 1. Select **Application Administrator** from the list of built-in roles and then **Add assignment**. 1. Search for the pipeline app registration by display name. 1. Select the app registration from the list and select **Add**. A `DeployWebApp` stage is defined with several tasks: - [DownloadBuildArtifacts@1](/azure/devops/pipelines/tasks/reference/download-build-artifacts-v1) downloads the build artifacts that were published to the pipeline in a previous stage. - [AzureRmWebAppDeployment@4](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4) deploys the web app to App Service. -View the deployed website on App Service. Navigate to your App Service in Azure portal and select the instance's **Default domain**: `https://pipelinetestwebapp.azurewebsites.net`. +View the deployed website on App Service. Navigate to your App Service and select the instance's **Default domain**: `https://pipelinetestwebapp.azurewebsites.net`. :::image type="content" alt-text="Screen shot that shows the default domain URL." source="./media/deploy-web-app-authentication-pipeline/default-domain.png" border="true"::: Save your changes and run the pipeline. ## Verify limited access to the web app -To verify that access to your app is limited to users in your organization, navigate to your App Service in the [Azure portal](https://portal.azure.com) and select the instance's **Default domain**: `https://pipelinetestwebapp.azurewebsites.net`. +To verify that access to your app is limited to users in your organization, navigate to your App Service and select the instance's **Default domain**: `https://pipelinetestwebapp.azurewebsites.net`. You should be directed to a secured sign-in page, verifying that unauthenticated users aren't allowed access to the site. 
Sign in as a user in your organization to gain access to the site. Clean up your Azure resources and Azure DevOps environment so you're not charged ### Delete the resource group -In the Azure portal, select **Resource groups** from the menu and select the resource group that contains your deployed web app. +Select **Resource groups** from the menu and select the resource group that contains your deployed web app. Select **Delete resource group** to delete the resource group and all the resources. Choose this option if you don't need your DevOps project for future reference. T ### Delete app registrations in Azure AD -In the [Entra admin center](https://entra.microsoft.com/), select **Applications** > **App registrations** > **All applications**. +In the [Microsoft Entra admin center](https://entra.microsoft.com/), select **Identity** > **Applications** > **App registrations** > **All applications**. Select the application for the pipeline, the display name has the form `{organization}-{project}-{guid}`, and delete it. |
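Review bot: The hunks that rewrite "Navigate to your App Service in Azure portal", "navigate to your App Service in the [Azure portal]" and "In the Azure portal, select **Resource groups** from the menu" drop the portal reference entirely, leaving "Navigate to your App Service" and "Select **Resource groups** from the menu" with no stated location. App Service instances and resource groups are managed in the Azure portal, not the Microsoft Entra admin center, so the Azure portal link should stay in those three steps; only the app registration and role assignment steps belong to the admin center.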
active-directory | Developer Glossary | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-glossary.md | Title: Glossary of terms in the Microsoft identity platform -description: Definitions of terms commonly found in Microsoft identity platform documentation, Azure portal, and authentication SDKs like the Microsoft Authentication Library (MSAL). +description: Definitions of terms commonly found in Microsoft identity platform documentation, Microsoft Entra admin center, and authentication SDKs like the Microsoft Authentication Library (MSAL). -You see these terms when you use our documentation, the Azure portal, our authentication libraries, and the Microsoft Graph API. Some terms are Microsoft-specific while others are related to protocols like OAuth or other technologies you use with the Microsoft identity platform. +You see these terms when you use our documentation, the Microsoft Entra admin center, our authentication libraries, and the Microsoft Graph API. Some terms are Microsoft-specific while others are related to protocols like OAuth or other technologies you use with the Microsoft identity platform. ## Access token The application ID, or _[client ID](https://datatracker.ietf.org/doc/html/rfc674 ## Application manifest -A feature provided by the [Azure portal], which produces a JSON representation of the application's identity configuration, used as a mechanism for updating its associated [Application][Graph-App-Resource] and [ServicePrincipal][Graph-Sp-Resource] entities. See [Understanding the Azure Active Directory application manifest][AAD-App-Manifest] for more details. +An application manifest is a feature that produces a JSON representation of the application's identity configuration, used as a mechanism for updating its associated [Application][Graph-App-Resource] and [ServicePrincipal][Graph-Sp-Resource] entities. 
See [Understanding the Azure Active Directory application manifest][AAD-App-Manifest] for more details. ## Application object -When you register/update an application in the [Azure portal], the portal creates/updates both an application object and a corresponding [service principal object](#service-principal-object) for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant). +When you register/update an application, both an application object and a corresponding [service principal object](#service-principal-object) are created/updated for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant). For more information, see [Application and Service Principal Objects][AAD-App-SP-Objects]. A [client application](#client-application) gains access to a [resource server]( They also surface during the [consent](#consent) process, giving the administrator or resource owner the opportunity to grant/deny the client access to resources in their tenant. -Permission requests are configured on the **API permissions** page for an application in the [Azure portal], by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Administrator role). Because a [public client](#client-application) can't securely maintain credentials, it can only request delegated permissions, while a [confidential client](#client-application) has the ability to request both delegated and application permissions. 
The client's [application object](#application-object) stores the declared permissions in its [requiredResourceAccess property][Graph-App-Resource]. +Permission requests are configured on the **API permissions** page for an application, by selecting the desired "Delegated Permissions" and "Application Permissions" (the latter requires membership in the Global Administrator role). Because a [public client](#client-application) can't securely maintain credentials, it can only request delegated permissions, while a [confidential client](#client-application) has the ability to request both delegated and application permissions. The client's [application object](#application-object) stores the declared permissions in its [requiredResourceAccess property][Graph-App-Resource]. ## Refresh token Like [scopes](#scopes), app roles provide a way for a [resource server](#resourc App roles can support two assignment types: "user" assignment implements role-based access control for users/groups that require access to the resource, while "application" assignment implements the same for [client applications](#client-application) that require access. An app role can be defined as user-assignable, app-assignabnle, or both. -Roles are resource-defined strings (for example "Expense approver", "Read-only", "Directory.ReadWrite.All"), managed in the [Azure portal] via the resource's [application manifest](#application-manifest), and stored in the resource's [appRoles property][Graph-Sp-Resource]. The Azure portal is also used to assign users to "user" assignable roles, and configure client [application permissions](#permissions) to request "application" assignable roles. +Roles are resource-defined strings (for example "Expense approver", "Read-only", "Directory.ReadWrite.All"), managed via the resource's [application manifest](#application-manifest), and stored in the resource's [appRoles property][Graph-Sp-Resource]. 
Users can be assigned to "user" assignable roles and client [application permissions](#permissions) can be configured to request "application" assignable roles. -For a detailed discussion of the application roles exposed by the Microsoft Graph API, see [Graph API Permission Scopes][Graph-Perm-Scopes]. For a step-by-step implementation example, see [Add or remove Azure role assignments using the Azure portal][AAD-RBAC]. +For a detailed discussion of the application roles exposed by the Microsoft Graph API, see [Graph API Permission Scopes][Graph-Perm-Scopes]. For a step-by-step implementation example, see [Add or remove Azure role assignments][AAD-RBAC]. ## Scopes Like [roles](#roles), scopes provide a way for a [resource server](#resource-server) to govern access to its protected resources. Scopes are used to implement [scope-based][OAuth2-Access-Token-Scopes] access control, for a [client application](#client-application) that has been given delegated access to the resource by its owner. -Scopes are resource-defined strings (for example "Mail.Read", "Directory.ReadWrite.All"), managed in the [Azure portal] via the resource's [application manifest](#application-manifest), and stored in the resource's [oauth2Permissions property][Graph-Sp-Resource]. The Azure portal is also used to configure client application [delegated permissions](#permissions) to access a scope. +Scopes are resource-defined strings (for example "Mail.Read", "Directory.ReadWrite.All"), managed via the resource's [application manifest](#application-manifest), and stored in the resource's [oauth2Permissions property][Graph-Sp-Resource]. Client application [delegated permissions](#permissions) can be configured to access a scope. A best practice naming convention, is to use a "resource.operation.constraint" format. For a detailed discussion of the scopes exposed by Microsoft Graph API, see [Graph API Permission Scopes][Graph-Perm-Scopes]. 
For scopes exposed by Microsoft 365 services, see [Microsoft 365 API permissions reference][O365-Perm-Ref]. A signed document containing claims, such as an OAuth 2.0 token or SAML 2.0 asse ## Service principal object -When you register/update an application in the [Azure portal], the portal creates/updates both an [application object](#application-object) and a corresponding service principal object for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant). +When you register/update an application, both an [application object](#application-object) and a corresponding service principal object are created/updated for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant). For more information, see [Application and Service Principal Objects][AAD-App-SP-Objects]. An instance of an Azure AD directory is referred to as an Azure AD tenant. It pr - authentication of user accounts and registered applications - REST endpoints required to support various protocols including OAuth 2.0 and SAML, including the [authorization endpoint](#authorization-endpoint), [token endpoint](#token-endpoint) and the "common" endpoint used by [multi-tenant applications](#multi-tenant-application). -Azure AD tenants are created/associated with Azure and Microsoft 365 subscriptions during sign-up, providing Identity & Access Management features for the subscription. Azure subscription administrators can also create additional Azure AD tenants via the Azure portal. 
See [How to get an Azure Active Directory tenant][AAD-How-To-Tenant] for details on the various ways you can get access to a tenant. See [Associate or add an Azure subscription to your Azure Active Directory tenant][AAD-How-Subscriptions-Assoc] for details on the relationship between subscriptions and an Azure AD tenant, and for instructions on how to associate or add a subscription to an Azure AD tenant. +Azure AD tenants are created/associated with Azure and Microsoft 365 subscriptions during sign-up, providing Identity & Access Management features for the subscription. Azure subscription administrators can also create additional Azure AD tenants. See [How to get an Azure Active Directory tenant][AAD-How-To-Tenant] for details on the various ways you can get access to a tenant. See [Associate or add an Azure subscription to your Azure Active Directory tenant][AAD-How-Subscriptions-Assoc] for details on the relationship between subscriptions and an Azure AD tenant, and for instructions on how to associate or add a subscription to an Azure AD tenant. ## Token endpoint Many of the terms in this glossary are related to the OAuth 2.0 and OpenID Conne [AAD-Multi-Tenant-Overview]:howto-convert-app-to-be-multi-tenant.md [AAD-Security-Token-Claims]: ./authentication-vs-authorization.md#claims-in-azure-ad-security-tokens [AAD-Tokens-Claims]:access-tokens.md-[Azure portal]: https://portal.azure.com [AAD-RBAC]: ../../role-based-access-control/role-assignments-portal.md [JWT]: https://tools.ietf.org/html/rfc7519 [Microsoft-Graph]: https://developer.microsoft.com/graph |
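Review bot: the unchanged context line in the Roles section still reads "user-assignable, app-assignabnle, or both"; since this PR already rewrites the sentence immediately below it, fix the typo to "app-assignable" in the same change. Also worth confirming that dropping the `[Azure portal]: https://portal.azure.com` reference definition leaves no remaining `[Azure portal]` link text in the file, otherwise the build will emit a broken-reference warning; every occurrence visible in these hunks is removed, so this looks consistent.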
active-directory | Developer Support Help Options | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-support-help-options.md | If you need an answer to a question or help in solving a problem not covered in <img alt='Azure support' src='./media/common/logo_azure.svg'> </div> -Explore the range of [Azure support options and choose the plan](https://azure.microsoft.com/support/plans) that best fits you. There are two options to create and manage support requests in the Azure portal: +Explore the range of [Azure support options and choose the plan](https://azure.microsoft.com/support/plans) that best fits you. There are two options to create and manage support requests in the Microsoft Entra admin center: -- If you already have an Azure Support Plan, [open a support request here](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).+- If you already have an Azure Support Plan, [open a support request here](https://entra.microsoft.com/#view/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical). -- If you're using Azure AD for customers (preview), the support request feature is currently unavailable in customer tenants. However, you can use the **Give Feedback** link on the **New support request** page to provide feedback. Or, you can switch to your Azure AD workforce tenant and [open a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).+- If you're using Azure AD for customers (preview), the support request feature is currently unavailable in customer tenants. However, you can use the **Give Feedback** link on the **New support request** page to provide feedback. Or, you can switch to your Azure AD workforce tenant and [open a support request](https://entra.microsoft.com/#view/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical). 
- If you're not an Azure customer, you can open a support request with [Microsoft Support for business](https://support.serviceshub.microsoft.com/supportforbusiness). |
active-directory | Enterprise App Role Management | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/enterprise-app-role-management.md | You can customize the role claim in the access token that is received after an a Use the following steps to locate the enterprise application: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the left pane, select **Azure Active Directory**. -1. Select **Enterprise applications**, and then select **All applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. 1. Enter the name of the existing application in the search box, and then select the application from the search results. 1. After the application is selected, copy the object ID from the overview pane. - :::image type="content" source="media/enterprise-app-role-management/record-objectid.png" alt-text="Screenshot that shows how to locate and record the object identifier for the application."::: - ## Add roles Use the Microsoft Graph Explorer to add roles to an enterprise application. Use the Microsoft Graph Explorer to add roles to an enterprise application. Update the attributes to define the role claim that is included in the token. -1. Locate the application in the Azure portal, and then select **Single sign-on** in the left menu. +1. Locate the application in the Microsoft Entra admin center, and then select **Single sign-on** in the left menu. 1. In the **Attributes & Claims** section, select **Edit**. 1. Select **Add new claim**. 1. In the **Name** box, type the attribute name. This example uses **Role Name** as the claim name. Update the attributes to define the role claim that is included in the token. 1. 
From the **Source attribute** list, select **user.assignedroles**. 1. Select **Save**. The new **Role Name** attribute should now appear in the **Attributes & Claims** section. The claim should now be included in the access token when signing into the application. - :::image type="content" source="media/enterprise-app-role-management/attributes-summary.png" alt-text="Screenshot that shows a display of the list of attributes and claims defined for the application."::: - ## Assign roles After the service principal is patched with more roles, you can assign users to the respective roles. -1. In the Azure portal, locate the application to which the role was added. +1. Locate the application to which the role was added in the Microsoft Entra admin center. 1. Select **Users and groups** in the left menu and then select the user that you want to assign the new role. 1. Select **Edit assignment** at the top of the pane to change the role. 1. Select **None Selected**, select the role from the list, and then select **Select**. 1. Select **Assign** to assign the role to the user. - :::image type="content" source="media/enterprise-app-role-management/assign-role.png" alt-text="Screenshot that shows how to assign a role to a user of an application."::: - ## Update roles To update an existing role, perform the following steps: |
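Review bot: the rewritten step "Locate the application to which the role was added in the Microsoft Entra admin center." is ambiguous, because "in the Microsoft Entra admin center" now reads as modifying "added" rather than "locate"; suggest "In the Microsoft Entra admin center, locate the application to which the role was added." Separately, this hunk removes the three screenshots (record-objectid, attributes-summary, assign-role) without replacements, so the reader loses the visual cue for which value is the object ID; consider keeping updated admin-center screenshots or at least noting where the object ID appears on the overview pane.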
active-directory | How Applications Are Added | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-applications-are-added.md | |
active-directory | Howto Add App Roles In Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-add-app-roles-in-apps.md | To create an app role by using the Azure portal's user interface: When the app role is set to enabled, any users, applications or groups who are assigned has it included in their tokens. These can be access tokens when your app is the API being called by an app or ID tokens when your app is signing in a user. If set to disabled, it becomes inactive and no longer assignable. Any previous assignees will still have the app role included in their tokens, but it has no effect as it is no longer actively assignable. +## Assign application owner ++If you have not already done so, you'll need to assign yourself as the application owner. ++1. In your app registration, under **Manage**, select **Owners**, and **Add owners**. +1. In the new window, find and select the owner(s) that you want to assign to the application. Selected owners appear in the right panel. Once done, confirm with **Select**. The app owner(s) will now appear in the owner's list. ++>[!NOTE] +> +> Ensure that both the API application and the application you want to add permissions to both have an owner, otherwise the API will not be listed when requesting API permissions. + ## Assign users and groups to roles Once you've added app roles in your application, you can assign users and groups to the roles. Assignment of users and groups to roles can be done through the portal's UI, or programmatically using [Microsoft Graph](/graph/api/user-post-approleassignments). When the users assigned to the various app roles sign in to the application, their tokens will have their assigned roles in the `roles` claim. |
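Review bot: the new NOTE under "Assign application owner" says "Ensure that both the API application and the application you want to add permissions to both have an owner"; drop one of the two "both"s. The opening sentence "If you have not already done so, you'll need to assign yourself as the application owner." could also state the consequence that the NOTE gives (the API is not listed when requesting API permissions), so the reader knows why the step is required before reaching the callout.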
active-directory | Howto Add Terms Of Service Privacy Statement | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-add-terms-of-service-privacy-statement.md | Examples: `https://myapp.com/terms-of-service` and `https://myapp.com/privacy-st When the terms of service and privacy statement are ready, you can add links to these documents in your app using one of these methods: -* [Through the Azure portal](#azure-portal) +* [Through the Microsoft Entra admin center](#entra-admin-center) * [Using the app object JSON](#app-object-json) * [Using the Microsoft Graph API](#msgraph-rest-api) -### <a name="azure-portal"></a>Using the Azure portal +### <a name="entra-admin-center"></a>Using the Microsoft Entra admin center [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -Follow these steps in the Azure portal. +Follow these steps to add links: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a> and select the correct Azure AD tenant(not B2C). -2. Navigate to the **App registrations** section and select your app. -3. Under **Manage**, select **Branding & properties**. -4. Fill out the **Terms of service URL** and **Privacy statement URL** fields. -5. Select **Save**. -- ![App properties contains terms of service and privacy statement URLs](./media/howto-add-terms-of-service-privacy-statement/azure-portal-terms-service-privacy-statement-urls.png) +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **User experiences** > **Company branding**. +1. Select **Getting started**, and then select **Edit** for the **Default sign-in experience**. +1. Select **Footer** and fill out the URL for **Terms of Use** and **Privacy & Cookies**. +1. Select **Review + save**. 
### <a name="app-object-json"></a>Using the app object JSON -If you prefer to modify the app object JSON directly, you can use the manifest editor in the Azure portal or Application Registration Portal to include links to your app's terms of service and privacy statement. +If you prefer to modify the app object JSON directly, you can use the manifest editor to include links to your app's terms of service and privacy statement. 1. Navigate to the **App Registrations** section and select your app. 2. Open the **Manifest** pane. |
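Review bot: the replacement steps under "Using the Microsoft Entra admin center" change what is being configured. The removed steps set the app registration's **Terms of service URL** and **Privacy statement URL** under **Branding & properties**, which are per-application properties, the same ones the following "Using the app object JSON" section sets through the manifest and the Microsoft Graph method sets via the API. The added steps go to **Identity** > **User experiences** > **Company branding** > **Footer**, which sets the tenant-wide sign-in page footer links and does not touch the app object at all. The intro sentence still promises to "add links to these documents in your app", so the three listed methods are no longer equivalent. Suggest keeping the app registration path (Microsoft Entra admin center > **Identity** > **Applications** > **App registrations** > your app > **Branding & properties**) and only updating the portal name and sign-in link, or, if company branding is intentionally the new guidance, say explicitly that it applies to the tenant rather than the app.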
active-directory | Howto Call A Web Api With Curl | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-call-a-web-api-with-curl.md | zone_pivot_groups: web-api-howto-prereq ::: zone pivot="no-api" -This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using cURL. +This article shows you how to call a protected ASP.NET Core web API using Client URL (cURL). cURL is a command line tool that developers use to transfer data to and from a server. In this article, you'll register a web app and a web API in a tenant. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using cURL. ::: zone-end The Microsoft identity platform requires your application to be registered befor Follow these steps to create the web API registration: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. 
Select **New registration**. 1. Enter a **Name** for the application, such as *NewWebAPI1*. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option. 1. Select **Register**. Follow these steps to create the web app registration: ::: zone pivot="no-api" -1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Select **Home** to return to the home page. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone pivot="api" -1. Sign in to the [Azure portal](https://portal.azure.com). -1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a Name for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone-end -When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. +When registration is complete, the app registration is displayed on the **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. #### Add a client secret A client secret is a string value your app can use to identity itself, and is so Follow these steps to configure a client secret: -1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. +1. From the **Overview** pane, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. 1. Add a description for your client secret, for example *My client secret*. 1. Select an expiration for the secret or specify a custom lifetime. By specifying a web API's scopes in the web app registration, the web app can ob Follow these steps to configure the web app permissions to the web API: -1. 
From the **Overview** pane of your web application in the Azure portal (*web-app-that-calls-web-api*), under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. +1. From the **Overview** pane of your web application (*web-app-that-calls-web-api*), under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. 1. Select **NewWebAPI1** or the API that you wish to add permissions to. 1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user. 1. Select **Add permissions** to complete the process. After adding these permissions to your API, you should see the selected permissions under **Configured permissions**. -You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal. +You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app. ::: zone pivot="no-api" You may also notice the **User.Read** permission for the Microsoft Graph API. Th 1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `./appsettings.json` file, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with: - - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal. - - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal. + - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations**. + - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations**. 1. 
Execute the following command to start the app: The authorization code flow begins with the client directing the user to the `/a ``` 1. Copy the URL, replace the following parameters and paste it into your browser: - - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal. - - `{web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web app's (*web-app-calls-web-api*) **Overview** pane in the Azure portal. - - `{web_API_application_client_id}` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal. + - `{tenant_id}` is the web app **Directory (tenant) ID**. + - `{web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web app's (*web-app-calls-web-api*) **Overview** pane. + - `{web_API_application_client_id}` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane. 1. Sign in as a user in the Azure AD tenant in which the apps are registered. Consent to any requests for access, if necessary. 1. Your browser will be redirected to `http://localhost/`. Refer to your browser's navigation bar and copy the `{authorization_code}` to use in the following steps. The URL takes the form of the following snippet: cURL can now be used to request an access token from the Microsoft identity plat -d 'grant_type=authorization_code' \ -d 'client_secret={client_secret}' ``` - - `{tenant_id}` is the web app **Directory (tenant) ID**. This should be the same value across both of the applications's **Overview** pane **App registrations** in the Azure portal. - - `client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web application's (*web-app-calls-web-api*) **Overview** pane in the Azure portal. 
- - `api://{web_API_application_client_id}/Forecast.Read` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane in the Azure portal. + - `{tenant_id}` is the web app **Directory (tenant) ID**. + - `client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID** on the web application's (*web-app-calls-web-api*) **Overview** pane. + - `api://{web_API_application_client_id}/Forecast.Read` is the **Application (client) ID** on the web API's (*NewWebAPI1*) **Overview** pane. - `code={authorization_code}` is the authorization code that was received in [Request an authorization code](#request-an-authorization-code). This enables the cURL tool to request an access token. - `client_secret={client_secret}` is the client secret **Value** recorded in [Add a client secret](#add-a-client-secret). |
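Review bot: the rewritten step "From the **Overview** pane of your web application (*web-app-that-calls-web-api*)" keeps a name that does not match the registration steps earlier in the same file, which use `web-app-calls-web-api`; since the line is being edited anyway, align the name with the registration step. Also, in the token-request bullet list, "`client_id={web-app-calls-web-api_application_client_id}`, and `session_state={web-app-calls-web-api_application_client_id}` is the **Application (client) ID**" reads as if the same value is described twice; the `session_state` parameter appears in the redirect URL shown earlier, not in the token request, so consider moving that mention to the authorization-code step or removing it here.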
active-directory | Howto Call A Web Api With Postman | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-call-a-web-api-with-postman.md | zone_pivot_groups: web-api-howto-prereq ::: zone pivot="no-api" -This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. In this article, you'll register a web app and a web API in a tenant on the Azure portal. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using Postman. +This article shows you how to call a protected ASP.NET Core web API using [Postman](https://www.postman.com/). Postman is an application that lets you send HTTP requests to a web API to test its authorization and access control (authentication) policies. In this article, you'll register a web app and a web API in a tenant. The web app is used to get an access token generated by the Microsoft identity platform. Next, you'll use the token to make an authorized call to the web API using Postman. ::: zone-end The Microsoft identity platform requires your application to be registered befor Follow these steps to create the web API registration: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. 
Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as _NewWebAPI1_. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option. 1. Select **Register**. Follow these steps to create the web app registration: ::: zone pivot="no-api" -1. Select **Home** to return to the home page. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +Select **Home** to return to the home page. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone pivot="api" -1. Sign in to the [Azure portal](https://portal.azure.com). -1. If access to multiple tenants is available, use the Directories + subscriptions filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a Name for the application, such as `web-app-calls-web-api`. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, select **Web**, and then enter `http://localhost` in the URL text box. Follow these steps to create the web app registration: ::: zone-end -When registration is complete, the Azure portal displays the app registration's **Overview** pane. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. +The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in later steps. #### Add a client secret A client secret is a string value your app can use to identity itself, and is so Follow these steps to configure a client secret: -1. From the **Overview** pane in the Azure portal, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. +1. From the **Overview** pane, under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**. 1. Add a description for your client secret, for example _My client secret_. 1. Select an expiration for the secret or specify a custom lifetime. By specifying a web API's scopes, the web app can obtain an access token contain Follow these steps to configure client's permissions to the web API: -1. 
From the **Overview** pane of your application in the Azure portal, under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. +1. From the **Overview** pane of your application, under **Manage**, select **API permissions** > **Add a permission** > **My APIs**. 1. Select **NewWebAPI1** or the API that you wish to add permissions to. 1. Under **Select permissions**, check the box next to **Forecast.Read**. You may need to expand the **Permission** list. This selects the permissions the client app should have on behalf of the signed-in user. 1. Select **Add permissions** to complete the process. After adding these permissions to your API, you should see the selected permissions under **Configured permissions**. -You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app in the Azure portal. +You may also notice the **User.Read** permission for the Microsoft Graph API. This permission is added automatically when you register an app. ::: zone pivot="no-api" You may also notice the **User.Read** permission for the Microsoft Graph API. Th 1. Navigate to `ms-identity-docs-code-dotnet/web-api` folder and open `appsettings.json`, replace the `{APPLICATION_CLIENT_ID}` and `{DIRECTORY_TENANT_ID}` with: - - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane **App registrations** in the Azure portal. - - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane **App registrations** in the Azure portal. + - `{APPLICATION_CLIENT_ID}` is the web API **Application (client) ID** on the app's **Overview** pane. + - `{DIRECTORY_TENANT_ID}` is the web API **Directory (tenant) ID** on the app's **Overview** pane. 1. Execute the following command to start the app: |
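Review bot: the rewritten first step of the `no-api` pivot, `+Select **Home** to return to the home page. Browse to **Identity** > **Applications** > **App registrations**.`, has lost its `1. ` list marker, so it renders as a paragraph and the numbered list restarts at `+1. Select **New registration**.`; restore it as `+1. Select **Home** to return to the home page. Browse to **Identity** > **Applications** > **App registrations**.` so the step count matches the `api` pivot.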
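Review bot: the client-secret hunk leaves the context line `A client secret is a string value your app can use to identity itself` untouched, where `identify` is meant; since the adjacent step is being edited anyway, fix the typo in the same change.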
active-directory | Howto Configure App Instance Property Locks | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-configure-app-instance-property-locks.md | -# How to configure app instance property lock for your applications (Preview) +# How to configure app instance property lock for your applications Application instance lock is a feature in Azure Active Directory (Azure AD) that allows sensitive properties of a multi-tenant application object to be locked for modification after the application is provisioned in another tenant. This feature provides application developers with the ability to lock certain properties if the application doesn't support scenarios that require configuring those properties. The following property usage scenarios are considered as sensitive: - Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Verify`. In this scenario, your application supports an OIDC client credentials flow. - `TokenEncryptionKeyId` which specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key to which this property points. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. +> [!NOTE] +> App instance lock is enabled by default for all new applications created using the Microsoft Entra admin center. + ## Configure an app instance lock [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To configure an app instance lock using the Azure portal: +To configure an app instance lock: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. 
If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration you want to configure. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, and then select the application you want to configure. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select the application you want to configure. 1. Select **Authentication**, and then select **Configure** under the *App instance property lock* section. - :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock in the Azure portal."::: + :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock."::: 2. In the **App instance property lock** pane, enter the settings for the lock. The table following the image describes each setting and their parameters. 
- :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane in the Azure portal."::: + :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane."::: | Field | Description | | - | -- | |
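Review bot: the replacement sign-in steps have two problems: `as at least an [Cloud Application Administrator]` should read `a Cloud Application Administrator`, and the tenant-switch step now says `the tenant in which you want to register the application`, which is boilerplate from the registration procedure; this article configures an existing registration, so keep the wording of the removed line, `the tenant that contains the app registration you want to configure`.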
active-directory | Howto Create Self Signed Certificate | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-create-self-signed-certificate.md | To customize the start and expiry date and other properties of the certificate, Use the certificate you create using this method to authenticate from an application running from your machine. For example, authenticate from Windows PowerShell. -In an elevated PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate. +In a PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate. ```powershell $certname = "{certificateName}" ## Replace {certificateName} |
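Review bot: dropping `elevated` from `In a PowerShell prompt, run the following command` is correct only if the certificate is written to the current user's store (`Cert:\CurrentUser\My`); a `Cert:\LocalMachine` store path still needs an elevated prompt, so the sentence should say which store the command below targets so readers are not left guessing why the command fails without admin rights.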
active-directory | Howto Modify Supported Accounts | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-modify-supported-accounts.md | -In the following sections, you learn how to modify your app's registration in the Azure portal to change who, or what types of accounts, can access the application. +In the following sections, you learn how to modify your app's registration to change who, or what types of accounts, can access the application. ## Prerequisites In the following sections, you learn how to modify your app's registration in th To specify a different setting for the account types supported by an existing app registration: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which the app is registered. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, select your application, and then select **Manifest** to use the manifest editor. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant where the application is registered. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select your application, and then select **Manifest** to use the manifest editor. 1. Download the manifest JSON file locally. 1. Now, specify who can use the application, sometimes referred to as the *sign-in audience*. 
Find the *signInAudience* property in the manifest JSON file and set it to one of the following property values: |
active-directory | Identity Platform Integration Checklist | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/identity-platform-integration-checklist.md | -If youΓÇÖre just getting started, check out the [Microsoft identity platform documentation](index.yml) to learn about authentication basics, application scenarios in the Microsoft identity platform, and more. +If you're just getting started, check out the [Microsoft identity platform documentation](index.yml) to learn about authentication basics, application scenarios in the Microsoft identity platform, and more. Use the following checklist to ensure that your application is effectively integrated with the [Microsoft identity platform](./index.yml). > [!TIP]-> The *Integration assistant* in the Azure portal can help you apply many of these best practices and recommendations. Select any of your [app registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal, and then select the **Integration assistant** menu item to get started with the assistant. +> The *Integration assistant* can help you apply many of these best practices and recommendations. Select any of your app registrations, and then select the **Integration assistant** menu item to get started with the assistant. ## Basics Use the following checklist to ensure that your application is effectively integ ![checkbox](./media/integration-checklist/checkbox-two.svg) Adhere to the [Branding guidelines for applications](/azure/active-directory/develop/howto-add-branding-in-apps). -![checkbox](./medi). Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks. +![checkbox](./medi). Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks. 
## Privacy Use the following checklist to ensure that your application is effectively integ ![checkbox](./medi#suitable-scenarios-for-the-oauth2-implicit-grant). -![checkbox](./medi). +![checkbox](./medi). ![checkbox](./medi) to store and regularly rotate your credentials. Use the following checklist to ensure that your application is effectively integ ![checkbox](./medi). If you must hand-code for the authentication protocols, you should follow the [Microsoft SDL](https://www.microsoft.com/sdl/default.aspx) or similar development methodology. Pay close attention to the security considerations in the standards specifications for each protocol. -![checkbox](./medi) apps. +![checkbox](./medi) apps. -![checkbox](./media/integration-checklist/checkbox-two.svg) For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a ΓÇ£broker redirect URIΓÇ¥ configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible. +![checkbox](./media/integration-checklist/checkbox-two.svg) For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a "broker redirect URI" configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible. ![checkbox](./medi). 
Use the following checklist to ensure that your application is effectively integ ![checkbox](./media/integration-checklist/checkbox-two.svg) Minimize the number of times a user needs to enter login credentials while using your app by attempting silent authentication (silent token acquisition) before interactive flows. -![checkbox](./media/integration-checklist/checkbox-two.svg) Don't use ΓÇ£prompt=consentΓÇ¥ for every sign-in. Only use prompt=consent if youΓÇÖve determined that you need to ask for consent for additional permissions (for example, if youΓÇÖve changed your appΓÇÖs required permissions). +![checkbox](./media/integration-checklist/checkbox-two.svg) Don't use "prompt=consent" for every sign-in. Only use prompt=consent if you've determined that you need to ask for consent for additional permissions (for example, if you've changed your app's required permissions). ![checkbox](./media/integration-checklist/checkbox-two.svg) Where applicable, enrich your application with user data. Using the [Microsoft Graph API](https://developer.microsoft.com/graph) is an easy way to do this. The [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) tool that can help you get started. ![checkbox](./medi#consent) at run time to help users understand why your app is requesting permissions that may concern or confuse users when requested on first start. -![checkbox](./media/integration-checklist/checkbox-two.svg) Implement a [clean single sign-out experience](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut). ItΓÇÖs a privacy and a security requirement, and makes for a good user experience. +![checkbox](./media/integration-checklist/checkbox-two.svg) Implement a [clean single sign-out experience](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut). 
It's a privacy and a security requirement, and makes for a good user experience. ## Testing -![checkbox](./media/integration-checklist/checkbox-two.svg) Test for [Conditional Access policies](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) that may affect your usersΓÇÖ ability to use your application. +![checkbox](./media/integration-checklist/checkbox-two.svg) Test for [Conditional Access policies](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) that may affect your users' ability to use your application. ![checkbox](./media/integration-checklist/checkbox-two.svg) Test your application with all possible accounts that you plan to support (for example, work or school accounts, personal Microsoft accounts, child accounts, and sovereign accounts). |
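Review bot: in the Testing hunk, the `Conditional Access policies` link still targets `1-WebApp-OIDC/1-6-SignOut`, the same sample directory the sign-out item in the previous hunk links to; this change only fixes the apostrophe in `users'`, so take the opportunity to point the link at a Conditional Access resource, since the sign-out sample does not cover that topic.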
active-directory | Identity Videos | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/identity-videos.md | ___ <!-- IMAGES -->-[auth-fund-01-img]: ./media/identity-videos/aad-auth-fund-01.jpg -[auth-fund-02-img]: ./media/identity-videos/aad-auth-fund-02.jpg -[auth-fund-03-img]: ./media/identity-videos/aad-auth-fund-03.jpg -[auth-fund-04-img]: ./media/identity-videos/aad-auth-fund-04.jpg -[auth-fund-05-img]: ./media/identity-videos/aad-auth-fund-05.jpg -[auth-fund-06-img]: ./media/identity-videos/aad-auth-fund-06.jpg +[auth-fund-01-img]: ./media/identity-videos/auth-fund-01.jpg +[auth-fund-02-img]: ./media/identity-videos/auth-fund-02.jpg +[auth-fund-03-img]: ./media/identity-videos/auth-fund-03.jpg +[auth-fund-04-img]: ./media/identity-videos/auth-fund-04.jpg +[auth-fund-05-img]: ./media/identity-videos/auth-fund-05.jpg +[auth-fund-06-img]: ./media/identity-videos/auth-fund-06.jpg <!-- VIDEOS --> [auth-fund-01-vid]: https://www.youtube.com/watch?v=fbSVgC8nGz4&list=PLLasX02E8BPD5vC2XHS_oHaMVmaeHHPLy&index=1 |
active-directory | Jwt Claims Customization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/jwt-claims-customization.md | These JSON Web tokens (JWT) used by OIDC and OAuth applications contain pieces o [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To view or edit the claims issued in the JWT to the application, open the application in Azure portal. Then select **Single sign-on** blade in the left-hand menu and open the **Attributes & Claims** section. +To view or edit the claims issued in the JWT to the application: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. +1. Select the application, select **Single sign-on** in the left-hand menu, and then select **Edit** in the **Attributes & Claims** section. An application may need claims customization for various reasons. For example, when an application requires a different set of claim URIs or claim values. Using the **Attributes & Claims** section, you can add or remove a claim for your application. You can also create a custom claim that is specific for an application based on the use case. The following steps describe how to assign a constant value: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the **Attributes & Claims** section, Select **Edit** to edit the claims. -1. Select the required claim that you want to modify. +1. Select the claim that you want to modify. 1. Enter the constant value without quotes in the **Source attribute** as per your organization, and then select **Save**. - The Attributes overview displays the constant value. - ## Special claims transformations You can use the following special claims transformations functions. 
To apply a transformation to a user attribute: 1. **Treat source as multivalued** indicates whether the transform is applied to all values or just the first. By default, the first element in a multi-value claim is applied the transformations. When you check this box, it ensures it's applied to all. This checkbox is only enabled for multi-valued attributes. For example, `user.proxyaddresses`. 1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. Then, make the string upper case. - :::image type="content" source="./media/jwt-claims-customization/sso-saml-multiple-claims-transformation.png" alt-text="Screenshot of claims transformation."::: - You can use the following functions to transform claims. | Function | Description | You can use the following functions to transform claims. | **ToLowercase()** | Converts the characters of the selected attribute into lowercase characters. | | **ToUppercase()** | Converts the characters of the selected attribute into uppercase characters. | | **Contains()** | Outputs an attribute or constant if the input matches the specified value. Otherwise, you can specify another output if there's no match. <br/>For example, if you want to emit a claim where the value is the user's email address if it contains the domain `@contoso.com`, otherwise you want to output the user principal name. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.email<br/>*Value*: "@contoso.com"<br/>Parameter 2 (output): user.email<br/>Parameter 3 (output if there's no match): user.userprincipalname |-| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. 
Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with "000", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.employeeid<br/>*Value*: "000"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | -| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with "US", otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.country<br/>*Value*: "US"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | +| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with `000`, otherwise you want to output an extension attribute. To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.employeeid<br/>*Value*: "000"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | +| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with `US`, otherwise you want to output an extension attribute. 
To perform this function, you configure the following values:<br/>*Parameter 1(input)*: user.country<br/>*Value*: "US"<br/>Parameter 2 (output): user.employeeid<br/>Parameter 3 (output if there's no match): user.extensionattribute1 | | **Extract() - After matching** | Returns the substring after it matches the specified value.<br/>For example, if the input's value is `Finance_BSimon`, the matching value is `Finance_`, then the claim's output is `BSimon`. | | **Extract() - Before matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is `BSimon_US`, the matching value is `_US`, then the claim's output is `BSimon`. | | **Extract() - Between matching** | Returns the substring until it matches the specified value.<br/>For example, if the input's value is `Finance_BSimon_US`, the first matching value is `Finance_`, the second matching value is `_US`, then the claim's output is `BSimon`. | For example, Britta Simon is a guest user in the Contoso tenant. Britta belongs First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta. - As another example, consider when Britta Simon tries to sign in using the following configuration. Azure AD first evaluates all conditions with source `Attribute`. The source for the claim is `user.mail` when Britta's user type is **AAD guests**. Next, Azure AD evaluates the transformations. Because Britta is a guest, `user.extensionattribute1` is the new source for the claim. 
Because Britta is in **AAD guests**, `user.othermail` is the new source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta. - As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. The claim falls back to `user.extensionattribute1` ignoring the condition entry in both cases. ## Security considerations-Applications that receive tokens rely on claim values that are authoritatively issued by Azure AD and can't be tampered with. When you modify the token contents through claims customization, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified by the creator of the customization to protect themselves from customizations created by malicious actors. This can be done in one the following ways: +Applications that receive tokens rely on claim values that can't be tampered with. When you modify the token contents through claims customization, these assumptions may no longer be correct. Applications must explicitly acknowledge that tokens have been modified to protect themselves from customizations created by malicious actors. Protect from inappropriate customizations in one the following ways: - [Configure a custom signing key](#configure-a-custom-signing-key) - [update the application manifest to accept mapped claims](#update-the-application-manifest). Applications that receive tokens rely on claim values that are authoritatively i Without this, Azure AD returns an [AADSTS50146 error code](./reference-error-codes.md#aadsts-error-codes). ## Configure a custom signing key-For multi-tenant apps, a custom signing key should be used. Don't set `acceptMappedClaims` in the app manifest. when setting up an app in the Azure portal, you get an app registration object and a service principal in your tenant. That app is using the Azure global sign-in key, which can't be used for customizing claims in tokens. 
To get custom claims in tokens, create a custom sign-in key from a certificate and add it to service principal. For testing purposes, you can use a self-signed certificate. After configuring the custom signing key, your application code needs to validate the token signing key. +For multi-tenant apps, a custom signing key should be used. Don't set `acceptMappedClaims` in the app manifest. when setting up an app in the Azure portal, you get an app registration object and a service principal in your tenant. That app is using the Azure global sign-in key, which can't be used for customizing claims in tokens. To get custom claims in tokens, create a custom sign-in key from a certificate and add it to service principal. For testing purposes, you can use a self-signed certificate. After you configure the custom signing key, your application code needs to validate the token signing key. Add the following information to the service principal: Add the following information to the service principal: Extract the private and public key base-64 encoded from the PFX file export of your certificate. Make sure that the `keyId` for the `keyCredential` used for "Sign" matches the `keyId` of the `passwordCredential`. You can generate the `customkeyIdentifier` by getting the hash of the cert's thumbprint. ## Request-The following example shows the format of the HTTP PATCH request to add a custom signing key to a service principal. The "key" value in the `keyCredentials` property is shortened for readability. The value is base-64 encoded. For the private key, the property usage is "Sign". For the public key, the property usage is "Verify". +The following example shows the format of the HTTP PATCH request to add a custom signing key to a service principal. The "key" value in the `keyCredentials` property is shortened for readability. The value is base-64 encoded. For the private key, the property usage is `Sign`. For the public key, the property usage is `Verify`. 
``` PATCH https://graph.microsoft.com/v1.0/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e Authorization: Bearer {token} ``` ## Configure a custom signing key using PowerShell-Use PowerShell to [instantiate an MSAL Public Client Application](msal-net-initializing-client-applications.md#initializing-a-public-client-application-from-code) and use the [Authorization Code Grant](v2-oauth2-auth-code-flow.md) flow to obtain a delegated permission access token for Microsoft Graph. Use the access token to call Microsoft Graph and configure a custom signing key for the service principal. After configuring the custom signing key, your application code needs to [validate the token signing key](#validate-token-signing-key). +Use PowerShell to [instantiate an MSAL Public Client Application](msal-net-initializing-client-applications.md#initializing-a-public-client-application-from-code) and use the [Authorization Code Grant](v2-oauth2-auth-code-flow.md) flow to obtain a delegated permission access token for Microsoft Graph. Use the access token to call Microsoft Graph and configure a custom signing key for the service principal. After you configure the custom signing key, your application code needs to [validate the token signing key](#validate-token-signing-key). -To run this script you need: +To run this script, you need: - The object ID of your application's service principal, found in the Overview blade of your application's entry in Enterprise Applications in the Azure portal. - An app registration to sign in a user and get an access token to call Microsoft Graph. Get the application (client) ID of this app in the Overview blade of the application's entry in App registrations in the Azure portal. 
The app registration should have the following configuration: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration ``` ## Update the application manifest-For single tenant apps, you can set the `acceptMappedClaims` property to `true` in the [application manifest](reference-app-manifest.md). As documented on the [apiApplication resource type](/graph/api/resources/apiapplication?view=graph-rest-1.0&preserve-view=true#properties), this allows an application to use claims mapping without specifying a custom signing key. +For single tenant apps, you can set the `acceptMappedClaims` property to `true` in the [application manifest](reference-app-manifest.md). As documented on the [apiApplication resource type](/graph/api/resources/apiapplication?view=graph-rest-1.0&preserve-view=true#properties). Setting the property allows an application to use claims mapping without specifying a custom signing key. >[!WARNING] >Do not set the acceptMappedClaims property to true for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app. |
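Review bot: the rewritten Security considerations paragraph still reads `Protect from inappropriate customizations in one the following ways` (missing `of`), and the second bullet that follows, `- [update the application manifest to accept mapped claims]`, starts lowercase while its sibling `- [Configure a custom signing key]` is capitalized; fix both in this hunk. The removed sentence also explained that apps trust claims because they are authoritatively issued by the identity provider, which is the premise that makes the warning about malicious customizations meaningful; keep that reasoning in the replacement.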
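Review bot: the `+For multi-tenant apps, a custom signing key should be used.` line changes only `After configuring` to `After you configure` and leaves three defects in place: `when setting up an app in the Azure portal` starts a sentence in lowercase, `create a custom sign-in key from a certificate` should say `signing key` (the section heading and the `Sign` usage on the `keyCredential` both refer to a signing key), and `add it to service principal` is missing `the`. The surviving `Azure portal` reference is also inconsistent with the rest of this commit, which moves the article to the Microsoft Entra admin center.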
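Review bot: the `+For single tenant apps, you can set the `acceptMappedClaims` property to `true`` line turns `As documented on the [apiApplication resource type](...)` into a sentence fragment by ending it with a period; join it to the next sentence instead, for example `As documented on the [apiApplication resource type](...), setting the property allows an application to use claims mapping without specifying a custom signing key.`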
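Review bot: the context in the worked example around the removed blank line reads `Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.mail`.`; the second sentence should say `Because the type is **AAD guests**`, otherwise the evaluation order the example is meant to illustrate does not follow, so fix it while the surrounding lines are being edited.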
active-directory | Mark App As Publisher Verified | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/mark-app-as-publisher-verified.md | Title: Mark an app as publisher verified -description: Describes how to mark an app as publisher verified. When an application is marked as publisher verified, it means that the publisher (application developer) has verified the authenticity of their organization using a Microsoft Partner Network (MPN) account that has completed the verification process and has associated this MPN account with that application registration. +description: Describes how to mark an app as publisher verified. When an application is marked as publisher verified, it means that the publisher (application developer) has verified the authenticity of their organization using a Cloud Partner Program (CPP) account that has completed the verification process and has associated this CPP account with that application registration. -When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process. +When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Cloud Partner Program (CPP) account and has associated this CPP account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process. 
## Quickstart-If you are already enrolled in the Microsoft Partner Network (MPN) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: +If you are already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: 1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) 1. Choose an app and click **Branding & properties**. -1. Click **Add MPN ID to verify publisher** and review the listed requirements. +1. Click **Add Partner One ID to verify publisher** and review the listed requirements. -1. Enter your MPN ID and click **Verify and save**. +1. Enter your Partner One ID and click **Verify and save**. For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md). ## Mark your app as publisher verified Make sure you meet the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified. -1. Sign in using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) to an organizational (Azure AD) account authorized to make changes to the app you want to mark as Publisher Verified and on the MPN Account in Partner Center. +1. Sign in using [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) to an organizational (Azure AD) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center. - The Azure AD user must have one of the following [roles](../roles/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. 
- - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): MPN Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Azure AD). + - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): CPP Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Azure AD). 1. Navigate to the **App registrations** blade: Make sure you meet the [pre-requisites](publisher-verification-overview.md#requi 1. Ensure the appΓÇÖs [publisher domain](howto-configure-publisher-domain.md) is set. -1. Ensure that either the publisher domain or a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your MPN account. +1. Ensure that either the publisher domain or a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your CPP account. -1. Click **Add MPN ID to verify publisher** near the bottom of the page. +1. Click **Add Partner One ID to verify publisher** near the bottom of the page. -1. Enter the **MPN ID** for: +1. Enter the **Partner One ID** for: - - A valid Microsoft Partner Network account that has completed the verification process. + - A valid Cloud Partner Program account that has completed the verification process. - The Partner global account (PGA) for your organization. |
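Review bot: the rename is applied consistently, but the account and its identifier no longer share a name: the prose now says "Cloud Partner Program (CPP) account" while the UI steps say "Partner One ID". The old text paired "MPN ID" with "MPN account", so the relationship was implicit; suggest stating it once at first use, for example "Enter the **Partner One ID** (the ID of your Cloud Partner Program account) for:" so readers know which ID the button expects.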
active-directory | Migrate Adal Msal Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-adal-msal-java.md | - Title: ADAL to MSAL migration guide (MSAL4j) -description: Learn how to migrate your Azure Active Directory Authentication Library (ADAL) Java app to the Microsoft Authentication Library (MSAL). -------- Previously updated : 11/04/2019----#Customer intent: As a Java application developer, I want to learn how to migrate my v1 ADAL app to v2 MSAL. ---# ADAL to MSAL migration guide for Java --This article highlights changes you need to make to migrate an app that uses the Azure Active Directory Authentication Library (ADAL) to use the Microsoft Authentication Library (MSAL). --Both the Microsoft Authentication Library for Java (MSAL4J) and Azure AD Authentication Library for Java (ADAL4J) are used to authenticate Azure AD entities and request tokens from Azure AD. Until now, most developers have worked with Azure AD for developers platform (v1.0) to authenticate Azure AD identities (work and school accounts) by requesting tokens using Azure AD Authentication Library (ADAL). --MSAL offers the following benefits: --- Because it uses the newer Microsoft identity platform, you can authenticate a broader set of Microsoft identities such as Azure AD identities, Microsoft accounts, and social and local accounts through Azure AD Business to Consumer (B2C).-- Your users will get the best single-sign-on experience.-- Your application can enable incremental consent, and supporting Conditional Access is easier.--MSAL for Java is the auth library we recommend you use with the Microsoft identity platform. No new features will be implemented on ADAL4J. All efforts going forward are focused on improving MSAL. --You can learn more about MSAL and get started with an [overview of the Microsoft Authentication Library](msal-overview.md). 
--## Scopes not resources --ADAL4J acquires tokens for resources whereas MSAL for Java acquires tokens for scopes. Many MSAL for Java classes require a scopes parameter. This parameter is a list of strings that declare the desired permissions and resources that are requested. See [Microsoft Graph's scopes](/graph/permissions-reference) to see example scopes. --You can add the `/.default` scope suffix to the resource to help migrate your apps from the ADAL to MSAL. For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource isn't in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`. --For more details about the different types of scopes, refer -[Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles. --## Core classes --In ADAL4J, the `AuthenticationContext` class represents your connection to the Security Token Service (STS), or authorization server, through an Authority. However, MSAL for Java is designed around client applications. It provides two separate classes: `PublicClientApplication` and `ConfidentialClientApplication` to represent client applications. The latter, `ConfidentialClientApplication`, represents an application that is designed to securely maintain a secret such as an application identifier for a daemon app. 
--The following table shows how ADAL4J functions map to the new MSAL for Java functions: --| ADAL4J method| MSAL4J method| -||-| -|acquireToken(String resource, ClientCredential credential, AuthenticationCallback callback) | acquireToken(ClientCredentialParameters)| -|acquireToken(String resource, ClientAssertion assertion, AuthenticationCallback callback)|acquireToken(ClientCredentialParameters)| -|acquireToken(String resource, AsymmetricKeyCredential credential, AuthenticationCallback callback)|acquireToken(ClientCredentialParameters)| -|acquireToken(String resource, String clientId, String username, String password, AuthenticationCallback callback)| acquireToken(UsernamePasswordParameters)| -|acquireToken(String resource, String clientId, String username, String password=null, AuthenticationCallback callback)|acquireToken(IntegratedWindowsAuthenticationParameters)| -|acquireToken(String resource, UserAssertion userAssertion, ClientCredential credential, AuthenticationCallback callback)| acquireToken(OnBehalfOfParameters)| -|acquireTokenByAuthorizationCode() | acquireToken(AuthorizationCodeParameters) | -| acquireDeviceCode() and acquireTokenByDeviceCode()| acquireToken(DeviceCodeParameters)| -|acquireTokenByRefreshToken()| acquireTokenSilently(SilentParameters)| --## IAccount instead of IUser --ADAL4J manipulated users. Although a user represents a single human or software agent, it can have one or more accounts in the Microsoft identity system. For example, a user may have several Azure AD, Azure AD B2C, or Microsoft personal accounts. --MSAL for Java defines the concept of Account via the `IAccount` interface. This is a breaking change from ADAL4J, but it's a good one because it captures the fact that the same user can have several accounts, and perhaps even in different Azure AD directories. MSAL for Java provides better information in guest scenarios because home account information is provided. 
--## Cache persistence --ADAL4J didn't have support for token cache. -MSAL for Java adds a [token cache](msal-acquire-cache-tokens.md) to simplify managing token lifetimes by automatically refreshing expired tokens when possible and preventing unnecessary prompts for the user to provide credentials when possible. --## Common Authority --In v1.0, if you use the `https://login.microsoftonline.com/common` authority, users can sign in with any Azure Active Directory (Azure AD) account (for any organization). --If you use the `https://login.microsoftonline.com/common` authority in v2.0, users can sign in with any Azure AD organization, or even a Microsoft personal account (MSA). In MSAL for Java, if you want to restrict login to any Azure AD account, use the `https://login.microsoftonline.com/organizations` authority (which is the same behavior as with ADAL4J). To specify an authority, set the `authority` parameter in the [PublicClientApplication.Builder](https://javadoc.io/doc/com.microsoft.azure/msal4j/1.0.0/com/microsoft/aad/msal4j/PublicClientApplication.Builder.html) method when you create your `PublicClientApplication` class. --## v1.0 and v2.0 tokens --The v1.0 endpoint (used by ADAL) only emits v1.0 tokens. --The v2.0 endpoint (used by MSAL) can emit v1.0 and v2.0 tokens. A property of the application manifest of the web API enables developers to choose which version of token is accepted. See `accessTokenAcceptedVersion` in the [application manifest](./reference-app-manifest.md) reference documentation. --For more information about v1.0 and v2.0 tokens, see [Azure Active Directory access tokens](./access-tokens.md). --## ADAL to MSAL migration --In ADAL4J, the refresh tokens were exposed--which allowed developers to cache them. They would then use `AcquireTokenByRefreshToken()` to enable solutions such as implementing long-running services that refresh dashboards on behalf of the user when the user is no longer connected. 
--MSAL for Java doesn't expose refresh tokens for security reasons. Instead, MSAL handles refreshing tokens for you. --MSAL for Java has an API that allows you to migrate refresh tokens you acquired with ADAL4j into the ClientApplication: [acquireToken(RefreshTokenParameters)](https://javadoc.io/static/com.microsoft.azure/msal4j/1.0.0/com/microsoft/aad/msal4j/PublicClientApplication.html#acquireToken-com.microsoft.aad.msal4j.RefreshTokenParameters-). With this method, you can provide the previously used refresh token along with any scopes (resources) you desire. The refresh token will be exchanged for a new one and cached for use by your application. --The following code snippet shows some migration code in a confidential client application: --```java -String rt = GetCachedRefreshTokenForSignedInUser(); // Get refresh token from where you have them stored -Set<String> scopes = Collections.singleton("SCOPE_FOR_REFRESH_TOKEN"); --RefreshTokenParameters parameters = RefreshTokenParameters.builder(scopes, rt).build(); --PublicClientApplication app = PublicClientApplication.builder(CLIENT_ID) // ClientId for your application - .authority(AUTHORITY) //plug in your authority - .build(); --IAuthenticationResult result = app.acquireToken(parameters); -``` --The `IAuthenticationResult` returns an access token and ID token, while your new refresh token is stored in the cache. -The application will also now contain an IAccount: --```java -Set<IAccount> accounts = app.getAccounts().join(); -``` --To use the tokens that are now in the cache, call: --```java -SilentParameters parameters = SilentParameters.builder(scope, accounts.iterator().next()).build(); -IAuthenticationResult result = app.acquireToken(parameters); -``` |
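Review bot: this hunk removes the whole ADAL-to-MSAL Java migration article with no redirect visible. Other rows on this page (the Msal Acquire Cache Tokens and Msal Client Application Configuration entries) retarget MSAL Java links to `/entra/msal/java/advanced/...`, which suggests the content moved rather than being dropped; confirm a redirect entry exists for `migrate-adal-msal-java.md` so existing inbound links, including the "Scopes not resources" and refresh-token migration anchors, do not break.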
active-directory | Migrate Python Adal Msal | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-python-adal-msal.md | - Title: Python ADAL to MSAL migration guide -description: Learn how to migrate your Azure Active Directory Authentication Library (ADAL) Python app to the Microsoft Authentication Library (MSAL) for Python. -------- Previously updated : 03/30/2023----#Customer intent: As a Python application developer, I want to learn how to migrate my v1 ADAL app to v2 MSAL. ---# ADAL to MSAL migration guide for Python --This article highlights changes you need to make to migrate an app that uses the Azure Active Directory Authentication Library (ADAL) to use the Microsoft Authentication Library (MSAL). --You can learn more about MSAL and get started with an [overview of the Microsoft Authentication Library](msal-overview.md). --## Difference highlights --ADAL works with the Azure Active Directory (Azure AD) v1.0 endpoint. The Microsoft Authentication Library (MSAL) works with the Microsoft identity platform--formerly known as the Azure Active Directory v2.0 endpoint. The Microsoft identity platform differs from Azure AD v1.0 in that it: --Supports: --- Work and school accounts (Azure AD provisioned accounts)-- Personal accounts (such as Outlook.com or Hotmail.com)-- Your customers who bring their own email or social identity (such as LinkedIn, Facebook, Google) via the Azure AD B2C offering--- Is standards compatible with:- - OAuth v2.0 - - OpenID Connect (OIDC) --For more information about MSAL, see [MSAL overview](./msal-overview.md). --### Scopes not resources --ADAL Python acquires tokens for resources, but MSAL Python acquires tokens for scopes. The API surface in MSAL Python doesn't have resource parameter anymore. You would need to provide scopes as a list of strings that declare the desired permissions and resources that are requested. 
To see some example of scopes, see [Microsoft Graph's scopes](/graph/permissions-reference). --You can add the `/.default` scope suffix to the resource to help migrate your apps from the v1.0 endpoint (ADAL) to the Microsoft identity platform (MSAL). For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource isn't in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`. --For more details about the different types of scopes, refer to [Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles. --### Error handling --ADAL for Python uses the exception `AdalError` to indicate that there's been a problem. MSAL for Python typically uses error codes, instead. For more information, see [MSAL for Python error handling](msal-error-handling-python.md). 
--### API changes --The following table lists an API in ADAL for Python, and the one to use in its place in MSAL for Python: --| ADAL for Python API | MSAL for Python API | -| -- | - | -| [AuthenticationContext](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext) | [PublicClientApplication](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.__init__) or [ConfidentialClientApplication](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.__init__) | -| N/A | [PublicClientApplication.acquire_token_interactive()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_interactive) | -| N/A | [ConfidentialClientApplication.initiate_auth_code_flow()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.initiate_auth_code_flow) | -| [acquire_token_with_authorization_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_authorization_code) | [ConfidentialClientApplication.acquire_token_by_auth_code_flow()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_by_auth_code_flow) | -| [acquire_token()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token) | [PublicClientApplication.acquire_token_silent()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_silent) or [ConfidentialClientApplication.acquire_token_silent()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_silent) | -| [acquire_token_with_refresh_token()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_refresh_token) | These two helpers are intended to be used during [migration](#migrate-existing-refresh-tokens-for-msal-python) only: 
[PublicClientApplication.acquire_token_by_refresh_token()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_refresh_token) or [ConfidentialClientApplication.acquire_token_by_refresh_token()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_by_refresh_token) | -| [acquire_user_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_user_code) | [initiate_device_flow()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.initiate_device_flow) | -| [acquire_token_with_device_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_device_code) and [cancel_request_to_get_token_with_device_code()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.cancel_request_to_get_token_with_device_code) | [acquire_token_by_device_flow()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_device_flow) | -| [acquire_token_with_username_password()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_username_password) | [acquire_token_by_username_password()](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.acquire_token_by_username_password) | -| [acquire_token_with_client_credentials()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_client_credentials) and [acquire_token_with_client_certificate()](https://adal-python.readthedocs.io/en/latest/#adal.AuthenticationContext.acquire_token_with_client_certificate) | [acquire_token_for_client()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_for_client) | -| N/A | [acquire_token_on_behalf_of()](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.acquire_token_on_behalf_of) | -| 
[TokenCache()](https://adal-python.readthedocs.io/en/latest/#adal.TokenCache) | [SerializableTokenCache()](https://msal-python.readthedocs.io/en/latest/#msal.SerializableTokenCache) | -| N/A | Cache with persistence, available from [MSAL Extensions](https://github.com/marstr/original-microsoft-authentication-extensions-for-python) | --## Migrate existing refresh tokens for MSAL Python --MSAL abstracts the concept of refresh tokens. MSAL Python provides an in-memory token cache by default so that you don't need to store, lookup, or update refresh tokens. Users will also see fewer sign-in prompts because refresh tokens can usually be updated without user intervention. For more information about the token cache, see [Custom token cache serialization in MSAL for Python](msal-python-token-cache-serialization.md). --The following code will help you migrate your refresh tokens managed by another OAuth2 library (including but not limited to ADAL Python) to be managed by MSAL for Python. One reason for migrating those refresh tokens is to prevent existing users from needing to sign in again when you migrate your app to MSAL for Python. --The method for migrating a refresh token is to use MSAL for Python to acquire a new access token using the previous refresh token. When the new refresh token is returned, MSAL for Python will store it in the cache. -Since MSAL Python 1.3.0, we provide an API inside MSAL for this purpose. 
-Please refer to the following code snippet, quoted from -[a completed sample of migrating refresh tokens with MSAL Python](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/1.3.0/sample/migrate_rt.py#L28-L67) --```python -import msal -def get_preexisting_rt_and_their_scopes_from_elsewhere(): - # Maybe you have an ADAL-powered app like this - # https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/1.2.3/sample/device_code_sample.py#L72 - # which uses a resource rather than a scope, - # you need to convert your v1 resource into v2 scopes - # See https://learn.microsoft.com/azure/active-directory/develop/migrate-python-adal-msal#scopes-not-resources - # You may be able to append "/.default" to your v1 resource to form a scope - # See https://learn.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope -- # Or maybe you have an app already talking to the Microsoft identity platform, - # powered by some 3rd-party auth library, and persist its tokens somehow. -- # Either way, you need to extract RTs from there, and return them like this. - return [ - ("old_rt_1", ["scope1", "scope2"]), - ("old_rt_2", ["scope3", "scope4"]), - ] ---# We will migrate all the old RTs into a new app powered by MSAL -app = msal.PublicClientApplication( - "client_id", authority="...", - # token_cache=... # Default cache is in memory only. - # You can learn how to use SerializableTokenCache from - # https://msal-python.readthedocs.io/en/latest/#msal.SerializableTokenCache - ) --# We choose a migration strategy of migrating all RTs in one loop -for old_rt, scopes in get_preexisting_rt_and_their_scopes_from_elsewhere(): - result = app.acquire_token_by_refresh_token(old_rt, scopes) - if "error" in result: - print("Discarding unsuccessful RT. Error: ", json.dumps(result, indent=2)) --print("Migration completed") -``` |
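Review bot: the Python migration guide is deleted outright here and the hunk shows no redirect. The Msal Acquire Cache Tokens and Msal Client Application Configuration rows on this page now send readers to `/entra/msal/python/advanced/...`, so confirm a redirect for `migrate-python-adal-msal.md`. This matters because the deleted article's own `#scopes-not-resources` anchor is referenced from the comments of the linked MSAL Python sample (`sample/migrate_rt.py`), and the in-page table links to `#migrate-existing-refresh-tokens-for-msal-python`.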
active-directory | Msal Acquire Cache Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-acquire-cache-tokens.md | When your client requests an access token, Azure AD also returns an authenticati Several of the platforms supported by MSAL have additional token cache-related information in the documentation for that platform's library. For example: - [Get a token from the token cache using MSAL.NET](msal-net-acquire-token-silently.md) - [Single sign-on with MSAL.js](msal-js-sso.md)-- [Custom token cache serialization in MSAL for Python](msal-python-token-cache-serialization.md)-- [Custom token cache serialization in MSAL for Java](msal-java-token-cache-serialization.md)+- [Custom token cache serialization in MSAL for Python](/entra/msal/python/advanced/msal-python-token-cache-serialization) +- [Custom token cache serialization in MSAL for Java](/entra/msal/java/advanced/msal-java-token-cache-serialization) |
active-directory | Msal Android Shared Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-shared-devices.md | These Microsoft applications support Azure AD's shared device mode: - [Microsoft Edge](/microsoft-edge) - [Outlook](/mem/intune/apps/app-configuration-policies-outlook) - [Microsoft Power Apps](/power-apps)+- [Microsoft Power BI Mobile](/power-bi/consumer/mobile/mobile-app-shared-device-mode) (preview) - [Microsoft Viva Engage](/viva/engage/overview) (previously [Yammer](/yammer)) ## Shared device sign-out and the overall app lifecycle |
active-directory | Msal Android Single Sign On | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-android-single-sign-on.md | In this how-to, you'll learn how to configure the SDKs used by your application This how-to assumes you know how to: -- Provision your app using the Azure portal. For more information, see the instructions for creating an app in [the Android tutorial](./tutorial-v2-android.md#create-a-project)+- Provision your app. For more information, see the instructions for creating an app in [the Android tutorial](./tutorial-v2-android.md#create-a-project) - Integrate your application with the [MSAL for Android](https://github.com/AzureAD/microsoft-authentication-library-for-android) ## Methods for SSO You must register a redirect URI that is compatible with the broker. The redirec The format of the redirect URI is: `msauth://<yourpackagename>/<base64urlencodedsignature>` -You can use [keytool](https://manpages.debian.org/buster/openjdk-11-jre-headless/keytool.1.en.html) to generate a Base64-encoded signature hash using your app's signing keys, and then use the Azure portal to generate your redirect URI using that hash. +You can use [keytool](https://manpages.debian.org/buster/openjdk-11-jre-headless/keytool.1.en.html) to generate a Base64-encoded signature hash using your app's signing keys, and then generate your redirect URI using that hash. Linux and macOS: keytool -exportcert -alias androiddebugkey -keystore %HOMEPATH%\.android\debug.k Once you've generated a signature hash with _keytool_, use the Azure portal to generate the redirect URI: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. 
If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="/azure/active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you registered your application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. -1. Under **Manage**, select **App registrations**, then select your application. -1. Under **Manage**, select **Authentication** > **Add a platform** > **Android**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select your application, and then select **Authentication** > **Add a platform** > **Android**. 1. In the **Configure your Android app** pane that opens, enter the **Signature hash** that you generated earlier and a **Package name**. 1. Select the **Configure** button. -The Azure portal generates the redirect URI for you and displays it in the **Android configuration** pane's **Redirect URI** field. +The redirect URI is generated for you and is displayed in the **Android configuration** pane's **Redirect URI** field. For more information about signing your app, see [Sign your app](https://developer.android.com/studio/publish/app-signing) in the Android Studio User Guide. 
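Review bot: two points in the redirect URI steps. The unchanged intro line "Once you've generated a signature hash with _keytool_, use the Azure portal to generate the redirect URI:" still names the Azure portal even though the new step 1 sends users to the Microsoft Entra admin center; update it to match, as was already done for the earlier "then generate your redirect URI using that hash" sentence. Also, "as at least an [Cloud Application Administrator]" should read "as at least a [Cloud Application Administrator]".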
If the application uses a `WebView` strategy without integrating Microsoft Authe If the application uses MSAL with a broker like Microsoft Authenticator or Intune Company Portal, then users can have SSO experience across applications if they have an active sign-in with one of the apps. +> [!NOTE] +> MSAL with broker utilizes WebViews instead of Custom Tabs. As a result, the Single Sign-On (SSO) state is not extended to other apps that use Custom Tabs. + ### WebView To use the in-app WebView, put the following line in the app configuration JSON that is passed to MSAL: |
active-directory | Msal Client Application Configuration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-client-application-configuration.md | The authority you specify in your code needs to be consistent with the **Support The authority can be: - An Azure AD cloud authority.-- An Azure AD B2C authority. See [B2C specifics](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics).-- An Active Directory Federation Services (AD FS) authority. See [AD FS support](https://aka.ms/msal-net-adfs-support).+- An Azure AD B2C authority. See [B2C specifics](msal-net-b2c-considerations.md). +- An Active Directory Federation Services (AD FS) authority. See [AD FS support](msal-net-adfs-support.md). Azure AD cloud authorities have two parts: You can override the redirect URI by using the `RedirectUri` property (for examp - `RedirectUriOnAndroid` = "msauth-5a434691-ccb2-4fd1-b97b-b64bcfbc03fc://com.microsoft.identity.client.sample"; - `RedirectUriOnIos` = $"msauth.{Bundle.ID}://auth"; -For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Leveraging-the-broker-on-iOS). +For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](msal-net-use-brokers-with-xamarin-apps.md). For more Android details, see [Brokered auth in Android](msal-android-single-sign-on.md). 
### Redirect URI for confidential client apps To help in debugging and authentication failure troubleshooting scenarios, the M :::column-end::: :::column::: - [Logging in MSAL for iOS/macOS](msal-logging-ios.md)- - [Logging in MSAL for Java](msal-logging-java.md) - - [Logging in MSAL for Python](msal-logging-python.md) + - [Logging in MSAL for Java](/entra/msal/java/advanced/msal-logging-java) + - [Logging in MSAL for Python](/entra/msal/python/advanced/msal-logging-python) :::column-end::: :::row-end::: |
active-directory | Msal Error Handling Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-error-handling-java.md | - Title: Handle errors and exceptions in MSAL4J -description: Learn how to handle errors and exceptions, Conditional Access claims challenges, and retries in MSAL4J applications. -------- Previously updated : 11/27/2020-----# Handle errors and exceptions in MSAL for Java ---## Error handling in MSAL for Java --In MSAL for Java, there are three types of exceptions: `MsalClientException`, `MsalServiceException`, and `MsalInteractionRequiredException`; all which inherit from `MsalException`. --- `MsalClientException` is thrown when an error occurs that is local to the library or device.-- `MsalServiceException` is thrown when the secure token service (STS) returns an error response or another networking error occurs.-- `MsalInteractionRequiredException` is thrown when UI interaction is required for authentication to succeed.--### MsalServiceException --`MsalServiceException` exposes HTTP headers returned in the requests to the STS. Access them via `MsalServiceException.headers()` --### MsalInteractionRequiredException --One of common status codes returned from MSAL for Java when calling `AcquireTokenSilently()` is `InvalidGrantError`. This means that additional user interaction is required before an authentication token can be issued. Your application should call the authentication library again, but in interactive mode by sending `AuthorizationCodeParameters` or `DeviceCodeParameters` for public client applications. --Most of the time when `AcquireTokenSilently` fails, it's because the token cache doesn't have a token matching your request. Access tokens expire in one hour, and `AcquireTokenSilently` will try to get a new one based on a refresh token. In OAuth2 terms, this is the Refresh Token flow. 
This flow can also fail for various reasons such as when a tenant admin configures more stringent login policies. --Some conditions that result in this error are easy for users to resolve. For example, they may need to accept Terms of Use or the request can't be fulfilled with the current configuration because the machine needs to connect to a specific corporate network. --MSAL exposes a `reason` field, which you can use to provide a better user experience. For example, the `reason` field may lead you to tell the user that their password expired or that they'll need to provide consent to use some resources. The supported values are part of the `InteractionRequiredExceptionReason` enum: --| Reason | Meaning | Recommended Handling | -||--|--| -| `BasicAction` | Condition can be resolved by user interaction during the interactive authentication flow. | Call `acquireToken` with interactive parameters. | -| `AdditionalAction` | Condition can be resolved by additional remedial interaction with the system outside of the interactive authentication flow. | Call `acquireToken` with interactive parameters to show a message that explains the remedial action to take. The calling app may choose to hide flows that require additional action if the user is unlikely to complete the remedial action. | -| `MessageOnly` | Condition can't be resolved at this time. Launch interactive authentication flow to show a message explaining the condition. | Call `acquireToken` with interactive parameters to show a message that explains the condition. `acquireToken` will return the `UserCanceled` error after the user reads the message and closes the window. The app may choose to hide flows that result in message if the user is unlikely to benefit from the message. | -| `ConsentRequired`| User consent is missing, or has been revoked. |Call `acquireToken` with interactive parameters so that the user can give consent. | -| `UserPasswordExpired` | User's password has expired. 
| Call `acquireToken` with interactive parameter so the user can reset their password. | -| `None` | Further details are provided. The condition may be resolved by user interaction during the interactive authentication flow. | Call `acquireToken` with interactive parameters. | --### Code Example --```java - IAuthenticationResult result; - try { - PublicClientApplication application = PublicClientApplication - .builder("clientId") - .b2cAuthority("authority") - .build(); -- SilentParameters parameters = SilentParameters - .builder(Collections.singleton("scope")) - .build(); -- result = application.acquireTokenSilently(parameters).join(); - } - catch (Exception ex){ - if(ex instanceof MsalInteractionRequiredException){ - // AcquireToken by either AuthorizationCodeParameters or DeviceCodeParameters - } else{ - // Log and handle exception accordingly - } - } -``` ----## Next steps --Consider enabling [Logging in MSAL for Java](msal-logging-java.md) to help you diagnose and debug issues. |
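Review bot: the whole msal-error-handling-java.md article is deleted here with no replacement path shown in this hunk; its removed Next steps link targets msal-logging-java.md, which is also deleted in this change set, while the logging links in the row above are repointed to /entra/msal/java/advanced/msal-logging-java. Confirm a redirect from msal-error-handling-java.md to the corresponding /entra/msal/java location exists so inbound links and the old Next steps anchor don't break.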
active-directory | Msal Error Handling Js | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-error-handling-js.md | The following error types are available: - `AuthError`: Base error class for the MSAL.js library, also used for unexpected errors. -- `ClientAuthError`: Error class, which denotes an issue with Client authentication. Most errors that come from the library will be ClientAuthErrors. These errors result from things like calling a login method when login is already in progress, the user cancels the login, and so on.+- `ClientAuthError`: Error class which denotes an issue with Client authentication. Most errors that come from the library are ClientAuthErrors. These errors result from things like calling a login method when login is already in progress, the user cancels the login, and so on. - `ClientConfigurationError`: Error class, extends `ClientAuthError` thrown before requests are made when the given user config parameters are malformed or missing. -- `ServerError`: Error class, represents the error strings sent by the authentication server. These may be errors such as invalid request formats or parameters, or any other errors that prevent the server from authenticating or authorizing the user.+- `ServerError`: Error class, represents the error strings sent by the authentication server. These errors may be invalid request formats or parameters, or any other errors that prevent the server from authenticating or authorizing the user. - `InteractionRequiredAuthError`: Error class, extends `ServerError` to represent server errors, which require an interactive call. This error is thrown by `acquireTokenSilent` if the user is required to interact with the server to provide credentials or consent for authentication/authorization. Error codes include `"interaction_required"`, `"login_required"`, and `"consent_required"`. 
myMSALObj.handleRedirectPromise() myMSALObj.acquireTokenRedirect(request); ``` -The methods for pop-up experience (`loginPopup`, `acquireTokenPopup`) return promises, so you can use the promise pattern (.then and .catch) to handle them as shown: +The methods for pop-up experience (`loginPopup`, `acquireTokenPopup`) return promises, so you can use the promise pattern (`.then` and `.catch`) to handle them as shown: ```javascript myMSALObj.acquireTokenPopup(request).then( When calling an API requiring Conditional Access, you can receive a claims chall See [How to use Continuous Access Evaluation enabled APIs in your applications](./app-resilience-continuous-access-evaluation.md) for more detail. +### Using other frameworks ++Using toolkits like Tauri for registered single page applications (SPAs) with the identity platform are not recognized for production apps. SPAs only support URLs that start with `https` for production apps and `http://localhost` for local development. Prefixes like `tauri://localhost` cannot be used for browser apps. This format can only be supported for mobile or web apps as they have a confidential component unlike browser apps. + [!INCLUDE [Active directory error handling retries](./includes/error-handling-and-tips/error-handling-retries.md)] ## Next steps |
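Review bot: the new "Using other frameworks" paragraph has a subject/verb mismatch ("Using toolkits like Tauri ... are not recognized"), and its closing sentence justifies custom-scheme redirect URIs for mobile apps by saying they "have a confidential component unlike browser apps", but mobile apps are public clients that cannot hold a secret. Suggest "Toolkits like Tauri are not supported for registered single-page applications (SPAs) ..." and restating the last sentence in terms of which redirect URI formats each platform type accepts rather than in terms of confidentiality.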
active-directory | Msal Error Handling Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-error-handling-python.md | - Title: Handle errors and exceptions in MSAL for Python -description: Learn how to handle errors and exceptions, Conditional Access claims challenges, and retries in MSAL for Python applications. -------- Previously updated : 03/16/2023-----# Handle errors and exceptions in MSAL for Python ---## Error handling in MSAL for Python --In MSAL for Python, most errors are conveyed as a return value from the API call. The error is represented as a dictionary containing the JSON response from the Microsoft identity platform. --* A successful response contains the `"access_token"` key. The format of the response is defined by the OAuth2 protocol. For more information, see [5.1 Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1) -* An error response contains `"error"` and usually `"error_description"`. The format of the response is defined by the OAuth2 protocol. For more information, see [5.2 Error Response](https://tools.ietf.org/html/rfc6749#section-5.2) --When an error is returned, the `"error"` key contains a machine-readable code. If the `"error"` is, for example, an `"interaction_required"`, you may prompt the user to provide additional information to complete the authentication process. If the `"error"` is `"invalid_grant"`, you may prompt the user to reenter their credentials. The following snippet is an example of error handling in MSAL for Python. 
--```python --from msal import ConfidentialClientApplication --authority_url = "https://login.microsoftonline.com/your_tenant_id" -client_id = "your_client_id" -client_secret = "your_client_secret" -scopes = ["https://graph.microsoft.com/.default"] --app = ConfidentialClientApplication(client_id, authority=authority_url, client_credential=client_secret) --result = app.acquire_token_silent(scopes=scopes, account=None) --if not result: - result = app.acquire_token_silent(scopes=scopes) --if "access_token" in result: - print("Access token: %s" % result["access_token"]) -else: - print("Error: %s" % result.get("error")) --``` --When an error is returned, the `"error_description"` key also contains a human-readable message, and there is typically also an `"error_code"` key which contains a machine-readable Microsoft identity platform error code. For more information about the various Microsoft identity platform error codes, see [Authentication and authorization error codes](./reference-error-codes.md). --In MSAL for Python, exceptions are rare because most errors are handled by returning an error value. The `ValueError` exception is only thrown when there's an issue with how you're attempting to use the library, such as when API parameter(s) are malformed. ----## Retrying after errors and exceptions --MSAL makes HTTP calls to the Azure AD service, and occasionally failures can occur. -For example the network can go down or the server is overloaded. --MSAL Python 1.11+ automatically performs one retry attempt for you. -You may customize this behavior by following -[this instruction](https://msal-python.readthedocs.io/en/latest/#msal.ConfidentialClientApplication.params.http_client). --### HTTP 429 --When the Service Token Server (STS) is overloaded with too many requests, -it returns HTTP error 429 with a hint about how long until you can try again in the `Retry-After` response field. 
--Your app was expected to throttle the subsequent requests, and only retry after the specified period. -That was not an easy task. --MSAL Python 1.16+ made it easy for you, in that your app could blindly retry in any given time -(say, whenever the end user clicks the sign-in button again), -MSAL Python 1.16+ would automatically throttle those retry attempts by returning same error response from an HTTP cache, -and only sending out a real HTTP call when that call is attempted after the specified period. --By default, this throttle mechanism works by saving throttle information into a built-in in-memory HTTP cache. -You may provide your own `dict`-like object as the HTTP cache, which you can control how to persist its content. -See [MSAL Python's API document](https://msal-python.readthedocs.io/en/latest/#msal.PublicClientApplication.params.http_cache) -for more details. --## Next steps --Consider enabling [Logging in MSAL for Python](msal-logging-python.md) to help you diagnose and debug issues. |
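Review bot: if this content is moving to the /entra/msal/python path used elsewhere in this change set rather than being dropped, carry a fix for the removed snippet: the fallback `result = app.acquire_token_silent(scopes=scopes)` omits the required `account` argument and merely repeats the silent call that already returned None; for a `ConfidentialClientApplication` configured with a client secret the fallback should be `app.acquire_token_for_client(scopes=scopes)`.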
active-directory | Msal Ios Shared Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-ios-shared-devices.md | For iOS, your app requires a background permission to remain active in the backg These Microsoft applications support Azure AD's shared device mode: - [Microsoft Teams](/microsoftteams/platform/) (in Public Preview)+- [Microsoft Power BI Mobile](/power-bi/consumer/mobile/mobile-app-shared-device-mode) (in Public Preview) > [!IMPORTANT]-> Public preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Public preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see [Universal License Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). ## Next steps |
active-directory | Msal Java Adfs Support | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-java-adfs-support.md | - Title: AD FS support (MSAL for Java) -description: Learn about Active Directory Federation Services (AD FS) support in the Microsoft Authentication Library for Java (MSAL4j). -------- Previously updated : 11/21/2019----#Customer intent: As an application developer, I want to learn about AD FS support in MSAL for Java so I can decide if this platform meets my application development needs and requirements. ---# Active Directory Federation Services support in MSAL for Java --Active Directory Federation Services (AD FS) in Windows Server enables you to add OpenID Connect and OAuth 2.0 based authentication and authorization to your Microsoft Authentication Library for Java (MSAL for Java) app. Once integrated, your app can authenticate users in AD FS, federated through Azure AD. For more information about scenarios, see [AD FS Scenarios for Developers](/windows-server/identity/ad-fs/ad-fs-development). --An app that uses MSAL for Java will talk to Azure Active Directory (Azure AD), which then federates to AD FS. --MSAL for Java connects to Azure AD, which signs in users that are managed in Azure AD (managed users) or users managed by another identity provider such as AD FS (federated users). MSAL for Java doesn't know that a user is federated. It simply talks to Azure AD. --The [authority](msal-client-application-configuration.md#authority) you use in this case is the usual authority (authority host name + tenant, common, or organizations). --## Acquire a token interactively for a federated user --When you call `ConfidentialClientApplication.AcquireToken()` or `PublicClientApplication.AcquireToken()` with `AuthorizationCodeParameters` or `DeviceCodeParameters`, the user experience is typically: --1. The user enters their account ID. -2. 
Azure AD briefly displays "Taking you to your organization's page", and the user is redirected to the sign-in page of the identity provider. The sign-in page is usually customized with the logo of the organization. --The supported AD FS versions in this federated scenario are: -- Active Directory Federation Services FS v2-- Active Directory Federation Services v3 (Windows Server 2012 R2)-- Active Directory Federation Services v4 (AD FS 2016)--## Acquire a token via username and password --When you acquire a token using `ConfidentialClientApplication.AcquireToken()` or `PublicClientApplication.AcquireToken()` with `IntegratedWindowsAuthenticationParameters` or `UsernamePasswordParameters`, MSAL for Java gets the identity provider to contact based on the username. MSAL for Java gets a [SAML 1.1 token](reference-saml-tokens.md) token from the identity provider, which it then provides to Azure AD which returns the JSON Web Token (JWT). --## Next steps --For the federated case, see [Configure Azure Active Directory sign-in behavior for an application by using a Home Realm Discovery policy](../manage-apps/configure-authentication-for-federated-users-portal.md) |
active-directory | Msal Java Get Remove Accounts Token Cache | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-java-get-remove-accounts-token-cache.md | - Title: Get & remove accounts from the token cache (MSAL4j) -description: Learn how to view and remove accounts from the token cache using the Microsoft Authentication Library for Java. -------- Previously updated : 11/07/2019----#Customer intent: As an application developer using the Microsoft Authentication Library for Java (MSAL4J), I want to learn how to get and remove accounts stored in the token cache. ---# Get and remove accounts from the token cache using MSAL for Java --MSAL for Java provides an in-memory token cache by default. The in-memory token cache lasts the duration of the application instance. --## See which accounts are in the cache --You can check what accounts are in the cache by calling `PublicClientApplication.getAccounts()` as shown in the following example: --```java -PublicClientApplication pca = new PublicClientApplication.Builder( - labResponse.getAppId()). - authority(TestConstants.ORGANIZATIONS_AUTHORITY). - build(); --Set<IAccount> accounts = pca.getAccounts().join(); -``` --## Remove accounts from the cache --To remove an account from the cache, find the account that needs to be removed and then call `PublicClientApplication.removeAccount()` as shown in the following example: --```java -Set<IAccount> accounts = pca.getAccounts().join(); --IAccount accountToBeRemoved = accounts.stream().filter( - x -> x.username().equalsIgnoreCase( - UPN_OF_USER_TO_BE_REMOVED)).findFirst().orElse(null); --pca.removeAccount(accountToBeRemoved).join(); -``` --## Learn more --If you are using MSAL for Java, learn about [Custom token cache serialization in MSAL for Java](msal-java-token-cache-serialization.md). |
active-directory | Msal Java Token Cache Serialization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-java-token-cache-serialization.md | - Title: Custom token cache serialization (MSAL4j) -description: Learn how to serialize the token cache for MSAL for Java -------- Previously updated : 11/07/2019----#Customer intent: As an application developer using the Microsoft Authentication Library for Java (MSAL4J), I want to learn how to persist the token cache so that it is available to a new instance of my application. ---# Custom token cache serialization in MSAL for Java --To persist the token cache between instances of your application, you will need to customize the serialization. The Java classes and interfaces involved in token cache serialization are the following: --- [ITokenCache](https://static.javadoc.io/com.microsoft.azure/msal4j/0.5.0-preview/com/microsoft/aad/msal4j/ITokenCache.html): Interface representing security token cache.-- [ITokenCacheAccessAspect](https://static.javadoc.io/com.microsoft.azure/msal4j/0.5.0-preview/com/microsoft/aad/msal4j/ITokenCacheAccessAspect.html): Interface representing operation of executing code before and after access. You would @Override *beforeCacheAccess* and *afterCacheAccess* with the logic responsible for serializing and deserializing the cache.-- [ITokenCacheContext](https://static.javadoc.io/com.microsoft.azure/msal4j/0.5.0-preview/com/microsoft/aad/msal4j/ITokenCacheAccessContext.html): Interface representing context in which the token cache is accessed. --Below is a naive implementation of custom serialization of token cache serialization/deserialization. Do not copy and paste this into a production environment. 
--```Java -static class TokenPersistence implements ITokenCacheAccessAspect { -String data; --TokenPersistence(String data) { - this.data = data; -} --@Override -public void beforeCacheAccess(ITokenCacheAccessContext iTokenCacheAccessContext) { - iTokenCacheAccessContext.tokenCache().deserialize(data); -} --@Override -public void afterCacheAccess(ITokenCacheAccessContext iTokenCacheAccessContext) { - data = iTokenCacheAccessContext.tokenCache().serialize(); -} -``` --```Java -// Loads cache from file -String dataToInitCache = readResource(this.getClass(), "/cache_data/serialized_cache.json"); --ITokenCacheAccessAspect persistenceAspect = new TokenPersistence(dataToInitCache); --// By setting *TokenPersistence* on the PublicClientApplication, MSAL will call *beforeCacheAccess()* before accessing the cache and *afterCacheAccess()* after accessing the cache. -PublicClientApplication app = -PublicClientApplication.builder("my_client_id").setTokenCacheAccessAspect(persistenceAspect).build(); -``` --## Learn more --Learn about [Get and remove accounts from the token cache using MSAL for Java](msal-java-get-remove-accounts-token-cache.md). |
active-directory | Msal Logging Java | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-logging-java.md | - Title: Logging errors and exceptions in MSAL for Java -description: Learn how to log errors and exceptions in MSAL for Java -------- Previously updated : 11/25/2022------# Logging in MSAL for Java ---## MSAL for Java logging --MSAL for Java allows you to use the logging library that you're already using with your app, as long as it's compatible with SLF4J. MSAL for Java uses the [Simple Logging Facade for Java](http://www.slf4j.org/) (SLF4J) as a simple facade or abstraction for various logging frameworks, such as [java.util.logging](https://docs.oracle.com/javase/7/docs/api/java/util/logging/package-summary.html), [Logback](http://logback.qos.ch/) and [Log4j](https://logging.apache.org/log4j/2.x/). SLF4J allows the user to plug in the desired logging framework at deployment time and automatically binds to Logback at deployment time. MSAL logs will be written to the console. --This article shows how to enable MSAL4J logging using the logback framework in a spring boot web application. You can refer to the [code sample](https://github.com/Azure-Samples/ms-identity-java-webapp/tree/master/msal-java-webapp-sample) for reference. --1. To implement logging, include the `logback` package in the *pom.xml* file. -- ```xml - <dependency> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-classic</artifactId> - <version>1.2.3</version> - </dependency> - ``` --2. Navigate to the *resources* folder, and add a file called *logback.xml*, and insert the following code. This will append logs to the console. You can change the appender `class` to write logs to a file, database or any appender of your choosing. 
-- ```xml - <?xml version="1.0" encoding="UTF-8"?> - <configuration> - <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> - <encoder> - <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern> - </encoder> - </appender> - <root level="debug"> - <appender-ref ref="STDOUT" /> - </root> - </configuration> - ``` -3. Next, you should set the *logging.config* property to the location of the *logback.xml* file before the main method. Navigate to *MsalWebSampleApplication.java* and add the following code to the `MsalWebSampleApplication` public class. -- ```java - @SpringBootApplication - public class MsalWebSampleApplication { -- static { System.setProperty("logging.config", "C:\Users\<your path>\src\main\resources\logback.xml"); } - public static void main(String[] arrgs) { - // Console.log("main"); - // System.console().printf("Hello"); - // System.out.printf("Hello %s!%n", "World"); - System.out.printf("%s%n", "Hello World"); - SpringApplication.run(MsalWebSampleApplication.class, args); - } - } - ``` - -In your tenant, you'll need separate app registrations for the web app and the web API. For app registration and exposing the web API scope, follow the steps in the scenario [A web app that authenticates users and calls web APIs](./scenario-web-app-call-api-overview.md). --For instructions on how to bind to other logging frameworks, see the [SLF4J manual](http://www.slf4j.org/manual.html). --### Personal and organization information --By default, MSAL logging doesn't capture or log any personal or organizational data. In the following example, logging personal or organizational data is off by default: --```java - PublicClientApplication app2 = PublicClientApplication.builder(PUBLIC_CLIENT_ID) - .authority(AUTHORITY) - .build(); -``` --Turn on personal and organizational data logging by setting `logPii()` on the client application builder. 
If you turn on personal or organizational data logging, your app must take responsibility for safely handling highly-sensitive data and complying with any regulatory requirements. --In the following example, logging personal or organizational data is enabled: --```java -PublicClientApplication app2 = PublicClientApplication.builder(PUBLIC_CLIENT_ID) - .authority(AUTHORITY) - .logPii(true) - .build(); -``` --## Next steps --For more code samples, refer to [Microsoft identity platform code samples](sample-v2-code.md). |
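Review bot: the removed step 3 snippet does not compile as written and should be corrected if it is carried to the new /entra/msal/java location: `main(String[] arrgs)` declares `arrgs` but passes `args` to `SpringApplication.run`, and the Windows path in `System.setProperty("logging.config", "C:\Users\<your path>\...")` has unescaped backslashes in a Java string literal (use `\\` or forward slashes). The three commented-out print lines and the stray `Hello World` printf are leftover noise and should be dropped.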
active-directory | Msal Logging Python | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-logging-python.md | - Title: Logging errors and exceptions in MSAL for Python -description: Learn how to log errors and exceptions in MSAL for Python -------- Previously updated : 01/25/2021-----# Logging in MSAL for Python ---## MSAL for Python logging --Logging in MSAL for Python leverages the [logging module in the Python standard library](https://docs.python.org/3/library/logging.html). You can configure MSAL logging as follows (and see it in action in the [username_password_sample](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/1.0.0/sample/username_password_sample.py#L31L32)): --### Enable debug logging for all modules --By default, the logging in any Python script is turned off. If you want to enable verbose logging for **all** Python modules in your script, use `logging.basicConfig` with a level of `logging.DEBUG`: --```python -import logging --logging.basicConfig(level=logging.DEBUG) -``` --This will print all log messages given to the logging module to the standard output. --### Configure MSAL logging level --You can configure the logging level of the MSAL for Python log provider by using the `logging.getLogger()` method with the logger name `"msal"`: --```python -import logging --logging.getLogger("msal").setLevel(logging.WARN) -``` --### Configure MSAL logging with Azure App Insights --Python logs are given to a log handler, which by default is the `StreamHandler`. To send MSAL logs to an Application Insights with an Instrumentation Key, use the `AzureLogHandler` provided by the `opencensus-ext-azure` library. 
--To install, `opencensus-ext-azure` add the `opencensus-ext-azure` package from PyPI to your dependencies or pip install: --```console -pip install opencensus-ext-azure -``` --Then change the default handler of the `"msal"` log provider to an instance of `AzureLogHandler` with an instrumentation key set in the `APP_INSIGHTS_KEY` environment variable: --```python -import logging -import os --from opencensus.ext.azure.log_exporter import AzureLogHandler --APP_INSIGHTS_KEY = os.getenv('APP_INSIGHTS_KEY') --logging.getLogger("msal").addHandler(AzureLogHandler(connection_string='InstrumentationKey={0}'.format(APP_INSIGHTS_KEY))) -``` --### Personal and organizational data in Python --MSAL for Python does not log personal data or organizational data. There is no property to turn personal or organization data logging on or off. --You can use standard Python logging to log whatever you want, but you are responsible for safely handling sensitive data and following regulatory requirements. --For more information about logging in Python, please refer to Python's [Logging: how-to](https://docs.python.org/3/howto/logging.html#logging-basic-tutorial). --## Next steps --For more code samples, refer to [Microsoft identity platform code samples](sample-v2-code.md). |
active-directory | Msal Migration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-migration.md | MSAL Supports a wide range of application types and scenarios. Refer to [Microso ADAL to MSAL migration guide for different platforms are available in the following links: - [Migrate to MSAL iOS and macOS](migrate-objc-adal-msal.md)-- [Migrate to MSAL Java](migrate-adal-msal-java.md)+- [Migrate to MSAL Java](/entra/msal/java/advanced/migrate-adal-msal-java) - [Migrate to MSAL.js](msal-compare-msal-js-and-adal-js.md) - [Migrate to MSAL .NET](msal-net-migration.md) - [Migrate to MSAL Node](msal-node-migration.md)-- [Migrate to MSAL Python](migrate-python-adal-msal.md) +- [Migrate to MSAL Python](/entra/msal/python/advanced/migrate-python-adal-msal) ## Migration help |
active-directory | Msal Net Use Brokers With Xamarin Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-use-brokers-with-xamarin-apps.md | public static string redirectUriOnIos = "msauth.com.yourcompany.XForms://auth"; Notice that the redirect URI matches the `CFBundleURLSchemes` name that you included in the *Info.plist* file. -Add the redirect URI to the app's registration in the [Azure portal](https://portal.azure.com). To generate a properly formatted redirect URI, use **App registrations** in the Azure portal to generate the brokered redirect URI from the bundle ID. +Add the redirect URI to the app's registration. To generate a properly formatted redirect URI, use **App registrations** to generate the brokered redirect URI from the bundle ID. **To generate the redirect URI:** -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. Select **Azure Active Directory** > **App registrations** > your registered app +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Search for and select the application. 1. Select **Authentication** > **Add a platform** > **iOS / macOS** 1. Enter your bundle ID, and then select **Configure**. Copy the generated redirect URI that appears in the **Redirect URI** text box for inclusion in your code: - :::image type="content" source="media/msal-net-use-brokers-with-xamarin-apps/portal-01-ios-platform-settings.png" alt-text="iOS platform settings with generated redirect URI in Azure portal"::: + :::image type="content" source="media/msal-net-use-brokers-with-xamarin-apps/portal-01-ios-platform-settings.png" alt-text="iOS platform settings with generated redirect URI"::: 1. Select **Done** to complete generation of the redirect URI. 
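Review bot: in the new step 1, "as at least an [Cloud Application Administrator]" should read "as at least a [Cloud Application Administrator]"; the link target itself is fine.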
## Brokered authentication for Android result = await app.AcquireTokenInteractive(scopes) ### Step 4: Add a redirect URI to your app registration -MSAL uses URLs to invoke the broker and then return to your app. To complete that round trip, register a **Redirect URI** for your app by using the [Azure portal](https://portal.azure.com). +MSAL uses URLs to invoke the broker and then return to your app. To complete that round trip, register a **Redirect URI** for your app. The format of the redirect URI for your application depends on the certificate used to sign the APK. For example: The format of the redirect URI for your application depends on the certificate u msauth://com.microsoft.xforms.testApp/hgbUYHVBYUTvuvT&Y6tr554365466= ``` -The last part of the URI, `hgbUYHVBYUTvuvT&Y6tr554365466=`, is the Base64-encoded version of the signature that the APK is signed with. While developing your app in Visual Studio, if you're debugging your code without signing the APK with a specific certificate, Visual Studio signs the APK for you for debugging purposes. When Visual Studio signs the APK for you in this way, it gives it a unique signature for the machine it's built on. Thus, each time you build your app on a different machine, you'll need to update the redirect URI in the application's code and the application's registration in the Azure portal in order to authenticate with MSAL. +The last part of the URI, `hgbUYHVBYUTvuvT&Y6tr554365466=`, is the Base64-encoded version of the signature that the APK is signed with. While developing your app in Visual Studio, if you're debugging your code without signing the APK with a specific certificate, Visual Studio signs the APK for you for debugging purposes. When Visual Studio signs the APK for you in this way, it gives it a unique signature for the machine it's built on. 
Thus, each time you build your app on a different machine, you'll need to update the redirect URI in the application's code and the application's registration in order to authenticate with MSAL. -While debugging, you may encounter an MSAL exception (or log message) stating the redirect URI provided is incorrect. **The exception or log message also indicates the redirect URI you should be using** with the current machine you're debugging on. You can use the provided redirect URI to continue developing your app as long as you update redirect URI in code and add the provided redirect URI to the app's registration in the Azure portal. +While debugging, you may encounter an MSAL exception (or log message) stating the redirect URI provided is incorrect. **The exception or log message also indicates the redirect URI you should be using** with the current machine you're debugging on. You can use the provided redirect URI to continue developing your app as long as you update redirect URI in code and add the provided redirect URI to the app's registration. -Once you're ready to finalize your code, update the redirect URI in the code and the application's registration in the Azure portal to use the signature of the certificate you sign the APK with. +Once you're ready to finalize your code, update the redirect URI in the code and the application's registration to use the signature of the certificate you sign the APK with. In practice, this means you should consider adding a redirect URI for each member of your development team, *plus* a redirect URI for the production signed version of the APK. As an alternative, you can configure MSAL to fall back to the embedded browser, Here are a few tips on avoiding issues when you implement brokered authentication on Android: -- **Redirect URI** - Add a redirect URI to your application registration in the [Azure portal](https://portal.azure.com). 
A missing or incorrect redirect URI is a common issue encountered by developers.+- **Redirect URI** - Add a redirect URI to your application registration. A missing or incorrect redirect URI is a common issue encountered by developers. - **Broker version** - Install the minimum required version of the broker apps. Either of these two apps can be used for brokered authentication on Android. - [Intune Company Portal](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) (version 5.0.4689.0 or greater) - [Microsoft Authenticator](https://play.google.com/store/apps/details?id=com.azure.authenticator) (version 6.2001.0140 or greater). |
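Review bot: the sample redirect URI `msauth://com.microsoft.xforms.testApp/hgbUYHVBYUTvuvT&Y6tr554365466=` is described as "the Base64-encoded version of the signature", but `&` is not in the Base64 alphabet, so the placeholder cannot be a real value; either use a plausible Base64 string or state that the value is illustrative. The sentence recommending "a redirect URI for each member of your development team, *plus* a redirect URI for the production signed version of the APK" should also tell the reader to remove the per-developer (debug-signature) redirect URIs from the production app registration before release, or keep them on a separate development registration: each registered URI lets an APK signed with that developer's debug key complete the broker round trip, and leftover entries are easy to forget.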
active-directory | Msal Net User Gets Consent For Multiple Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources.md | -The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopeToConsent` builder method. +The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the *scopes* parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopesToConsent` builder method. > [!NOTE] > Getting consent for several resources works for Microsoft identity platform, but not for Azure AD B2C. Azure AD B2C supports only admin consent, not user consent. 
For example, if you have two resources that have 2 scopes each: - https:\//mytenant.onmicrosoft.com/customerapi (with 2 scopes `customer.read` and `customer.write`) - https:\//mytenant.onmicrosoft.com/vendorapi (with 2 scopes `vendor.read` and `vendor.write`) -You should use the `.WithExtraScopeToConsent` modifier which has the *extraScopesToConsent* parameter as shown in the following example: +You should use the `.WithExtraScopesToConsent` method which has the *extraScopesToConsent* parameter as shown in the following example: ```csharp string[] scopesForCustomerApi = new string[] string[] scopesForVendorApi = new string[] var accounts = await app.GetAccountsAsync(); var result = await app.AcquireTokenInteractive(scopesForCustomerApi) .WithAccount(accounts.FirstOrDefault())- .WithExtraScopeToConsent(scopesForVendorApi) + .WithExtraScopesToConsent(scopesForVendorApi) .ExecuteAsync(); ``` -This will get you an access token for the first web API. Then, to access the second web API you can silently acquire the token from the token cache: +`AcquireTokenInteractive` will return an access token for the first web API. Along with that access token, a refresh token will also be retrieved from Azure AD and cached. Then, to access the second web API, you can silently acquire the token using `AcquireTokenSilent`. MSAL will use the cached refresh token to retrieve from Azure AD the access token for the second web API. ```csharp-AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync(); +var result = await AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync(); ``` |
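Review bot: the new silent-acquisition line `var result = await AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync();` drops the receiver; the interactive call above is written as `app.AcquireTokenInteractive(...)`, so this should be `app.AcquireTokenSilent(...)` or it will not compile as shown. Since the explanation now says MSAL redeems the cached refresh token to obtain the vendor API token, it is also worth adding that `AcquireTokenSilent` throws `MsalUiRequiredException` when that is not possible (no cached account, consent not actually granted, refresh token expired or revoked) and that the caller should fall back to `AcquireTokenInteractive` with `scopesForVendorApi` in that case.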
active-directory | Msal Python Token Cache Serialization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-python-token-cache-serialization.md | - Title: Custom token cache serialization (MSAL Python) -description: Learn how to serialize token cache using MSAL for Python -------- Previously updated : 06/26/2023----#Customer intent: As an application developer using the Microsoft Authentication Library (MSAL) for Python, I want to learn how to persist the token cache so that it is available to a new instance of my application. ---# Custom token cache serialization in MSAL for Python --In Microsoft Authentication Library (MSAL) for Python, an in-memory token cache that persists for the duration of the app session, is provided by default when you create an instance of [ClientApplication](/python/api/msal/msal.application.confidentialclientapplication). --Serialization of the token cache, so that different sessions of your app can access it, isn't provided "out of the box." MSAL for Python can be used in app types that don't have access to the file system--such as Web apps. To have a persistent token cache in an app that uses MSAL for Python, you must provide custom token cache serialization. --The strategies for serializing the token cache differ depending on whether you're writing a public client application (Desktop), or a confidential client application (web app, web API, or daemon app). --## Token cache for a public client application --Public client applications run on a user's device and manage tokens for a single user. In this case, you could serialize the entire cache into a file. Remember to provide file locking if your app, or another app, can access the cache concurrently. For a simple example of how to serialize a token cache to a file without locking, see the example in the [SerializableTokenCache](/python/api/msal/msal.token_cache.serializabletokencache) class reference documentation. 
--## Token cache for a Web app (confidential client application) --For web apps or web APIs, you might use the session, or a Redis cache, or a database to store the token cache. There should be one token cache per user (per account) so ensure that you serialize the token cache per account. --## Next steps --See [ms-identity-python-webapp](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/0.3.0/app.py#L66-L74) for an example of how to use the token cache for a Windows or Linux Web app or web API. The example is for a web app that calls the Microsoft Graph API. |
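Review bot: this hunk deletes the whole MSAL for Python token cache serialization article, including the guidance that a public client may serialize the cache to a file but must lock it if another process can access it concurrently, and that a web app must keep "one token cache per user (per account)" rather than one shared cache. The per-account rule is a security boundary (a shared cache would let one session's tokens be served to another user), so the PR should say where that guidance now lives and add a redirect for the old URL; if it is not covered elsewhere, keep the page.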
active-directory | Multi Service Web App Authentication App Service | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/multi-service-web-app-authentication-app-service.md | You now have an app that's secured by the App Service authentication and authori ## Verify limited access to the web app -When you enabled the App Service authentication/authorization module, an app registration was created in your Azure AD tenant. The app registration has the same display name as your web app. To check the settings, select **Azure Active Directory** from the portal menu, and select **App registrations**. Select the app registration that was created. In the overview, verify that **Supported account types** is set to **My organization only**. +When you enabled the App Service authentication/authorization module, an app registration was created in your Azure AD tenant. The app registration has the same display name as your web app. To check the settings, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer) and browse to **Identity** > **Applications** > **App registrations**. Select the app registration that was created. In the overview, verify that **Supported account types** is set to **My organization only**. :::image type="content" alt-text="Screenshot that shows verifying access." source="./media/multi-service-web-app-authentication-app-service/verify-access.png"::: |
active-directory | Multi Service Web App Clean Up Resources | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/multi-service-web-app-clean-up-resources.md | This command might take several minutes to run. ## Delete the app registration -From the portal menu, select **Azure Active Directory** > **App registrations**. Then select the application you created. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select the application you created. +1. In the app registration overview, select **Delete**. -In the app registration overview, select **Delete**. |
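Review bot: the new step 1 says "as at least an Application Developer", but that role only grants rights over app registrations the user owns; it is sufficient here only because the reader created the registration earlier in this tutorial and is therefore its owner. Say that explicitly (owner of the app registration, otherwise Application Administrator or Cloud Application Administrator), so a reader cleaning up resources created by a colleague understands why **Delete** is unavailable.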
active-directory | Optional Claims | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/optional-claims.md | -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Choose the application for which you want to configure optional claims based on your scenario and desired outcome. 1. Under **Manage**, select **Token configuration**. - The UI option **Token configuration** blade isn't available for apps registered in an Azure AD B2C tenant, which can be configured by modifying the application manifest. For more information, see [Add claims and customize user input using custom policies in Azure Active Directory B2C](../../active-directory-b2c/configure-user-input.md) This section covers the configuration options under optional claims for changing Complete the following steps to configure groups optional claims using the Azure portal: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. -1. Select the application you want to configure optional claims for in the list. +1. Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Token configuration**. 1. Select **Add groups claim**. 1. 
Select the group types to return (**Security groups**, or **Directory roles**, **All groups**, and/or **Groups assigned to the application**): Complete the following steps to configure groups optional claims using the Azure Complete the following steps to configure groups optional claims through the application manifest: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your Azure AD tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Select the application you want to configure optional claims for in the list. +1. Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Manifest**. 1. Add the following entry using the manifest editor: Complete the following steps to configure groups optional claims through the app Multiple token types can be listed: - - idToken for the OIDC ID token - - accessToken for the OAuth access token - - Saml2Token for SAML tokens. + - `idToken` for the OIDC ID token + - `accessToken` for the OAuth access token + - `Saml2Token` for SAML tokens. - The Saml2Token type applies to both SAML1.1 and SAML2.0 format tokens. + The `Saml2Token` type applies to both SAML1.1 and SAML2.0 format tokens. For each relevant token type, modify the groups claim to use the `optionalClaims` section in the manifest. The `optionalClaims` schema is as follows: In the following example, the Azure portal and manifest are used to add optional Configure claims in the Azure portal: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**. -1. Find the application you want to configure optional claims for in the list and select it. +1. 
Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Token configuration**. 1. Select **Add optional claim**, select the **ID** token type, select **upn** from the list of claims, and then select **Add**. 1. Select **Add optional claim**, select the **Access** token type, select **auth_time** from the list of claims, then select **Add**. Configure claims in the Azure portal: Configure claims in the manifest: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. After you've authenticated, choose your tenant by selecting it from the top-right corner of the page. -1. Search for and select **Azure Active Directory**. -1. Find the application you want to configure optional claims for in the list and select it. +1. Select the application for which you want to configure optional claims. 1. Under **Manage**, select **Manifest** to open the inline manifest editor. 1. You can directly edit the manifest using this editor. The manifest follows the schema for the [Application entity](./reference-app-manifest.md), and automatically formats the manifest once saved. New elements are added to the `optionalClaims` property. |
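Review bot: the sign-in step now points to the Microsoft Entra admin center, but the unchanged lead-ins in the same hunks still read "Complete the following steps to configure groups optional claims using the Azure portal" and "Configure claims in the Azure portal:"; update them so the reader is not told to use two different portals. The later procedures now open with "Select the application for which you want to configure optional claims" and no sign-in step, which only works if the reader is still in the session from the first procedure; either say "in the app registration you opened above" or keep a sign-in step in each procedure.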
active-directory | Permissions Consent Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/permissions-consent-overview.md | Depending on the permissions they require, some applications might require an ad Preauthorization allows a resource application owner to grant permissions without requiring users to see a consent prompt for the same set of permissions that have been preauthorized. This way, an application that has been preauthorized won't ask users to consent to permissions. Resource owners can preauthorize client apps in the Azure portal or by using PowerShell and APIs, like Microsoft Graph. -## Next steps +## See also - [Delegated access scenario](delegated-access-primer.md) - [User and admin consent overview](../manage-apps/user-admin-consent-overview.md) - [OpenID connect scopes](scopes-oidc.md)+-- [Making your application multi-tenant](./howto-convert-app-to-be-multi-tenant.md) +- [AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Perms For Given Api | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/perms-for-given-api.md | - Title: Select permissions for a given API -description: Learn about how permissions requests work for client and resource applications for applications you are developing --------- Previously updated : 11/10/2022-----# How to select permissions for a given API --## Recommended documents --- Learn more about how client applications use [delegated and application permission requests](./developer-glossary.md#permissions) to access resources.-- Learn about [scopes and permissions in the Microsoft identity platform](scopes-oidc.md)-- See step-by-step instructions on how to [configure a client application's permission requests](./quickstart-configure-app-access-web-apis.md)-- For more depth, learn how resource applications expose [scopes](./developer-glossary.md#scopes) and [application roles](./developer-glossary.md#roles) to client applications, which manifest as delegated and application permissions respectively in the Azure portal.--## Next steps --[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Publisher Verification Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/publisher-verification-overview.md | -When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (MCPP), formerly known as Microsoft Partner Network (MPN), account that's been [verified](/partner-center/verification-responses) and associating the verified PartnerID with an app registration. +When an app has a verified publisher, this means that the organization that publishes the app has been verified as authentic by Microsoft. Verifying an app includes using a Microsoft Cloud Partner Program (CPP), formerly known as Microsoft Partner Network (MPN), account that's been [verified](/partner-center/verification-responses) and associating the verified PartnerID with an app registration. When the publisher of an app has been verified, a blue *verified* badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and on other webpages: Publisher verification for an app has the following benefits: App developers must meet a few requirements to complete the publisher verification process. Many Microsoft partners will have already satisfied these requirements. -- The developer must have an MPN ID for a valid [Microsoft Cloud Partner Program](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process. 
The MPN account must be the [partner global account (PGA)](/partner-center/account-structure#the-top-level-is-the-partner-global-account-pga) for the developer's organization.+- The developer must have an Partner One ID for a valid [Microsoft Cloud Partner Program](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process. The CPP account must be the [partner global account (PGA)](/partner-center/account-structure#the-top-level-is-the-partner-global-account-pga) for the developer's organization. > [!NOTE]- > The MPN account you use for publisher verification can't be your partner location MPN ID. Currently, location MPN IDs aren't supported for the publisher verification process. + > The CPP account you use for publisher verification can't be your partner location Partner One ID. Currently, location Partner One IDs aren't supported for the publisher verification process. - The app that's to be publisher verified must be registered by using an Azure AD work or school account. Apps that are registered by using a Microsoft account can't be publisher verified. -- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the MPN PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account).+- The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to [set up the CPP PGA as a multitenant account and associate the Azure AD tenant](/partner-center/multi-tenant-account#add-an-azure-ad-tenant-to-your-account). - The app must be registered in an Azure AD tenant and have a [publisher domain](howto-configure-publisher-domain.md) set. 
The feature is not supported in Azure AD B2C tenant. -- The domain of the email address that's used during MPN account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified) +- The domain of the email address that's used during CPP account verification must either match the publisher domain that's set for the app or be a DNS-verified [custom domain](../fundamentals/add-custom-domain.md) that's added to the Azure AD tenant. (**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com to be publisher verified) -- The user who initiates verification must be authorized to make changes both to the app registration in Azure AD and to the MPN account in Partner Center. The user who initiates the verification must have one of the required roles in both Azure AD and Partner Center.+- The user who initiates verification must be authorized to make changes both to the app registration in Azure AD and to the CPP account in Partner Center. The user who initiates the verification must have one of the required roles in both Azure AD and Partner Center. - In Azure AD, this user must be a member of one of the following [roles](../roles/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. - - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): MPN Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD). + - In Partner Center, this user must have one of the following [roles](/partner-center/permissions-overview): CPP Partner Admin, Account Admin, or Global Administrator (a shared role that's mastered in Azure AD). 
- The user who initiates verification must sign in by using [Azure AD multifactor authentication](../authentication/howto-mfa-getstarted.md). |
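Review bot: "The developer must have an Partner One ID" should read "a Partner One ID". The unchanged text on the rewritten publisher-domain line still carries stray markup, `(**NOTE**__: the app's publisher domain can't be *.onmicrosoft.com ...)`, which renders as a literal `__:`; since that line is already being touched for the CPP rename, fix the markup in the same hunk.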
active-directory | Quickstart Configure App Access Web Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-access-web-apis.md | By specifying a web API's scopes in your client app's registration, the client a [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] +Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. + In the first scenario, you grant a client app access to your own web API, both of which you should have registered as part of the prerequisites. If you don't yet have both a client app and a web API registered, complete the steps in the two [Prerequisites](#prerequisites) articles. This diagram shows how the two app registrations relate to one another. In this section, you add permissions to the client app's registration. |
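Review bot: the added paragraph has a subject/verb mismatch: "Access to APIs require configuration of access scopes and roles" should be "requires". The paragraph also reads as a generic preamble (first what the API author does on the resource side, then what the client author does) placed directly before "In the first scenario, you grant a client app access to your own web API", so it interrupts the scenario description; either trim it to the client-side sentence or move it above the scenario text.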
active-directory | Quickstart Configure App Expose Web Apis | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-configure-app-expose-web-apis.md | -In this quickstart, you'll register a web API with the Microsoft identity platform and expose it to client apps by adding a scope. By registering your web API and exposing it through scopes, you can provide permissions-based access to its resources to authorized users and client apps that access your API. +In this quickstart, you'll register a web API with the Microsoft identity platform and expose it to client apps by adding a scope. By registering your web API and exposing it through scopes, assigning an owner and app role, you can provide permissions-based access to its resources to authorized users and client apps that access your API. ## Prerequisites In this quickstart, you'll register a web API with the Microsoft identity platfo ## Register the web API +Access to APIs require configuration of access scopes and roles. If you want to expose your resource application web APIs to client applications, configure access scopes and roles for the API. If you want a client application to access a web API, configure permissions to access the API in the app registration. + To provide scoped access to the resources in your web API, you first need to register the API with the Microsoft identity platform. Perform the steps in the **Register an application** section of [Quickstart: Register an app with the Microsoft identity platform](quickstart-register-app.md). Skip the **Redirect URI (optional)** section. You don't need to configure a redirect URI for a web API since no user is logged in interactively. -With the web API registered, you can add scopes to the API's code so it can provide granular permission to consumers. +## Assign application owner ++1. In your app registration, under **Manage**, select **Owners**, and **Add owners**. +1. 
In the new window, find and select the owner(s) that you want to assign to the application. Selected owners appear in the right panel. Once done, confirm with **Select**. The app owner(s) will now appear in the owner's list. ++>[!NOTE] +> +> Ensure that both the API application and the application you want to add permissions to both have an owner, otherwise the API will not be listed when requesting API permissions. ++## Assign app role ++1. In your app registration, under **Manage**, select **App roles**, and **Create app role**. +1. Next, specify the app role's attributes in the **Create app role** pane. For this walk-through, you can use the example values or specify your own. ++ | Field | Description | Example | + |-|-|| + | **Display name** | The name of your app role | *Employee Records* | + | **Allowed member types** | Specifies whether the app role can be assigned to users/groups and/or applications | *Applications* | + | **Value** | The value displayed in the "roles" claim of a token | `Employee.Records` | + | **Description** | A more detailed description of the app role | *Applications have access to employee records* | ++1. Select the checkbox to enable the app role. ++With the web API registered, assigned an app role and owner, you can add scopes to the API's code so it can provide granular permission to consumers. ## Add a scope The code in a client application requests permission to perform operations defin First, follow these steps to create an example scope named `Employees.Read.All`: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/quickstart-configure-app-expose-web-apis/portal-01-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant containing your client app's registration. -1. 
Select **Azure Active Directory** > **App registrations**, and then select your API's app registration. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/quickstart-configure-app-access-web-apis/portal-01-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant containing your client app's registration. +1. Browse to **Identity** > **Applications** > **App registrations**, and then select your API's app registration. 1. Select **Expose an API** 1. Select **Add** next to **Application ID URI** if you haven't yet configured one. First, follow these steps to create an example scope named `Employees.Read.All`: :::image type="content" source="media/quickstart-configure-app-expose-web-apis/portal-02-expose-api.png" alt-text="An app registration's Expose an API pane in the Azure portal"::: - 1. Next, specify the scope's attributes in the **Add a scope** pane. For this walk-through, you can use the example values or specify your own. | Field | Description | Example | |
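Review bot: the directory filter icon in the new sign-in step references `media/quickstart-configure-app-access-web-apis/portal-01-directory-subscription-filter.png`, a different article's media folder, while the removed line used this article's own `media/quickstart-configure-app-expose-web-apis/...` path; confirm the asset exists at the new path or restore the local one, otherwise the build will flag a broken image. In the new NOTE, "Ensure that both the API application and the application you want to add permissions to both have an owner" repeats "both". The new "Assign app role" section creates a role with **Allowed member types** set to *Applications*; it should say that such a role is exposed to client apps as an application permission (app-only access, no signed-in user) that requires admin consent, so readers understand what they are creating before they move on to the delegated `Employees.Read.All` scope.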
active-directory | Quickstart Console App Netcore Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-console-app-netcore-acquire-token.md | |
active-directory | Quickstart Console App Nodejs Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-console-app-nodejs-acquire-token.md | |
active-directory | Quickstart Create New Tenant | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-create-new-tenant.md | Many developers already have tenants through services or subscriptions that are To check the tenant: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. Use the account you'll use to manage your application. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Tenant Creator](../roles/permissions-reference.md#tenant-creator). 1. Check the upper-right corner. If you have a tenant, you'll automatically be signed in. You see the tenant name directly under your account name. * Hover over your account name to see your name, email address, directory or tenant ID (a GUID), and domain. * If your account is associated with multiple tenants, you can select your account name to open a menu where you can switch between tenants. Each tenant has its own tenant ID. To check the tenant: > [!TIP] > To find the tenant ID, you can: > * Hover over your account name to get the directory or tenant ID.-> * Search and select **Azure Active Directory** > **Overview** > **Tenant ID** in the Azure portal. +> * Select **Identity** > **Overview** and look for **Tenant ID**. If you don't have a tenant associated with your account, you'll see a GUID under your account name. You won't be able to do actions like registering apps until you create an Azure AD tenant. ### Create a new Azure AD tenant -If you don't already have an Azure AD tenant or if you want to create a new one for development, see [Create a new tenant in Azure AD](../fundamentals/create-new-tenant.md) or use the [directory creation experience](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory) in the Azure portal. If you want to create a tenant for app testing, see [build a test environment](test-setup-environment.md). 
+If you don't already have an Azure AD tenant or if you want to create a new one for development, see [Create a new tenant in Azure AD](../fundamentals/create-new-tenant.md). If you want to create a tenant for app testing, see [build a test environment](test-setup-environment.md). You'll provide the following information to create your new tenant: |
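Review bot: the procedure is "To check the tenant:", but the new step 1 tells the reader to sign in "as at least a Tenant Creator"; checking the tenant name and ID in the account menu does not need that role, only creating a tenant does, and creation is covered in the following "Create a new Azure AD tenant" section. Move the role requirement to that section (or to the linked create-new-tenant article) so readers with an ordinary account are not told they lack a role they do not need for this step.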
active-directory | Quickstart Daemon App Java Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-daemon-app-java-acquire-token.md | To run this sample, you need: - [Java Development Kit (JDK)](https://openjdk.java.net/) 8 or greater - [Maven](https://maven.apache.org/) - ## Register and download your quickstart app -You have two options to start your quickstart application: Express (Option 1 below), and Manual (Option 2) --### Option 1: Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/JavaDaemonQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application and select **Register**. -1. Follow the instructions to download and automatically configure your new application with just one click. --### Option 2: Register and manually configure your application and code sample --#### Step 1: Register your application - [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] +### Step 1: Register the application + To register your application and add the app's registration information to your solution manually, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. 
Under **Manage**, select **App registrations** > **New registration**. +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application, for example `Daemon-console`. Users of your app might see this name, and you can change it later. 1. Select **Register**. 1. Under **Manage**, select **Certificates & secrets**. To register your application and add the app's registration information to your 1. Select **Application permissions**. 1. Under **User** node, select **User.Read.All**, then select **Add permissions**. -#### Step 2: Download the Java project +### Step 2: Download the Java project [Download the Java daemon project](https://github.com/Azure-Samples/ms-identity-java-daemon/archive/master.zip) -#### Step 3: Configure the Java project +### Step 3: Configure the Java project 1. Extract the zip file to a local folder close to the root of the disk, for example, *C:\Azure-Samples*. 1. Navigate to the sub folder **msal-client-credential-secret**. To register your application and add the app's registration information to your - `Enter_the_Client_Secret_Here` - replace this value with the client secret created on step 1. >[!TIP]->To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal. To generate a new key, go to **Certificates & secrets** page. +>To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page. To generate a new key, go to **Certificates & secrets** page. -#### Step 4: Admin consent +### Step 4: Admin consent If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires Admin consent: a global administrator of your directory must give consent to your application. 
Select one of the options below depending on your role: -##### Global tenant administrator +#### Global tenant administrator -If you are a global tenant administrator, go to **API Permissions** page in **App registrations** in the Azure portal and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory). +If you are a global tenant administrator, go to **API Permissions** page in **App registrations** and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory). -##### Standard user +#### Standard user If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator: https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_i * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered. -#### Step 5: Run the application +### Step 5: Run the application You can test the sample directly by running the main method of ClientCredentialGrant.java from your IDE. ConfidentialClientApplication cca = | Where: |Description | |||-| `CLIENT_SECRET` | Is the client secret created for the application in Azure portal. | -| `CLIENT_ID` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. | +| `CLIENT_SECRET` | Is the client secret created for the application. | +| `CLIENT_ID` | Is the **Application (client) ID** for the registered application. You can find this value in the app's **Overview** page. | | `AUTHORITY` | The STS endpoint for user to authenticate. 
Usually `https://login.microsoftonline.com/{tenant}` for public cloud, where {tenant} is the name of your tenant or your tenant ID.| ### Requesting tokens IAuthenticationResult result; |Where:| Description | |||-| `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations** in the Azure portal.| +| `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations**.| [!INCLUDE [Help and support](includes/error-handling-and-tips/help-support-include.md)] |
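Review bot: the added navigation step in Step 1, "Browse to **Identity** > **Applications** > **Application registrations**", names the blade differently from the unchanged text later in the same article ("go to **API Permissions** page in **App registrations**") and from the other quickstarts in this batch, which all use **App registrations**; change the added line to "1. Browse to **Identity** > **Applications** > **App registrations**." so the menu name matches the UI and the rest of the page.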
active-directory | Quickstart Desktop App Nodejs Electron Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-desktop-app-nodejs-electron-sign-in.md | |
active-directory | Quickstart Mobile App Ios Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-mobile-app-ios-sign-in.md | The quickstart applies to both iOS and macOS apps. Some steps are needed only fo ![Diagram showing how the sample app generated by this quickstart works.](media/quickstart-v2-ios/ios-intro.svg) -## Register and download your quickstart app -You have two options to start your quickstart application: -* [Express] [Option 1: Register and auto configure your app and then download your code sample](#option-1-register-and-auto-configure-your-app-and-then-download-the-code-sample) -* [Manual] [Option 2: Register and manually configure your application and code sample](#option-2-register-and-manually-configure-your-application-and-code-sample) --### Option 1: Register and auto configure your app and then download the code sample -#### Step 1: Register your application -To register your app, -1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/IosQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application and select **Register**. -1. Follow the instructions to download and automatically configure your new application with just one click. --### Option 2: Register and manually configure your application and code sample --#### Step 1: Register your application +## Register your quickstart app [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] To register your application and add the app's registration information to your solution manually, follow these steps: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. 
If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. Select **Register**. 1. Under **Manage**, select **Authentication** > **Add Platform** > **iOS**. To register your application and add the app's registration information to your #### Step 4: Configure your project If you selected Option 1 above, you can skip these steps. 1. Open the project in XCode.-1. Edit **ViewController.swift** and replace the line starting with 'let kClientID' with the following code snippet. Remember to update the value for `kClientID` with the clientID that you saved when you registered your app in the portal earlier in this quickstart: +1. Edit **ViewController.swift** and replace the line starting with 'let kClientID' with the following code snippet. 
Remember to update the value for `kClientID` with the clientID that you saved when you registered your app earlier in this quickstart: ```swift let kClientID = "Enter_the_Application_Id_Here" If you selected Option 1 above, you can skip these steps. let kAuthority = "https://login.microsoftonline.de/common" ``` -3. Open the project settings. In the **Identity** section, enter the **Bundle Identifier** that you entered into the portal. +3. Open the project settings. In the **Identity** section, enter the **Bundle Identifier**. 4. Right-click **Info.plist** and select **Open As** > **Source Code**. 5. Under the dict root node, replace `Enter_the_bundle_Id_Here` with the ***Bundle Id*** that you used in the portal. Notice the `msauth.` prefix in the string. |
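Review bot: Option 1 is removed in the first hunk, but the unchanged text under "#### Step 4: Configure your project" still opens with "If you selected Option 1 above, you can skip these steps.", which now refers to nothing; delete or reword that sentence in the same change. Step 5 also still says "replace `Enter_the_bundle_Id_Here` with the ***Bundle Id*** that you used in the portal" while the adjacent step 3 line had its portal reference removed, so the two should be made consistent (for example "that you entered when you registered the app").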
active-directory | Quickstart Single Page App Angular Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-angular-sign-in.md | This quickstart uses MSAL Angular v2 with the authorization code flow. * [Node.js](https://nodejs.org/en/download/) * [Visual Studio Code](https://code.visualstudio.com/download) or another code editor --## Register and download your quickstart application +## Register your quickstart application [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To start your quickstart application, use either of the following options. --### Option 1 (Express): Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Select **Register**. -1. Go to the quickstart pane and follow the instructions to download and automatically configure your new application. --### Option 2 (Manual): Register and manually configure your application and code sample --#### Step 1: Register your application --1. Sign in to the [Azure portal](https://portal.azure.com/). -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use. Modify the values in the `auth` section as described here: - `Enter_the_Application_Id_Here` is the **Application (client) ID** for the application you registered. - To find the value of **Application (client) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Application (client) ID**, go to the app registration's **Overview** page. - `Enter_the_Cloud_Instance_Id_Here` is the instance of the Azure cloud. For the main or global Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), see [National clouds](authentication-national-cloud.md). - `Enter_the_Tenant_info_here` is set to one of the following: - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`. - To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page in the Azure portal. 
+ To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page. - If your application supports *accounts in any organizational directory*, replace this value with `organizations`. - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`. - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`. - To find the value of **Supported account types**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Supported account types**, go to the app registration's **Overview** page. - `Enter_the_Redirect_Uri_Here` is `http://localhost:4200/`. The `authority` value in your *app.module.ts* should be similar to the following if you're using the main (global) Azure cloud: |
active-directory | Quickstart Single Page App Javascript Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-javascript-sign-in.md | See [How the sample works](#how-the-sample-works) for an illustration. [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To start your quickstart application, use either of the following options. +### Step 1: Register your application -### Option 1 (Express): Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Select **Register**. -1. Go to the quickstart pane and follow the instructions to download and automatically configure your new application. --### Option 2 (Manual): Register and manually configure your application and code sample --#### Step 1: Register your application --1. Sign in to the [Azure portal](https://portal.azure.com/). -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use. To start your quickstart application, use either of the following options. 1. Set the **Redirect URI** value to `http://localhost:3000/`. 1. Select **Configure**. -#### Step 2: Download the project +### Step 2: Download the project To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-v2/archive/master.zip). --#### Step 3: Configure your JavaScript app +### Step 3: Configure your JavaScript app In the *app* folder, open the *authConfig.js* file, and then update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object. Modify the values in the `msalConfig` section: - `Enter_the_Application_Id_Here` is the **Application (client) ID** for the application you registered. - To find the value of **Application (client) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Application (client) ID**, go to the app registration's **Overview** page. - `Enter_the_Cloud_Instance_Id_Here` is the Azure cloud instance. For the main or global Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), see [National clouds](authentication-national-cloud.md). 
- `Enter_the_Tenant_info_here` is one of the following: - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`. - To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page. - If your application supports *accounts in any organizational directory*, replace this value with `organizations`. - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`. - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`. - To find the value of **Supported account types**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Supported account types**, go to the app registration's **Overview** page. - `Enter_the_Redirect_Uri_Here` is `http://localhost:3000/`. The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud: graphMeEndpoint: "https://graph.microsoft.com/v1.0/me", graphMailEndpoint: "https://graph.microsoft.com/v1.0/me/messages" ``` -#### Step 4: Run the project +### Step 4: Run the project Run the project with a web server by using Node.js. |
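Review bot: the added step "1. Browse to **Identity** > **Applications** > **Application registrations**." uses a blade name that differs from the rest of this file ("go to the app registration's **Overview** page") and from the Angular and React quickstarts changed in the same batch, which use **App registrations**; change it to "1. Browse to **Identity** > **Applications** > **App registrations**.".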
active-directory | Quickstart Single Page App React Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-single-page-app-react-sign-in.md | See [How the sample works](#how-the-sample-works) for an illustration. [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -To start your quickstart application, use either of the following options. +### Step 1: Register your application -### Option 1 (Express): Register and auto configure your app and then download your code sample --1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience. -1. Enter a name for your application. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Select **Register**. -1. Go to the quickstart pane and follow the instructions to download and automatically configure your new application. --### Option 2 (Manual): Register and manually configure your application and code sample --#### Step 1: Register your application ---1. Sign in to the [Azure portal](https://portal.azure.com/). -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. When the **Register an application** page appears, enter a name for your application. 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use. Under **Manage**, select **App registrations** > **New registration**. 1. Under **Platform Configurations** expand **Single-page application**. 1. Confirm that under **Grant types** ![Already configured](media/quickstart-v2-javascript/green-check.png) Your Redirect URI is eligible for the Authorization Code Flow with PKCE. -#### Step 2: Download the project -+### Step 2: Download the project To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-react-spa/archive/main.zip). -#### Step 3: Configure your JavaScript app +### Step 3: Configure your JavaScript app In the *src* folder, open the *authConfig.js* file and update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object. Modify the values in the `msalConfig` section as described here: - `Enter_the_Application_Id_Here` is the **Application (client) ID** for the application you registered. - To find the value of **Application (client) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Application (client) ID**, go to the app registration's **Overview** page. - `Enter_the_Cloud_Instance_Id_Here` is the instance of the Azure cloud. 
For the main or global Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), see [National clouds](authentication-national-cloud.md). - `Enter_the_Tenant_info_here` is set to one of the following: - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`. - To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page in the Azure portal. + To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page. - If your application supports *accounts in any organizational directory*, replace this value with `organizations`. - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`. - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`. - To find the value of **Supported account types**, go to the app registration's **Overview** page in the Azure portal. + To find the value of **Supported account types**, go to the app registration's **Overview** page. - `Enter_the_Redirect_Uri_Here` is `http://localhost:3000/`. The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud: Scroll down in the same file and update the `graphMeEndpoint`. }; ``` -#### Step 4: Run the project +### Step 4: Run the project Run the project with a web server by using Node.js: |
active-directory | Quickstart Web App Java Sign In | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-web-app-java-sign-in.md | |
active-directory | Reference App Manifest | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-app-manifest.md | -You can configure an app's attributes through the Azure portal or programmatically using [Microsoft Graph API](/graph/api/resources/application) or [Microsoft Graph PowerShell SDK](/powershell/module/microsoft.graph.applications/?view=graph-powershell-1.0&preserve-view=true). However, there are some scenarios where you'll need to edit the app manifest to configure an app's attribute. These scenarios include: +You can configure an app's attributes through the Microsoft Entra admin center or programmatically using [Microsoft Graph API](/graph/api/resources/application) or [Microsoft Graph PowerShell SDK](/powershell/module/microsoft.graph.applications/?view=graph-powershell-1.0&preserve-view=true). However, there are some scenarios where you'll need to edit the app manifest to configure an app's attribute. These scenarios include: * If you registered the app as Azure AD multi-tenant and personal Microsoft accounts, you can't change the supported Microsoft accounts in the UI. Instead, you must use the application manifest editor to change the supported account type. * To define permissions and roles that your app supports, you must modify the application manifest. You can configure an app's attributes through the Azure portal or programmatical To configure the application manifest: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. Search for and select the **Azure Active Directory** service. -1. Select **App registrations**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Applications** > **App registrations**. 1. Select the app you want to configure.-1. 
From the app's **Overview** page, select the **Manifest** section. A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select **Download** to edit the manifest locally, and then use **Upload** to reapply it to your application. +1. From the app's **Overview** page, select the **Manifest** section. A web-based manifest editor opens, allowing you to edit the manifest. Optionally, you can select **Download** to edit the manifest locally, and then use **Upload** to reapply it to your application. ## Manifest reference Example: The optional claims returned in the token by the security token service for this specific app. -At this time, apps that support both personal accounts and Azure AD (registered through the app registration portal) cannot use optional claims. However, apps registered for just Azure AD using the v2.0 endpoint can get the optional claims they requested in the manifest. For more info, see [Optional claims](./optional-claims.md). +Apps that support both personal accounts and Azure AD cannot use optional claims. However, apps registered for just Azure AD using the v2.0 endpoint can get the optional claims they requested in the manifest. For more info, see [Optional claims](./optional-claims.md). Example: Example: | : | : | | logoUrl | String | -Read only value that points to the CDN URL to logo that was uploaded in the portal. +Read only value that points to the CDN URL to logo that was uploaded. Example: |
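Review bot: the reworded `logoUrl` description, "Read only value that points to the CDN URL to logo that was uploaded.", is ungrammatical after the portal reference was dropped; suggest "Read-only value that points to the CDN URL of the logo that was uploaded." In the same hunk, the optional-claims paragraph now states flatly that apps supporting both personal accounts and Azure AD cannot use optional claims, having removed the "At this time" and "(registered through the app registration portal)" qualifiers; confirm that the unqualified statement is still accurate before merging, since it narrows what readers will expect to work.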
active-directory | Reference Claims Mapping Policy Type | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-claims-mapping-policy-type.md | Restricted Claim type (URI): - `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/ispersistent`-- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid`-- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/samlissuername` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/wids`-- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdeviceclaim` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup` - `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsfqbnversion` Restricted Claim type (URI): - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication` - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision` - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid`-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier` - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier`-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid` - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn` - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`-- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname` - 
`http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor` |
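Review bot: the unchanged context still lists `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` twice in the restricted claims list; since this change already edits that list, remove the duplicate here. More importantly, the hunk deletes several entries from the restricted set (`primarygroupsid`, `primarysid`, `windowsaccountname`, `emailaddress`, `name`, `nameidentifier`, `sid`, `x500distinguishedname`), which changes what a claims-mapping policy is documented as allowed to override; a reviewer should see the source for that behavioural change (release note or product confirmation) in the PR description, and the article would benefit from a sentence noting that these claim types are no longer restricted, rather than a silent list edit.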
active-directory | Reference Error Codes | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-error-codes.md | The `error` field has several possible values - review the protocol documentatio | AADSTS50015 | ViralUserLegalAgeConsentRequiredState - The user requires legal age group consent. | | AADSTS50017 | CertificateValidationFailed - Certification validation failed, reasons for the following reasons:<ul><li>Cannot find issuing certificate in trusted certificates list</li><li>Unable to find expected CrlSegment</li><li>Cannot find issuing certificate in trusted certificates list</li><li>Delta CRL distribution point is configured without a corresponding CRL distribution point</li><li>Unable to retrieve valid CRL segments because of a timeout issue</li><li>Unable to download CRL</li></ul>Contact the tenant admin. | | AADSTS50020 | UserUnauthorized - Users are unauthorized to call this endpoint. User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appid}'({appName}) in that tenant. This account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. If this user should be a member of the tenant, they should be invited via the [B2B system](/azure/active-directory/b2b/add-users-administrator). For additional information, visit [AADSTS50020](/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist). |+| AADSTS500208 | The domain is not a valid login domain for the account type - This situation occurs when the user's account does not match the expected account type for the given tenant.. For instance, if the tenant is configured to allow only work or school accounts, and the user tries to sign in with a personal Microsoft account, they will receive this error. 
| AADSTS500212 | NotAllowedByOutboundPolicyTenant - The user's administrator has set an outbound access policy that doesn't allow access to the resource tenant. | | AADSTS500213 | NotAllowedByInboundPolicyTenant - The resource tenant's cross-tenant access policy doesn't allow this user to access this tenant. | | AADSTS50027 | InvalidJwtToken - Invalid JWT token because of the following reasons:<ul><li>doesn't contain nonce claim, sub claim</li><li>subject identifier mismatch</li><li>duplicate claim in idToken claims</li><li>unexpected issuer</li><li>unexpected audience</li><li>not within its valid time range </li><li>token format isn't proper</li><li>External ID token from issuer failed signature verification.</li></ul> | The `error` field has several possible values - review the protocol documentatio | AADSTS50048 | SubjectMismatchesIssuer - Subject mismatches Issuer claim in the client assertion. Contact the tenant admin. | | AADSTS50049 | NoSuchInstanceForDiscovery - Unknown or invalid instance. | | AADSTS50050 | MalformedDiscoveryRequest - The request is malformed. |-| AADSTS50053 | This error can result from two different reasons: <br><ul><li>IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password. The user is blocked due to repeated sign-in attempts. See [Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md).</li><li>Or, sign-in was blocked because it came from an IP address with malicious activity.</li></ul> <br>To determine which failure reason caused this error, sign in to the [Azure portal](https://portal.azure.com). Navigate to your Azure AD tenant and then **Monitoring** -> **Sign-ins**. 
Find the failed user sign-in with **Sign-in error code** 50053 and check the **Failure reason**.| +| AADSTS50053 | This error can result from two different reasons: <br><ul><li>IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password. The user is blocked due to repeated sign-in attempts. See [Remediate risks and unblock users](../identity-protection/howto-identity-protection-remediate-unblock.md).</li><li>Or, sign-in was blocked because it came from an IP address with malicious activity.</li></ul> <br>To determine which failure reason caused this error, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). Navigate to your Azure AD tenant and then **Monitoring & health** -> **Sign-in logs**. Find the failed user sign-in with **Sign-in error code** 50053 and check the **Failure reason**.| | AADSTS50055 | InvalidPasswordExpiredPassword - The password is expired. The user's password is expired, and therefore their login or session was ended. They will be offered the opportunity to reset it, or may ask an admin to reset it via [Reset a user's password using Azure Active Directory](../fundamentals/users-reset-password-azure-portal.md). | | AADSTS50056 | Invalid or null password: password doesn't exist in the directory for this user. The user should be asked to enter their password again. | | AADSTS50057 | UserDisabled - The user account is disabled. The user object in Active Directory backing this account has been disabled. An admin can re-enable this account [through PowerShell](/powershell/module/activedirectory/enable-adaccount) | The `error` field has several possible values - review the protocol documentatio | AADSTS50107 | InvalidRealmUri - The requested federation realm object doesn't exist. Contact the tenant admin. 
| | AADSTS50120 | ThresholdJwtInvalidJwtFormat - Issue with JWT header. Contact the tenant admin. | | AADSTS50124 | ClaimsTransformationInvalidInputParameter - Claims Transformation contains invalid input parameter. Contact the tenant admin to update the policy. |-| AADSTS501241 | Mandatory Input '{paramName}' missing from transformation ID '{transformId}'. This error is returned while Azure AD is trying to build a SAML response to the application. NameID claim or NameIdentifier is mandatory in SAML response and if Azure AD failed to get source attribute for NameID claim, it will return this error. As a resolution, ensure you add claim rules in *Azure portal* > *Azure Active Directory* > *Enterprise Applications* > *Select your application* > *Single Sign-On* > *User Attributes & Claims* > *Unique User Identifier (Name ID)*. | +| AADSTS501241 | Mandatory Input '{paramName}' missing from transformation ID '{transformId}'. This error is returned while Azure AD is trying to build a SAML response to the application. NameID claim or NameIdentifier is mandatory in SAML response and if Azure AD failed to get source attribute for NameID claim, it will return this error. As a resolution, ensure you add claim rules. To add claim rules, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator), and then browse to **Identity** > **Applications** > **Enterprise applications**. Select your application, select **Single Sign-On** and then in **User Attributes & Claims** enter the Unique User Identifier (Name ID). | | AADSTS50125 | PasswordResetRegistrationRequiredInterrupt - Sign-in was interrupted because of a password reset or password registration entry. | | AADSTS50126 | InvalidUserNameOrPassword - Error validating credentials due to invalid username or password. The user didn't enter the right credentials. 
It's expected to see some number of these errors in your logs due to users making mistakes. | | AADSTS50127 | BrokerAppNotInstalled - User needs to install a broker app to gain access to this content. | The `error` field has several possible values - review the protocol documentatio | AADSTS53000 | DeviceNotCompliant - Conditional Access policy requires a compliant device, and the device isn't compliant. The user must enroll their device with an approved MDM provider like Intune. For additional information, please visit [Conditional Access device remediation](../conditional-access/troubleshoot-conditional-access.md). | | AADSTS53001 | DeviceNotDomainJoined - Conditional Access policy requires a domain joined device, and the device isn't domain joined. Have the user use a domain joined device. | | AADSTS53002 | ApplicationUsedIsNotAnApprovedApp - The app used isn't an approved app for Conditional Access. User needs to use one of the apps from the list of approved apps to use in order to get access. |-| AADSTS53003 | BlockedByConditionalAccess - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. If this is unexpected, see the Conditional Access policy that applied to this request in the Azure portal or contact your administrator. For additional information, please visit [troubleshooting sign-in with Conditional Access](../conditional-access/troubleshoot-conditional-access.md). | +| AADSTS53003 | BlockedByConditionalAccess - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. If this is unexpected, see the Conditional Access policy that applied to this request or contact your administrator. For additional information, please visit [troubleshooting sign-in with Conditional Access](../conditional-access/troubleshoot-conditional-access.md). 
| | AADSTS53004 | ProofUpBlockedDueToRisk - User needs to complete the multi-factor authentication registration process before accessing this content. User should register for multi-factor authentication. | | AADSTS53010 | ProofUpBlockedDueToSecurityInfoAcr - Cannot configure multi-factor authentication methods because the organization requires this information to be set from specific locations or devices. | | AADSTS53011 | User blocked due to risk on home tenant. | The `error` field has several possible values - review the protocol documentatio | AADSTS54000 | MinorUserBlockedLegalAgeGroupRule | | AADSTS54005 | OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. | | AADSTS65001 | DelegationDoesNotExist - The user or administrator has not consented to use the application with ID X. Send an interactive authorization request for this user and resource. |-| AADSTS65002 | Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. They must move to another app ID they register in the [Azure portal](https://portal.azure.com).| +| AADSTS65002 | Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. 
They must move to another app ID they register.| | AADSTS65004 | UserDeclinedConsent - User declined to consent to access the app. Have the user retry the sign-in and consent to the app| | AADSTS65005 | MisconfiguredApplication - The app required resource access list does not contain apps discoverable by the resource or The client app has requested access to resource, which was not specified in its required resource access list or Graph service returned bad request or resource not found. If the app supports SAML, you may have configured the app with the wrong Identifier (Entity). To learn more, see the troubleshooting article for error [AADSTS650056](/troubleshoot/azure/active-directory/error-code-aadsts650056-misconfigured-app). | | AADSTS650052 | The app needs access to a service `(\"{name}\")` that your organization `\"{organization}\"` has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions. | The `error` field has several possible values - review the protocol documentatio | AADSTS700030 | Invalid certificate - subject name in certificate isn't authorized. SubjectNames/SubjectAlternativeNames (up to 10) in token certificate are: {certificateSubjects}. | | AADSTS70004 | InvalidRedirectUri - The app returned an invalid redirect URI. The redirect address specified by the client does not match any configured addresses or any addresses on the OIDC approve list. | | AADSTS70005 | UnsupportedResponseType - The app returned an unsupported response type due to the following reasons:<ul><li>response type 'token' isn't enabled for the app</li><li>response type 'id_token' requires the 'OpenID' scope -contains an unsupported OAuth parameter value in the encoded wctx</li></ul> |-| AADSTS700054 | Response_type 'id_token' isn't enabled for the application. The application requested an ID token from the authorization endpoint, but did not have ID token implicit grant enabled. 
Go to Azure portal > Azure Active Directory > App registrations > Select your application > Authentication > Under 'Implicit grant and hybrid flows', make sure 'ID tokens' is selected.| +| AADSTS700054 | Response_type 'id_token' isn't enabled for the application. The application requested an ID token from the authorization endpoint, but did not have ID token implicit grant enabled. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator) and then browse to **Identity** > **Applications** > **App registrations**. Select your application and then select **Authentication**. Under **Implicit grant and hybrid flows**, make sure **ID tokens'** is selected.| | AADSTS70007 | UnsupportedResponseMode - The app returned an unsupported value of `response_mode` when requesting a token. | | AADSTS70008 | ExpiredOrRevokedGrant - The refresh token has expired due to inactivity. The token was issued on XXX and was inactive for a certain amount of time. | | AADSTS700082 | ExpiredOrRevokedGrantInactiveToken - The refresh token has expired due to inactivity. The token was issued on {issueDate} and was inactive for {time}. Expected part of the token lifecycle - the user went an extended period of time without using the application, so the token was expired when the app attempted to refresh it. | The `error` field has several possible values - review the protocol documentatio | AADSTS900432 | Confidential Client isn't supported in Cross Cloud request.| | AADSTS90051 | InvalidNationalCloudId - The national cloud identifier contains an invalid cloud identifier. | | AADSTS90055 | TenantThrottlingError - There are too many incoming requests. This exception is thrown for blocked tenants. |-| AADSTS90056 | BadResourceRequest - To redeem the code for an access token, the app should send a POST request to the `/token` endpoint. 
Also, prior to this, you should provide an authorization code and send it in the POST request to the `/token` endpoint. Refer to this article for an overview of [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md). Direct the user to the `/authorize` endpoint, which will return an authorization_code. By posting a request to the `/token` endpoint, the user gets the access token. Log in the Azure portal, and check **App registrations > Endpoints** to confirm that the two endpoints were configured correctly. | +| AADSTS90056 | BadResourceRequest - To redeem the code for an access token, the app should send a POST request to the `/token` endpoint. Also, prior to this, you should provide an authorization code and send it in the POST request to the `/token` endpoint. Refer to this article for an overview of [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md). Direct the user to the `/authorize` endpoint, which will return an authorization_code. By posting a request to the `/token` endpoint, the user gets the access token. Check **App registrations > Endpoints** to confirm that the two endpoints were configured correctly. | | AADSTS900561 | BadResourceRequestInvalidRequest - The endpoint only accepts {valid_verbs} requests. Received a {invalid_verb} request. {valid_verbs} represents a list of HTTP verbs supported by the endpoint (for example, POST), {invalid_verb} is an HTTP verb used in the current request (for example, GET). This can be due to developer error, or due to users pressing the back button in their browser, triggering a bad request. It can be ignored. | | AADSTS90072 | PassThroughUserMfaError - The external account that the user signs in with doesn't exist on the tenant that they signed into; so the user can't satisfy the MFA requirements for the tenant. This error also might occur if the users are synced, but there is a mismatch in the ImmutableID (sourceAnchor) attribute between Active Directory and Azure AD. 
The account must be added as an external user in the tenant first. Sign out and sign in with a different Azure AD user account. For more information, please visit [configuring external identities](../external-identities/external-identities-overview.md). | | AADSTS90081 | OrgIdWsFederationMessageInvalid - An error occurred when the service tried to process a WS-Federation message. The message isn't valid. | The `error` field has several possible values - review the protocol documentatio | AADSTS700023 | InvalidResourcelessScope - The provided value for the input parameter scope isn't valid when request an access token. | | AADSTS7000215 | Invalid client secret is provided. Developer error - the app is attempting to sign in without the necessary or correct authentication parameters.| | AADSTS7000218 | The request body must contain the following parameter: 'client_assertion' or 'client_secret'. |-| AADSTS7000222 | InvalidClientSecretExpiredKeysProvided - The provided client secret keys are expired. Visit the Azure portal to create new keys for your app, or consider using certificate credentials for added security: [https://aka.ms/certCreds](./certificate-credentials.md) | +| AADSTS7000222 | InvalidClientSecretExpiredKeysProvided - The provided client secret keys are expired. Create new keys for your app, or consider using certificate credentials for added security: [https://aka.ms/certCreds](./certificate-credentials.md) | | AADSTS700229 | ForbiddenTokenType- Only app-only tokens may be used as Federated Identity Credentials for AAD issuer. Use an app-only access token (generated during a client credentials flow) instead of a user-delegated access token (representing a request coming from a user context). | | AADSTS700005 | InvalidGrantRedeemAgainstWrongTenant - Provided Authorization Code is intended to use against other tenant, thus rejected. 
OAuth2 Authorization Code must be redeemed against same tenant it was acquired for (/common or /{tenant-ID} as appropriate) | | AADSTS1000000 | UserNotBoundError - The Bind API requires the Azure AD user to also authenticate with an external IDP, which hasn't happened yet. | |
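Review bot: the added AADSTS500208 row has a doubled period in "for the given tenant.." and, unlike the neighbouring rows, its description does not appear to end with the closing " |" before the following "| AADSTS500212" row; suggest "for the given tenant. For instance, ..." and a trailing pipe so the table renders correctly.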
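Review bot: in the replacement AADSTS50053 row, "as at least an [Cloud Application Administrator]" should read "as at least a [Cloud Application Administrator]"; the rest of the rewrite (Microsoft Entra admin center, **Monitoring & health** -> **Sign-in logs**) reads correctly and matches the other rows.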
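Review bot: the replacement AADSTS501241 row repeats the "an [Cloud Application Administrator]" article error, and "enter the Unique User Identifier (Name ID)" changes the meaning of the removed text, which navigated to the *Unique User Identifier (Name ID)* claim rather than typing a value; suggest "select **Unique User Identifier (Name ID)** and set its source attribute", since the row itself explains the error is a missing source attribute for the NameID claim.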
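Review bot: the replacement AADSTS700054 row has a stray apostrophe in "make sure **ID tokens'** is selected" (should be "**ID tokens**") and the same "as at least an [Cloud Application Administrator]" article error; both are visible in the `+` line and will render in the published table.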
active-directory | Reference V2 Libraries | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reference-v2-libraries.md | For more information about the Microsoft Authentication Library, see the [Overvi <!--Reference-style links --> [AAD-App-Model-V2-Overview]: v2-overview.md [Microsoft-SDL]: https://www.microsoft.com/securityengineering/sdl/-[preview-tos]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/ +[preview-tos]: https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all |
active-directory | Refresh Tokens | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/refresh-tokens.md | The server can revoke refresh tokens because of a change in credentials, user ac - [Access tokens in the Microsoft identity platform](access-tokens.md) - [ID tokens in the Microsoft identity platform](id-tokens.md)-- [Invalidate refresh token](/powershell/module/microsoft.graph.beta.users.actions/invoke-mgbetainvalidateuserrefreshtoken?view=graph-powershell-beta)+- [Invalidate refresh token](/powershell/module/microsoft.graph.beta.users.actions/invoke-mgbetainvalidatealluserrefreshtoken?view=graph-powershell-beta&preserve-view=true) - [Single sign-out](v2-protocols-oidc.md#single-sign-out) ## Next steps |
active-directory | Registration Config How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-how-to.md | - Title: Get the endpoints for an Azure AD app registration -description: How to find the authentication endpoints for a custom application you're developing or registering with Azure AD. --------- Previously updated : 11/09/2022-----# How to discover endpoints --You can find the authentication endpoints for your application in the [Azure portal](https://portal.azure.com). --1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. Select **Azure Active Directory**. -1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu. -- The **Endpoints** page is displayed, showing the authentication endpoints for your tenant. - - Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application. --**National clouds** (for example Azure AD China, Germany, and US Government) have their own app registration portal and Azure AD authentication endpoints. Learn more in the [National clouds overview](authentication-national-cloud.md). --## Next steps --For more information about endpoints in the different Azure environments, see the [National clouds overview](authentication-national-cloud.md). |
active-directory | Registration Config Specific Application Property How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-specific-application-property-how-to.md | - Title: Azure portal registration fields for custom-developed apps -description: Guidance for registering a custom developed application with Azure AD --------- Previously updated : 09/27/2021-----# Azure portal registration fields for custom-developed apps --This article gives you a brief description of all the available fields in the application registration form in the [Azure portal](https://portal.azure.com). --## Register a new application --- To register a new application, sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.--- From the left navigation pane, click **Azure Active Directory.**--- Choose **App registrations** and click **Add**.--- This open up the application registration form.--## Fields in the application registration form --| Field | Description | -||| -| Name | The name of the application. It should have a minimum of four characters. | -| Supported account types| Select which accounts you would like your application to support: accounts in this organizational directory only, accounts in any organizational directory, or accounts in any organizational directory and personal Microsoft accounts. | -| Redirect URI (optional) | Select the type of app you're building, **Web** or **Public client (mobile & desktop)**, and then enter the redirect URI (or reply URL) for your application. For web applications, provide the base URL of your app. For example, http://localhost:31544 might be the URL for a web app running on your local machine. Users would use this URL to sign in to a web client application. For public client applications, provide the URI used by Azure AD to return token responses. Enter a value specific to your application, such as myapp://auth. 
To see specific examples for web applications or native applications, check out our [quickstarts](./index.yml).| --Once you have filled the above fields, the application is registered in the Azure portal, and you are redirected to the application overview page. The settings pages in the left pane under **Manage** have more fields for you to customize your application. The tables below describe all the fields. You would only see a subset of these fields, depending on whether you created a web application or a public client application. --### Overview --| Field | Description | -|--|--| -| Application ID | When you register an application, Azure AD assigns your application an Application ID. The application ID can be used to uniquely identify your application in authentication requests to Azure AD, as well as to access resources like the Graph API. | -| App ID URI | This should be a unique URI, usually of the form **https://<tenant\_name>/<application\_name>.** This is used during the authorization grant flow, as a unique identifier to specify the resource that the token should be issued for. It also becomes the 'aud' claim in the issued access token. | --### Branding --| Field | Description | -|--|--| -| Upload new logo | You can use this to upload a logo for your application. The logo must be in .bmp, .jpg or .png format, and the file size should be less than 100 KB. The dimensions for the image should be 215x215 pixels, with central image dimensions of 94x94 pixels.| -| Home page URL | This is the sign-on URL specified during application registration.| --### Authentication --| Field | Description | -|--|--| -| Front-channel logout URL | This is the single sign-out logout URL. Azure AD sends a logout request to this URL when the user clears their session with Azure AD using any other registered application.| -| Supported account types | This switch specifies whether the application can be used by multiple tenants. 
Typically, this means that external organizations can use your application by registering it in their tenant and granting access to their organization's data.| -| Redirect URLs | The redirect, or reply, URLs are the endpoints where Azure AD returns any tokens that your application requests. For native applications, this is where the user is sent after successful authorization. Azure AD checks that the redirect URI your application supplies in the OAuth 2.0 request matches one of the registered values in the portal.| --### Certificates and secrets --| Field | Description | -|--|--| -| Client secrets | You can create client secrets, or keys, to programmatically access web APIs secured by Azure AD without any user interaction. From the **New client secret** page, enter a key description and the expiration date and save to generate the key. Make sure to save it somewhere secure, as you won't be able to access it later. | --## Next steps --[Managing Applications with Azure Active Directory](../manage-apps/what-is-application-management.md) |
active-directory | Registration Config Sso How To | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/registration-config-sso-how-to.md | - Title: Configure application single sign-on -description: How to configure single sign-on for a custom application you are developing and registering with Azure AD. --------- Previously updated : 07/15/2019-----# How to configure single sign-on for an application --Enabling federated single sign-on (SSO) in your app is automatically enabled when federating through Azure AD for OpenID Connect, SAML 2.0, or WS-Fed. If your end users are having to sign in despite already having an existing session with Azure AD, itΓÇÖs likely your app may be misconfigured. --* If youΓÇÖre using Microsoft Authentication Library (MSAL), make sure you have **PromptBehavior** set to **Auto** rather than **Always**. --* If youΓÇÖre building a mobile app, you may need additional configurations to enable brokered or non-brokered SSO. --For Android, see [Enabling Cross App SSO in Android](msal-android-single-sign-on.md). --For iOS, see [Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md). --## Next steps --[Azure AD SSO](../manage-apps/what-is-single-sign-on.md)<br> --[Enabling Cross App SSO in Android](msal-android-single-sign-on.md)<br> --[Enabling Cross App SSO in iOS](single-sign-on-macos-ios.md)<br> --[Integrating Apps to AzureAD](./quickstart-register-app.md)<br> --[Permissions and consent in the Microsoft identity platform](./permissions-consent-overview.md)<br> --[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
active-directory | Reply Url | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/reply-url.md | This table shows the maximum number of redirect URIs you can add to an app regis | Microsoft work or school accounts in any organization's Azure Active Directory (Azure AD) tenant | 256 | `signInAudience` field in the application manifest is set to either *AzureADMyOrg* or *AzureADMultipleOrgs* | | Personal Microsoft accounts and work and school accounts | 100 | `signInAudience` field in the application manifest is set to *AzureADandPersonalMicrosoftAccount* | -The maximum number of redirect URIS can't be raised for [security reasons](#restrictions-on-wildcards-in-redirect-uris). If your scenario requires more redirect URIs than the maximum limit allowed, consider the following [state parameter approach](#use-a-state-parameter) as the solution. +The maximum number of redirect URIs can't be raised for [security reasons](#restrictions-on-wildcards-in-redirect-uris). If your scenario requires more redirect URIs than the maximum limit allowed, consider the following [state parameter approach](#use-a-state-parameter) as the solution. ## Maximum URI length |
active-directory | Saml Claims Customization | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/saml-claims-customization.md | By default, the Microsoft identity platform issues a SAML token to an applicatio ## View or edit claims -To view or edit the claims issued in the SAML token to the application, open the application in Azure portal. Then open the **Attributes & Claims** section. -+To view or edit the claims issued in the SAML token to the application: +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**. +1. Select the application, select **Single sign-on** in the left-hand menu, and then select **Edit** in the **Attributes & Claims** section. You might need to edit the claims issued in the SAML token for the following reasons: To edit the name identifier value claim: 1. Open the **Name identifier value** page. 1. Select the attribute or transformation that you want to apply to the attribute. Optionally, you can specify the format that you want the `nameID` claim to have. - :::image type="content" source="./media/saml-claims-customization/saml-sso-manage-user-claims.png" alt-text="Screenshot of editing the nameID (name identifier) value in the Azure portal."::: - ### NameID format If the SAML request contains the element `NameIDPolicy` with a specific format, then the Microsoft identity platform honors the format in the request. For more information about identifier values, see the table that lists the valid Any constant (static) value can be assigned to any claim. Use the following steps to assign a constant value: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. In the **User Attributes & Claims** section, select **Edit** to edit the claims. -1. 
Select the required claim that you want to modify. -1. Enter the constant value without quotes in the **Source attribute** as per your organization and select **Save**. -- :::image type="content" source="./media/saml-claims-customization/organization-attribute.png" alt-text="Screenshot of the organization Attributes & Claims section in the Azure portal."::: --1. The constant value is displayed as shown in the following image. -- :::image type="content" source="./media/saml-claims-customization/edit-attributes-claims.png" alt-text="Screenshot of editing in the Attributes & Claims section in the Azure portal."::: +1. On the **Attributes & Claims** blade, select the required claim that you want to modify. +1. Enter the constant value without quotes in the **Source attribute** as per your organization and select **Save**. The constant value is displayed. ### Directory Schema extensions (Preview) You can also configure directory schema extension attributes as non-conditional/conditional attributes. Use the following steps to configure the single or multi-valued directory schema extension attribute as a claim: -1. Sign in to the [Azure portal](https://portal.azure.com). --1. In the **User Attributes & Claims** section, select **Edit** to edit the claims. -1. Select **Add new claim** or edit an existing claim. -- :::image type="content" source="./media/saml-claims-customization/mv-extension-1.jpg" alt-text="Screenshot of the MultiValue extension configuration section in the Azure portal."::: -+1. On the **Attributes & Claims** blade, select **Add new claim** or edit an existing claim. 1. Select source application from application picker where extension property is defined. - :::image type="content" source="./media/saml-claims-customization/mv-extension-2.jpg" alt-text="Screenshot of the source application selection in MultiValue extension configuration section in the Azure portal."::: - 1. Select **Add** to add the selection to the claims. 1. 
Click **Save** to commit the changes. You can use the following special claims transformations functions. To add application-specific claims: -1. In **User Attributes & Claims**, select **Add new claim** to open the **Manage user claims** page. +1. On the **Attributes & Claims** blade, select **Add new claim** to open the **Manage user claims** page. 1. Enter the **name** of the claims. The value doesn't strictly need to follow a URI pattern, per the SAML spec. If you need a URI pattern, you can put that in the **Namespace** field. 1. Select the **Source** where the claim is going to retrieve its value. You can select a user attribute from the source attribute dropdown or apply a transformation to the user attribute before emitting it as a claim. To apply a transformation to a user attribute: 1. In **Manage claim**, select *Transformation* as the claim source to open the **Manage transformation** page. 1. Select the function from the transformation dropdown. Depending on the function selected, provide parameters and a constant value to evaluate in the transformation. 1. Select the source of the attribute by clicking on the appropriate radio button. Directory schema extension source is in preview currently.-- :::image type="content" source="./media/saml-claims-customization/mv-extension-4.png" alt-text="Screenshot of claims transformation."::: - 1. Select the attribute name from the dropdown.- 1. **Treat source as multivalued** is a checkbox indicating whether the transform should be applied to all values or just the first. By default, transformations are only applied to the first element in a multi-value claim, by checking this box it ensures it's applied to all. This checkbox is only be enabled for multi-valued attributes, for example `user.proxyaddresses`.- 1. To apply multiple transformations, select **Add transformation**. You can apply a maximum of two transformations to a claim. For example, you could first extract the email prefix of the `user.mail`. 
Then, make the string upper case. When the following conditions occur after **Add** or **Run test** is selected, a ## Add the UPN claim to SAML tokens -The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal. +The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). If you have custom signing key configured, you can add it in the **Attributes & Claims** section. +In case there is no custom signing key configured, please refer to [SAML Restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). You can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal. + Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token. +Customization done in the **Attributes & Claims** section can overwrite the optional claims in the **App Registration**. + ## Emit claims based on conditions You can specify the source of a claim based on user type and the group to which the user belongs. For example, Britta Simon is a guest user in the Contoso tenant. Britta belongs First, the Microsoft identity platform verifies whether Britta's user type is **All guests**. Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies whether Britta's user type is **AAD guests**. 
Because the type is **All guests**, the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with a value of `user.mail` for Britta. - As another example, consider when Britta Simon tries to sign in and the following configuration is used. All conditions are first evaluated with the source of `Attribute`. Because Britta's user type is **AAD guests**, `user.mail` is assigned as the source for the claim. Next, the transformations are evaluated. Because Britta is a guest, `user.extensionattribute1` is now the new source for the claim. Because Britta is in **AAD guests**, `user.othermail` is now the source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta. - As a final example, consider what happens if Britta has no `user.othermail` configured or it's empty. In both cases the condition entry is ignored, and the claim falls back to `user.extensionattribute1` instead. ## Advanced SAML claims options |
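Review bot: the added sentence in the UPN claim section, `+If you have custom signing key configured, you can add it in the **Attributes & Claims** section.`, is missing an article ("a custom signing key"), and the following `+In case there is no custom signing key configured, please refer to ...` repeats a link to the same anchor as the preceding sentence and uses "please"; one sentence would do: "If a custom signing key is configured, you can add it in the **Attributes & Claims** section; otherwise, add it as an optional claim through **App registrations**." It would also help readers to state why a custom signing key lifts the restriction, since the restricted-claim-set link alone does not make that obvious. While touching this file, the unchanged example in "Emit claims based on conditions" reads "verifies whether Britta's user type is **AAD guests**. Because the type is **All guests**, ..."; the second sentence appears to mean **AAD guests**, given that the claim source then becomes `user.mail`.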
active-directory | Scenario Mobile App Registration | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-mobile-app-registration.md | For more information, see [Scenarios and supported authentication flows](authent ### Interactive authentication -When you build a mobile app that uses interactive authentication, the most critical registration step is the redirect URI. You can set interactive authentication through the [platform configuration on the **Authentication** blade](https://aka.ms/MobileAppReg). +When you build a mobile app that uses interactive authentication, the most critical registration step is the redirect URI. This experience enables your app to get single sign-on (SSO) through Microsoft Authenticator (and Intune Company Portal on Android). It also supports device management policies. -This experience will enable your app to get single sign-on (SSO) through Microsoft Authenticator (and Intune Company Portal on Android). It will also support device management policies. --The app registration portal provides a preview experience to help you compute the brokered reply URI for iOS and Android applications: --1. In the app registration portal, select **Authentication** > **Try out the new experience**. -- ![The Authentication blade, where you choose a new experience](https://user-images.githubusercontent.com/13203188/60799285-2d031b00-a173-11e9-9d28-ac07a7ae894a.png) --2. Select **Add a platform**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. +1. Enter a **Name** for the application. +1. For **Supported account types**, select **Accounts in this organizational directory only**. +1. Select **Register**. +1. Select **Authentication** and then select **Add a platform**. 
![Add a platform](https://user-images.githubusercontent.com/13203188/60799366-4c01ad00-a173-11e9-934f-f02e26c9429e.png) -3. When the list of platforms is supported, select **iOS**. +1. When the list of platforms is supported, select **iOS / macOS**. ![Choose a mobile application](https://user-images.githubusercontent.com/13203188/60799411-60de4080-a173-11e9-9dcc-d39a45826d42.png) -4. Enter your bundle ID, and then select **Register**. +1. Enter your bundle ID, and then select **Configure**. ![Enter your bundle ID](https://user-images.githubusercontent.com/13203188/60799477-7eaba580-a173-11e9-9f8b-431f5b09344e.png) If your app uses only username-password authentication, you don't need to regist However, identify your application as a public client application. To do so: -1. Still in the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, select your app in **App registrations**, and then select **Authentication**. +1. Still in the Microsoft Entra admin center, select your app in **App registrations**, and then select **Authentication**. 1. In **Advanced settings** > **Allow public client flows** > **Enable the following mobile and desktop flows:**, select **Yes**. :::image type="content" source="media/scenarios/default-client-type.png" alt-text="Enable public client setting on Authentication pane in Azure portal"::: |
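Review bot: the new step `+1. For **Supported account types**, select **Accounts in this organizational directory only**.` pins the walkthrough to a single-tenant registration without saying why, in a section whose stated focus is the redirect URI; either mark it as the choice made for this example or drop the registration steps and begin at `+1. Select **Authentication** and then select **Add a platform**.` on an existing registration, which is what the removed text did. Separately, `+1. When the list of platforms is supported, select **iOS / macOS**.` keeps the pre-existing odd phrasing; "In the list of platforms, select **iOS / macOS**" is what the step means.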
active-directory | Scenario Web App Call Api Acquire Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-call-api-acquire-token.md | These advanced steps are covered in chapter 3 of the [3-WebApp-multi-APIs](https The code for ASP.NET is similar to the code shown for ASP.NET Core: -- A controller action, protected by an [Authorize] attribute, extracts the tenant ID and user ID of the `ClaimsPrincipal` member of the controller. (ASP.NET uses `HttpContext.User`.)-*Microsoft.Identity.Web* adds extension methods to the Controller that provide convenience services to call Microsoft Graph or a downstream web API, or to get an authorization header, or even a token. The methods used to call an API directly are explained in detail in [A web app that calls web APIs: Call an API](scenario-web-app-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token. +- A controller action, protected by an `[Authorize]` attribute, extracts the tenant ID and user ID of the `ClaimsPrincipal` member of the controller (ASP.NET uses `HttpContext.User`). This ensures that only authenticated users can use the app. +**Microsoft.Identity.Web** adds extension methods to the Controller that provide convenience services to call Microsoft Graph or a downstream web API, or to get an authorization header, or even a token. The methods used to call an API directly are explained in detail in [A web app that calls web APIs: Call an API](scenario-web-app-call-api-call-api.md). With these helper methods, you don't need to manually acquire a token. -If, however, you do want to manually acquire a token or build an authorization header, the following code shows how to use *Microsoft.Identity.Web* to do so in a controller. It calls an API (Microsoft Graph) using the REST API instead of the Microsoft Graph SDK. 
+If, however, you do want to manually acquire a token or build an authorization header, the following code shows how to use Microsoft.Identity.Web to do so in a controller. It calls an API (Microsoft Graph) using the REST API instead of the Microsoft Graph SDK. To get an authorization header, you get an `IAuthorizationHeaderProvider` service from the controller using an extension method `GetAuthorizationHeaderProvider`. To get an authorization header to call an API on behalf of the user, use `CreateAuthorizationHeaderForUserAsync`. To get an authorization header to call a downstream API on behalf of the application itself, in a daemon scenario, use `CreateAuthorizationHeaderForAppAsync`. -The controller methods are protected by an `[Authorize]` attribute that ensures only authenticated users can use the web app. -- The following snippet shows the action of the `HomeController`, which gets an authorization header to call Microsoft Graph as a REST API: - ```csharp [Authorize] public class HomeController : Controller public class HomeController : Controller # [Java](#tab/java) -In the Java sample, the code that calls an API is in the getUsersFromGraph method in [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62). +In the Java sample, the code that calls an API is in the `getUsersFromGraph` method in [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62). The method attempts to call `getAuthResultBySilentFlow`. If the user needs to consent to more scopes, the code processes the `MsalInteractionRequiredException` object to challenge the user. 
public ModelAndView getUserFromGraph(HttpServletRequest httpRequest, HttpServlet # [Node.js](#tab/nodejs) -In the Node.js sample, the code that acquires a token is in the *acquireToken* method of the **AuthProvider** class. +In the Node.js sample, the code that acquires a token is in the `acquireToken` method of the `AuthProvider` class. :::code language="js" source="~/ms-identity-node/App/auth/AuthProvider.js" range="79-121"::: This access token is then used to handle requests to the `/profile` endpoint: # [Python](#tab/python) -In the Python sample, the code that calls the API is in `app.py`. +In the Python sample, the code that calls the API is in *app.py*. The code attempts to get a token from the token cache. If it can't get a token, it redirects the user to the sign-in route. Otherwise, it can proceed to call the API. Move on to the next article in this scenario, Move on to the next article in this scenario, [Call a web API](scenario-web-app-call-api-call-api.md?tabs=python). -+ |
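Review bot: the sentence "To get an authorization header to call a downstream API on behalf of the application itself, in a daemon scenario, use `CreateAuthorizationHeaderForAppAsync`" sits right after the rewritten bullet `+- A controller action, protected by an `[Authorize]` attribute, ... This ensures that only authenticated users can use the app.` and could mislead in a page about a web app acting for a signed-in user: an app-only header carries the application's own permissions rather than the user's delegated ones, so add a clause saying that `CreateAuthorizationHeaderForUserAsync` is the one to use from a controller action unless the call genuinely must not depend on the signed-in user. The formatting changes (`*acquireToken*` to `` `acquireToken` ``, `` `app.py` `` to `*app.py*`) follow the code-identifier versus file-name convention and are fine.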
active-directory | Setup Multi Tenant App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/setup-multi-tenant-app.md | - Title: Configure a new multi-tenant application -description: Learn how to configure an application as multi-tenant, and how multi-tenant applications work --------- Previously updated : 11/10/2022-----# How to configure a new multi-tenant application --Here is a list of recommended topics to learn more about multi-tenant applications: --- Get a general understanding of [what it means to be a multi-tenant application](./developer-glossary.md#multi-tenant-application)-- Learn about [tenancy in Azure Active Directory](single-and-multi-tenant-apps.md)-- Get a general understanding of [how to configure an application to be multi-tenant](./howto-convert-app-to-be-multi-tenant.md)-- Get a step-by-step overview of [how the Azure AD consent framework is used to implement consent](./quickstart-register-app.md), which is required for multi-tenant applications-- For more depth, learn [how a multi-tenant application is configured and coded end-to-end](./howto-convert-app-to-be-multi-tenant.md), including how to register, use the "common" endpoint, implement "user" and "admin" consent, how to implement more advanced multi-tier scenarios--## Next steps -[AzureAD Microsoft Q&A](/answers/topics/azure-active-directory.html) |
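Review bot: this hunk deletes `setup-multi-tenant-app.md` in its entirety but shows no redirect entry for the removed URL, so existing links to "How to configure a new multi-tenant application" will break; add a redirect in the same change to one of the pages the deleted list pointed at (`single-and-multi-tenant-apps.md` or `howto-convert-app-to-be-multi-tenant.md`), and note that the removed "Next steps" Q&A link has no replacement.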
active-directory | Signing Key Rollover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/signing-key-rollover.md | namespace JWTValidation TokenValidationParameters validationParams = new TokenValidationParameters() {- AllowedAudience = "[Your App ID URI goes here, as registered in the Azure Portal]", + AllowedAudience = "[Your App ID URI goes here]", ValidIssuer = "[The issuer for the token goes here, such as https://sts.windows.net/68b98905-130e-4d7c-b6e1-a158a9ed8449/]", SigningTokens = GetSigningCertificates(MetadataAddress) To check and update signing keys with PowerShell, you'll need the [MSIdentityToo Get-MsIdSigningKeyThumbprint ``` -1. Pick any of the key thumbprints and configure Azure Active Directory to use that key with your application (get the app ID from the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)): +1. Pick any of the key thumbprints and configure Azure Active Directory to use that key with your application (get the app ID from the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade)): ```powershell Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -KeyThumbprint <Thumbprint> To check and update signing keys with PowerShell, you'll need the [MSIdentityToo Install-Module -Name MSIdentityTools ``` -1. Get the latest signing key (get the tenant ID from the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)): +1. Get the latest signing key (get the tenant ID from the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)): ```powershell Get-MsIdSigningKeyThumbprint -Tenant <tenandId> -Latest To check and update signing keys with PowerShell, you'll need the [MSIdentityToo 1. Update your application's code or configuration to use the new key. -1. 
Configure Azure Active Directory to use that latest key with your application (get the app ID from the [portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)): +1. Configure Azure Active Directory to use that latest key with your application (get the app ID from the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade)): ```powershell Get-MsIdSigningKeyThumbprint -Latest | Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> |
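Review bot: the unchanged code line `Get-MsIdSigningKeyThumbprint -Tenant <tenandId> -Latest`, directly under the edited step `+1. Get the latest signing key (get the tenant ID from the [Microsoft Entra admin center]...)`, has a typo in the placeholder (`<tenandId>` should be `<tenantId>`); since the surrounding step is being edited, fix it here. Also, `+1. Pick any of the key thumbprints and configure Azure Active Directory to use that key with your application` pins the application to a single key for the test, and the page's own later step `1. Update your application's code or configuration to use the new key.` is what keeps that pinning from breaking token validation at the next rollover; keep the two steps adjacent and say explicitly that the pinning is for testing only.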
active-directory | Single And Multi Tenant Apps | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-and-multi-tenant-apps.md | Azure Active Directory (Azure AD) organizes objects like users and apps into gro ## Who can sign in to your app? -When it comes to developing apps, developers can choose to configure their app to be either single-tenant or multi-tenant during app registration in the [Azure portal](https://portal.azure.com). +When it comes to developing apps, developers can choose to configure their app to be either single-tenant or multi-tenant during app registration. - Single-tenant apps are only available in the tenant they were registered in, also known as their home tenant. - Multi-tenant apps are available to users in both their home tenant and other tenants. -In the Azure portal, you can configure your app to be single-tenant or multi-tenant by setting the audience as follows. +When you register an application, you can configure it to be single-tenant or multi-tenant by setting the audience as follows. -| Audience | Single/multi-tenant | Who can sign in | -| -- | - | | -| Accounts in this directory only | Single tenant | All user and guest accounts in your directory can use your application or API.<br>_Use this option if your target audience is internal to your organization._ | -| Accounts in any Azure AD directory | Multi-tenant | All users and guests with a work or school account from Microsoft can use your application or API. This includes schools and businesses that use Microsoft 365.<br>_Use this option if your target audience is business or educational customers._ | -| Accounts in any Azure AD directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | All users with a work or school, or personal Microsoft account can use your application or API. 
It includes schools and businesses that use Microsoft 365 as well as personal accounts that are used to sign in to services like Xbox and Skype.<br>_Use this option to target the widest set of Microsoft accounts._ | +| Audience | Single/multi-tenant | Who can sign in | +| -- | - | | +| Accounts in this directory only | Single tenant | All user and guest accounts in your directory can use your application or API.<br>Use this option if your target audience is internal to your organization. | +| Accounts in any Azure AD directory | Multi-tenant | All users and guests with a work or school account from Microsoft can use your application or API. This includes schools and businesses that use Microsoft 365.<br>Use this option if your target audience is business or educational customers. | +| Accounts in any Azure AD directory and personal Microsoft accounts (such as Skype, Xbox, Outlook.com) | Multi-tenant | All users with a work or school, or personal Microsoft account can use your application or API. It includes schools and businesses that use Microsoft 365 as well as personal accounts that are used to sign in to services like Xbox and Skype.<br>Use this option to target the widest set of Microsoft accounts. | ## Best practices for multi-tenant apps |
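Review bot: the rebuilt table's separator row `+| -- | - | |` has an empty third cell, so the `Who can sign in` column may not render as part of the table; use `| --- | --- | --- |`. The rest of the rewrite only removes the italics around the "Use this option ..." guidance and the Azure portal reference; the content is unchanged.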
active-directory | Single Sign On Saml Protocol | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/single-sign-on-saml-protocol.md | Title: Azure single sign-on SAML protocol + Title: Single sign-on SAML protocol description: This article describes the single sign-on (SSO) SAML protocol in Azure Active Directory documentationcenter: .net To request a user authentication, cloud services send an `AuthnRequest` element | Parameter | Type | Description | | | | |-| ID | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. | -| Version | Required | This parameter should be set to **2.0**. | -| IssueInstant | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. | -| AssertionConsumerServiceURL | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. | -| ForceAuthn | Optional | This is a boolean value. If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Azure AD. | -| IsPassive | Optional | This is a boolean value that specifies whether Azure AD should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Azure AD will attempt to authenticate the user using the session cookie. | --All other `AuthnRequest` attributes, such as Consent, Destination, AssertionConsumerServiceIndex, AttributeConsumerServiceIndex, and ProviderName are **ignored**. 
+| `ID` | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. | +| `Version` | Required | This parameter should be set to `2.0`. | +| `IssueInstant` | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. | +| `AssertionConsumerServiceURL` | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. | +| `ForceAuthn` | Optional | This is a boolean value. If true, it means that the user will be forced to re-authenticate, even if they have a valid session with Azure AD. | +| `IsPassive` | Optional | This is a boolean value that specifies whether Azure AD should authenticate the user silently, without user interaction, using the session cookie if one exists. If this is true, Azure AD will attempt to authenticate the user using the session cookie. | ++All other `AuthnRequest` attributes, such as `Consent`, `Destination`, `AssertionConsumerServiceIndex`, `AttributeConsumerServiceIndex`, and `ProviderName` are **ignored**. Azure AD also ignores the `Conditions` element in `AuthnRequest`. |
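Review bot: the header row `| Parameter | Type | Description |` above the rewritten rows labels the second column "Type" while every cell in it holds `Required` or `Optional`; since each row of that column is touched in this hunk, rename the header to "Required/Optional" in the same change. The retained wording in `+| `IssueInstant` | Required | ... Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. |` is worth keeping explicit, as it tells implementers that request freshness is not enforced by this attribute on the Azure AD side, and the backticks added to `Consent`, `Destination`, `AssertionConsumerServiceIndex`, `AttributeConsumerServiceIndex`, and `ProviderName` are consistent with the table.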
active-directory | Supported Accounts Validation | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/supported-accounts-validation.md | See the following table for the validation differences of various properties for | Certificates (`keyCredentials`) | Symmetric signing key | Symmetric signing key | Encryption and asymmetric signing key | | Client secrets (`passwordCredentials`) | No limit\* | No limit\* | If liveSDK is enabled: Maximum of two client secrets | | Redirect URIs (`replyURLs`) | See [Redirect URI/reply URL restrictions and limitations](reply-url.md) for more info. | | |-| API permissions (`requiredResourceAccess`) | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs. | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs. | Maximum of 50 resources per application and 30 permissions per resource (for example, Microsoft Graph). Total limit of 200 per application (resources x permissions). | +| API permissions (`requiredResourceAccess`) | No more than 50 total APIs (resource apps), with no more than 10 APIs from other tenants. No more than 400 permissions total across all APIs. | No more than 50 total APIs (resource apps), with no more than 10 APIs from other tenants. No more than 400 permissions total across all APIs. | No more than 50 total APIs (resource apps), with no more than 10 APIs from other tenants. No more than 200 permissions total across all APIs. Maximum of 30 permissions per resource (for example, Microsoft Graph). 
| | Scopes defined by this API (`oauth2Permissions`) | Maximum scope name length of 120 characters <br><br> No limit\* on the number of scopes defined | Maximum scope name length of 120 characters <br><br> No limit\* on the number of scopes defined | Maximum scope name length of 40 characters <br><br> Maximum of 100 scopes defined | | Authorized client applications (`preAuthorizedApplications`) | No limit\* | No limit\* | Total maximum of 500 <br><br> Maximum of 100 client apps defined <br><br> Maximum of 30 scopes defined per client | | appRoles | Supported <br> No limit\* | Supported <br> No limit\* | Not supported | |
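Review bot: the new third-column text `+... No more than 50 total APIs (resource apps), with no more than 10 APIs from other tenants. No more than 200 permissions total across all APIs. Maximum of 30 permissions per resource ...` changes the personal-accounts limits in two ways the commit should call out: the removed wording `Total limit of 200 per application (resources x permissions)` counted resource-permission pairs, and the removed text had no "APIs from other tenants" sub-limit for that column. Confirm both against the service before copying the first two columns' wording into the third.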
active-directory | Test Setup Environment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/test-setup-environment.md | You can [manually create a tenant](quickstart-create-new-tenant.md), which will For convenience, you may want to invite yourself and other members of your development team to be guest users in the tenant. This will create separate guest objects in the test tenant, but means you only have to manage one set of credentials for your corporate account and your test account. -1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. -2. Go to **Users**. -3. Click on **New guest user** and invite your work account email address. -4. Repeat for other members of the development and/or testing team for your application. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Invite external user** and invite your work account email address. +1. Repeat for other members of the development and/or testing team for your application. You can also create test users in your test tenant. If you used one of the Microsoft 365 sample packs, you may already have some test users in your tenant. If not, you should be able to create some yourself as the tenant administrator. -1. Sign in to the [Azure portal](https://portal.azure.com), then select on **Azure Active Directory**. -2. Go to **Users**. -3. Click **New user** and create some new test users in your directory. +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user** and create some new test users in your directory. 
### Get an Azure AD subscription (optional) Replicating Conditional Access policies ensures you don't encounter unexpected b Viewing your production tenant Conditional Access policies may need to be performed by a company administrator. -1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account. 1. Go to **Azure Active Directory** > **Enterprise applications** > **Conditional Access**. 1. View the list of policies in your tenant. Click the first one. 1. Navigate to **Cloud apps or actions**. Viewing your production tenant Conditional Access policies may need to be perfor In a new tab or browser session, sign in to the [Azure portal](https://portal.azure.com) to access your test tenant. -1. Go to **Azure Active Directory** > **Enterprise applications** > **Conditional Access**. -1. Click on **New policy** +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Conditional Access**. +1. Select **Create new policy** 1. Copy the settings from the production tenant policy, identified through the previous steps. #### Permission grant policies Replicating permission grant policies ensures you don't encounter unexpected prompts for admin consent when moving to production. -1. Sign in to the [Azure portal](https://portal.azure.com) using your production tenant account. -1. Click on **Azure Active Directory**. -1. Go to **Enterprise applications**. -1. From your production tenant, go to **Azure Active Directory** > **Enterprise applications** > **Consent and permissions** > **User consent** settings. Copy the settings there to your test tenant. +Browse to **Identity** > **Applications** > **Enterprise applications** > **Consent and permissions** > **User consent** settings. Copy the settings there to your test tenant. #### Token lifetime policies You'll need to create an app registration to use in your test environment. 
This You'll need to create some test users with associated test data to use while testing your scenarios. This step might need to be performed by an admin. -1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. -2. Go to **Users**. -3. Select **New user** and create some new test users in your directory. +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user** and create some new test users in your directory. ### Add the test users to a group (optional) For convenience, you can assign all these users to a group, which makes other assignment operations easier. -1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. -2. Go to **Groups**. -3. Click **New group**. -4. Select either **Security** or **Microsoft 365** for group type. -5. Name your group. -6. Add the test users created in the previous step. +1. Browse to **Identity** > **Groups** > **All groups**. +1. Select **New group**. +1. Select either **Security** or **Microsoft 365** for group type. +1. Name your group. +1. Add the test users created in the previous step. ### Restrict your test application to specific users |
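Review bot: `+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer]...` is followed by `+1. Select **New user** > **Invite external user**` and, further down, `+1. Select **New user** > **Create new user**` and `+1. Select **New group**`; creating users and groups is not covered by the Application Developer role (it needs at least User Administrator), so the stated minimum role should match the most privileged step, or the later procedures need their own sign-in step, which the removed `-1. Sign in to the [Azure portal]...` lines used to provide. The production-tenant Conditional Access steps also still read `1. Go to **Azure Active Directory** > **Enterprise applications** > **Conditional Access**.` and `sign in to the [Azure portal](https://portal.azure.com)` while the test-tenant steps were moved to `+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Conditional Access**.`; navigation should be consistent within the page.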
active-directory | Troubleshoot Publisher Verification | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/troubleshoot-publisher-verification.md | -2. Review the instructions to [mark an app as publisher verified](mark-app-as-publisher-verified.md) and ensure all steps have been performed successfully. --3. Review the list of [common issues](#common-issues). --4. Reproduce the request using [Graph Explorer](#making-microsoft-graph-api-calls) to gather more info and rule out any issues in the UI. +1. Review the instructions to [mark an app as publisher verified](mark-app-as-publisher-verified.md) and ensure all steps have been performed successfully. +1. Review the list of [common issues](#common-issues). +1. Reproduce the request using [Graph Explorer](#making-microsoft-graph-api-calls) to gather more info and rule out any issues in the UI. ## Common Issues Below are some common issues that may occur during the process. -- **I donΓÇÖt know my Microsoft Partner Network ID (MPN ID) or I donΓÇÖt know who the primary contact for the account is.** - 1. Navigate to the [MPN enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new). - 2. Sign in with a user account in the org's primary Azure AD tenant. - 3. If an MPN account already exists, this is recognized and you are added to the account. - 4. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed. +- **I donΓÇÖt know my Cloud Partner Program ID (Partner One ID) or I donΓÇÖt know who the primary contact for the account is.** + 1. Navigate to the [Cloud Partner Program enrollment page](https://partner.microsoft.com/dashboard/account/v3/enrollment/joinnow/basicpartnernetwork/new). + 1. Sign in with a user account in the org's primary Azure AD tenant. + 1. 
If an Cloud Partner Program account already exists, this is recognized and you are added to the account. + 1. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the Partner One ID and primary account contact will be listed. - **I donΓÇÖt know who my Azure AD Global Administrator (also known as company admin or tenant admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?**- 1. Sign in to the [Azure portal](https://portal.azure.com) using a user account in your organization's primary tenant. - 1. Browse to **Azure Active Directory** > [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators). - 3. Select the desired admin role. - 4. The list of users assigned that role will be displayed. + 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Adminstrator](../roles/permissions-reference.md#cloud-application-administrator). + 1. Browse to **Identity** > **Roles & admins** > **Roles & admins**. + 1. Select the desired admin role. + 1. The list of users assigned that role will be displayed. -- **I don't know who the admin(s) for my MPN account are**- Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles. +- **I don't know who the admin(s) for my CPP account are** + Go to the [CPP User Management page](https://partner.microsoft.com/pcv/users) and filter the user list to see what users are in various admin roles. -- **I am getting an error saying that my MPN ID is invalid or that I do not have access to it.**+- **I am getting an error saying that my Partner One ID is invalid or that I do not have access to it.** Follow the [remediation guidance](#mpnaccountnotfoundornoaccess). 
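Review bot: in the Common Issues hunk about finding the Global Administrator, the removed step said to sign in "using a user account in your organization's primary tenant" and the replacement drops that qualifier; since the whole point of the question is locating the admins of the tenant the app lives in, keep the primary-tenant requirement next to the role, for example "Sign in to the Microsoft Entra admin center with an account in your organization's primary tenant as at least a Cloud Application Administrator". Same hunk: "as at least an [Cloud Application Adminstrator]" misspells the role and should read "a Cloud Application Administrator", and "If an Cloud Partner Program account already exists" should read "If a Cloud Partner Program account already exists".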
- **When I sign in to the Azure portal, I do not see any apps registered. Why?** Response 204 No Content ``` > [!NOTE]-> *verifiedPublisherID* is your MPN ID. +> *verifiedPublisherID* is your Partner One ID. ### Unset Verified Publisher The following is a list of the potential error codes you may receive, either whe ### MPNAccountNotFoundOrNoAccess -The MPN ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) doesn't exist, or you don't have access to it. Provide a valid Partner One ID and try again. -Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Partner Center- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. Can also be caused by the tenant the app is registered in not being added to the MPN account, or an invalid MPN ID. +Most commonly caused by the signed-in user not being a member of the proper role for the CPP account in Partner Center- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. Can also be caused by the tenant the app is registered in not being added to the CPP account, or an invalid Partner One ID. **Remediation Steps** 1. Go to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) and verify that: - - The MPN ID is correct. - - There are no errors or ΓÇ£pending actionsΓÇ¥ shown, and the verification status under Legal business profile and Partner info both say ΓÇ£authorizedΓÇ¥ or ΓÇ£successΓÇ¥. -2. 
Go to the [MPN tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the [multi-tenant-account instructions](/partner-center/multi-tenant-account). All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account. -3. Go to the [MPN User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions for [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions). + - The Partner One ID is correct. + - There are no errors or "pending actions" shown, and the verification status under Legal business profile and Partner info both say "authorized" or "success". +1. Go to the [CPP tenant management page](https://partner.microsoft.com/dashboard/account/v3/tenantmanagement) and confirm that the tenant the app is registered in and that you're signing with a user account from is on the list of associated tenants. To add another tenant, follow the [multi-tenant-account instructions](/partner-center/multi-tenant-account). All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account. +1. Go to the [CPP User Management page](https://partner.microsoft.com/pcv/users) and confirm the user you're signing in as is either a Global Administrator, MPN Admin, or Accounts Admin. To add a user to a role in Partner Center, follow the instructions for [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions). ### MPNGlobalAccountNotFound -The MPN ID you provided (`MPNID`) isn't valid. 
Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused when an MPN ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. +Most commonly caused when an Partner One ID is provided which corresponds to a Partner Location Account (PLA). Only Partner Global Accounts are supported. See [Partner Center account structure](/partner-center/account-structure) for more details. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. ### MPNAccountInvalid -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. 
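Review bot: in the MPNAccountNotFoundOrNoAccess remediation, step 3 still lists the Partner Center roles as "Global Administrator, MPN Admin, or Accounts Admin" while every other MPN reference in the hunk is renamed to CPP or Partner One ID; either the Partner Center role is still named "MPN Admin", in which case the text is fine but inconsistent-looking, or it needs the same rename, so check it against the linked [creating user accounts and setting permissions](/partner-center/create-user-accounts-and-set-permissions) page rather than leave the hunk half-renamed. Leaving the error-code headings (MPNAccountNotFoundOrNoAccess, MPNGlobalAccountNotFound, MPNAccountInvalid) and the `MPNID` placeholder untouched is correct, since those are the strings the API returns and readers will search for them verbatim. The retained context line "All Global Admins of any tenant you add will be granted Global Administrator privileges on your Partner Center account" is the key security caveat in this section and should stay as is. Minor, in MPNGlobalAccountNotFound: "when an Partner One ID is provided" should be "when a Partner One ID is provided".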
### MPNAccountNotVetted -The MPN ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again. +The Partner One ID (`MPNID`) you provided hasn't completed the vetting process. Complete this process in Partner Center and try again. -Most commonly caused by when the MPN account hasn't completed the [verification](/partner-center/verification-responses) process. +Most commonly caused by when the CPP account hasn't completed the [verification](/partner-center/verification-responses) process. **Remediation Steps** 1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) and verify that there are no errors or **pending actions** shown, and that the verification status under Legal business profile and Partner info both say **authorized** or **success**.-2. If not, view pending action items in Partner Center and troubleshoot with [here](/partner-center/verification-responses) +1. If not, view pending action items in Partner Center and troubleshoot with [here](/partner-center/verification-responses). ### NoPublisherIdOnAssociatedMPNAccount -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. 
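Review bot: in the MPNAccountNotVetted hunk, "Most commonly caused by when the CPP account hasn't completed..." should drop "by", and the remediation "troubleshoot with [here]" reads awkwardly; "and troubleshoot using the [verification responses](/partner-center/verification-responses) guidance" says the same thing. Style point across this and the neighbouring hunks: the two-step block "Navigate to your partner profile > **Identifiers blade** > **Microsoft Cloud Partners Program Tab** / Use the Partner ID with type PartnerGlobal" is now repeated verbatim under MPNGlobalAccountNotFound, MPNAccountInvalid, NoPublisherIdOnAssociatedMPNAccount and MPNIdDoesNotMatchAssociatedMPNAccount; a single "Find your Partner Global ID" subsection that each error links to would be easier to keep in sync the next time the Partner Center UI changes.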
### MPNIdDoesNotMatchAssociatedMPNAccount -The MPN ID you provided (`MPNID`) isn't valid. Provide a valid MPN ID and try again. +The Partner One ID you provided (`MPNID`) isn't valid. Provide a valid Partner One ID and try again. -Most commonly caused by the wrong MPN ID being provided. +Most commonly caused by the wrong Partner One ID being provided. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal. ### ApplicationNotFound -The target application (`AppId`) canΓÇÖt be found. Provide a valid application ID and try again. +The target application (`AppId`) can't be found. Provide a valid application ID and try again. Most commonly caused when verification is being performed via Graph API, and the ID of the application provided is incorrect. **Remediation Steps**-1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application) -2. Log in to [Azure Active Directory](https://aad.portal.azure.com/) with a user account in your organization's primary tenant > Azure Active Directory > App Registrations blade -3. Find your app's registration to view the Object ID +1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **Application registrations**. +1. Find your app's registration to view the Object ID. ### ApplicationObjectisInvalid The target application's object ID is invalid. Please provide a valid ID and try Most commonly caused when the verification is being performed via Graph API, and the ID of the application provided does not exist. **Remediation Steps**-1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application) -2. Log in to [Azure Active Directory](https://aad.portal.azure.com/) with a user account in your organization's primary tenant > Azure Active Directory > App Registrations blade -3. Find your app's registration to view the Object ID +1. The Object ID of the application must be provided, not the AppId/ClientId. See **id** on the list of application properties [here](/graph/api/resources/application). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Find your app's registration to view the Object ID. ### B2CTenantNotAllowed The target application (`AppId`) must have a Publisher Domain set. Set a Publish Occurs when a [Publisher Domain](howto-configure-publisher-domain.md) isn't configured on the app. **Remediation Steps**-1. Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain +Follow the directions [here](./howto-configure-publisher-domain.md#set-a-publisher-domain-in-the-azure-portal) to set a Publisher Domain. ### PublisherDomainMismatch See [requirements](publisher-verification-overview.md) for a list of allowed dom **Remediation Steps** 1. 
Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile), and view the email listed as Primary Contact-2. The domain used to perform email verification in Partner Center is the portion after the ΓÇ£@ΓÇ¥ in the Primary ContactΓÇÖs email -3. Log in to [Azure Active Directory](https://aad.portal.azure.com/) > Azure Active Directory > App Registrations blade > (`Your App`) > Branding and Properties -4. Select **Update Publisher Domain** and follow the instructions to **Verify a New Domain**. -5. Add the domain used to perform email verification in Partner Center as a New Domain +1. The domain used to perform email verification in Partner Center is the portion after the "@" in the Primary Contact's email +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Application registrations** > **Branding and Properties**. +1. Select **Update Publisher Domain** and follow the instructions to **Verify a New Domain**. +1. Add the domain used to perform email verification in Partner Center as a New Domain. ### NotAuthorizedToVerifyPublisher You aren't authorized to set the verified publisher property on application (<`AppId`). -Most commonly caused by the signed-in user not being a member of the proper role for the MPN account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. +Most commonly caused by the signed-in user not being a member of the proper role for the CPP account in Azure AD- see [requirements](publisher-verification-overview.md#requirements) for a list of eligible roles and see [common issues](#common-issues) for more information. **Remediation Steps**-1. 
Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant. -2. Navigate to [Role Management](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators). -3. Select the desired admin role and click ΓÇ£Add AssignmentΓÇ¥ if you have sufficient permissions. -4. If you do not have sufficient permissions, contact an admin role for assistance +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Roles & admins** > **Roles & admins**. +1. Select the desired admin role and select **Add Assignment** if you have sufficient permissions. +1. If you do not have sufficient permissions, contact an admin role for assistance. ### MPNIdWasNotProvided -The MPN ID wasn't provided in the request body or the request content type wasn't "application/json". +The Partner One ID wasn't provided in the request body or the request content type wasn't "application/json". -Most commonly caused when the verification is being performed via Graph API, and the MPN ID wasnΓÇÖt provided in the request. +Most commonly caused when the verification is being performed via Graph API, and the Partner One ID wasnΓÇÖt provided in the request. **Remediation Steps**-1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > Identifiers blade > Microsoft Cloud Partners Program Tab -2. Use the Partner ID with type PartnerGlobal in the request +1. Navigate to your [partner profile](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) > **Identifiers blade** > **Microsoft Cloud Partners Program Tab**. +1. Use the Partner ID with type PartnerGlobal in the request. 
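Review bot: the PublisherDomainMismatch remediation lost a step: the removed line read "App Registrations blade > (`Your App`) > Branding and Properties", but the replacement "Browse to **Identity** > **Applications** > **Application registrations** > **Branding and Properties**" jumps from the registrations list straight to the Branding page without selecting the application; insert "select your application" between the two. That hunk and the ApplicationNotFound and ApplicationObjectisInvalid hunks write "**Application registrations**" where the other tutorials in this change set write "**App registrations**"; pick one name. In the MPNIdWasNotProvided hunk, the added line "the Partner One ID wasnΓÇÖt provided in the request" carries the mis-encoded apostrophe that the other hunks in this change replace with a plain "'".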
### MSANotSupported The error message displayed will be: "Due to a configuration change made by your **Remediation Steps** 1. Ensure [multi-factor authentication](../fundamentals/concept-fundamentals-mfa-get-started.md) is enabled and **required** for the user you're signing in with and for this scenario-2. Retry Publisher Verification +1. Retry Publisher Verification ### UserUnableToAddPublisher If you've reviewed all of the previous information and are still receiving an er - ObjectId of target application - AppId of target application - TenantId where app is registered-- MPN ID+- Partner One ID - REST request being made - Error code and message being returned |
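Review bot: in the NotAuthorizedToVerifyPublisher remediation, the navigation "**Identity** > **Applications** > **Roles & admins** > **Roles & admins**" disagrees with the path given for the same page under Common Issues, "**Identity** > **Roles & admins** > **Roles & admins**"; the **Applications** segment is the one that should go. The same hunk first says to sign in "as at least a Cloud Application Administrator" and then tells the reader to "select **Add Assignment** if you have sufficient permissions", which contradicts stating a sufficient role up front: Cloud Application Administrator is the role this change uses elsewhere for viewing app registrations, not for assigning directory roles. Either name a role that can manage role assignments, or reword the sign-in step to "Sign in ... with an account that can assign roles" and keep the existing fallback "If you do not have sufficient permissions, contact an admin role for assistance".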
active-directory | Tutorial Blazor Webassembly | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-blazor-webassembly.md | We also have a [tutorial for Blazor Server](tutorial-blazor-server.md). - [.NET Core 7.0 SDK](https://dotnet.microsoft.com/download/dotnet-core/7.0) - An Azure AD tenant where you can register an app. If you don't have access to an Azure AD tenant, you can get one by registering with the [Microsoft 365 Developer Program](https://developer.microsoft.com/microsoft-365/dev-program) or by creating an [Azure free account](https://azure.microsoft.com/free). -## Register the app in the Azure portal +## Register the app Every app that uses Azure AD for authentication must be registered with Azure AD. Follow the instructions in [Register an application](quickstart-register-app.md) with these specifications: To create the application, run the following command. Replace the placeholders i dotnet new blazorwasm --auth SingleOrg --calls-graph -o {APP NAME} --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}" -f net7.0 ``` -| Placeholder | Azure portal name | Example | -| - | -- | -- | -| `{APP NAME}` | — | `BlazorWASMSample` | +| Placeholder | Name | Example | +| -- | - |-- | +| `{APP NAME}` | — | `BlazorWASMSample` | | `{CLIENT ID}` | Application (client) ID | `41451fa7-0000-0000-0000-69eff5a761fd` |-| `{TENANT ID}` | Directory (tenant) ID | `e86c78e2-0000-0000-0000-918e0565a45e` | +| `{TENANT ID}` | Directory (tenant) ID | `e86c78e2-0000-0000-0000-918e0565a45e` | ## Test the app Now you'll update your app's registration and code to pull a user's emails and d First, add the `Mail.Read` API permission to the app's registration so that Azure AD is aware that the app will request to access its users' email. -1. In the Azure portal, select your app in **App registrations**. +1. In the Microsoft Entra admin center, select your app in **App registrations**. 1. Under **Manage**, select **API permissions**. 1. 
Select **Add a permission** > **Microsoft Graph**. 1. Select **Delegated Permissions**, then search for and select the **Mail.Read** permission. |
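Review bot: the step "In the Microsoft Entra admin center, select your app in **App registrations**" gives neither a sign-in step nor a navigation path, while the other tutorials in this change set spell out "Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer)" followed by "Browse to **Identity** > **Applications** > **App registrations**"; use the same two lines here so the Mail.Read permission steps can be followed from a cold start. The rest of the hunk (renaming "Azure portal name" to "Name" in the placeholder table and keeping the example GUIDs) is fine.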
active-directory | Tutorial V2 Android | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-android.md | In this tutorial: > [!div class="checklist"] > > - Create an Android app project in _Android Studio_-> - Register the app in the Azure portal +> - Register the app in the Microsoft Entra admin center > - Add code to support user sign-in and sign-out > - Add code to call the Microsoft Graph API > - Test the app Follow these steps to create a new project if you don't already have an Android 1. Open Android Studio, and select **Start a new Android Studio project**. 2. Select **Basic Activity** and select **Next**. 3. Enter a name for the application, such as _MSALAndroidapp_.-4. Record the package name to be used in the Azure portal in later steps. +4. Record the package name to be used in later steps. 5. Change the language from **Kotlin** to **Java**. 6. Set the **Minimum SDK API level** to **API 19** or higher, and select **Finish**. Follow these steps to create a new project if you don't already have an Android [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. For **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. For information on different account types, select the **Help me choose** option. 1. Select **Register**. Follow these steps to create a new project if you don't already have an Android </activity> ``` - - Use your Azure portal **Package name** to replace `android:host=.` value. It should look like `com.azuresamples.msalandroidapp`. - - Use your Azure portal **Signature Hash** to replace `android:path=` value. Ensure that there's a leading `/` at the beginning of your Signature Hash. It should look like `/1wIqXSqBj7w+h11ZifsnqwgyKrY=`. + - Use the **Package name** to replace `android:host=.` value. It should look like `com.azuresamples.msalandroidapp`. + - Use the **Signature Hash** to replace `android:path=` value. Ensure that there's a leading `/` at the beginning of your Signature Hash. It should look like `/1wIqXSqBj7w+h11ZifsnqwgyKrY=`. You can find these values in the Authentication blade of your app registration as well. |
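Review bot: "Record the package name to be used in later steps" no longer says where it is used; the removed text tied it to the app registration, and the later hunk still depends on it ("Use the **Package name** to replace `android:host=.` value"), so say something like "Record the package name; you will enter it in the app registration and in the manifest later". In that later hunk, "You can find these values in the Authentication blade of your app registration as well" keeps the Azure-portal word "blade" after the surrounding text was moved to admin-center wording; "Authentication page" matches the "Browse to **Identity** > **Applications** > **App registrations**" style used above.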
active-directory | Tutorial V2 Angular Auth Code | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-angular-auth-code.md | In this tutorial: > [!div class="checklist"] >-> - Register the application in the Azure portal +> - Register the application in the Microsoft Entra admin center > - Create an Angular project with `npm` > - Add code to support user sign-in and sign-out > - Add code to call Microsoft Graph API To continue with the tutorial and build the application yourself, move on to the To complete registration, provide the application a name, specify the supported account types, and add a redirect URI. Once registered, the application **Overview** pane displays the identifiers needed in the application source code. -1. Sign in to the [Azure portal](https://portal.azure.com). -1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as _Angular-SPA-auth-code_. 1. For **Supported account types**, select **Accounts in this organizational directory only**. 
For information on different account types, select the **Help me choose** option. 1. Under **Redirect URI (optional)**, use the drop-down menu to select **Single-page-application (SPA)** and enter `http://localhost:4200` into the text box. To complete registration, provide the application a name, specify the supported export class AppModule {} ``` -1. Replace the following values with the values obtained from the Azure portal. For more information about available configurable options, see [Initialize client applications](msal-js-initializing-client-applications.md). +1. Replace the following values with the values obtained from the Microsoft Entra admin center. For more information about available configurable options, see [Initialize client applications](msal-js-initializing-client-applications.md). - `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application. - `authority` - This is composed of two parts: MSAL Angular provides an `Interceptor` class that automatically acquires tokens ## Add scopes and delegated permissions -The Microsoft Graph API requires the _User.Read_ scope to read a user's profile. The _User.Read_ scope is added automatically to every app registration you create in the Azure portal. Other APIs for Microsoft Graph, and custom APIs for your back-end server, might require other scopes. For example, the Microsoft Graph API requires the _Mail.Read_ scope in order to list the user's email. +The Microsoft Graph API requires the _User.Read_ scope to read a user's profile. The _User.Read_ scope is added automatically to every app registration. Other APIs for Microsoft Graph, and custom APIs for your back-end server, might require other scopes. For example, the Microsoft Graph API requires the _Mail.Read_ scope in order to list the user's email. 
As you add scopes, your users might be prompted to provide extra consent for the added scopes. |
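Review bot: in the scopes hunk, dropping "you create in the Azure portal" widens the claim to "The _User.Read_ scope is added automatically to every app registration", which the removed line did not say and which does not hold for registrations created outside the portal UI (for example through Microsoft Graph or a CLI, where no default delegated permission is added); keep the qualifier, e.g. "every app registration you create in the Microsoft Entra admin center". The earlier hunk's "Replace the following values with the values obtained from the Microsoft Entra admin center" is consistent with the **Overview** pane mentioned at the top of the section.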
active-directory | Tutorial V2 Aspnet Daemon Web App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md | In this tutorial: > * Get an access token to call the Microsoft Graph API > * Call the Microsoft Graph API. -If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. +If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. ## Prerequisites - [Visual Studio 2017 or 2019](https://visualstudio.microsoft.com/downloads/). - An Azure AD tenant. For more information, see [How to get an Azure AD tenant](quickstart-create-new-tenant.md).-- One or more user accounts in your Azure AD tenant. This sample won't work with a Microsoft account. If you signed in to the [Azure portal](https://portal.azure.com) with a Microsoft account and have never created a user account in your directory, do that now.+- One or more user accounts in your tenant. This sample won't work with a Microsoft account. If you signed in with a Microsoft account and have never created a user account in your directory, do that now. ## Scenario Or [download the sample in a zip file](https://github.com/Azure-Samples/ms-ident This sample has one project. To register the application with your Azure AD tenant, you can either: -- Follow the steps in [Register the sample with your Azure Active Directory tenant](#register-the-client-app-dotnet-web-daemon-v2) and [Configure the sample to use your Azure AD tenant](#choose-the-azure-ad-tenant).+- Follow the steps in [Choose the tenant](#choose-the-tenant) and [Configure the sample to use your tenant](#configure-the-sample-to-use-your-tenant). - Use PowerShell scripts that: - *Automatically* create the Azure AD applications and related objects (passwords, permissions, dependencies) for you. 
- Modify the Visual Studio projects' configuration files. If you want to use the automation: If you don't want to use the automation, use the steps in the following sections. -### Choose the Azure AD tenant +### Choose the tenant [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. ---### Register the client app (dotnet-web-daemon-v2) --1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application, for example `dotnet-web-daemon-v2`. Users of your app might see this name, and you can change it later. 1. In the **Supported account types** section, select **Accounts in any organizational directory**. 1. In the **Redirect URI (optional)** section, select **Web** in the combo box and enter `https://localhost:44316/` and `https://localhost:44316/Account/GrantPermissions` as Redirect URIs. If you don't want to use the automation, use the steps in the following sections 1. 
In the **Application permissions** section, ensure that the right permissions are selected: **User.Read.All**. 1. Select **Add permissions**. -## Configure the sample to use your Azure AD tenant +## Configure the sample to use your tenant In the following steps, **ClientID** is the same as "application ID" or **AppId**. Open the solution in Visual Studio to configure the projects. If you used the setup scripts, the following changes will have been applied for you. 1. Open the **UserSync\Web.Config** file.-1. Find the app key **ida:ClientId**. Replace the existing value with the application ID of the **dotnet-web-daemon-v2** application copied from the Azure portal. -1. Find the app key **ida:ClientSecret**. Replace the existing value with the key that you saved during the creation of the **dotnet-web-daemon-v2** app in the Azure portal. +1. Find the app key **ida:ClientId**. Replace the existing value with the application ID of the **dotnet-web-daemon-v2** application that was previously recorded. +1. Find the app key **ida:ClientSecret**. Replace the existing value with the key that you saved during the creation of the **dotnet-web-daemon-v2** app. ## Run the sample Visual Studio will publish the project and automatically open a browser to the p ### Update the Azure AD tenant application registration for dotnet-web-daemon-v2 -1. Go back to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. In the left pane, select the **Azure Active Directory** service, and then select **App registrations**. -1. Select the **dotnet-web-daemon-v2** application. +1. Go back to the Microsoft Entra admin center, and then select the **dotnet-web-daemon-v2** application in **App registrations**. 1. On the **Authentication** page for your application, update the **Front-channel logout URL** fields with the address of your service. For example, use `https://dotnet-web-daemon-v2-contoso.azurewebsites.net/Account/EndSession`. 1. 
From the **Branding** menu, update the **Home page URL** to the address of your service. For example, use `https://dotnet-web-daemon-v2-contoso.azurewebsites.net`. 1. Save the configuration. |
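Review bot: the heading "Update the Azure AD tenant application registration for dotnet-web-daemon-v2" is left unchanged in the hunk that replaces the Azure portal navigation steps with the single Microsoft Entra admin center step, while the other headings touched by this change drop "Azure AD" ("Choose the tenant", "Configure the sample to use your tenant"); rename it to match, for example "Update the tenant application registration for dotnet-web-daemon-v2".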
active-directory | Tutorial V2 Ios | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-ios.md | In this tutorial: > [!div class="checklist"] > > - Create an iOS or macOS app project in _Xcode_-> - Register the app in the Azure portal +> - Register the app in the Microsoft Entra admin center > - Add code to support user sign-in and sign-out > - Add code to call the Microsoft Graph API > - Test the app If you'd like to download a completed version of the app you build in this tutor 5. Set the **Language** to **Swift** and select **Next**. 6. Select a folder to create your app and select **Create**. -## Register your application +## Register the application [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. 1. 
Select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)** under **Supported account types**. 1. Select **Register**. carthage update --platform macOS You can also use Git Submodule, or check out the latest release to use as a framework in your application. -## Add your app registration +## Add the app registration Next, we add your app registration to your code. import MSAL Next, add the following code to _ViewController.swift_ before to `viewDidLoad()`: ```swift-// Update the below to your client ID you received in the portal. The below is for running the demo only +// Update the below to your client ID. The below is for running the demo only let kClientID = "Your_Application_Id_Here" let kGraphEndpoint = "https://graph.microsoft.com/" // the Microsoft Graph endpoint let kAuthority = "https://login.microsoftonline.com/common" // this authority allows a personal Microsoft account and a work or school account in any organization's Azure AD tenant to sign in var webViewParameters : MSALWebviewParameters? var currentAccount: MSALAccount? ``` -The only value you modify is the value assigned to `kClientID` to be your [Application ID](./developer-glossary.md#application-client-id). This value is part of the MSAL Configuration data that you saved during the step at the beginning of this tutorial to register the application in the Azure portal. +The only value you modify is the value assigned to `kClientID` to be your [Application ID](./developer-glossary.md#application-client-id). This value is part of the MSAL Configuration data that you saved during the step at the beginning of this tutorial to register the application. ## Configure Xcode project settings Add a new keychain group to your project **Signing & Capabilities**. The keychai In this step, you'll register `CFBundleURLSchemes` so that the user can be redirected back to the app after sign in. 
By the way, `LSApplicationQueriesSchemes` also allows your app to make use of Microsoft Authenticator. -In Xcode, open _Info.plist_ as a source code file, and add the following inside of the `<dict>` section. Replace `[BUNDLE_ID]` with the value you used in the Azure portal. If you downloaded the code, the bundle identifier is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section. +In Xcode, open _Info.plist_ as a source code file, and add the following inside of the `<dict>` section. Replace `[BUNDLE_ID]` with the value you previously used. If you downloaded the code, the bundle identifier is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section. ```xml <key>CFBundleURLTypes</key> This app is built for a single account scenario. MSAL also supports multi-accoun Build and deploy the app to a test device or simulator. You should be able to sign in and get tokens for Azure AD or personal Microsoft accounts. -The first time a user signs into your app, they'll be prompted by Microsoft identity to consent to the permissions requested. While most users are capable of consenting, some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, register your app's scopes in the Azure portal. +The first time a user signs into your app, they'll be prompted by Microsoft identity to consent to the permissions requested. While most users are capable of consenting, some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, register your app's scopes. After you sign in, the app will display the data returned from the Microsoft Graph `/me` endpoint. |
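Review bot: the hunk that rewrites the `kClientID` comment keeps the context line "add the following code to _ViewController.swift_ before to `viewDidLoad()`", which carries a pre-existing typo; since this hunk already edits the neighbouring line, change it to "before `viewDidLoad()`" in the same commit.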
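Review bot: the admin-consent hunk now ends with "To support this scenario, register your app's scopes." and no longer says where; the removed sentence named the Azure portal, so the replacement should name the Microsoft Entra admin center (the same location the "Register the application" section above uses), otherwise the reader has no pointer to follow.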
active-directory | Tutorial V2 Shared Device Mode | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-shared-device-mode.md | In this tutorial: > - Enable and detect shared-device mode > - Detect single or multiple account mode > - Detect a user switch, and enable global sign-in and sign-out-> - Set up tenant and register the application in the Azure portal +> - Set up tenant and register the application > - Set up an Android device in shared-device mode > - Run the sample app private void registerAccountChangeBroadcastReceiver(){ ## Administrator guide -The following steps describe setting up your application in the Azure portal and putting your device into shared-device mode. +The following steps describe setting up your application and putting your device into shared-device mode. -### Register your application in Azure Active Directory +### Register the application -First, register your application within your organizational tenant. Then provide these values below in auth_config.json in order for your application to run correctly. +First, register the application within your organizational tenant. Then provide these values below in auth_config.json in order for your application to run correctly. -For information on how to do this, refer to [Register your application](./tutorial-v2-android.md#register-your-application-with-azure-ad). +For information on how to do this, refer to [Register your application](./tutorial-v2-android.md). > [!NOTE] > When you register your app, please use the quickstart guide on the left-hand side and then select **Android**. This will lead you to a page where you'll be asked to provide the **Package Name** and **Signature Hash** for your app. These are very important to ensure your app configuration will work. You'll then receive a configuration object that you can use for your app that you'll cut and paste into your auth_config.json file. 
-You should select **Make this change for me** and then provide the values the quickstart asks for in the Azure portal. When that's done, we'll generate all the configuration files you need. +You should select **Make this change for me** and then provide the values the quickstart asks for. When that's done, we'll generate all the configuration files you need. ## Set up a tenant -For testing purposes, set up the following in your tenant: at least two employees, one Cloud Device Administrator, and one Global Administrator. In the Azure portal, set the Cloud Device Administrator by modifying Organizational Roles. In the Azure portal, access your Organizational Roles by selecting **Azure Active Directory** > **Roles and Administrators** > **Cloud Device Administrator**. Add the users that can put a device into shared mode. +For testing purposes, set up the following in your tenant: at least two employees, one Cloud Device Administrator, and one Global Administrator. Set the Cloud Device Administrator by modifying Organizational Roles. Access your Organizational Roles by selecting **Identity** > **Roles & admins** > **Roles & admins** > **All roles**, and then select **Cloud Device Administrator**. Add the users that can put a device into shared mode. ## Set up an Android device in shared mode The device is now in shared mode. Any sign-ins and sign-outs on the device will be global, meaning they apply to all apps that are integrated with MSAL and Microsoft Authenticator on the device. You can now deploy applications to the device that use shared-device mode features. -## View the shared device in the Azure portal +## View the shared device -Once you've put a device in shared-mode, it becomes known to your organization and is tracked in your organizational tenant. You can view your shared devices by looking at the **Join Type** in the Azure Active Directory blade of your Azure portal. 
+Once you've put a device in shared-mode, it becomes known to your organization and is tracked in your organizational tenant. You can view your shared devices by looking at the **Join Type**. ## Running the sample app |
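Review bot: the hunk that shortens the "Register the application" link drops the `#register-your-application-with-azure-ad` fragment, so "[Register your application](./tutorial-v2-android.md)" now lands at the top of the Android tutorial instead of its registration section; if the anchor was renamed, point at the new anchor rather than removing it.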
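Review bot: the "View the shared device" hunk replaces "looking at the **Join Type** in the Azure Active Directory blade of your Azure portal" with "looking at the **Join Type**", which no longer says on which admin-center page that column appears; the removed sentence gave a location, so the new one should give the Microsoft Entra admin center equivalent, as the "Set up a tenant" step in this same change does for roles.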
active-directory | Tutorial V2 Windows Desktop | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-windows-desktop.md | In this tutorial: > > - Create a _Windows Presentation Foundation (WPF)_ project in Visual Studio > - Install the Microsoft Authentication Library (MSAL) for .NET-> - Register the application in the Azure portal +> - Register the application > - Add code to support user sign-in and sign-out > - Add code to call Microsoft Graph API > - Test the app The sample application that you create with this guide enables a Windows Desktop After the user is authenticated, the sample application receives a token you can use to query Microsoft Graph API or a web API that's secured by the Microsoft identity platform. -APIs such as Microsoft Graph require a token to allow access to specific resources. For example, a token is required to read a userΓÇÖs profile, access a userΓÇÖs calendar, or send email. Your application can request an access token by using MSAL to access these resources by specifying API scopes. This access token is then added to the HTTP Authorization header for every call that's made against the protected resource. +APIs such as Microsoft Graph require a token to allow access to specific resources. For example, a token is required to read a user's profile, access a user's calendar, or send email. Your application can request an access token by using MSAL to access these resources by specifying API scopes. This access token is then added to the HTTP Authorization header for every call that's made against the protected resource. MSAL manages caching and refreshing access tokens for you, so that your application doesn't need to. 
MSAL manages caching and refreshing access tokens for you, so that your applicat This guide uses the following NuGet packages: -| Library | Description | -| - | - | +| Library | Description | +| - | -- | | [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client) | Microsoft Authentication Library (MSAL.NET) | ## Set up your project Create the application using the following steps: [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)] -You can register your application in either of two ways. --### Option 1: Express mode --Use the following steps to register your application: --1. Sign in to the <a href="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/WinDesktopQuickstartPage/sourceType/docs" target="_blank">Azure portal - App registrations</a> quickstart experience. -1. Enter a name for your application and select **Register**. -1. Follow the instructions to download and automatically configure your new application. --### Option 2: Advanced mode -- To register and configure your application, follow these steps: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. -1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. -1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). +1. 
If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application, for example `Win-App-calling-MsGraph`. Users of your app might see this name, and you can change it later. 1. In the **Supported account types** section, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. 1. Select **Register**. In this section, you use MSAL to get a token for the Microsoft Graph API. #### Get a user token interactively -Calling the `AcquireTokenInteractive` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time they need to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails (for example, when a userΓÇÖs password is expired). +Calling the `AcquireTokenInteractive` method results in a window that prompts users to sign in. Applications usually require users to sign in interactively the first time they need to access a protected resource. They might also need to sign in when a silent operation to acquire a token fails (for example, when a user's password is expired). #### Get a user token silently |
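Review bot: the hunk that replaces the registration steps deletes "Option 1: Express mode" (the quickstart link that downloads and configures the app automatically) and "Option 2: Advanced mode" outright rather than updating the express-mode link; if the quickstart experience still exists, keep it as the first option with a current link, and if it is being retired on purpose, say so in the commit message so the removal of that path is deliberate rather than collateral.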
active-directory | Tutorial V2 Windows Uwp | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-windows-uwp.md | private async Task DisplayMessageAsync(string message) Now, register your application: -1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations** > **New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for your application, for example `UWP-App-calling-MSGraph`. Users of your app might see this name, and you can change it later. 1. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)**. 1. Select **Register**. Now, register your application: Configure authentication for your application: -1. Back in the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, under **Manage**, select **Authentication** > **Add a platform**, and then select **Mobile and desktop applications**. +1. In to the Microsoft Entra admin center, select **Authentication** > **Add a platform**, and then select **Mobile and desktop applications**. 1. In the **Redirect URIs** section, enter `https://login.microsoftonline.com/common/oauth2/nativeclient`. 1. Select **Configure**. Configure API permissions for your application: -1. 
Under **Manage**, select **API permissions** > **Add a permission**. +1. Select **API permissions** > **Add a permission**. 1. Select **Microsoft Graph**. 1. Select **Delegated permissions**, search for *User.Read*, and verify that **User.Read** is selected. 1. If you made any changes, select **Add permissions** to save them. In the current sample, the `WithRedirectUri("https://login.microsoftonline.com/c You can then remove the line of code because it's required only once, to fetch the value. -3. In the app registration portal, add the returned value in **RedirectUri** in the **Authentication** pane. +3. In the Microsoft Entra admin center, add the returned value in **RedirectUri** in the **Authentication** pane. ## Test your code |
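Review bot: "In to the Microsoft Entra admin center, select **Authentication** > **Add a platform**" in the authentication-configuration hunk reads as a typo for "In the Microsoft Entra admin center"; also, because the "under **Manage**" qualifier was dropped, consider saying that **Authentication** is found on the app registration just created, so the step is not taken as a top-level menu item.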
active-directory | V2 App Types | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-app-types.md | -The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios). +The Microsoft identity platform supports authentication for various modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](./v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-types). ## The basics |
active-directory | V2 Howto Get Appsource Certified | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-howto-get-appsource-certified.md | To list a standalone SaaS application on AppSource, your application must accept A *multi-tenant application* is an application that accepts sign-ins from users from any company or organization that have Azure AD without requiring a separate instance, configuration, or deployment. AppSource recommends that applications implement multi-tenancy to enable the *single-click* free trial experience. To enable multi-tenancy on your application, follow these steps:-1. Set `Multi-Tenanted` property to `Yes` on your application registration's information in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps). By default, applications created in the Azure portal are configured as *[single-tenant](#single-tenant-applications)*. +1. Set `Multi-Tenanted` property to `Yes` on your application registration's information in the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade). By default, applications created in the Microsoft Entra admin center are configured as *[single-tenant](#single-tenant-applications)*. 1. Update your code to send requests to the `common` endpoint. To do this, update the endpoint from `https://login.microsoftonline.com/{yourtenant}` to `https://login.microsoftonline.com/common*`. 1. For some platforms, like ASP.NET, you need also to update your code to accept multiple issuers. |
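Review bot: the unchanged context line in this hunk reads "update the endpoint from `https://login.microsoftonline.com/{yourtenant}` to `https://login.microsoftonline.com/common*`", where the trailing `*` inside the code span is a stray character that a reader could copy into the endpoint; since the list item above it is already being edited, drop the asterisk in the same change.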
active-directory | V2 Oauth Ropc | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth-ropc.md | Title: Sign in with resource owner password credentials grant + Title: Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials description: Support browser-less authentication flows using the resource owner password credential (ROPC) grant. The Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password > [!WARNING] > Microsoft recommends you do _not_ use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable. - > [!IMPORTANT] > > * The Microsoft identity platform only supports the ROPC grant within Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint. |
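Review bot: the hunk after the [!WARNING] quote removes what appears to be the blank line that separated it from the `> [!IMPORTANT]` block; without an empty line between two `>` blocks they merge into a single blockquote and the `[!IMPORTANT]` alert marker no longer begins its own block, so keep the blank separator (the title change in the front matter is fine).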
active-directory | V2 Oauth2 Implicit Grant Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md | Title: OAuth 2.0 implicit grant flow - The Microsoft identity platform + Title: Microsoft identity platform and OAuth 2.0 implicit grant flow description: Secure single-page apps using Microsoft identity platform implicit flow. -# Microsoft identity platform and implicit grant flow +# Microsoft identity platform and OAuth 2.0 implicit grant flow The Microsoft identity platform supports the OAuth 2.0 implicit grant flow as described in the [OAuth 2.0 Specification](https://tools.ietf.org/html/rfc6749#section-4.2). The defining characteristic of the implicit grant is that tokens (ID tokens or access tokens) are returned directly from the /authorize endpoint instead of the /token endpoint. This is often used as part of the [authorization code flow](v2-oauth2-auth-code-flow.md), in what is called the "hybrid flow" - retrieving the ID token on the /authorize request along with an authorization code. The following diagram shows what the entire implicit sign-in flow looks like and To initially sign the user into your app, you can send an [OpenID Connect](v2-protocols-oidc.md) authentication request and get an `id_token` from the Microsoft identity platform. > [!IMPORTANT]-> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned: `The provided value for the input parameter 'response_type' is not allowed for this client. 
Expected value is 'code'` +> To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and **access tokens** in the **Implicit grant and hybrid flows** section. If it's not enabled, an `unsupported_response` error will be returned: +> +> `The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'` ``` // Line breaks for legibility only client_id=6731de76-14a6-49ae-97bc-6eba6914391e | | | | | `tenant` | required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](./v2-protocols.md#endpoints).Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.| | `client_id` | required | The Application (client) ID that the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page assigned to your app. |-| `response_type` | required |Must include `id_token` for OpenID Connect sign-in. It may also include the response_type `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, user.read on Microsoft Graph). It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This id_token+code response is sometimes called the hybrid flow. 
| -| `redirect_uri` | recommended |The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uris you registered in the portal, except it must be URL-encoded. | -| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (id_tokens), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | +| `response_type` | required | Must include `id_token` for OpenID Connect sign-in. It may also include the `response_type`, `token`. Using `token` here will allow your app to receive an access token immediately from the authorize endpoint without having to make a second request to the authorize endpoint. If you use the `token` response_type, the `scope` parameter must contain a scope indicating which resource to issue the token for (for example, `user.read` on Microsoft Graph). It can also contain `code` in place of `token` to provide an authorization code, for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). This `id_token`+`code` response is sometimes called the hybrid flow. | +| `redirect_uri` | recommended |The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except it must be URL-encoded. | +| `scope` | required |A space-separated list of [scopes](./permissions-consent-overview.md). For OpenID Connect (`id_tokens`), it must include the scope `openid`, which translates to the "Sign you in" permission in the consent UI. 
Optionally you may also want to include the `email` and `profile` scopes for gaining access to additional user data. You may also include other scopes in this request for requesting consent to various resources, if an access token is requested. | | `response_mode` | optional |Specifies the method that should be used to send the resulting token back to your app. Defaults to query for just an access token, but fragment if the request includes an id_token. | | `state` | recommended |A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. |-| `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | -| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. 
`prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | +| `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting ID token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. | +| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, `select_account`, and `consent`. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via SSO, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. | | `login_hint` | optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the `login_hint` [optional claim](./optional-claims.md) from an earlier sign-in. | | `domain_hint` | optional |If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. This parameter is commonly used for Line of Business apps that operate in a single tenant, where they'll provide a domain name within a given tenant, forwarding the user to the federation provider for that tenant. 
This hint prevents guests from signing into this application, and limits the use of cloud credentials like FIDO. | code=0.AgAAktYV-sfpYESnQynylW_UKZmH-C9y_G1A | | | | `code` | Included if `response_type` includes `code`. It's an authorization code suitable for use in the [authorization code flow](v2-oauth2-auth-code-flow.md). | | `access_token` |Included if `response_type` includes `token`. The access token that the app requested. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. |-| `token_type` |Included if `response_type` includes `token`. Will always be `Bearer`. | +| `token_type` |Included if `response_type` includes `token`. This will always be `Bearer`. | | `expires_in`|Included if `response_type` includes `token`. Indicates the number of seconds the token is valid, for caching purposes. | | `scope` |Included if `response_type` includes `token`. Indicates the scope(s) for which the access_token will be valid. May not include all the requested scopes if they weren't applicable to the user. For example, Azure AD-only scopes requested when logging in using a personal account. |-| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token reference`](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested and `response_type` included `id_tokens`. | +| `id_token` | A signed JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about ID tokens, see the [`id_token reference`](id-tokens.md). 
<br> **Note:** Only provided if `openid` scope was requested and `response_type` included `id_tokens`. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | [!INCLUDE [remind-not-to-validate-access-tokens](includes/remind-not-to-validate-access-tokens.md)] For details on the query parameters in the URL, see [send the sign in request](# > [!TIP] > Try copy & pasting the request below into a browser tab! (Don't forget to replace the `login_hint` values with the correct value for your user) >->`https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=fragment&state=12345&nonce=678910&prompt=none&login_hint={your-username}` +> ``` +> https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&scope=https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&response_mode=fragment&state=12345&nonce=678910&prompt=none&login_hint={your-username} +> ``` > > Note that this will work even in browsers without third party cookie support, since you're entering this directly into a browser bar as opposed to opening it within an iframe. access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q.. | Parameter | Description | | | | | `access_token` |Included if `response_type` includes `token`. The access token that the app requested, in this case for the Microsoft Graph. The access token shouldn't be decoded or otherwise inspected, it should be treated as an opaque string. |-| `token_type` | Will always be `Bearer`. | +| `token_type` | This will always be `Bearer`. 
| | `expires_in` | Indicates the number of seconds the token is valid, for caching purposes. |-| `scope` | Indicates the scope(s) for which the access_token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | +| `scope` | Indicates the scope(s) for which the access token will be valid. May not include all of the scopes requested, if they weren't applicable to the user (in the case of Azure AD-only scopes being requested when a personal account is used to log in). | | `id_token` | A signed JSON Web Token (JWT). Included if `response_type` includes `id_token`. The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it shouldn't rely on them for any authorization or security boundaries. For more information about id_tokens, see the [`id_token` reference](id-tokens.md). <br> **Note:** Only provided if `openid` scope was requested. | | `state` |If a state parameter is included in the request, the same value should appear in the response. The app should verify that the state values in the request and response are identical. | If you receive this error in the iframe request, the user must interactively sig ## Refreshing tokens -The implicit grant does not provide refresh tokens. Both `id_token`s and `access_token`s will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. If you want to receive a new `id_token`, be sure to use `id_token` in the `response_type` and `scope=openid`, as well as a `nonce` parameter. +The implicit grant does not provide refresh tokens. 
Both ID tokens and access tokens will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the `prompt=none` parameter to control the identity platform's behavior. If you want to receive a new ID token, be sure to use `id_token` in the `response_type` and `scope=openid`, as well as a `nonce` parameter. In browsers that do not support third party cookies, this will result in an error indicating that no user is signed in. |
active-directory | V2 Oauth2 On Behalf Of Flow | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md | This access token is a v1.0-formatted token for Microsoft Graph. This is because An error response is returned by the token endpoint when trying to acquire an access token for the downstream API, if the downstream API has a Conditional Access policy (such as [multifactor authentication](../authentication/concept-mfa-howitworks.md)) set on it. The middle-tier service should surface this error to the client application so that the client application can provide the user interaction to satisfy the Conditional Access policy. +To [surface this error back](https://datatracker.ietf.org/doc/html/rfc6750#section-3.1) to the client, the middle-tier service will reply with HTTP 401 Unauthorized and with a WWW-Authenticate HTTP header containing the error and the claim challenge. The client must parse this header and acquire a new token from the token issuer, by presenting the claims challenge if one exists. Clients should not retry to access the middle-tier service using a cached access token. + ```json { "error":"interaction_required", |
active-directory | Web Api Tutorial 01 Register App | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-api-tutorial-01-register-app.md | In this tutorial: To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **App registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as *NewWebAPI1*. 1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select **Help me choose** option. 1. Select **Register**. |
active-directory | Web App Tutorial 01 Register Application | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-tutorial-01-register-application.md | In this tutorial: To complete registration, provide the application a name and specify the supported account types. Once registered, the application **Overview** page will display the identifiers needed in the application source code. -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer). 1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.-1. Search for and select **Azure Active Directory**. -1. Under **Manage**, select **App registrations > New registration**. +1. Browse to **Identity** > **Applications** > **Application registrations**. +1. Select **New registration**. 1. Enter a **Name** for the application, such as *NewWebApp1*. 1. For Supported account types, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. - The **Redirect URI (optional)** will be configured at a later stage. |
active-directory | Whats New Docs | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/whats-new-docs.md | +## August 2023 ++### Updated articles ++- [Call an ASP.NET Core web API with cURL](howto-call-a-web-api-with-curl.md) - Updated sign-in steps for admin center +- [Troubleshoot publisher verification](troubleshoot-publisher-verification.md) - Removed references to aad.portal.azure.com and terminology updates for partner program updates +- [Configure a custom claim provider token issuance event (preview)](custom-extension-get-started.md) - Updated MS Graph sections - custom claim provider token issuance event tutorial and custom authentication extensions references +- [Customize claims issued in the JSON web token (JWT) for enterprise applications](jwt-claims-customization.md) - Updated sign-in steps for admin center +- [Access tokens in the Microsoft identity platform](access-tokens.md) - Updated details about issuer validation + ## July 2023 ### New articles Welcome to what's new in the Microsoft identity platform documentation. 
This art - [Tokens and claims overview](security-tokens.md) - Editorial review of security tokens - [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md) - Editorial review - [What's new for authentication?](reference-breaking-changes.md) - Identity breaking change: omission of unverified emails by default--## May 2023 --### New articles --- [Access token claims reference](access-token-claims-reference.md)-- [Directory extension attributes in claims](schema-extensions.md)-- [Provide optional claims to your app](optional-claims.md)--### Updated articles --- [Application and service principal objects in Azure Active Directory](app-objects-and-service-principals.md)-- [What's new for authentication?](reference-breaking-changes.md)-- [A web app that calls web APIs: Acquire a token for the app](scenario-web-app-call-api-acquire-token.md)-- [A web app that calls web APIs: Code configuration](scenario-web-app-call-api-app-configuration.md)-- [A web app that calls web APIs: Call a web API](scenario-web-app-call-api-call-api.md)-- [A web API that calls web APIs: Acquire a token for the app](scenario-web-api-call-api-acquire-token.md)-- [A web API that calls web APIs: Code configuration](scenario-web-api-call-api-app-configuration.md)-- [A web API that calls web APIs: Call an API](scenario-web-api-call-api-call-api.md)-- [Confidential client assertions](msal-net-client-assertions.md)-- [Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview)](jwt-claims-customization.md)-- [Customize claims issued in the SAML token for enterprise applications](saml-claims-customization.md)-- [Desktop app that calls web APIs: Acquire a token by using WAM](scenario-desktop-acquire-token-wam.md)-- [Desktop app that calls web APIs: Acquire a token interactively](scenario-desktop-acquire-token-interactive.md)-- [Handle errors and exceptions in MSAL for Python](msal-error-handling-python.md)-- [Protected web API: Code 
configuration](scenario-protected-web-api-app-configuration.md)-- [Shared device mode for iOS devices](msal-ios-shared-devices.md)-- [Tutorial: Sign in users and call the Microsoft Graph API from an Android application](tutorial-v2-android.md)-- [Tutorial: Sign in users and call the Microsoft Graph API from an Angular single-page application (SPA) using auth code flow](tutorial-v2-angular-auth-code.md)-- [Web app that signs in users: Code configuration](scenario-web-app-sign-user-app-configuration.md) |
active-directory | Assign Local Admin | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md | When you connect a Windows device with Azure AD using an Azure AD join, Azure AD - The Azure AD joined device local administrator role - The user performing the Azure AD join -By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been *only* assigned the device administrator role to manage a device. +By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to users with the Global Administrator role, you can also enable users that have been *only* assigned the Azure AD Joined Device Local Administrator role to manage a device. 
-## Manage the global administrators role +## Manage the Global Administrator role -To view and update the membership of the Global Administrator role, see: +To view and update the membership of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) role, see: - [View all members of an administrator role in Azure Active Directory](../roles/manage-roles-portal.md) - [Assign a user to administrator roles in Azure Active Directory](../fundamentals/how-subscriptions-associated-directory.md) -## Manage the device administrator role +## Manage the Azure AD Joined Device Local Administrator role +You can manage the [Azure AD Joined Device Local Administrator](/azure/active-directory/roles/permissions-reference#azure-ad-joined-device-local-administrator) role from **Device settings**. -In the Azure portal, you can manage the device administrator role from **Device settings**. --1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator. -1. Browse to **Azure Active Directory** > **Devices** > **Device settings**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Browse to **Identity** > **Devices** > **All devices** > **Device settings**. 1. Select **Manage Additional local administrators on all Azure AD joined devices**. 1. Select **Add assignments** then choose the other administrators you want to add and select **Add**. -To modify the device administrator role, configure **Additional local administrators on all Azure AD joined devices**. +To modify the Azure AD Joined Device Local Administrator role, configure **Additional local administrators on all Azure AD joined devices**. > [!NOTE] > This option requires Azure AD Premium licenses. -Device administrators are assigned to all Azure AD joined devices. 
You canΓÇÖt scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: +Azure AD Joined Device Local Administrators are assigned to all Azure AD joined devices. You canΓÇÖt scope this role to a specific set of devices. Updating the Azure AD Joined Device Local Administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen: - Upto 4 hours have passed for Azure AD to issue a new Primary Refresh Token with the appropriate privileges. - User signs out and signs back in, not lock/unlock, to refresh their profile. -Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token. +Users aren't directly listed in the local administrator group, the permissions are received through the Primary Refresh Token. > [!NOTE] > The above actions are not applicable to users who have not signed in to the relevant device previously. In this case, the administrator privileges are applied immediately after their first sign-in to the device. ## Manage administrator privileges using Azure AD groups (preview) -Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices. 
+Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you with the granularity to configure distinct administrators for different groups of devices. Organizations can use Intune to manage these policies using [Custom OMA-URI Settings](/mem/intune/configuration/custom-settings-windows-10) or [Account protection policy](/mem/intune/protect/endpoint-security-account-protection-policy). A few considerations for using this policy: -- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID is defined by the property `securityIdentifier` in the API response.+- Adding Azure AD groups through the policy requires the group's SID that can be obtained by executing the [Microsoft Graph API for Groups](/graph/api/resources/group). The SID equates to the property `securityIdentifier` in the API response. - Administrator privileges using this policy are evaluated only for the following well-known groups on a Windows 10 or newer device - Administrators, Users, Guests, Power Users, Remote Desktop Users and Remote Management Users. 
By default, Azure AD adds the user performing the Azure AD join to the administr - [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) - Windows Autopilot provides you with an option to prevent primary user performing the join from becoming a local administrator by [creating an Autopilot profile](/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).-- [Bulk enrollment](/intune/windows-bulk-enroll) - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an auto-created user. Users signing in after a device has been joined aren't added to the administrators group. +- [Bulk enrollment](/intune/windows-bulk-enroll) - An Azure AD join that is performed in the context of a bulk enrollment happens in the context of an autocreated user. Users signing in after a device has been joined aren't added to the administrators group. ## Manually elevate a user on a device Additionally, you can also add users using the command prompt: ## Considerations -- You can only assign role based groups to the device administrator role.-- Device administrators are assigned to all Azure AD Joined devices. They can't be scoped to a specific set of devices.+- You can only assign role based groups to the Azure AD Joined Device Local Administrator role. +- The Azure AD Joined Device Local Administrator role is assigned to all Azure AD Joined devices. This role can't be scoped to a specific set of devices. - Local administrator rights on Windows devices aren't applicable to [Azure AD B2B guest users](../external-identities/what-is-b2b.md).-- When you remove users from the device administrator role, changes aren't instant. Users still have local administrator privilege on a device as long as they're signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. 
This revocation, similar to the privilege elevation, could take upto 4 hours.+- When you remove users from the Azure AD Joined Device Local Administrator role, changes aren't instant. Users still have local administrator privilege on a device as long as they're signed in to it. The privilege is revoked during their next sign-in when a new primary refresh token is issued. This revocation, similar to the privilege elevation, could take upto 4 hours. ## Next steps -- To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).+- To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md). - To learn more about device-based Conditional Access, see [Conditional Access: Require compliant or hybrid Azure AD joined device](../conditional-access/howto-conditional-access-policy-compliant-device.md). |
active-directory | Concept Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/concept-primary-refresh-token.md | The following diagrams illustrate the underlying details in issuing, renewing, a > [!NOTE] > In Azure AD joined devices, Azure AD PRT issuance (steps A-F) happens synchronously before the user can logon to Windows. In hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. So, the user is able to login hybrid Azure AD joined Windows after they can acquire a TGT to login, while the PRT issuance happens asynchronously. This scenario does not apply to Azure AD registered devices as logon does not use Azure AD credentials. +> [!NOTE] +> In a Hybrid Azure AD joined Windows environment, the issuance of the PRT occurs asynchronously. The issuance of the PRT may fail due to issues with the federation provider. This failure can result in sign on issues when users try to access cloud resources. It is important to troubleshoot this scenario with the federation provider. + | Step | Description | | :: | | | A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. | |
active-directory | Device Join Out Of Box | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/device-join-out-of-box.md | Your device may restart several times as part of the setup process. Your device :::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-device-sign-in-info.png" alt-text="Screenshot of Windows 11 out-of-box experience showing the sign-in experience."::: 1. Continue to follow the prompts to set up your device. 1. Azure AD checks if an enrollment in mobile device management is required and starts the process.- 1. Windows registers the device in the organizationΓÇÖs directory in Azure AD and enrolls it in mobile device management, if applicable. + 1. Windows registers the device in the organizationΓÇÖs directory and enrolls it in mobile device management, if applicable. 1. If you sign in with a managed user account, Windows takes you to the desktop through the automatic sign-in process. Federated users are directed to the Windows sign-in screen to enter your credentials. :::image type="content" source="media/device-join-out-of-box/windows-11-first-run-experience-complete-automatic-sign-in-desktop.png" alt-text="Screenshot of Windows 11 at the desktop after first run experience Azure AD joined."::: To verify whether a device is joined to your Azure AD, review the **Access work ## Next steps -- For more information about managing devices in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md).+- For more information about managing devices, see [managing devices using the Azure portal](manage-device-identities.md). - [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune) - [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) - [Passwordless authentication options for Azure Active Directory](../authentication/concept-authentication-passwordless.md) |
active-directory | Enterprise State Roaming Enable | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-enable.md | Enterprise State Roaming provides users with a unified experience across their W ## To enable Enterprise State Roaming --1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Devices** > **Enterprise State Roaming**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Browse to **Identity** > **Devices** > **Overview** > **Enterprise State Roaming**. 1. Select **Users may sync settings and app data across devices**. For more information, see [how to configure device settings](./manage-device-identities.md). For a Windows 10 or newer device to use the Enterprise State Roaming service, the device must authenticate using an Azure AD identity. For devices that are joined to Azure AD, the userΓÇÖs primary sign-in identity is their Azure AD identity, so no other configuration is required. For devices that use on-premises Active Directory, the IT admin must [Configure hybrid Azure Active Directory joined devices](./hybrid-join-plan.md). The country/region value is set as part of the Azure AD directory creation proce Follow these steps to view a per-user device sync status report. -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Users** > **All users**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). +1. Browse to **Identity** > **Users** > **All users**. 1. Select the user, and then select **Devices**. 1. Select **View devices syncing settings and app data** to show sync status. 1. Devices syncing for the user are shown and can be downloaded. |
active-directory | Enterprise State Roaming Troubleshooting | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/enterprise-state-roaming-troubleshooting.md | Enterprise State Roaming requires the device to be registered with Azure AD. Alt **Potential issue**: **WamDefaultSet** and **AzureAdJoined** both have ΓÇ£NOΓÇ¥ in the field value, the device was domain-joined and registered with Azure AD, and the device doesn't sync. If it's showing this, the device may need to wait for policy to be applied or the authentication for the device failed when connecting to Azure AD. The user may have to wait a few hours for the policy to be applied. Other troubleshooting steps may include retrying autoregistration by signing out and back in, or launching the task in Task Scheduler. In some cases, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. -**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled in the Azure portal. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. +**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled. Restart the device and have the user login. 
Optionally, in the portal, try having the IT Admin navigate to **Azure Active Directory** > **Devices** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue. ## Enterprise State Roaming and multifactor authentication |
active-directory | How To Hybrid Join Verify | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/how-to-hybrid-join-verify.md | description: Verify configurations for hybrid Azure AD joined devices + Last updated 02/27/2023 For downlevel devices, see the article [Troubleshooting hybrid Azure Active Dire ## Using the Azure portal -1. Go to the devices page using a [direct link](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices). -2. Information on how to locate a device can be found in [How to manage device identities using the Azure portal](./manage-device-identities.md). -3. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle. -4. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com)ntra.microsoft.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Browse to **Identity** > **Devices** > **All devices**. +1. If the **Registered** column says **Pending**, then hybrid Azure AD join hasn't completed. In federated environments, this state happens only if it failed to register and Azure AD Connect is configured to sync the devices. Wait for Azure AD Connect to complete a sync cycle. +1. If the **Registered** column contains a **date/time**, then hybrid Azure AD join has completed. ## Using PowerShell |
active-directory | Howto Manage Local Admin Passwords | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-manage-local-admin-passwords.md | -> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. +> For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all). Every Windows device comes with a built-in local administrator account that you must secure and protect to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) product for local administrator password management of their domain joined Windows machines. With Azure AD support for Windows LAPS, we're providing a consistent experience for both Azure AD joined and hybrid Azure AD joined devices. Other than the built-in Azure AD roles of Cloud Device Administrator, Intune Adm To enable Windows LAPS with Azure AD, you must take actions in Azure AD and the devices you wish to manage. We recommend organizations [manage Windows LAPS using Microsoft Intune](/mem/intune/protect/windows-laps-policy). However, if your devices are Azure AD joined but you're not using Microsoft Intune or Microsoft Intune isn't supported (like for Windows Server 2019/2022), you can still deploy Windows LAPS for Azure AD manually. For more information, see the article [Configure Windows LAPS policy settings](/windows-server/identity/laps/laps-management-policy-settings). -1. Sign in to the **Azure portal** as a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). -1. 
Browse to **Azure Active Directory** > **Devices** > **Device settings** +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator). +1. Browse to **Identity** > **Devices** > **Overview** > **Device settings** 1. Select **Yes** for the Enable Local Administrator Password Solution (LAPS) setting and select **Save**. You may also use the Microsoft Graph API [Update deviceRegistrationPolicy](/graph/api/deviceregistrationpolicy-update?view=graph-rest-beta&preserve-view=true). 1. Configure a client-side policy and set the **BackUpDirectory** to be Azure AD. |
active-directory | Howto Vm Sign In Azure Ad Linux | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md | There are two ways to enable Azure AD login for your Linux VM: ### Azure portal - You can enable Azure AD login for any of the [supported Linux distributions](#supported-linux-distributions-and-azure-regions) by using the Azure portal. For example, to create an Ubuntu Server 18.04 Long Term Support (LTS) VM in Azure with Azure AD login: To configure role assignments for your Azure AD-enabled Linux VMs: | Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** | | Assign access to | User, group, service principal, or managed identity | - ![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) + ![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) After a few moments, the security principal is assigned the role at the selected scope. The application that appears in the Conditional Access policy is called *Azure L If the Azure Linux VM Sign-In application is missing from Conditional Access, make sure the application isn't in the tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Remove the filters to see all applications, and search for **Virtual Machine**. If you don't see Microsoft Azure Linux Virtual Machine Sign-In as a result, the service principal is missing from the tenant. 
Another way to verify it is via Graph PowerShell: |
active-directory | Howto Vm Sign In Azure Ad Windows | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md | There are two ways to enable Azure AD login for your Windows VM: - Azure Cloud Shell, when you're creating a Windows VM or using an existing Windows VM. > [!NOTE]-> If a device object with the same displayMame as the hostname of a VM where an extension is installed exists, the VM fails to join Azure AD with a hostname duplication error. Avoid duplication by [modifying the hostname](../../virtual-network/virtual-networks-viewing-and-modifying-hostnames.md#modify-a-hostname). +> If a device object with the same displayName as the hostname of a VM where an extension is installed exists, the VM fails to join Azure AD with a hostname duplication error. Avoid duplication by [modifying the hostname](../../virtual-network/virtual-networks-viewing-and-modifying-hostnames.md#modify-a-hostname). ### Azure portal - You can enable Azure AD login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later. To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login: To configure role assignments for your Azure AD-enabled Windows Server 2019 Data | Role | **Virtual Machine Administrator Login** or **Virtual Machine User Login** | | Assign access to | User, group, service principal, or managed identity | - ![Screenshot that shows the page for adding a role assignment in the Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) + ![Screenshot that shows the page for adding a role assignment.](../../../includes/role-based-access-control/media/add-role-assignment-page.png) ### Azure Cloud Shell Exit code -2145648607 translates to `DSREG_AUTOJOIN_DISC_FAILED`. The extension - `curl https://pas.windows.net/ -D -` > [!NOTE]- > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. 
If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID** in the Azure portal. + > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID**. > > Attempts to connect to `enterpriseregistration.windows.net` might return 404 Not Found, which is expected behavior. Attempts to connect to `pas.windows.net` might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable. Share your feedback about this feature or report problems with using it on the [ If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application is in the tenant: -1. Sign in to the [Azure portal](https://portal.azure.com). -1. Browse to **Azure Active Directory** > **Enterprise applications**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications**. 1. Remove the filters to see all applications, and search for **VM**. If you don't see **Azure Windows VM Sign-In** as a result, the service principal is missing from the tenant. Another way to verify it is via Graph PowerShell: |
active-directory | Hybrid Join Manual | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-manual.md | description: Learn how to manually configure hybrid Azure Active Directory join + Last updated 07/05/2022 The following script helps you with the creation of the issuance transform rules #### Remarks * This script appends the rules to the existing rules. Don't run the script twice, because the set of rules would be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again.-* If you have multiple verified domain names (as shown in the Azure portal or via the **Get-MsolDomain** cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule: +* If you have multiple verified domain names, set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing **issuerid** claim that might have been created by Azure AD Connect or via other means. Here's an example for this rule: ``` c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] |
active-directory | Hybrid Join Plan | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/hybrid-join-plan.md | When you're using AD FS, you need to enable the following WS-Trust endpoints: > [!WARNING] > Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. -Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. If installing the required version of Azure AD Connect isn't an option for you, see [how to manually configure device registration](hybrid-join-manual.md). +Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. The wizard enables you to significantly simplify the configuration process. If installing the required version of Azure AD Connect isn't an option for you, see [how to manually configure device registration](hybrid-join-manual.md). If contoso.com is registered as a confirmed custom domain, users can get a PRT even if their syncronized on-premises AD DS UPN suffix is in a subdomain like test.contoso.com. ## Review on-premises AD users UPN support for hybrid Azure AD join |
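Review bot: the sentence appended to the Azure AD Connect wizard paragraph misspells "synchronized" as "syncronized"; suggest `users can get a PRT even if their synchronized on-premises AD DS UPN suffix is in a subdomain like test.contoso.com.` Its subject (PRT issuance and UPN suffixes) also fits better under the "Review on-premises AD users UPN support for hybrid Azure AD join" heading that immediately follows than in a paragraph about the configuration wizard. | | | |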
active-directory | Manage Device Identities | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md | -[![Screenshot that shows the devices overview in the Azure portal.](./media/manage-device-identities/devices-azure-portal.png)](./media/manage-device-identities/devices-azure-portal.png#lightbox) +[![Screenshot that shows the devices overview.](./media/manage-device-identities/devices-azure-portal.png)](./media/manage-device-identities/devices-azure-portal.png#lightbox) You can access the devices overview by completing these steps: -1. Sign in to the [Azure portal](https://portal.azure.com). +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). 1. Go to **Azure Active Directory** > **Devices**. In the devices overview, you can view the number of total devices, stale devices, noncompliant devices, and unmanaged devices. You'll also find links to Intune, Conditional Access, BitLocker keys, and basic monitoring. From there, you can go to **All devices** to: - Review device-related audit logs. - Download devices. -[![Screenshot that shows the All devices view in the Azure portal.](./media/manage-device-identities/all-devices-azure-portal.png)](./media/manage-device-identities/all-devices-azure-portal.png#lightbox) +[![Screenshot that shows the All devices view.](./media/manage-device-identities/all-devices-azure-portal.png)](./media/manage-device-identities/all-devices-azure-portal.png#lightbox) > [!TIP] > - Hybrid Azure AD joined Windows 10 or newer devices don't have an owner. If you're looking for a device by owner and don't find it, search by the device ID. To view or copy BitLocker keys, you need to be the owner of the device or have o ## View and filter your devices (preview) - In this preview, you have the ability to infinitely scroll, reorder columns, and select all devices. 
You can filter the device list by these device attributes: - Enabled state In this preview, you have the ability to infinitely scroll, reorder columns, and To enable the preview in the **All devices** view: -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Go to **Azure Active Directory** > **Devices** > **All devices**. -3. Select the **Preview features** button. -4. Turn on the toggle that says **Enhanced devices list experience**. Select **Apply**. -5. Refresh your browser. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). +1. Browse to **Identity** > **Devices** > **All devices**. +1. Select the **Preview features** button. +1. Turn on the toggle that says **Enhanced devices list experience**. Select **Apply**. +1. Refresh your browser. You can now experience the enhanced **All devices** view. The exported list includes these device identity attributes: If you want to manage device identities by using the Azure portal, the devices need to be either [registered or joined](overview.md) to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings. -You must be assigned one of the following roles to view device settings in the Azure portal: +You must be assigned one of the following roles to view device settings: - Global Administrator - Global Reader You must be assigned one of the following roles to view device settings in the A - Windows 365 Administrator - Directory Reviewer -You must be assigned one of the following roles to manage device settings in the Azure portal: +You must be assigned one of the following roles to manage device settings: - Global Administrator - Cloud Device Administrator |
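Review bot: in the "devices overview" steps, step 1 is changed to sign in to the Microsoft Entra admin center, but the unchanged step 2 still says "Go to **Azure Active Directory** > **Devices**", which is the Azure portal navigation; the "Preview features" steps later in the same change use "Browse to **Identity** > **Devices** > **All devices**", so step 2 should be updated the same way for consistency. | | | |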
active-directory | Manage Stale Devices | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-stale-devices.md | description: Learn how to remove stale devices from your database of registered + Last updated 09/27/2022 -#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data. - +#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data. # How To: Manage stale devices in Azure AD If the delta between the existing value of the activity timestamp and the curren You have two options to retrieve the value of the activity timestamp: -- The **Activity** column on the [devices page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices) in the Azure portal+- The **Activity** column on the [devices page](https://portal.azure.com/#blade/Microsoft_AAD_IAM/DevicesMenuBlade/Devices). - :::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot of a page in the Azure portal listing the name, owner, and other information on devices. One column lists the activity time stamp." border="false"::: + :::image type="content" source="./media/manage-stale-devices/01.png" alt-text="Screenshot listing the name, owner, and other information of devices. One column lists the activity time stamp." border="false"::: -- The [Get-AzureADDevice](/powershell/module/azuread/Get-AzureADDevice) cmdlet+- The [Get-AzureADDevice](/powershell/module/azuread/Get-AzureADDevice) cmdlet. :::image type="content" source="./media/manage-stale-devices/02.png" alt-text="Screenshot showing command-line output. One line is highlighted and lists a time stamp for the ApproximateLastLogonTimeStamp value." 
border="false"::: Any authentication where a device is being used to authenticate to Azure AD are Devices managed with Intune can be retired or wiped, for more information see the article [Remove devices by using wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe). -To get an overview of how to manage device in the Azure portal, see [managing devices using the Azure portal](manage-device-identities.md) +To get an overview of how to manage devices, see [managing devices using the Azure portal](manage-device-identities.md) |
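Review bot: the rewritten `#Customer intent` line still carries the doubled words "so that I can I can cleanup my device registration data"; since the line is being touched anyway, suggest `so that I can clean up my device registration data.` | | | |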
active-directory | Overview | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/overview.md | Getting devices in to Azure AD can be done in a self-service manner or a control - Learn more about [Azure AD registered devices](concept-device-registration.md) - Learn more about [Azure AD joined devices](concept-directory-join.md) - Learn more about [hybrid Azure AD joined devices](concept-hybrid-join.md)-- To get an overview of how to manage device identities in the Azure portal, see [Managing device identities using the Azure portal](manage-device-identities.md).+- To get an overview of how to manage device identities, see [Managing device identities using the Azure portal](manage-device-identities.md). - To learn more about device-based Conditional Access, see [Configure Azure Active Directory device-based Conditional Access policies](../conditional-access/concept-conditional-access-grant.md). |
active-directory | Plan Device Deployment | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/plan-device-deployment.md | Administrators can also [deploy virtual desktop infrastructure (VDI) platforms]( ## Next steps +* [Analyze your on-premises GPOs using Group Policy analytics in Microsoft Intune](/mem/intune/configuration/group-policy-analytics) * [Plan your Azure AD join implementation](device-join-plan.md) * [Plan your hybrid Azure AD join implementation](hybrid-join-plan.md) * [Manage device identities](manage-device-identities.md) |
active-directory | Troubleshoot Device Windows Joined | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-windows-joined.md | -1. Sign in to the **Azure portal**. -1. Browse to **Azure Active Directory** > **Devices** > **Diagnose and solve problems**. +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../roles/permissions-reference.md#global-reader). +1. Browse to **Identity** > **Devices** > **All devices** > **Diagnose and solve problems**. 1. Select **Troubleshoot** under the **Windows 10+ related issue** troubleshooter. :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane of the Azure portal." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png"::: 1. Select **instructions** and follow the steps to download, run, and collect the required logs for the troubleshooter to analyze. |
active-directory | Troubleshoot Hybrid Join Windows Current | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md | Use Event Viewer to look for the log entries that are logged by the Azure AD Clo | Error code | Reason | Resolution | | | | |-| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled in the Azure portal. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. | +| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. | | **AADSTS50034: The user account `Account` does not exist in the `tenant id` directory** | Azure AD is unable to find the user account in the tenant. 
| <li>Ensure that the user is typing the correct UPN.<li>Ensure that the on-premises user account is being synced with Azure AD.<li>Event 1144 (Azure AD analytics logs) will contain the UPN provided. | | **AADSTS50126: Error validating credentials due to invalid username or password.** | <li>The username and password entered by the user in the Windows LoginUI are incorrect.<li>If the tenant has password hash sync enabled, the device is hybrid-joined, and the user just changed the password, it's likely that the new password hasn't synced with Azure AD. | To acquire a fresh PRT with the new credentials, wait for the Azure AD password sync to finish. | | | | |
active-directory | Troubleshoot Hybrid Join Windows Legacy | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-hybrid-join-windows-legacy.md | This article provides you with troubleshooting guidance on how to resolve potent - Hybrid Azure AD join for downlevel Windows devices works slightly differently than it does in Windows 10 or newer. Many customers don't realize that they need AD FS (for federated domains) or Seamless SSO configured (for managed domains). - Seamless SSO doesn't work in private browsing mode on Firefox and Microsoft Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode or if Enhanced Security Configuration is enabled.-- For customers with federated domains, if the Service Connection Point (SCP) was configured such that it points to the managed domain name (for example, contoso.onmicrosoft.com, instead of contoso.com), then Hybrid Azure AD Join for downlevel Windows devices won't work.+- For customers with federated domains, if the Service Connection Point (SCP) was configured such that it points to the managed domain name (for example, contoso.onmicrosoft.com, instead of contoso.com), then Hybrid Azure AD Join for downlevel Windows devices doesn't work. - The same physical device appears multiple times in Azure AD when multiple domain users sign-in the downlevel hybrid Azure AD joined devices. For example, if *jdoe* and *jharnett* sign-in to a device, a separate registration (DeviceID) is created for each of them in the **USER** info tab. - You can also get multiple entries for a device on the user info tab because of a reinstallation of the operating system or a manual re-registration. - The initial registration / join of devices is configured to perform an attempt at either sign-in or lock / unlock. There could be 5-minute delay triggered by a task scheduler task. 
This command displays a dialog box that provides you with details about the join ## Step 2: Evaluate the hybrid Azure AD join status -If the device wasn't hybrid Azure AD joined, you can attempt to do hybrid Azure AD join by clicking on the "Join" button. If the attempt to do hybrid Azure AD join fails, the details about the failure will be shown. +If the device wasn't hybrid Azure AD joined, you can attempt to do hybrid Azure AD join by clicking on the "Join" button. If the attempt to do hybrid Azure AD join fails, the details about the failure are shown. **The most common issues are:** If the device wasn't hybrid Azure AD joined, you can attempt to do hybrid Azure - It could be that AD FS and Azure AD URLs are missing in IE's intranet zone on the client. - Network connectivity issues may be preventing **autoworkplace.exe** from reaching AD FS or the Azure AD URLs. - **Autoworkplace.exe** requires the client to have direct line of sight from the client to the organization's on-premises AD domain controller, which means that hybrid Azure AD join succeeds only when the client is connected to organization's intranet.- - If your organization uses Azure AD Seamless Single Sign-On, `https://autologon.microsoftazuread-sso.com` or `https://aadg.windows.net.nsatc.net` aren't present on the device's IE intranet settings. + - If your organization uses Azure AD Seamless Single Sign-On, `https://autologon.microsoftazuread-sso.com` isn't present on the device's IE intranet settings. + - The internet setting `Do not save encrypted pages to disk` is checked. - You aren't signed on as a domain user :::image type="content" source="./media/troubleshoot-hybrid-join-windows-legacy/03.png" alt-text="Screenshot of the Workplace Join for Windows dialog box. Text reports that an error occurred during account verification." border="false"::: |
active-directory | Troubleshoot Primary Refresh Token | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-primary-refresh-token.md | You can find a full list and description of server error codes in [Azure AD auth - Azure AD can't authenticate the device to issue a PRT. -- The device might have been deleted or disabled in the Azure portal. (For more information, see [Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10/11 devices?](./faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices))+- The device might have been deleted or disabled. (For more information, see [Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10/11 devices?](./faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices)) ##### Solution -Re-register the device based on the device join type. For instructions, see [I disabled or deleted my device in the Azure portal or by using Windows PowerShell. But the local state on the device says it's still registered. What should I do?](./faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do). +Re-register the device based on the device join type. For instructions, see [I disabled or deleted my device. But the local state on the device says it's still registered. What should I do?](./faq.yml#i-disabled-or-deleted-my-device--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do). </details> <details> |
active-directory | Directory Delete Howto | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-delete-howto.md | |
active-directory | Directory Self Service Signup | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/directory-self-service-signup.md | |
active-directory | Domains Admin Takeover | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-admin-takeover.md | The key and templates aren't moved over when the unmanaged organization is in a Although RMS for individuals is designed to support Azure AD authentication to open protected content, it doesn't prevent users from also protecting content. If users did protect content with the RMS for individuals subscription, and the key and templates weren't moved over, that content isn't accessible after the domain takeover. ### Azure AD PowerShell cmdlets for the ForceTakeover option+ You can see these cmdlets used in [PowerShell example](#powershell-example). cmdlet | Usage |
active-directory | Domains Verify Custom Subdomain | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/domains-verify-custom-subdomain.md | |
active-directory | Groups Assign Sensitivity Labels | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md | |
active-directory | Groups Change Type | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-change-type.md | |
active-directory | Groups Lifecycle | https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/groups-lifecycle.md |