Merge pull request #241107 from MicrosoftDocs/main

6/09/2023 3PM Publishing

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+    {
+      "source_path_from_root": "/articles/active-directory/develop/reference-app-multi-instancing.md",
+      "redirect_url": "/azure/active-directory/develop/configure-app-multi-instancing",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-enterprise-app-role-management.md",
       "redirect_url": "/azure/active-directory/develop/enterprise-app-role-management",

articles/active-directory/develop/TOC.yml

@@ -462,9 +462,8 @@
               href: saml-claims-customization.md
             - name: Set an access token lifetime policy
               href: configure-token-lifetimes.md    
-            - name: SAML app multi-instancing
-              displayName: Configure SAML app multi-instancing for an application
-              href: reference-app-multi-instancing.md
+            - name: Configure app multi-instancing
+              href: configure-app-multi-instancing.md
         - name: Custom claims provider
           items:
             - name: Token issuance start event

articles/active-directory/develop/configure-app-multi-instancing.md

@@ -0,0 +1,57 @@
+---
+title: Configure app multi-instancing
+description: Learn about multi-instancing, which is needed for configuring multiple instances of the same application within a tenant.
+services: active-directory
+author: davidmu1
+manager: CelesteDG
+ms.service: active-directory
+ms.subservice: develop
+ms.custom: aaddev, curation-claims
+ms.workload: identity
+ms.topic: how-to
+ms.date: 06/09/2023
+ms.author: davidmu
+ms.reviewer: rahulnagraj, alamaral, jeedes
+---
+
+# Configure app multi-instancing
+
+App multi-instancing refers to the need for the configuration of multiple instances of the same application within a tenant. For example, the organization has multiple accounts, each of which needs a separate service principal to handle instance-specific claims mapping and roles assignment. Or the customer has multiple instances of an application, which doesn't need special claims mapping, but does need separate service principals for separate signing keys.
+
+## Sign-in approaches
+
+A user can sign-in to an application one of the following ways:
+
+- Through the application directly, which is known as service provider (SP) initiated single sign-on (SSO).
+- Go directly to the identity provider (IDP), known as IDP initiated SSO. 
+
+Depending on which approach is used within your organization, follow the appropriate instructions described in this article.
+
+## SP initiated SSO
+
+In the SAML request of SP initiated SSO, the `issuer` specified is usually the app ID URI. Utilizing App ID URI doesn't allow the customer to distinguish which instance of an application is being targeted when using SP initiated SSO.
+
+### Configure SP initiated SSO
+
+Update the SAML single sign-on service URL configured within the service provider for each instance to include the service principal guid as part of the URL. For example, the general SSO sign-in URL for SAML is `https://login.microsoftonline.com/<tenantid>/saml2`, the URL can be updated to target a specific service principal, such as `https://login.microsoftonline.com/<tenantid>/saml2/<issuer>`.
+
+Only service principal identifiers in GUID format are accepted for the issuer value. The service principal identifiers override the issuer in the SAML request and response, and the rest of the flow is completed as usual. There's one exception: if the application requires the request to be signed, the request is rejected even if the signature was valid. The rejection is done to avoid any security risks with functionally overriding values in a signed request.
+
+## IDP initiated SSO
+
+The IDP initiated SSO feature exposes the following settings for each application:
+
+- An **audience override** option exposed for configuration by using claims mapping or the portal. The intended use case is applications that require the same audience for multiple instances. This setting is ignored if no custom signing key is configured for the application.
+
+- An **issuer with application id** flag to indicate the issuer should be unique for each application instead of unique for each tenant. This setting is ignored if no custom signing key is configured for the application.
+
+### Configure IDP initiated SSO
+
+1. Open any SSO enabled enterprise app and navigate to the SAML single sign-on blade.
+1. Select **Edit** on the **User Attributes & Claims** panel.
+1. Select **Edit** to open the advanced options blade.
+1. Configure both options according to your preferences and then select **Save**.
+
+## Next steps
+
+- To learn more about how to configure this policy see [Customize app SAML token claims](active-directory-saml-claims-customization.md)

articles/active-directory/develop/enterprise-app-role-management.md

@@ -1,5 +1,5 @@
 ---
-title: Configure the role claim for enterprise applications
+title: Configure the role claim
 description: Learn how to configure the role claim issued in the SAML token for enterprise applications in Azure Active Directory.
 services: active-directory
 author: davidmu1
@@ -9,14 +9,14 @@ ms.subservice: develop
 ms.custom: aaddev 
 ms.workload: identity
 ms.topic: how-to
-ms.date: 02/10/2023
+ms.date: 06/09/2023
 ms.author: davidmu
 ms.reviewer: jeedes
 ---
 
-# Configure the role claim issued in the SAML token
+# Configure the role claim
 
-In Azure Active Directory (Azure AD), you can customize the role claim in the access token that is received after an application is authorized. Use this feature if your application expects custom roles in the token returned by Azure AD. You can create as many roles as you need.
+You can customize the role claim in the access token that is received after an application is authorized. Use this feature if your application expects custom roles in the token. You can create as many roles as you need.
 
 ## Prerequisites
 
@@ -26,7 +26,7 @@ In Azure Active Directory (Azure AD), you can customize the role claim in the ac
 - A user account that is assigned to the role. For more information, see [Quickstart: Create and assign a user account](../manage-apps/add-application-portal-assign-users.md).
 
 > [!NOTE]
-> This article explains how to create, update, or delete application roles on the service principal using APIs in Azure AD. To use the new user interface for App Roles, see [Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md).
+> This article explains how to create, update, or delete application roles on the service principal using APIs. To use the new user interface for App Roles, see [Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md).
 
 ## Locate the enterprise application
 
@@ -105,7 +105,7 @@ Use the Microsoft Graph Explorer to add roles to an enterprise application.
     }
     ```
 
-    You can only add new roles after msiam_access for the patch operation. Also, you can add as many roles as your organization needs. Azure AD sends the value of these roles as the claim value in the SAML response. To generate the GUID values for the ID of new roles use the web tools, such as the [Online GUID / UUID Generator](https://www.guidgenerator.com/). The appRoles property should now represent what was in the request body of the query.
+    You can only add new roles after msiam_access for the patch operation. Also, you can add as many roles as your organization needs. The value of these roles is sent as the claim value in the SAML response. To generate the GUID values for the ID of new roles use the web tools, such as the [Online GUID / UUID Generator](https://www.guidgenerator.com/). The appRoles property should represent what was in the request body of the query.
 
 ## Edit attributes
 

articles/active-directory/develop/media/reference-app-multi-instancing/advancedclaimsoptions.png

@@ -17,6 +17,7 @@ ms.custom: "it-pro;seo-update-azuread-jan"
 
 ms.collection: M365-identity-device-management
 ---
+
 # Set up self-service group management in Azure Active Directory 
 
 You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure Active Directory (Azure AD), part of Microsoft Entra. The owner of the group can approve or deny membership requests, and can delegate control of group membership. Self-service group management features are not available for [mail-enabled security groups or distribution lists](../fundamentals/concept-learn-about-groups.md).
@@ -44,19 +45,21 @@ Groups created in | Security group default behavior | Microsoft 365 group defaul
 
 1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's been assigned the Global Administrator or Groups Administrator role for the directory.
 
-1. Browse to **Azure Active Directory** > **Groups**, and then select **General** settings.
+2. Browse to **Azure Active Directory** > **Groups**, and then select **General** settings.
 
-    ![Azure Active Directory groups general settings.](./media/groups-self-service-management/groups-settings-general.png)
+ ![Azure Active Directory groups general settings.](./media/groups-self-service-management/groups-settings-general.png)
+   > [!NOTE]
+   > In November 2023, the setting **Restrict users access to My Groups** will change to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to ‘Yes,’ end users will be able to access My Groups in November 2023, but will not be able to see security groups.
 
-1. Set **Owners can manage group membership requests in the Access Panel** to **Yes**.
+3. Set **Owners can manage group membership requests in the Access Panel** to **Yes**.
 
-1. Set **Restrict user ability to access groups features in the Access Panel** to **No**.
+4. Set **Restrict user ability to access groups features in the Access Panel** to **No**.
 
-1. Set **Users can create security groups in Azure portals, API or PowerShell** to **Yes** or **No**.
+5. Set **Users can create security groups in Azure portals, API or PowerShell** to **Yes** or **No**.
 
     For more information about this setting, see the next section [Group settings](#group-settings).
 
-1. Set **Users can create Microsoft 365 groups in Azure portals, API or PowerShell** to **Yes** or **No**.
+6. Set **Users can create Microsoft 365 groups in Azure portals, API or PowerShell** to **Yes** or **No**.
 
     For more information about this setting, see the next section [Group settings](#group-settings).
 
@@ -103,3 +106,6 @@ These articles provide additional information on Azure Active Directory.
 * [Application Management in Azure Active Directory](../manage-apps/what-is-application-management.md)
 * [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md)
 * [Integrate your on-premises identities with Azure Active Directory](../hybrid/whatis-hybrid-identity.md)
+
+
+

articles/active-directory/develop/media/reference-app-multi-instancing/advancedoptionsblade.png

@@ -9,16 +9,16 @@ ms.author: owenrichards
 ms.service: active-directory
 ms.subservice: ciam
 ms.topic: tutorial
-ms.date: 05/25/2023
+ms.date: 06/09/2023
 
 #Customer intent: As a developer, I want to learn how to configure vanilla JavaScript single-page app (SPA) to sign in and sign out users with my Azure Active Directory (AD) for customers tenant.
 ---
 
 # Tutorial: Handle authentication flows in a vanilla JavaScript single-page app
 
-In the [previous article](./how-to-single-page-app-vanillajs-prepare-app.md), you created a vanilla JavaScript (JS) single-page application (SPA) and a server to host it. In this article, you'll configure the application to authenticate and authorize users to access protected resources. Authentication and authorization are handled by the [Microsoft Authentication Library for JavaScript (MSAL.js)](/javascript/api/overview/). 
+In the [previous article](./how-to-single-page-app-vanillajs-prepare-app.md), you created a vanilla JavaScript (JS) single-page application (SPA) and a server to host it. This article shows you how to configure the application to authenticate and authorize users to access protected resources.
 
-In this tutorial you'll;
+In this tutorial;
 
 > [!div class="checklist"]
 > * Configure the settings for the application
@@ -97,7 +97,7 @@ The application uses the [Implicit Grant Flow](../../develop/v2-oauth2-implicit-
      ```
 
 1. Replace the following values with the values from the Azure portal:
-    - Find the `Enter_the_Application_Id_Here` value and replace it with the **application ID (clientId)** of the app you registered in the Microsoft Entra admin center.
+    - Find the `Enter_the_Application_Id_Here` value and replace it with the **Application ID (clientId)** of the app you registered in the Microsoft Entra admin center.
     - In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is *caseyjensen@onmicrosoft.com*, the value you should enter is *casyjensen*.
 1. Save the file.