
Commit 1426834

[AzureAD-Passwordless] Resolving redirects merge conflict
2 parents 395b836 + b21d791 commit 1426834


2,678 files changed

+41494
-30700
lines changed


.openpublishing.publish.config.json

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -433,14 +433,6 @@
433433
"master": [
434434
"Publish",
435435
"PDF"
436-
],
437-
"release-event-grid": [
438-
"Publish",
439-
"PDF"
440-
],
441-
"hd-insight-pdf": [
442-
"Publish",
443-
"PDF"
444436
]
445437
},
446438
"need_generate_pdf_url_template": true,

.openpublishing.redirection.json

Lines changed: 903 additions & 324 deletions

CODEOWNERS

Lines changed: 3 additions & 0 deletions
@@ -8,6 +8,9 @@ articles/chef/ @TomArcherMsft
88
articles/jenkins/ @TomArcherMsft
99
articles/terraform/ @TomArcherMsft
1010

11+
# Requires Internal Review
12+
articles/best-practices-availability-paired-regions.md @jpconnock @arob98 @syntaxc4 @tysonn @snoviking
13+
1114
# Governance
1215
articles/governance/ @DCtheGeek
1316
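
Review bot: The new single-file rule `articles/best-practices-availability-paired-regions.md @jpconnock @arob98 @syntaxc4 @tysonn @snoviking` is inserted between directory-level rules; because CODEOWNERS gives precedence to the last matching pattern, this entry only takes effect if no later, broader pattern (for example one covering `articles/`) also matches the file. Check the rest of the file, which is outside this hunk, and consider moving the rule below any such catch-all so the "Requires Internal Review" owners are actually the ones requested.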

articles/active-directory-b2c/TOC.yml

Lines changed: 4 additions & 0 deletions
@@ -348,6 +348,9 @@
348348
displayName: migrate, b2clogin, owin
349349
- name: Automation
350350
items:
351+
- name: Azure Monitor
352+
href: azure-monitor.md
353+
displayName: log, logs, logging, usage, events
351354
- name: Export usage report
352355
href: view-usage-reports.md
353356
- name: Account management
@@ -382,6 +385,7 @@
382385
href: https://azure.microsoft.com/resources/samples/?service=active-directory-b2c
383386
- name: Cookie definitions
384387
href: cookie-definitions.md
388+
displayName: cookies, SameSite
385389
- name: Error codes
386390
href: error-codes.md
387391
- name: Region availability & data residency

articles/active-directory-b2c/access-tokens.md

Lines changed: 1 addition & 1 deletion
@@ -68,7 +68,7 @@ GET https://<tenant-name>.b2clogin.com/tfp/<tenant-name>.onmicrosoft.com/<policy
6868
client_id=<application-ID>
6969
&nonce=anyRandomValue
7070
&redirect_uri=https://jwt.ms
71-
&scope=https://tenant-name>.onmicrosoft.com/api/read
71+
&scope=https://<tenant-name>.onmicrosoft.com/api/read
7272
&response_type=code
7373
```
7474
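
Review bot: The fix restores the missing `<` so the scope placeholder reads `https://<tenant-name>.onmicrosoft.com/api/read`, consistent with the `<tenant-name>` placeholders in the GET line above. While this authorization request sample is being touched, the context line `&nonce=anyRandomValue` deserves a short caveat in the surrounding text that the nonce must be unpredictable, unique per request, and verified against the value returned in the token, so that readers do not copy the literal placeholder into an application.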

Lines changed: 224 additions & 0 deletions
@@ -0,0 +1,224 @@
1+
---
2+
title: Monitor Azure AD B2C with Azure Monitor
3+
titleSuffix: Azure AD B2C
4+
description: Learn how to log Azure AD B2C events with Azure Monitor by using delegated resource management.
5+
services: active-directory-b2c
6+
author: mmacy
7+
manager: celestedg
8+
9+
ms.service: active-directory
10+
ms.workload: identity
11+
ms.topic: conceptual
12+
ms.author: marsma
13+
ms.subservice: B2C
14+
ms.date: 02/05/2020
15+
---
16+
17+
# Monitor Azure AD B2C with Azure Monitor
18+
19+
Use Azure Monitor to route Azure Active Directory B2C (Azure AD B2C) sign-in and [auditing](view-audit-logs.md) logs to different monitoring solutions. You can retain the logs for long-term use or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment.
20+
21+
You can route log events to:
22+
23+
* An Azure storage account.
24+
* An Azure event hub (and integrate with your Splunk and Sumo Logic instances).
25+
* An Azure Log Analytics workspace (to analyze data, create dashboards, and alert on specific events).
26+
27+
![Azure Monitor](./media/azure-monitor/azure-monitor-flow.png)
28+
29+
## Prerequisites
30+
31+
To complete the steps in this article, you deploy an Azure Resource Manager template by using the Azure PowerShell module.
32+
33+
* [Azure PowerShell module](https://docs.microsoft.com/powershell/azure/install-az-ps) version 6.13.1 or higher
34+
35+
You can also use the [Azure Cloud Shell](https://shell.azure.com), which includes the latest version of the Azure PowerShell module.
36+
37+
## Delegated resource management
38+
39+
Azure AD B2C leverages [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). To enable *Diagnostic settings* in Azure Active Directory within your Azure AD B2C tenant, you use [delegated resource management](../lighthouse/concepts/azure-delegated-resource-management.md).
40+
41+
You authorize a user in your Azure AD B2C directory (the **Service Provider**) to configure the Azure Monitor instance within the tenant that contains your Azure subscription (the **Customer**). To create the authorization, you deploy an [Azure Resource Manager](../azure-resource-manager/index.yml) template to your Azure AD tenant containing the subscription. The following sections walk you through the process.
42+
43+
## Create a resource group
44+
45+
In the Azure Active Directory (Azure AD) tenant that contains your Azure subscription (*not* the directory that contains your Azure AD B2C tenant), [create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups). Use the following values:
46+
47+
* **Subscription**: Select your Azure subscription.
48+
* **Resource group**: Enter name for the resource group. For example, *azure-ad-b2c-monitor*.
49+
* **Region**: Select an Azure location. For example, *Central US*.
50+
51+
## Delegate resource management
52+
53+
Next, gather the following information:
54+
55+
**Directory ID** of your Azure AD B2C directory (also known as the tenant ID).
56+
57+
1. Sign in to the [Azure portal](https://portal.azure.com/) as a user with the *User administrator* role (or higher).
58+
1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
59+
1. Select **Azure Active Directory**, select **Properties**.
60+
1. Record the **Directory ID**.
61+
62+
**Object ID** of the Azure AD B2C group or user you want to give *Contributor* permission to the resource group you created earlier in the directory containing your subscription.
63+
64+
To make management easier, we recommend using Azure AD user *groups* for each role, allowing you to add or remove individual users to the group rather than assigning permissions directly to that user. In this walkthrough, you add a user.
65+
66+
1. With **Azure Active Directory** still selected in the Azure portal, select **Users**, and then select a user.
67+
1. Record the user's **Object ID**.
68+
69+
### Create an Azure Resource Manager template
70+
71+
To onboard your Azure AD tenant (the **Customer**), create an [Azure Resource Manager template](../lighthouse/how-to/onboard-customer.md) for your offer with the following information. The `mspOfferName` and `mspOfferDescription` values are visible when you view offer details in the [Service providers page](../lighthouse/how-to/view-manage-service-providers.md) of the Azure portal.
72+
73+
| Field | Definition |
74+
|---------|------------|
75+
| `mspOfferName` | A name describing this definition. For example, *Azure AD B2C Managed Services*. This value is displayed to the customer as the title of the offer. |
76+
| `mspOfferDescription` | A brief description of your offer. For example, *Enables Azure Monitor in Azure AD B2C*.|
77+
| `rgName` | The name of the resource group you create earlier in your Azure AD tenant. For example, *azure-ad-b2c-monitor*. |
78+
| `managedByTenantId` | The **Directory ID** of your Azure AD B2C tenant (also known as the tenant ID). |
79+
| `authorizations.value.principalId` | The **Object ID** of the B2C group or user that will have access to resources in this Azure subscription. For this walkthrough, specify the user's Object ID that you recorded earlier. |
80+
81+
Download the Azure Resource Manager template and parameter files:
82+
83+
- [rgDelegatedResourceManagement.json](https://raw.githubusercontent.com/Azure/Azure-Lighthouse-samples/master/Azure-Delegated-Resource-Management/templates/rg-delegated-resource-management/rgDelegatedResourceManagement.json)
84+
- [rgDelegatedResourceManagement.parameters.json](https://raw.githubusercontent.com/Azure/Azure-Lighthouse-samples/master/Azure-Delegated-Resource-Management/templates/rg-delegated-resource-management/rgDelegatedResourceManagement.parameters.json)
85+
86+
Next, update the parameters file with the values you recorded earlier. The following JSON snippet shows an example of an Azure Resource Manager template parameters file. For `authorizations.value.roleDefinitionId`, use the [built-in role](../role-based-access-control/built-in-roles.md) value for the *Contributor role*, `b24988ac-6180-42a0-ab88-20f7382dd24c`.
87+
88+
```JSON
89+
{
90+
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
91+
"contentVersion": "1.0.0.0",
92+
"parameters": {
93+
"mspOfferName": {
94+
"value": "Azure AD B2C Managed Services"
95+
},
96+
"mspOfferDescription": {
97+
"value": "Enables Azure Monitor in Azure AD B2C"
98+
},
99+
"rgName": {
100+
"value": "azure-ad-b2c-monitor"
101+
},
102+
"managedByTenantId": {
103+
"value": "<Replace with DIRECTORY ID of Azure AD B2C tenant (tenant ID)>"
104+
},
105+
"authorizations": {
106+
"value": [
107+
{
108+
"principalId": "<Replace with user's OBJECT ID>",
109+
"principalIdDisplayName": "Azure AD B2C tenant administrator",
110+
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
111+
}
112+
]
113+
}
114+
}
115+
}
116+
```
117+
118+
### Deploy the Azure Resource Manager templates
119+
120+
Once you've updated your parameters file, deploy the Azure Resource Manager template into the Azure tenant as a subscription-level deployment. Because this is a subscription-level deployment, it cannot be initiated in the Azure portal. You can deploy by using the Azure PowerShell module or the Azure CLI. The Azure PowerShell method is shown below.
121+
122+
Sign in to the directory containing your subscription by using [Connect-AzAccount](/powershell/azure/authenticate-azureps). Use the `-tenant` flag to force authentication to the correct directory.
123+
124+
```PowerShell
125+
Connect-AzAccount -tenant contoso.onmicrosoft.com
126+
```
127+
128+
Use the [Get-AzSubscription](/powershell/module/az.accounts/get-azsubscription) cmdlet to list the subscriptions that the current account can access under the Azure AD tenant. Record the ID of the subscription you want to project into your Azure AD B2C tenant.
129+
130+
```PowerShell
131+
Get-AzSubscription
132+
```
133+
134+
Next, switch to the subscription you want to project into the Azure AD B2C tenant:
135+
136+
``` PowerShell
137+
Select-AzSubscription <subscription ID>
138+
```
139+
140+
Finally, deploy the Azure Resource Manager template and parameter files you downloaded and updated earlier. Replace the `Location`, `TemplateFile`, and `TemplateParameterFile` values accordingly.
141+
142+
```PowerShell
143+
New-AzDeployment -Name "AzureADB2C" `
144+
-Location "centralus" `
145+
-TemplateFile "C:\Users\azureuser\Documents\rgDelegatedResourceManagement.json" `
146+
-TemplateParameterFile "C:\Users\azureuser\Documents\rgDelegatedResourceManagement.parameters.json" `
147+
-Verbose
148+
```
149+
150+
Successful deployment of the template produces output similar to the following (output truncated for brevity):
151+
152+
```Console
153+
PS /usr/csuser/clouddrive> New-AzDeployment -Name "AzureADB2C" `
154+
>> -Location "centralus" `
155+
>> -TemplateFile "rgDelegatedResourceManagement.json" `
156+
>> -TemplateParameterFile "rgDelegatedResourceManagement.parameters.json" `
157+
>> -Verbose
158+
WARNING: Breaking changes in the cmdlet 'New-AzDeployment' :
159+
WARNING: - The cmdlet 'New-AzSubscriptionDeployment' is replacing this cmdlet.
160+
161+
162+
WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
163+
VERBOSE: 7:25:14 PM - Template is valid.
164+
VERBOSE: 7:25:15 PM - Create template deployment 'AzureADB2C'
165+
VERBOSE: 7:25:15 PM - Checking deployment status in 5 seconds
166+
VERBOSE: 7:25:42 PM - Resource Microsoft.ManagedServices/registrationDefinitions '44444444-4444-4444-4444-444444444444' provisioning status is succeeded
167+
VERBOSE: 7:25:48 PM - Checking deployment status in 5 seconds
168+
VERBOSE: 7:25:53 PM - Resource Microsoft.Resources/deployments 'rgAssignment' provisioning status is running
169+
VERBOSE: 7:25:53 PM - Checking deployment status in 5 seconds
170+
VERBOSE: 7:25:59 PM - Resource Microsoft.ManagedServices/registrationAssignments '11111111-1111-1111-1111-111111111111' provisioning status is running
171+
VERBOSE: 7:26:17 PM - Checking deployment status in 5 seconds
172+
VERBOSE: 7:26:23 PM - Resource Microsoft.ManagedServices/registrationAssignments '11111111-1111-1111-1111-111111111111' provisioning status is succeeded
173+
VERBOSE: 7:26:23 PM - Checking deployment status in 5 seconds
174+
VERBOSE: 7:26:29 PM - Resource Microsoft.Resources/deployments 'rgAssignment' provisioning status is succeeded
175+
176+
DeploymentName : AzureADB2C
177+
Location : centralus
178+
ProvisioningState : Succeeded
179+
Timestamp : 1/31/20 7:26:24 PM
180+
Mode : Incremental
181+
TemplateLink :
182+
Parameters :
183+
Name Type Value
184+
===================== ========================= ==========
185+
mspOfferName String Azure AD B2C Managed Services
186+
mspOfferDescription String Enables Azure Monitor in Azure AD B2C
187+
...
188+
```
189+
190+
After you deploy the template, it can take a few minutes for the resource projection to complete. You may need to wait a few minutes (typically no more than five) before moving on to the next section to select the subscription.
191+
192+
## Select your subscription
193+
194+
Once you've deployed the template and have waited a few minutes for the resource projection to complete, associate your subscription to your Azure AD B2C directory with the following steps.
195+
196+
1. **Sign out** of the Azure portal if you're currently signed in. This and the following step are done to refresh your credentials in the portal session.
197+
1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure AD B2C administrative account.
198+
1. Select the **Directory + Subscription** icon in the portal toolbar.
199+
1. Select the directory that contains your subscription.
200+
201+
![Switch directory](./media/azure-monitor/azure-monitor-portal-03-select-subscription.png)
202+
1. Verify that you've selected the correct directory and subscription. In this example, all directories and subscriptions are selected.
203+
204+
![All directories selected in Directory & Subscription filter](./media/azure-monitor/azure-monitor-portal-04-subscriptions-selected.png)
205+
206+
## Configure diagnostic settings
207+
208+
After you've delegated resource management and have selected your subscription, you're ready to [Create diagnostic settings](../active-directory/reports-monitoring/overview-monitoring.md) in the Azure portal.
209+
210+
To configure monitoring settings for Azure AD B2C activity logs:
211+
212+
1. Sign in to the [Azure portal](https://portal.azure.com/).
213+
1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
214+
1. Select **Azure Active Directory**
215+
1. Under **Monitoring**, select **Diagnostic settings**.
216+
1. Select **+ Add diagnostic setting**.
217+
218+
![Diagnostics settings pane in Azure portal](./media/azure-monitor/azure-monitor-portal-05-diagnostic-settings-pane-enabled.png)
219+
220+
## Next steps
221+
222+
For more information about adding and configuring diagnostic settings in Azure Monitor, see this tutorial in the Azure Monitor documentation:
223+
224+
[Tutorial: Collect and analyze resource logs from an Azure resource](/azure-monitor/learn/tutorial-resource-logs.md)
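
Review bot: The parameters sample assigns the built-in Contributor role (`b24988ac-6180-42a0-ab88-20f7382dd24c`) to a single user principal (`"principalIdDisplayName": "Azure AD B2C tenant administrator"`), while the "Delegate resource management" section of the same article recommends Azure AD groups per role; consider making the sample's `principalId` a group, and state explicitly that this delegation is scoped to the dedicated `azure-ad-b2c-monitor` resource group so readers do not widen it to the subscription. Smaller points in the same hunk: the fence `` ``` PowerShell `` before `Select-AzSubscription <subscription ID>` has a stray space after the backticks, which some renderers treat as an untagged block; "Enter name for the resource group" should read "Enter a name for the resource group"; "Select **Azure Active Directory**" in the diagnostic settings steps is missing its period; and the Next steps link `/azure-monitor/learn/tutorial-resource-logs.md` is root-relative with a `.md` extension, unlike the `../` relative links used elsewhere in the file, so verify it resolves in the build.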

articles/active-directory-b2c/boolean-transformations.md

Lines changed: 39 additions & 2 deletions
@@ -9,7 +9,7 @@ manager: celestedg
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: reference
12-
ms.date: 09/10/2018
12+
ms.date: 02/03/2020
1313
ms.author: marsma
1414
ms.subservice: B2C
1515
---
@@ -110,6 +110,44 @@ The self-asserted technical profile calls the validation **login-NonInteractive*
110110
- **valueToCompareTo**: true
111111
- Result: Error thrown
112112

113+
## CompareBooleanClaimToValue
114+
115+
Checks that boolean value of a claims is equal to `true` or `false`, and return the result of the compression.
116+
117+
| Item | TransformationClaimType | Data Type | Notes |
118+
| ---- | ------------------------ | ---------- | ----- |
119+
| inputClaim | inputClaim | boolean | The ClaimType to be asserted. |
120+
| InputParameter |valueToCompareTo | boolean | The value to compare (true or false). |
121+
| OutputClaim | inputClaim | boolean | The ClaimType that is produced after this ClaimsTransformation has been invoked. |
122+
123+
124+
The following claims transformation demonstrates how to check the value of a boolean ClaimType with a `true` value. If the value of the `IsAgeOver21Years` ClaimType is equal to `true`, the claims transformation returns `true`, otherwise `false`.
125+
126+
```XML
127+
<ClaimsTransformation Id="AssertAccountEnabled" TransformationMethod="CompareBooleanClaimToValue">
128+
<InputClaims>
129+
<InputClaim ClaimTypeReferenceId="IsAgeOver21Years" TransformationClaimType="inputClaim" />
130+
</InputClaims>
131+
<InputParameters>
132+
<InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
133+
</InputParameters>
134+
<OutputClaims>
135+
<OutputClaim ClaimTypeReferenceId="accountEnabled" TransformationClaimType="compareResult"/>
136+
</OutputClaims>
137+
</ClaimsTransformation>
138+
```
139+
140+
### Example
141+
142+
- Input claims:
143+
- **inputClaim**: false
144+
- Input parameters:
145+
- **valueToCompareTo**: true
146+
- Output claims:
147+
- **compareResult**: false
148+
149+
150+
113151
## NotClaims
114152

115153
Performs a Not operation of the boolean inputClaim and sets the outputClaim with result of the operation.
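
Review bot: The new `CompareBooleanClaimToValue` section is internally inconsistent: the table's OutputClaim row lists TransformationClaimType `inputClaim`, but both the XML sample (`TransformationClaimType="compareResult"`) and the Example (`**compareResult**: false`) use `compareResult`, so the table row should say `compareResult`; and the sample's `Id="AssertAccountEnabled"` with output claim `accountEnabled` does not match the `IsAgeOver21Years` input claim the prose describes, so either the identifiers or the explanation should be aligned. The description sentence also needs a grammar fix: "Checks that boolean value of a claims is equal to `true` or `false`, and return the result of the compression" should read "Checks that the boolean value of a claim is equal to `true` or `false`, and returns the result of the comparison", and "the claims transformation returns `true`" would be clearer as "sets the `compareResult` output claim to `true`", matching the Example.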
@@ -170,4 +208,3 @@ The following claims transformation demonstrates how to `Or` two boolean ClaimTy
170208
- **inputClaim2**: false
171209
- Output claims:
172210
- **outputClaim**: true
173-

articles/active-directory-b2c/claimsproviders.md

Lines changed: 2 additions & 2 deletions
@@ -8,7 +8,7 @@ manager: celestedg
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: reference
11-
ms.date: 09/10/2018
11+
ms.date: 01/29/2020
1212
ms.author: marsma
1313
ms.subservice: B2C
1414
---
@@ -48,7 +48,7 @@ The **ClaimsProvider** element contains the following child elements:
4848
| Element | Occurrences | Description |
4949
| ------- | ---------- | ----------- |
5050
| Domain | 0:1 | A string that contains the domain name for the claim provider. For example, if your claims provider includes the Facebook technical profile, the domain name is Facebook.com. This domain name is used for all technical profiles defined in the claims provider unless overridden by the technical profile. The domain name can also be referenced in a **domain_hint**. For more information, see the **Redirect sign-in to a social provider** section of [Set up direct sign-in using Azure Active Directory B2C](direct-signin.md). |
51-
| DisplayName | 1:1 | A string that contains the name of the claims provider that can be displayed to users. |
51+
| DisplayName | 1:1 | A string that contains the name of the claims provider. |
5252
| [TechnicalProfiles](technicalprofiles.md) | 0:1 | A set of technical profiles supported by the claim provider |
5353

5454
**ClaimsProvider** organizes how your technical profiles relate to the claims provider. The following example shows the Azure Active Directory claims provider with the Azure Active Directory technical profiles:
