You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/b2b/redemption-experience.md
+31-2Lines changed: 31 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -51,6 +51,36 @@ There are some cases where the invitation email is recommended over a direct lin
51
51
- Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must click the redemption URL in the invitation email.
52
52
- The user may sign in with an alias of the email address that was invited. (An alias is an additional email address associated with an email account.) In this case, the user must click the redemption URL in the invitation email.
53
53
54
+
## Invitation redemption flow
55
+
56
+
When a user clicks the **Accept invitation** link in an [invitation email](invitation-email-elements.md), Azure AD automatically redeems the invitation based on the redemption flow as shown below:
57
+
58
+
59
+
60
+
1. The redemption process checks if the user has an existing personal [Microsoft account (MSA)](https://support.microsoft.com/help/4026324/microsoft-account-how-to-create).
61
+
62
+
2. If an admin has enabled [direct federation](direct-federation.md), Azure AD checks if the user’s domain suffix matches the domain of a configured SAML/WS-Fed identity provider and redirects the user to the pre-configured identity provider.
63
+
64
+
3. If an admin has enabled [Google federation](google-federation.md), Azure AD checks if the user’s domain suffix is gmail.com or googlemail.com and redirects the user to Google.
65
+
66
+
4. Azure AD performs user-based discovery to determine if the user exists in an [existing Azure AD tenant](what-is-b2b.md#easily-add-guest-users-in-the-azure-ad-portal).
67
+
68
+
5. Once the user’s **home directory** is identified, the user is sent to the corresponding identity provider to sign in.
69
+
70
+
6. If steps 1 to 4 fail to find a home directory for the invited user, Azure AD determines whether the inviting tenant has enabled the [Email one-time passcode (OTP)](one-time-passcode.md) feature for guests.
71
+
72
+
7. If [Email one-time passcode for guests is enabled](one-time-passcode.md#when-does-a-guest-user-get-a-one-time-passcode), a passcode is sent to the user through the invited email. The user will retrieve and enter this passcode in the Azure AD sign-in page.
73
+
74
+
8. If Email one-time passcode for guests is disabled, Azure AD checks the domain suffix against a consumer domain list maintained by Microsoft. If the domain matches any domain on the consumer domain list, the user is prompted to create a personal Microsoft account. If not, the user is prompted to create an [Azure AD self-service account](../users-groups-roles/directory-self-service-signup.md) (viral account).
75
+
76
+
9. Azure AD attempts to create an Azure AD self-service account (viral account) by verifying access to the email. Verifying the account is done by sending a code to the email, and having the user retrieve and submit it to Azure AD. However, if the invited user’s tenant is federated or if the AllowEmailVerifiedUsers field is set to false in the invited user’s tenant, the user is unable to complete the redemption and the flow results in an error. For more information, refer to [Troubleshooting Azure Active Directory B2B collaboration](troubleshoot.md#the-user-that-i-invited-is-receiving-an-error-during-redemption).
77
+
78
+
10. The user is prompted to create a personal Microsoft account (MSA).
79
+
80
+
11. After authenticating to the right identity provider, the user is redirected to Azure AD to complete the [consent experience](redemption-experience.md#consent-experience-for-the-guest).
81
+
82
+
For just-in-time (JIT) redemptions, where redemption is through a tenanted application link, steps 8 through 10 are not available. If a user reaches step 6 and the Email one-time passcode feature is not enabled, the user receives an error message and is unable to redeem the invitation. To prevent this, admins should either [enable Email one-time passcode](one-time-passcode.md#when-does-a-guest-user-get-a-one-time-passcode) or ensure the user clicks an invitation link.
83
+
54
84
## Consent experience for the guest
55
85
56
86
When a guest signs in to access resources in a partner organization for the first time, they're guided through the following pages.
@@ -66,8 +96,7 @@ When a guest signs in to access resources in a partner organization for the firs
66
96
67
97
68
98
69
-
> [!NOTE]
70
-
> You can configure see [terms of use](../governance/active-directory-tou.md) in **Manage** > **Organizational relationships** > **Terms of use**.
99
+
You can configure see [terms of use](../governance/active-directory-tou.md) in **Manage** > **Organizational relationships** > **Terms of use**.
71
100
72
101
3. Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.
Copy file name to clipboardExpand all lines: articles/active-directory/develop/active-directory-signing-key-rollover.md
+1-2Lines changed: 1 addition & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -142,7 +142,7 @@ The following steps will help you verify that the logic is working properly in y
142
142
### <aname="vs2013"></a>Web APIs protecting resources and created with Visual Studio 2013
143
143
If you created a web API application in Visual Studio 2013 using the Web API template, and then selected **Organizational Accounts** from the **Change Authentication** menu, you already have the necessary logic in your application.
144
144
145
-
If you manually configured authentication, follow the instructions below to learn how to configure your Web API to automatically update its key information.
145
+
If you manually configured authentication, follow the instructions below to learn how to configure your web API to automatically update its key information.
146
146
147
147
The following code snippet demonstrates how to get the latest keys from the federation metadata document, and then use the [JWT Token Handler](https://msdn.microsoft.com/library/dn205065.aspx) to validate the token. The code snippet assumes that you will use your own caching mechanism for persisting the key to validate future tokens from Azure AD, whether it be in a database, configuration file, or elsewhere.
148
148
@@ -304,4 +304,3 @@ You can validate whether your application supports automatic key rollover by dow
304
304
305
305
## How to perform a manual rollover if your application does not support automatic rollover
306
306
If your application does **not** support automatic rollover, you will need to establish a process that periodically monitors Azure AD's signing keys and performs a manual rollover accordingly. [This GitHub repository](https://github.com/AzureAD/azure-activedirectory-powershell-tokenkey) contains scripts and instructions on how to do this.
Copy file name to clipboardExpand all lines: articles/active-directory/develop/authentication-flows-app-scenarios.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -169,13 +169,13 @@ For more information, see [Mobile app that calls web APIs](scenario-mobile-overv
169
169
170
170
You can use the Microsoft identity platform endpoint to secure web services like your app's RESTful web API. A protected web API is called by using an access token. The token secures the API's data and to authenticate incoming requests. The caller of a web API appends an access token in the authorization header of an HTTP request.
171
171
172
-
If you want to protect your ASP.NET or ASP.NET Core Web API, you need to validate the access token. For this validation, you use the ASP.NET JWT middleware. The validation is done by the [IdentityModel extensions for .NET](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki) library and not by MSAL.NET.
172
+
If you want to protect your ASP.NET or ASP.NET Core web API, you need to validate the access token. For this validation, you use the ASP.NET JWT middleware. The validation is done by the [IdentityModel extensions for .NET](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki) library and not by MSAL.NET.
173
173
174
174
For more information, see [Protected web API](scenario-protected-web-api-overview.md).
175
175
176
176
### A web API calling another web API on behalf of a user
177
177
178
-
For your ASP.NET or ASP.NET Core protected Web API to call another web API on behalf of a user, your app needs to acquire a token for the downstream web API. To acquire a token, your app calls the **ConfidentialClientApplication** class's [AcquireTokenOnBehalfOf](https://aka.ms/msal-net-on-behalf-of) method. Such calls are also named *service-to-services* calls. The web APIs that call other web APIs need to provide custom cache serialization.
178
+
For your ASP.NET or ASP.NET Core protected web API to call another web API on behalf of a user, your app needs to acquire a token for the downstream web API. To acquire a token, your app calls the **ConfidentialClientApplication** class's [AcquireTokenOnBehalfOf](https://aka.ms/msal-net-on-behalf-of) method. Such calls are also named *service-to-services* calls. The web APIs that call other web APIs need to provide custom cache serialization.
179
179
180
180
181
181
@@ -208,14 +208,14 @@ Scenarios that involve acquiring tokens also map to OAuth 2.0 authentication flo
208
208
</tr>
209
209
210
210
<tr>
211
-
<td><ahref="scenario-web-app-sign-user-overview.md"><imgalt="Web App that signs in users"src="media/scenarios/scenario-webapp-signs-in-users.svg"></a></td>
211
+
<td><ahref="scenario-web-app-sign-user-overview.md"><imgalt="Web app that signs in users"src="media/scenarios/scenario-webapp-signs-in-users.svg"></a></td>
212
212
<td><ahref="scenario-web-app-sign-user-overview.md">A web app that signs in users</a></td>
0 commit comments