Home Realm Discovery Policy (HRD) offers administrators multiple ways to control how and where their users authenticate. The `domainHintPolicy` section of the HRD policy is used to help migrate federated users to cloud managed credentials like [FIDO](../authentication/howto-authentication-passwordless-security-key.md), by ensuring that they always visit the Azure AD sign-in page and aren't auto-accelerated to a federated IDP because of domain hints. To learn more about HRD policy, see [Home Realm Discovery](home-realm-discovery-policy.md).
21
21
22
22
23
-
This policy is needed in situations where and admins can't control or update domain hints during sign-in. For example, `outlook.com/contoso.com` sends the user to a login page with the `&domain_hint=contoso.com` parameter appended, to auto-accelerate the user directly to the federated IDP for the `contoso.com` domain. Users with managed credentials sent to a federated IDP can't sign in using their managed credentials, reducing security, and frustrating users with randomized sign-in experiences. Admins rolling out managed credentials [should also set up this policy](#suggested-use-within-a-tenant) to ensure that users can always use their managed credentials.
23
+
This policy is needed in situations where and admins can't control or update domain hints during sign-in. For example, `outlook.com/contoso.com` sends the user to a sign-in page with the `&domain_hint=contoso.com` parameter appended, to auto-accelerate the user directly to the federated IDP for the `contoso.com` domain. Users with managed credentials sent to a federated IDP can't sign in using their managed credentials, reducing security, and frustrating users with randomized sign-in experiences. Admins rolling out managed credentials [should also set up this policy](#suggested-use-within-a-tenant) to ensure that users can always use their managed credentials.
24
24
25
25
26
26
## DomainHintPolicy details
27
27
28
-
The DomainHintPolicy section of the HRD policy is a JSON object, that allows an admin to opt out certain domains and applications from domain hint usage. Functionally, this tells the Azure AD sign-in page to behave as if a `domain_hint` parameter on the login request wasn't present.
28
+
The DomainHintPolicy section of the HRD policy is a JSON object that allows an admin to opt out certain domains and applications from domain hint usage. Functionally, this tells the Azure AD sign-in page to behave as if a `domain_hint` parameter on the sign-in request wasn't present.
29
29
30
30
### The Respect and Ignore policy sections
31
31
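Review bot: the stray "and" in "in situations where and admins can't control or update domain hints" survives into the updated line unchanged; since this hunk is already rewording the sentence ("login page" to "sign-in page"), drop it so the line reads "This policy is needed in situations where admins can't control or update domain hints during sign-in." The same hunk's second change is fine: removing the comma in "a JSON object, that allows" and switching "login request" to "sign-in request" both match the terminology the rest of the diff standardizes on.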
@@ -40,11 +40,11 @@ The DomainHintPolicy section of the HRD policy is a JSON object, that allows an
40
40
41
41
The DomainHintPolicy logic runs on each incoming request that contains a domain hint and accelerates based on two pieces of data in the request – the domain in the domain hint, and the client ID (the app). In short - "Respect" for a domain or app takes precedence over an instruction to "Ignore" a domain hint for a given domain or application.
42
42
43
-
- In the absence of any domain hint policy, or if none of the 4 sections reference the app or domain hint mentioned, [the rest of the HRD policy will be evaluated](home-realm-discovery-policy.md#priority-and-evaluation-of-hrd-policies).
44
-
- If either one (or both) of `RespectDomainHintForApps` or `RespectDomainHintForDomains` section includes the app or domain hint in the request, then the user will be auto-accelerated to the federated IDP as requested.
45
-
- If either one (or both) of `IgnoreDomainHintsForApps` or `IgnoreDomainHintsForDomains` references the app or the domain hint in the request, and they’re not referenced by the “Respect” sections, then the request won't be auto-accelerated, and the user will remain at the Azure AD login page to provide a username.
43
+
- In the absence of any domain hint policy, or if none of the four sections reference the app or domain hint mentioned, [the rest of the HRD policy will be evaluated](home-realm-discovery-policy.md#priority-and-evaluation-of-hrd-policies).
44
+
- If either one (or both) of `RespectDomainHintForApps` or `RespectDomainHintForDomains` section includes the app or domain hint in the request, then the user is auto-accelerated to the federated IDP as requested.
45
+
- If either one (or both) of `IgnoreDomainHintsForApps` or `IgnoreDomainHintsForDomains` references the app or the domain hint in the request, and they’re not referenced by the “Respect” sections, then the request won't be auto-accelerated, and the user remains at the Azure AD sign-in page to provide a username.
46
46
47
-
Once a user has entered a username at the login page, they can use their managed credentials. If they choose not to use a managed credential, or they have none registered, they'll be taken to their federated IDP for credential entry as usual.
47
+
Once a user has entered a username at the sign-in page, they can use their managed credentials. If they choose not to use a managed credential, or they have none registered, they are taken to their federated IDP for credential entry as usual.
48
48
49
49
## Prerequisites
50
50
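Review bot: number agreement in the second bullet is still off after the edit: "If either one (or both) of `RespectDomainHintForApps` or `RespectDomainHintForDomains` section includes the app or domain hint" should read "sections include" (or "If the `RespectDomainHintForApps` or `RespectDomainHintForDomains` section includes"). The substantive changes in this hunk are consistent with the precedence rule stated in the unchanged context line above the list ("Respect" wins over "Ignore"): the third bullet correctly keeps the "and they're not referenced by the 'Respect' sections" qualifier, and "4 sections" to "four sections" plus "will be"/"will remain" to present tense follow the same style as the rest of the diff.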
@@ -60,7 +60,7 @@ To disable auto-acceleration sign-in for an application in Azure AD, you need:
60
60
61
61
Admins of federated domains should set up this section of the HRD policy in a four-phase plan. The goal of this plan is to eventually get all users in a tenant to use their managed credentials regardless of domain or application, save those apps that have hard dependencies on `domain_hint` usage. This plan helps admins find those apps, exempt them from the new policy, and continue rolling out the change to the rest of the tenant.
62
62
63
-
1. Pick a domain to initially roll this change out to. This will be your test domain, so pick one that may be more receptive to changes in UX (For example, seeing a different login page). This will ignore all domain hints from all applications that use this domain name. Set this policy in your tenant-default HRD policy:
63
+
1. Pick a domain to initially roll this change out to. This is your test domain, so pick one that may be more receptive to changes in UX (For example, seeing a different sign-in page). This ignores all domain hints from all applications that use this domain name. Set this policy in your tenant-default HRD policy:
64
64
65
65
::: zone pivot="graph-hrd"
66
66
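Review bot: the rewritten step 1 leaves two readability issues in place. "This ignores all domain hints from all applications that use this domain name" has an unclear antecedent for "This" (the previous sentence is about picking a receptive test domain, not about the policy); "Setting this policy ignores all domain hints" or "The policy ignores all domain hints" would be clearer. Also, "(For example, seeing a different sign-in page)" is a parenthetical inside a sentence, so "For" should be lowercase. The "This will be your test domain" to "This is your test domain" change is fine.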
@@ -168,7 +168,7 @@ New-AzureADPolicy
168
168
169
169
::: zone-end
170
170
171
-
After step 4 is complete all users, except those in `guestHandlingDomain.com`, can sign-in at the Azure AD sign-in page even when domain hints would otherwise cause an auto-acceleration to a federated IDP. The exception to this is if the app requesting sign-in is one of the exempted ones - for those apps, all domain hints will still be accepted.
171
+
After step 4 is complete all users, except those in `guestHandlingDomain.com`, can sign-in at the Azure AD sign-in page even when domain hints would otherwise cause an auto-acceleration to a federated IDP. The exception to this is if the app requesting sign-in is one of the exempted ones - for those apps, all domain hints are still accepted.
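Review bot: "all users ... can sign-in at the Azure AD sign-in page" uses the hyphenated noun form as a verb; since this diff is standardizing on "sign-in" terminology, the verb should be "sign in" ("can sign in at the Azure AD sign-in page"). A comma after "After step 4 is complete" would also help, and the sentence is otherwise consistent with the earlier hunk's rule that app exemptions in the "Respect" sections take precedence over domain-level "Ignore" entries.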