articles/active-directory/app-provisioning/user-provisioning.md
Lines changed: 2 additions & 2 deletions
@@ -7,7 +7,7 @@ ms.service: active-directory
7
7
ms.subservice: app-provisioning
8
8
ms.topic: overview
9
9
ms.workload: identity
10
-
ms.date: 02/09/2023
10
+
ms.date: 02/14/2023
11
11
ms.author: kenwith
12
12
ms.reviewer: arvinh
13
13
---
@@ -20,7 +20,7 @@ In Azure Active Directory (Azure AD), the term *app provisioning* refers to auto
20
20
21
21
Azure AD application provisioning refers to automatically creating user identities and roles in the applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into SaaS applications like [Dropbox](../../active-directory/saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../../active-directory/saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../../active-directory/saas-apps/servicenow-provisioning-tutorial.md), and many more.
22
22
23
-
Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://aka.ms/scimoverview), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support those as well.
23
+
Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. Your application must support [SCIM](https://aka.ms/scimoverview). Or, you must build a SCIM gateway to connect to your legacy application. If so, you can use the Azure AD Provisioning agent to [directly connect](./on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](./on-premises-ldap-connector-configure.md) user store or a [SQL](./tutorial-ecma-sql-connector.md) database, Azure AD can support these applications as well.
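Review bot: The rewritten second and third sentences of the added paragraph turn a condition into a requirement. "Your application must support SCIM. Or, you must build a SCIM gateway" reads as mandatory, yet the last sentence of the same paragraph says applications that don't support SCIM and rely on LDAP or SQL are supported as well. "If so" also has no clear antecedent after two "must" statements. Suggest keeping a conditional form, for example "If your application supports SCIM, or you've built a SCIM gateway in front of a legacy application, you can use the Azure AD Provisioning agent to ...", so the paragraph does not contradict itself.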
articles/active-directory/conditional-access/overview.md
Lines changed: 4 additions & 2 deletions
@@ -6,15 +6,15 @@ services: active-directory
6
6
ms.service: active-directory
7
7
ms.subservice: conditional-access
8
8
ms.topic: overview
9
-
ms.date: 11/07/2022
9
+
ms.date: 02/13/2023
10
10
11
11
ms.author: joflore
12
12
author: MicrosoftGuyJFlo
13
13
manager: amycolannino
14
14
ms.reviewer: calebb
15
15
16
16
ms.collection: M365-identity-device-management
17
-
ms.custom: contperf-fy20q4, azuread-video-2020
17
+
ms.custom: zt-include
18
18
---
19
19
# What is Conditional Access?
20
20
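Review bot: The `ms.custom` change replaces `contperf-fy20q4, azuread-video-2020` with `zt-include` instead of appending to it. If dropping the two existing tags is intentional, say so in the commit description; otherwise keep them and add `zt-include` as a third comma-separated value.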
@@ -97,6 +97,8 @@ When licenses required for Conditional Access expire, policies aren't automatica
97
97
98
98
[Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) help protect against identity-related attacks and are available for all customers.
articles/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser.md
Lines changed: 18 additions & 17 deletions
@@ -9,11 +9,12 @@ ms.service: active-directory
9
9
ms.subservice: develop
10
10
ms.workload: identity
11
11
ms.topic: conceptual
12
-
ms.date: 01/27/2020
12
+
ms.date: 02/07/2023
13
13
ms.author: henrymbugua
14
14
ms.reviewer: kkrishna, jmprieur
15
15
ms.custom: aaddev
16
16
---
17
+
17
18
# Handle SameSite cookie changes in Chrome browser
18
19
19
20
## What is SameSite?
@@ -29,7 +30,7 @@ By default, the `SameSite` value is NOT set in browsers and that's why there are
29
30
30
31
Recent [updates to the standards on SameSite](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00) propose protecting apps by making the default behavior of `SameSite` when no value is set to Lax. This mitigation means cookies will be restricted on HTTP requests except GET made from other sites. Additionally, a value of **None** is introduced to remove restrictions on cookies being sent. These updates will soon be released in an upcoming version of the Chrome browser.
31
32
32
-
When web apps authenticate with the Microsoft Identity platform using the response mode "form_post", the login server responds to the application using an HTTP POST to send the tokens or auth code. Because this request is a cross-domain request (from `login.microsoftonline.com` to your domain - for instance `https://contoso.com/auth`), cookies that were set by your app now fall under the new rules in Chrome. The cookies that need to be used in cross-site scenarios are cookies that hold the *state* and *nonce* values, that are also sent in the login request. There are other cookies dropped by Azure AD to hold the session.
33
+
When web apps authenticate with the Microsoft identity platform using the response mode "form_post", the login server responds to the application using an HTTP POST to send the tokens or auth code. Because this request is a cross-domain request (from `login.microsoftonline.com` to your domain - for instance `https://contoso.com/auth`), cookies that were set by your app now fall under the new rules in Chrome. The cookies that need to be used in cross-site scenarios are cookies that hold the _state_ and _nonce_ values, that are also sent in the login request. There are other cookies dropped by Azure Active Directory (Azure AD) to hold the session.
33
34
34
35
If you don't update your web apps, this new behavior will result in authentication failures.
35
36
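Review bot: The context line just above the edited paragraph still says the SameSite updates "will soon be released in an upcoming version of the Chrome browser", while this commit moves `ms.date` from 01/27/2020 to 02/07/2023. Since the file is being refreshed, bring that sentence's tense up to date as well. In the changed line itself, "that are also sent in the login request" follows a comma and would read better as "which are also sent in the login request".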
@@ -39,17 +40,17 @@ To overcome the authentication failures, web apps authenticating with the Micros
39
40
Other browsers (see [here](https://www.chromium.org/updates/same-site/incompatible-clients) for a complete list) follow the previous behavior of `SameSite` and won't include the cookies if `SameSite=None` is set.
40
41
That's why, to support authentication on multiple browsers web apps will have to set the `SameSite` value to `None` only on Chrome and leave the value empty on other browsers.
41
42
42
-
This approach is demonstrated in our code samples below.
43
+
This approach is demonstrated in the following sample code.
43
44
44
45
# [.NET](#tab/dotnet)
45
46
46
-
The table below presents the pull requests that worked around the SameSite changes in our ASP.NET and ASP.NET Core samples.
47
+
The following table presents the pull requests that worked around the SameSite changes in our ASP.NET and ASP.NET Core samples.
47
48
48
-
| Sample | Pull request |
49
-
| ------ | ------------ |
50
-
|[ASP.NET Core web app incremental tutorial](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2)|[Same site cookie fix #261](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/261)|
51
-
|[ASP.NET MVC web app sample](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect)|[Same site cookie fix #35](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/pull/35)|
52
-
|[active-directory-dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)|[Same site cookie fix #28](https://github.com/Azure-Samples/active-directory-dotnet-admin-restricted-scopes-v2/pull/28)|
|[ASP.NET Core web app incremental tutorial](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2)|[Same site cookie fix #261](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/261)|
52
+
|[ASP.NET MVC web app sample](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect)|[Same site cookie fix #35](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/pull/35)|
53
+
|[active-directory-dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)|[Same site cookie fix #28](https://github.com/Azure-Samples/active-directory-dotnet-admin-restricted-scopes-v2/pull/28)|
53
54
54
55
for details on how to handle SameSite cookies in ASP.NET and ASP.NET Core, see also:
55
56
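Review bot: The three table rows carry identical text on the removed and added sides, so the table part of this hunk appears to be a whitespace-only change; please confirm that was intended. While this block is open, the trailing context line "for details on how to handle SameSite cookies in ASP.NET and ASP.NET Core, see also:" starts with a lowercase "for" and should be capitalized, and the context sentence "to support authentication on multiple browsers web apps will have to set" needs a comma after "browsers".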
@@ -58,16 +59,16 @@ for details on how to handle SameSite cookies in ASP.NET and ASP.NET Core, see a
|[ms-identity-java-webapp](https://github.com/Azure-Samples/ms-identity-java-webapp)|[Same site cookie fix #24](https://github.com/Azure-Samples/ms-identity-java-webapp/pull/24)|
71
+
|[ms-identity-java-webapi](https://github.com/Azure-Samples/ms-identity-java-webapi)|[Same site cookie fix #4](https://github.com/Azure-Samples/ms-identity-java-webapi/pull/4)|
71
72
72
73
---
73
74
@@ -79,4 +80,4 @@ Learn more about SameSite and the Web app scenario:
articles/active-directory/develop/scenario-desktop-acquire-token-wam.md
Lines changed: 1 addition & 1 deletion
@@ -129,7 +129,7 @@ Applications cannot remove accounts from Windows!
129
129
- Removes app-only (not OS-wide) accounts.
130
130
131
131
>[!NOTE]
132
-
> Ony users can remove OS accounts, whereas apps themselves cannot. If an OS account is passed into `RemoveAsync`, and then `GetAccounts` is called with `ListWindowsWorkAndSchoolAccounts` enabled, the same OS accounts will still be returned.
132
+
> Only users can remove OS accounts, whereas apps themselves cannot. If an OS account is passed into `RemoveAsync`, and then `GetAccounts` is called with `ListWindowsWorkAndSchoolAccounts` enabled, the same OS accounts will still be returned.
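Review bot: The alert marker two lines above the corrected sentence is written `>[!NOTE]` with no space after `>`, while the corrected line itself and the note in scenario-web-app-call-api-call-api.md use `> `. Suggest `> [!NOTE]` for consistency while this block is being touched.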
articles/active-directory/develop/scenario-web-app-call-api-call-api.md
Lines changed: 1 addition & 1 deletion
@@ -150,7 +150,7 @@ public async Task<IActionResult> Profile()
150
150
> [!NOTE]
151
151
> You can use the same principle to call any web API.
152
152
>
153
-
> Most Azure web APIs provide an SDK that simplifies calling the API as is the case for Microsoft Graph. See, for instance, [Create a web application that authorizes access to Blob storage with Azure AD](../../storage/common/storage-auth-aad-app.md?tabs=dotnet&toc=%2fazure%2fstorage%2fblobs%2ftoc.json) for an example of a web app using Microsoft.Identity.Web and using the Azure Storage SDK.
153
+
> Most Azure web APIs provide an SDK that simplifies calling the API as is the case for Microsoft Graph.
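Review bot: The added line drops the pointer to the Blob storage article, which was the only worked example in this note of a web app using Microsoft.Identity.Web together with an Azure SDK. If the link was removed because its target moved or was retired, replace it with a current example instead of leaving the statement without one. The remaining sentence also needs a comma before "as is the case for Microsoft Graph".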