Merge pull request #268873 from rwike77/externalid

updates for external id

Author: Stacyrch140

articles/app-service/configure-authentication-provider-aad.md

@@ -63,7 +63,7 @@ During creation of the app registration, collect the following information which
 - Client secret (optional, but recommended)
 - Application ID URI
 
-The instructions for creating an app registration depend on if you're using [a workforce tenant](../active-directory/fundamentals/active-directory-whatis.md) or [a customer tenant (Preview)][Azure Active Directory for customers (Preview)]. Use the tabs below to select the right set of instructions for your scenario.
+The instructions for creating an app registration depend on if you're using [a workforce tenant](../active-directory/fundamentals/active-directory-whatis.md) or [a customer tenant][Azure Active Directory for customers (Preview)]. Use the tabs below to select the right set of instructions for your scenario.
 
 To register the app, perform the following steps:
 
@@ -74,7 +74,7 @@ To register the app, perform the following steps:
 
     From the portal menu, select **Microsoft Entra ID**. If the tenant you're using is different from the one you use to configure the App Service application, you'll need to [change directories][Switch your directory] first.
 
-    # [Customer tenant (Preview)](#tab/customer-tenant)
+    # [Customer tenant](#tab/customer-tenant)
 
     1. If you do not already have a customer tenant, create one by following the instructions in [Create a customer identity and access management (CIAM) tenant](../active-directory/external-identities/customers/how-to-create-customer-tenant-portal.md).
 
@@ -117,7 +117,7 @@ To register the app, perform the following steps:
 
     No other steps are required for a workforce tenant.
 
-    # [Customer tenant (Preview)](#tab/customer-tenant)
+    # [Customer tenant](#tab/customer-tenant)
 
     1. Create a user flow, which defines an authentication experience that can be shared across app registrations in the tenant:
 
@@ -156,7 +156,7 @@ To register the app, perform the following steps:
 
     The **authentication endpoint** for a workforce tenant should be a [value specific to the cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://login.microsoftonline.com" as its authentication endpoint. Make note of the authentication endpoint value, as it's needed to construct the right **Issuer URL**.
 
-    # [Customer tenant (Preview)](#tab/customer-tenant)
+    # [Customer tenant](#tab/customer-tenant)
 
     For a customer tenant, you must manually fill in the configuration values according to the following table.
 

articles/app-service/identity-scenarios.md

@@ -5,7 +5,7 @@ author: rwike77
 manager: CelesteDG
 ms.author: ryanwi
 ms.topic: conceptual
-ms.date: 10/31/2023
+ms.date: 03/14/2024
 ms.custom: AppServiceIdentity
 ---
 # Authentication scenarios and recommendations
@@ -15,8 +15,8 @@ If you have a web app or an API running in Azure App Service, you can restrict a
 ## Authentication solutions
 
 - **Azure App Service built-in authentication** - Allows you to sign users in and access data by writing minimal or no code in your web app, RESTful API, or mobile back end. It’s built directly into the platform and doesn’t require any particular language, library, security expertise, or even any code to use.
-- **Microsoft Authentication Library (MSAL)** - Enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. Available for multiple supported platforms and frameworks, these are general purpose libraries that can be used in various hosted environments. Developers can also integrate with multiple sign-in providers, like Microsoft Entra ID, Facebook, Google, Twitter.
-- **Microsoft.Identity.Web** - A higher-level library wrapping MSAL.NET, it provides a set of ASP.NET Core abstractions that simplify adding authentication support to web apps and web APIs integrating with the Microsoft identity platform.  It provides a single-surface API convenience layer that ties together ASP.NET Core, its authentication middleware, and MSAL.NET. This library can be used in apps in various hosted environments. You can integrate with multiple sign-in providers, like Microsoft Entra ID, Facebook, Google, Twitter.
+- **Microsoft Authentication Library (MSAL)** - Enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. Available for multiple supported platforms and frameworks, these are general purpose libraries that can be used in various hosted environments. Developers can also integrate with multiple sign-in providers, like Microsoft Entra, Facebook, Google, Twitter.
+- **Microsoft.Identity.Web** - A higher-level library wrapping MSAL.NET, it provides a set of ASP.NET Core abstractions that simplify adding authentication support to web apps and web APIs integrating with the Microsoft identity platform.  It provides a single-surface API convenience layer that ties together ASP.NET Core, its authentication middleware, and MSAL.NET. This library can be used in apps in various hosted environments. You can integrate with multiple sign-in providers, like Microsoft Entra, Facebook, Google, Twitter.
 
 ## Scenario recommendations
 

articles/app-service/includes/tutorial-set-up-app-service-authentication/after.md

@@ -7,7 +7,7 @@ manager: CelesteDG
 
 ms.service: app-service
 ms.topic: include
-ms.date: 02/25/2022
+ms.date: 03/12/2024
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.custom: azureday1
@@ -37,29 +37,31 @@ You need these names throughout this tutorial.
 
 ## 3. Configure authentication and authorization
 
-Now that you have a web app running on App Service, enable authentication and authorization. You use Microsoft Entra ID as the identity provider. For more information, see [Configure Microsoft Entra authentication for your App Service application](../../configure-authentication-provider-aad.md).
+Now that you have a web app running on App Service, enable authentication and authorization. You use Microsoft Entra as the identity provider. For more information, see [Configure Microsoft Entra authentication for your App Service application](../../configure-authentication-provider-aad.md).
+
+# [Workforce configuration](#tab/workforce-configuration)
 
 1. In the [Azure portal](https://portal.azure.com) menu, select **Resource groups**, or search for and select **Resource groups** from any page.
 
 1. In **Resource groups**, find and select your resource group. In **Overview**, select your app's management page.
 
     :::image type="content" alt-text="Screenshot that shows selecting your app's management page." source="../../media/scenario-secure-app-authentication-app-service/select-app-service.png":::
 
-1. On your app's left menu, select **Authentication**, and then click **Add identity provider**.
+1. On your app's left menu, select **Authentication**, and then select **Add identity provider**.
 
-1. In the **Add an identity provider** page, for example select **Microsoft** as the **Identity provider** to sign in Microsoft and Microsoft Entra identities.
+1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Microsoft Entra identities.
 
-1. Select a **Tenant type**, for example **Workforce** for work and school accounts or Microsoft accounts.
+1. For **Tenant type**, select **Workforce configuration (current tenant)** for employees and business guests.
 
-1. For **App registration** > **App registration type**, select **Create new app registration** to create a new app registration in Microsoft Entra ID.
+1. For **App registration** > **App registration type**, select **Create new app registration** to create a new app registration in Microsoft Entra.
 
 1. Add a **Name** for the app registration, a public facing display name.
 
 1. For **App registration** > **Supported account types**, select **Current tenant-single tenant** so only users in your organization can sign in to the web app.
 
 1. In the **App Service authentication settings** section, leave **Authentication** set to **Require authentication** and **Unauthenticated requests** set to **HTTP 302 Found redirect: recommended for websites**.
 
-1. At the bottom of the **Add an identity provider** page, click **Add** to enable authentication for your web app.
+1. At the bottom of the **Add an identity provider** page, select **Add** to enable authentication for your web app.
 
     :::image type="content" alt-text="Screenshot that shows configuring authentication." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication.png":::
 
@@ -69,15 +71,75 @@ Now that you have a web app running on App Service, enable authentication and au
     > To allow accounts from other tenants, change the 'Issuer URL' to 'https://login.microsoftonline.com/common/v2.0' by editing your 'Identity Provider' from the 'Authentication' blade.
     >
 
+# [External configuration](#tab/external-configuration)
+
+1. In the [Azure portal](https://portal.azure.com) menu, select **Resource groups**, or search for and select **Resource groups** from any page.
+
+1. In **Resource groups**, find and select your resource group. In **Overview**, select your app's management page.
+
+    :::image type="content" alt-text="Screenshot that shows selecting your app's management page." source="../../media/scenario-secure-app-authentication-app-service/select-app-service.png":::
+    
+1. On your app's left menu, select **Authentication**, and then select **Add identity provider**.
+
+1. In the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to sign in Microsoft and Microsoft Entra identities.
+
+1. For **Tenant type**, select **External configuration** for external users.
+
+1. Select **Create new app registration** to create a new app registration and select the [customer (external) tenant](/entra/external-id/customers/quickstart-tenant-setup) you want to use.
+
+1. Select **Configure** to configure external authentication.
+
+    :::image type="content" alt-text="Screenshot that shows the Add an identity provider page." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-external.png":::
+
+1. The browser opens **Configure customer authentication**.  In **Setup sign-in**, select **Create new** to create a sign-in experience for your external users.
+
+1. Enter a **Name** for the user flow.
+
+1. For this quickstart, select **Email and password** which allows new users to sign up and sign in using an email address as the sign-in name and a password as their first factor credential.
+
+1. Select **Create** to create the user flow.
+
+    :::image type="content" alt-text="Screenshot that shows creating a user flow." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-external-user-flow.png":::
+
+1. Select **Next** to customize branding.
+
+1. Add your company logo, select a background color, and select a sign-in layout.
+
+    :::image type="content" alt-text="Screenshot that shows the customize branding tab." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-branding.png":::
+
+1. Select **Next** and **Yes, update the changes** to accept the branding changes.
+
+1. Select **Configure** in the **Review** tab to confirm External ID (CIAM) tenant update. 
+
+1. The browser opens **Add an identity provider**.
+
+1. In the **App Service authentication settings** section, select:
+
+    - **Allow requests only from this application itself** for **Client application requirement**
+    - **Allow requests from any identity** for **Identity requirement**
+    - **Allow requests only from the issuer tenant** for **Tenant requirement**    
+
+1. In the **App Service authentication settings** section, set:
+    - **Require authentication** for **Authentication**
+    - **HTTP 302 Found redirect: recommended for websites** for **Unauthenticated requests**
+    - **Token store** box
+
+1. At the bottom of the **Add an identity provider** page, select **Add** to enable authentication for your web app.
+
+    :::image type="content" alt-text="Screenshot that shows the Additional checks and authentication settings sections." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-external-enable.png":::
+---
+
 ## 4. Verify limited access to the web app
 
-When you enabled the App Service authentication/authorization module in the previous section, an app registration was created in your Microsoft Entra tenant. The app registration has the same display name as your web app. 
+When you enabled the App Service authentication/authorization module in the previous section, an app registration was created in your workforce or customer (external) tenant. The app registration has the same display name as your web app. 
+
+1. To check the settings, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](/entra/identity/role-based-access-control/permissions-reference#application-developer).  If necessary, use the **Settings** icon  in the top menu to switch to the customer (external) tenant with your web app from the **Directories** + **subscriptions** menu.   When you are in the correct tenant:
 
-1. To check the settings, go to the [Microsoft Entra admin center](https://entra.microsoft.com) and select **Applications** and then **App registrations** from the menu. 
+1. Browse to **Identity** > **Applications** > **App registrations** and select **Applications** > **App registrations** from the menu. 
 1. Select the app registration that was created. 
 1. In the overview, verify that **Supported account types** is set to **My organization only**.
 
-1. To verify that access to your app is limited to users in your organization, got to your web app **Overview** and select the **Default domain** link.  Or, start a browser in incognito or private mode and go to `https://<app-name>.azurewebsites.net`.
+1. To verify that access to your app is limited to users in your organization, go to your web app **Overview** and select the **Default domain** link.  Or, start a browser in incognito or private mode and go to `https://<app-name>.azurewebsites.net`.
 
     :::image type="content" alt-text="Screenshot that shows verifying access." source="../../media/scenario-secure-app-authentication-app-service/verify-access.png":::
 

articles/app-service/includes/tutorial-set-up-app-service-authentication/intro.md

@@ -22,18 +22,18 @@ In this tutorial, you learn how to:
 > [!div class="checklist"]
 >
 > * Configure authentication for the web app.
-> * Limit access to the web app to users in your organization by using Microsoft Entra ID as the identity provider.
+> * Limit access to the web app to users in your organization by using Microsoft Entra as the identity provider.
 
 ## Automatic authentication provided by App Service
 
-App Service provides built-in authentication and authorization support, so you can sign in users with no code in your web app. Using the optional App Service authentication/authorization module simplifies authentication and authorization for your app. When you are ready for custom authentication and authorization, you build on this architecture.
+App Service provides built-in authentication and authorization support, so you can sign in users with no code in your web app. Using the optional App Service authentication/authorization module simplifies authentication and authorization for your app. When you're ready for custom authentication and authorization, you build on this architecture.
 
 App service authentication provides:
 
 * Easily turn on and configure through the Azure portal and app settings. 
 * No SDKs, specific languages, or changes to application code are required.​ 
 * Several identity providers are supported:
-    * Microsoft Entra ID
+    * Microsoft Entra
     * Microsoft Account
     * Facebook
     * Google