articles/active-directory-b2c/custom-policy-get-started.md
Lines changed: 1 addition & 1 deletion
@@ -134,7 +134,7 @@ Next, specify that the application should be treated as a public client:
134
134
135
135
1. Under **Manage**, select **Authentication**.
136
136
1. Select **Try out the new experience** (if shown).
137
-
1. Under **Advanced settings**, enable **Treat application as a public client** (select **Yes**).
137
+
1. Under **Advanced settings**, enable **Treat application as a public client** (select **Yes**). Ensure that **"allowPublicClient": true** is set in the application manifest.
138
138
1. Select **Save**.
139
139
140
140
Now, grant permissions to the API scope you exposed earlier in the *IdentityExperienceFramework* registration:
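Review bot: the added manifest instruction on the new line 137 puts a JSON fragment in bold; use code formatting, `"allowPublicClient": true`, because bold is how the surrounding steps mark UI labels and a reader may look for a control with that name. If the **Treat application as a public client** toggle is what writes this value to the manifest, say so, so the sentence reads as a verification step ("confirm that the manifest now contains ...") rather than as a second, separate setting the reader has to make.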
articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Lines changed: 4 additions & 0 deletions
@@ -115,6 +115,10 @@ In addition to the Microsoft apps, administrators can add any Azure AD registere
115
115
-[Custom applications not in the gallery](../manage-apps/add-non-gallery-app.md)
116
116
-[Legacy applications published through app delivery controllers and networks](../manage-apps/secure-hybrid-access.md)
117
117
118
+
> [!NOTE]
119
+
> Since Conditional access policy sets the requirements for accessing a service you are not able to apply it to a client (public/native) application. Other words the policy is not set directly on a client (public/native) application, but is applied when a client calls a service. For example, a policy set on SharePoint service applies to the clients calling SharePoint. A policy set on Exchange applies to the attempt to access the email using Outlook client. That is why client (public/native) applications are not available for selection in the Cloud Apps picker and Conditional Access option is not available in the application settings for the client (public/native) application registered in your tenant.
120
+
121
+
118
122
## User actions
119
123
120
124
User actions are tasks that can be performed by a user. The only currently supported action is **Register security information**, which allows Conditional Access policy to enforce when users who are enabled for combined registration attempt to register their security information. More information can be found in the article, [Combined security information registration](../authentication/concept-registration-mfa-sspr-combined.md).
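Review bot: the new note (lines 118-119) needs a grammar pass before merge: "Conditional access policy" should match the "Conditional Access" casing used in the heading and body, "Other words" should be "In other words", and the two long sentences should be split. Suggested opening: "> Conditional Access policy sets the requirements for accessing a service, so it cannot be applied to a client (public/native) application. In other words, the policy is not set on the client application; it is applied when the client calls a service." The substantive point, that the policy is enforced at the resource being called regardless of which client calls it, is the right one and should stay as the lead sentence, since it explains both why clients are absent from the Cloud Apps picker and why there is no Conditional Access option in the client's app settings.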
articles/active-directory/develop/active-directory-v2-protocols.md
Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ ms.custom: aaddev
18
18
19
19
# OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform
20
20
21
-
The Microsoft identity platform endpoint for identity-as-a-service with industry standard protocols, OpenID Connect (OIDC) and OAuth 2.0. While the service is standards-compliant, there can be subtle differences between any two implementations of these protocols. The information here will be useful if you choose to write your code by directly sending and handling HTTP requests or use a third-party open-source library, rather than using one of our [open-source libraries](reference-v2-libraries.md).
21
+
The Microsoft identity platform endpoint for identity-as-a-service implements authentication and authorization with industry standard protocols OpenID Connect (OIDC) and OAuth 2.0, respectively. While the service is standards-compliant, there can be subtle differences between any two implementations of these protocols. The information here will be useful if you choose to write your code by directly sending and handling HTTP requests or use a third-party open-source library, rather than using one of our [open-source libraries](reference-v2-libraries.md).
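Review bot: the replaced line 21 needs a hyphen and commas: "industry-standard protocols, OpenID Connect (OIDC) and OAuth 2.0, respectively". The "respectively" pairing (OIDC for authentication, OAuth 2.0 for authorization) is correct and is a real improvement, since the old sentence had no main verb.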
articles/active-directory/develop/single-sign-on-saml-protocol.md
Lines changed: 2 additions & 2 deletions
@@ -89,10 +89,10 @@ The `Scoping` element, which includes a list of identity providers, is optional
89
89
If provided, don't include the `ProxyCount` attribute, `IDPListOption` or `RequesterID` element, as they aren't supported.
90
90
91
91
### Signature
92
-
Don't include a `Signature` element in `AuthnRequest` elements, as Azure AD does not support signed authentication requests.
92
+
Don't include a `Signature` element in `AuthnRequest` elements. Azure AD does not validate signed authentication requests. Requestor verification is provided for by only responding to registered Assertion Consumer Service URLs.
93
93
94
94
### Subject
95
-
Azure AD ignores the `Subject` element of `AuthnRequest` elements.
95
+
Don't include a `Subject` element. Azure AD doesn't support specifying a subject for a request and will return an error if one is provided.
96
96
97
97
## Response
98
98
When a requested sign-on completes successfully, Azure AD posts a response to the cloud service. A response to a successful sign-on attempt looks like the following sample:
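Review bot: the new Signature sentence (line 92) changes "does not support" to "does not validate" without saying what happens when a `Signature` element is present (ignored or rejected); state it explicitly, because the Subject change two paragraphs later does say an error is returned, and a reader comparing the two sections will expect the same precision. "Requestor verification is provided for by only responding to registered Assertion Consumer Service URLs" is also awkward; suggest "Azure AD verifies the requester by responding only to registered Assertion Consumer Service URLs", which makes clear that ACS URL registration is the control that stands in for request signing. For the Subject change, naming or linking the specific error returned would help readers recognize it when they hit it.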
articles/active-directory/develop/v2-conditional-access-dev-guide.md
Lines changed: 1 addition & 1 deletion
@@ -171,7 +171,7 @@ error_description=AADSTS50076: Due to a configuration change made by your admini
171
171
172
172
Our app needs to catch the `error=interaction_required`. The application can then use either `acquireTokenPopup()` or `acquireTokenRedirect()` on the same resource. The user is forced to do a multi-factor authentication. After the user completes the multi-factor authentication, the app is issued a fresh access token for the requested resource.
173
173
174
-
To try out this scenario, see our [JS SPA On-behalf-of code sample](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/master/Microsoft.Identity.Web/README.md#handle-conditional-access). This code sample uses the Conditional Access policy and web API you registered earlier with a JS SPA to demonstrate this scenario. It shows how to properly handle the claims challenge and get an access token that can be used for your web API. Alternatively, checkout the general [Angular.js code sample](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2) for guidance on an Angular SPA
174
+
To try out this scenario, see our [JS SPA On-behalf-of code sample](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/a2b257381b410c765ee01ecb611aa6f98c099eb1/2.%20Web%20API%20now%20calls%20Microsoft%20Graph/README.md). This code sample uses the Conditional Access policy and web API you registered earlier with a JS SPA to demonstrate this scenario. It shows how to properly handle the claims challenge and get an access token that can be used for your web API. Alternatively, checkout the general [Angular.js code sample](https://github.com/Azure-Samples/active-directory-javascript-graphapi-v2) for guidance on an Angular SPA
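Review bot: the new link (line 174) pins the sample to a specific commit SHA and to a folder named "2. Web API now calls Microsoft Graph" inside a .NET sample, while the link text still reads "JS SPA On-behalf-of code sample"; either update the link text to describe the destination or link to the branch head so the sample does not go stale when the repository moves on. The unchanged context in the same paragraph has "checkout" for "check out" and no period at the end of the last sentence, which could be fixed in the same edit.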