Commit c86ffe5

Merge pull request #230361 from MicrosoftDocs/main
Publish to live, Sunday 4 AM PST, 3/12
2 parents 3871f21 + a68c6e2 commit c86ffe5

65 files changed: +534 -254 lines changed


articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -181,7 +181,7 @@ authContext.acquireTokenRedirect("https://graph.microsoft.com", function (error,
181181
});
182182
```
183183

184-
MSAL.js supports both **v1.0** and **v2.0** endpoints. The **v2.0** endpoint employs a *scope-centric* model to access resources. Thus, when you request an access token for a resource, you also need to specify the scope for that resource:
184+
MSAL.js supports only the **v2.0** endpoint. The **v2.0** endpoint employs a *scope-centric* model to access resources. Thus, when you request an access token for a resource, you also need to specify the scope for that resource:
185185

186186
```javascript
187187
msalInstance.acquireTokenRedirect({
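Review bot: the replacement sentence now reads "MSAL.js supports only the **v2.0** endpoint." and the very next sentence (unchanged) starts "The **v2.0** endpoint employs a *scope-centric* model", so the endpoint is named twice in a row; fold them into one sentence ("MSAL.js supports only the **v2.0** endpoint, which employs a *scope-centric* model to access resources.") and use the same wording in the companion edit to msal-node-migration.md in this commit.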

articles/active-directory/develop/msal-node-migration.md

Lines changed: 1 addition & 1 deletion
@@ -171,7 +171,7 @@ authenticationContext.acquireTokenWithAuthorizationCode(
171171
);
172172
```
173173

174-
The v2.0 endpoint employs a *scope-centric* model to access resources. Thus, when you request an access token for a resource, you also need to specify the scope for that resource:
174+
MSAL Node supports only the **v2.0** endpoint. The v2.0 endpoint employs a *scope-centric* model to access resources. Thus, when you request an access token for a resource, you also need to specify the scope for that resource:
175175

176176
```javascript
177177
const tokenRequest = {
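Review bot: the new first sentence bolds **v2.0** while the unchanged sentence that follows writes it as plain v2.0; use one treatment within the paragraph. As with the msal-compare-msal-js-and-adal-js.md edit in this commit, the second sentence now restates the first, so consider merging them ("MSAL Node supports only the **v2.0** endpoint, which employs a *scope-centric* model...").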

articles/active-directory/governance/entitlement-management-external-users.md

Lines changed: 17 additions & 6 deletions
@@ -33,9 +33,9 @@ When using the [Azure AD B2B](../external-identities/what-is-b2b.md) invite expe
3333

3434
With entitlement management, you can define a policy that allows users from organizations you specify to be able to self-request an access package. That policy includes whether approval is required, whether access reviews are required, and an expiration date for the access. If approval is required, you might consider inviting one or more users from the external organization to your directory, designating them as sponsors, and configuring that sponsors are approvers - since they're likely to know which external users from their organization need access. Once you've configured the access package, obtain the access package's request link so you can send that link to your contact person (sponsor) at the external organization. That contact can share with other users in their external organization, and they can use this link to request the access package. Users from that organization who have already been invited into your directory can also use that link.
3535

36-
Typically, when a request is approved, entitlement management will provision the user with the necessary access. If the user isn't already in your directory, entitlement management will first invite the user. When the user is invited, Azure AD will automatically create a B2B guest account for them but won't send the user an email. An administrator may have previously limited which organizations are allowed for collaboration, by setting a [B2B allow or blocklist](../external-identities/allow-deny-list.md) to allow or block invites to other organization's domains. If the user's domain isn't allowed by those lists, then they won't be invited and can't be assigned access until the lists are updated.
36+
Typically, when a request is approved, entitlement management provisions the user with the necessary access. If the user isn't already in your directory, entitlement management will first invite the user. When the user is invited, Azure AD will automatically create a B2B guest account for them but won't send the user an email. An administrator may have previously limited which organizations are allowed for collaboration, by setting a [B2B allow or blocklist](../external-identities/allow-deny-list.md) to allow or block invites to other organization's domains. If the user's domain isn't allowed by those lists, then they won't be invited and can't be assigned access until the lists are updated.
3737

38-
Since you don't want the external user's access to last forever, you specify an expiration date in the policy, such as 180 days. After 180 days, if their access isn't extended, entitlement management will remove all access associated with that access package. By default, if the user who was invited through entitlement management has no other access package assignments, then when they lose their last assignment, their guest account will be blocked from signing in for 30 days, and later removed. This prevents the proliferation of unnecessary accounts. As described in the following sections, these settings are configurable.
38+
Since you don't want the external user's access to last forever, you specify an expiration date in the policy, such as 180 days. After 180 days, if their access isn't extended, entitlement management will remove all access associated with that access package. By default, if the user who was invited through entitlement management has no other access package assignments, then when they lose their last assignment, their guest account is blocked from signing in for 30 days, and later removed. This prevents the proliferation of unnecessary accounts. As described in the following sections, these settings are configurable.
3939

4040
## How access works for external users
4141
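Review bot: the tense change is only partial: the paragraph now opens with "entitlement management provisions the user" but continues with "will first invite the user" and "will automatically create a B2B guest account"; either convert the whole paragraph to present tense or leave the first sentence as it was, otherwise the mix reads as an inconsistency rather than a style pass. The same applies to the following paragraph, where "is blocked from signing in for 30 days" now sits beside "will remove all access associated with that access package".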

@@ -51,11 +51,11 @@ The following diagram and steps provide an overview of how external users are gr
5151

5252
1. An external user (**Requestor A** in this example) uses the My Access portal link to [request access](entitlement-management-request-access.md) to the access package. How the user signs in depends on the authentication type of the directory or domain that's defined in the connected organization and in the external users settings.
5353

54-
1. An approver [approves the request](entitlement-management-request-approve.md) (or the request is auto-approved).
54+
1. An approver [approves the request](entitlement-management-request-approve.md) (or the request is autoapproved).
5555

5656
1. The request goes into the [delivering state](entitlement-management-process.md).
5757

58-
1. Using the B2B invite process, a guest user account is created in your directory (**Requestor A (Guest)** in this example). If an [allowlist or a blocklist](../external-identities/allow-deny-list.md) is defined, the list setting will be applied.
58+
1. Using the B2B invite process, a guest user account is created in your directory (**Requestor A (Guest)** in this example). If an [allowlist or a blocklist](../external-identities/allow-deny-list.md) is defined, the list setting is applied.
5959

6060
1. The guest user is assigned access to all of the resources in the access package. It can take some time for changes to be made in Azure AD and to other Microsoft Online Services or connected SaaS applications. For more information, see [When changes are applied](entitlement-management-access-package-resources.md#when-changes-are-applied).
6161
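Review bot: "autoapproved" is not a term readers will recognise; "automatically approved" says the same thing without coining a compound, and it matches how the linked approval article describes the behaviour. The "is applied" change in the B2B invite step is fine.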

@@ -81,7 +81,7 @@ To ensure people outside of your organization can request access packages and ge
8181

8282
- Allowing guests to invite other guests to your directory means that guest invites can occur outside of entitlement management. We recommend setting **Guests can invite** to **No** to only allow for properly governed invitations.
8383
- If you have been previously using the B2B allowlist, you must either remove that list, or make sure all the domains of all the organizations you want to partner with using entitlement management are added to the list. Alternatively, if you're using the B2B blocklist, you must make sure no domain of any organization you want to partner with is present on that list.
84-
- If you create an entitlement management policy for **All users** (All connected organizations + any new external users), and a user doesn’t belong to a connected organization in your directory, a connected organization will automatically be created for them when they request the package. However, any B2B [allow or blocklist](../external-identities/allow-deny-list.md) settings you have will take precedence. Therefore, you'll want to remove the allowlist, if you were using one, so that **All users** can request access, and exclude all authorized domains from your blocklist if you're using a blocklist.
84+
- If you create an entitlement management policy for **All users** (All connected organizations + any new external users), and a user doesn’t belong to a connected organization in your directory, a connected organization will automatically be created for them when they request the package. However, any B2B [allow or blocklist](../external-identities/allow-deny-list.md) settings you have will take precedence. Therefore, you want to remove the allowlist, if you were using one, so that **All users** can request access, and exclude all authorized domains from your blocklist if you're using a blocklist.
8585
- If you want to create an entitlement management policy that includes **All users** (All connected organizations + any new external users), you must first enable email one-time passcode authentication for your directory. For more information, see [Email one-time passcode authentication](../external-identities/one-time-passcode.md).
8686
- For more information about Azure AD B2B external collaboration settings, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md).
8787
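Review bot: replacing "you'll want to remove the allowlist" with "you want to remove the allowlist" turns a recommendation into a statement about the reader's wishes; write it as an instruction ("Therefore, remove the allowlist, if you were using one, so that **All users** can request access, and remove all authorized domains from your blocklist") so the step that actually gates external access is unambiguous. This line also uses a curly apostrophe in "doesn’t", unlike the straight apostrophes elsewhere in the file.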

@@ -90,12 +90,23 @@ To ensure people outside of your organization can request access packages and ge
9090
> [!NOTE]
9191
> If you create a connected organization for an Azure AD tenant from a different Microsoft cloud, you also need to configure cross-tenant access settings appropriately. For more information on how to configure these settings, see [Configure cross-tenant access settings](../external-identities/cross-cloud-settings.md).
9292
93-
### Review your Conditional Access policies
93+
### Review your Conditional Access policies (Preview)
9494

9595
- Make sure to exclude guests from any Conditional Access policies that new guest users won't be able to meet as this will block them from being able to sign in to your directory. For example, guests likely don't have a registered device, aren't in a known location, and don't want to re-register for multi-factor authentication (MFA), so adding these requirements in a Conditional Access policy will block guests from using entitlement management. For more information, see [What are conditions in Azure Active Directory Conditional Access?](../conditional-access/concept-conditional-access-conditions.md).
9696

9797
![Azure AD Conditional Access policy exclude settings](./media/entitlement-management-external-users/conditional-access-exclude.png)
9898

99+
- A common policy for entitlement management customers is to block all apps from guests except entitlement management for guests. This policy allows guests to enter MyAccess and request an access package. This package should contain a group (it's called Guests from MyAccess in the example below), which should be excluded from the block all apps policy. Once the package is approved, the guest is in the directory. Given that the end user has the access package assignment and is part of the group, the end user is able to access all other apps. Other common policies include excluding entitlement management app from MFA and compliant device.
100+
101+
:::image type="content" source="media/entitlement-management-external-users/exclude-app-guests.png" alt-text="Screenshot of exclude app options.":::
102+
103+
:::image type="content" source="media/entitlement-management-external-users/exclude-cloud-apps.png" alt-text="Screenshot of selection to exclude cloud apps.":::
104+
105+
:::image type="content" source="media/entitlement-management-external-users/exclude-app-guests-selection.png" alt-text="Screenshot of the exclude guests app selection.":::
106+
107+
> [!NOTE]
108+
> The entitlement management app includes the entitlement management side of MyAccess, the entitlement management side of Azure Portal and the entitlement management part of MS graph. The latter two require additional permissions for access, hence won't be accessed by guests unless explicit permission is provided.
109+
99110
### Review your SharePoint Online external sharing settings
100111

101112
- If you want to include SharePoint Online sites in your access packages for external users, make sure that your organization-level external sharing setting is set to **Anyone** (users don't require sign in), or **New and existing guests** (guests must sign in or provide a verification code). For more information, see [Turn external sharing on or off](/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting).
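Review bot: the last sentence of the new bullet ("Other common policies include excluding entitlement management app from MFA and compliant device") recommends a Conditional Access exclusion without saying who it applies to or what it costs; state that the exclusion should be scoped to guests only, consistent with the preceding bullet, and that once a guest is placed in the excluded group the policies on the other apps still apply to them. Three smaller points in the same hunk: the "(Preview)" tag on the heading is ambiguous, since reviewing Conditional Access policies is not itself new; if it is the entitlement management app as a selectable cloud app that is in preview, say so in the bullet rather than in the heading. The bullet refers to a group "called Guests from MyAccess in the example below", but none of the three image alt texts mentions that name, so either show it in an alt text or label it as an example name. In the note, "MS graph" should be "Microsoft Graph", "Azure Portal" should be "Azure portal", and "MyAccess" should be "My Access" to match "My Access portal" earlier in this file.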

articles/active-directory/hybrid/how-to-connect-fed-saml-idp.md

Lines changed: 3 additions & 0 deletions
@@ -63,6 +63,9 @@ Within the SAML Response message, the Signature node contains information about
6363
9. The SignatureMethod Algorithm must match the following sample:
6464
`<ds:SignatureMethod Algorithm="https://www.w3.org/2000/09/xmldsig#rsa-sha1"/>`
6565

66+
>[!NOTE]
67+
>In order to improve the security SHA-1 algorithm is deprecated. Ensure to use a more secure algorithm like SHA-256. More information [can be found](https://learn.microsoft.com/lifecycle/announcements/sha-1-signed-content-retired).
68+
6669
## Supported bindings
6770
Bindings are the transport-related communications parameters that are required. The following requirements apply to the bindings
6871
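Review bot: the new note contradicts the step it follows: step 9 still says the SignatureMethod Algorithm "must match the following sample", and the sample is rsa-sha1, so the reader is told in one breath that SHA-1 is required and that it is deprecated. Update step 9 to show the SHA-256 identifier (`http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`) as the expected value, or reword it to "must be one of the following" with SHA-1 marked as legacy. Two smaller issues: the note's first sentence is ungrammatical ("In order to improve the security SHA-1 algorithm is deprecated"); suggest "The SHA-1 algorithm is deprecated; use a stronger algorithm such as SHA-256." And the sample's Algorithm value uses an https scheme, whereas the XML Signature identifier is `http://www.w3.org/2000/09/xmldsig#rsa-sha1`; implementations compare this value as an opaque string, so the https form may not be recognised.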

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure-graph.md

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ author: rolyon
66
manager: amycolannino
77
ms.service: active-directory
88
ms.workload: identity
9+
ms.subservice: multi-tenant-organizations
910
ms.topic: how-to
1011
ms.date: 03/08/2023
1112
ms.author: rolyon

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ author: rolyon
66
manager: amycolannino
77
ms.service: active-directory
88
ms.workload: identity
9+
ms.subservice: multi-tenant-organizations
910
ms.topic: how-to
1011
ms.date: 03/08/2023
1112
ms.author: rolyon

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.md

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ author: rolyon
66
manager: amycolannino
77
ms.service: active-directory
88
ms.workload: identity
9+
ms.subservice: multi-tenant-organizations
910
ms.topic: overview
1011
ms.date: 02/22/2023
1112
ms.author: rolyon
