
Commit e7a4c98

Merge pull request #249877 from garrodonnell/sign-in-updates-1
[Identity Platform] Update steps from Azure portal to Entra admin center - ADO 147902
2 parents 3b94290 + e69e923 commit e7a4c98

17 files changed, with 142 additions and 101 deletions.

articles/active-directory/develop/how-applications-are-added.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ There are two representations of applications in Azure Active Directory (Azure A
2525

2626
## What are application objects and where do they come from?
2727

28-
You can manage [application objects](app-objects-and-service-principals.md#application-object) in the Azure portal through the [App registrations](https://aka.ms/appregistrations) experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings. The application object will only exist in its home directory, even if it's a multi-tenant application supporting service principals in other directories. The application object may include (but not limited to) any of the following:
28+
You can manage [application objects](app-objects-and-service-principals.md#application-object) in the Microsoft Entra admin center through the [App registrations](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) experience. Application objects describe the application to Azure AD and can be considered the definition of the application, allowing the service to know how to issue tokens to the application based on its settings. The application object will only exist in its home directory, even if it's a multi-tenant application supporting service principals in other directories. The application object may include (but not limited to) any of the following:
2929

3030
- Name, logo, and publisher
3131
- Redirect URIs
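
Review bot: The new **App registrations** link on line 28 hard-codes a portal deep link (`#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade`) where the old text used the `aka.ms/appregistrations` redirect. A redirect can be repointed without touching the article, a blade path cannot, so consider keeping a redirect-style link or giving the navigation path (**Identity** > **Applications** > **App registrations**) the way the procedures elsewhere in this commit do.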
@@ -39,15 +39,15 @@ You can manage [application objects](app-objects-and-service-principals.md#appli
3939

4040
Application objects can be created through multiple pathways, including:
4141

42-
- Application registrations in the Azure portal
42+
- Application registrations in the Microsoft Entra admin center
4343
- Creating a new application using Visual Studio and configuring it to use Azure AD authentication
4444
- When an admin adds an application from the app gallery (which will also create a service principal)
4545
- Using the Microsoft Graph API or PowerShell to create a new application
4646
- Many others including various developer experiences in Azure and in API explorer experiences across developer centers
4747

4848
## What are service principals and where do they come from?
4949

50-
You can manage [service principals](app-objects-and-service-principals.md#service-principal-object) in the Azure portal through the [Enterprise Applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/) experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory), and one or more service principal objects representing instances of the application in every directory in which it acts.
50+
You can manage [service principals](app-objects-and-service-principals.md#service-principal-object) in the Microsoft Entra admin center through the [Enterprise Applications](https://entra.microsoft.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/) experience. Service principals are what govern an application connecting to Azure AD and can be considered the instance of the application in your directory. For any given application, it can have at most one application object (which is registered in a "home" directory), and one or more service principal objects representing instances of the application in every directory in which it acts.
5151

5252
The service principal can include:
5353
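
Review bot: The **Enterprise Applications** link on line 50 only swaps the host to `entra.microsoft.com` and keeps the old `#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/` fragment, while the App registrations link changed earlier in this file uses the `#view/...` form. Please confirm the carried-over fragment resolves on the new host, and use one link style for both, or replace the link with the navigation path **Identity** > **Applications** > **Enterprise applications**.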

@@ -127,14 +127,14 @@ Allowing users to register and consent to applications might initially sound con
127127
- Users signing in to applications using their organization accounts for business purposes is a good thing. If they subsequently leave the organization they'll automatically lose access to their account in the application they were using.
128128
- Having a record of what data was shared with which application is a good thing. Data is more transportable than ever and it's useful to have a clear record of who shared what data with which applications.
129129
- API owners who use Azure AD for OAuth decide exactly what permissions users are able to grant to applications and which permissions require an admin to agree to. Only admins can consent to larger scopes and more significant permissions, while user consent is scoped to the users' own data and capabilities.
130-
- When a user adds or allows an application to access their data, the event can be audited so you can view the Audit Reports within the Azure portal to determine how an application was added to the directory.
130+
- When a user adds or allows an application to access their data, the event can be audited so you can view the Audit Reports within the Microsoft Entra admin center to determine how an application was added to the directory.
131131

132132
If you still want to prevent users in your directory from registering applications and from signing in to applications without administrator approval, there are two settings that you can change to turn off those capabilities:
133133

134134
- To change the user consent settings in your organization, see [Configure how users consent to applications](../manage-apps/configure-user-consent.md).
135135

136136
- To prevent users from registering their own applications:
137-
1. In the Azure portal, go to the [User settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings) section under **App registrations**
137+
1. In the Microsoft Entra admin center, browse to **Identity** > **Users** > **User settings**.
138138
2. Change **Users can register applications** to **No**.
139139

140140
<!--Image references-->
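
Review bot: Step 1 on line 137 drops the direct link and starts at "browse to **Identity** > **Users** > **User settings**" without a sign-in step or any statement of the role needed to change **Users can register applications**. The other procedures updated in this commit open with "Sign in to the Microsoft Entra admin center as at least a ..." and name the least-privileged role; this tenant-wide setting deserves the same, so a reader knows which role to request rather than reaching for a broader one.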

articles/active-directory/develop/howto-add-app-roles-in-apps.md

Lines changed: 14 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -25,25 +25,24 @@ Another approach is to use Azure Active Directory (Azure AD) groups and group cl
2525

2626
## Declare roles for an application
2727

28-
You define app roles by using the [Azure portal](https://portal.azure.com) during the [app registration process](quickstart-register-app.md). App roles are defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a `roles` claim for each role that the user or service principal has been granted. This can be used to implement [claim-based authorization](./claims-validation.md). App roles can be assigned [to a user or a group of users](../manage-apps/add-application-portal-assign-users.md). App roles can also be assigned to the service principal for another application, or [to the service principal for a managed identity](../managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md).
28+
You define app roles by using the [Microsoft Entra admin center](https://entra.microsoft.com) during the [app registration process](quickstart-register-app.md). App roles are defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a `roles` claim for each role that the user or service principal has been granted. This can be used to implement [claim-based authorization](./claims-validation.md). App roles can be assigned [to a user or a group of users](../manage-apps/add-application-portal-assign-users.md). App roles can also be assigned to the service principal for another application, or [to the service principal for a managed identity](../managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md).
2929

3030
Currently, if you add a service principal to a group, and then assign an app role to that group, Azure AD doesn't add the `roles` claim to tokens it issues.
3131

32-
App roles are declared using App roles UI in the Azure portal:
32+
App roles are declared using App roles UI in the Microsoft Entra admin center:
3333

3434
The number of roles you add counts toward application manifest limits enforced by Azure AD. For information about these limits, see the [Manifest limits](./reference-app-manifest.md#manifest-limits) section of [Azure Active Directory app manifest reference](reference-app-manifest.md).
3535

3636
### App roles UI
3737

3838
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
3939

40-
To create an app role by using the Azure portal's user interface:
40+
To create an app role by using the Microsoft Entra admin center's user interface:
4141

42-
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
42+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
4343
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration to which you want to add an app role.
44-
1. Search for and select **Azure Active Directory**.
45-
1. Under **Manage**, select **App registrations**, and then select the application you want to define app roles in.
46-
1. Select **App roles**, and then select **Create app role**.
44+
1. Browse to **Identity** > **Applications** > **App registrations** and then select the application you want to define app roles in.
45+
1. Under manage select **App roles**, and then select **Create app role**.
4746

4847
:::image type="content" source="media/howto-add-app-roles-in-apps/app-roles-overview-pane.png" alt-text="An app registration's app roles pane in the Azure portal":::
4948
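
Review bot: New line 45 reads "Under manage select **App roles**", which loses the bold UI label and the comma that the replaced steps and the rest of this commit use ("Under **Manage**, select ..."). Suggest "Under **Manage**, select **App roles**, and then select **Create app role**." The unchanged image on line 48 also still carries the alt text "An app registration's app roles pane in the Azure portal", which now contradicts the surrounding steps and may need a new screenshot.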

@@ -78,10 +77,11 @@ If you have not already done so, you'll need to assign yourself as the applicati
7877

7978
Once you've added app roles in your application, you can assign users and groups to the roles. Assignment of users and groups to roles can be done through the portal's UI, or programmatically using [Microsoft Graph](/graph/api/user-post-approleassignments). When the users assigned to the various app roles sign in to the application, their tokens will have their assigned roles in the `roles` claim.
8079

81-
To assign users and groups to roles by using the Azure portal:
80+
To assign users and groups to roles by using the Microsoft Entra admin center:
8281

83-
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
84-
1. In **Azure Active Directory**, select **Enterprise applications** in the left-hand navigation menu.
82+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
83+
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration to which you want to add an app role.
84+
1. Browse to **Identity** > **Applications** > **Enterprise applications**.
8585
1. Select **All applications** to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the **All applications** list to restrict the list, or scroll down the list to locate your application.
8686
1. Select the application in which you want to assign users or security group to roles.
8787
1. Under **Manage**, select **Users and groups**.
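
Review bot: The tenant-switch step added on line 83 is copied from the app-role creation procedure and still says "the tenant that contains the app registration to which you want to add an app role", but this procedure assigns users and groups under **Enterprise applications**. Suggest wording such as "the tenant that contains the application to which you want to assign users and groups" so the step matches the task.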
@@ -96,14 +96,14 @@ Confirm that the users and groups you added appear in the **Users and groups** l
9696

9797
## Assign app roles to applications
9898

99-
Once you've added app roles in your application, you can assign an app role to a client app by using the Azure portal or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments).
99+
Once you've added app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments).
100100

101101
When you assign app roles to an application, you create _application permissions_. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API call as themselves, without the interaction of a user.
102102

103-
To assign app roles to an application by using the Azure portal:
103+
To assign app roles to an application by using the Microsoft Entra admin center:
104104

105-
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
106-
1. In **Azure Active Directory**, select **App registrations** in the left-hand navigation menu.
105+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
106+
1. Browse to **Identity** > **Applications** > **App registrations** and then select **All applications**.
107107
1. Select **All applications** to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the **All applications** list to restrict the list, or scroll down the list to locate your application.
108108
1. Select the application to which you want to assign an app role.
109109
1. Select **API permissions** > **Add a permission**.
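
Review bot: New line 106 ends with "and then select **All applications**", and the unchanged step on line 107 immediately begins "Select **All applications** to view a list of all your applications", so the reader is told to do the same thing twice. Drop the trailing clause from line 106 or fold the two steps together. This procedure also lacks the multi-tenant **Directories + subscriptions** step that the other two procedures in this file gained in this commit.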

articles/active-directory/develop/howto-remove-app.md

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,6 @@ In the following sections, you learn how to:
2828

2929
## Prerequisites
3030

31-
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
3231
- An [application registered in your Azure AD tenant](quickstart-register-app.md)
3332

3433
## Remove an application authored by you or your organization
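
Review bot: Deleting the roles bullet on old line 31 leaves the Prerequisites section with no permission requirement at all, and it drops "owner of the service principal" as a qualifying identity. The role now appears only inside step 1 of the procedure further down, so a reader checking prerequisites before starting will not see it. Suggest keeping a prerequisite bullet that states the least-privileged role and the owner alternative.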
@@ -40,12 +39,9 @@ Applications that you or your organization have registered are represented by bo
4039
> [!NOTE]
4140
> Deleting an application will also delete its service principal object in the application's home directory. For multi-tenant applications, service principal objects in other directories will not be deleted.
4241
43-
To delete an application, be listed as an owner of the application or have admin privileges.
44-
45-
1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
46-
1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which the app is registered.
47-
1. Search and select the **Azure Active Directory**.
48-
1. Under **Manage**, select **App registrations** and select the application that you want to configure. Once you've selected the app, you see the application's **Overview** page.
42+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
43+
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration to which you want to add an app role.
44+
1. Browse to **Identity** > **Applications** > **App registrations** and then select the application that you want to configure. Once you've selected the app, you see the application's **Overview** page.
4945
1. From the **Overview** page, select **Delete**.
5046
1. Read the deletion consequences. Check the box if one appears at the bottom of the pane.
5147
1. Select **Delete** to confirm that you want to delete the app.
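
Review bot: The tenant-switch step on new line 43 says "the tenant that contains the app registration to which you want to add an app role", which is carried over from the app-roles article; this procedure deletes an application, and the replaced text correctly said "the tenant in which the app is registered". The hunk also removes the sentence on old line 43 that an application owner can delete the app, so the steps now imply a directory role is required; if owners can still delete their own apps, say so to avoid unnecessary role assignments.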

articles/active-directory/develop/howto-restore-app.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ ms.custom: aaddev
2020

2121
After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties. After that 30-day window passes, app registrations can't be restored, and the permanent deletion process may be automatically started. This functionality only applies to applications associated to a directory. It isn't available for applications from a personal Microsoft account, which can't be restored.
2222

23-
You can view your deleted applications, restore a deleted application, or permanently delete an application using the **App registrations** experience under Azure Active Directory (Azure AD) in the Azure portal.
23+
You can view your deleted applications, restore a deleted application, or permanently delete an application using the **App registrations** experience under Azure Active Directory (Azure AD) in the Microsoft Entra admin center.
2424

2525
Neither you nor Microsoft customer support can restore a permanently deleted application or an application deleted more than 30 days ago.
2626
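
Review bot: New line 23 now reads "the **App registrations** experience under Azure Active Directory (Azure AD) in the Microsoft Entra admin center", but the navigation introduced in the next hunk is **Identity** > **Applications** > **App registrations**, with no "Azure Active Directory" node. Suggest removing "under Azure Active Directory (Azure AD)" or replacing it with the new path so the overview and the steps agree.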

@@ -47,8 +47,8 @@ You can see all the applications in a soft deleted state. Only applications del
4747

4848
To view your restorable applications:
4949

50-
1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
51-
1. Search and select **Azure Active Directory**, select **App registrations**, and then select the **Deleted applications** tab.
50+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) using one of the roles listed in the prerequisites.
51+
1. Browse to **Identity** > **Applications** > **App registrations**, and then select the **Deleted applications** tab.
5252

5353
Review the list of applications. Only applications that have been deleted in the past 30 days are available to restore. If using the App registrations search preview, you can filter by the 'Deleted date' column to see only these applications.
5454
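
Review bot: Step 1 on new line 50 defers to "one of the roles listed in the prerequisites", while every other sign-in step touched in this commit names the role inline ("as at least a Cloud Application Administrator"). The same commit deletes the roles bullet from the prerequisites of howto-remove-app.md, so please confirm this article's prerequisites still list roles, and consider naming the least-privileged role here for consistency.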

articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -39,12 +39,11 @@ The option to restrict an app to a specific set of users, apps or security group
3939

4040
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
4141

42-
To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be assigned one of **Global administrator**, **Application administrator**, or **Cloud application administrator** directory roles.
42+
To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
4343

44-
1. Sign in to the [Azure portal](https://portal.azure.com)
45-
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch the tenant in which you want to register an application.
46-
1. Search for and select **Azure Active Directory**.
47-
1. Under **Manage**, select **Enterprise Applications** then select **All applications**.
44+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).
45+
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration to which you want to add an app role.
46+
1. Browse to **Identity** > **Applications** > **Enterprise applications**, then select **All applications**.
4847
1. Select the application you want to configure to require assignment. Use the filters at the top of the window to search for a specific application.
4948
1. On the application's **Overview** page, under **Manage**, select **Properties**.
5049
1. Locate the setting **Assignment required?** and set it to **Yes**. When this option is set to **Yes**, users and services attempting to access the application or services must first be assigned for this application, or they won't be able to sign-in or obtain an access token.
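
Review bot: The tenant-switch step on new line 45 again reuses "the tenant that contains the app registration to which you want to add an app role", which does not fit a procedure that sets **Assignment required?** on an enterprise application. Suggest "the tenant that contains the application you want to configure". Step 1 on line 44 also omits the "as at least a ..." clause used in the other updated articles; the role is stated on line 42, but repeating it in the step would keep the procedures uniform.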
