articles/active-directory/conditional-access/concept-conditional-access-policies.md: 8 additions & 8 deletions
@@ -36,14 +36,14 @@ All policies are enforced in two phases:
36
36
- Use the session details gathered in phase 1 to identify any requirements that haven't been met.
37
37
- If there's a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked.
38
38
- The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:
articles/active-directory/devices/concept-primary-refresh-token.md: 2 additions & 2 deletions
@@ -159,7 +159,7 @@ The following diagrams illustrate the underlying details in issuing, renewing, a
159
159
| :---: | --- |
160
160
| A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. |
161
161
| B | CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If user’s tenant has a federation provider setup, Azure AD returns the federation provider’s Metadata Exchange endpoint (MEX) endpoint. If not, Azure AD returns that the user is managed indicating that user can authenticate with Azure AD. |
162
-
| C | If the user is managed, CloudAP will get the nonce from Azure AD. If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Once it receives, the SAML token, it requests a nonce from Azure AD. |
162
+
| C | If the user is managed, CloudAP will get the nonce from Azure AD. If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Nonce is requested before the SAML token is sent to Azure AD. |
163
163
| D | CloudAP plugin constructs the authentication request with the user’s credentials, nonce, and a broker scope, signs the request with the Device key (dkpriv) and sends it to Azure AD. In a federated environment, CloudAP plugin uses the SAML token returned by the federation provider instead of the user’ credentials. |
164
164
| E | Azure AD validates the user credentials, the nonce, and device signature, verifies that the device is valid in the tenant and issues the encrypted PRT. Along with the PRT, Azure AD also issues a symmetric key, called the Session key encrypted by Azure AD using the Transport key (tkpub). In addition, the Session key is also embedded in the PRT. This Session key acts as the Proof-of-possession (PoP) key for subsequent requests with the PRT. |
165
165
| F | CloudAP plugin passes the encrypted PRT and Session key to CloudAP. CloudAP request the TPM to decrypt the Session key using the Transport key (tkpriv) and re-encrypt it using the TPM’s own key. CloudAP stores the encrypted Session key in its cache along with the PRT. |
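Review bot: The replacement sentence in row C, "Nonce is requested before the SAML token is sent to Azure AD.", drops the article and leaves the ordering ambiguous: it no longer says whether the nonce is requested before or after the SAML token has been obtained from the federation provider, which is the detail the old wording carried. Row D in the unchanged context already shows the nonce and the SAML token travelling together in the signed authentication request, and row E shows Azure AD validating that nonce, so the sequence should be explicit, for example: "CloudAP plugin then requests a nonce from Azure AD; the nonce and the SAML token are sent together in step D." While this row is being edited, the unchanged row D text also reads "user' credentials" (missing "s").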
@@ -173,7 +173,7 @@ The following diagrams illustrate the underlying details in issuing, renewing, a
173
173
| A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. |
174
174
| B | If the user has previously logged on to the user, Windows initiates cached sign in and validates credentials to log the user in. Every 4 hours, the CloudAP plugin initiates PRT renewal asynchronously. |
175
175
| C | CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If user’s tenant has a federation provider setup, Azure AD returns the federation provider’s Metadata Exchange endpoint (MEX) endpoint. If not, Azure AD returns that the user is managed indicating that user can authenticate with Azure AD. |
176
-
| D | If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Once it receives, the SAML token, it requests a nonce from Azure AD. If the user is managed, CloudAP will directly get the nonce from Azure AD. |
176
+
| D | If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Nonce is requested before the SAML token is sent to Azure AD. If the user is managed, CloudAP will directly get the nonce from Azure AD. |
177
177
| E | CloudAP plugin constructs the authentication request with the user’s credentials, nonce, and the existing PRT, signs the request with the Session key and sends it to Azure AD. In a federated environment, CloudAP plugin uses the SAML token returned by the federation provider instead of the user’ credentials. |
178
178
| F | Azure AD validates the Session key signature by comparing it against the Session key embedded in the PRT, validates the nonce and verifies that the device is valid in the tenant and issues a new PRT. As seen before, the PRT is again accompanied with the Session key encrypted by Transport key (tkpub). |
179
179
| G | CloudAP plugin passes the encrypted PRT and Session key to CloudAP. CloudAP requests the TPM to decrypt the Session key using the Transport key (tkpriv) and re-encrypt it using the TPM’s own key. CloudAP stores the encrypted Session key in its cache along with the PRT. |
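Review bot: Row D here receives the same sentence as row C of the table above, but it is placed between the federated case and the managed case, so "before the SAML token is sent to Azure AD" reads as if it also applied to the managed user, who has no SAML token. Either put the managed case first, as the first table does, or attach the nonce sentence directly to the federated clause, and keep the wording identical in both tables so the two diagrams describe one sequence; row E below confirms the nonce is sent in the same signed request as the SAML token. The unchanged row B, "If the user has previously logged on to the user", looks like a typo for the device and is worth fixing in the same pass.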
||[AU10TIX](https://www.au10tix.com/solutions/microsoft-azure-active-directory-verifiable-credentials-program) improves Verifiability While Protecting Privacy For Businesses, Employees, Contractors, Vendors, And Customers. |[Configure Verified ID by AU10TIX as your Identity Verification Partner](https://aka.ms/au10tixvc). |
24
24
||[LexisNexis](https://solutions.risk.lexisnexis.com/did-microsoft) risk solutions Verifiable credentials enables faster onboarding for employees, students, citizens, or others to access services. |[Configure Verified ID by LexisNexis Risk Solutions as your Identity Verification Partner](https://aka.ms/lexisnexisvc). |
25
-
||[Onfido](https://onfido.com/landing/onfido-microsoft-idv-service/) Start issuing and accepting verifiable credentials in minutes. With verifiable credentials and Onfido you can verify a person’s identity while respecting privacy. Digitally validate information on a person’s ID or their biometrics.| Not Available |
26
-
||[Vu Security](https://landings.vusecurity.com/microsoft-verifiable-credentials) Verifiable credentials with just a selfie and your ID.| Not Available |
27
-
||[Jumio](https://www.jumio.com/microsoft-verifiable-credentials/) is helping to support a new form of digital identity by Microsoft based on verifiable credentials and decentralized identifiers standards to let consumers verify once and use everywhere.| Not Available |
28
-
||[Idemia](https://na.idemia.com/identity/verifiable-credentials/) Integration with Verified ID enables “Verify once, use everywhere” functionality.| Not Available |
29
-
||[Acuant](https://www.acuant.com/microsoft-acuant-verifiable-credentials-my-digital-id/) - My Digital ID - Create Your Digital Identity Once, Use It Everywhere.| Not Available |
30
-
||[Clear](https://ir.clearme.com/news-events/press-releases/detail/25/clear-collaborates-with-microsoft-to-create-more-secure) Collaborates with Microsoft to Create More Secure Digital Experience Through Verification Credential.| Not Available |
25
+
||[Onfido](https://onfido.com/landing/onfido-microsoft-idv-service/) Start issuing and accepting verifiable credentials in minutes. With verifiable credentials and Onfido you can verify a person’s identity while respecting privacy. Digitally validate information on a person’s ID or their biometrics.| * |
26
+
||[Vu Security](https://landings.vusecurity.com/microsoft-verifiable-credentials) Verifiable credentials with just a selfie and your ID.| * |
27
+
||[Jumio](https://www.jumio.com/microsoft-verifiable-credentials/) is helping to support a new form of digital identity by Microsoft based on verifiable credentials and decentralized identifiers standards to let consumers verify once and use everywhere.| * |
28
+
||[Idemia](https://na.idemia.com/identity/verifiable-credentials/) Integration with Verified ID enables “Verify once, use everywhere” functionality.| * |
29
+
||[Acuant](https://www.acuant.com/microsoft-acuant-verifiable-credentials-my-digital-id/) - My Digital ID - Create Your Digital Identity Once, Use It Everywhere.| * |
30
+
||[Clear](https://ir.clearme.com/news-events/press-releases/detail/25/clear-collaborates-with-microsoft-to-create-more-secure) Collaborates with Microsoft to Create More Secure Digital Experience Through Verification Credential.| * |
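Review bot: Replacing "Not Available" with a bare "*" in the third column of these six rows removes information without adding any: nothing in the hunk adds a footnote or legend explaining what "*" means, so a reader sees an unexplained asterisk where the previous text at least stated that no configuration guide exists. Either keep explicit wording such as "Not available" or add the legend line this asterisk refers to in the same change.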
articles/azure-arc/data/includes/azure-arc-data-preview-release.md: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ The current preview release published on September 6, 2022.
25
25
New for this release:
26
26
27
27
- Arc data controller
28
-
- New extensions to monitoring stack to enable Kafka as a data cache and expose an OpenTelemetry endpoint for integration. See documentation for more details.
28
+
- New extensions to monitoring stack to allow integration of Arc telemetry data feeds with external monitoring solutions. See documentation for more details.
29
29
- Deleting an AD connector that is in use is now blocked. First remove all database instances that are using it and then remove the AD connector.
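Review bot: The new wording, "allow integration of Arc telemetry data feeds with external monitoring solutions", drops the concrete details the removed line carried (Kafka as a data cache, an exposed OpenTelemetry endpoint), and "See documentation for more details" still carries no link, so an operator reading this release note cannot tell what was added or what, if anything, is now exposed. Keep the specifics, or at minimum link "documentation" to the page that describes the new extensions; the removed text is the only place this note mentioned an endpoint being exposed, which is exactly what a reader evaluating the release will look for.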