@@ -81,7 +81,7 @@ When you send an invitation to Google Gmail users, the guest users should access
81
81
82
82
Guest users who see a *header too long* error can clear their cookies or open a private or incognito window and try to sign in again.
83
83
84
-
:::image type="content" source="../media/google-sign-in-3086918d-4b07f997.png" alt-text="Screenshot of shows the Google sign-in page. Users have to sign-in for access.":::
84
+
:::image type="content" source="../media/google-sign-in.png" alt-text="Screenshot of shows the Google sign-in page. Users have to sign-in for access.":::
85
85
86
86
87
87
## Deprecation of WebView sign-in support
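Review bot: The rewritten image line at new line 84 still carries the alt-text "Screenshot of shows the Google sign-in page. Users have to sign-in for access.", which is ungrammatical. Since the line is being touched anyway, suggest "Screenshot of the Google sign-in page. Users have to sign in for access." Also confirm that `../media/google-sign-in.png` is added or renamed in this same commit, because the old `google-sign-in-3086918d-4b07f997.png` reference is removed here and no media change is visible in this diff.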
@@ -125,34 +125,34 @@ First, create a new project in the Google Developers Console to obtain a client
125
125
1. Go to the Google APIs at [https://console.developers.google.com](https://console.developers.google.com/), and sign in with your Google account. We recommend that you use a shared team Google account.
126
126
2. Accept the terms of service if you're prompted to do so.
127
127
3. Create a new project: On the dashboard, select **Create Project**, give the project a name (for example, **Microsoft Entra B2B**), and then select **Create**:
128
-
128
+
129
129
:::image type="content" source="../media/google-new-project.png" alt-text="Screenshot of the New Project page within the Google developers page.":::
130
-
130
+
131
131
4. On the **APIs and Services** page, select **View** under your new project.
132
132
5. Select **Go to APIs overview** on the APIs card. Select **OAuth consent screen**.
133
133
6. Select **External**, and then select **Create**.
134
134
7. On the **OAuth consent screen**, enter an **Application name**:
135
-
135
+
136
136
:::image type="content" source="../media/google-oauth-consent-screen.png" alt-text="Screenshot of the Google OAuth consent screen. Users have to confirm their usage.":::
137
-
137
+
138
138
8. Scroll to the **Authorized domains** section and enter **microsoftonline.com**:
139
-
139
+
140
140
:::image type="content" source="../media/google-oauth-authorized-domains.png" alt-text="Screenshot of the Authorized domains section, showing with Google domains are valid.":::
141
-
141
+
142
142
9. Select **Save**.
143
-
10. Select **Credentials**. On the **Create credentials** menu, select **OAuth client ID**:
144
-
143
+
10.Select **Credentials**. On the **Create credentials** menu, select **OAuth client ID**:
144
+
145
145
:::image type="content" source="../media/google-api-credentials.png" alt-text="Screenshot of the Google APIs Create credentials menu. Configure your credentials here.":::
146
-
146
+
147
147
11. Under **Application type**, select **Web application**. Give the application a suitable name, like **Microsoft Entra B2B**. Under **Authorized redirect URIs**, enter the following URIs:
148
-
148
+
149
149
-`https://login.microsoftonline.com`
150
150
-`https://login.microsoftonline.com/te/ tenant ID /oauth2/authresp` (where **tenant ID** is your tenant ID in Azure)
151
-
151
+
152
152
:::image type="content" source="../media/google-create-oauth-client-id.png" alt-text="Screenshot of the Authorized redirect URIs section. Where do users go to validate authorization.":::
153
-
153
+
154
154
12. Select **Create**. Copy the client ID and client secret. You'll use them when you add the identity provider in the Azure portal.
155
-
155
+
156
156
:::image type="content" source="../media/google-auth-client-id-secret.png" alt-text="Screenshot of the OAuth client ID and client secret. Set your access secret.":::
157
157
158
158
## Step 2: Configure Google federation in Microsoft Entra ID
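Review bot: New line 143 changes `10. Select **Credentials**.` to `10.Select **Credentials**.`, dropping the space after the list marker. Without that space Markdown does not parse the line as an ordered-list item, so step 10 will render as plain text run into step 9 and the numbering of the following steps will shift. Restore `10. Select`. The remaining changes in this hunk (lines 128, 130, 135 and similar) only touch blank lines and look fine.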
@@ -165,9 +165,9 @@ You'll now set the Google client ID and client secret. You can use the Azure por
165
165
2. Select **External Identities**.
166
166
3. Select **All identity providers**, and then select the **Google** button.
167
167
4. Enter the client ID and client secret you obtained earlier. Select **Save**:
168
-
168
+
169
169
:::image type="content" source="../media/google-identity-provider.png" alt-text="Screenshot of Add Google identity provider page. You have to enter the Client ID and Client secret from previous steps.":::
170
-
170
+
171
171
## How do I remove Google federation?
172
172
173
173
You can delete your Google federation setup. If you do so, Google guest users who have already redeemed their invitation won't be able to sign in. But you can give them access to your resources again by deleting them from the directory and reinviting them.
@@ -178,9 +178,9 @@ You can delete your Google federation setup. If you do so, Google guest users wh
178
178
2. Select **External Identities**.
179
179
3. Select **All identity providers**.
180
180
4. On the **Google** line, select the ellipsis button (**...**) and then select **Delete**.
181
-
181
+
182
182
:::image type="content" source="../media/google-social-identity-providers.png" alt-text="Screenshot of the Delete the Google identity provider page. Use the ellipsis at the end to open the delete command.":::
183
-
183
+
184
184
5. Select **Yes** to confirm the deletion.
185
185
186
186
## Add Facebook as an identity provider for external identities
@@ -209,15 +209,15 @@ To use a Facebook account as an identity provider, you need to create an applica
209
209
7. Choose a **Category**, for example Business and Pages. This value is required by Facebook, but not used for Microsoft Entra ID.
210
210
8. At the bottom of the page, select **Add Platform**, and then select **Website**.
211
211
9. In **Site URL**, enter the appropriate URL (noted above).
212
-
10. In **Privacy Policy URL**, enter the URL for the page where you maintain privacy information for your application, for example https://www.contoso.com.
213
-
11. Select **Save Changes**.
214
-
12. At the top of the page, copy the value of **App ID**.
215
-
13. Select **Show** and copy the value of **App Secret**. You use both of them to configure Facebook as an identity provider in your tenant. **App Secret** is an essential security credential.
216
-
14. Select the plus sign next to **PRODUCTS**, and then select **Set up** under **Facebook Login**.
217
-
15. Under **Facebook Login**, select **Settings**.
218
-
16. In **Valid OAuth redirect URIs**, enter the appropriate URL (noted above).
219
-
17. Select **Save Changes** at the bottom of the page.
220
-
18. To make your Facebook application available to Microsoft Entra ID, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point, the Status should change from **Development** to **Live**.
212
+
10.In **Privacy Policy URL**, enter the URL for the page where you maintain privacy information for your application, for example https://www.contoso.com.
213
+
11.Select **Save Changes**.
214
+
12.At the top of the page, copy the value of **App ID**.
215
+
13.Select **Show** and copy the value of **App Secret**. You use both of them to configure Facebook as an identity provider in your tenant. **App Secret** is an essential security credential.
216
+
14.Select the plus sign next to **PRODUCTS**, and then select **Set up** under **Facebook Login**.
217
+
15.Under **Facebook Login**, select **Settings**.
218
+
16.In **Valid OAuth redirect URIs**, enter the appropriate URL (noted above).
219
+
17.Select **Save Changes** at the bottom of the page.
220
+
18.To make your Facebook application available to Microsoft Entra ID, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point, the Status should change from **Development** to **Live**.
221
221
222
222
## Configure a Facebook account as an identity provider
223
223
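Review bot: New lines 212 to 220 rewrite steps 10 through 18 as `10.In`, `11.Select`, ... `18.To`, removing the space after each list marker. These lines will no longer be parsed as ordered-list items and will render as text appended to step 9, which makes the App ID / App Secret and redirect URI steps hard to follow. Keep the original `10. In **Privacy Policy URL**` form for all nine lines; nothing else in the hunk changes their wording.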
@@ -231,9 +231,9 @@ Now you'll set the Facebook client ID and client secret, either by entering it i
231
231
4. Select **All identity providers**, then select **Facebook**.
232
232
5. For the **Client ID**, enter the **App ID** of the Facebook application that you created earlier.
233
233
6. For the **Client secret**, enter the **App Secret** that you recorded.
234
-
234
+
235
235
:::image type="content" source="../media/add-social-identity-provider-page.png" alt-text="Screenshot of the Add social identity provider page. Pick your social media provider.":::
learn-pr/wwl-sci/implement-manage-external-identities/includes/4-exercise-configure-external-collaboration.md
4. Under **Guest user access**, review access levels that are available and then select **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)**.
7
-
7
+
8
8
> [!NOTE]
9
-
> Guest users have the same access as members (most inclusive): This option gives guests the same access to Microsoft Entra resources and directory data as member users.
10
-
> Guest users access limited to properties and memberships of directory objects: (Default) This setting blocks guest users from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all nonhidden groups.
11
-
> Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): With this setting, guests can access only their own profiles. Guests aren't allowed to see other users' profiles, groups, or group memberships.
9
+
>
10
+
> - Guest users have the same access as members (most inclusive): This option gives guests the same access to Microsoft Entra resources and directory data as member users.
11
+
> - Guest users access limited to properties and memberships of directory objects: (Default) This setting blocks guest users from certain directory tasks, like enumerating users, groups, or other directory resources. Guests can see membership of all nonhidden groups.
12
+
> - Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): With this setting, guests can access only their own profiles. Guests aren't allowed to see other users' profiles, groups, or group memberships.
12
13
13
14
5. Under **Guest invite settings**, mark **Only user assigned to specific admin roles can invite guest users**.
14
15
6. Inviting guests to collaborate moves the least restrictive option, where anyone can invite guests, to the most restrictive where no one can invite guests.
15
16
7. Anyone in the organization can invite guests: Set to allow anyone to invite guest users, including users, admins, and even other guest users.
16
17
8. Member users and users assigned to specific admin roles: Set to allow only full members of the organization or members of admin groups to invite guests.
17
18
9. Only users assigned specific admin roles: Set to allow only those people included in specific admin roles to invite guests.
18
-
10. No one in organization can invite guests: Set to restrict all guest user invites by members.
19
-
11. Users in the **Guest Inviter role** can invite guests, if admin users can invite guest.
20
-
19
+
10.No one in organization can invite guests: Set to restrict all guest user invites by members.
20
+
11.Users in the **Guest Inviter role** can invite guests, if admin users can invite guest.
21
+
21
22
:::image type="content" source="../media/guest-invite-settings.png" alt-text="Screenshot of the guest invite settings with the Guests can invite set to No and highlighted.":::
22
-
23
+
23
24
12. Under **Collaboration restrictions**, review the available options and accept the default settings.
24
-
25
+
25
26
> [!IMPORTANT]
26
27
> You can create either an allowlist or a blocklist. You can't set up both types of lists. By default, whatever domains aren't in the allowlist are on the blocklist, and vice versa. You can create only one policy per organization. You can update the policy to include more domains, or you can delete the policy to create a new one. The number of domains you can add to an allowlist or blocklist is limited only by the size of the policy. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allowlist or blocklist and any other parameters configured for other features. This list works independently from OneDrive and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or blocklist for OneDrive for Business and SharePoint Online. The list doesn't apply to external users who redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the invitation fails.
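Review bot: New lines 19 and 20 become `10.No one in organization can invite guests` and `11.Users in the **Guest Inviter role**`, losing the space after the list marker, so they will not render as list items; restore `10. ` and `11. `. Converting the NOTE body at new lines 9 to 12 into `> - ` bullets is a good change. As a follow-up on the same block, items 6 to 11 describe the invite-setting options rather than actions, so they would read better as a nested bullet list under step 5, and "if admin users can invite guest" on line 20 should read "guests".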
learn-pr/wwl-sci/implement-manage-external-identities/includes/7-exercise-invite-guest-users-bulk.md
13 additions & 12 deletions
@@ -4,29 +4,30 @@ Use this exercise to learn to invite guest users in bulk.
4
4
2. In the navigation pane, select **Identity**.
5
5
3. Under **Users**, select **All Users**.
6
6
4. On the All users screen, on the menu, select **Bulk operations - Bulk invite**.
7
-
7
+
8
8
:::image type="content" source="../media/bulk-invite-option.png" alt-text="Screenshot of the All user page with the Bulk operations and Bulk invite menu options highlighted.":::
9
-
9
+
10
10
5. In the Bulk invite users pane, select **Download** to a sample CSV template with invitation properties.
11
11
6. Using an editor to view the CSV file, review the template.
12
-
12
+
13
13
> [!NOTE]
14
-
> **Email address to invite** - the user who will receive an invitation
15
-
> **Redirection url** - the URL to which the invited user is forwarded after accepting the invitation.
14
+
>
15
+
> -**Email address to invite** - the user who will receive an invitation
16
+
> -**Redirection url** - the URL to which the invited user is forwarded after accepting the invitation.
16
17
17
18
7. Open the .csv template and add a line for each guest user. Required values are:
18
-
19
+
19
20
:::image type="content" source="../media/template-csv.png" alt-text="Screenshot of the example bulk invite guests template CSV.":::
20
-
21
+
21
22
8. Save the file.
22
23
9. On the Bulk invite users page, under **Upload your csv file**, browse to the file. When you select the file, validation of the .csv file starts.
23
-
10. After the file contents are validated, you will see **File uploaded successfully**. If there are errors, you must fix them before you can submit the job.
24
-
24
+
10.After the file contents are validated, you will see **File uploaded successfully**. If there are errors, you must fix them before you can submit the job.
25
+
25
26
:::image type="content" source="../media/bulk-invite-users-upload-csv.png" alt-text="Screenshot of the Bulk invite users with File uploaded successfully message highlighted.":::
26
-
27
+
27
28
11. When your file passes validation, select **Submit** to start the Azure bulk operation that adds the invitations.
28
29
12. To view the job status, select **view the status of each operation**. Or, you can select **Bulk operation results** in the Activity section. For details about each line item within the bulk operation, select the values under the **\# Success**, **\# Failure**, or **Total Requests** columns. If failures occurred, the reasons for failure will be listed.
29
-
30
+
30
31
:::image type="content" source="../media/bulk-operations-results.png" alt-text="Screenshot of the results of a bulk operation. You see the success and fail statistics of the operation.":::
31
-
32
+
32
33
13. When the job completes, you will see a notification that the bulk operation succeeded.
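Review bot: The new NOTE bullets at lines 15 and 16 are written as `> -**Email address to invite**` and `> -**Redirection url**`, with no space after the hyphen, so unlike the `> - ` bullets used in 4-exercise-configure-external-collaboration.md they will render as one paragraph with literal hyphens. Use `> - **Email address to invite**`. New line 24 has the same problem with `10.After the file contents are validated`; restore `10. After` so the step stays in the ordered list.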